Dutch Police Hacking Back – A Privacy Violation Waiting To Happen?

Here in the Netherlands, we’ve seen a proposal for new legislation regarding Cybercrime pop up occasionally for well over a year now. It is coming up for a formal vote by the Senate (Eerste Kamer) on October 7th and was the topic of debate on the 24th of September.

The proposed law “Wet Computercriminaliteit III” in Dutch, which translates to the Law on Computercrime III, appears to have some kind of personal note for the Dutch Minister of Security & Justice Ivo Opstelten.

That is, if you take into consideration that many consider it to be an ill-defined law full of poorly understood ideas that can have severe unintended consequences (most notably violating the privacy of innocent civilians), which has been bashed by virtually all sides except Law Enforcement, but still keeps reappearing. Even though the general opinion was negative, it was amended slightly before stealthily being put up for a vote of Congress just before the summer recess this year.

This method is sometimes used by Dutch politicians when they wish to slip it in unnoticed. Whether that is the case here, or whether it has indeed worked towards easing the political path remains to be seen. Regardless, this topic has drawn much attention in the Netherlands.

The Computercrime law in question covers a relatively broad spectrum. In a few points the law enables Police to:

  • Remotely investigate computers belonging to criminals, allowing them to copy data or make it inaccessible;
  • Hack into a system if it is unknown where a targeted system is located, while taking notice of international law (please note that this is not the same as ADHERING to international law);
  • Tap or observe communications, but this requires a judge to sign off;
  • Listen in on Skype calls;
  • Prosecute people for providing access to stolen data, equal to Fencing stolen property;
  • Force a suspect to decrypt encrypted data – refusal to decrypt can lead to a prison sentence of no more than 3 years.

While translated, these bullet points, in my opinion, reflect the way the proposal was worded. Immediately I had some questions. Here are a few:

  • Remotely investigate systems belonging to criminals – Does this mean that if you’ve ever been convicted, they can access your system whenever they like? Or do they mean SUSPECTS? Also, see my later point on having a judge signing off.
  • Hacking into systems of unknown location while taking notice of international law – Aren’t we required to ADHERE to international law instead of simply taking notice? I should try this excuse to get out of a speeding ticket!
  • Tap or observe communications – This is the only specific point that especially mentions it needs a judge to sign off on. That is strange. It seems to me that tapping and/or observing is, when compared to actually breaking and entering into a system, the lesser power.
    Why is it not stated that hacking into a system requires a judge to sign off? Given the generally careful wording of articles of law, I can only surmise that this absence means that the actual hacking into a system does NOT require a judge to sign off first.
  • Listen in on Skype calls – How about any other kind of sort-of-encrypted voice communication application? Skype is popular now, but which application will be popular in the future? This point seems to limit itself unnecessarily. Also, does this fall under tapping or observing communications, which means it requires a judge to sign off?
  • Equating fencing with providing access to stolen data – This might be (mis)used to criminally prosecute people who share ‘warez’ with their Torrent client. In the almost erratic behavior we have been seeing from BREIN (the Dutch equivalent of the RIAA / MPAA) and its head honcho Tim Kuik, we already know their lobbyists will be foaming at the mouth on this item.

    Bad news for the Warez community, to be sure. But with all the already controversial items, why was this put in? It would be nice if a plausible case (preferably more!) was given where this item is useful that is NOT linked to the Netherlands becoming a stooge for the (largely American) Music & Video industry.

  • Forcing suspects to decrypt encrypted data – This is in special response to several child pornography cases where suspects had strongly encrypted content on their systems that Law Enforcement officers could not break. Looking at it from that perspective, it is understandable that this is to be desired.

    However, child pornography is NOT the only reason why anyone would want an encrypted folder. I personally use encrypted containers to store my company’s valuable data in, and I would certainly recommend it for anyone. Under what circumstances will this item be put into practice? And by that, I mean I would appreciate a list of the type of cases where judges will be using this law.

    Most people will agree with using this in cases against child pornography, but it would be an entirely different matter in cases of, say, intellectual property rights of a company. In any case, I would bet that any really guilty child pornographer would prefer 3 years jail time over a full sentence for child pornography. Especially after the way these folks are (understandably) treated by the general populace once their identities are known. In other words: isn’t this item a bit useless to use against hardcore criminals?

Opstelten versus the Community
A few months ago I shared a stage at Nyenrode Business University with, among others, Wil van Gemert (the Dutch National Counterterrorism Coordinator at the NCTV) and Ronald Prins (Fox-IT). Mr van Gemert, who has long worked for the Dutch police before being promoted to his current position, was the only speaker who unequivocally supported this law. All the other speakers, stemming from industries such as Finance, Technology and Education, opposed for a variety of reasons.

We all understood perfectly well that times have changed, and that the police must be able to change with it if we expect them to protect us from criminal behavior. That is not the issue I have with these plans. The issue is how to prevent misuse of this power, and given the many examples we can cite from, this is not a minor consideration that is easily dismissed.

Police officers are human beings too, and they too will bring their personal lives to the job. What is to stop an officer from cracking open the mailbox of a loved one suspected of cheating? Why is it so unclear whether a judge is required to sign off on an action versus the police making a judgment call?

The questions are also of a practical nature: HOW are the police going to crack systems? What software will they use? Will they make use of the same vulnerabilities known to the criminal industry, or will they somehow develop their own backdoors? Will we ever know? If they discover new vulnerabilities, will they still inform us of their existence or keep them under wraps just to ensure their own capability of gaining access? Will they strike deals with software giants such as Microsoft to get a backdoor?

The most critical questions for me have everything to do with prevention of misuse. Who can perform what action, under what circumstances? And who will make sure they cannot do it under other circumstances?

Who will check whether the police have complied with the regulations and limitations we impose on this law? What will be the consequence for a police officer or official when he or she violates them? How plausible will enforcement and auditing still be if the only result is a minor slap on the wrist?

Bart Jacobs, a well-known Dutch professor who teaches and researches information security at the Radboud University in the Netherlands, also made clear his reservations about this law. When asked, he had these questions:

How can I know the police didn’t change anything on my system if I am a suspect? Can I ever prove the police didn’t change anything? Or that they have? Can you EVER know?

Please note that I am translating and paraphrasing somewhat. Other observations he made were interesting to share: “When creating the law on tapping phones, the government promised it would be sparsely used. Now, we are one of the most-tapped nations in the world.” And “The police are acting like their backs are against the wall. They are framing the debate in a “poor me” fashion to garner sympathy.” It is clear from these remarks that Professor Jacobs is not a fan of this new law.

There are many questions that need to be answered before implementing such an article of law. Naturally I understand that the current wording and phrasing is not what will end up in Dutch law, but all the above points should be given due consideration. Cybercrime has brought us considerable change with regard to criminal activity, and the laws we currently have may not be sufficient. But knee-jerk reactions make bad laws, and if we are to really deal with cybercrime, we must have good and solid laws that ensure citizen safety (and privacy!) without compromising Justice.


Information Security, Post-Snowden

As published on Tripwire’s State of Security:

The revelations regarding the extensive digital intelligence gathering programs of the American National Security Agency by Edward Snowden won’t have escaped your notice. Since the first reports around June 5th of 2013, the hits have not stopped coming; each consecutive unveiling being of larger scale, depth and intensity than its predecessor.

It is interesting to note that Snowden was hardly the first whistleblower on the massive internet espionage operation by the US government. On January 20th 2006 an employee of AT&T approached the Electronic Frontier Foundation (EFF) with proof that AT&T was cooperating in an NSA intelligence program, and on July 2nd 2012 three NSA employees shored up a lawsuit by that same organisation.

The facts are hard to ignore: wiretapping heads of state[1], allied or not[2], hacking telecom corporations[3], large scale internet wiretapping[4] and forcing American technology firms to provide access to customer information[5] or worse: building a backdoor into their products[6]. Summing matters up sometimes stretches the bounds of credibility.

As Jacob Appelbaum put it during his talk at the German CCC conference late last year, the NSA’s operations have really only been limited by Time. Had Snowden waited another year, chances are that we would have seen even bigger programs come to the surface. And perhaps we still might; if Snowden is to be believed we haven’t seen the last of his work.

The impact on our online privacy is consistently mentioned by the various news media. Organisations of all sizes and nationalities are asking themselves just how safe their data is. Do they have unwanted American visitors on their network? How are they going to keep out the NSA? Or other intelligence agencies? Can you keep them out at all?

In my opinion, these questions aren’t simply valid; due to the immensity and depth of these intelligence gathering programs and the long list of involved corporations, a considerable bit of research should be more than warranted.

Thanks to Snowden’s revelations we have enough material to make three assumptions:

  • Virtually all internet traffic is tapped. Because it’s not just the NSA spying on internet traffic but, to varying degrees, almost every national intelligence agency on the planet, there is a reasonable degree of certainty that all of our traffic is intercepted and looked at, regardless of where it’s going or where it’s coming from. In case you’re wondering, this certainly includes smartphone traffic.
  • American and British hardware (laptops, desktops, servers, USB devices, mice, keyboards, smartphones et cetera) is very likely all compromised by a backdoor through which remote access can be obtained. If it hasn’t been built in during fabrication, it could still be inserted during transportation, with the aid of transportation firms[7]. For safety’s sake it is reasonable to assume that Canadian, Australian and New Zealand firms are performing such tasks for their respective intelligence agencies as well, given that these countries are also part of the Five Eyes intelligence gathering pact between the US, UK, Canada, Australia and New Zealand.
  • We cannot trust American technology firms. It is unfortunate for those that haven’t been compromised, but due to American anti-terrorism laws you simply cannot trust them with your data. Whether they are paid or forced to cooperate is, in the end, unimportant for you; they will provide the NSA with intelligence or build those backdoors into their products that are so prevalent and so desired. Your data simply isn’t safe with American online service providers, and thanks to the PATRIOT act it doesn’t even matter if the data itself is on US soil or not. It also doesn’t matter if you are not American. Or if you’re a citizen of an allied country. The American justice system pretty much completely ignores non-citizens and as such, virtually everything done to your data is considered legal. Your data can be reached and inspected regardless of where it resides, and they do it on a shockingly large scale. Here too, it would be wise to lump British, Australian, New Zealand and Canadian firms in on this.

And it’s not just US firms that have been exploited in such a fashion. Among the firms on the list below you will also see enterprises that have a lot to lose if banned from the American technology market, such as Samsung. Let’s put some names to faces. Do you have products in your network or at home that are made by these companies?

Then you almost certainly have a backdoor into your network through which the NSA can enter your network unseen. Perhaps more than one. And now that it is public knowledge that these backdoors exist, it is highly likely that they are exploitable by other parties as well.

[Image: list of implicated vendors and their products]

The US is, thanks to strong representation in the Technology market, in a very comfortable position where gaining remote access is concerned. This doesn’t stop other nations from attempting the same level of access or intelligence, and quite successfully.

China, Russia and Iran also developed strong Cyber programs of which digital espionage is a substantial element. Closer to home the French DGSE was embarrassed by sudden publication of their own cyber espionage program, not a week after they publicly denounced such practices. Israel has also been known to have a very effective digital intelligence gathering program.

If you still have doubts about whether or not you might be compromised, the EFF has published an electronic file[8] containing exactly which vendors and their respective products give unwanted access to commercial networks. You will encounter the term “persistent backdoor” very often, which means that there is a built-in back door in the product through which unauthorised access to the network is easily attained.

They work virtually the same as the software companies install so that their employees can work from home, with the notable exception that your organisation doesn’t know about, support or condone this ‘feature’ of the products it installed and considered safe.

So why should companies care about this? You’ll often hear the argument that such programs revolve around national security and are an affair between nation states, not commerce. And yet there have been several cases that show that this is certainly not always the case. Information obtained by national espionage programs can easily be used to great commercial advantage.

There are some prime examples in which national intelligence agencies provided firms with information that gave them a competitive advantage during critical moments while competing with foreign competitors, such as during the negotiations of lucrative contracts. On July 5th 2000 the European Parliament launched an investigation into contract negotiations taking place in Brazil in 1994.

In this case the French firm Thomson-CSF lost a contract to the American defence contractor Raytheon to a tune of $1.3 billion because Raytheon had received crucial information intercepted by an American intelligence agency. In 2000, aircraft manufacturer Airbus lost a Saudi contract worth $6 billion to American firms Boeing and McDonnell Douglas in equal fashion.

Both these incidents took place during the ECHELON program, an earlier iteration of the PRISM program that we have heard so much about in recent months. The amount of data that is being intercepted and monitored today makes the ECHELON program pale in comparison.

Whether you do business internationally or not, having intruders on your networks and mobile devices is almost certainly unwanted. There are ways to defend yourself, but depending on which hardware and software you are using, you may have to start looking for different vendors offering similar products.

This isn’t always practical. Imagine replacing Microsoft Windows with a Linux distribution on all of your systems. This may not be feasible due to lack of staff capable of supporting Linux. Replacing servers, desktops, laptops or networking equipment with equivalent products made by vendors of a different nationality can be difficult, but you could still take steps in the right direction.

For instance, if you are currently using remote access tokens by RSA[9], you may want to consider replacing them. By its very nature, remote access technology is an exceptionally critical service that can immediately defeat all of your network security measures. Whether you will be safe after a full overhaul of your network will likely always remain a mystery; Snowden or some other whistleblower might implicate yet more firms that are complicit with national intelligence agencies.

To have a realistic chance at securing your network, it must be capable of segmenting your various suppliers and vendors. Ideally your network architecture is designed in such a way that no single vendor or supplier can compromise the entire network by itself.

Outsourcing your data or network services to a cloud provider is an equally hazardous idea. You have to be absolutely assured that your provider does not store your data outside your nation’s borders, which would open up avenues for foreign entities to gain access. Most nations have laws in place for their intelligence and law enforcement agencies to obtain access to systems within their sovereign territory with or without the consent of its owner.

Even if you have assured yourself that your cloud provider won’t suddenly change its policy, be aware that most of the firms implicated by Snowden have kept, or have been forced to keep, silent about their assistance to the NSA. If your privacy has been violated, you may learn of it much too late or not at all.

Also, it is critical that you encrypt your data. This includes both data in transit and data at rest, so the smart move is to not leave any data unencrypted on online services such as Dropbox. Be sure to use encryption that is not commonly used on the Internet, or made by any of the implicated firms listed above.

The NSA, and more than likely many intelligence agencies with them, is especially capable of cracking the most used encryption methods such as SSL[10] (Secure HTTP, which ensures that well-known lock icon in front of a web address in your browser). Custom, strong and domestically made crypto technology is the best choice to protect both your network traffic as well as encrypting data storage devices[11].

Finally, it is important that you have a strong identity & access management program. None of the measures above amount to very much if an employee or supplier has access to your network and happily provides this access to a third party with bad intentions.

Protecting information today is more complex than before. To have a chance at keeping unwanted visitors off your network tomorrow, you must lay the foundation today. Although this can be a considerable undertaking, you can at least be assured that it will not get any easier. The time of leaning back casually without having to worry about security has certainly passed.

About the Author: Don Eijndhoven (@ArgentConsulting), Chief Executive Officer of Argent Consulting B.V., lead cyber security architect and guest lecturer Cyber Resilience at the Nyenrode Business University. Don can be reached at d.eijndhoven@argentconsulting.nl.

Argent Consulting buys B-Able Argent Consulting

PRESS STATEMENT

Monday, 26th May 2014. The Netherlands: Due to insurmountable differences among management, the joint effort between Argent Consulting and B-Able, dubbed “B-Able Argent Consulting” has been terminated. Argent Consulting has bought out the remaining shares and will fulfill existing contracts until their natural termination. The Argent Consulting brand will return to the field in full force; offering new and revised products and services in the global Cyber industry.

Argent Consulting’s CEO Don Eijndhoven had this to say: “The joint venture was entered into based on an estimation of overlap of skills and services between Cyber Security and the more established field of Information Security. We expected a much more receptive customer base but there wasn’t sufficient foundation to work on. In short, the alliance wasn’t as fruitful as we hoped it would be. While this is regrettable, there was also good news: In the Cyber realm we did, and continue to, perform excellently. Having landed several prestigious consultancy contracts with global NASDAQ-listed firms, our core business scores very well and we are going to keep advancing in this strategic direction under the Argent Consulting flag.”

On Dutch Banking Woes and DDoS Attacks

If you don’t live in the Netherlands or don’t happen to have a Dutch bank account, you can certainly be forgiven for not having caught wind of the major banking woes that have been plaguing the Dutch. For weeks now, massive DDoS attacks (linked article in Dutch) have brought low the online services of several banks, interrupting mobile payments and slowing down overall online financial traffic. At the center of the digital storms is ING, which was hit first (Dutch) and is hit the most often (Dutch), but Rabobank, ABN AMRO and SNS Bank are also frequent targets. Dutch online payment system iDeal has also been attacked several times, impacting virtually all Dutch banks as well as the many online retailers that use it.

What the goal behind this wave of DDoS attacks is, is as yet unknown, but there are several possible motives at play. It could be simple vandalism, a rather hefty attempt at misdirection to cover up real hacking attempts, or it could have something to do with ING and ABN AMRO being implicated or involved with investigations into tax evasion through offshore banking by the ICIJ. The latter seems unlikely, as most of the DDoS traffic appears to be coming from Romania (according to hackers collective HacksIn – I had a link about that, but lost it somehow) and no motive has made itself known thus far. It was a matter of time until Anonymous came along to jump on the bandwagon, and indeed its Dutch chapter appears to have done so this week when someone posing as Anonymous posted a message on Pastebin. In it, they claim to know who is behind the DDoS attacks (a group of Muslim extremists called Izz al-Din al Qassam Cyber Fighters), and that the Dutch people should go out and collect their money from these banks because it is not safe there.

There are, however, some issues with this post on Pastebin. Firstly, the group they blame for the DDoS attacks is in fact the group responsible for attacks on US BANKS, and there is no discernible link between the US banks being hit and the Dutch banks currently under attack. The motive for the attack against US banks seems clear: Izz al-Din al Qassam demands the removal of the movie “Innocence of Muslims” from YouTube. Once the movie is removed the attacks will stop, they claim. To my knowledge, no such demands have been made here in the Netherlands.

The second issue is that the advice posed by Anonymous would, in fact, immediately collapse the Dutch financial market, as no Dutch bank is currently strong enough to survive such a proposed bank run. They simply don’t have sufficient cash in their vaults. In other words: this is a really bad idea.

So what now?
For starters, ING should hire someone who knows how to communicate during a crisis. It’s obvious that they suck at it. They’ve finally stepped off their “Silence, Evade, Deny” strategy, but it’s taken a while. All major companies should look into this, because they may very well be next. Second, major companies with a serious online presence should really start taking this stuff seriously. DDoS attacks are hardly new material to deal with, and proper impact negation tactics have been around for a while. If your income is dependent on online services and this income is significant, get a real ISP that understands this and has expertise in countering such digital vandalism, such as Arbor Networks or Prolexic.

The bad news is that according to a recent Prolexic report, DDoS attacks are getting increasingly stronger. They have seen the first 130GB/s DDoS attack this year, and during the first quarter of this year the average attack bandwidth was 48.25GB/s, which signifies a whopping 718% increase over last year. The increase seems to come from a change of victims in the botnets (Dutch) they use. Apparently, they are now targeting web servers especially for their higher bandwidth capacity, which in turn increases overall attack bandwidth. On top of that, the DDoS attack seems to have regained its popularity because the target list is growing. Airlines such as KLM (Dutch) and Dutch authentication firm DigID (Dutch) have also recently been hit with massive attacks. In an effort to stave off this wave of disruptions, the Dutch National Cyber Security Center has been organising collective defense (Dutch) between Dutch banks, but it seems they may have to include firms from other walks of life as well. I think we can safely conclude that this avenue of attack is still very worthwhile and won’t be going away anytime soon.

In fact, things may get a lot worse if this newly discovered DDoS technique gets incorporated. Apparently Incapsula mitigated a small attack of 4GB/s recently, and they traced it back to a single source. Generating 8 million DNS queries per second, causing ALL of the 4 GB/s traffic by its lonesome, certainly qualifies it to be called a DDoS Cannon instead of a lowly bot. I don’t know if it is technically feasible, but imagine 100K+ systems doing this.

Wrapping up this piece, I would like to ask mainstream news reporters to please start learning some basic truths about information security. Stop referring to DDoS attacks as “(sophisticated) cyber attacks”. They’re not. A DDoS attack is annoying, yes. But on the scale of sophistication they rate roughly as digital graffiti. Also, some major outages are caused by stupidity from the victim rather than an outside source. At least ONE major outage on April 4th of this year at ING was caused by someone messing up certain files that had to be read into a system. This caused a major outage and customers seeing the wrong amount on their bank accounts. This incident was also the most significant failure of ING’s webcare / crisis communication because they didn’t do anything until the problem was almost fixed (many hours later). Still, mainstream media fed the panic frenzy that it was an external “sophisticated cyber attack” until the absolute very end. Very poor reporting if you ask me. Proper reporting matters because your news is read by people who take it for immediate truth. You can, and do, cause panic and unrest when you blow things out of proportion, so please stop doing so. Thank you.

The Dutch, the Yanks, the Cloud and YOU

Recently a research project by the Amsterdam University [PDF Alert] revealed that US law allows the US government to access information stored in the Cloud by (ab)using the PATRIOT act. Multiple Dutch politicians have started asking questions of state secretary Teeven of the Justice department as to whether he knew about this before the research project, and whether he did anything to prevent this or to warn Dutch citizens about this potential breach of privacy. He has since sent in an official answer. Unsurprisingly, he confirms that the issue is real, but does not answer the question about whether he knew about this beforehand. He goes on to say that it is up to each individual to be careful with any information they publish online, be it to a cloud-based service or anywhere else.

What surprises me, is that people still don’t seem to understand what the Cloud is, what it does and how it works. The effects of the PATRIOT act have long been known, and its effects have been hotly debated for years. How is this any surprise to anyone?

Please follow this logic:

The Cloud is the Internet. It really is that simple. Cloud Services are simply applications that run on clustered computer systems. Maybe on two, ten, a hundred or a thousand systems at a time, it doesn’t matter. Users (and data) are replicated to every system in this cloud regardless of where they are. There could be ten in your own country, twenty in the US and another fifty in Russia. This is (most often) invisible to the end user, and very often special effort is made to keep this invisible to the end user, and to make it one big system regardless of what server you are connecting to, or from where. To be on the safe side, you should assume that regardless of where you are located when you upload data, it is uploaded to the entire grid, not just the part in your country.

And it matters where these systems are located geographically, because that is the only factor in the question as to which country’s laws this system (and more importantly the data on that system) is subject to. For example: Google has servers dedicated to Google Docs in a lot of countries such as the Netherlands, Germany, Britain, the US and probably several countries in Asia. You upload a document to Google Docs while in the Netherlands. As soon as you do, it is replicated to either all the systems all over the globe, or replicated between central data storages all over the globe. It is generally safe to assume that your data will be everywhere, regardless of where you are. ANY country that has Google servers for Google Docs within its borders can in theory (this depends on what laws exist in said country) demand access to this data. The US is almost certainly not the only government that can do this, but even if no other country has such laws, you can rest assured that if the need ever arises (from a national security standpoint) to access your data, things tend to get very ‘flexible’ on very short notice in most countries. Therefore you should assume that you cannot trust any online service with your data, regardless of its classification or nature.

As has always been the case, in the end you, and only you, remain the only person responsible for what happens to your data. If you absolutely do not want it leaked, don’t put it on the internet.

Social Media as a Cyber Warfare Gamechanger

September of 2012 will live on in infamy for a large number of people. It was the month of the massive riots by Islamic extremists who, incited by the ever present radical imams, stormed several US embassies, allegedly over a months-old, poorly crafted YouTube video that ironically decried the violence of Islam. Most notable of which were the embassies of Egypt and Libya, where four Americans lost their lives, one of which was an American ambassador. Riots and demonstrations followed all over the globe for about a week. I say allegedly because a closer scrutiny of what happened will tell you an entirely different story.

Stoking an Insurgency
It’s not the first time that something seemingly innocuous gets blown out of proportion by religious extremists with their own agenda; some of you may recall the Mohammed cartoon riots, or pick any of the incidents listed in the article by Michelle Malkin, who goes into this a lot more eloquently than I ever could. Regardless, my point is that there is a lot more to this Innocence of Muslims riot than meets the eye, as the ever well-informed good people of Sofrep.com will tell you. They have a lot more information than what you are likely to have seen in the press. The CliffsNotes version is quite simple and a lot more easily explained than what the press is force-feeding us:

Trained soldiers executed a coordinated attack on multiple US embassies at the same time. These so-called ‘rioters’ were carrying RPGs with them. You know, as you do when out shopping on a summer day in Benghazi. Not only was this not a spontaneous event, but chatter about this meticulously planned attack was picked up by various intelligence agencies beforehand, and people in Washington are now falling over each other on whom to blame for this failure to act on the imminent threat. This did not, however, stop some deviously clever people from using the Innocence of Muslims video, which by that time had been on YouTube for 6+ months without anyone noticing, as a clever ruse to further fan the anti-American flames. Did I mention that all of this happened on the very significant anniversary of 9/11?

The Facebook Riots
On a much smaller scale, on Friday the 21st of September the small Dutch town of Haren came under siege by thousands of youths looking to party, who swarmed the town after one girl accidentally published an invitation to her Sweet Sixteen birthday party on Facebook to the entire world. In what is now referred to in the Netherlands as the “Facebook Riots”, a few ‘friends’ of the girl decided it would be fun to relive the movie Project X and started spreading the word. Things escalated and swiftly got out of hand, requiring the riot police to act. When the smoke cleared the following morning it became clear that the rioting youths had caused damages of several million euros. Ever since this phenomenon took hold, attempts at recreating the carnage (Dutch link) have been springing up all over the country (Dutch link), keeping local government and police on their toes.

Tallinn´s Bronze Night
Let’s go back to Estonia in 2007: the local government in Tallinn relocates an elaborate Soviet-era grave marker, the Bronze Soldier, as well as some war graves, to a more out-of-the-way location. What followed was two solid days of rioting (now referred to as Bronze Night or the April Unrest) and, better known in cyber security circles, the massive cyber-attacks against the Estonian parliament, banks, ministries, newspapers and broadcasters. While no real proof has been found to directly implicate the Kremlin in backing the riots or the cyber-attacks, it has since been believed to be true regardless, and on March 10th 2009 a commissar of the Kremlin-backed youth group Nashi claimed responsibility.

The Innocence of Muslims riots, the Haren Facebook Riots and the April Unrest disconcertingly share a common factor: all three were incited and coordinated through the internet. The only real difference is the level of sophistication: Tallinn’s Bronze Night was more or less coordinated through various internet fora, whereas both the Innocence of Muslims riots and the Haren Facebook Riots were incited, spread and coordinated through the social media sites YouTube, Facebook and Twitter.

The reason that I now write this piece is because I fear that this level of social manipulation can be readily adopted by foreign powers to foment trouble well outside of their own national borders. In the case of the April Unrest in Tallinn, the rioting and the cyber-attacks were all done through allegedly Kremlin-owned “assets” such as Nashi. Of course I can offer no empirical evidence to validate my fear, but I would argue that the other two cases prove you don’t need such assets to get the same results. The Haren case in particular shows that massive local damage can be done by exploiting the set of social phenomena that social media create and that we have barely begun to discover. It seems to me that it is only a matter of time before these social phenomena are actively exploited by those groups that are specifically suited to and knowledgeable in these tactics, such as Anonymous or 4chan.

To me, indeed these phenomena feel like a weapon custom made for them. Think of it as a gross escalation of Swatting and you will understand why governments need to get a grip on this before it undermines their authority. If done right, I have no doubt that successfully re-creating the Haren case is almost as easy and almost as swiftly arranged. And these are just the groups that generally only have mischief on their mind. Can you imagine the damage that can be done this way by someone with truly malicious intentions and absolutely none of its own assets at risk? Some creative type with a long exposure to really unconventional warfare getting his cues from a government with a score to settle, and deep pockets to fund the whole thing? It’s a scary thought. If used properly, Social Media might very well be the most refined weapon for asymmetric warfare to date.

Correlating and Escalating Cyber

On September 20th, CNet reported on a new wave of malware called ‘Mirage’, embedded in PDFs that were distributed through spear-phishing attacks against a multitude of targets, such as a Philippine oil company, a Taiwanese military organization and a Canadian energy firm. The attackers’ target set also included firms in Brazil, Israel, Egypt and Nigeria. Their report was based on the findings of Silas Cutler, a security researcher at Dell CTU. The researchers declined to comment on the origins of this new malware, but as we’ve seen before, the characteristics of this digital crimewave are a dead match for what we’ve encountered during Night Dragon, Operation Aurora and pretty much everything we’ve seen coming out of China in the last decade. Call me old-fashioned, but when I read attack characteristics such as these, I feel confident that a talk with the PRC is warranted:

  • Widespread – broad targeting of an entire industry, aiming for commercially sensitive data;
  • Not extremely sophisticated, just adequate to get in;
  • The supporting command and control network is highly active;
  • Attacks seem well-prepared and highly organized;
  • Some of the malware is made by the Honker Union (a well-known Chinese hacker group);
  • The command and control IP address belongs to China, as did three others that were used earlier in the Sin Digoo affair.

Looking at this pretty much confirms that those talks US Secretary of Defense Leon Panetta had with the Chinese recently about exactly these kinds of cyber-attacks, had little effect. Considering how much American debt is held by the Chinese, you would have to ask yourself just how hard a line the US can draw against such practices, but other countries would probably do well to start talking more sternly through the diplomatic channel with China. Make no mistake: the economic damages of these attacks are so high that involvement is definitely required at the state level.

Getting out of Dodge first
So here we have a rather clear-cut case of attacker correlation which, as ever, is done pretty much after the fact by an international firm that investigated the malware. My question is: how do you deal with this as a nation, as it happens?

This one question breaks down into a number of smaller issues. First off, you’d have to establish at least somewhat formally who defends what network. And let’s be fair: if you’re a democracy, it’s unlikely to be just one entity. The second issue you have to tackle is detecting the actual attack as it happens. Some network administrators will be able to, others won’t. To be of any use on a national level, defenses on all networks should probably be somewhat similar. At least quality-wise you’d need them to be similar, otherwise you wouldn’t be able to determine the whole scope of each outbreak, even after the fact. This raises the question of how wise or desirable it would be to regulate information security measures in some way. In many companies, information security is still seen only as an expense and not as a requirement, even though we can cite countless examples of companies being severely damaged by successful cyber-attacks.

So let’s assume we know who defends every network, and assume they can all detect a new wave of malware as it happens. Then what? This information is usually kept secret (or ignored, but that’s another matter entirely) and no signals leave these defending parties. When is the last time you called your government after a major cyber-attack hit your company? If you can answer that question, you’re really in a minority and most likely operating in a heavily regulated industry such as Finance or Healthcare. The rest is pretty much left to fend for itself. Attacked entities need a local place to send information about these attacks. I would argue that for a government to be able to correlate various cyber-attacks, it must first have a central authority to which each entity can report attacks on its networks and systems. I haven’t heard of any country having this, but a while back a couple of my friends here in the Netherlands started talking about the lack of such an authority. This was thought up during a brainstorming session at the Dutch MoD and initially dubbed a Security Operations Center (SOC). Even though I feel this name is somewhat ambiguous, let’s keep it for now. Given its national scope, we should probably stick to the CERT naming convention and call it GOVSOC.

Alright, then what?
At the risk of becoming repetitive, let’s assume for now that such a GOVSOC is formed and operational. You’d then need to devise thresholds and escalation paths, along with policies to deal with all eventualities. You’d also need some pretty good agreements with law enforcement, the military and civil government. All three of these parties need some kind of mandate to be able to act on information. It would also need to be laid down how each of these parties will act on given information. In case an actual cyber-attack wave is detected, it would first need to be established whether there is nation-state involvement or whether it’s cybercrime. In case of nation-state involvement, what would you want your government to do? Even when you’re certain who did what, what are the thresholds for acting on it? How big must the damage be before diplomatic relations deteriorate? Is this affected by how much you engage in these activities yourself?

Maybe I’m wrong, and I sure hope I am, but I haven’t heard of any country getting to this point yet. Many have been debating these and similar questions, but how about some action? For instance, in the Netherlands the National Cyber Security Center (NCSC) seems like a great candidate to embed that GOVSOC function in. It’s government, but it’s a public-private collaboration. If you know of any such developments in your country, please share them with me.

The Dutch and the Dorifel

Unless you happen to live in the Netherlands, chances are that you missed the outbreak of a ‘new’ piece of malware a few weeks ago called Dorifel, also known as XDocCrypt. With over 3000 infections in a matter of hours, of which 90% were systems in the Netherlands, this triggered the Dutch National Cyber Security Center almost instantly. XDocCrypt/Dorifel is a new trojan that encrypts executables, Excel and Word files that it finds on USB drives and network disks, causing companies to come to a grinding halt almost immediately after infection. Later investigation by Digital Investigations turned up that it also distributes phishing banking websites for ING Bank, ABN AMRO and SNS Bank (all banks with a strong presence in the Netherlands). With such distinctive traits, you would expect it to be ransomware, but it’s not. It doesn’t ask for money, and there are no real clues as to what the point is of encrypting those files. It may simply have been a trial run just to find out how well this technique works, but it’s all conjecture at this point.

As an aside, it should be mentioned that the malware’s efforts at encryption did uncover something I found interesting: it exploits the RTLO Unicode Hole, which abuses the standard Unicode “Right-to-left override” character (U+202E) that Windows supports for Arabic and Hebrew text (meaning it’s a Feature, not a Bug). Through this use of the RTLO Unicode Hole, they make a filename such as test[U+202E]cod.scr appear in Windows Explorer as testrcs.doc, effectively making a harmful executable look like a simple Word doc.
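A defender can flag such names before they reach a user by comparing the extension the OS will actually use with the one a bidirectional renderer displays. The following scanner is an added example and not part of the original article or of any Dorifel analysis; the sample filenames are constructed, and the display model is an approximation that handles a single override, which is the trick described above.

```python
"""Flag filenames whose Unicode bidi override hides their real extension.

Added example, not from the original article. Sample names are constructed.
The display model below is a simplification of the Unicode bidi algorithm:
it handles one right-to-left override (U+202E), which is the Dorifel case.
"""
import os
import unicodedata

# Bidi categories of the explicit formatting characters (U+202A-U+202E, U+2066-U+2069).
BIDI_CONTROL_CATEGORIES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
RLO = "\u202E"
# Extensions Windows will execute; a spoof that lands on one of these is the worst case.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk"}


def bidi_controls(name: str) -> list[tuple[int, str]]:
    """Return (offset, category) for every bidi formatting character in the name."""
    return [(i, unicodedata.bidirectional(ch)) for i, ch in enumerate(name)
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CATEGORIES]


def strip_controls(name: str) -> str:
    """Remove bidi formatting characters; they are invisible when rendered."""
    return "".join(ch for ch in name
                   if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CATEGORIES)


def displayed_name(name: str) -> str:
    """Approximate what Explorer shows: text after an RLO is rendered reversed."""
    idx = name.find(RLO)
    if idx == -1:
        return strip_controls(name)
    head, tail = name[:idx], name[idx + 1:]
    return strip_controls(head) + strip_controls(tail)[::-1]


def extension_of(name: str) -> str:
    """Extension as the OS resolves it: text after the last dot of the basename."""
    base = os.path.basename(name)
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def analyze(name: str) -> dict:
    """Compare the real extension with the displayed one and decide if it is suspicious."""
    controls = bidi_controls(name)
    real_ext = extension_of(name)
    shown = displayed_name(name)
    shown_ext = extension_of(shown)
    return {
        "name": name,
        "displayed_as": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        # Legitimate RTL text has no override characters, so it is never flagged here.
        "suspicious": bool(controls) and (real_ext != shown_ext or real_ext in EXECUTABLE_EXTENSIONS),
    }


def scan(names) -> list[dict]:
    """Return the analysis records for every suspicious name in the iterable."""
    return [record for record in map(analyze, names) if record["suspicious"]]


# Constructed sample names: two RLO spoofs, one plain document, one genuine Arabic name.
SAMPLE_NAMES = ["test\u202Ecod.scr", "invoice\u202Efdp.exe", "report.docx", "ملف.txt"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_NAMES):
        print(f"{hit['displayed_as']!r} is really .{hit['real_extension']} ({hit['bidi_controls']})")
```

Point `scan` at `os.listdir(path)` to check a download or share directory the same way.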

What worries me most, and this is the reason for this article, is the delivery vehicle used by this new piece of malware. You see, it doesn’t exploit some new weakness. Instead, it’s being delivered by systems previously infected with the Citadel/Zeus trojan. This means that over 3000 systems in the Netherlands (systems belonging mostly to ministries, local government and hospitals) already had active botnets inside their networks before getting infected with this new malware! Mind you, virtually all of these systems and networks had active antivirus and IDS systems, and NONE detected either the Citadel/Zeus botnet already in place or the new XDocCrypt/Dorifel malware. If anything should be a severe wake-up call for Dutch firms that still half-ass their security, this is it.

Major AV vendors such as Kaspersky and McAfee now address this piece of malware, but it does make you wonder: If this Trojan hadn’t gone through the trouble of encrypting all those files, would it ever have been caught? Clearly, with only a couple of thousand infections, it is not that big of an outbreak. Chances are good that Dorifel would have stayed below the “economic feasibility to fix” line that most antivirus corporations adhere to. With malware code mutation getting increasingly easier and more mature, will this be our future? No more large infections, but a lot more small ones to stay below the collective AV radar? It seems plausible. It certainly makes the dim future of the current AV Modus Operandi that much dimmer. When will we finally see a paradigm shift in our approach to defeating malware?

Dutch MoD releases Defense Cyber Strategy

At long last, the Dutch Ministry of Defense has published a crucial piece of Cyber Doctrine by publishing its Cyber Strategy [PDF Alert – Dutch]. It was given quite a nice introduction by the Dutch Minister of Defense Hans Hillen, who presented it during the MoD’s Cyber Symposium in Breda on the 27th of June. During this introduction it was also asserted that over 90% of all attacks on Dutch military systems and networks were of Chinese origin, which made me wonder why we haven’t heard any political outcry yet, but I digress, as this is not the topic I had in mind for today. Let’s get to the document in question: it is 18 pages long in total, and the introduction of the Dutch Cyber Defense Strategy is, as is often the case in such documents, very telling. The language used should be looked at as defining the terms by which the rest of the document can be interpreted.

In the introduction the Dutch MoD acknowledges that it uses the digital domain for (satellite) communications, information, sensor, navigation, logistical and weapons systems, that these depend on secure internal and external networks of digital technology, and that this makes them vulnerable to cyber attacks.

They also acknowledge that other countries are developing offensive cyber capabilities and that non-state actors are also capable of forming a threat to Defense forces by attacking digital systems and networks. What’s interesting is that this strategy also acknowledges the blur of the lines between the combatant and the non-combatant, and also the blurring of the borders of any operational areas. Both are key components of the “Fourth Generation Warfare” principle and it seems that the Dutch MoD has at least partially accepted this principle. What makes this so interesting is that they are declaring that non-combatants may also be actively targeted. In essence, they are putting the world on notice that walking around without a uniform is no longer an automatic safe haven, and that if you’re involved with any kind of cyber attack, part of a militia or a terrorist, you have a bull’s-eye on your head. No matter where you are. Plain and simple.

The last paragraph of the introduction specifically mentions that the military-industrial complex is already a major and consistent target of cyber attacks because it develops and produces high-grade military technology. The strategic and economic value of its digital assets is high, and as such these need to be very well guarded, also in the cyber aspect. This ties in nicely with my earlier article based on the MIVD’s yearly report.

For those interested in what official Dutch political documents and official questions this document ties into, here’s the official answer:

The Defense Cyber Strategy was created in answer to:

  • The publication ‘Defensie na de kredietcrisis’ of April 8th, 2011 (“Kamerstuk 32 733, nr. 1”);
  • The piece to be covered by the MoD in the National Cyber Security Strategy as I covered earlier (“Kamerstuk 26643, nr. 174”);
  • The advice given on Digital Warfare by the Advisory Council on International Questions (AIV);
  • The Advice Commission’s (CAVV) answer to the questions posed in “Kamerstuk 33 000-X, nr. 79”;

Right, so we have that covered. Now let’s get to the meat of the document. From the outset it looks pretty promising. The strategy has six driving points and they are very broad (but relevant):

  1. Creating an integral and integrated approach;
  2. Increasing the digital resilience of the entire MoD (Cyber Defense);
  3. Developing the capability to carry out cyber operations (Cyber Offense);
  4. Reinforcing intelligence gathering in the digital domain (Cyber Intelligence);
  5. Increasing knowledge and innovative power of the MoD in the digital domain, including recruiting and keeping qualified personnel (“adaptive and innovative”);
  6. Intensifying collaboration nationally and internationally.


Dutch Military Intelligence dives into Cyber

The Dutch Military Intelligence agency (MIVD) recently released its 2011 yearly report (in Dutch). As usual, they covered the events of 2011, but also did some forecasting for 2012. It’s especially this last bit I was interested in, and I’m writing this in the hope that you feel the same way.

One of the most interesting facts I extracted from the report is that the MIVD will be focusing the majority of its Cyber Warfare efforts on countering Cyber Espionage. Given that this is probably the most tangible and widely represented cyber activity currently employed, I think this is a wise choice. Add to that the fact that the Netherlands is, by far, the most connected country in Europe (highest internet penetration in Europe with 83%; highest broadband internet penetration in the world with 68% of its connections at 5 Mbps or faster) and it would probably be a safe assumption to say that our economy is critically interwoven with the Internet. Now, I know that there’s a lot to be said about the military defending a mostly commercial and/or civil commodity, but personally I’m happy with this direction. If anything, it’s *a* direction, and from what I’ve seen this has not always been the case in the past.

Three other interesting tidbits that were published in the report involved the MIVD’s future collaborative efforts. One of these is rather obvious and expected: supporting the Dutch Ministry of Defense in its Cyber Operations through involvement with Taskforce Cyber. A less obvious one is their intention to support the ‘cyber aspects’ of the Dutch military-industrial complex. They don’t really go into how they intend to assist, other than that it will involve working with the Dutch domestic intelligence agency AIVD. This is too bad, because it sounds interesting. Considering the major cyber security breaches in the past at American defense contractors such as Booz Allen Hamilton, Lockheed Martin, L3 Communications or Northrop Grumman, it certainly sounds pertinent. They don’t mention it specifically, but odds are good that this (and only this) is what the MIVD has in mind when they mention countering cyber intelligence. Lastly, and to me this was the most interesting, they reveal their intention to collaborate with the AIVD to set up a special SIGINT Cyber Unit (or command; this wasn’t mentioned) to generate shared cyber intelligence. Their goals for this unit are straightforward: assisting in cyber operations in support of regular military operations, charting threats, providing excellent cyber intelligence at all times, and assisting in attributing cyber attacks.

The report also tickled my interest in ‘cyber semantics’ when the MIVD asserted that offensive cyber operations usually include the same activities as cyber intelligence and/or cyber espionage. They also mention that cyber is increasingly important in counterintelligence, and that they would be increasingly exploiting social media such as Facebook, Hyves, Twitter et cetera. An interesting side note here is that due to severe upcoming Defense budget cuts and related contract terminations, it’s been observed that everyone in the Dutch armed forces is now suddenly absolutely perfect in every way (article in Dutch), because apparently it’s gotten to the point that calling in sick is now a bad career move. Our troops should be warned that venting their frustrations through social media is probably a bad idea at this time, however valid the criticism may be.