Wednesday, March 24, 2010

A Report from "Hacking Comes of Age: Climategate, Cyber-Espionage and iWar," a University Lecture Series Event

GoDaddy, the net’s largest domain-name registrar, announced Wednesday it would stop selling .cn domain names, saying it was unwilling to comply with new rules from the Chinese government that require new and existing .cn domain-name holders to provide photo ID. Wired, 3-24-10

Iranian security forces say they have arrested 30 people and disabled "the most important U.S.-backed organized networks of cyber war launched by anti-revolutionary groups." ... Some 29 Websites were "hacked" by Iranian security in order to find the accused, according to the reports. The Iranian government accused the sites and their operators of conducting a clandestine espionage effort under cover of human rights initiatives. Dark Reading, 3-15-10

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack. Washington Post, 2-4-10

Thousands of emails, from the University of East Anglia's Climatic Research Unit (CRU) were first published on a small server in the city of Tomsk in Siberia.
So-called ‘patriot hackers’ from Tomsk have been used in the past by the Russian secret service, the FSB, to attack websites disliked by the Kremlin ... Russia, a major oil exporter, may be trying to undermine calls to reduce carbon emissions ahead of the Copenhagen summit on global warming.
Telegraph/UK, 12-6-09

By Richard Power

As you can see from the four stories I selected to introduce this post, the second decade of the 21st Century has gotten off to a tumultuous start in regard to security and privacy in cyberspace. On 3-18-10, I was privileged to participate in a Carnegie Mellon University Lecture Series (ULS) panel on "Hacking Comes of Age: Climategate, Cyber-Espionage and iWar," which explored these issues in uncommon depth and clarity.

The event was a testimonial to just how uniquely situated Carnegie Mellon University is to serve as a vital national resource; it also underscored the importance of CyLab's role within the University, cultivating, as it does, both the human factor and the technological edge. (Indeed, five of the six panel participants have CyLab affiliation.)

At the opening of the session, panel moderator Peter Madsen, Distinguished Service Professor for Ethics and Social Responsibility, Office of the Vice Provost for Education and Heinz College, provided some background on how the session came about: "It originated with a request from University President Jared Cohon to Dr. Indira Nair, our Vice-Provost of Education, in the wake of the so-called 'Climate Gate' affair. There was a great deal of consternation about the hacking that went on at the University of East Anglia. President Cohon thought it would be appropriate for our community to take a look at the issues surrounding hacking. He must have been prescient, because since then issues have arisen, such as Google alleging that China was hacking its proprietary information, and just the other day, Iran has claimed that the United States, since the days of President George W. Bush, has been running a cyber war attack against it, trying to de-stabilize the country. They made the claim that $400 million dollars was allocated by President Bush for this cyber war ..."

Richard Pethia, Director of the CERT Program, Software Engineering Institute Fellow and CyLab Co-Director, served up "A Brief History of Hacking," from the ARPAnet attacks (1986), chronicled in the best-seller The Cuckoo's Egg, and the Morris Worm attacks (1988), through what he characterized as "nuisance hacking" in the 1990s (e.g., hackers looking for free use of computer time, phreakers avoiding phone charges, technical "explorations" by the curious, "noisy" viruses that clogged e-mail inboxes, etc.). After that, Pethia went on, in the mid- to late 1990s, "it got more serious."

As examples, he cited the Phonemasters, a cyber crime ring that attacked major companies such as MCI Worldcom, Sprint, AT&T and Equifax, and the Citibank case, in which Russian hacker Vladimir Levin stole $10 million. (BTW, both cases are documented at length in my Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace.)

Pethia then moved on to the rise of Distributed Denial of Service (DDoS) attacks in the late 1990s (including the headline-grabbing attacks on eBay, Amazon, CNN, and other icons of the Internet in 2000); these DDoS attacks, Pethia remarked, were "the beginning of what we call today 'botnets,' groups of machines that had been pirated, control software placed in the machines ..."

In 2001, he went on, the influence of Eastern European organized crime on the hacking of e-commerce was revealed as a serious problem, and continued to evolve throughout the decade.

"Along about the same time we began to see Spyware, and over time we began to see Spyware used to gather information from home machines. And what were they collecting? Your bank accounts, your banking passwords ... So all of this starts to come together."

Pethia next hit on the rise of the Cyber-Mercenary in the mid-2000s: "People who will create a botnet for you, if you don't want to buy it, you can rent it; they will create special viruses or worms for you, they will give you a money back guarantee that at least for some period of time those viruses and worms will not be detected ..."

Moving on from the mid-2000s, Pethia pointed to a "growing electronic crime infrastructure." (Shadowcrew, e.g., had 4,000 members, buying and selling credit card numbers, e-mail accounts and other personal ID documents.) He also touched on cyber-extortion, the growth in identity theft (he skipped over phishing, since another panelist, Jason Hong, would be addressing it specifically) and links to terrorist activities. He concluded by highlighting some significant attacks on U.S. Defense Department (DoD) computers in 2007, as well as attacks against the defense industrial base (e.g., the breaching of a U.S. fighter jet project) in 2009.

Pethia's presentation was a compelling yet comprehensive journey in time, ranging from 1986 to 2010, and it provided an excellent framework for the rest of the panelists to work within.

(NOTE: Pethia's remarks begin 00:03:33 minutes into the video recording.)

Next, Paul Fischbeck, Professor of Social and Decision Sciences and of Engineering and Public Policy at Carnegie Mellon spoke on "Climate Gate: A Case of Hacking or Whistleblowing?"

Fischbeck's fascinating presentation focused on the inside politics of the climate science dispute that led up to the "Climate Gate" disclosures. In the course of his remarks, he identified the key players, shared insights on the contents of the e-mails, and offered a frame for the ethical and statistical issues behind the dispute.

Fischbeck also articulated some lessons learned for scientific researchers, stressing that the affair will have a "huge impact on science."

"All the Royal Societies have spoken very strongly against the procedures that were [revealed], saying you've got to be much more open than you have been."

"Blogs and the Internet, and sort of non-traditional experts," Fischbeck added, "are having a big impact on climate change."

Concerning whether or not this event was a hack attack or a leak, he said only, "It has not been determined yet, and it swings back and forth from week to week as to which is more likely."

(NOTE: Fischbeck's remarks start 00:16:16 into the video recording.)

From my point of view, the question is not necessarily an either/or, and the answer (if one is arrived at, or ever made public) may well include elements of both, or elements that could be interpreted as one or the other, depending upon your bias, or your interpretation of law, ethics, etc.

Take note, for example, of the scenario suggested in a recent Independent story on the affair: "Climate emails hacked by spies: Interception bore hallmarks of foreign intelligence agency, says expert," Independent, 2-1-10.

Whether or not a state intelligence agency is found to be involved, considering this story broke on the eve of the global climate conference in Copenhagen, I would be surprised if a powerful commercial entity, or a related industry grouping, were not found to be pulling the strings, one way or another. (Of course, I would also be surprised if the involvement were ever revealed publicly.)

But to be clear, this is my view, not Dr. Fischbeck's.

Next, Dawn Cappelli, Senior Member of the Technical Staff in CERT, Software Engineering Institute, spoke on CERT's Insider Threat Research.

Offering a high-level overview, Cappelli started off with insights into some actual cases, including this story of staggering financial fraud:

"This guy we actually got to talk to in prison ... He was a foreign currency trader in a large financial institution. His bank thought they were making all kinds of money. He was the star. He was the greatest trader they had. After five years, they discovered he had actually been covering up almost $700 million in losses. When you think about the controls they have in the financial industry, the auditing, the separation of duties, it is pretty amazing that someone could actually get away with this. Since this case, there have actually been two more cases that were very similar."

Cappelli also gave a glimpse into the scope of the data that CERT's Insider Threat Research has collected (including 112 cases of sabotage, 129 cases of financial fraud, 132 cases of espionage, and 62 cases of intellectual property theft). She closed her presentation with a Summary of Best Practices, ranging from "Anticipate and manage negative workplace issues" and "Consider insider threats in the software development cycle" to "Track and secure the physical environment" and "Log, monitor, and audit employee online actions."

(NOTE: Cappelli's remarks begin 00:29:19 into the video recording.)

CyLab researcher Jason Hong spoke on "Phishing and Espionage." Hong is an Assistant Professor, School of Computer Science, Human Computer Interaction Institute, as well as one of the Co-Founders of Wombat Security Technologies (along with fellow CyLab researchers Lorrie Cranor and Norman Sadeh).

In his remarks, Hong outlined the ways in which phishing is increasing in sophistication, e.g., spear-phishing, which targets specific groups or individuals using information about your organization or about you personally (such as fake e-mails from friends, or fake videos of you built from publicly available information), all with the intent of installing malware or stealing your passwords.

Hong also discussed whaling, phishing focused on big targets, and cited an incident in which thousands of executives had been targeted with what appeared to be official subpoenas from a U.S. District Court. He also noted that although there aren't too many documented cases so far, it is clear that the motivation for such attacks is no longer limited to petty cyber crime, but also extends to corporate espionage on behalf of competitors and nation states (and "not just China," Hong added emphatically).

In regard to what can be done to mitigate this threat, Hong cited a range of solutions, and stressed that all are needed in order to make a significant impact.

But again, you will have to view the video to learn more.

(NOTE: Jason Hong's remarks begin 00:39:35 into the video recording.)

Next was my presentation on the China-Google story.

To provide some context in regard to China's cyber activities over the last few years, I touched on nineteen open-source stories related to economics, politics, intelligence and cybercrime, e.g.:

If you read Google's explanation about why it threatened to withdraw from China, you might think it's all about a recent Chinese cyber-attack and Google's anger over being made complicit in the persecution of human rights activists. But cyber experts and China hands alike point to a much broader issue: The Chinese government has adapted the tactics it has used for military cyber espionage for corporate purposes and is now using them on a wide scale. Foreign Policy, 1-14-10

MI5 has accused China of bugging and burgling UK business executives and setting up “honeytraps” in a bid to blackmail them into betraying sensitive commercial secrets … In 2007 Jonathan Evans, the director-general of MI5, had written privately to 300 chief executives of banks and other businesses warning them that their IT systems were under attack from “Chinese state organisations”. Times (London), 1-31-10

Such context is of vital importance.

For the last fifteen years, I have been telling information security professionals and executives alike that if they want to understand cyber risks and threats, they need to pay as much attention to the front page headlines of the Financial Times, Yomiuri Shimbun, Der Spiegel, the Asia Times, etc., as they do to patch bulletins, virus signature updates, and the IT security news media.

Industrial espionage has been subsumed by Information Age Espionage.

Tomorrow arrived yesterday.

It is not just how, but also who, why and when that you need to wrap your minds around. Cyberspace is no longer just a shadowy world in which bottom feeders take advantage of the naive or the reckless; it is a global arena of economic and geopolitical struggle.

(NOTE: My remarks begin 00:53:12 into the video recording.)

As you will see from the video record, our presentations were followed up with a lively Q and A with the audience.

Video Recording of ULS Panel: View online | Download

[NOTE: Viewers will need to have the Windows Media 9 player or higher to view this webcast. Mac users will need to download the flip4mac for QuickTime plugin from Microsoft.]