Get up to speed on cyber security

A Canadian Internet watchdog who recently helped uncover a vast suspected cyber spying network warns that organizations working in international development need to become much better versed in information security.

State-sponsored attacks that block websites and shut down mobile phone networks are increasingly being used to “disrupt the work of civil society at times when their input could be critical to political or social processes,” Rafal Rohozinski told a public meeting at the International Development Research Centre (IDRC).

Well-meaning groups working in the developing world also risk endangering the very individuals and communities they seek to help if they fail to get up to speed on information security in the digital era, he says.

Rohozinski, founder of the Ottawa-based think tank SecDev Group, collaborates with a team of cyber sleuths burrowed in the Citizen Lab in the basement of the University of Toronto’s Munk Centre for International Studies. For 10 months, the researchers tracked an electronic espionage ring they dubbed GhostNet [幽灵网], before bringing it to light in March 2009.

Key members of the team included Citizen Lab director Ron Deibert and research fellow Nart Villeneuve, along with the SecDev Group’s Greg Walton, who conducted the India-based field testing. (They also work together on OpenNet Initiative Asia, an IDRC-funded project that is helping to build a regional network of experts in the field of Internet censorship and surveillance.)

High-value targets

By the time the researchers lifted the lid on GhostNet, the covert intelligence-gathering operation had compromised almost 1300 computers in 103 countries. It was active for close to two years before abruptly shutting down two days after its existence was revealed in The New York Times on March 29, 2009.

Almost one-third of the affected computers were “high-value” targets, located in foreign ministries, embassies, news organizations, international organizations, and NGOs. They included the offices of the Dalai Lama, the Russian embassy in Beijing, foreign affairs ministries in Iran and Indonesia, the Indian diplomatic service, and the Asian Development Bank. Computers were infiltrated for an average of 145 days, and for as long as 660 days.

The network’s command and control centre appears to have been based on Hainan Island in southern China, but the researchers are careful not to ascribe blame. They say they were unable to determine conclusively whether GhostNet was a government or criminal operation, or even a do-it-yourself effort by freelance hackers.

“Ultimately, the question of who is behind GhostNet may matter less than the strategic significance of the collection of affected targets,” the researchers write in their report, Tracking GhostNet: Investigating a Cyber Espionage Network. “What this study discovered is serious evidence that information security is an item requiring urgent attention at the highest levels.”

Cyber spying ‘easy and cheap’

At first glance, electronic spying might appear to be a cloak and dagger realm of little relevance to groups working in the field of international development. “Yet cyber security and cyber espionage have far-reaching implications for our work,” Rohozinski says.

In the past, traditional “signals intelligence” focused on intercepting communications — whether sent by telex, fax, phone, or mail — as they were in transit to their intended recipients. But the Internet has changed all that. Information can now be retrieved at source before it moves anywhere, and the cost of collecting it — using low-tech tools available to anyone — is minimal. It is now easy and cheap to vacuum up information, Rohozinski says — “and NGOs are more of a target than they were 15 years ago.”

Groups that collect data on vulnerable communities risk putting them in greater danger if the information is stolen, he says. Even seemingly benign documents, such as lists of meeting participants, could have strategic importance in the wrong hands.

“It’s important to recognize that as NGOs, particularly those that work with communities at risk, you are collecting information of a personal nature, which can be put to uses that are very different — in fact, antithetical — to the reasons you collect it,” Rohozinski says.

“There has to be discipline about what information you collect and how you hold and communicate it. But most NGOs and research organizations are poorly versed in information security — the level of awareness is abysmally low. Commercial off-the-shelf software won’t thwart this kind of attack.”

Development gains at risk

The Internet is on its way to becoming a much more controlled and regulated domain, Rohozinski says. However, moves by developed countries to fix their own digital security problems threaten to unleash “a cascade of unintended consequences” on the developing world. These risk rolling back development gains that have been made possible in the past 15 years by computers and the Internet, he warns.

“Calling something a security issue here, without defining exactly what we mean by that, opens the door to that definition being applied to a much wider range of activities in developing countries,” Rohozinski says. “‘Terrorism’ may mean that any political group can be excluded. ‘Pornography’ can include anything that’s in any way culturally problematic.”

Over time, the court system and strong advocacy communities will likely help redress this problem in developed countries, he says. “But there’s less confidence that that’s going to happen in developing countries, where the expertise to engage in policy-level dialogue doesn’t exist in this domain.”

Rohozinski believes that building this expertise in the developing world is now just as important a task as was promoting the spread of computers and the Internet in the 1990s.

A Rat in the honeypot

The investigators had been tracking GhostNet for nine months when Nart Villeneuve, a research fellow at the Citizen Lab, identified a 22-character string of code that was showing up repeatedly in infected computers. After punching the code into Google, he was astonished to stumble on one of the spy network’s control servers, located in China. This discovery led the researchers to three other GhostNet servers — two in China and one at a Web-hosting company in the United States. They staked out the servers, virtually, observing all incoming and outgoing traffic, while being careful not to break privacy laws.

Then Villeneuve set a trap. A “honeypot” computer, isolated from the researchers’ own network, could allow them to witness GhostNet’s functioning up close. The attacker(s) took the bait and infected the honeypot with a Rat — a “remote administration tool.”

A Rat is a kind of malicious software, or malware, that gives an external user full control over a computer. It can lift documents off a targeted computer, turn its Webcam on and off, or record audio using its built-in microphone.

“It can also use your Outlook email box to send legitimate messages from your account to another legitimate user, so it’s undetectable as malware,” says GhostNet investigator Rafal Rohozinski. “And it can steal data. We were able to view in real time a sensitive document that was selected, grabbed, and carried off the computer.”
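The 22-character string that kept turning up on infected machines is the kind of indicator defenders still sweep for once a compromise is suspected. The block below is an added example, not code from the article, from Citizen Lab or from SecDev: it searches a directory of files for known marker strings, reading each file in chunks with an overlap so that a marker straddling a read boundary is still caught exactly once, and reports the file and byte offset of every hit. The marker value, file names and contents are constructed placeholders; the article does not disclose the real GhostNet string.

```python
"""Indicator-string sweep over a directory of files (added illustration).

Constructed placeholder marker below; the real GhostNet string is not given
in the article. Everything here is hypothetical example code.
"""
import os
import tempfile

# Constructed placeholder, 22 characters long like the one described.
MARKER = b"EXAMPLE-MARKER-0000001"
assert len(MARKER) == 22

DEFAULT_CHUNK = 64 * 1024


def scan_file(path, markers, chunk_size=DEFAULT_CHUNK):
    """Return sorted list of (marker, absolute_offset) hits in one file.

    The file is read in chunks; the last len(longest marker) - 1 bytes of
    each chunk are kept and prepended to the next, so a marker that crosses
    a chunk boundary is still found. Hits inside the overlap can be seen
    twice, so results are de-duplicated by absolute offset.
    """
    overlap = max(len(m) for m in markers) - 1
    hits = set()
    with open(path, "rb") as fh:
        tail = b""
        base = 0  # absolute file offset of buf[0]
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = tail + data
            for m in markers:
                start = 0
                while True:
                    i = buf.find(m, start)
                    if i < 0:
                        break
                    hits.add((m, base + i))
                    start = i + 1
            if len(buf) > overlap:
                tail = buf[len(buf) - overlap:]
                base += len(buf) - overlap
            else:
                tail = buf
    return sorted(hits, key=lambda h: (h[1], h[0]))


def sweep(directory, markers, chunk_size=DEFAULT_CHUNK):
    """Scan every regular file under `directory`.

    Returns {relative_path: [(marker, offset), ...]} for files with hits only.
    """
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            hits = scan_file(path, markers, chunk_size)
            if hits:
                findings[os.path.relpath(path, directory)] = hits
    return findings


def build_sample_dir(chunk_size):
    """Create three constructed sample files in a temp directory.

    report.doc  - clean, spans several chunks
    agenda.xls  - marker at offset 100, well inside one chunk
    notes.txt   - marker starting 5 bytes before the first chunk boundary
    """
    d = tempfile.mkdtemp(prefix="ioc_sweep_")
    with open(os.path.join(d, "report.doc"), "wb") as f:
        f.write(b"A" * (3 * chunk_size))
    with open(os.path.join(d, "agenda.xls"), "wb") as f:
        f.write(b"B" * 100 + MARKER + b"B" * 100)
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"C" * (chunk_size - 5) + MARKER + b"C" * 50)
    return d


if __name__ == "__main__":
    sample = build_sample_dir(chunk_size=1024)
    for rel, hits in sweep(sample, [MARKER], chunk_size=1024).items():
        for marker, offset in hits:
            print(f"{rel}: {marker.decode()} at byte {offset}")
```

A small chunk size is used in the demo only to force the boundary case; in practice the default chunk is fine, and the marker list would come from the indicators an investigation has actually confirmed.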

Kelly Haggart is a senior writer at IDRC.

Posted in InfoWar Monitor.
