<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Villeneuve</title>
	<atom:link href="http://www.infowar-monitor.net/tag/villeneuve/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Fri, 30 Jul 2010 21:00:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Palantir Night Live: Nart Villeneuve</title>
		<link>http://www.infowar-monitor.net/2010/03/palantir-night-live-nart-villeneuve/</link>
		<comments>http://www.infowar-monitor.net/2010/03/palantir-night-live-nart-villeneuve/#comments</comments>
		<pubDate>Tue, 23 Mar 2010 21:13:45 +0000</pubDate>
		<dc:creator>nvilleneuve</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[NYT]]></category>
		<category><![CDATA[Palantir]]></category>
		<category><![CDATA[SecDev]]></category>
		<category><![CDATA[Sergey]]></category>
		<category><![CDATA[TED]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5901</guid>
		<description><![CDATA[Tuesday, March 23, 2010 from 5:30 PM - 7:30 PM (ET) &#124; McLean, VA


<a href="http://pnl20100323.eventbrite.com/">Event Details</a>:

Join us for the inaugural Palantir Night Live (PNL) forum with Nart Villeneuve, Chief Security Officer for the SecDev Group, who will discuss some of his experiences as a lead technical investigator on GhostNet, the Chinese cyberspying ring that most notably hacked into the Dalai Lama's account (read the New York Times article for more details), as well as a variety of other cyber investigations.

Attendance is limited, in order to allow for an open forum conducive to discussion. 

Registration is first come, first served. Food and refreshments will be available.

Please email questions/comments to: pnl@palantirtech.com

March 23rd, 5:30-7:30pm EST
Palantir Technologies
1660 International Drive
Suite 800
McLean, VA 22102

Read about Sergey Brin's GhostNet talk at the 2010 TED conference.]]></description>
			<content:encoded><![CDATA[<p>Tuesday, March 23, 2010 from 5:30 PM &#8211; 7:30 PM (ET) | McLean, VA</p>
<p><a href="http://pnl20100323.eventbrite.com/">Event Details</a>:</p>
<p>Join us for the inaugural Palantir Night Live (PNL) forum with Nart Villeneuve, Chief Security Officer for the SecDev Group, who will discuss some of his experiences as a lead technical investigator on GhostNet, the Chinese cyberspying ring that most notably hacked into the Dalai Lama&#8217;s account (read the New York Times article for more details), as well as a variety of other cyber investigations.</p>
<p>Attendance is limited, in order to allow for an open forum conducive to discussion. </p>
<p>Registration is first come, first served. Food and refreshments will be available.</p>
<p>Please email questions/comments to: pnl@palantirtech.com</p>
<p>March 23rd, 5:30-7:30pm EST<br />
Palantir Technologies<br />
1660 International Drive<br />
Suite 800<br />
McLean, VA 22102</p>
<p>Read about Sergey Brin&#8217;s GhostNet talk at the 2010 TED conference.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/palantir-night-live-nart-villeneuve/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>@nartv: The Aurora Mess</title>
		<link>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/</link>
		<comments>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 23:36:37 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[0day]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[attribution]]></category>
		<category><![CDATA[Aurora]]></category>
		<category><![CDATA[Bejtlich]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[C&C]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[copycats]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Damballa]]></category>
		<category><![CDATA[Danchev]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[dynnamic DNS]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[Fake AV]]></category>
		<category><![CDATA[FT]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Hydraq]]></category>
		<category><![CDATA[iDefense]]></category>
		<category><![CDATA[Kneber]]></category>
		<category><![CDATA[Lanxiang Vocational School]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Mandiant]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[Shanghai Jiaotong University]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[US cyber doctrine]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5820</guid>
		<description><![CDATA[Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> &#124; <a href="http://www.nartv.org/about/">Nart Villeneuve</a>

Tags: Aurora, Botnets, China, Google, Malware.

<blockquote>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.

When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).

Maybe it is that some name domains that hosted the exploit but do not provide details on the C&#038;Cs that compromised hosts check in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably, it is difficult to get a handle on exactly what is what.

Google says the attacks were “highly sophisticated and targeted” (as do McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.

Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military, others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was behind the attacks whether or not “amateurs” were used.

So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out, there’s more to it than just the technical aspects of malware; there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.

This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection, and it included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.

The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed; however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).

CnC_Domain.1
CnC_Domain.2
CnC_Domain.3
CnC_Domain.4
blog1.servebeer.com

At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names is linked.

baltika1.servebeer.com
m7been.zapto.org
miecros.info
mcsmc.org
yahoo.blogdns.net
filoups.info
google.homeunix.com

While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.

Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”

Fake AV Alert / Scareware
mcsmc.org
micronetsys.org
mnprfix.cn
filoups.info
miecros.info

Fake Microsoft Antispyware
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com
ip-173-201-21-161.ip.secureserver.net
inekoncuba.inekon.co.cu
google.homeunix.com
yahoo.blogdns.net
voanews.ath.cx
ymail.ath.cx

So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).

Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.

For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.

The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.

virtualmits.com
syswa.cn
thcway.info
searchnix.info
wscntgy.com
google-analitics.in
licagreem.in
jusched.in

The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists, such as the one by US CERT, created? How were these domains bundled together?

In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.

I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?

Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:

    * It is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.

The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate, it does raise the important issue of the relationship between crimeware and espionage.

But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.nartv.org/2010/03/04/the-aurora-mess/">The Aurora Mess</a> | <a href="http://www.nartv.org/about/">Nart Villeneuve</a></p>
<p>Tags: Aurora, Botnets, China, Google, Malware.</p>
<blockquote><p>The data about Aurora has always felt just a little off for me. Maybe it’s that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together.</p>
<p>When it comes to the command and control infrastructure, maybe it’s that some obfuscated the domain names while others published them, but with a domain on the blog post that’s not in the technical write-up. Maybe it is that some have significantly bigger lists than others (that include duplicates as well as the root domain for a dynamic DNS provider that hands out sub-domains).</p>
<p>Maybe it is that some name domains that hosted the exploit but do not provide details on the C&#038;Cs that compromised hosts check in with. Maybe the difference between the long lists and short lists is that some are including “copycats” — sites that host the IE exploit. Since “Aurora” is now being used to refer to the specific attack on Google, the 0day vulnerability in Internet Explorer (that was apparently used), and the malware that was apparently dropped by the exploit (Hydraq) interchangeably, it is difficult to get a handle on exactly what is what.</p>
<p>Google says the attacks were “highly sophisticated and targeted” (as do McAfee, Mandiant, and iDefense) while Damballa says that it was the work of amateurs, Dancho Danchev says that “[i]t’s in fact [an] average team” and Mikko Hypponen says “[t]his wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” OK, well, that’s quite the continuum of “sophistication.” Back to that in a bit.</p>
<p>Attribution? The New York Times reported that the attacks were traced to two schools in China: Shanghai Jiaotong University and the Lanxiang Vocational School. While some have drawn links between these schools and the Chinese military, others cast doubt on it. The Financial Times reports that “a freelance security consultant in his 30s” in China wrote (part of) the Internet Explorer exploit but “is not a full-time government worker, did not launch the attack, and in fact would prefer not be used in such offensive efforts.” Hmm. OK. Mandiant indicated that the quality of the exploit points toward some kind of relationship with the Chinese state, while iDefense, looking at the command and control infrastructure, pretty unambiguously states that the Chinese State was behind the attacks whether or not “amateurs” were used.</p>
<p>So here we are at the crossroads of the exploit, the malware, and the command and control infrastructure. And as Richard Bejtlich points out, there’s more to it than just the technical aspects of malware; there is, as Mike Cloppert describes, a range of indicators that allow one to characterize the adversary behind the attacks. Clearly, most of us relying on public sources do not have a sufficient level of detailed information to analyse the attack on Google with such depth.</p>
<p>This brings me back to the Damballa report. I really liked this report because it focused on the command and control infrastructure, it was based on interesting data collected via passive DNS data collection, and it included many interesting conclusions and enough detail to begin connecting their data with other publicly available data. In fact, one of the most interesting observations for me was evidence that the DNS resolutions indicate that Google China was compromised first, followed by Google in Mountain View some 17 hours later. Still, there are parts of the report that are confusing to me.</p>
<p>The Damballa report starts by looking at “five CnC domain names associated with the Aurora botnet” that were publicly disclosed; however, these domain names are not explicitly stated in the report. The most seemingly authoritative list, from Symantec, for example, lists 7 domains. The starting point appears to be “blog1.servebeer.com”. This one is common to all lists (except Symantec’s technical write-up). The domain servebeer.com is a Dynamic DNS service offered by No-IP that allows people to register sub-domains such as “blog1.” Based on factors such as “DDNS credentials” Damballa linked the following domains together (four of which are not disclosed).</p>
<p>CnC_Domain.1<br />
CnC_Domain.2<br />
CnC_Domain.3<br />
CnC_Domain.4<br />
blog1.servebeer.com</p>
<p>At some point each of the 5 domains above pointed at at least one of the “IP addresses associated with two of the CnC servers used during the Aurora attack.” The IPs were not disclosed. Therefore, I am not entirely sure of how the next group of domain names is linked.</p>
<p>baltika1.servebeer.com<br />
m7been.zapto.org<br />
miecros.info<br />
mcsmc.org<br />
yahoo.blogdns.net<br />
filoups.info<br />
google.homeunix.com</p>
<p>While the last 2 domains (filoups.info and google.homeunix.com) appear on the US CERT list of “Aurora” domains, the first 5 domains (baltika1.servebeer.com, m7been.zapto.org, miecros.info, mcsmc.org, and yahoo.blogdns.net) do not.</p>
<p>Damballa then links this second group to “two distinct families of Fake AV Alert / Scareware: Login Software 2009 and Microsoft Antispyware Services.”</p>
<p>Fake AV Alert / Scareware<br />
mcsmc.org<br />
micronetsys.org<br />
mnprfix.cn<br />
filoups.info<br />
miecros.info</p>
<p>Fake Microsoft Antispyware<br />
ec2-79-125-21-42.eu-west-1.compute.amazonaws.com<br />
ip-173-201-21-161.ip.secureserver.net<br />
inekoncuba.inekon.co.cu<br />
google.homeunix.com<br />
yahoo.blogdns.net<br />
voanews.ath.cx<br />
ymail.ath.cx</p>
<p>So, filoups.info links the “Fake AV Alert / Scareware” to the US CERT list of “Aurora” domains and google.homeunix.com links the “Fake Microsoft Antispyware” to the US CERT list of “Aurora” domains. Both appear in Damballa’s second cluster (which has an unclear relationship with the first cluster).</p>
<p>Using the Damballa list along with samples from ThreatExpert I compiled a list that included a few additional domain names. I included domain names that the individual piece of malware requested that had similar paths to those identified by Damballa and excluded those that appeared to be other malware or SEO URLs.</p>
<p>For example, one sample contains google.homeunix.com, yahoo.blogdns.net, tyuqwer.blogdns.com, and tyuqwer.dyndns.org. The domains google.homeunix.com and tyuqwer.dyndns.org appear on the US CERT list, yahoo.blogdns.net appears on the Damballa list and tyuqwer.blogdns.com appears on neither. Another sample contains google.homeunix.com, tyuqwer.dyndns.org, blogspot.blogsite.org and voanews.ath.cx. All of these domains appear on the US CERT list; google.homeunix.com and voanews.ath.cx appear on the Damballa list.</p>
<p>The next grouping largely focuses on “mcsmc.org” and the domain names that appear with it and request similar URL paths but are not in the Damballa report.</p>
<p>virtualmits.com<br />
syswa.cn<br />
thcway.info<br />
searchnix.info<br />
wscntgy.com<br />
google-analitics.in<br />
licagreem.in<br />
jusched.in</p>
<p>The relationships between the domains can be built out further, especially if we include common IP addresses. I think this indicates that there are a variety of conclusions being drawn based on data that comes bundled with a variety of assumptions. For example, is the sample detailed by Symantec the same — as opposed to similar to — the one used in the attack on Google? How were these “master” lists, such as the one by US CERT, created? How were these domains bundled together?</p>
<p>In the Damballa report in particular there are a few additional assumptions that I am not entirely sure of. First, I’m not sure that DDNS == amateur. Many of the targeted attacks on civil society and human rights groups I’ve looked at used DDNS. And while many DDNS providers do cooperate with the security industry and law enforcement, the ones in China (like 3322.org) don’t. Moreover, I’m not sure that “amateur” necessarily excludes state involvement — even governments can engage in behaviour that would be considered amateurish. And would you want to tip off state involvement by being uber3l33t? The logic just starts to become circular after a while, especially if you only focus on the technical aspects.</p>
<p>I mean, if we take Google at their word and believe that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists” how do we explain the connection to (probably Eastern European) SEO and related common malware?</p>
<p>Even if we assume that the “master” list is accurate, Damballa does raise some alternative explanations for the association between the two:</p>
<p>    * It is possible that two different groups purchased the services of the same crimeware group (probably the same people behind Operation Aurora) to distribute and manage their malware family. Or the crimeware group rented out different variants of the same malware to different groups with different intentions.<br />
    * There is no natural progression seen between the two families. Usually malware writers evolve in both technology and protection of their creation but these two families did not show any related evolution. The malware families appear to exist independently, and then become superseded by Trojan.Hydraq.</p>
<p>The relationship between crimeware — or common botnet operators/kits — and targeted malware attacks in order to extract sensitive data (some might call this espionage) is something I tried to explore in “The “Kneber” Botnet, Spear Phishing Attacks and Crimeware.” Again, given the lack of precise data I don’t claim to know what’s going on in the Google case — in fact, I may have just made it worse with this post. But if we accept the links that Damballa has found to be accurate, it does raise the important issue of the relationship between crimeware and espionage.</p>
<p>But, maybe, we’re jumping to conclusions based on faulty assumptions. I just don’t know. It is still a mess.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/nartv-the-aurora-mess/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Chinese hacked Google, and why India should worry</title>
		<link>http://www.infowar-monitor.net/2010/03/how-chinese-hacked-google-and-why-india-should-worry/</link>
		<comments>http://www.infowar-monitor.net/2010/03/how-chinese-hacked-google-and-why-india-should-worry/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 22:12:04 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Dalai Lama]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Greg Walton]]></category>
		<category><![CDATA[guerilla warfare]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[Rohozinski]]></category>
		<category><![CDATA[Shishir Nagaraja]]></category>
		<category><![CDATA[Snooping Dragon]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5810</guid>
		<description><![CDATA[Source: <a href="http://business.rediff.com/slide-show/2010/mar/02/slide-show-1-tech-interview-how-chinese-hacked-google-and-why-india-should-worry.htm">Claude Arpi</a>, Rediff

<blockquote>The recent announcement by the United States giant search engine Google that it might withdraw from China made the headlines in world media. The Google decision highlighted the aggressiveness of the Chinese hackers who had been penetrating cyber fortresses like the Pentagon or the White House (as well as the PMO or the MEA in India!).

Claude Arpi spoke to Shishir Nagaraja, the co-author (with Ross Anderson) of The Snooping Dragon: Social malware Surveillance of the Tibetan Movement, published by University of Cambridge Computer Laboratory in March 2009.

Shishir Nagaraja, currently associated with the Information Trust Institute of the University of Illinois (US), tells rediff.com, not only about the Google episode, but also his experience with the Office of the Dalai Lama in Dharamsala and the world of hackers, in general.

He believes that we have only seen the beginnings of the cyberwar, the 'war of tomorrow'. In the not-too-distant future, it will affect each one of us.</blockquote>
]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://business.rediff.com/slide-show/2010/mar/02/slide-show-1-tech-interview-how-chinese-hacked-google-and-why-india-should-worry.htm">Claude Arpi</a>, Rediff</p>
<blockquote><p>The recent announcement by the United States giant search engine Google that it might withdraw from China made the headlines in world media. The Google decision highlighted the aggressiveness of the Chinese hackers who had been penetrating cyber fortresses like the Pentagon or the White House (as well as the PMO or the MEA in India!).</p>
<p>Claude Arpi spoke to Shishir Nagaraja, the co-author (with Ross Anderson) of The Snooping Dragon: Social malware Surveillance of the Tibetan Movement, published by University of Cambridge Computer Laboratory in March 2009.</p>
<p>Shishir Nagaraja, currently associated with the Information Trust Institute of the University of Illinois (US), tells rediff.com, not only about the Google episode, but also his experience with the Office of the Dalai Lama in Dharamsala and the world of hackers, in general.</p>
<p>He believes that we have only seen the beginnings of the cyberwar, the &#8216;war of tomorrow&#8217;. In the not-too-distant future, it will affect each one of us.</p></blockquote>
<p>What according to you has happened with Google in China?</p>
<p>From what I could gather, they targeted some people connected to the Tibetan movement and some mainland activists.</p>
<p>The second aspect is that the infrastructure used by Google to carry out censorship in China was a part of the attack. Not very much has been made public by Google in this regard, so we can&#8217;t be very sure.</p>
<p>Third, Google itself was a victim and they claim to have lost intellectual property. What we know for sure is that the email accounts of the Tibetan activists were read regularly from IP addresses in China.</p>
<p>What is new in these attacks? One reads that they were highly sophisticated?</p>
<p>No, it is the same old story. Nothing is new. It is the same thing that we wrote about [The Snooping Dragon report] or Greg Walton wrote about [Tracking GhostNet report]. Same thing!</p>
<p>The only new thing is that they have targeted Gmail addresses, but this was known to us. In fact, I had approached Google in September [2008] after the Office of the Dalai Lama&#8217;s Representative in New York had got in touch with me; they had found out that somebody had maliciously configured their SMTP [outgoing mail] server so that it would forward all their emails to a certain Google account.</p>
<p>It is interesting because a lot of space is needed for this and Google has that space. Isn&#8217;t it better to use something already available?</p>
<p>The Dalai Lama&#8217;s Office [in New York] found out that even that [Google account] space had overflowed; they had not removed the wiretap and the forwarded mail started bouncing from Google. It is then that they realised what was going on.</p>
<p>When I was approached, I advised them to talk to Google. Later, on their behalf, I informally talked to the person in Google responsible for investigating malicious activity. He said, &#8216;You can put in a formal complaint if you want, but there is not much that we can do.&#8217; This is the response that I got.</p>
<p>Some 30 other companies are said to have been attacked at the same time.</p>
<p>Yes, we had projected [such attacks] in our report. In fact, the theft of Google&#8217;s IP is exactly the sort of attack we warned against. We had said that more and more people will use tactics pioneered by the &#8216;Chinese hackers&#8217;. The attack this time is not different; the attack vector is the same, &#8216;abuse of social trust&#8217;.</p>
<p>The [attackers] make your emails look like they are from someone you trust, not from a stranger. This is done by replaying past messages with minor modifications, and I expect the attackers will mature to the point of using victim input in real time to construct attack emails: for instance, by embedding malware into an attachment even as the victim composes a message.</p>
<p>Now for that part about why Google is behaving like this [threatening to withdraw]? There are no new technical reasons for doing so. There might be business reasons though. It is a tough market. They don&#8217;t have a large share in China compared to their competitors.</p>
<p>This could be a face-saving excuse or a bargain-striking manoeuvre, I don&#8217;t know.</p>
<p>Ultimately, to threaten to withdraw is good for their image?</p>
<p>It is favourable to their image. There is a lot of anti-China sentiment in the West. [Google&#8217;s decision] plays into this, while giving them a good reason to withdraw, though I am not sure that they really want to withdraw, because the political censorship climate has remained unchanged in China.</p>
<p>Ten/fifteen years ago, when they came to China, the Chinese government told them the same thing: you have to censor the Web. Today, Google says: &#8216;We are negotiating with the Chinese government. We don&#8217;t want to censor the Web!&#8217; The reasons stated now to leave the market were valid even when they entered the market.</p>
<p>Playing in a capitalist world, Google knew the rules of the game, and they were willing to play by it as long as they turned a profit. It was the same then, it has not changed, formally or informally.</p>
<p>Since 1989, the Chinese government is clear about their policy of censorship.</p>
<p>Could you tell us about your experience with the Office of His Holiness the Dalai Lama (OHHDL)? Tell us about Snooping Dragon. It seems to have been interesting in the sense that you found an organisation willing to be openly studied, which is not the case for governments, banks, the Army, etc.</p>
<p>Yes, it is not usual, though since 2004 there have been some cases documented through Congressional hearings. In contrast, by agreeing to make the findings public, the Buddhists have shown themselves to be truly enlightened.</p>
<p>Though, from a political perspective, agreeing to make the subject public made a lot of sense [for them]. In the diplomatic battle between China and Tibet, the latter has always sought to portray an image of a victim set against an aggressive Chinese position.</p>
<p>It played [in favour] of their PR image. However, banks, governments and companies seek an image of &#8216;nothing is wrong with our security&#8217;. But this is a rational explanation. I don&#8217;t think His Holiness invited us with this in mind.</p>
<p>When we were invited to have a look, the OHHDL was not aware of the extent of damage being caused by the attacks much less being in a position to perform accurate diplomatic calculations.</p>
<p>It was quite bad?</p>
<p>Oh, yes, it was bad. Their electronic infrastructure was completely compromised. The bad news is that this attack can also be carried out on any usable computing infrastructure, with very few exceptions. Very few people believed in this assertion when our report came out, but the successful attacks on Google vindicate our position.</p>
<p>Could, for example, the attackers have known the position of the Dalai Lama&#8217;s team before they went to Beijing for talks?</p>
<p>Very much possible if their position [for talks] was prepared and recorded on the computers. These days, the OHHDL is fairly tech savvy and uses email and electronic storage for almost all their activities.</p>
<p>The Chinese stole detailed meeting notes, plans for school construction, basically any data sitting on an OHHDL computer was lifted. One of the most important was the refugee database.</p>
<p>It means all the registration details of all the Tibetan refugees who had fled to India.</p>
<p>The sys-admin took it offline as soon as he realised that the attack was going on. Regarding the sys-admins, I have a lot of respect for the decisions they took. They took the right decisions, and the level of response, with speed and accuracy, would be in line with the best trained sys-admins.</p>
<p>It is quite commendable really. They found a problem, and they asked experts for help immediately without trying to hide the problem or hoping it would go away. . . they wanted to find out. They found the best experts to help them. Usually the IT security culture of most organisations is to hide mistakes.</p>
<p>The sort of openness that the OHHDL has in matters of general policy as well in the management of their computer security is very commendable.</p>
<p>It is because of this culture [of openness] that they were able to discover the extent of surveillance going on. And for these reasons, we are much more aware of Chinese info-warfare capability.</p>
<p>To what extent the security holes have been closed, I am not sure. I don&#8217;t think they have been closed. They are very much there and the attacks might be repeatable; it is a tough problem to solve.</p>
<p>If embassies or government offices can be attacked, one can presume that it is easier to penetrate a relatively smaller office like the Dalai Lama&#8217;s?</p>
<p>Yes, you are right. Similarly, if Google can be attacked, then most companies can be successfully targeted as well.</p>
<p>A news item mentioned that Tibetans would have stolen data from the Chinese, particularly the laptop of a lady-member of the United Front Works Department, the Chinese ministry dealing with the Dalai Lama&#8217;s Envoys. Are you aware of this?</p>
<p>I don&#8217;t know. I have not heard about this.</p>
<p>There is always the question of what constitutes proof in a computer security investigation. In the case of the OHHDL, the evidence I have used during the investigation wasn&#8217;t the IP address of the control server or similar information.</p>
<p>The main evidence comes from the fact that the Chinese foreign ministry used some of the intelligence information gathered from electronic surveillance and used it to apply diplomatic pressure on those invited to meet with the Dalai Lama.</p>
<p>When the Chinese foreign ministry showed full knowledge of OHHDL emails &#8212; this constitutes strong evidence in my eyes &#8212; it showed that there was Chinese government involvement at some level, although they might not have carried out the attack themselves.</p>
<p>The ownership of the attack is squarely with the Chinese government even if they might have &#8216;outsourced&#8217; the attack to Chinese cyber-guerrillas.</p>
<p>In our report, we provided additional explanation on why we chose to point fingers at the Chinese government. We also considered other theories: who else could have been motivated to carry out this attack and why and if they had done it, what would be the evidence.</p>
<p>We have seen strong evidence of Chinese government involvement, and none to the contrary.</p>
<p>The media has recently dealt at great length on the so-called independent hackers and the role of the Chinese State.</p>
<p>In my mind, it is a little bit like guerrilla warfare; a much sought-after alternative to conventional forces. Guerrilla warfare provides plausible deniability to the sponsoring State. If you consider the US-Iraq, US-Afghanistan, Pakistan-India or Israel-Palestine conflicts, we often see a model of &#8216;guerrilla warfare&#8217; playing out. It appears that such a model of warfare is gaining popularity.</p>
<p>If the quality of the fighters is very good on the &#8216;open market&#8217;, why not hire them instead of training your own and risking bad press.</p>
<p>Don&#8217;t you think that China has this type of mindset to use these tactics while it is not present in India?</p>
<p>Well, there are documented cases of India&#8217;s intelligence agencies using the underworld (Dawood versus Chhota Rajan, for example). But these are home affairs and have little to do with other countries.</p>
<p>In comparison, the Chinese use of guerrilla hacker networks is quite popular. Timothy Thomas has documented this quite well [it is referenced in the Snooping Dragon report].</p>
<p>The Chinese attacks on the OHHDL appear to have been carried out by semi-skilled amateurs. From the quality of the work, I can say that it was not a very skilled person, not a real expert. If they had experts on hand, then the situation would have really been different in terms of difficulty of analysis.</p>
<p>This points to two things: one: analysis will get tougher in future as attacks get more sophisticated, and, second, if amateurs can carry out successful attacks on Google and OHHDL, then that signals a very real danger.</p>
<p>About Chinese &#8216;experts&#8217;: do you believe that many of them have been trained in the US or the West and later returned to China?</p>
<p>Possibly! But there is no need for a good hacker to be trained in the US. People with good computer skills are very much there in countries like India, Pakistan or China. Some very, very skilled people might not even have had elementary education.</p>
<p>The Chinese recently closed a &#8216;hacking&#8217; school in Hebei province. Is it eyewash, or will it make a difference?</p>
<p>[These days] there are loads of resources online, so closing one school won&#8217;t make a difference for the same reason that closing a terror school hasn&#8217;t made a difference.</p>
<p>If someone wants to learn, it does not take much effort. It is important to understand that the main innovation is not technological, it is a psychological one. The entire computer industry has progressed technologically, but computer security is not a technology issue.</p>
<p>Technologies are fine, they are there. The question is the human link. The way humans interact with computer security is poorly understood by software engineers.</p>
<p>The current technology does not consider humans as they are: humans are fitted into a user model of how they are &#8216;supposed&#8217; to be. Each time there is a security problem, security experts are quick to point to the user&#8217;s fault! The user did not do this or that! This mindset has to change.</p>
<p>Technology needs to understand and accept user behaviour and provide security assurances with this in mind. We should accept people as they are, and accept the diversity in human behaviour; there is no point in writing manuals and designing secure systems for somebody else.</p>
<p>The users are not going to change, so user education is the wrong place to spend the security budget.</p>
<p>In their White Paper of Defence, the Chinese strategy has undergone a shift from &#8216;active defense&#8217; (never attacking someone first, but being ready to respond if attacked) to &#8216;active offense&#8217;. Don&#8217;t you think that a nation practicing this will always be a step ahead of its opponent?</p>
<p>As usual, computer security is quite asymmetric. It takes less to attack than to defend. You have only to find one hole to be successful in attack, while defence has to plug all the holes.</p>
<p>For this reason, it appears that attacking is easier than defending, in computer systems or in physical-world security.</p>
<p>Recently, an article in the Indian Press affirmed that the National Technical Research Organisation which deals with cyber attacks in the government pretends that their Rapid Action Group can tackle an attack in less than 90 minutes. What are your views on this?</p>
<p>Assuming they mean &#8216;any&#8217; intrusion, it is highly, highly unlikely to be true. If it was true, it would be a five-star research contribution, probably worth a Nobel Prize.</p>
<p>Instead, if they are claiming that the exact same attack would be detectable, that&#8217;s straightforward but close to useless in defending against future attacks (they won&#8217;t be the same as past attacks).</p>
<p>Attacks don&#8217;t repeat the same way. . . why should they? They always evolve. To prove that nobody can steal an organisation&#8217;s data, you have to prove that every hole has been closed.</p>
<p>[However] there are not just bugs in software; there are also bugs in human operation. For example, the attack on the OHHDL was not due to a computer bug; the software defects were there, but they were incidental to the attacks.</p>
<p>When humans authenticate emails, they do so based on socio-cognitive signals based on the text of the email. It is a highly sophisticated pattern analysis-based authentication mechanism that is used by humans.</p>
<p>The attackers found a way to beat it by simply replaying the text. In this type of an attack, detectability is very low. If the attacker decides to intrude and stay around your network, it might take a couple of years before he/she is detected, [he can remain dormant].</p>
<p>In the case of the OHHDL, they were probably there for a year or so. The attackers were detected because they increased the frequency of attacks way too much. They made two mistakes: one, they replayed emails too many times, and second, they showed that they knew some information that they could not have known without spying.</p>
<p>But the attackers will learn and the second generation of social malware attacks will be more covert. Will we detect them? Unlikely! In half an hour? Very, very unlikely!</p>
<p>When the Pentagon or the White House have been penetrated [in the past], it took [sometimes] years to find out. There are ways to remain covert: attack covertly (no replays), transmit covertly (using covert channels; there are lots of them).</p>
<p>The presence of attacks on the OHHDL could be found out [relatively easily]. But if they deployed covert communication over the Internet to transfer stolen information, then they can remain virtually undetectable for a very long time.</p>
<p>Recently, DefExpo India 2010 was held in Delhi. The Indian government is planning to spend Rs 50,000 crore (Rs 500 billion) in military hardware, don&#8217;t you think that it is not the &#8216;war of yesterday&#8217;?</p>
<p>Oh, yes! Absolutely! What you mentioned is conventional warfare. Now we are speaking of guerrilla warfare. A significant national security risk to India lies in the area of computer security, which can&#8217;t be addressed with Sukhois.</p>
<p>With the increasing reliance on computer networks, India&#8217;s information infrastructure is growing rapidly. The budget for computer security has to increase too.</p>
<p>There is a very real risk that China has control over significant parts of the government&#8217;s computer infrastructure. Military capability will mean little if the enemy has high quality intelligence.</p>
<p>Supremacy in information security is crucial, for economic security reasons too. For example, how to protect IP from India&#8217;s software industry from being stolen? Social malware can be used to steal software.</p>
<p>Another example involves injecting false data into accounting systems. Each company has an accounting system which is automated using computers. Social malware can be used to infect a majority of the computers of an accounting system.</p>
<p>With banks having a hard time coping with 1 per cent of customer machines being infected, how can a company run an accounting system with 50 per cent of its machines being compromised?</p>
<p>The scale of such economic fraud could run into hundreds of millions of dollars. And it is increasing, even as we speak.</p>
<p>We all need security against social malware attacks. Political organisations could be hit and have their political secrets revealed. Consumers and business organisations will be hit by accounting frauds.</p>
<p>In today&#8217;s economic climate, such frauds might be enough to put small companies out of business. Today, even for a small company, you can&#8217;t do your accounts manually. . . if a malware introduced false transaction amounts of Rs 10,000 or Rs 15,000, this won&#8217;t even be noticed until it is too late and money has been siphoned off using Western Union.</p>
<p>If the behaviour of banks in the case of ATM frauds is anything to go by, then banks will simply dump the liability on the end users saying &#8216;it is your fault; the malware was in your computer.&#8217;</p>
<p>The negative fallout will always have to be taken by the customers who do not have the means to defend themselves. I foresee that we will witness new instances of social malware attacks, targeting businesses and individuals in the near future.</p>
<p>Tell us something about your project in India.</p>
<p>I will move to India shortly. I will take a position of Assistant Professor at the IIIT Delhi and, with a group of three colleagues, will start a Security Group conducting research and teaching in computer security.</p>
<p>We have a Master&#8217;s and a PhD programme. My first priority will be to carry out a comprehensive analysis of the scale of computer crime in India. Today, this research is carried out by people from outside [India].</p>
<p>To carry out defensive actions, we have to know the scale of exposure to [computer piracy]. What we did for the OHHDL, we will do for various companies and governmental organisations. It means high level audits. It is a lot of work. All the information is scattered today, it may take a while to get the data, analyse it, publish the results and take remedial measures.</p>
<p>The government can&#8217;t do everything, but it can start programmes to improve computer security for the public.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/03/how-chinese-hacked-google-and-why-india-should-worry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Canada Should Lead Global Effort to Counter Internet Censorship and Cyber-Espionage in China and Elsewhere, New CIC Paper Argues</title>
		<link>http://www.infowar-monitor.net/2010/02/canada-should-lead-global-effort-to-counter-internet-censorship-and-cyber-espionage-in-china-and-elsewhere-new-cic-paper-argues/</link>
		<comments>http://www.infowar-monitor.net/2010/02/canada-should-lead-global-effort-to-counter-internet-censorship-and-cyber-espionage-in-china-and-elsewhere-new-cic-paper-argues/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 23:02:27 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Canadian Institute of Strategic Studies]]></category>
		<category><![CDATA[Canadian International Council]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China's Cyberspace Control Strategy]]></category>
		<category><![CDATA[CIC]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Golden Shield]]></category>
		<category><![CDATA[Greg Walton]]></category>
		<category><![CDATA[ONI]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5766</guid>
		<description><![CDATA[
Source: <a href="http://au.sys-con.com/node/1295143">Marketwire</a>:


 	 	 	<blockquote>TORONTO, ONTARIO -- (Marketwire) -- 02/23/10 -- With the world's third largest economy and the largest number of Internet users in the world, the impact of China's cyberspace control policies on Canada is formidable. Canada must strike a balance between its broader political and economic interests in China and open criticism of China's human rights policies, Internet censorship and computer espionage abroad, concludes a new paper released today by the Canadian International Council (CIC).

China's Cyberspace Control Strategy: An Overview and Consideration of Issues for Canadian Policy notes that "Canada is home to some of the leading research and development projects on Internet censorship, surveillance and information warfare that, at times, are antagonistically linked to China." The paper argues that the Canadian government should invest in areas where it can change China's Internet content filtering and censorship practices. "There are at least three ways in which Canadian policy could make a positive impact and counter growing tendencies towards the censorship, surveillance and militarization of cyberspace that China presently leads," says Ronald Deibert, author of the paper.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Dr. Deibert&#8217;s paper argues that Canada should:</p>
<p>(1) Take a leadership position in promoting a global, multilateral agenda around arms control in cyberspace. The present state-based cyber security agenda is almost entirely absent of voices or forums dedicated to creating norms of mutual restraint, confidence building and information sharing.</p>
<p>(2) Take a more active interest in the role played by Canadian companies which support China&#8217;s vast censorship and surveillance regime.</p>
<p>(3) Lead by example in domestic policy areas, including addressing loose laws on wiretaps, ambiguous oversight of intelligence agencies, shoddy content filtering mechanisms around access to pornography and hate speech, questionable deep packet inspection and data retention practices by internet service providers, and other areas in which Canadian practices provide justification for China&#8217;s own domestic censorship and surveillance regime.</p>
<p>Dr. Ronald Deibert is Associate Professor of Political Science and Director of the Citizen Lab at the Munk Centre for International Studies at the University of Toronto. China&#8217;s Cyberspace Control Strategy: An Overview and Consideration of Issues for Canadian Policy is part of the CIC&#8217;s 2010 China Paper series.</p>
<p>For more information on China&#8217;s Cyberspace Control Strategy: An Overview and Consideration of Issues for Canadian Policy or the CIC, please visit: www.canadianinternationalcouncil.org.</p>
<p>The Canadian International Council (CIC) is a non-partisan, nationwide council established to strengthen Canada&#8217;s role and capacity in international affairs, which builds on the proud histories of the Canadian Institute of International Affairs and the Canadian Institute of Strategic Studies. The CIC aims to advance research, discussion and debate on international issues by fostering a Canadian foreign policy network that crosses academic disciplines, policy areas, and economic sectors. CIC&#8217;s research program is managed by the national office in Toronto. The CIC&#8217;s 15 branches across Canada present a variety of activities to CIC members, including speakers programs, conferences and seminars, and study groups.</p>
<p>Contacts:<br />
MEDIA CONTACT:<br />
Media Profile<br />
Susan Reisler<br />
416 342-1843<br />
susan.reisler@mediaprofile.com</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/canada-should-lead-global-effort-to-counter-internet-censorship-and-cyber-espionage-in-china-and-elsewhere-new-cic-paper-argues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>China’s Cyberspace Control Strategy: An Overview and Consideration of Issues for Canadian Policy</title>
		<link>http://www.infowar-monitor.net/2010/02/china%e2%80%99s-cyberspace-control-strategy-an-overview-and-consideration-of-issues-for-canadian-policy/</link>
		<comments>http://www.infowar-monitor.net/2010/02/china%e2%80%99s-cyberspace-control-strategy-an-overview-and-consideration-of-issues-for-canadian-policy/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 07:17:33 +0000</pubDate>
		<dc:creator>rdeibert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[CIC]]></category>
		<category><![CDATA[Cyber Arms Control]]></category>
		<category><![CDATA[Cyberpower]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Golden Shield]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Greg Walton]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[Rights & Democracy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5718</guid>
		<description><![CDATA[Professor Ronald Deibert writing for the Canadian International Council: PDF: China is among the world’s most dynamic countries when it comes to information and community technology research, development and consumer use. It is now the world’s largest national Internet population. China is also the world’s most pervasive filterer of Internet content, engages in widespread electronic [...]]]></description>
			<content:encoded><![CDATA[<p>Professor Ronald Deibert writing for the Canadian International Council: <a href="http://www.canadianinternationalcouncil.org/download/resourcece/archives/chinapapers/chinapapersno7deibertpdf?attachment=1">PDF</a>:</p>
<p>China is among the world’s most dynamic countries when it comes to information and community technology research, development and consumer use. It is now the world’s largest national Internet population. China is also the world’s most pervasive filterer of Internet content, engages in widespread electronic surveillance and has been suspected of global cyber-espionage against adversaries abroad. This paper draws upon the experiences of several Canadian-based research and development projects that focus directly upon (and confront) China’s cyberspace control strategy to map out its main features and discuss the challenges they present for Canada. </p>
<p>The main part of this paper provides an overview of China’s content filtering, surveillance and information warfare policies and practices. This overview is followed by a consideration of issues for Canada. Like many other countries, Canada depends on economic exchange with China and is home to a large and growing Chinese diaspora community that can be vocal critics of China’s human rights policies. Canada is also the home of some of the leading research and development projects on Internet censorship, surveillance and information warfare that, at times, are antagonistically linked to China. The conclusion considers some of the challenges and opportunities for Canadian interests and presents three recommendations for Canadian policy. </p>
<p>China ranks among the most dynamic countries in research, development and consumer use of information and community technologies, as shown in particular by its national Internet population, today the largest in the world. It is also the country that filters Internet content most rigorously. It further practises electronic surveillance on a large scale and is suspected of cyber-espionage against its international adversaries. This study draws on the experience of several Canadian research and development projects that focus directly on the Chinese cyberspace control strategy (and challenge it) in order to identify its main characteristics and the challenges that follow from it for Canada. The greater part of the study deals with Chinese policies and practices concerning content filtering, surveillance and information warfare. This is followed by an analysis of the issues they raise for Canada, which, like many other countries, relies on its exchanges with China while hosting a growing Chinese diaspora that is at times very critical of Chinese human rights policy. Canada is also home to major research and development projects on online censorship, surveillance and information warfare, whose findings implicate China in sometimes antagonistic ways. In conclusion, some of the challenges and opportunities relating to Canadian interests are presented and three recommendations concerning Canadian policy are formulated.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/02/china%e2%80%99s-cyberspace-control-strategy-an-overview-and-consideration-of-issues-for-canadian-policy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Nart Villeneuve: Google’s New Approach</title>
		<link>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach-2/</link>
		<comments>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach-2/#comments</comments>
		<pubDate>Sat, 30 Jan 2010 18:53:20 +0000</pubDate>
		<dc:creator>nvilleneuve</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[GFW]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Psiphon]]></category>
		<category><![CDATA[Search Monitor Project]]></category>
		<category><![CDATA[SecDev]]></category>
		<category><![CDATA[SecDev.cyber]]></category>
		<category><![CDATA[TOM-Skype]]></category>
		<category><![CDATA[TOR]]></category>
		<category><![CDATA[Villeneuve]]></category>
		<category><![CDATA[wow]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5440</guid>
		<description><![CDATA[Nart Villeneuve: Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers also attempted to compromise the Gmail accounts of Chinese human rights activists. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.nartv.org/2010/01/12/googles-new-approach/">Nart Villeneuve</a>: Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and, although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers attempted to compromise the Gmail accounts of Chinese human rights activists.</p>
<p>But the most interesting result is that, due to the combination of attacks, surveillance and censorship, Google has decided to reassess their operations in China:</p>
<p>These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.</p>
<p>The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.</p>
<p>Wow.</p>
<p>The connection between censorship, surveillance and attacks is the key. Censorship, such as the blocking of web sites, is fairly crude but effective when combined with targeted surveillance and attacks. While many, especially the technically savvy, can circumvent China’s filtering system, the “GFW”, using tools such as Psiphon and Tor, most Chinese citizens do not. The GFW doesn’t have to be 100% technically effective; it just has to serve as a reminder to those in China about what content is acceptable and what should be avoided. The objective is to influence behaviour toward self-censorship, so that most will not actively seek out banned information or the means to bypass controls and access it.</p>
<p>The nexus of censorship, surveillance and malware attacks is the key to China’s information control policies. It is not just about the GFW. Internet users in China face complex threats, involving targeted attacks and surveillance, that depend heavily on additional factors such as involvement in political activities. China chooses when, where and how to exercise this granular control.</p>
<p>The InfoWar Monitor — which is a partnership between the Citizen Lab, Munk Centre for International Studies, University of Toronto and The SecDev Group (and SecDev.cyber, which focuses on Internet threats) — has been focusing on these threats. For example, in the report “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” we documented how TOM-Skype (the Chinese version of Skype) was censoring and capturing politically sensitive content. In “Tracking GhostNet: Investigating a Cyber Espionage Network” we documented targeted malware attacks that infected over 1,295 computers in 103 countries, 30% of which were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.</p>
<p>Google’s decision to reassess their operations in China is courageous. I strongly hope that Microsoft, Yahoo! and others follow Google’s lead — as, to their credit, they have done in the past. In “Search Monitor Project: Toward a Measure of Transparency” I compared the censorship practices of Google, Yahoo! and Microsoft as well as the domestic Chinese search engine Baidu and found that all followed Google’s lead to some extent by at least disclosing their censorship practices to their users. I hope that they stand by Google.</p>
<p>China, the ball is in your court.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google, China, and the coming threat from cyberspace</title>
		<link>http://www.infowar-monitor.net/2010/01/google-china-and-the-coming-threat-from-cyberspace/</link>
		<comments>http://www.infowar-monitor.net/2010/01/google-china-and-the-coming-threat-from-cyberspace/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 00:15:45 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[Dennis Blair]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[offensive IO]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[privateer]]></category>
		<category><![CDATA[Rohozinski]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[US cyber doctrine]]></category>
		<category><![CDATA[US Intelligence]]></category>
		<category><![CDATA[Villeneuve]]></category>
		<category><![CDATA[Walton]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5431</guid>
		<description><![CDATA[Cyberspace attacks are set to increase. Here’s why – and here’s what we can do to stop them.

Source: Ron Deibert and Rafal Rohozinski &#124; OpEd in the <a href="http://www.csmonitor.com/layout/set/print/content/view/print/276573">Christian Science Monitor</a>

<blockquote>Toronto — The recent cyberespionage attacks on Google and that company’s subsequent announcement that it would reconsider its search engine services in China gripped the world’s focus and set off a debate about China’s aggressive cybersecurity strategy. 

The apparent scope of the attacks – more than 30 companies affected, Gmail accounts compromised, human rights groups targeted – took many by surprise. Some observers believe the attacks were highly sophisticated in nature, employing never-before-seen techniques. Many reports concluded that the Chinese government undertook the attacks. 

As principal investigators in the Information Warfare Monitor, a project formed in 2002 to investigate and analyze the exercise of power in cyberspace, we have seen many of these types of attacks first hand in our research, and have followed closely those examined by other researchers. </blockquote>]]></description>
			<content:encoded><![CDATA[<p>Cyberspace attacks are set to increase. Here’s why – and here’s what we can do to stop them.</p>
<p>Source: Ron Deibert and Rafal Rohozinski | OpEd in the <a href="http://www.csmonitor.com/layout/set/print/content/view/print/276573">Christian Science Monitor</a></p>
<blockquote><p>Toronto — The recent cyberespionage attacks on Google and that company’s subsequent announcement that it would reconsider its search engine services in China gripped the world’s focus and set off a debate about China’s aggressive cybersecurity strategy. </p>
<p>The apparent scope of the attacks – more than 30 companies affected, Gmail accounts compromised, human rights groups targeted – took many by surprise. Some observers believe the attacks were highly sophisticated in nature, employing never-before-seen techniques. Many reports concluded that the Chinese government undertook the attacks. </p>
<p>As principal investigators in the Information Warfare Monitor, a project formed in 2002 to investigate and analyze the exercise of power in cyberspace, we have seen many of these types of attacks first hand in our research, and have followed closely those examined by other researchers. </p></blockquote>
<p>From our vantage point, the Google cyberattacks are unusual not in apparent scope or sophistication – as some commentators believe – but rather in terms of the high-profile nature of the victim and the victim’s very public reaction. Indeed, we believe targeted cyber attacks such as these will grow in frequency as cyberspace becomes more heavily contested. </p>
<p>Defense against cyberattacks</p>
<p>The question is what to do about them.</p>
<p>Solutions won’t be easy. Nor will they be solved by technical means alone. They will require widespread and comprehensive public policy changes, greater awareness of network security practices, and above all else a recognition by governments worldwide that an arms race in cyberspace serves no country’s national strategic interest. </p>
<p>For their part, companies should be encouraged to be more transparent and willing to share information about attacks on their infrastructure and less concerned about the liabilities of doing so. Google’s actions are exemplary in this regard and may set a new standard of disclosure.</p>
<p>Although many people point to China as an aggressive cyberactor, it is important to understand that cyberspace has become a battleground for intense military competition. Many countries are developing offensive cyberwarfare capabilities, including targeted espionage. Just recently, for example, Dennis Blair, the director of US National Intelligence, argued the United States should be more aggressive in stealing other countries’ secrets in cyberspace. Other countries are less open about such intentions, but no less ambitious. Many successful operations, no doubt, are hidden.</p>
<p>The actors in this intense arms race are not just states. Cyberspace allows anyone with the intent and capability to exploit network vulnerabilities. </p>
<p>For example, there are countless criminal organizations thriving in the hidden ecosystems of cyberspace, profiting from cyberattacks, cybercrime, and cyberfraud. These organizations employ techniques and tools that are virtually indistinguishable from those that were uncovered in the Google attacks, and by us earlier in our Tracking Ghostnet investigation, a 10-month examination of alleged Chinese cyberspying of numerous diplomatic missions, ministries of foreign affairs, and international organizations. </p>
<p>Such groups also offer their services for hire, giving other actors who want to benefit from them a good cover and plausible deniability. It’s called cyberprivateering, and it’s one of the best ways to avoid being caught. Indeed, it’s a major reason why sourcing attacks like the one on Google is so difficult.</p>
<p>Risks from Web 2.0 companies</p>
<p>Second, attacks such as these are becoming more common because of changes to the character of cyberspace itself. The services of Web 2.0 companies – so-called cloud computing platforms and social-networking groups – are the primary vehicles through which most people experience and interact with the Internet today. </p>
<p>While Twitter, Google Groups, Yahoo Mail, and Flickr may make our cyberexperiences much more convenient, interactive, and richly engaging, they also create two risks: a wide spectrum of new security vulnerabilities and a multiplicity of ever-evolving vectors through which victims can be targeted and attacks mounted. </p>
<p>It is common today for cyberespionage or fraud networks to propagate their malware by exploiting and infiltrating popular social-networking forums like these, or to command their systems through blogging sites and multiple, redundant groups, free hosting services, or anonymous mail accounts. It’s often said that dark clouds may have silver linings, but cyberclouds have turbulent and very dark hidden cores.</p>
<p>A final ironic factor contributing to cyberespionage attacks relates to the very success of cyberspace itself. Over the past decade, numerous countries, organizations, nongovernmental organizations, and citizen groups have rushed to embrace new information and communication technologies. This is a way to jump-start economic development or take advantage of social-networking opportunities.</p>
<p>But they have done so largely without attention to proper security protocols. Private, sensitive, and even highly classified documents that were once locked away in file cabinets now circulate through proprietary clouds and pass between USB sticks, from the home to the office to the laptop, from the coffee shop to the airport lounge. Vulnerabilities multiply as networking increases. </p>
<p>When we issued our Tracking Ghostnet report, we concluded that it was not the first nor would it be the last of its kind. Unfortunately, the Google attacks have borne out that prediction. And there will surely be more. </p>
<p>Ron Deibert is director of the Citizen Lab, Munk Centre for International Studies, University of Toronto. Rafal Rohozinski is the CEO of SecDev.Cyber and a senior fellow at the Citizen Lab. Together, they are principal investigators of the Information Warfare Monitor project and coauthors of the “Tracking Ghostnet” report.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/01/google-china-and-the-coming-threat-from-cyberspace/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Nart Villeneuve: Google’s New Approach</title>
		<link>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach/</link>
		<comments>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach/#comments</comments>
		<pubDate>Wed, 13 Jan 2010 00:02:41 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Censorship]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Villeneuve]]></category>
		<category><![CDATA[wow]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5423</guid>
		<description><![CDATA[Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and, although attribution to the Chinese government is unclear, also discovered that the attackers attempted to compromise the Gmail accounts of Chinese human rights activists.

But the most interesting result is that, because of the combination of attacks, surveillance and censorship, Google has decided to reassess its operations in China:

    These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

    The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised. 

Wow.

The connection between censorship, surveillance and attacks is the key. Censorship, such as the blocking of web sites, is fairly crude but effective when combined with targeted surveillance and attacks. While many, especially the technically savvy, can circumvent China’s filtering system, the “GFW”, using tools such as Psiphon and Tor, most Chinese citizens do not. The GFW doesn’t have to be 100% technically effective; it just has to serve as a reminder to those in China about what content is acceptable and what should be avoided. The objective is to influence behaviour toward self-censorship, so that most will not actively seek out banned information or the means to bypass controls and access it.

The nexus of censorship, surveillance and malware attacks is the key to China’s information control policies. It is not just about the GFW. Internet users in China face complex threats, involving targeted attacks and surveillance, that depend heavily on additional factors such as involvement in political activities. China chooses when, where and how to exercise this granular control.

The InfoWar Monitor — which is a partnership between the Citizen Lab, Munk Centre for International Studies, University of Toronto and The SecDev Group (and SecDev.cyber, which focuses on Internet threats) — has been focusing on these threats. For example, in the report “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” we documented how TOM-Skype (the Chinese version of Skype) was censoring and capturing politically sensitive content. In “Tracking GhostNet: Investigating a Cyber Espionage Network” we documented targeted malware attacks that infected over 1,295 computers in 103 countries, 30% of which were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

Google’s decision to reassess their operations in China is courageous. I strongly hope that Microsoft, Yahoo! and others follow Google’s lead — as, to their credit, they have done in the past. In “Search Monitor Project: Toward a Measure of Transparency” I compared the censorship practices of Google, Yahoo! and Microsoft as well as the domestic Chinese search engine Baidu and found that all followed Google’s lead to some extent by at least disclosing their censorship practices to their users. I hope that they stand by Google.

China, the ball is in your court.
]]></description>
			<content:encoded><![CDATA[<p>Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and, although attribution to the Chinese government is unclear, also discovered that the attackers attempted to compromise the Gmail accounts of Chinese human rights activists.</p>
<p>But the most interesting result is that, because of the combination of attacks, surveillance and censorship, Google has decided to reassess its operations in China:</p>
<p>    These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.</p>
<p>    The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised. </p>
<p>Wow.</p>
<p>The connection between censorship, surveillance and attacks is the key. Censorship, such as the blocking of web sites, is fairly crude but effective when combined with targeted surveillance and attacks. While many, especially the technically savvy, can circumvent China’s filtering system, the “GFW”, using tools such as Psiphon and Tor, most Chinese citizens do not. The GFW doesn’t have to be 100% technically effective; it just has to serve as a reminder to those in China about what content is acceptable and what should be avoided. The objective is to influence behaviour toward self-censorship, so that most will not actively seek out banned information or the means to bypass controls and access it.</p>
<p>The nexus of censorship, surveillance and malware attacks is the key to China’s information control policies. It is not just about the GFW. Internet users in China face complex threats, involving targeted attacks and surveillance, that depend heavily on additional factors such as involvement in political activities. China chooses when, where and how to exercise this granular control.</p>
<p>The InfoWar Monitor — which is a partnership between the Citizen Lab, Munk Centre for International Studies, University of Toronto and The SecDev Group (and SecDev.cyber, which focuses on Internet threats) — has been focusing on these threats. For example, in the report “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” we documented how TOM-Skype (the Chinese version of Skype) was censoring and capturing politically sensitive content. In “Tracking GhostNet: Investigating a Cyber Espionage Network” we documented targeted malware attacks that infected over 1,295 computers in 103 countries, 30% of which were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.</p>
<p>Google’s decision to reassess their operations in China is courageous. I strongly hope that Microsoft, Yahoo! and others follow Google’s lead — as, to their credit, they have done in the past. In “Search Monitor Project: Toward a Measure of Transparency” I compared the censorship practices of Google, Yahoo! and Microsoft as well as the domestic Chinese search engine Baidu and found that all followed Google’s lead to some extent by at least disclosing their censorship practices to their users. I hope that they stand by Google.</p>
<p>China, the ball is in your court.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2010/01/nart-villeneuve-google%e2%80%99s-new-approach/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Smarter sleuthing can save our online privacy</title>
		<link>http://www.infowar-monitor.net/2009/11/smarter-sleuthing-can-save-our-online-privacy/</link>
		<comments>http://www.infowar-monitor.net/2009/11/smarter-sleuthing-can-save-our-online-privacy/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 15:22:27 +0000</pubDate>
		<dc:creator>rdeibert</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Burma]]></category>
		<category><![CDATA[C-46]]></category>
		<category><![CDATA[C-47]]></category>
		<category><![CDATA[Citizen Lab]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Deibert]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[ITU]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[SecDev.cyber]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5314</guid>
		<description><![CDATA[Ron Deibert, Special to Globe and Mail Police don&#8217;t need intrusive powers to tackle modern Internet crime &#8211; there&#8217;s a new paradigm I&#8217;m at the Citizen Lab, an interdisciplinary research facility at the Munk Centre for International Studies, University of Toronto. I am reviewing reports on cyber security. With me is Nart Villeneuve, senior research [...]]]></description>
			<content:encoded><![CDATA[<p>Ron Deibert, <a href="http://www.theglobeandmail.com/news/opinions/smarter-sleuthing-can-save-our-online-privacy/article1348687/">Special to Globe and Mail</a></p>
<p>Police don&#8217;t need intrusive powers to tackle modern Internet crime &#8211; there&#8217;s a new paradigm</p>
<p>I&#8217;m at the Citizen Lab, an interdisciplinary research facility at the Munk Centre for International Studies, University of Toronto. I am reviewing reports on cyber security. With me is Nart Villeneuve, senior research fellow and chief research officer for our partner company, SecDev.Cyber.</p>
<p>Nart is busy doing what he usually can be found doing: following hunches, deeply engaged in cyber forensic investigations. In his latest work, he has gained backdoor access to track a very large, Russian-operated botnet &#8211; a collection of infected computers under the control of an attacker.</p>
<p>No doubt about it, the perpetrators of this botnet are into criminal behaviour. Although it is Russian in origin, the botnet uses control servers in China and manipulates thousands of compromised computers in the United States and Germany (so-called &#8220;zombies&#8221; [http://en.wikipedia.org/wiki/zombie_computer]) to launch computer network attacks. Russian criminal organizations are known to contract out such attacks to anyone who will pay. We witness a real-time attack against an obscure Russian website, lasting a few minutes.</p>
<p>This botnet also appears to be connected to a massive spam operation that sends out bogus links to gambling, pornography, pharmaceuticals and fake anti-virus software. Nart&#8217;s probes uncover directories containing four million recipient e-mail addresses. They are also engaged in widespread &#8220;click fraud,&#8221; redirecting browsers of infected computers to online ads without the users&#8217; knowledge in order to generate microincome on a massive scale.</p>
<p>In fact, botnets like this one are at the heart of just about every imaginable menacing and serious act of Internet crime, from espionage to child pornography. They are so vexing for law enforcement and intelligence, we are often told, because of the so-called &#8220;attribution&#8221; problem &#8211; the challenge of identifying the perpetrators.</p>
<p>It has become a truism to say the Web facilitates anonymity. &#8220;On the Internet, no one knows you are a dog,&#8221; went the famous New Yorker cartoon [http://weblogs.mozillazine.org/gerv/archives/2007/images/internet_dog.jpg] &#8211; or in this case, a fraudster, terrorist or gangster. Perpetrators can mask their real identities through proxy computers located in foreign jurisdictions, or contract out to third parties who carry out their criminal deeds.</p>
<p>Some have advocated radical solutions to this problem, including the end of anonymity, the requirement for Internet users to have permanent IDs, even the wholesale scrapping of the Internet as we know it. Bills C-46 [http://www2.parl.gc.ca/housepublications/publication.aspx?docid=4008179&#038;language=e&#038;mode=1] and C-47 [http://www2.parl.gc.ca/housepublications/publication.aspx?pub=bill&#038;doc=c-47&#038;parl=&#038;ses=&#038;language=e], currently working their way through Canadian parliamentary committees, would require Internet service providers to install new surveillance equipment, collect personal data, retain it for longer periods of time and allow law enforcement and intelligence to see that personal information, in some circumstances without a court warrant. The Privacy Commissioner of Canada and others have raised serious concerns about this.</p>
<p>Although attribution, anonymity, and investigation of Internet crime remain very real challenges, I believe they are not insurmountable and do not require radical infringements on privacy or wholesale alterations to the Internet as we know it. In fact, the Internet itself, and the mass of data it contains, points to the solution.</p>
<p>Shortly after our observations, Nart uncovered a lead to the possible botnet operator: a Russian student registered at Moscow State University. There was no magical sniffing tool or lawful access provisions clearing his way. He simply pieced together bits of seemingly disparate information &#8211; a name here, a string of code there, a domain registration, a recurring handle, an e-mail address, all pieced together by searching Google results.</p>
<p>It&#8217;s not the first time Nart has done this. In 2008, he uncovered a massive spy network being run through the Chinese version of Skype, and was able to locate, access and archive the control servers behind them using creative Google searches.</p>
<p>Earlier this year, the Information Warfare Monitor (one of our projects with SecDev.Cyber) tracked down Ghostnet [http://www.theglobeandmail.com/news/technology/meet-the-canadians-who-busted-ghostnet/article732409], a massive cyber espionage network infecting 1,295 computers in 103 countries. Nart provided a critical break in the investigation by Googling a 22-character string collected during field research. It led to one of the poorly secured command server interfaces.</p>
<p>The Information Warfare Monitor is now working on a report about attacks against the websites of prominent Burmese human-rights groups. Many people suspect the attacks are connected to Myanmar&#8217;s military regime, but our investigation leads conclusively to a single individual. We even have his picture from his social networking pages.</p>
<p>The reasons for such successes are twofold: our methods and the nature of superabundant information in the cyber age.</p>
<p>As university-based researchers and private sector researchers without access to warrants and private information, we have been forced to do more with less. We rely on qualitative, as opposed to quantitative, approaches. We engage in multidisciplinary analysis of data, as opposed to its automated mining. We search for connections between disparate sources of open information, instead of digging through that which is private.</p>
<p>The problem for law enforcement and intelligence today is not the lack of information; it is the deluge of it. The U.S. National Security Agency reportedly sucks up the equivalent of the contents of the Library of Congress every six to eight hours, every single day.</p>
<p>This is an old paradigm, based on methods where information is easy to hide and hard to find. It&#8217;s ill-suited to our modern hypermedia environment, which includes more than four billion cellphones around the world, according to the International Telecommunication Union. Many of them are equipped to snap pictures and videos, and upload them instantly to YouTube or Twitter. These images can be geotagged through Google Maps, which now includes street-level images of many major cities.</p>
<p>In other words, who needs more surveillance powers when people willingly monitor themselves? Social networking has brought us the Age of Auto-Surveillance. These are my friends, here is my house, this is the bus I take, here is my dog, this is my e-mail address, here is my phone number, this is my place of work, this is what I like to eat for lunch.</p>
<p>Criminals and terrorists rarely tweet about their crimes, true. But they cannot escape the digital traces and electronic signatures that everyone, even the most determined criminal, now leaves. In the case of the Russian student, it was a user name posted on a hacker forum that was also used as part of a website domain, which then showed up as a prefix on an e-mail address of an innocuous undergraduate essay that was posted online, along with the student&#8217;s name.</p>
<p>In a time when every person&#8217;s digital life is now turned inside out and electronically dispersed and disaggregated, does it really make sense to think solutions lie in adding to that flood? Law enforcement and intelligence don&#8217;t need to sidestep court protections and civil liberties to meet the challenges of cyber crime &#8211; they need a new investigatory paradigm.</p>
<p>Ron Deibert is director of the Citizen Lab and a principal with the SecDev Group. He is a cofounder of and principal investigator for the Information Warfare Monitor.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/11/smarter-sleuthing-can-save-our-online-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who was behind GhostNet? #SecTor</title>
		<link>http://www.infowar-monitor.net/2009/10/who-was-behind-ghostnet-sector/</link>
		<comments>http://www.infowar-monitor.net/2009/10/who-was-behind-ghostnet-sector/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 12:26:12 +0000</pubDate>
		<dc:creator>gwalton</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GhostNet]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[plausible deniability]]></category>
		<category><![CDATA[SecTor]]></category>
		<category><![CDATA[state sponsored]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Villeneuve]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=5187</guid>
		<description><![CDATA[

Source: Sean Michael Kerner <a href="http://blog.internetnews.com/skerner/2009/10/-ghostnet-researcher-at-the.html">internetnews.com</a>

<blockquote>From the "People's Republic" files:

TORONTO. Who was behind the massive GhostNet botnet that compromised nearly 1,300 government computers around the world?

The short answer is: we still don't know.

That's the word from researcher Nart Villeneuve who gave a talk about his GhostNet experiences at the SecTor security conference. I wrote about GhostNet back in March, when Villeneuve and his crew at the University of Toronto first reported the diplomatically targeted botnet.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Back then, the blame was cast on the government of the People&#8217;s Republic of China, which is a claim the Chinese government vehemently denied.</p>
<p>So seven months later, who does Villeneuve think the culprits really are?</p>
<p>&#8220;We don&#8217;t know for sure who was behind the attacks,&#8221; Villeneuve told the capacity audience. &#8220;It could be the Chinese government, but it just as easily could have been random.&#8221;</p>
<p>Villeneuve said that perhaps one diplomat was infected, then because that diplomat knew other diplomats the infection just spread. The other option is that the whole thing was a conspiracy to frame China, as nearly all the command and control servers were located in China.</p>
<p>Though Villeneuve wasn&#8217;t sure about who was behind GhostNet, he does suspect that other similar botnets are out there, waiting to be discovered.</p>
<p>As for GhostNet itself, Villeneuve said that within a few hours of his report on the botnet being made public and published by the New York Times, the botnet&#8217;s command and control servers were shut off.</p>
<p>In my view, this is about as good as it gets in the cloak and dagger world of international cyber espionage. Personally I think the network was too well organized to be anything other than a well-funded group, government or otherwise.</p>
<p>Let&#8217;s just hope that Villeneuve and other &#8216;good people&#8217; like him remain vigilant and detect other such efforts before too much damage is done.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2009/10/who-was-behind-ghostnet-sector/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
