<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Surveillance</title>
	<atom:link href="http://www.infowar-monitor.net/tag/surveillance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Kazakhstan Tries to Censor Google – But Google Fights Back</title>
		<link>http://www.infowar-monitor.net/2011/06/kazakhstan-tries-to-censor-google-%e2%80%93-but-google-fights-back/</link>
		<comments>http://www.infowar-monitor.net/2011/06/kazakhstan-tries-to-censor-google-%e2%80%93-but-google-fights-back/#comments</comments>
		<pubDate>Wed, 15 Jun 2011 15:59:45 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Kazakhstan]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7503</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://singularityhub.com/2011/06/14/kazakhstan-tries-to-censor-google-but-google-fights-back/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed:+SingularityHub+(Singularity+Hub)" target="_blank">Peter Murray</a>, Singularity Hub

Once again Google is making headlines as they clash with another country over usage constraints. The internet giant got word last month of Kazakhstan’s attempts to reroute all Google domains there to servers located within the country. Google raised them one by suspending their Kazakh domain google.kz and rerouting them to google.com.
 
Typically Google’s domains in a given country will be tailor configured to increase search relevance to that country. However when users search the internet they are not limited by national boundaries so that requests can be handled in the fastest possible way. By rerouting away from Kazakhstan, Google Senior Vice President Bill Coughran writes in a blog post, “users will experience a reduction in search quality as results will no longer be customized for Kazakhstan.”

...

For full original article, see <a href="http://singularityhub.com/2011/06/14/kazakhstan-tries-to-censor-google-but-google-fights-back/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed:+SingularityHub+(Singularity+Hub)" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://singularityhub.com/2011/06/14/kazakhstan-tries-to-censor-google-but-google-fights-back/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed:+SingularityHub+(Singularity+Hub)" target="_blank">Peter Murray</a>, Singularity Hub</p>
<p>Once again Google is making headlines as they clash with another country over usage constraints. The internet giant got word last month of Kazakhstan’s attempts to reroute all Google domains there to servers located within the country. Google raised them one by suspending their Kazakh domain google.kz and rerouting them to google.com.</p>
<p>Typically Google’s domains in a given country will be tailor configured to increase search relevance to that country. However when users search the internet they are not limited by national boundaries so that requests can be handled in the fastest possible way. By rerouting away from Kazakhstan, Google Senior Vice President Bill Coughran writes in a blog post, “users will experience a reduction in search quality as results will no longer be customized for Kazakhstan.”</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://singularityhub.com/2011/06/14/kazakhstan-tries-to-censor-google-but-google-fights-back/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed:+SingularityHub+(Singularity+Hub)" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/kazakhstan-tries-to-censor-google-%e2%80%93-but-google-fights-back/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Inside the US-Anglo-French plan to civilize the Internet</title>
		<link>http://www.infowar-monitor.net/2011/06/inside-the-us-anglo-french-plan-to-civilize-the-internet/</link>
		<comments>http://www.infowar-monitor.net/2011/06/inside-the-us-anglo-french-plan-to-civilize-the-internet/#comments</comments>
		<pubDate>Fri, 10 Jun 2011 15:38:14 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[Copyright/IP]]></category>
		<category><![CDATA[France]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7486</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://arstechnica.com/tech-policy/news/2011/06/western-governments-mount-major-push-for-internet-rules-of-the-road.ars" target="_blank">Nate Anderson</a>, Ars Technica

Get ready for international Internet regulation; top leaders from the US, UK, and France are making increasingly public statements about their plans to draft new rules that will make the 'Net more secure and will crack down on copyright infringers. 

In a speech back on February 4, UK Foreign Secretary William Hague sounded a dire warning about the state of the 'Net.

The intelligence reports I see as Foreign Secretary show that just one criminal computer programme can harvest over thirty gigabytes of stolen passwords and credit card details from over a hundred countries in a matter of days, causing millions of pounds worth of fraud…

Last year the national security interests of the UK were targeted in a deliberate attack on our defence industry. A malicious file posing as a report on a nuclear Trident missile was sent to a defence contractor by someone masquerading as an employee of another defence contractor. Good protective security meant that the email was detected and blocked, but its purpose was undoubtedly to steal information relating to our most sensitive defence projects.

And last month three of my staff were sent an e-mail, apparently from a British colleague outside the FCO, working on their region. The e-mail claimed to be about a forthcoming visit to the region and looked quite innocent. In fact it was from a hostile state intelligence agency and contained computer code embedded in the attached document that would have attacked their machine. Luckily, our systems identified it and stopped it from ever reaching my staff.


William Hague
The Wild West might make a romanticized setting for films, but when you're on the receiving end of chaotic violence, you start longing for some law and order pretty quick. In his speech, Hague pledged that law and order was coming in the form of an "international agreement about norms in cyberspace."

Such discussions have been ongoing for years, but in dilatory and fragmented fashion. Hague now wants to formalize and accelerate the discussions—"we need to get the ball rolling faster!"

...

For full original article, see <a href="http://arstechnica.com/tech-policy/news/2011/06/western-governments-mount-major-push-for-internet-rules-of-the-road.ars" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://arstechnica.com/tech-policy/news/2011/06/western-governments-mount-major-push-for-internet-rules-of-the-road.ars" target="_blank">Nate Anderson</a>, Ars Technica</p>
<p>Get ready for international Internet regulation; top leaders from the US, UK, and France are making increasingly public statements about their plans to draft new rules that will make the &#8216;Net more secure and will crack down on copyright infringers. </p>
<p>In a speech back on February 4, UK Foreign Secretary William Hague sounded a dire warning about the state of the &#8216;Net.</p>
<p>The intelligence reports I see as Foreign Secretary show that just one criminal computer programme can harvest over thirty gigabytes of stolen passwords and credit card details from over a hundred countries in a matter of days, causing millions of pounds worth of fraud…</p>
<p>Last year the national security interests of the UK were targeted in a deliberate attack on our defence industry. A malicious file posing as a report on a nuclear Trident missile was sent to a defence contractor by someone masquerading as an employee of another defence contractor. Good protective security meant that the email was detected and blocked, but its purpose was undoubtedly to steal information relating to our most sensitive defence projects.</p>
<p>And last month three of my staff were sent an e-mail, apparently from a British colleague outside the FCO, working on their region. The e-mail claimed to be about a forthcoming visit to the region and looked quite innocent. In fact it was from a hostile state intelligence agency and contained computer code embedded in the attached document that would have attacked their machine. Luckily, our systems identified it and stopped it from ever reaching my staff.</p>
<p>William Hague<br />
The Wild West might make a romanticized setting for films, but when you&#8217;re on the receiving end of chaotic violence, you start longing for some law and order pretty quick. In his speech, Hague pledged that law and order was coming in the form of an &#8220;international agreement about norms in cyberspace.&#8221;</p>
<p>Such discussions have been ongoing for years, but in dilatory and fragmented fashion. Hague now wants to formalize and accelerate the discussions—&#8220;we need to get the ball rolling faster!&#8221;</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://arstechnica.com/tech-policy/news/2011/06/western-governments-mount-major-push-for-internet-rules-of-the-road.ars" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/inside-the-us-anglo-french-plan-to-civilize-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dutch ISPs Admit to Using Deep Packet Inspection</title>
		<link>http://www.infowar-monitor.net/2011/05/dutch-isps-admit-to-using-deep-packet-inspection/</link>
		<comments>http://www.infowar-monitor.net/2011/05/dutch-isps-admit-to-using-deep-packet-inspection/#comments</comments>
		<pubDate>Wed, 18 May 2011 21:57:49 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Netherlands]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7263</guid>
		<description><![CDATA[<blockquote>Source: <a href="http://www.circleid.com/posts/dutch_isps_admit_to_using_deep_packet_inspection/" target="_blank">CircleID</a>
 
Digital Civil Rights in Europe reports: "During an investors day on 10 May 2011 in London, Dutch Internet service provider KPN admitted to using deep packet inspection (DPI) technology, to determine the use of certain applications by its mobile internet customers. Vodafone soon followed with an announcement that it used this technology for traffic shaping. The Dutch minister of Economic Affairs within days announced an investigation into KPN's practices and promised to publish the results within two weeks."</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.circleid.com/posts/dutch_isps_admit_to_using_deep_packet_inspection/" target="_blank">CircleID</a></p>
<p>Digital Civil Rights in Europe reports: &#8220;During an investors day on 10 May 2011 in London, Dutch Internet service provider KPN admitted to using deep packet inspection (DPI) technology, to determine the use of certain applications by its mobile internet customers. Vodafone soon followed with an announcement that it used this technology for traffic shaping. The Dutch minister of Economic Affairs within days announced an investigation into KPN&#8217;s practices and promised to publish the results within two weeks.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/05/dutch-isps-admit-to-using-deep-packet-inspection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New FBI Documents Provide Details on Government’s Surveillance Spyware</title>
		<link>http://www.infowar-monitor.net/2011/05/new-fbi-documents-provide-details-on-government%e2%80%99s-surveillance-spyware/</link>
		<comments>http://www.infowar-monitor.net/2011/05/new-fbi-documents-provide-details-on-government%e2%80%99s-surveillance-spyware/#comments</comments>
		<pubDate>Fri, 06 May 2011 19:45:49 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7210</guid>
		<description><![CDATA[Source: <a href="https://www.eff.org/deeplinks/2011/04/CIPAV_Post" target="_blank">Jennifer Lynch</a>, EFF
  <blockquote>
EFF recently received documents from the FBI that reveal details about the depth of the agency's electronic surveillance capabilities and call into question the FBI's controversial effort to push Congress to expand the Communications Assistance to Law Enforcement Act (CALEA) for greater access to communications data. The documents we received were sent to us in response to a Freedom of Information Act (FOIA) request we filed back in 2007 after Wired reported on evidence that the FBI was able to use “secret spyware” to track the source of e-mailed bomb threats against a Washington state high school. The documents discuss a tool called a "web bug" or a "Computer and Internet Protocol Address Verifier" (CIPAV),1 which seems to have been in use since at least 2001. </blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="https://www.eff.org/deeplinks/2011/04/CIPAV_Post" target="_blank">Jennifer Lynch</a>, EFF</p>
<p>EFF recently received documents from the FBI that reveal details about the depth of the agency&#8217;s electronic surveillance capabilities and call into question the FBI&#8217;s controversial effort to push Congress to expand the Communications Assistance to Law Enforcement Act (CALEA) for greater access to communications data. The documents we received were sent to us in response to a Freedom of Information Act (FOIA) request we filed back in 2007 after Wired reported on evidence that the FBI was able to use “secret spyware” to track the source of e-mailed bomb threats against a Washington state high school. The documents discuss a tool called a &#8220;web bug&#8221; or a &#8220;Computer and Internet Protocol Address Verifier&#8221; (CIPAV),1 which seems to have been in use since at least 2001.</p>
<p>What is CIPAV and How Does It Work?<br />
The documents discuss technology that, when installed on a target&#8217;s computer, allows the FBI to collect the following information:</p>
<p>IP Address<br />
Media Access Control (MAC) address<br />
&#8220;Browser environment variables&#8221;<br />
Open communication ports<br />
List of the programs running<br />
Operating system type, version, and serial number<br />
Browser type and version<br />
Language encoding<br />
The URL that the target computer was previously connected to<br />
Registered computer name<br />
Registered company name<br />
Currently logged in user name<br />
Other information that would assist with &#8220;identifying computer users, computer software installed, [and] computer hardware installed&#8221;3</p>
<p>It&#8217;s not clear from the documents how the FBI deploys the spyware, though Wired has reported that, in the Washington state case, the FBI may have sent a URL via MySpace&#8217;s internal messaging, pointing to code that would install the spyware by exploiting a vulnerability in the user&#8217;s browser. Although the documents discuss some problems with installing the tool in some cases, other documents note that the agency&#8217;s Crypto Unit only needs 24-48 hours to prepare deployment.4 And once the tool is deployed, &#8220;it stay[s] persistent on the compromised computer and . . . every time the computer connects to the Internet, [FBI] will capture the information associated with the PRTT [Pen Register/Trap &#038; Trace Order].&#8221;5</p>
<p>Where Has CIPAV Been Used and What Legal Process Does the FBI Rely On to Use It?</p>
<p>It is clear from the documents we received that the FBI—and likely other federal agencies—have used this tool a lot. According to the documents, the FBI has used CIPAV in cases across the country—from Denver, El Paso, and Honolulu in 2005; to Philadelphia, California, and Houston in 2006; to Cincinnati and Miami in 2007. In fact, one stack of documents we received consists entirely of requests from FBI offices around the country to the agency&#8217;s Cryptologic and Electronic Analysis Unit (&#8220;CEAU&#8221;) for help installing the device.6</p>
<p>The FBI has been using the tool in domestic criminal investigations as well as in FISA cases,7 and the FISA Court appears to have questioned the propriety of the tool.8 Other agencies, and even other countries have shown interest in the tool, indicating its effectiveness. Emails from 2006 discuss interest from the Air Force,9 the Naval Criminal Investigative Service10 and the Joint Task Force-Global Network Operations,11 while another email from 2007 discusses interest from the German government.12</p>
<p>The FBI&#8217;s Crypto Unit appears to have viewed the CIPAV as a proprietary tool. In one email, an agent grumbled, &#8220;we are seeing indications that [CIPAV] is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression without any countervailing benefit).&#8221;13 In another email, an agent stated, &#8220;[I] am weary [sic] to just hand over our tools to another Gov&#8217;t agency without any oversight or protection for our tool/technique.&#8221;14 And a third email noted, &#8220;[w]e never discuss how we collect the [data CIPAV can collect] in the warrants/affidavits or with case agents. AUSAs, squad supervisors, outside agencies, etc.&#8221;15</p>
<p>It appears from the documents that the FBI wasn&#8217;t sure what legal process to seek to authorize use of the spyware device. Some emails discuss trying to use a &#8220;trespasser exception&#8221; to get around a warrant,16 while others discuss telling the AUSA (government attorney) to cite to the &#8220;All Writs Act, 28 U.S.C. § 1651(a).&#8221;17 And one email suggests some agents thought the tool required no legal process at all. In that email, the FBI employee notes he considers the tool to be &#8220;consensual monitoring without need for process; in my mind, no different than sitting in a chat room and tracking participants&#8217; on/off times; or for that matter sitting on P2P networks and finding out who is offering KP.&#8221;18</p>
<p>Eventually, the FBI seems to have sought a legal opinion on the proper use of the tool, both from the Office of General Counsel and from the National Security Law Branch,19 and ultimately, the agency seems to have settled on a &#8220;two-step request&#8221; process for CIPAV deployments &#8212; a search warrant to authorize intrusion into the computer, and then a subsequent Pen/Trap order to authorize the surveillance done by the spyware.20</p>
<p>What Does This Mean for the FBI&#8217;s Push for New Back Doors into Our Internet Communications?<br />
Over the past few months, we&#8217;ve heard a lot from the FBI about its need to expand the Communications Assistance to Law Enforcement Act (CALEA), a law that requires all telecommunications and broadband providers to be technically capable of complying with an intercept order. Federal law enforcement officials have argued that under current regulations they can&#8217;t get the information they need and want to expand CALEA to apply to communications systems like Gmail, Skype, and Facebook. However, these documents show the FBI already has numerous tools available to surveil suspects directly, rather than through each of their communications service providers. One heavily redacted email notes that the FBI has other tools that &#8220;provide the functionality of the CIPAV [text redacted] as well as provide other useful info that could help further the case.&#8221;21 Another email notes that CIPAVs are used in conjunction with email intercepts, perhaps using similar spyware-type tools.22 If the FBI already has endpoint surveillance-based tools for internet wiretapping, it casts serious doubt on law enforcement&#8217;s claims of &#8220;going dark.&#8221;</p>
<p>A device that remains &#8220;persistent&#8221; on a &#8220;compromised computer&#8221; is certainly concerning. However, if the FBI obtains a probable cause-based court order before installing tools like CIPAV, complies with the minimization requirements in federal wiretapping law by limiting the time and scope of surveillance, and removes the device once surveillance concludes, the use of these types of targeted tools for Internet surveillance would be a much more narrowly tailored solution to the FBI’s purported problems than the proposal to undermine every Internet user&#8217;s privacy and security by expanding CALEA. We will continue to report on both the FBI&#8217;s use of endpoint surveillance tools and on the agency&#8217;s push to expand CALEA as more documents come in.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/05/new-fbi-documents-provide-details-on-government%e2%80%99s-surveillance-spyware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>British firm offered spy software to Egypt</title>
		<link>http://www.infowar-monitor.net/2011/04/british-firm-offered-spy-software-to-egypt/</link>
		<comments>http://www.infowar-monitor.net/2011/04/british-firm-offered-spy-software-to-egypt/#comments</comments>
		<pubDate>Mon, 25 Apr 2011 20:55:04 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Egypt]]></category>
		<category><![CDATA[FinFisher]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[UK]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7183</guid>
		<description><![CDATA[Source: <a href="http://www.washingtontimes.com/news/2011/apr/25/british-firm-offered-spy-software-to-egypt/?page=1" target="_blank">Eli Lake</a>, The Guardian
<blockquote>

Egyptian anti-regime activists found a startling document last month during a raid inside the headquarters of the country’s state security service: A British company offered to sell a program that security experts say could infect dissidents’ computers and gain access to their email and other communications.

The discovery highlights the emerging market of Western companies that sell software to security services from the Middle East to China to spy on the kinds of social media activists who recently toppled regimes in Egypt and Tunisia.</blockquote>
]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.washingtontimes.com/news/2011/apr/25/british-firm-offered-spy-software-to-egypt/?page=1" target="_blank">Eli Lake</a>, Washington Times</p>
<p>Egyptian anti-regime activists found a startling document last month during a raid inside the headquarters of the country’s state security service: A British company offered to sell a program that security experts say could infect dissidents’ computers and gain access to their email and other communications.</p>
<p>The discovery highlights the emerging market of Western companies that sell software to security services from the Middle East to China to spy on the kinds of social media activists who recently toppled regimes in Egypt and Tunisia.</p>
<p>Amid the scattered papers, interrogation devices and random furniture found during the raid, the activists uncovered a proposed contract dated June 29 from the British company Gamma International that promised to provide access to Gmail, Skype, Hotmail and Yahoo conversations and exchanges on computers targeted by the Interior Ministry of ousted President Hosni Mubarak.</p>
<p>The proposal from Gamma International was posted online by Cairo physician Mostafa Hussein, a blogger who was among the activists who seized the ministry’s documents.</p>
<p>“It is important evidence of the intent of the state security and investigation division not to respect our privacy,” Mr. Hussein said.</p>
<p>“This proposal was sent to a notorious department known for torture, spying on citizens to help Mubarak’s regime,” Mr. Hussein said, referring to the State Security Investigations Service. “The company Gamma, I consider them to be partners in the crime of trying to invade our privacy and arrest activists.”</p>
<p>The document was then noticed by a top cybersecurity company called F-Secure, which placed on its website the scanned proposal for the software, called FinFisher.</p>
<p>The Gamma document exemplifies a new commercial market involving private companies who sell malicious software or malware that provides “back door” or remote access to computers without being detected by the machine’s user.</p>
<p>Sometimes called worms, this kind of computer software-based attacker had been used mainly by government intelligence agencies and organized crime groups as well as private hackers.</p>
<p>Today, malware increasingly is sold by security firms to governments and law enforcement agencies seeking to track not just criminals but also political dissidents.</p>
<p>“No longer do activists against repressive regimes have to only worry about Web censorship. Today they must worry about something far more insidious and hard to detect, malware that is coming from Western companies in countries that promote freedom and democracy,” said Robert Guerra, project director of Freedom House’s Internet freedom program.</p>
<p>According to Gamma’s promotional literature, the FinFisher software is capable of “remote monitoring and infection solutions” that can provide “full access to stored information with the ability to take control of” the targeted computer, including the ability to “captur[e] encrypted data and communication.”</p>
<p>The worm attack entices the targeted computer user, such as an Egyptian blogger, to unwittingly download the malware through a thumb drive, or another seemingly harmless download such as a video game or piece of digital music.</p>
<p>Then, without the user knowing, the software sets up a hidden remote access point that would let the attacker — in this case, Egypt’s security services — acquire information including the user’s social media passwords and the files stored on a hard drive.</p>
<p>Peter Lloyd, an attorney for Gamma International, told The Washington Times that the company never sold the FinFisher software to the Egyptian security ministry.</p>
<p>But the lawyer declined to answer questions about the company’s malware division, or the detailed proposal found in the Egyptian ministry.</p>
<p>“Gamma complies in all its dealings with all applicable U.K. laws and regulations,” Mr. Lloyd said. “Gamma did not supply to Egypt but in any event it would not be appropriate for Gamma to make public details of its transactions with any customer.”</p>
<p>The Egyptian activists that found the FinFisher proposal also found transcripts of encrypted Skype chats between dissidents in the abandoned security ministry. Skype is a video telephone system.</p>
<p>“I have seen my Gmails and Skype chats printed out in transcripts from the headquarters the day we went into those offices,” said Sherif Mansour, senior program officer for Freedom House who worked on the organization’s Egypt program.</p>
<p>The malware industry is big business. The proposed contract offered Egypt’s State Security Investigations Service a suite of software products, along with training in its use, for more than $525,000.</p>
<p>“FinFisher is a company that is producing the malware for money and that is the innovation,” said Mikko Hypponen, the chief research officer for F-Secure. “We have enough headaches just fighting the criminals.”</p>
<p>Gamma International and FinFisher are not alone.</p>
<p>In February, internal emails between cybersecurity company HBGary and law firm Hunton and Williams, representing Bank of America, discussed the prospect of infecting computers affiliated with Anonymous, the hacker group affiliated with WikiLeaks.</p>
<p>Anonymous claimed credit for disclosing those emails. WikiLeaks has threatened to disclose internal documents of Bank of America that it says would be damaging.</p>
<p>The bank-related email exchanges mentioned a Georgia-based company called Endgames Solutions and included promotional materials advertising Computer Network Attack or Computer Network Exploitation as part of its Maui suite of software. A public relations specialist hired by Endgames Solutions declined to discuss the matter.</p>
<p>Endgame is known within computer security circles as being on the cutting edge of so-called “offensive” security efforts, mainly for corporate customers.</p>
<p>Rafal Rohozinski, the CEO of the SecDev Group, a cybersecurity consulting firm, said the new malware industry is troubling.</p>
<p>“In North America, you are starting to see an industry in the cybersecurity [field] which is offering ethically questionable product and service offerings,” he said. “HBGary is a good example of this. There are others who do this at a technical level.”</p>
<p>“Malware is a growing industry,” said Noah Shachtman, a nonresident fellow at the Brookings Institution and editor of Wired’s Danger Room. “The cliche that this was a couple of kids doing this in their parents’ basement was never true in the first place. Now it’s totally wrong, now the suits and the MBAs are peddling this stuff both to crooks and to wannabe Big Brothers.”</p>
<p>One example of this kind of systematic attack was called Ghostnet, a cyberoperation connected to servers in China and Taiwan that was discovered in 2009 by security specialists with the private Infowar Group.</p>
<p>The discovery of Ghostnet found that a number of opponents of the Chinese government, such as the Dalai Lama’s network, had been infected for at least five years.</p>
<p>Mr. Hypponen said, “Ghostnet is the first case of this kind of thing on a broad scale.” He added that “Ghostnet and similar related attacks are probably not done in practice by the government, but they work through independent hackers.”</p>
<p>Former Homeland Security Secretary Michael Chertoff said computer-based technology that used to be in the hands of the government has quickly made its way into the commercial sector.</p>
<p>“The most sophisticated tools at the very, very leading edge are still, I think, in the hands of the government,” he said in an interview last week after a panel appearance at the National Press Club. “But I think there is a lot of stuff out there. Look at the capability that private people have to get commercial encryption products which are pretty robust. This issue of trickling down from the very high-end technology down into the commercial space, I think that is a very fast process these days.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/british-firm-offered-spy-software-to-egypt/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dissident warns of &#8216;silent cyber war&#8217;: Activist says Canadians are within China&#8217;s reach</title>
		<link>http://www.infowar-monitor.net/2011/04/dissident-warns-of-silent-cyber-war-activist-says-canadians-are-within-chinas-reach/</link>
		<comments>http://www.infowar-monitor.net/2011/04/dissident-warns-of-silent-cyber-war-activist-says-canadians-are-within-chinas-reach/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 12:40:50 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7166</guid>
		<description><![CDATA[Source: <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html" target="_blank">Don Butler</a>, Ottawa Citizen
<blockquote>

Are the Chinese spying on Ottawa resident Maggie Wenzhuo Hou?

Hou, a 41-year-old Chinese dissident who has lived in Ottawa since June 2009, is convinced that agents of the government of China are monitoring and blocking her e-mail and telephone communications.

While she can't prove her allegations, she can offer up a long list of circumstantial evidence to support her claims. Based on her dissident status and documented attacks by China-based hackers, security experts say hers is a credible story.</blockquote>
]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.ottawacitizen.com/technology/Dissident+warns+silent+cyber/4639304/story.html" target="_blank">Don Butler</a>, Ottawa Citizen</p>
<p>Are the Chinese spying on Ottawa resident Maggie Wenzhuo Hou?</p>
<p>Hou, a 41-year-old Chinese dissident who has lived in Ottawa since June 2009, is convinced that agents of the government of China are monitoring and blocking her e-mail and telephone communications.</p>
<p>While she can&#8217;t prove her allegations, she can offer up a long list of circumstantial evidence to support her claims. Based on her dissident status and documented attacks by China-based hackers, security experts say hers is a credible story.</p>
<p>Alex Neve, secretary general of Amnesty International Canada, says Chinese monitoring of human rights activists in this country is a &#8220;well-known and notorious pattern.&#8221;</p>
<p>Hou is a &#8220;high-profile, outspoken human rights activist who has some real credibility because she&#8217;s freshly out of China, has first-hand experience with human rights violations and is quite well connected to a number of known human rights activists still inside China,&#8221; Neve says.</p>
<p>&#8220;So it does not surprise me at all that she could be, would be or was targeted for some sort of hacking or computer surveillance by the Chinese authorities.&#8221;</p>
<p>But Ron Deibert, the director of the University of Toronto&#8217;s Citizen Lab, which in 2009 uncovered GhostNet, a cyberspy ring based in China that was gathering intelligence in more than 100 countries, counsels caution when assessing cases such as Hou&#8217;s.</p>
<p>&#8220;There are so many people who read about issues of espionage or information-based attacks and jump immediately to the extreme conclusion,&#8221; Deibert says.</p>
<p>For her part, Hou says &#8220;Canadian authorities&#8221; are interested in her experiences, and have interviewed her three times about them. She decided to go public to warn Canadians about what she calls China&#8217;s &#8220;silent cyber war.&#8221;</p>
<p>&#8220;The Canadian public is just sleeping while, as we Chinese say, a tiger&#8217;s sleeping next to you. People should wake up. This country is slipping into danger,&#8221; she says. &#8220;When I came to Canada, I thought I&#8217;d be safe. I don&#8217;t feel safe anymore. I feel like I&#8217;m in China.&#8221;</p>
<p>Hou first got involved in human rights and political activism in China while attending Sichuan University in 1989, the year of the Tiananmen Square massacre. In 2003, she founded and led a now-defunct human rights group in Beijing. She&#8217;s now director of the human rights committee of the Democratic Party of China, an exiled opposition party.</p>
<p>While in China, she was arrested and detained many times, most recently at the time of the 2008 Beijing Olympics, when she was imprisoned for 18 days for her involvement in human rights protests.</p>
<p>When she became pregnant late that year, she managed, with help from some Canadian friends, to leave China for a teaching job at the University of Ottawa. She gave birth a month later and taught courses in human rights and political activism in China at the university&#8217;s graduate school of international and public affairs during the 2009-10 academic year. She has had protected person status in Canada since last August.</p>
<p>She first started noticing some &#8220;funny things&#8221; going on around the time of Prime Minister Stephen Harper&#8217;s visit to China in December 2009, when she was involved in demonstrations and an online petition. &#8220;My e-mails started to be irregular,&#8221; she says. &#8220;There were lost e-mail messages.&#8221; When people signed the online petition, their names didn&#8217;t appear. Friends told her that when they opened her Gmail messages, their computers slowed down noticeably.</p>
<p>Google Inc., which owns Gmail, told Hou at the time that the problem was with her computer. But the company has since accused Chinese authorities of interfering with its Gmail, leading to access problems.</p>
<p>Last May, Hou travelled to Toronto to have her computer examined by Greg Walton, a computer security expert who worked for Citizen Lab on the GhostNet project. According to Hou, Walton told her the computer was heavily hacked and was communicating with dozens of IP addresses, including some in China.</p>
<p>Walton, now based in London, England, agrees there were &#8220;anomalies&#8221; in the network traffic. &#8220;However, the traffic was almost entirely consistent with common malware to which all Internet users are exposed, associated with cyber criminals motivated by profit rather than the targeting of political dissidents.&#8221;</p>
<p>Despite his failure to find anything linked to Chinese spying on Hou&#8217;s computer, Walton says &#8220;credible sources within the investigations community have repeatedly indicated that there has been growing unease about the surveillance of dissidents in Canada.&#8221;</p>
<p>In an e-mail to the Citizen, an official at the Chinese Embassy in Ottawa said allegations that the Chinese government supports hacking are &#8220;groundless and with ulterior motives.&#8221;</p>
<p>&#8220;The Chinese government has consistently been firmly opposing any illegal activities that sabotage the Internet and computer networks, including computer hacking,&#8221; the official wrote, adding that China&#8217;s government &#8220;is ready to work with countries to counter hacking and other forms of Internet crime.&#8221;</p>
<p>But Rafal Rohozinski, chief executive of Ottawa-based SecDev Group, who worked with Citizen Lab on the GhostNet project, says Hou&#8217;s allegations are credible.</p>
<p>&#8220;We&#8217;ve got plenty of precedent where these kinds of techniques have been used against inconvenient political actors,&#8221; says Rohozinski, though whether the perpetrators are Chinese authorities or &#8220;patriotic hackers&#8221; is difficult to determine.</p>
<p>Whenever Hou communicates with people in China, &#8220;she has to work through services that invariably pick up her identifying IP address or the address of the e-mail she&#8217;s using,&#8221; Rohozinski says. &#8220;If someone&#8217;s on a watch list, it&#8217;s pretty simple to be able to identify that individual.&#8221;</p>
<p>Wesley Wark, a security expert and visiting professor at the University of Ottawa, says there&#8217;s lots of evidence that China is involved in state-sponsored efforts to &#8220;harass and survey&#8221; Chinese expatriates. &#8220;It&#8217;s a big part of what the Chinese do, and they do it because they have global reach, because they are determined to monitor overseas dissident groups and individuals.&#8221;</p>
<p>Deibert notes that Hou isn&#8217;t an ordinary person. &#8220;She&#8217;s someone who&#8217;s connected politically to Chinese events. That puts her in a different category right off the bat.&#8221;</p>
<p>Wark thinks the Canadian government should be meeting regularly with Chinese officials to emphasize that spying and hacking are not tolerated in Canada. &#8220;But that&#8217;s not a message we&#8217;ve heard from recent governments. The big message is trade and better relations.&#8221;</p>
<p>Hou acknowledges that speaking out carries risks. &#8220;I definitely am worried,&#8221; she says. &#8220;I know their people are watching me. Their people maybe hate me. But I feel I have an obligation for myself, for Chinese people and for people at large, including Canadians.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/dissident-warns-of-silent-cyber-war-activist-says-canadians-are-within-chinas-reach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Coreflood and Communication Controls</title>
		<link>http://www.infowar-monitor.net/2011/04/coreflood-and-communication-controls/</link>
		<comments>http://www.infowar-monitor.net/2011/04/coreflood-and-communication-controls/#comments</comments>
		<pubDate>Fri, 15 Apr 2011 22:16:45 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[MENA]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7074</guid>
		<description><![CDATA[<strong>Coreflood and Communication Controls </strong>
<blockquote>
This week, the U.S. Department of Justice took action to disable the “Coreflood” botnet. In an unprecedented move, <a href="http://www.justice.gov/opa/pr/2011/April/11-crm-466.html">a federal judge granted permission to authorities to seize control of the botnet</a>, which compromised private computers with malicious software that captured private online banking information from users. The Internet Systems Consortium, a non-profit organization, was given permission to take over the botnet’s command-and-control servers—used to communicate with infected private computers—and replace the servers with its own. These servers would respond to command-and-control requests from infected computers, and send a “stop” command to infected machines, effectively interrupting the botnet by stopping the malware from running on private computers. According to <a href="http://www.wired.com/threatlevel/2011/04/coreflood/">this Wired article</a>, Coreflood is designed to run whenever an infected computer is rebooted. As such, the replacement servers are required to send the “stop” command after every reboot, until the malware is removed from the victim’s computer. <a href="http://www.nytimes.com/external/idg/2010/10/26/26idg-dutch-team-up-with-armenia-for-bredolab-botnet-take-53590.html?partner=rss&#038;emc=rss">A similar method was used by Dutch authorities in 2010 to take down the Bredolab botnet.</a> </blockquote>]]></description>
			<content:encoded><![CDATA[<p><strong> Coreflood and Communication Controls </strong></p>
<p>This week, the U.S. Department of Justice and the FBI took action to disable the “Coreflood” botnet. In an unprecedented move, <a href="http://www.justice.gov/opa/pr/2011/April/11-crm-466.html">a federal judge granted permission to authorities to seize control of the botnet</a>, which compromised private computers with malicious software that captured private online banking information from users. The Internet Systems Consortium, a non-profit organization, was given permission to take over the botnet’s command-and-control servers — used to communicate with infected private computers — and replace the servers with its own. These servers would respond to command-and-control requests from infected computers, and send a “stop” command to infected machines, effectively interrupting the botnet by stopping the malware from running on private computers. According to <a href="http://www.wired.com/threatlevel/2011/04/coreflood/">this Wired article</a>, Coreflood is designed to run whenever an infected computer is rebooted. The replacement servers are required to send the “stop” command after every reboot, until the malware is removed from the victim’s computer. <a href="http://www.nytimes.com/external/idg/2010/10/26/26idg-dutch-team-up-with-armenia-for-bredolab-botnet-take-53590.html?partner=rss&amp;emc=rss">A similar method was used by Dutch authorities in 2010 to take down the Bredolab botnet.</a></p>
<p>Botnets have become a popular tool in the underground economy of cyber crime. By exploiting personal computers infected with malware—effectively turning these computers into “zombie computers” controlled by a botmaster—the underground economy has indeed become a lucrative one. According to <a href="http://www.scribd.com/doc/52965914/Coreflood-Memo">this US request filing</a>, Coreflood victims included private companies such as a North Carolina investment firm and a Tennessee defence contractor which lost USD 151,201 and USD 241,886 respectively. In late 2010, Nart Villeneuve and the Information Warfare Monitor released <a href="http://www.infowar-monitor.net/reports/iwm-koobface.pdf"><em>Koobface: Inside a Crimeware Network</em></a>, a report on the Koobface botnet, detailing its propagation strategies, counter-security measures, and business model. Villeneuve found that over the course of one year, through the use of pay-per-click and pay-per-install affiliate programs and forcing compromised computers to install malicious software and engage in click fraud, Koobface operators were able to earn over USD 2 million.</p>
<p><a href="http://www.theglobeandmail.com/news/world/americas/us-disables-hackers-henchmen-in-new-era-of-cyber-justice/article1984571/">The Globe and Mail notes that</a>, “the Coreflood investigation was aided immensely by a geographic fluke – the fact that many of the perpetrators and victims resided within a single jurisdiction, the United States&#8221;. Indeed, Villeneuve explains, botnet operators are able to benefit from the fact that their criminal acts spread across multiple jurisdictions—the issue of multiple jurisdictions often complicates investigations and hinders law enforcement and takedown efforts. In the case of Coreflood, US authorities were able to successfully take over the botnet because its servers were located within US jurisdiction—in Georgia, Texas, Ohio, California, and Arizona. For the official documents see <a href="http://www.justice.gov/opa/pr/2011/April/11-crm-466.html">here</a> for the Justice Department’s press release, <a title="Open with Google Docs Viewer." href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_4.pdf">here</a> for the complaint, <a title="Open with Google Docs Viewer." href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_2.pdf">here</a> for the seizure warrant, and <a title="Open with Google Docs Viewer." href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_5.pdf">here</a> for the Coreflood temporary restraining order.</p>
<p>Users have expressed discomfort with the government performing actions against their computers. In <a href="http://www.wired.com/threatlevel/2011/04/coreflood/">this Wired article</a>, the EFF commented, “Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood this would still be an extremely sketchy action to take. It’s other people’s computers and you don’t know what’s going to happen for sure. You might blow up some important machine.”</p>
<p>While underground crime represents one aspect of the economics of cyberspace, the global economy of cyber controls represents another. A few weeks ago, <a href="http://www.infowar-monitor.net/2011/04/6987/">we reported</a> on the release of the <a href="http://opennet.net/west-censoring-east-the-use-western-technologies-middle-east-censors-2010-2011">OpenNet Initiative’s West Censoring East: The Use of Western Technologies by Middle East Censors, 2010-2011</a>, a report that details the complicity of Western companies (Websense, Netsweeper, Intel) in the online censorship of over 20 million citizens in nine countries in the Middle East and North Africa. The complicity of Western companies in filtering has placed a major spotlight on the actions of private actors in cyberspace. While some companies, such as Google, have pulled out of territories requesting their compliance in censorship, others, such as RIM, have decided to adjust their policies to appease governments. This week, <a href="http://news.bbc.co.uk/2/hi/programmes/click_online/9456798.stm">RIM’s Mike Lazaridis walked out on a BBC Interview</a> when asked whether “security issues” in India and the Middle East had been “sorted out”—referring to the security implications for users in territories where governments have threatened to ban the service <a href="http://business.financialpost.com/2011/04/13/rim-co-ceo-mike-lazaridis-walks-out-of-bbc-interview/">if the company failed to comply with its requests for access to encrypted communications</a>. Yesterday, <a href="http://www.itp.net/584500-uae-moves-to-limit-more-secure-blackberry-service">it was reported</a> that the UAE government had asked telecom companies Etisalat and Du to restrict access to a new and more secure version of Blackberry’s service to only “qualifying organizations”—not private individuals.</p>
<p>While restrictive cyberspace controls are often thought of as a characteristic of authoritarian governments, this week Canadians were informed about a plan from their government to enact greater control over their communications.</p>
<p>In Canada, the Conservative government <a href="http://www.vancouversun.com/business/Conservative+majority+would+bundle+crime+bills/4580146/story.html">included a commitment in their election platform to pass a bundled “crime and justice” bill that includes lawful access legislation through Parliament within 100 days if re-elected</a>. Michael Geist <a href="http://www.michaelgeist.ca/content/view/5733/125/">has a timely analysis of this issue in this blog</a>. This bill will, as Geist states, “fundamentally reshape the Internet in Canada,” as it establishes a three-pronged approach to deal with lawful access, focusing on information disclosure, mandated surveillance technologies, and new policing powers. This bill will effectively establish Internet surveillance requirements as well as create the conditions for potential disclosure of personal information (IP address, device identification numbers, address, phone number, etc.) without oversight from the courts. It will require ISPs to develop technical surveillance capabilities in order to isolate communications and engage in interception. Police will also be given new powers to access surveillance data. Cyber crime is a serious issue that requires focused attention. However, the possible impact of these proposals on user privacy in Canada is a cause for concern.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/coreflood-and-communication-controls/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Attacks and Controls in RUNET</title>
		<link>http://www.infowar-monitor.net/2011/04/attacks-and-controls-in-runet/</link>
		<comments>http://www.infowar-monitor.net/2011/04/attacks-and-controls-in-runet/#comments</comments>
		<pubDate>Fri, 08 Apr 2011 20:46:31 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[DDOS]]></category>
		<category><![CDATA[Livejournal]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7036</guid>
		<description><![CDATA[<blockquote><strong>Attacks and Controls in RUNET</strong>

This week, a DDoS attack was launched on Livejournal—<a href="http://www.reuters.com/article/2011/04/07/us-russia-medvedev-cyberattack-idUSTRE7367GF20110407">which, with 4.7 million Russian users</a>, has become a powerful forum for political discussion in Russia (Maria Garnaeva of Kaspersky Lab has <a href="http://translate.google.com/translate?js=n&#038;prev=_t&#038;hl=en&#038;ie=UTF-8&#038;layout=2&#038;eotf=1&#038;sl=ru&#038;tl=en&#038;u=http%3A%2F%2Fwww.securelist.com%2Fru%2Fblog%2F40425%2FLiveJournal_pod_atakoy">a great analysis and report of the attack</a>). The attacks began on March 24, from the Optima botnet on prominent Livejournal user Alexei Navalny (who discusses government corruption in <a href="http://navalny.livejournal.com">his blog</a>) as well as a number of other URLs until April 1. By April 4, however, the botnet was launched on many popular Livejournal blogs and effectively caused the Web site to be inaccessible in Russia. The attacks rendered the Web site inaccessible in Russia on March 30 and April 4. </blockquote>]]></description>
			<content:encoded><![CDATA[<p><strong>Attacks and Controls in RUNET</strong></p>
<p>This week, a DDoS attack was launched on Livejournal—<a href="http://www.reuters.com/article/2011/04/07/us-russia-medvedev-cyberattack-idUSTRE7367GF20110407">which, with 4.7 million Russian users</a>, has become a powerful forum for political discussion in Russia (Maria Garnaeva of Kaspersky Lab has <a href="http://translate.google.com/translate?js=n&#038;prev=_t&#038;hl=en&#038;ie=UTF-8&#038;layout=2&#038;eotf=1&#038;sl=ru&#038;tl=en&#038;u=http%3A%2F%2Fwww.securelist.com%2Fru%2Fblog%2F40425%2FLiveJournal_pod_atakoy">a great analysis and report of the attack</a>). The attacks began on March 24, from the Optima botnet on prominent Livejournal user Alexei Navalny (who discusses government corruption in <a href="http://navalny.livejournal.com">his blog</a>) as well as a number of other URLs until April 1. By April 4, however, the botnet was launched on many popular Livejournal blogs and effectively caused the Web site to be inaccessible in Russia. The attacks rendered the Web site inaccessible in Russia on March 30 and April 4. </p>
<p>During the same period, the opposition newspaper Novaya Gazeta was similarly attacked. <a href="http://www.google.com/hostednews/afp/article/ALeqM5gc7ulpaIZ1sZv978DDt6jmFwOO4Q?docId=CNG.1eba7b9c6a49dd1740b439ff354ea2e3.891">It was reported that the newspaper believes that the attack was carried out by those who attacked Livejournal.</a> The large-scale DDoS attack was at one point sending 70,000 visit requests every 14 seconds. </p>
<p>This <a href="http://globalvoicesonline.org/2011/04/06/russia-ddos-attack-on-livejournal-has-russians-debating-internet-politics/">Global Voices post</a> details the current discussion and speculations in Russian cyberspace over the attack. Many have been quick to suggest that the attack was a politically motivated state-sponsored attack whose primary target was Navalny. Another prominent user, <a href="http://dolboeb.livejournal.com/2031265.html">Anton Nosik</a>, suggested that the attack is linked to <a href="http://www.aif.ru/techno/article/41932">a recent article in the newspaper <em>Argumenty i Fakty</em></a>, which suggested that Russian Livejournal users shift to another platform. Nosik understands the attack to be an orchestration by the Russian government to disband the Russian Livejournal community. The Novaya Gazeta has linked the attacks to this year’s parliamentary election and next year’s presidential election in Russia. The paper’s editor <a href="http://www.theglobeandmail.com/news/technology/tech-news/hackers-attack-websites-of-russian-paper-blog/article1976390/">told the Associated Press</a> that he believes the attacks were meant to “discredit the public platforms which express alternative points of views.” The opposition leader has publicly stated, “It&#8217;s quite possible that those people who have ordered the attack are planning the complete crash of Live Journal in the heat of the 2011-2012 election campaign,” writing on his blog Friday. <a href="http://putinwatcher.blogspot.com/2011/04/cyber-war-on-russian-activist-bloggers.html">The PutinWatcher Web site also suggests</a> that the attack was state-sponsored, pointing to the fact that “DDoS attacks have been the favored technique in blogging attacks linked to the Russian government in the past” as seen in the attacks on the Estonian government in 2007 and the Georgian government in 2008, which some have linked to the Russian state. </p>
<p>Recently, Alexander Andreyechkin of Russia’s Federal Security Service <a href="http://www.google.com/hostednews/afp/article/ALeqM5gc7ulpaIZ1sZv978DDt6jmFwOO4Q?docId=CNG.1eba7b9c6a49dd1740b439ff354ea2e3.891">announced</a> that the organization has proposed placing a ban on foreign services such as Skype, Hotmail and Gmail due to the security threats stemming from their “uncontrolled use”—meaning that control of traffic through these services is done from foreign servers—as well as the concern that these services use foreign-made encryption technology. These comments were later revoked. </p>
<p>These recent attacks are occurring against a backdrop of intensified control over Russian cyberspace this year (see <a href="http://opennet.net/blog/2011/04/second-and-third-generation-controls-rise-russian-cyberspace">this OpenNet Initiative post</a> for more details)—for instance, the launch of the <a href="http://www.rferl.org/content/russia_laimches_initiative_to_police_internet/2301671.html">League of Internet Safety</a>, and the rise of the so-called “<a href="http://globalvoicesonline.org/2011/03/21/russia-human-bots-fight-opposition/">30 Ruble Army</a>.” The Russian government has, however, <a href="http://www.themoscowtimes.com/news/article/state-blamed-in-livejournal-attack/434552.html">denied the allegations</a>. In fact, <a href="http://community.livejournal.com/blog_medvedev">Medvedev’s own Livejournal blog</a> suffered from the attack. Attribution is often difficult to determine; however, what is significant is that these recent attacks are consistent with the controls in Russian cyberspace as documented by Ronald Deibert and Rafal Rohozinski (see Deibert and Rohozinski&#8217;s <a href="http://www.access-controlled.net/wp-content/PDFs/chapter-2.pdf">Control and Subversion in Russian Cyberspace</a>)—for instance, the deployment of next generation information controls (such as DDoS attacks) characterized by “just in time” blocking or event-based denial of selected content or services.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/attacks-and-controls-in-runet/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>‘Paranoia Meter’ Is HBGary’s Plot to Find the Pentagon’s Next WikiLeaker</title>
		<link>http://www.infowar-monitor.net/2011/04/%e2%80%98paranoia-meter%e2%80%99-is-hbgary%e2%80%99s-plot-to-find-the-pentagon%e2%80%99s-next-wikileaker/</link>
		<comments>http://www.infowar-monitor.net/2011/04/%e2%80%98paranoia-meter%e2%80%99-is-hbgary%e2%80%99s-plot-to-find-the-pentagon%e2%80%99s-next-wikileaker/#comments</comments>
		<pubDate>Fri, 08 Apr 2011 19:32:07 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[Wikileaks]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7028</guid>
		<description><![CDATA[Source: <a href="http://www.wired.com/dangerroom/2011/04/paranoia-meter-hbgarys-plot-to-find-the-next-pentagon-wikileaker/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed:+wired/index+%28Wired:+Index+3+%28Top+Stories+2%29%29&#038;utm_content=Twitter" target="_blank">Spencer Ackerman</a>, Wired
  <blockquote>
Just because you’re paranoid doesn’t mean that HBGary won’t create a rootkit to record your keystrokes, read your e-mail and track where you move your mouse.

Most (in)famous for proposing a wide-ranging plan to discredit the defenders of WikiLeaks, the security company HBGary Federal recently pitched the Pentagon’s premier research branch on a Paranoia Meter to hunt down the next Bradley Manning.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.wired.com/dangerroom/2011/04/paranoia-meter-hbgarys-plot-to-find-the-next-pentagon-wikileaker/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed:+wired/index+%28Wired:+Index+3+%28Top+Stories+2%29%29&amp;utm_content=Twitter" target="_blank">Spencer Ackerman</a>, Wired</p>
<p>Just because you’re paranoid doesn’t mean that HBGary won’t create a rootkit to record your keystrokes, read your e-mail and track where you move your mouse.</p>
<p>Most (in)famous for proposing a wide-ranging plan to discredit the defenders of WikiLeaks, the security company HBGary Federal recently pitched the Pentagon’s premier research branch on a Paranoia Meter to hunt down the next Bradley Manning.</p>
<p>The proposal was valuable enough to the company that CEO Aaron Barr wrote it himself. Barr resigned in the wake of the firm’s WikiLeaks scandal.</p>
<p>Last August, as Danger Room reported, blue-sky research firm Darpa asked software engineers to design a system to sift through Defense Department e-mail, web and network usage for “anomalous missions” indicating that a user might intend to siphon sensitive information to unauthorized entities. The program is called CINDER, short for the Cyber Insider Threat Program. It’s managed by legendary hacker Peiter “Mudge” Zatko.</p>
<p>Months before HBGary became synonymous with an attack against WikiLeaks and its posse, Barr offered Darpa a way to make CINDER a reality, potentially taking down the next big U.S. government secret-leaker.</p>
<p>Barr’s September 17 proposal to Darpa envisioned CINDER as an online lie detector, searching for peaks and troughs in virtual “adrenaline” during a user’s network activity. (The story was reported by our sister site Ars Technica in February.) “[W]e will have a rootkit on the host that monitors keystrokes, mouse movements, and visual cues through the system camera,” Barr pitched.</p>
<p>“We believe that during particularly risky activities we will see more erratic mouse movements and keystrokes,” wrote Barr, “as well as physical observations such as surveying surroundings, shifting more frequently, etc.”</p>
<p>He called his proposed creation a “Paranoia Meter” — a “human factor and activity correlation engine.”</p>
<p>That requires collecting a lot of data, HBGary’s proposal acknowledges: The only way to judge anomalous user behavior is to create a model for normal behavior; that in turn requires mapping normal behavior for the median user — which in the Defense Department’s case is millions of people.</p>
<p>“[Y]ou can create way too many false positives,” Barr’s proposal concedes. “That said, the approach is fundamental to detecting insider threat activity.”</p>
<p>HBGary’s CINDER would use the methods of a malicious user in order to catch one. Using a rootkit program gives an outsider the same privileges as a network administrator. HBGary would “collect select file access, process execution with parameters, e-mail communications, keyboard activity with a time/date stamp, network/TDI activity (and the actual network data if appropriate), and IM traffic.”</p>
<p>The rootkit could be configured to provide security officers with “screenshots and … a video stream” of suspicious behavior. And it would exfiltrate data to a controlling server by a process that “emulate[s] outbound HTTP browsing.”</p>
<p>Once collected, data would be assigned a numeric value varying with a specific user, in order to gauge who’s suspicious and who isn’t. For example: “Do they encrypt files (+10), do they regularly explore the data stores (+5). Are they part of a corporate effort to bring horizontal visibility across their business verticals (-5). Is the person a prolific author and not just a consumer of data on a particular topic or program (-10).”</p>
<p>Nor did HBGary expect to keep its “Paranoia Meter” limited to Defense Department use. “HBGary plans to transition technology into commercial products,” it specified in its proposal.</p>
<p>Darpa hasn’t issued a contract for CINDER yet. So far, it’s collected just over 50 interested vendors, ranging from mega-intel contractors like California’s SAIC to Virginia’s Blackbird Technologies, an internet security firm that recently branched out into warzone personnel-recovery tech. HBGary isn’t on the newest vendor list.</p>
<p>HBGary came in for a world of hurt after Barr boasted of how easy it was to discover the identities of WikiLeaks’ defenders. The hacktivist and prankster group Anonymous retaliated, big time, by posting torrents of internal HBGary e-mails.</p>
<p>In some messages, the firm claims to work with the FBI to unmask Anonymous members through their online habits. In others, Barr suggests targeting the financial supporters of WikiLeaks (“…get people to understand that if they support the organization we will come after them….”) and to threaten the livelihoods of pro-WikiLeaks writers like Salon’s Glenn Greenwald.</p>
<p>In response, a House subcommittee demanded last month that the Defense Department disclose any contracts it holds with HBGary. (The firm also wrote a proposal for Darpa’s “Cyber Genome” project.)</p>
<p>And, after Anonymous hacked his Twitter account and disclosed 60,000 of the firm’s e-mails — making a mockery of his claims to provide his clients with online security — Barr resigned as CEO in late February.</p>
<p>Whether that makes HBGary too radioactive for Darpa’s CINDER contract remains to be seen. If not, soldiers at the Morale Welfare and Recreation computer labs might find themselves secretly monitored under the suspicion that they’re the next Bradley Manning.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/%e2%80%98paranoia-meter%e2%80%99-is-hbgary%e2%80%99s-plot-to-find-the-pentagon%e2%80%99s-next-wikileaker/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The RSA Cyber Attack and the Emergence of the Cyber Military Industrial Complex</title>
		<link>http://www.infowar-monitor.net/2011/04/6987/</link>
		<comments>http://www.infowar-monitor.net/2011/04/6987/#comments</comments>
		<pubDate>Fri, 01 Apr 2011 20:06:50 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=6987</guid>
		<description><![CDATA[<strong>The RSA cyber attack and the emergence of the cyber military industrial complex</strong>
<blockquote>
Two weeks ago, <a href="http://www.infowar-monitor.net/2011/03/cyber-attacks-the-economy-of-cyber-security-and-ongoing-government-initiatives-in-cybersecurity-a/">the security firm RSA announced</a> that its security systems had a cyber attack launched against it. The attack resulted in the extraction of information pertaining to its SecurID two-factor authentication products. Without many details from RSA on the attack, analysis has been largely speculative.</blockquote>]]></description>
			<content:encoded><![CDATA[<p><strong>The RSA Cyber Attack and the Emergence of the Cyber Military Industrial Complex</strong></p>
<p>Two weeks ago, <a href="http://www.infowar-monitor.net/2011/03/cyber-attacks-the-economy-of-cyber-security-and-ongoing-government-initiatives-in-cybersecurity-a/">the security firm RSA announced</a> that its security systems had a cyber attack launched against it. The attack resulted in the extraction of information pertaining to its SecurID two-factor authentication products. Without many details from RSA on the attack, analysis has been largely speculative. Although Brian Krebs of <a href="http://www.krebsonsecurity.com">Krebs on Security</a> acknowledges this limitation, <a href="http://krebsonsecurity.com/2011/03/domains-used-in-rsa-attack-taunted-u-s/">his recent analysis of the attack</a>—based on an unclassified document from the US-CERT—is interesting.</p>
<p>Krebs found that some of the domains used in the attack were tongue-in-cheek taunts against the US, for instance: www usgoodluck .com; obama .servehttp .com; and prc .dynamiclink .ddns .us (spaces in links are deliberate). Krebs found that the domains trace back to ‘dynamic DNS providers’ which are popular in the attacker community. In speaking with the founder of the dynamic DNS provider responsible for the root domains involved in the attack, he found that 99 percent of the time that the attackers logged in to change an IP address for a domain, the attackers were logging in from an address in China. He also found that a closer look at the domains shows that attackers used familiar tools that had been previously used in attacks attributed to China. Nonetheless, Krebs notes that the most important question has not been answered: “How much information did the attackers get, and can organizations still trust SecurID tokens as an authentication mechanism?”</p>
<p>In the aftermath of the RSA attack, US Senator Susan Collins of the Senate Homeland Security and Governmental Affairs Committee <a href="http://thehill.com/blogs/hillicon-valley/technology/150863-collins-issues-new-call-for-cyber-security">is pushing Congress to pass comprehensive cybersecurity legislation</a>: “The cyber-attack revealed by RSA today underscores the serious and sophisticated cyberthreat we face. Congress needs to fundamentally reshape how the federal government works collaboratively with the private sector to address all cyber threats, from espionage and cyber crime to attacks on the most critical infrastructure. The need to pass comprehensive cyber security legislation is more urgent than ever.&#8221;</p>
<p>Meanwhile, <a href="http://www.nationaljournal.com/tech/pentagon-seeks-3-2-billion-for-revised-cyber-budget-20110325">the Pentagon has revised its 2011 budget plan and is now requesting USD 3.2 billion to boost cybersecurity</a>. For a breakdown of how this money will be allocated, see <a href="http://www.nextgov.com/nextgov/ng_20110329_1325.php">here</a>. <a href="http://www.nextgov.com/nextgov/ng_20110329_4961.php?oref=rss">This Next.Gov article </a>suggests that it is hard to pin down the funding for defense, with one critic stating, &#8220;This is a perfect example of &#8216;What are we spending money for? It&#8217;s unclear.”</p>
<p><a href="http://www.nationaljournal.com/tech/pentagon-seeks-3-2-billion-for-revised-cyber-budget-20110325">USD 444 million of the budget will cover elements “outside traditional information assurance accounts,” meaning cyber operations, security innovations and forensics. </a> This week, <a href="http://www.theglobeandmail.com/news/opinions/opinion/the-new-cyber-military-industrial-complex/article1957159/">Ronald Deibert and Rafal Rohozinski warned against the establishment of the cyber military industrial complex</a> which is emerging out of the market opportunities now being offered for those in the defense and security industries. This week, <a href="http://opennet.net/west-censoring-east-the-use-western-technologies-middle-east-censors-2010-2011">the OpenNet Initiative released <em>West Censoring East: The Use of Western Technologies by Middle East Censors, 2010-2011</em></a>, a report that details the complicity of Western companies (Websense, Netsweeper, Intel) in the online censorship of over 20 million citizens in nine countries in the Middle East and North Africa. <a href="http://online.wsj.com/article/SB10001424052748704438104576219190417124226.html?mod=wsj_share_twitter">This Wall Street Journal article </a>details the findings of the OpenNet Initiative report.</p>
<p>Just a few weeks ago, the United States Central Command (CENTCOM) awarded a USD 2.76 million contract to <a href="http://www.ntrepidcorp.com/">Ntrepid</a> to develop a so-called “online persona management service” software which will allow the military to manipulate social media sites by controlling/influencing online conversations and spreading propaganda through fake online profiles (known as “sock puppets”) in foreign languages (including Arabic, Farsi, Urdu and Pashto). According to CENTCOM, “The technology supports classified blogging activities on foreign-language websites to enable Centcom to counter violent extremist and enemy propaganda outside the US.” <a href="http://www.guardian.co.uk/technology/2011/mar/17/us-spy-operation-social-networks">According to the Guardian</a>, it is thought that this contract is a part of Operation Earnest Voice—a military programme developed in Iraq as a psychological warfare weapon.</p>
<p>How the emerging cyber <a href="http://www.topsecretamerica.com">military industrial complex</a> will shape the Internet for users is increasingly becoming a concern. In the United States, the leak of HBGary’s <a href="http://arstechnica.com/tech-policy/news/2011/03/democrats-push-for-congressional-investigation-of-hbgary-federal.ars">plans</a> for a &#8220;reconnaissance cell&#8221; and to use disinformation to infiltrate, discredit and disturb pro-union organizers, union-backed Web sites, and Chamber of Commerce critics, including U.S. Chamber Watch, Change to Win (Union Federation), and Service Employees International Union, has <a href="http://www.washingtonpost.com/wp-dyn/content/article/2011/02/28/AR2011022805810.html">led House Democrats to push for Congressional investigation</a> <a href="http://www.scribd.com/doc/49777524/Hunton-Williams-Investigation-letter">into correspondence and documents from parties involved</a>, as well as other government contracts involving the contractors in the scandal.</p>
<p><a href="http://blogs.forbes.com/parmyolson/2011/03/23/congressman-probing-hbgary-scandal-fears-domestic-surveillance/">Last week, Forbes spoke with Rep. Hank Johnson</a>, who expressed concerns over domestic surveillance and the contracts emerging out of the cyber military industrial complex: “[We're] talking about government contractors who may have developed tools to track and control information from foreign terrorists organizations. When those contractors using that kind of technology, developed pursuant to government contract and utilizing American tax payer dollars, then turn the tools into domestic surveillance and marketing to business organizations, with the goal of discrediting and disrupting and actually destroying organizations that disagree with their clients, doing that domestically is like turning spying tools on the very people who paid for them.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/6987/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

