Argent Consulting to continue under B-Able Argent Consulting

Exciting news! Argent Consulting has decided to make a fresh new start with its Cyber consulting activities by merging them with B-Able – thé Business Information Security firm. Under the new name of B-Able Argent Consulting we will deploy products and services that feature the very best properties of both firms.

The first news publications have started and we will soon inform you of the official launch!

PRISM: Tip of the Cyber Intel Iceberg

When Edward Snowden published information on PRISM – a rather drastic intelligence gathering program in which several (assume all) government agencies such as the FBI and the NSA draw intelligence from major tech companies such as Microsoft, Skype and Facebook – he was immediately revered and reviled by the general populace. Especially within the US armed forces community, the general sentiment seems to be that he’s a traitor and someone needs to go fetch a rope. But really, how much of this is new or even unexpected?

Right after the Second World War, in March of 1946, a multilateral agreement between the UK, the US, Canada, Australia and New Zealand was signed in which they agreed to cooperate and share intelligence. This was originally intended to be mostly signals intelligence, but has long since been extended to include much more. This intelligence alliance between those five nations has become known as Five Eyes. It was a secret treaty (allegedly even kept from the Australian PMs until 1973) but has been exposed for quite some time now. In fact, Canadian Brigadier-General James S. Cox (Ret.) wrote a rather salacious paper on this treaty, and just how well this treaty is working out can be gleaned from the following paragraph in the executive summary of said paper (emphasis mine):

“The Five Eyes intelligence community grew out of twentieth-century British-American intelligence cooperation. While not monolithic, the group is more cohesive than generally known. Rather than being centrally choreographed, the Five Eyes group is more of a cooperative, complex network of linked autonomous intelligence agencies, interacting with an affinity strengthened by a profound sense of confidence in each other and a degree of professional trust so strong as to be unique in the world.” – “Canada and the Five Eyes Intelligence Community” by Brig-Gen James S. Cox (Ret.).

This profound sense of confidence in each other likely stems from the fact that they’ve been doing this for over 60 years, and I would hazard that this partnership has had its strength tested a few times. Successfully, from the looks of it. Either way, I think it is a safe assumption that the UK, Canada, New Zealand and Australia are as much to blame for PRISM as the Americans. Funny how none of them have mentioned their unfettered access to this raw data, hmm?

What boggles my mind is how little people seem to care. Maybe the name ECHELON rings a bell? This was an expansion of the collection and analysis capabilities of this same Five Eyes program in the ’60s. I should stress that the actual gathered (and shared) intelligence included much more than just signals intelligence. We’re talking raw internet data. Raw, meaning absolutely everything that passed through, without any kind of filter. If you said it through any kind of internet-connected medium, through any American provider, service or product, you have definitely been logged there. And even if you did not use any of said American providers, services or products, your traffic could still have been routed through PRISM, depending on where you are, where the servers are that you connected with, or how traffic was routed. And that’s just assuming that this traffic was really only collected in the US, which may not be the case now that we’ve established that at least 4 other countries were actively in on this program.

Now that we’ve firmly established the “who” part of this whodunit (or at least established who benefits), it’s time to look a little closer at what happened.

So what happened with PRISM?
Simply put, since somewhere as early as 2007 the various US intelligence and Law Enforcement agencies used the law to gain access to information harvested by tech giants such as Microsoft, Google, Apple, Yahoo, Facebook, Skype and Youtube. This means that they had access to a multitude of heavily used social media sites such as Facebook, Skype, Twitter and Youtube, but also cloud services such as iCloud, Google Drive and Dropbox. This was all done legally under US laws. Their alleged goal was to monitor foreign communications that take place on US servers, but of course it couldn’t hurt that what they collected included everything under the virtual sun – including stuff on American citizens and US allies.

Edward Snowden brought to light just exactly what is going on, and how it’s done. For those of us who have an IT-technical background, it doesn’t take much imagination. It can be done easily, and not to my surprise, this is what they did. Snowden leaked a PowerPoint presentation containing 41 slides on this, but interestingly only 5 of those slides were published. The remaining slides are, apparently, so “hot” that nobody wants to burn themselves by publishing them. Both the Guardian’s Glenn Greenwald and the Post’s Barton Gellman have made it clear that the rest of the PowerPoint is dynamite stuff which we’re not going to be seeing any time soon. “If you saw all the slides you wouldn’t publish them,” wrote Gellman on Twitter, adding in a second tweet: “I know a few absolutists, but most people would want to defer judgment if they didn’t know the full contents.” I think that I speak for most Europeans when I say that I disagree strongly with Gellman, and would very much like to see the remaining slides.

Although the slides that have been published can be easily found without my help, I would be remiss in not adding them here for your enjoyment. Much of the international outrage can be explained by these pictures. And by outrage, I mean by the people, not the other governments. Any outrage on their behalf is geopolitical theatre, because every government in the world is either doing this, or would very much like to. You only have to look at the recently unveiled DGSE (French secret service) surveillance program which operates in exactly the same vein as PRISM.

Without further ado, here are the slides that were published from Snowden’s originally 41 slides:

[Image: PRISM Slide 1]

[Image: PRISM Slide 2]

[Image: PRISM Slide 3]

[Image: PRISM Slide 4]

[Image: PRISM Slide 5]

UPDATE
My apologies. Apparently I had missed the release of 4 more slides by Washington Post around July 1st. Unfortunately these slides don’t really do much but add to the confusion. Nevertheless I would like to share these with you too.

[Image: PRISM Slide 6]

[Image: PRISM Slide 7]

[Image: PRISM Slide 8]

[Image: PRISM Slide 9]

On Dutch Banking Woes and DDoS Attacks

If you don’t live in the Netherlands or don’t happen to have a Dutch bank account, you can certainly be forgiven for not having caught wind of the major banking woes that have been plaguing the Dutch. For weeks now, massive DDoS attacks (linked article in Dutch) have brought low the online services of several banks, interrupting mobile payments and slowing down overall online financial traffic. At the center of the digital storms is ING, which was hit first (Dutch) and is hit the most often (Dutch), but Rabobank, ABN AMRO and SNS Bank are also frequent targets. Dutch online payment system iDeal has also been attacked several times, impacting virtually all Dutch banks as well as the many online retailers that use it.

The goal behind this wave of DDoS attacks is as yet unknown, but there are several possible motives at play. It could be simple vandalism, a rather hefty attempt at misdirection to cover up real hacking attempts, or it could have something to do with ING and ABN AMRO being implicated or involved in the ICIJ investigations into tax evasion through offshore banking. The latter seems unlikely, as most of the DDoS traffic appears to be coming from Romania (according to hacker collective HacksIn – I had a link about that, but lost it somehow) and no motive has made itself known thus far. It was only a matter of time until Anonymous came along to jump on the bandwagon, and indeed its Dutch chapter appears to have done so this week when someone posing as Anonymous posted a message on Pastebin. In it, they claim to know who is behind the DDoS attacks (a group of Muslim extremists called Izz al-Din al Qassam Cyber Fighters), and that the Dutch people should go out and collect their money from these banks because it is not safe there.

There are, however, some issues with this post on Pastebin. Firstly, the group they blame for the DDoS attacks is in fact the group responsible for attacks on US BANKS, and there is no discernible link between the US banks being hit and the Dutch banks currently under attack. The motive for the attacks against US banks seems clear: Izz al-Din al Qassam demands the removal of the movie “Innocence of Muslims” from Youtube. Once the movie is removed the attacks will stop, they claim. To my knowledge, no such demands have been made here in the Netherlands.

The second issue is that the advice posed by Anonymous would, in fact, immediately collapse the Dutch financial market, as no Dutch bank is currently strong enough to survive such a proposed bank run. They simply don’t have sufficient cash in their vaults. In other words: this is a really bad idea.

So what now?
For starters, ING should hire someone who knows how to communicate during a crisis. It’s obvious that they suck at it. They’ve finally stepped off their “Silence, Evade, Deny” strategy, but it’s taken a while. All major companies should look into this, because they may very well be next. Second, major companies with a serious online presence should really start taking this stuff seriously. DDoS attacks are hardly new material to deal with, and proper impact negation tactics have been around for a while. If your income depends on online services and this income is significant, get a real ISP that understands this and has expertise in countering such digital vandalism, such as Arbor Networks or Prolexic.

The bad news is that according to a recent Prolexic report, DDoS attacks are getting increasingly stronger. They have seen the first 130GB/s DDoS attack this year, and during the first quarter of this year the average attack bandwidth was 48.25GB/s, which signifies a whopping 718% increase over last year. The increase seems to come from a change of victims in the botnets (Dutch) they use. Apparently, they are now targeting web servers specifically for their higher bandwidth capacity, which in turn increases overall attack bandwidth. On top of that, the DDoS attack seems to have regained its popularity because the target list is growing. Airlines such as KLM (Dutch) and Dutch authentication service DigiD (Dutch) have also recently been hit with massive attacks. In an effort to stave off this wave of disruptions, the Dutch National Cyber Security Center has been organising collective defense (Dutch) between Dutch banks, but it seems they may have to include firms from other walks of life as well. I think we can safely conclude that this avenue of attack is still very worthwhile and won’t be going away anytime soon.

In fact, things may get a lot worse if this newly discovered DDoS technique gets incorporated. Apparently Incapsula mitigated a small attack of 4GB/s recently, and they traced it back to a single source. Generating 8 million DNS queries per second, causing ALL of the 4 GB/s traffic by its lonesome, certainly qualifies it to be called a DDoS Cannon instead of a lowly bot. I don’t know if it is technically feasible, but imagine 100K+ systems doing this.

Wrapping up this piece, I would like to ask mainstream news reporters to please start learning some basic truths about information security. Stop referring to DDoS attacks as “(sophisticated) cyber attacks”. They’re not. A DDoS attack is annoying, yes. But on the scale of sophistication they rate roughly as digital graffiti. Also, some major outages are caused by stupidity on the part of the victim rather than an outside source. At least ONE major outage, on April 4th of this year at ING, was caused by someone messing up certain files that had to be read into a system. This caused a major outage and customers seeing the wrong amount on their bank accounts. This incident was also the most significant failure of ING’s webcare / crisis communication, because they didn’t do anything until the problem was almost fixed (many hours later). Still, mainstream media fed the panic frenzy that it was an external “sophisticated cyber attack” until the absolute very end. Very poor reporting if you ask me. Proper reporting matters because your news is read by people who take it for immediate truth. You can, and do, cause panic and unrest when you blow things out of proportion, so please stop doing so. Thank you.

Trojans for the Bundestag – German PD acquired Finfisher

In December of last year, the German public prosecutors’ office declared that there was no legal basis for the use of the so-called “Bundestrojaner” spyware, which had been used to spy on German citizens. On top of being used illegally, it was also found to be of very poor quality by extensive research performed by the Chaos Computer Club. In a surprising turn of events, German political platform NetzPolitik.org has now uncovered secret Ministry of Finance documents, sent by the Ministry of the Interior to the Bundestag (Germany’s federal parliament), that reveal the German Federal Police’s intention to use Gamma Group’s Finfisher spyware to do the exact same thing.

Finfisher is quite an elaborate suite that allows for remote take-over of both computer systems and mobile devices such as iPhones, Androids, Blackberries and Windows Mobile phones by pretending to be a software update. Gamma Group sells this product to dictatorial regimes all over the world, and that says a lot. What is also quite interesting is the presence of the logo of the UK’s Home Office and a link to its premier Security & Policing Exhibition. Does this imply that the UK government also purchased this product? Wikileaks recently published a document that looks like Finfisher’s marketing brochure, and it is certainly geared towards the more modern police forces, as it sports solid integration with LEMF, which stands for Law Enforcement Monitoring Facility.

In August of last year, Bloomberg published an article that reported Finfisher presence on 5 continents, and analysis performed by Rapid7 indicated its presence in at least Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, Bahrain and the United States. Now, of course, this is not concrete proof that these governments actually use Finfisher, but Gamma Group is based in the UK and they have placed this software in the category of goods requiring an export permit because of the restrictions on exporting such digital weapons. Combined with how Gamma specifically markets Finfisher as ‘Governmental IT intrusion’, it is highly unlikely that the British government would allow legitimate export to just anyone. In a similar story posted by the New York Times, Bloomberg spoke to Martin J. Muench, who is managing director of Gamma International, and he stated that they had not sold their product to Bahrain and the malware that was found must have either been a stolen demonstration copy, or reverse-engineered by criminals.

To be clear, the use of this software is highly questionable. A while back the Dutch Minister of Safety and Justice Ivo Opstelten revealed that a plan was in the works to change the law so that the Dutch police would be allowed to hack systems belonging to suspects. This led to international resistance, and an open emergency letter [PDF warning - Dutch] was sent to the Minister to have this plan terminated because it was a gross violation of privacy. Apparently Germany is already at least one step further than this, having purchased the software already. Is this the future for the Netherlands as well? Will Minister Opstelten dust off his ill-advised plan and follow Germany in purchasing this software? I hope not. Not only is the Dutch police severely understaffed as it is, it also has a serious history of bending (or outright breaking) the rules and violating people’s rights when it comes to (ab)using technology such as this. And just how long will it take before hacking a suspect’s computer will no longer require approval from a court judge? Where is our oversight then?

The Value of Secure Coding Procedures

I recently had a very interesting conversation with Dave Hyman of Checkmarx, who asked me how I saw the future of cyber security (or information security, take your pick). Now, as I’m sure you’ll agree with me, that’s a fairly abstract question that can go a lot of ways. My friends will confirm that I enjoy waxing philosophical in discussions like that, but given what Checkmarx does with code security, that is the direction this talk went. And there really is a lot to say about secure coding practices that I feel doesn’t quite get the limelight it deserves. Any Information Security course or lesson in Security certification will stress that security should be part of the code design practice rather than being tacked on at a later stage; I couldn’t agree more. Unfortunately, security precautions made in the coding process, which turns a design into a working product, are often overlooked, and that is a mistake.

(Before I continue: I should note that I am NOT a professional coder; if I make a mistake in my reasoning, please let me know.) In a paper I once wrote I referred to the “industry standard” with regards to the number of bugs per line of code. The argument being that as long as humans keep writing software, the ‘human element’ guarantees that we will always remain vulnerable to exploitable bugs and errors in code. Of course not all bugs lead to exploitable vulnerabilities, but a percentage will, and that is a problem and a great risk. I dug up my source, a book called Code Complete by Steve McConnell. The book points out that the industry average is about 15 – 50 errors per 1000 lines of code (the book was published by Microsoft Press; I am sure you won’t find it surprising that they mention that Microsoft applications have an average of 10 – 20 defects per 1000 lines of code). To put that in the perspective of a larger application, Microsoft’s Windows 7 is estimated to have roughly 50 million lines of code; this means that if they adhered to the industry average, there are between roughly 750,000 and 2,500,000 defects in Windows 7!

Even if Microsoft’s code quality is well reviewed and above standard, we can estimate between 500,000 and 1,000,000 code errors in Windows 7! Any one of these could be a mistake that allows remote code execution, which is considered the jackpot for anyone trying to hack their way into the system. Mind you, these are just mistakes, and mistakes will happen no matter what you do. A good quality control program should be able to detect and reduce this number of errors. Some, perhaps many, of these code errors will lead to heavy security risks in the application and to the user. These coding errors are due to careless coding practice and an inability to detect vulnerabilities. The code may function, but the code will be insecure. An excellent example of this is SQL Injection. SQL Injection is the ‘art’ of being able to run SQL statements directly against the database backend of a website, either by using a form field or the URL box in the browser. By doing so, you can ask questions of the database that you really shouldn’t be allowed to ask, such as asking it to tell you all the usernames and passwords in the database. Or more commonly: all the credit card information of every customer in the database. This has been around since 2002 and there are several solutions available that prevent SQL Injection attacks. The fact that this technique is still responsible for the majority of major successful data breaches tells us that not everyone is aware of how proper coding technique can prevent SQL Injection attacks.
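The paragraph above says SQL Injection has known solutions but does not show one. The following added example (my own illustration, not code from the original post or from Checkmarx) puts the careless lookup next to the hardened one. It uses Python’s built-in sqlite3 module against a constructed in-memory table so it runs offline; the table, the user names and the helper functions are all invented for the demonstration. The point it makes is that a parameterized query is not only the security fix but also the correctness fix: the string-spliced version breaks on a perfectly legitimate name containing an apostrophe.

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table for the demonstration.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Insecure: the user's input is spliced into the SQL text, so anything the
    # user types is parsed by the database as part of the statement.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened: the '?' placeholder is bound by the driver. The input is passed
    # to the database as a value and is never interpreted as SQL syntax.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run the same input through both lookups; report row counts or the error raised."""
    conn = build_db()
    result = {}
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        try:
            result[label] = len(fn(conn, username))
        except sqlite3.Error as exc:  # the spliced version raises on stray quotes
            result[label] = type(exc).__name__
    conn.close()
    return result


def demo():
    return {
        # an ordinary lookup behaves the same either way
        "benign": compare("alice"),
        # the textbook tautology: the spliced query becomes ... = '' OR '1'='1'
        # and returns every row; the bound version finds no such user
        "tautology": compare("' OR '1'='1"),
        # a legitimate name with an apostrophe: the spliced query is a syntax
        # error, the bound version simply returns no match
        "apostrophe": compare("o'brien"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} vulnerable={outcome['vulnerable']!r:22} safe={outcome['safe']!r}")
```

The same idea carries over to any driver: the vulnerable path is whatever builds the statement text from user input, and the fix is whatever keeps data and statement separate (bound parameters, or an ORM that uses them underneath). Note that simply escaping quotes is the weaker answer; the bound-parameter form removes the problem rather than patching around it.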

Many buffer overflow or buffer underrun vulnerabilities are also caused by not properly setting boundaries, which can be easily prevented by developers being more aware of secure coding techniques. Review of these techniques and code review solutions are what you can expect to learn at “secure coding” courses. We should seriously consider making these courses part of the norm for hiring programmers or developing programming talent. Many people will groan and protest at that statement, because it’s another burden on an already stressed industry. I agree that it is not the easiest way forward but courses and code review solutions may very well be the cheapest method to getting more secure software applications.

A secure coding class is a one-off and relatively inexpensive; it beats having to actively hunt for and patch insecure code. Such an effort for secure coding must come from the software development industry itself. The end customer won’t ask for secure coding, because most look only at what the software can do and what it costs. The customer trusts us that the product is secure, and we, as an industry, should accept our responsibility and enforce higher security standards on our products. This starts with practicing secure programming. At the rate we are adopting technology into our daily lives, we should start sooner rather than later.

The Dutch, the Yanks, the Cloud and YOU

Recently a research project by the University of Amsterdam [PDF Alert] revealed that US law allows the US government to access information stored in the Cloud, by (ab)using the PATRIOT Act. Multiple Dutch politicians have started asking questions of state secretary Teeven of the Justice department as to whether he knew about this before the research project, and whether he did anything to prevent this or to warn Dutch citizens about this potential breach of privacy. He has since sent in an official answer. Unsurprisingly, he confirms that the issue is real, but does not answer the question of whether he knew about this beforehand. He goes on to say that it is up to each individual to be careful with any information they publish online, be it to a cloud-based service or anywhere else.

What surprises me, is that people still don’t seem to understand what the Cloud is, what it does and how it works. The effects of the PATRIOT act have long been known, and its effects have been hotly debated for years. How is this any surprise to anyone?

Please follow this logic:

The Cloud is the Internet. It really is that simple. Cloud Services are simply applications that run on clustered computer systems. Maybe on two, ten, a hundred or a thousand systems at a time, it doesn’t matter. Users (and data) are replicated to every system in this cloud regardless of where they are. There could be ten in your own country, twenty in the US and another fifty in Russia. This is (most often) invisible to the end user, and very often special effort is made to keep this invisible to the end user, and to make it one big system regardless of what server you are connecting to, or from where. To be on the safe side, you should assume that regardless of where you are located when you upload data, it is uploaded to the entire grid, not just the part in your country.

And it matters where these systems are located geographically, because that is the only factor in the question of what country’s laws this system (and more importantly the data on that system) is subject to. For example: Google has servers dedicated to Google Docs in a lot of countries such as the Netherlands, Germany, Britain, the US and probably several countries in Asia. You upload a document to Google Docs while in the Netherlands. As soon as you do, it is replicated either to all the systems all over the globe, or between central data stores all over the globe. It is generally safe to assume that your data will be everywhere, regardless of where you are. ANY country that has Google servers for Google Docs within its borders can in theory (this depends on what laws exist in said country) demand access to this data. The US is almost certainly not the only government that can do this, but even if no other country has such laws, you can rest assured that if the need ever arises (from a national security standpoint) to access your data, things tend to get very ‘flexible’ on very short notice in most countries. Therefore you should assume that you cannot trust any online service with your data, regardless of its classification or nature.

As has always been the case, in the end you, and only you, remain the person responsible for what happens to your data. If you absolutely do not want it leaked, don’t put it on the internet.

Social Media as a Cyber Warfare Gamechanger

September of 2012 will live on in infamy for a large number of people. It was the month of the massive riots by Islamic extremists who, incited by the ever present radical imams, stormed several US embassies, allegedly over a months-old, poorly crafted Youtube video that ironically decried the violence of Islam. Most notable of which were the embassies of Egypt and Libya, where four Americans lost their lives; one of which was an American ambassador. Riots and demonstrations followed all over the globe for about a week. I say allegedly because a closer scrutiny of what happened will tell you an entirely different story.

Stoking an Insurgency
It’s not the first time that something seemingly innocuous gets blown out of proportion by religious extremists with their own agenda; some of you may recall the Mohammed cartoon riots, or pick any of the incidents listed in the article by Michelle Malkin, who goes into this a lot more eloquently than I ever could. Regardless, my point is that there is a lot more to this Innocence of Muslims riot than meets the eye, as the ever well-informed good people of Sofrep.com will tell you. They have a lot more information than what you are likely to have seen in the press. The cliff notes are quite simple and a lot more easily explained than what the press is force-feeding us:

Trained soldiers executed a coordinated attack on multiple US embassies at the same time. These so-called ‘rioters’ were carrying RPGs with them. You know, as you do when out shopping on a summer day in Benghazi. Not only was this not a spontaneous event, but chatter about this meticulously planned attack was picked up by various intelligence agencies beforehand, and people in Washington are now falling over each other on who to blame for this failure to act on the imminent threat. This did not, however, stop some deviously clever people from using the Innocence of Muslims video, which by that time had been on Youtube for 6+ months without anyone noticing, as a clever ruse to further fan the anti-American flames. Did I mention that all of this happened on the very significant anniversary of 9/11?

The Facebook Riots
On a much smaller scale, on Friday the 21st of September the small Dutch town of Haren came under siege by thousands of youths looking to party, who swarmed the town after one girl accidentally published an invitation to her Sweet Sixteen birthday party on Facebook to the entire world. A few ‘friends’ of the girl decided it would be fun to relive the movie Project X and started spreading the word, resulting in what is now referred to in the Netherlands as the “Facebook Riots”. Things escalated and swiftly got out of hand, requiring the riot police to act. When the smoke cleared the following morning it became clear that the rioting youths had caused damages of several million euros. Ever since this phenomenon took hold, attempts at recreating the carnage (Dutch link) have been springing up all over the country (Dutch link), keeping local government and police on their toes.

Tallinn’s Bronze Night
Let’s go back to Estonia in 2007: The local government in Tallinn relocates an elaborate Soviet-era grave marker of a Bronze Soldier, as well as some war graves, to a more out of the way location. What followed was two solid days of rioting (now referred to as Bronze Night or the April Unrest) and, better known in cyber security circles, the massive cyber-attacks against the Estonian parliament, banks, ministries, newspapers and broadcasters. While no real proof has been found to directly implicate the Kremlin in backing the riots or the cyber-attacks, it has since been believed to be true regardless and on March 10th 2009 a commissar of the Kremlin-backed youth group Nashi claimed responsibility.

The Innocence of Muslims riots, the Haren Facebook Riots and the April Unrest disconcertingly share a common factor: all three were incited and coordinated through the internet. The only real difference is the level of sophistication: Tallinn’s Bronze Night was more or less coordinated through various internet fora, while both the Innocence of Muslims riots and the Haren Facebook Riots were incited, spread and coordinated through the social media sites Youtube, Facebook and Twitter.

The reason that I now write this piece is because I fear that this level of social manipulation can be readily adopted by foreign powers to foment trouble well outside of their own national borders. In the case of the April Unrest in Tallinn, the rioting and the cyber-attacks were all done through allegedly Kremlin-owned “assets” such as Nashi. Of course I can offer no empirical evidence to validate my fear, but I would argue that the other two cases prove you don’t need such assets to get the same results. Especially the Haren case shows that massive local damage can be done by exploiting the set of social phenomena that Social Media create and that we have barely begun to discover. It seems to me that it is only a matter of time before these social phenomena are actively exploited by those groups that are specifically suited to and knowledgeable in these tactics, such as Anonymous or 4Chan.

To me, indeed these phenomena feel like a weapon custom made for them. Think of it as a gross escalation of Swatting and you will understand why governments need to get a grip on this before it undermines their authority. If done right, I have no doubt that successfully re-creating the Haren case is almost as easy and almost as swiftly arranged. And these are just the groups that generally only have mischief on their mind. Can you imagine the damage that can be done this way by someone with truly malicious intentions and absolutely none of its own assets at risk? Some creative type with a long exposure to really unconventional warfare getting his cues from a government with a score to settle, and deep pockets to fund the whole thing? It’s a scary thought. If used properly, Social Media might very well be the most refined weapon for asymmetric warfare to date.

 

The Dutch and the Dorifel

Unless you happen to live in the Netherlands, chances are that you missed the outbreak of a ‘new’ piece of malware a few weeks ago called Dorifel, also known as XDocCrypt. With over 3000 infections in a matter of hours, of which 90% were systems in the Netherlands, this triggered the Dutch National Cyber Security Center almost instantly. XDocCrypt/Dorifel is a new trojan that encrypts executables, Excel and Word files that it finds on USB drives and network disks, causing companies to come to a grinding halt almost immediately after infection. Later investigation by Digital Investigations turned up that it also distributes phishing banking websites for ING Bank, ABN AMRO and SNS Bank (all banks with a strong presence in the Netherlands). With such distinctive traits, you would expect it to be ransomware, but it’s not. It doesn’t ask for money, and there are no real clues as to what the point is of encrypting those files. It may simply have been a trial run just to find out how well this technique works, but it’s all conjecture at this point.

As an aside, the malware’s encryption efforts did uncover something I found interesting: it exploits the RTLO Unicode hole. This abuses a standard Unicode control character, “Right-to-Left Override” (U+202E), which exists for legitimate use in Arabic and Hebrew text and which Windows Explorer dutifully honours when rendering filenames (meaning it’s a feature, not a bug). Everything after the override character is displayed reversed, so a filename such as test<U+202E>cod.scr appears in Windows Explorer as testrcs.doc, making a harmful executable (.scr is a screensaver, which Windows runs like any .exe) look like a simple Word document. The real extension, and thus what Windows does on a double-click, is still .scr.
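As an added example (not code from the article, the NCSC or the analysts who took Dorifel apart), here is a small Python scanner that flags filenames carrying Unicode bidirectional override characters and shows the gap between the extension a user sees and the extension the OS actually uses. The filenames it scans are constructed for illustration, and its rendering model is a deliberate simplification of the Unicode bidi algorithm that is sufficient for the plain-ASCII spoofing trick described above.

```python
"""Spot filenames that abuse Unicode bidi override characters, as the
Dorifel/XDocCrypt dropper did with U+202E (RIGHT-TO-LEFT OVERRIDE).

Added example, not code from the original article. The sample filenames
at the bottom are constructed for illustration, not real Dorifel artefacts.
"""

import os

# Unicode bidi control characters that can visually reorder a filename.
# U+202E (RLO) is the one Dorifel used; the others are worth flagging too,
# since none of them has any business appearing in a filename.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def bidi_controls_in(name):
    """Return [(index, abbreviation), ...] for every bidi control in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def real_extension(name):
    """Extension the OS acts on: the suffix after the last dot of the raw
    string, with the invisible control characters stripped out."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(stripped)[1].lower()


def displayed_name(name):
    """Approximate what a bidi-aware renderer such as Windows Explorer shows.

    Simplified model: text after an RLO (U+202E) is forced right-to-left,
    i.e. displayed reversed, until a PDF (U+202C) or the end of the string.
    Other bidi controls are invisible and simply dropped from the display.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])  # reversed run
            i = end + 1                        # skip the PDF, if any
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def displayed_extension(name):
    """Extension the user believes the file has."""
    return os.path.splitext(displayed_name(name))[1].lower()


def is_extension_spoof(name):
    """True when bidi controls make the shown extension differ from the real one."""
    return bool(bidi_controls_in(name)) and displayed_extension(name) != real_extension(name)


def scan(names):
    """Report every spoofed filename: what the user sees versus what runs."""
    findings = []
    for n in names:
        if is_extension_spoof(n):
            findings.append({
                "raw": n.encode("unicode_escape").decode("ascii"),
                "shown_as": displayed_name(n),
                "real_ext": real_extension(n),
                "controls": bidi_controls_in(n),
            })
    return findings


# Constructed sample directory listing (assumption: not real malware samples).
SAMPLE_NAMES = [
    "test\u202ecod.scr",             # the article's example: shown as testrcs.doc, runs as .scr
    "invoice\u202efdp.exe",          # shown as invoiceexe.pdf, runs as .exe
    "quarterly_report.xlsx",         # benign
    "\u05e9\u05dc\u05d5\u05dd.doc",  # Hebrew filename without an override: benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_NAMES):
        print(f"{f['shown_as']!r} is really {f['real_ext']} ({f['raw']}) controls={f['controls']}")
```

Running the block prints the two spoofed entries and stays silent on the benign ones. On a file server or mail gateway the cheaper policy is to reject any filename containing one of the code points in BIDI_CONTROLS outright, since a legitimate Arabic or Hebrew filename never needs an explicit override; the displayed-versus-real comparison is mainly useful for triage, to show a user or an analyst why a “Word document” ran as a screensaver.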

What worries me most, and is the reason for this article, is the delivery vehicle used by this new piece of malware. It doesn’t exploit some new weakness. Instead, it is being delivered by systems previously infected with the Citadel/Zeus trojan. This means that over 3000 systems in the Netherlands, belonging mostly to ministries, local government and hospitals, were already part of an active botnet before getting infected with this new malware! Mind you, virtually all of these systems and networks had active antivirus and IDS, and NONE detected either the Citadel/Zeus bot already in place or the new XDocCrypt/Dorifel malware. If anything should be a severe wake-up call for Dutch firms who still half-ass their security, this is it.

Major AV vendors such as Kaspersky and McAfee now detect this piece of malware, but it does make you wonder: if this trojan hadn’t gone to the trouble of encrypting all those files, would it ever have been caught? Clearly, with only a couple of thousand infections, it is not that big of an outbreak. Chances are Dorifel would have stayed below the “economically feasible to fix” line that most antivirus corporations adhere to. With malware code mutation getting easier and more mature, will this be our future? No more large infections, but a lot more small ones that stay below the collective AV radar? It seems plausible, and it makes the already dim future of the current AV modus operandi that much dimmer. When will we finally see a paradigm shift in our approach to defeating malware?

Real Bullets for Digital Attacks

In May of last year, the US Government published its International Strategy for Cyberspace. The publication made some waves in the international community because in it the US stated that military reprisals for cyber attacks were now officially on the table. More specifically, the US government stated that it ‘encouraged responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors and reserving the right to defend these national security and vital national assets as necessary and appropriate’ [emphasis mine]. This declaration of intent came after an ever increasing number of (detected) attacks on USG networks and systems. The development of cyber capabilities by governments worldwide is also likely to have influenced the situation.

Whatever the underlying political reasons for publishing such a loaded statement, the publication is clearly intended to deter would-be attackers and, as such, is more or less aligned with one of the RAND Corporation’s Project Air Force monographs, Cyberdeterrence and Cyberwar (freely available as PDF). In this lengthy publication by Martin C. Libicki, the subject of cyberdeterrence is extensively studied and described. He approaches the subject from so many angles that it would make you smile if you didn’t have to read it all to get to the end. One especially important aspect of this discussion is the much-debated problem of attribution. Since retaliation and the threat thereof are a large part of deterrence, knowing whom to strike is of paramount concern. Libicki describes various scenarios, such as striking back at the wrong target or not striking at all, and the consequences of each. Suffice it to say that if you, as an attacker, hide your tracks well enough (don’t forget the cyber intelligence aspect!), you won’t have many problems with retaliatory strikes. If you manage to implicate an innocent third party instead, you may even turn that into a distinct advantage. Considering that retaliation may now include kinetic attacks (bullets for bytes), it can safely be said that the US has upped the proverbial ante.

You might be wondering what the point is of declaring retaliatory (potentially kinetic) attacks when every player in this field knows the score: no attribution, no problem. So why make a public statement about striking back if everyone knows it’s highly unlikely? Well, Libicki covers that too, by describing the effects of not striking back, striking back silently, striking back publicly and publicly declining to strike back. I won’t copy/paste his work here, but reading between the lines I found that even though such a public statement is mostly a bluff, it is somewhat of a deterrent and that upside wins out over the downsides. Besides, and here is the succinct point of it all, declaring that you may use kinetic military options as a retaliatory measure doesn’t oblige you to actually do so.

In December of last year, the Dutch government was advised by the Advisory Council on International Affairs (AIV) (report in Dutch) to make a similar statement with regard to cyber attacks. If the Dutch government takes up the advice, the Netherlands will be in the same boat as the US when it comes to cyberdeterrence strategy. It doesn’t worry me. I feel that making such a statement to the world has more upsides than downsides, and it shows backbone. When I, along with friend and fellow NCDI council member Niels Groeneveld, was asked to provide input on some of the questions the AIV was looking to answer, I found the discussion so interesting that I wrote several articles about it; see the “Questions from .GOV” series. I was happy to see that some of my input was used, but it also more or less automatically disqualifies me from judging this advice. So I ask you: how do you feel?

Debating Cyber Warfare – More Questions from .GOV (Part II)

In continuation of the series I promised you on high-level debates surrounding Cyber Warfare, here is the second article of three. It will be the longest in the series due to the multi-part nature of the question. Of course the answers given to each of the questions are merely my opinions on the matter. Please feel free to comment or contact me with relevant remarks.

Question
In how far, and in what way, are existing international legal frameworks relevant to behavior in the cyber domain, specifically in relation to cyber violence?

  • [Ad Bellum] Under what circumstances can a cyber threat be considered use of force, or the threat of use of force, in the sense of Article 2, Section 4 of the UN Charter? Under what circumstances can a cyber attack be considered an armed attack that justifies violence in self-defence under Article 51 of the UN Charter?
  • [In Bello] When does the humanitarian law of war apply to behavior in the digital domain? Must it be linked to kinetic use of force? If it applies, how would the Law of War’s principles of distinction and proportionality, and the requirement to take precautionary measures, be given shape?
  • How would civil-legal concepts such as Sovereignty and Neutrality be given shape in the cyber domain?

Relevant UN Charter articles:

  • Article 2, Section IV:
    All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.
  • Article 51:
    Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

An Answer – the Right to Self Defence
Although Cyber adds a new dimension to warfare, it is my opinion that the general application and behavior apply in the same fashion as they do under conventional warfare. One should look to the effects of cyber attacks rather than the method or the individual components thereof. In the end it is the damage dealt that matters to those it is inflicted upon, not the method. For this reason the thresholds we have set for conventional warfare with regard to the various articles of the UN Charter do not necessarily change because of innovation in technology, nor do international agreements automatically become void. Under the current UN Charter, each member state has the right to actively defend itself when attacked (or threatened with attack), and I feel this right remains relevant when discussing cyber warfare. I would like to point out, though, that what is typical of cyber warfare but uncommon in kinetic operations is the problem of attribution. Not knowing who will attack, is attacking or has attacked you complicates the situation considerably. It makes every action and reaction susceptible to a fair margin of error, and so any response should be carefully considered before execution.

Humanitarian principles
As far as humanitarian principles in warfare go, it is certainly conceivable that cyber attacks may directly or indirectly lead to injury or loss of life. For instance, when a cyber attack on a power plant successfully blacks out an area, this can cause all kinds of damage. Some of the more obvious risk areas are those that affect hospitals and emergency services such as police and ambulance services, but this is not a new aspect of warfare. Knocking out power and communications is always something that must be done with the utmost care, and this advance in technology doesn’t change that. In fact, a well-placed cyber attack may very well be preferred over a kinetic attack that does permanent damage. The principles of distinction between military and civilian targets, and of proportionality, should still apply when discussing the use of cyber attacks.

Civil-Legal principles
Legal concepts such as Sovereignty and Neutrality are the subject of much debate amongst technical, political and legal experts from many nations, and any answers to these questions are likely to change as insight is gained over time. Many people take the position that Cyberspace has no physical borders, but this is not exactly true. While Cyberspace as a concept may be regarded as unbound by geography, it is held up by very real, physical networking equipment. Data flowing from one system to the next actually crosses physical space through cables and routers, and perhaps even airspace via satellite or Wi-Fi links. As such, this data may be subjected to all kinds of rules and regulations imposed by the owners of the networking equipment between the points of departure and arrival. And what about being used as a proxy during a cyber attack? Without an international understanding of the ‘rules of the game’, you may be drawn involuntarily into conflicts because one of the parties routes its cyber attacks through your networks, or even uses systems hosted on your soil. Regardless of what position you take, it is clear that concepts such as Sovereignty and Neutrality have a place in the debates surrounding Cyber Warfare.