Category Archives: Blog

The FBI, Sony and the Attribution Problem, Part 1- Why?

The recent attack on Sony has publicly paraded one of the predominant problems in incident response. While the immediate issue in incident response is of course the remediation of compromised systems and bringing these systems and IT services back online, it is entirely human to look for somewhere to cast blame. Let’s begin by fleshing out the “why” of attribution before engaging with the “how”.

Why Attribution?

For an affected entity, and for the security professionals working within it, attribution of the attacker(s) is only an ancillary concern. Certainly steps taken (or not taken) during the direct remediation of the breach are important and even essential to the later attribution effort, but priority of work must be on restoration of service. After service is restored, and the breach points corrected, the attribution process begins. Here are some reasons to perform attribution:

1. Attacker Centered Defense– If the attacker can be identified or at least have their tactics, techniques and procedures characterized, it may be possible to take steps to make their next intrusion more difficult and time consuming.

2. Legal/Governmental Retribution– Bringing criminal charges or taking other action against the attacker may deter future attackers, or may have deterrence against the current attackers if they are in a jurisdiction where criminal charges cannot be brought, but are vulnerable to intergovernmental or other pressures.

3. “Hacking Back”– This is an operation pregnant with legal and ethical concerns. It may appear advantageous in the midst of an attack to attack back, but the technical case for doing so needs to be looked at carefully. There are two scenarios where hacking back could reduce the impact of an ongoing attack. The first is a DDoS attack, where breaking into the command and control systems of the attributed botnet may be a viable way to stem the flood. In the second, stolen data belonging to the attacked entity has been definitively located (through attribution efforts) on a server, and the entity breaks into that server to delete the data before it can be copied or moved. Both operations are patently illegal in the U.S. under the Computer Fraud and Abuse Act. Both also carry a low probability of success or advantage for the attacked entity. If a DDoS operation is disrupted, the attacker can employ other botnets at short notice, or may simply regain control of the compromised one. The command and control servers may also be innocent bystanders unknowingly playing host to malware: taking down the servers of a hospital, a local government or a foreign military could have extremely serious human and geopolitical downsides. In the second scenario, the attacked entity would have to be extraordinarily fast to get the toothpaste back into the tube. In fact, it is so difficult that it may as well be regarded as functionally impossible; there is little chance of deleting every copy before the data is further disseminated.

Looking at the limited reasons for attribution, and given especially the weakness of the third, it may be entirely reasonable for an attacked entity to decide not to pursue attribution at all. In the end, even having your attacker arrested will not undo the damage caused by the attack. The process of attribution is also not cost free. Additionally, any major action taken on the basis of the attribution performed may only cause more reputational damage for the entity as the original breach and security failure is further publicized.

Why Attribute the Sony Hack? 

Obviously an attack as devastating as Sony’s–which will probably involve hundreds of millions of dollars in damage to Sony Pictures Entertainment, in addition to a substantial erosion of their reputation and personal damage to many of their prominent employees–should be answered. To decide to not attribute the attackers would make their actions seem tacitly permitted, and probably contribute to further devastating attacks against other entities. This Public Order justification is the purview of the FBI, who has taken a lead role in the investigation of the attack. Sony, of course, probably wishes nothing more than for this incident to go away and may be leaning more towards active disinterest in attribution. It isn’t as if any future lawsuit will recover their lost capital, and their threats of legal action against those who published the more tabloid-friendly portions of their internal emails are at serious risk of the Streisand Effect.

Of course, SPE is not the only actor involved. There are cyber security companies and the U.S. Government at work here as well. Attribution is in the interest of cyber security companies for reputation and prestige, as proof of their aptitude and ability. On the government side attribution can be a marker of aptitude as well; however, retribution is also a significant influence. In the global and domestic political arenas strong attribution can aid in the pursuit of other interests. Attribution has previously been used by the U.S. Government to pressure the Chinese Government over its cyber espionage campaigns, and charges have been filed in the U.S. against a number of Chinese operators. So it comes to this: the primary reasons for attribution are political, as support for past and future actions and as an instrument of geopolitical pressure. The actions supported by attribution may include legislative efforts, international sanctions, and even electronic and physical attacks.

In Part Two of this work, having established the interests of the actors involved in attribution, we will look at the “How” of the SPE hack attribution as far as it is known publicly.


The WIP hosted #LocalVoicesTalk about Women in Islam, a Twitter event.

On Thursday, July 24, The WIP hosted a Twitter chat, “Women in Islam: Myth vs. Reality.” The conversation ran from 9:30 am to 10:30 am PDT on Twitter under the hashtag #LocalVoicesTalk.

You can view a recap of the discussion here.

Photo credit: Stephanie Murti

There will also be a workshop on Twitter best practices immediately before the event at 9:00 am in the DLC. All interested parties are encouraged to attend.

The idea for “Women in Islam: Myth vs. Reality” was inspired by two CNS fellows from Pakistan – Maria Syed and Nidaa Shahid. Both fellows wrote this summer for The WIP addressing the common misperceptions in the West of women in Pakistan. After sharing the topic with CNS fellow Abdulmajeed Ibrahim of Nigeria, the topic grew to address common misperceptions in the West about Islam. The vision for this conversation is to engage Muslims and Non-Muslims to cultivate better cross-cultural understanding.

Please join us at 9:30 Thursday morning, July 24 using #LocalVoicesTalk

Bios of participants:

Maria Syed @SyedMarias – Maria Syed is currently a visiting fellow at James Martin Center for Nonproliferation Studies, MIIS. She is a researcher at Islamabad Policy Research Institute (IPRI), Pakistan and has over six years of research experience. Her areas of interest include Pakistan’s security and governance issues, political economy, The Middle East and North Africa region with special focus on The Arab Spring.

Nidaa Shahid @NidaaShahid – Nidaa Shahid is a visiting fellow at James Martin Center for Nonproliferation Studies at MIIS. She is a Radio Journalist from Pakistan. She has been working for the Pakistan Broadcasting Corporation (PBC) which is the official radio channel of Pakistan for the past five years. Apart from that she is also an MPhil Graduate in Defense and Strategic Studies with a focus on Media Studies, Information Warfare and Psychological Warfare.

Abdulmajeed Ibrahim @abdulmj1 – Abdulmajeed Ibrahim is a visiting fellow at James Martin Center for Nonproliferation Studies, MIIS. He is a Regulatory Engineer at the Nigerian Nuclear Regulatory Authority (NNRA), Abuja. He has been working there for five years. He is experienced in Nuclear Security, Safeguards and Nonproliferation. His interests include Nuclear Nonproliferation and Disarmament. He hopes for a world free from Weapons of Mass Destruction.

The Women’s International Perspective @thewip – Based on the campus of the Monterey Institute of International Studies, The WIP is a global source for women’s perspectives. The WIP reports news, world opinion, and commentary through our Feature Articles, Byline Portal, Current Headlines and community blog. Our mission is to provide quality articles from the unique perspectives of women, accessible worldwide, and free to readers.

Infrastructure Hackers, Script Kiddies and “Watchdogs”: A Round-up of Monsters Under the Bed from CIS/MS-ISAC

A recent report from the MS-ISAC (Multi-State Information Sharing and Analysis Center), written by CIS (the Center for Internet Security, a private nonprofit) and publicized by security journalist Brian Krebs, addresses a series of concerns regarding an infrastructure hacker who calls himself “Sun Hacker” and has made a name for himself by remotely changing the displays of road information signs.

Sun Hacker encourages people who see his real-world defacements to “TWITT WTH ME”, and maintains an active Twitter account where he recounts his website and sign defacements. His hacks have not been overly complex, apparently targeting insecurely configured SNMP services and, in at least one case, breaking in over telnet (TCP port 23), a protocol that carries logins and commands in cleartext, has been disabled for years in most any security baseline, and is typically blocked by firewalls for its notoriously bad security. Using telnet to provide access to road sign controllers is a very short-sighted security choice, akin not only to assigning the fox to guard the hen-house, but then also advertising the hen-sitting party on craigslist.
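The two weaknesses described above, telnet reachable at all and SNMP left on its defaults, are easy to check for once you have a port scan of the sign network. The following is an added example, not code from the original post or from the CIS report: it parses nmap's grepable (-oG) output for a constructed sample subnet (the 10.0.0.0/29 addresses and dot.example hostnames are hypothetical), flags any host still exposing telnet or SNMP, and then builds a raw SNMPv1 GetRequest by hand to show why a v1/v2c community string is a weak secret: it travels as a plain OCTET STRING that anyone on the path can read, and a device that answers to the factory "public" or "private" string answers to anyone who tries. The probe() helper sends that packet over UDP and should only be pointed at equipment you are authorized to test.

```python
import re
import socket

# Constructed sample of nmap -oG output for a hypothetical sign-controller subnet (not real data).
# -oG fields are tab-separated: "Host: ip (name)\tPorts: port/state/proto/owner/service/rpc/version/, ...".
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample): nmap -sS -sU -p T:22,23,U:161 -oG - 10.0.0.0/29\n"
    "Host: 10.0.0.5 (sign01.dot.example)\tPorts: 23/open/tcp//telnet///, 161/open/udp//snmp///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.6 (sign02.dot.example)\tPorts: 23/closed/tcp//telnet///, 161/open|filtered/udp//snmp///\n"
    "Host: 10.0.0.7 (ctrl.dot.example)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Map each scanned IP to its [(port, state, proto, service), ...] list."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ports = []
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for port, state, proto, svc in PORT_RE.findall(field):
                    ports.append((int(port), state, proto, svc))
        hosts[m.group(1)] = ports
    return hosts


def audit(hosts):
    """Flag telnet reachable at all, and SNMP reachable at all (UDP usually shows as open|filtered)."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        for port, state, proto, _svc in ports:
            if proto == "tcp" and port == 23 and state == "open":
                findings.append((ip, "telnet: cleartext logins; replace with SSH or out-of-band access"))
            elif proto == "udp" and port == 161 and state.startswith("open"):
                findings.append((ip, "snmp: require v3 auth/priv; v1/v2c community strings are cleartext"))
    return findings


# --- Minimal SNMPv1 GetRequest (RFC 1157) built by hand, to show what is on the wire ---

def _ber(tag, payload):
    """BER TLV for payloads under 128 bytes, which covers a single-OID GetRequest."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def _int(n):
    """Non-negative INTEGER in minimal big-endian form (a leading 0x00 is added if the high bit is set)."""
    return _ber(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 encoded."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        groups = [a & 0x7F]
        a >>= 7
        while a:
            groups.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(groups))
    return _ber(0x06, bytes(out))


def snmpv1_get(community, oid="1.3.6.1.2.1.1.1.0", request_id=1):
    """GetRequest for one OID (default sysDescr.0). The community is a plain OCTET STRING."""
    varbind = _ber(0x30, _oid(oid) + _ber(0x05, b""))                  # SEQUENCE { OID, NULL }
    pdu = _ber(0xA0, _int(request_id) + _int(0) + _int(0)               # [0] GetRequest-PDU
               + _ber(0x30, varbind))                                  # VarBindList
    return _ber(0x30, _int(0) + _ber(0x04, community.encode()) + pdu)  # version 0 == SNMPv1


def community_from_packet(pkt):
    """What a sniffer on the path recovers: skip the SEQUENCE and version, read the OCTET STRING."""
    assert pkt[0] == 0x30 and pkt[2] == 0x02
    off = 4 + pkt[3]                    # past the version INTEGER
    assert pkt[off] == 0x04
    return pkt[off + 2: off + 2 + pkt[off + 1]].decode()


def probe(host, community="public", timeout=2.0):
    """Send the GetRequest to host:161; any reply means the device accepts that community string.
    Needs network access; use only against equipment you are authorized to test."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(snmpv1_get(community), (host, 161))
        s.recvfrom(2048)
        return True
    except socket.timeout:
        return False
    finally:
        s.close()


if __name__ == "__main__":
    for ip, message in audit(parse_grepable(SAMPLE_SCAN)):
        print(ip, message)
    pkt = snmpv1_get("public")
    print(pkt.hex())    # "7075626c6963" in the middle is "public", readable by anyone on the path
    print("community seen on the wire:", community_from_packet(pkt))
```

Run against a real scan file, the audit list is the work order for the sign network: anything with telnet open gets it turned off, and anything answering probe() with a default community gets its community changed or, better, moved to SNMPv3 with authentication and encryption.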

The CIS report notes that Sun Hacker is operating from Saudi Arabia and is not known to be associated with any other major “hacktivist” groups. He has conducted SQL injection attacks on a number of websites, and documents hacking other web connected devices such as LED light bulbs and car radios.

Then the CIS report goes (deeper?) into the rabbit hole, beyond simply characterizing Sun Hacker as a “Hacktivist” (a term now so diluted as to include playful defacements in addition to political statements) and as a “Malicious Actor”:

“This activity likely coincides with the May 27, 2014, release of the video game “Watch Dogs,” in which game play revolves around “hacking,” with a focus on hacking critical infrastructure-based electronic devices in particular. Watch Dogs allows players to hack electronic road signs, closed circuit television cameras (CCTVs), street lights, cell phones, and other systems. On May 27, 2014, the malicious actor posted an image of the game on his Twitter feed, demonstrating his interest in the game, and the compromise of road signs occurs during game play. CIS believes it is likely that a small percentage of Watch Dog players will experiment with compromising computers and electronic systems outside of game play, and this activity will likely affect SLTT government systems and Department of Transportation (DOT) systems in particular.”

This is where the peril of puffing up minor actors and conflating minor events shows itself as a major analysis flaw. Especially in cyber security, where there are real actors who present real dangers, a sense of balance is necessary. Inflating fears about things that are on their face innocuous leads to misallocation of resources, especially at the national level. It could even lead to a nationwide alert insinuating that a major video game is training the youth of America to become infrastructure hackers. The “hacking” showcased in the game is just a series of in-game events, with limited to no applicability outside of a fictional game universe.

Certainly there are risks involved with the hacking of road signs, but a distinction should be made when those hacks are minor and only possible due to a choice by the service provider (in this case state Departments of Transportation) to abandon even the most basic conceptions of security. Most of the other incidents of road sign hacking are so simplistic as to be entirely ignored, as seen in the “Zombies Ahead” hacking of towable roadside signs. These “hacks” are possible because of the use of default passwords on the towable signs in addition to poor physical security measures. That said, pranks on this level being treated as some sort of infrastructure security threat that requires national attention shows a serious flaw in the perspectives of our national cyber security organs and analysts. The know-how necessary for “hacking” towable road signs has been widely distributed on the internet for some time, especially in forums devoted to pranksterism.

The lesson of this type of “infrastructure attack” should be taken from “The Field of Dreams.” On Security, “If you break it, they will come.”  Weak security on this class of devices is the real issue here, not the existence of Sun Hacker or the release of a video game.

-Dan Gifford

MCySec Media Manager


Recent Activity from The European Cyber Army (ECA)

Intelligence Analysis, the threat monitor for Recorded Future, detailed recent attacks and events linked back to The European Cyber Army (ECA) in a recent article. The group has also been linked to several campaigns against U.S. banks in recent months. Additionally, large-scale Syrian web outages have also been traced back to the ECA as of March.

European Cyber Army Logo

For those interested in seeing what other groups remain active in Europe, outside of Crimea, be sure to follow this group.

Summary of 2013 Malware Development

HackSurfer just released a summary on malware development for 2013 based on the formal report from Panda Labs. Here are some of the key points from the summary:

  • Almost 32% of computers across the world were found to be infected with malware.
  • On average, 82,000 new malware strains emerged every day in 2013.
  • Android remained the primary target for cyber criminals, with nearly two million Android malware samples created in 2013.
  • Trojans were the largest category in 2013, at 71.11% of all new malware.
  • The growth rate of new malware strains rose to 13.3%, versus 9.67% in 2012.
  • China remained the most infected country in 2013, with a 54.0% infection ratio.
  • Sweden had the lowest infection ratio of the countries surveyed.
  • 20% of all malware ever recorded was created in 2013.
  • The most prevalent virus families were Sality and Xpiro.
  • 30 million new malware variants were created in 2013.

2014 Prediction about Imminent Threats:

  • New malware variants in 2014 will compel organizations to implement stronger security controls.
  • Java will remain a major attack vector in 2014 because of its countless security flaws and widespread deployment.
  • Users will continue to fall victim to social engineering.
  • Android will remain the platform most targeted by malware.
  • Ransomware will overtake Trojans and botnets as the leading threat in 2014.
  • Organizations will have to think beyond traditional antivirus products.
  • Attackers will increasingly target Internet-connected devices (the Internet of Things).

Turkey Thrashes Twitter, Leaks put Gov in a Twist

Amid deepening corruption scandals in Turkey, the Turkish Government has shut down access to a number of social media outlets, most recently Twitter, after Twitter failed to comply with their demands to censor links to wiretapped conversations of the inner circle which seem to provide evidence of corruption. Prime Minister Erdogan was unfazed by condemnation of this move, saying “the international community can say this, can say that. I don’t care at all. Everyone will see how powerful the Republic of Turkey is”.


Commerce Dept. Cans ICANN

The US Government is winding down its oversight role over the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN’s duties include setting policy for domain names and top level domains and coordinating the root zone at the top of the Domain Name System, the distributed registry that translates the name a user types into a web browser, such as www.google.com, into a machine-readable address (in this case 74.125.239.146). While much hay has been made by certain political personalities, among them Moonbase Commander Newt Gingrich, about this loss of control by the US to an undefined international community, the move has been planned for a significant amount of time, and the transition of ICANN towards a more global regulatory system will occur under a planned framework.

There was another possible path for the governance of the DNS and addressing systems: the ITU, under the oversight of the UN. However, every nation would have had a vote in that arrangement, and the number of nations that would like to see substantial control instituted and widespread surveillance authorized is almost certainly greater than the number that (at least publicly) would like to see a free and open internet. Many nations saw this as problematic, among them the US, which has lent significant weight to the process now being adopted of reforming ICANN and reducing US Government influence. That said, the existing system was no longer sustainable, especially in the wake of the Snowden leaks, which revealed wide-ranging activities by the US Government that have done significant damage to the moral authority on which its governance role rested.

Pursuing ICANN as a regulatory body for the future is an example of the use of the Multistakeholder governance model, which will essentially give regulatory control to a number of major internet and technology companies, and Internet civil society groups. A presentation on the application of this model in ICANN may be found here.


Dan Gifford, MCySec Media Manager

Point of Sale Target’ed, Millions of Credit Cards Scraped.

Early in December 2013, rumors began bouncing across cyberspace that retail giant Target had been hit in an extensive cybercrime scheme in which point of sale devices (in plain terms, cash registers) had been infected with a program designed to steal credit card details. The attack seems to have been concentrated on the “Black Friday” sale after Thanksgiving, one of the busiest shopping days of the year. Since then a number of the stolen cards have been cloned and sold online, and retailers and credit card companies have been sent scrambling to contain the damage.

More details about the specifics of the breach have become available over time. Security journalist Brian Krebs, who broke the story and has been a driving force in the public exposition of the damage, has revealed how the attackers got into Target’s network: they sent spearphishing emails to Fazio Mechanical, a heating, ventilation and air conditioning subcontractor with access to parts of Target’s internal network, and used the credentials stolen from that company to break in.

The breach potentially exposed millions of consumer credit cards, many of which have shown up for sale on forums in the deep web. In response to the scale of the breach, Congress has held hearings on methods to prevent similar breaches in the future. One proposed method is to transition to chip-based smartcard technology in place of the 1960s-era magnetic stripes currently employed. One caveat a practitioner would add: chip cards make counterfeit cards far harder to produce from stolen data, but on their own they do not stop card numbers from being read out of point of sale memory; that requires encrypting the card data at the reader itself, before it reaches the register.

Hotels May Become New Data Breach Point

A data breach appears to have hit White Lodging, a firm which manages hotel franchises for the Marriott, Hilton and Starwood chains. As reported by Brian Krebs, the breach appears to have struck computers in the restaurants and gift shops of a number of hotels managed by the company, collecting credit card information over a period extending from March 2013 until the end of the year. Krebs was alerted to the breach by a number of fraud specialists working in banking who were dealing with the fallout of the resulting card fraud.

Mask/Careto Unmasked, Shadowy Spanish Spybots Slink into Sunset

Amid continuous revelations of a variety of “Advanced Persistent Threat” (APT) hacking operations sponsored by nation states–among them Flame/Gauss/Duqu/Stuxnet, Red October, Comment Crew, Shamoon, Icefog and Dark Seoul–the major global players such as the US, Russia and China have been heavily represented. A new report by Kaspersky has revealed an advanced operation conducted by an as yet unknown but presumably Spanish-speaking state. The operation apparently began as early as 2007, and the sophistication of the code has been judged higher than that seen in programs such as Duqu, Red October or Icefog.

Based on multiple strings in the code, especially those referring to “Careto”, Spanish slang for an ugly face or a mask, it is assumed that the malware authors speak Spanish. The malware was discovered by Kaspersky Lab because it exploited a flaw in earlier versions of Kaspersky’s anti-virus software to hide itself from scans. The payload also included a rootkit and a bootkit, employed zero-day exploits, and could infect a variety of 32- and 64-bit systems, with versions for Windows, Mac and Linux, and possibly for Android and iOS on smartphones.

The campaign seems to have relied on spearphishing to send users to a malicious website which would deploy the modular program. Many of the malicious sites used addresses which impersonated those of a number of Spanish and international newspapers. The malware components were signed with a valid code-signing certificate, albeit one issued to an unknown (and probably fictitious) Bulgarian company called TecSystem Ltd. The command and control servers were also configured to deny access to IP addresses likely to be used by security researchers, among them Kaspersky Lab.

The entities targeted seem to have been primarily in the UK, Brazil and Morocco, though a range of European countries are represented. The discovered targets are also only a limited subset of the possible targeted groups, as the team involved was very effective at covering its tracks, and the targets Kaspersky identified only represent the systems being targeted at the time of the investigation. Soon after the operation was discovered, however, it was shut down, as the article quoted below details:

“Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Costin Raiu, head of the Global Research Analysis Team at Kaspersky, said that after the post was published, the Mask operators rolled up their campaign within about four hours.”

Dan Gifford- MCySec Media Manager

The Syrian Electronic Army: Mediums of Disinformatics


“We are just Syrian youths who want to defend their country against the media campaign that is full of lies and fabricated news reports”

The Syrian Electronic Army (SEA) most likely began at least in part as an outgrowth of the Syrian Computer Society (SCS), an internet and information science advocacy group founded by the late Basil Al-Assad in 1989, and later led by Bashar Al-Assad prior to his elevation to the presidency. In 1997 there were only 35,000 computers in the country, two for every thousand people.  The early days of Syria’s acceptance of the internet were marked by significant bureaucratic trepidation, predominantly motivated by concerns of cultural penetration. The opposing camp was urged onward by a recognition that in the face of heavy usage of the internet by other nations, especially Israel, Syrian perspectives were being drowned out. Surveys conducted in 1998 by an early advocate, Dr. Imad Mustafa, found that of 1.5 million documents on the web dealing with Syrian aspects of the Arab-Israeli conflict, 56% had been written by Israeli organizations, 18% by Zionist groups outside of Israel and another 17% were written by US government organizations. On issues rich with nationalistic fervor such as the Golan Heights, the survey found that there were essentially no existing sources or documents on the internet which were benign to Syrian interests, and that 71% of the documents were absolutely hostile to Syrian perspectives. This preoccupation with “correcting” the established media narrative has fed directly into the ethos of the SEA, though they also engage in “punishing” media outlets by propagating false news events.

The personnel evolution of the group can be roughly split into two phases. In the early phase of the group their website from May of 2011, syrian-es.com was hosted by the SCS, and the domain registration pointed to the same group. A later site, sea.sy, was registered with the approval of the SCS. By May of 2013, however, the SCS cut all of these ties and disabled use of the sea.sy site. There may have been significant personnel changes later in the 2011 era, and it is entirely possible that the activists who shared membership in SCS and SEA left at that point. The second phase of the group was much more shadowy, international and varied in their technical aptitude.

The method of attacks has been multi-pronged, from website defacement and redirects, to propaganda posting on facebook, and in some cases campaigns distributing malware (intended to reveal the identity and activity of online actors) against the Syrian Opposition. Recent operations have been heavily focused on compromising social media accounts of news organizations and celebrities.

In April of 2013 SEA conducted spearphishing attacks (targeted emails designed to steal user credentials and other data) which gave them control of the Associated Press Twitter account, which they used to spread a false story about an explosion at the White House that had injured the President.


The tweet caused a temporary drop in the Dow Jones Industrial Average of over a hundred points, but AP was quickly able to regain control of their twitter account and retract the false story.


This method of attack has proven to be both high profile and high impact, and the group seems to have shifted its focus onto compromising social media accounts. These compromises have varied in intent, from posting false information for shock value to pushing propaganda against perceived international enemies of Syria and Al-Assad. This week CNN’s Twitter account and website were compromised and used both to spread propaganda in favor of Al-Assad and to plant a false news story apparently intended to disrupt financial markets. Increasing attempts to manipulate markets may indicate economic motives behind SEA operations, especially if these actions are combined with short-selling, though this connection would require further analysis for confirmation.


The Syrian Electronic Army represents a new type of cyber actor, one which is both a hacktivist group in the vein of Anonymous and a state sponsored group much like many in operation across the world. However, unlike many hacking groups with state sponsorship, SEA concentrates on propaganda operations instead of espionage for military or economic ends. In this sense it bears some similarity to groups like the Chinese Honker Union and the Russian hacktivist movements which have surrounded military operations and international controversies in Estonia and Georgia. The funding for the group remains murky. There are allegations that Rami Makhlouf, a billionaire cousin of Bashar Al-Assad, supported the group in leaving Syria and basing its operations in other Arab states, and continues to provide accommodation for group members. There are also rumors that hackers are paid between five hundred and a thousand dollars for successful website compromises.

Dan Gifford – MCySec Media Manager


Russia Crowdsourcing Its Cyber Security Strategy: Clever Experiment or Solicitation of Internet Restriction Freedoms?

On November 29, 2013 the Federation Council (CF) of the Russian Federation held parliamentary hearings on the draft Concept of Russia’s Cyber Security Strategy. Participants in the hearing, recognizing the significant security implications of the proposed strategy, proposed publishing the draft online for public discussion. The main concerns of the draft concept were gaps in Russia’s overall cyber security posture, the incorporation of both state and private-sector entities, and the establishment of clear incident response models for individuals, businesses and the state.

On January 10, 2014 the CF published a 10-page draft of the Concept of the Russian Federation Cyber Security Strategy and allowed commentators to personally email one of the lead senators overseeing the concept’s development. The senator, Ruslan Gattarov, is the head of the Federation Council Committee on Development of Information Society which established a working group of experts to work on the cyber security strategy a year ago. Several other Russian government organizations also contributed to the final draft, including the Security Council, the Ministry of Communications and Mass Media, the Federal Security Service (FSB), the Ministry of Internal Affairs and the Ministry of Foreign Affairs.

(Pictured Above: Senator Ruslan Gattarov)

However, the FSB criticized the draft strategy pointing out the use of incorrect terminology: the term “cyber security” as used in western countries primarily encompasses the protection of equipment and communication channels. The term “information security”, which the FSB insists on, has a broader meaning and includes Internet content.

On January 13 of this year, RBK-TV (currently Russia’s only 24-hour business news television channel) aired a report on cyber security in Russia (2:32 – 9:28) and invited two subject matter experts to give their opinions. During the broadcast RBK-TV stated that the Concept of the Russian Federation Cyber Security Strategy sets out seven key directions, in particular the improvement of the legal framework in the field of information technology. The authors suggest harsher punishment for crimes committed on the Internet, including criminal prosecution. Among the general objectives of the strategy are increasing the “digital literacy” of the population and improving the culture of information security. The strategy also proposes reducing reliance on foreign software and computers in favor of domestic products, while conceding that technical support and consultation from foreign experts are still necessary for the protection of strategic resources.

Yuriy Gatchin, Chair of the Computer Security Systems Department at the St. Petersburg National Research University of Information Technologies, Mechanics and Optics (St. Petersburg NRU ITMO) disagrees with the draft strategy’s proposal that Russia still needs outside technical support. Mr. Gatchin argues that there should be no such need of foreign experts since there are plenty of “competent and smart professionals” within Russia and that Russia “needs to rely on its own strength”.  Another expert, Artem Kozlyuk, one of the leaders of the Pirate Party of Russia and also the head of the project “RosKomSvoboda“/RuBlackList.Net, sees this document as mostly “focused towards the domestic market”. Kozlyuk clearly identifies the Russian government’s recent trend of fostering fear and then responding with quick policy solutions issued through the State Duma.

According to Mr. Kozlyuk, responsibility for cyber security should lie with private companies’ and structures’ self-regulation, as well as with individuals self-policing their online activities, instead of relying on the government’s implementation of an information blocking directive. Although the draft strategy currently welcomes public suggestions, Mr. Kozlyuk is pessimistic about what influence the commentators will have, since there is no legal framework to support any type of publicly determined policy.

In a separate interview with Systemnyi Administrator / System Administrator, Mr. Kozlyuk offers his outlook on the future of the Russian Internet:

“The future of the Internet is blocking, censorship under pretext, aggressive defense of copyright, widespread identification and criminal liability for comments. In short, the state, with some delay, has still come to the Internet”.

(Picture Above: Artem Kozlyuk)

“Personally, I think that the next year will be a turning point for Runet (the Russian Internet): either the State will choose the “Chinese version” of Internet regulation, with a Ministry of Censorship, total information control, burdensome sanctions for Internet business and the introduction of an army of thousands of pro-government bloggers to refute the negative impact of censorship on civil society. Or perhaps our efforts will not be wasted, and the process of integrating adequate public interests and leveling the negative impact of laws that limit information will begin. I’m not saying that everything will be decided within the next year, but I’m almost certain a vector will be set, and all of us will feel what it will be”.

It is difficult to predict if Russia’s idea will prove to be successful. The draft of the Concept will be accessible for discussion, comments and suggestions for approximately one month. We will have to wait until all the results are in to see whether the final product of this endeavor will become Russia’s first publicly inspired piece of legislation or simply sputter out of existence.

– by Olga Volcsko, graduate student at the Monterey Institute of International Studies

Flames of the Dragon: A Profile of the PRC’s Cyber Situation

Since February of last year when the Mandiant Report was released, China has been at the forefront of cyber security news. It has become apparent that the PRC is waging all-out economic warfare through the use of widespread cyber espionage, intellectual property theft and massive data-exfiltration operations. China has a long history of copy-cat behavior and convoluted laws regarding intellectual property rights which support their various motivations for engaging in cyber espionage. Although much of this activity has been attributed to the Comment Crew (also referred to as APT1 by Mandiant), there are several organizations within the PRC’s hierarchy that contribute to these cyber intelligence operations.

There is also a looming concern over the PRC’s rapid expansion of its cyber-warfare capabilities. China appears focused on using its advances in cyber to balance its disparity with the U.S.’s traditional military technology and to add an additional layer to its anti-access strategy. A more frightening prospect is a build-up of military strategy that supports preemptive cyber-attacks, which could lead to a cyberwar between the U.S. and China. This scenario may seem unlikely, but the NSA claims to have foiled several Chinese cyber-attack attempts, and there are reports of other recent cyber-attacks against the U.S. power grid.

The U.S. is not the only country concerned with China’s cyber behavior. The U.K. has addressed the PRC’s cyber espionage and expressed concern over the intentions of China’s Huawei Telecommunications company. Other European countries have accused China of accessing their foreign ministries as well. Mongolia has managed to join China’s target list, having received a recent barrage of attacks, most likely in response to Mongolia’s outreach to Western nations. However, China’s cyber-attacks are not focused entirely on foreign nations. One of China’s primary targets for offensive cyber action is its own Tibet Autonomous Region. Several reports state that Tibet has become ground zero for Chinese hackers and cyber-attacks in the PRC’s hunt for political dissidents within the region.

The PRC is committed to denying allegations that its central government is behind these cyber-attack and cyber-espionage campaigns. Several authorities within the U.S. have also expressed doubts over the hype of cyber escalation between the U.S. and China. The Obama administration has taken steps to initiate talks between the U.S. and China on improving cyber security between the two nations. The mood remains tense, especially following the revelations of Edward Snowden, with China accusing the U.S. of maintaining a double standard in its behavior. Despite a steep decline in Chinese cyber activity following the release of the Mandiant Report, China is back on the offensive with a resurgence of cyber-espionage efforts. It will be interesting to see where things go from here.

– by Ben Volcsko, Research Assistant

Profile of Brazil’s Overall Cyber Security Situation

Brazil is often known for its coastal beauty, but sadly it should also be recognized for its prolific cyber security concerns. According to Symantec, Brazil is number 7 on its list of countries with the biggest cybercrime problems. Despite investing significant amounts of money in cyber start-ups and establishing cooperative cyber security agreements with Argentina, India and Russia, Brazil is still struggling to overcome the persistent challenge that cyber-criminals present. On top of this, Brazil has recently taken a hard-line stance against the U.S. following the revelations of Edward Snowden. Brazil has actively supported the U.N.’s Cyberprivacy Agreement and begun taking steps to bypass the U.S.-operated underwater cable systems in order to reduce its dependence on those it now perceives to be false friends. It appears, however, that Brazil is focused on the wrong issues, as it still needs to overcome large numbers of internal banking Trojans and substantial gaps within its cyber security dynamics. Some experts even claim that Brazil’s current security posture is so poor that it is wide open to cyber-invasion. Brazil has also taken steps to introduce cloud technology into its government networks, which could magnify problems in its current state. On a positive note, Brazil is now realizing that effective policy and law for responding to cybercrime are necessary. Hopefully Brazil will follow up these legislative acts with improvements in its cyber security practices to provide some teeth for its new resolve.

For another recent summary of Brazil’s cyber security situation, check out the National Center for Digital Government’s whitepaper Brazil and the Fog of (Cyber) War.

– by Ben Volcsko, Research Assistant

WHAT!!?! Single-Use Computer Passwords A Reality?

The National Institute of Standards and Technology just released an article about how quantum physics might allow us to start using secure, single-use computer passwords. There are a lot of wild claims circulating as we approach full-scale quantum computing. It’s hard to say whether these claims will be realized or not, but one thing is for sure: we all need to prepare for the emergence of quantum.


– by Ben Volcsko, Research Assistant

One of Cyber’s Greats – Dr. John Arquilla

Here is a write-up for one of cyber security’s most important contributors, Dr. John Arquilla.

Dr. John Arquilla is professor of defense analysis at the U.S. Naval Postgraduate School, author of Insurgents, Raiders, and Bandits: How Masters of Irregular Warfare Have Shaped Our World, and co-editor of Afghan Endgames: Strategy and Policy Choices for America’s Longest War. 

Dr. Arquilla’s work focuses primarily on the implications of the information revolution for military organization and doctrine. At the organizational level, his research identifies the network as the form most empowered by advances in information technology and explores the potential for redesigning hierarchies along more networked lines.

The policy relevance of this work can be seen in the growing emphasis on “network-centric” operations over the past decade, and in the emergence of two NETWARCOM entities, one within the Navy, the other a part of STRATCOM. At the doctrinal level, Arquilla’s research has identified the possibility of moving from more traditional forms of frontal and/or flanking attacks to omnidirectional assaults — i.e., “swarming.” A network composed of many small cells and nodes is seen as ideally suited to this doctrine — thus the connection between doctrinal innovation along these lines and organizational redesign.

Far from being limited to theory, swarming has been appearing in practice as a dominant doctrine in many conflicts over the past fifteen years — e.g., from the insurgent uses of swarms in the Russo-Chechen War of 1994-1996 to Iraq (especially in the 2004-2006 period), and in commando-style terrorist assaults like the one in Mumbai in the fall of 2008 and the more recent swarming attacks mounted in Kabul by Taliban teams.

Needless to say, both networks and swarming tactics have emerged in the virtual world as well, being on particular display in Estonia in 2007 and Georgia in 2008 — both cases apparently showcasing growing Russian expertise in cyberspace-based operations. In sum, Arquilla’s research invites and encourages careful reflection on the potential of “swarm networks” to become ever more salient in military and security affairs.

Selected list of Dr. Arquilla’s published articles:

You can follow Dr. Arquilla’s Foreign Policy “Voice” on FP online.

Chronology of Major Works:

– by Ben Volcsko, Research Assistant

Highlands Group Recommended Reading List

Just in time for your holiday shopping, we are pleased to announce the Highlands Group 2013 Reading List.

Each year the Highlands Group presents a list of books that we would like to call to your attention as being noteworthy. We hope that you will find a book on this list to enjoy and spend time with over the holidays or when you are traveling. This year we have a robust stocking full of twenty-one books, including two works of fiction, covering a wide range of topics.

Our panel of distinguished guest reviewers for 2013 includes Lawrence Wright, Pulitzer Prize-winning author for his book, The Looming Tower; Peter Ho, the former Singaporean Secretary of Defence and Secretary of Foreign Affairs; Melanie Greenberg, CEO of the Alliance for Peacebuilding; George Dyson, author and historian of technology; Richard Bookstaber, economist and author;  Bob Belden, Grammy-winning jazz composer, arranger and musician; and Ann Pendleton-Jullian, author, architect, and designer.

Successor to Blackhole Exploit Kit May Take Years to Emerge

The arrest of Paunch shut off the flow of updates to the highly popular crimeware infrastructure support tool, the Blackhole Kit. Since then there have been a number of contenders for the lucrative crown. A new article at Threatpost speaks with analysts at Kaspersky Lab about the prospects for newcomers as they enter the market. Thus far, no single product has shown it can dominate. This may indicate that taking down people like Paunch has a real and lasting impact on the cybercrime milieu.

DARPA is Trying to Turn Cyberwar Into Child’s Play

DARPA, as expected, is coming up with many new and inventive ways of rethinking the cyber security challenges that plague the DOD. First, it has developed a series of free computer and mobile app based games that, while seemingly innocuous, actually provide algorithms for solving basic programming vulnerabilities. DARPA is also looking to shift the established practice of cyberwarfare, which resides predominantly in the hands of technical experts, to a mass-production type of operation. This transition project is detailed in Wired’s article This Pentagon Project Makes Cyberwar as Easy as Angry Birds. Bob Dylan was right: “the times they are a-changin’”.

– by Ben Volcsko, Research Assistant