Inside Cyber Warfare - Jeffrey Carr [87]

contribute to the closure of Internet access by the Iranian government, thus shutting off the very lifeline that the Iranian opposition needs to build the support of the global community.

The OpenNet Initiative recently released a detailed report on Internet filtering (i.e., censorship) by the government of Iran. A big part of Tehran’s control derives from all Internet traffic being routed through one bottleneck—the Telecommunications Company of Iran (TCI). Another is the prohibition against private citizens subscribing to high-speed service.

The single greatest takeaway for social media advocates in the Iranian elections is that there is nothing clear-cut about either the event or the usefulness of the tool. Individuals’ eagerness to join in the DDoS flood may be putting the very people they wish to help at risk. Those looking with a noncritical eye to tweets for “real,” as-it-happens information may be reading an Iranian government disinformation post. Risk and reward rise together.

Social Engineering


A group of Canadian researchers recently uncovered a massive Chinese computer espionage ring (GhostNet) involving almost 1,300 infected computers in 103 countries. According to their report, about 30% of the infected hosts were located in government offices, media companies, and nongovernment organizations (NGOs).

The malware used, a type of Trojan known as a remote access tool (RAT), was of Chinese design and named gh0st RAT. Once infected, the attacker gained complete control of the host computer, including the ability to:

Activate a web cam and conduct audio and video surveillance

Search for and exfiltrate sensitive documents

Initiate keylogging to capture usernames and passwords

One of the many interesting lessons derived from the GhostNet investigation is that none of the espionage tools or techniques that were used so successfully were new. It was basically a variant of the old spear phishing scheme, in which an attacker sends a carefully worded email message to an organization or company, with content tailored to that recipient.

For example, the email message used to spread the gh0st RAT Trojan contained the following subject line: “Translation of Freedom Movement ID Book for Tibetans in Exile.”

The email message contained the emblem of the Tibetan Government in Exile, and the attached .doc file had the same title as the subject line. When clicked, the file apparently opened normally; however, once opened, a series of unfortunate events followed:

A vulnerability on the user’s machine was exploited and the malware was loaded.

Once installed, the malware attempted to make contact with its control server.

Any operator with access to the control server’s interface could then gain complete control of the infected computer and access to the network to which it belonged.
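The second step in that chain, the implant calling home to its control server, is where a defender often gets the first technical chance to notice an infection that the user and the anti-virus product both missed: a compromised host tends to contact the same destination at near-constant intervals. The script below is an added example, not code from the book or from the GhostNet report, that flags such beaconing pairs in a constructed set of proxy log lines. The log format (timestamp, source IP, destination host), the thresholds, and all hostnames and addresses are assumptions chosen for illustration.

```python
"""
Beacon detection over constructed proxy log lines (added example).

Flags (source, destination) pairs that are contacted repeatedly at
nearly constant intervals. Log format, field names, thresholds, and
every host/IP below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in a hypothetical "ISO-timestamp src_ip dst_host" format.
# 10.0.0.5 checks in with updates.example.org every ~5 minutes; the rest is
# ordinary, irregular browsing.
SAMPLE_LOG = """\
2009-03-01T09:00:00 10.0.0.5 updates.example.org
2009-03-01T09:00:04 10.0.0.5 news.example.com
2009-03-01T09:05:00 10.0.0.5 updates.example.org
2009-03-01T09:10:01 10.0.0.5 updates.example.org
2009-03-01T09:12:30 10.0.0.7 news.example.com
2009-03-01T09:15:00 10.0.0.5 updates.example.org
2009-03-01T09:20:00 10.0.0.5 updates.example.org
2009-03-01T09:21:00 10.0.0.7 news.example.com
2009-03-01T09:25:01 10.0.0.5 updates.example.org
2009-03-01T09:40:00 10.0.0.7 news.example.com
2009-03-01T09:41:00 10.0.0.7 news.example.com
"""


def parse_log(text):
    """Yield (src, dst, datetime) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        try:
            yield src, dst, datetime.fromisoformat(ts)
        except ValueError:
            continue


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return [(src, dst, mean_interval_seconds)] for pairs seen at least
    min_hits times whose inter-contact gaps are nearly constant, i.e. whose
    coefficient of variation (stdev / mean) is at most max_cv.

    Implants that add jitter raise the CV, so max_cv has to be tuned to the
    environment; a low threshold trades missed beacons for fewer false alarms.
    """
    contacts = defaultdict(list)
    for src, dst, t in parse_log(text):
        contacts[(src, dst)].append(t)

    flagged = []
    for (src, dst), times in contacts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            flagged.append((src, dst, round(avg, 1)))
    return flagged


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst} every ~{interval}s")
```

Run on the constructed sample, only the 10.0.0.5 to updates.example.org pair is reported; the news.example.com visits are too few and too irregular to qualify. In practice this heuristic is a triage step: a regular interval alone does not prove compromise (software updaters behave the same way), so a flagged pair is something to investigate, not a verdict.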

Anti-virus software frequently did not detect this Trojan. According to the report’s authors, only 11 of 34 anti-virus programs successfully quarantined the infected document; the other 23 simply didn’t catch it.

In 2006, Australia’s CERT announced an 80% miss rate by anti-virus (AV) programs in stopping malware, principally because hackers will test their code against existing AV programs until it escapes detection.

This underscores one of the most important points in understanding any cyber defense strategy: both states and enterprises that must defend sensitive data from malicious access cannot rely solely on technology to protect them. The human element, with all of its strengths and weaknesses, is paramount.

While millions of people of all ages enjoy many of the benefits of being connected to the Web, it also raises their risk for being victimized by an online scam or attack. The more information a cyber criminal knows about his target, the easier it is to create an attractive lure, and the more likely it is that an unsuspecting individual (as demonstrated by the GhostNet investigation) will take the bait.

Social media sites such as Twitter, Facebook, Plaxo, and LinkedIn meet legitimate
