Inside Cyber Warfare Part 16

Do spread the (legitimate) word, it works! When the bloggers asked for twitter maintenance to be postponed using the #nomaintenance tag, it had the desired effect. As long as we spread good information, provide moral support to the protesters, and take our lead from the legitimate bloggers, we can make a constructive contribution.

Please remember that this is about the future of the Iranian people, while it might be exciting to get caught up in the flow of partic.i.p.ating in a new meme, do not lose sight of what this is really about.

Unfortunately, by engaging in DDoS attacks, an individual may contribute to the closure of Internet access by the Iranian government, thus shutting off the very life line that the Iranian opposition needs to build the support of the global community.

The Open Net Initiative recently released a detailed report on Internet filtering (i.e., censorship) by the government of Iran. A big part of Tehran's control derives from all Internet traffic being routed through one bottleneck-the Telecommunications Company of Iran (TCI). Another is the prohibition against private citizens subscribing to high-speed service.

The single greatest takeaway for social media advocates in the Iranian elections is that there is nothing clear cut about the event nor the usefulness of the tool. Individuals' eagerness to join in the DDoS flood may be putting the very people that they wish to help at risk. Those looking with a noncritical eye to tweets for "real," as-it-happens information may be reading an Iranian government disinformation post. There is a commensurate increase in risk and reward.

Social Engineering

A group of Canadian researchers recently uncovered a ma.s.sive Chinese computer espionage ring (GhostNet) involving almost 1,300 infected computers in 103 countries. According to their report, about 30% of the infected hosts were located in government offices, media companies, and nongovernment organizations (NGOs).

The malware used, a type of Trojan known as a remote access tool (RAT), was of Chinese design and named gh0st RAT. Once infected, the attacker gained complete control of the host computer, including the ability to: Activate a web cam and conduct audio and video surveillance Search for and exfiltrate sensitive doc.u.ments Initiate keylogging to capture usernames and pa.s.swords One of the many interesting lessons derived from the GhostNet investigation is that none of the espionage tools or techniques that was used so successfully were new. It was basically a variant of the old Spear Phishing scheme, which is when an attacker sends out a carefully worded email message to an organization or company that features highly focused content.

For example, the email message used to spread the gh0st RAT Trojan contained the following subject line: "Translation of Freedom Movement ID Book for Tibetans in Exile."

The email message contained the emblem of the Tibetan Government in Exile, and the attached .doc file had the same t.i.tle as the subject line. When clicked, the file apparently opened normally; however, once opened, a series of unfortunate events followed: A vulnerability on the user's machine was exploited and the malware was loaded.

Once installed, the malware attempted to make contact with its control server.

Any operator with access to the control server's interface could then gain complete control of the infected computer and access to the network to which it belonged.

Anti-virus software frequently did not detect this Trojan. According to the report's authors, only 11 of 34 anti-virus programs successfully quarantined the infected doc.u.ment; the other 23 simply didn't catch it.

In 2006, Australia's CERT announced an 80% miss rate by anti-virus (AV) programs in stopping malware, princ.i.p.ally because hackers will test their code against existing AV programs until it escapes detection.

This underscores one of the most important points in understanding any cyber defense strategy: both states and enterprises that must defend sensitive data from malicious access cannot rely solely on technology to protect them. The human element, with all of its strengths and weaknesses, is paramount.

While millions of people of all ages enjoy many of the benefits of being connected to the Web, it also raises their risk for being victimized by an online scam or attack. The more information a cyber criminal knows about his target, the easier it is to create an attractive lure, and the more likely it is that an unsuspecting individual (as demonstrated by the GhostNet investigation) will take the bait.

Social media sites such as Twitter, Facebook, Plaxo, and LinkedIn meet legitimate networking needs among professional adults; however, they are concurrently being tracked, mined, searched, and ranked for marketing purposes by companies such as Nielson Buzzmetrics, Visible Technologies, and other firms that perform brand-monitoring and name-recognition services for businesses.

Social engineering as a tactic for hackers precedes all of the previously mentioned services by many years. In fact, the "old-school" approach consisted of dumpster diving and other "meat s.p.a.ce" techniques used to gather user login and pa.s.sword information from target companies. Thanks to the rapidly growing social media s.p.a.ce, those old-school techniques have given way to a completely online approach.

The Government 2.0 movement of 2009 highlights many of the benefits that might accrue with the use of social software by government officials and agencies, including providing a real-time gauge for evaluating public sentiment during key moments of national or international events and policy debate.

The negative aspects relate directly to social engineering hacks. Government employees' user profiles, not to mention their posts, often contain personal data that a motivated hacker could leverage into an attack similar to the one described in the GhostNet case.

Since there are legitimate uses for this information as well as nefarious ones, specialty Internet search engines are being created that focus on the Social Web. A January 2009 post on the Online Marketing blog (http://www.toprankblog.com/2009/01/6-social-search-engines/) reviewed no less than six new social search engines, three of which were: WhosTalkin.com This application searches for keyword topics in conversation threads taking place in over 60 social media portals.

Samepoint.com This application tracks millions of conversations taking place in tens of thousands of blogs and on social media sites.

OneRiot.com OneRiot crawls the links people share on Twitter, Digg, and other social sharing services, and then indexes the content on those pages in seconds.

The Social Graph API

Google Labs recently created the Social Graph API, which allows developers to access the connections that people have made via the Web, whether through blogs, Digg, YouTube, LinkedIn, Facebook, Twitter, or other social networks. This has significant intelligence-gathering implications for adversaries looking to target specific groups of people.

The Social Graph API works by searching for pages that belong to you via your membership in one of the many social networks on the Web. In addition to finding your Twitter, Daily Motion, and Flickr home pages (for example), it will also look for links between friends, followers, or even your blog roll.

By now it should be obvious that employees who work in targeted, high-value industries (e.g., government, public utilities, defense contractors) must exercise caution in revealing any personal details, areas of interest, and affiliations. It is simply too easy to build detailed personal profiles from open sources, and it's getting easier every day.

Channel Consolidation

Jeff Jonas has established a well-deserved reputation for excellence in demonstrating how large organizations can sort through ever-growing mountains of data and make vital connections, whether the purpose is national security or sustaining profitability.

In 2009, Jonas wrote a blog post ent.i.tled "Channel Consolidation." In it, he makes the case that channel consolidation is an essential ingredient to improving accuracy in prediction (for example, when an online travel site makes suggestions based on your past trips).

Jeff points out that channel separation is what we have known all of our lives. Even though our actions are recorded by each credit card purchase and cell phone call, our banker doesn't know where we were at 11 a.m. yesterday, and your doctor isn't informed as to the contents of your email inbox.

Channel consolidation, however, is what we are moving toward. As Jonas points out, it is an essential component in making accurate predictions about what you want to read or what movie you want to rent. Consumers like the convenience, and businesses like the efficiency. Law enforcement and intelligence services like it for their own cla.s.sified reasons.

In his blog post on the subject, Jeff points to Facebook as an example of what channel consolidation might look like: Facebook makes a great example of channel consolidation. All your emails, instant messages, status updates, past/present/and future travel, annotated photos, your social circle, memberships, self-expressed interests, and more...all bundled together in one nice little package, under your user account. Traditionally such life details are expressed on diverse channels-un.o.bservable to any single ent.i.ty. No more. Facebook, with this panoramic view of its users, now likely has a substantially more complete picture of a person than almost any other single ent.i.ty.

How powerful is this? Here is one example: if you are a Facebook user maybe you have noticed the increasingly (spooky smart) relevant ads. I get ads that read "Are you 44, a triathlete, and want abs like this?" Or a well-timed ad over the summer when I was in Southern California that read: "Are you looking for a triathlete coach in the Orange County area?" It is so relevant I find it very hard not to click on the ad! (Be a.s.sured I do resist.) The more sense Facebook makes of users, the better the service, the more folks will find Facebook irreplaceable, the more users will flock to the platform, and last but not least, the more advertisers are willing to pay. Everyone seems the winner.

An Adversary's Look at LinkedIn

LinkedIn and other social networking sites are essentially trust networks, but with little in the way of authentication. Therefore the obvious question-how reliable is the trust that is extended?-remains a difficult one to answer.

Nitesh Dhanjani, a computer security expert who specializes in the financial sector, believes that the problem will grow worse and that our privacy, reputations, and ident.i.ties are stake. (See his book Hacking: The Next Generation (http://oreilly.com/catalog/9780596154585/) [O'Reilly]).

Nitesh points to LinkedIn as an example. Imagine that you are a consultant with a profile at LinkedIn. Your contact list represents intellectual property and you want to protect it from the prying eyes of your compet.i.tors. At the same time, it may benefit you to share that property in a way that is mutually beneficial. This requires a way to authenticate the ident.i.ty of each member, something that doesn't yet exist on any social networking site, including LinkedIn.

From an adversarial point of view, how would one take advantage of this situation? Since LinkedIn builds its ident.i.ty-management structure around email addresses, a social engineering hack would probably take advantage of that. Email addresses are easy to spoof, so all one needs to do to access a target contact list is to get the target to connect with a fake LinkedIn account. Here is the process that Nitesh imagined: Think of an individual the target LinkedIn member may know but who doesn't yet have a LinkedIn account.

Create an email address with the name of this individual, such as [email protected] or [email protected] You can go as far as creating a similar looking domain name of the company the individual may work at (for example, @applee.com, @app1e.com, etc.).

Create a profile on LinkedIn with the name and email address of the individual.

Send an invitation to the target using the new LinkedIn account, and wait for the target to accept.

Bonus: other people the target is connected to will notice that he or she has added a new friend (the individual you picked). Should the individual happen to be a mutual friend of these people, they will likely attempt to connect to your new LinkedIn profile, offering you even more details about the target's network.

Once connected, the circle of trust is established and resources begin to be exchanged, partly facilitated by LinkedIn's own user interface and partly out of enthusiasm of the members. Since an adversary's fraudulent profile needs as many connections as he can secure in order to be believable and gain trust, he may very well appear to be the perfect LinkedIn member-outgoing, gregarious, helpful, informative, happy to provide contacts and recommendations, and so on.

As a result, other legitimate members will be happy to nominate or provide recommendations for him, and that could include membership in LinkedIn discussion groups dedicated to discussing issues related to cyber warfare or intelligence or IT security. The list is endless.

A solution to this dilemma is not easy to come by, since social networks rely on members sharing information about themselves, and indeed people love to share information. The beauty of this hack is that it plays on perfectly natural and accepted modes of behavior.

It may be that some individuals employed in critical jobs should be prohibited from joining such networks. At the very least, it wouldn't hurt for everyone to become a bit more skeptical about their online relationships. At best, a more secure authentication system should be put into place.

BIOS-Based Rootkit Attack

This is a newly discovered exploit created by two researchers who work for Core Security Technologies. Although BIOS-based attacks are not new, this one evades anti-virus software and cannot be destroyed by rebooting an infected computer.

According to its developers, Anibal Sacco and Alfredo Ortega, the infected machine can go on to attack other machines without using its host machine's memory or hard drive. Furthermore, since it runs before any other code on the system, it can allow an attacker to deactivate the anti-virus software.

Defense against this exploit is difficult at best. Its creators say that the best options are "to prevent the flashing of the BIOS by enabling 'write' protection on the motherboard, or deploying digitally signed BIOSes."

Malware for Hire

In March 2009, a ifew employees of Applicure, an Israeli network security company, launched a SQL injection attack against the Hezbollah website, temporarily taking it offline.

What made this event unique was how they did it: they used a piece of Chinese-created malware that allows subscribers to hire botnets on a monthly basis, with fees ranging from a little over $20 a month for a very small network of 10 bots to $100 a month to control 1,000 bots.

According to an article on Hareetz.com, this application-a kind of malware-as-a-service-offers a user-friendly interface that allows the operator to choose the type of attack, attack speed, and number of computers (bots).

Anti-Virus Software Cannot Protect You

All anti-virus software is signature-based, meaning that it relies on software security companies such as McAfee, Symantec, and Kaspersky to create a unique algorithmic hash (or signature) for each anti-virus that's discovered. In 2008, there were so many viruses being created that Symantec needed to write a new signature every 20 seconds. In 2009, it changed to every 8 seconds.

As of this writing, Triumfant's Worldwide Malware Signature Counter is displaying 3,704,642 malware signatures needed by AV software to be up to date. As I typed the period of that last sentence, that number increased by 5.

The counter can be found at http://www.triumfant.com/Signature_Counter.asp. As I write this second edition, the count has increased by almost 400% to 13,930,460.

Simply put, security software vendors cannot keep up this pace. More importantly, updates to customer computers cannot occur fast enough to ensure protection. Finally, it's important to remember that no anti-virus software can protect you from a zero-day exploit, i.e., a virus that is so new that no AV signature has been created for it.

This makes it necessary for Computer Network Defense operations to become a priority in any cyber warfare strategy. It also requires the acceptance of a harsh reality, namely that the NSA and DHS (the two agencies responsible for military and civilian cyber network security, respectively) cannot possibly protect every department and every enterprise. Instead, these agencies must determine the high-priority targets in both arenas and focus on hardening those systems, while requiring 24/7 monitoring of individual networks.

Targeted Attacks Against Military Bra.s.s and Government Executives

Attacks against military bra.s.s and government executives make for great news stories. Media outlets often will report that "machines have been compromised" and "data has been stolen" but provide few details as to how the attacks were carried out. This section discusses the means by which targeted attacks are executed. The attack described here is based on actual attacks that have occurred. Several technical details have been changed, but the major characteristics of the attacks are intact.

Research is the key to offensive capabilities