Friday, November 21, 2008

Chinese cyberattacks on civilian, government, and military networks are rising, a congressional advisory committee warned in a report released Thursday, and the United States needs to bolster its defenses and engage with allies and Chinese authorities to clarify the consequences of aggression in cyberspace.

"China is targeting U.S. government and commercial computers for espionage," says the U.S.-China Economic and Security Review Commission's (USCC) 2008 Annual Report to Congress. "Alan Paller from the SANS Institute, an Internet security company, believes that in 2007 the 10 most prominent U.S. defense contractors, including Raytheon, Lockheed Martin, Boeing, and Northrop Grumman, were victims of cyberespionage through penetrations of their unclassified networks."

Citing examples of Chinese espionage, the report looks back to 2005 at an incident in which hackers from China stole files related to NASA's Mars Reconnaissance Orbiter that detailed the space vehicle's propulsion system, solar panels, and fuel tanks. It also cites an incident that same year in which the aviation mission planning system for Army helicopters and related software were stolen from the Army Aviation and Missile Command at Redstone Arsenal in Alabama.

More recent examples abound. On Nov. 18, Quan-Sheng Shu, a Chinese-born scientist who worked in Virginia, pleaded guilty to selling U.S. military rocket technology to China.

Earlier this month, The Financial Times, citing an unnamed senior U.S. official, reported, "Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials."

In June, U.S. Rep. Frank Wolf, R-Va., said that four computers in his office had been compromised in 2006 and that computers used by other members of Congress and by the House Foreign Affairs Committee had also been hacked.

"These cyberattacks permitted the source to probe our computers to evaluate our system's defenses, and to view and copy information," said Wolf. "My suspicion is that I was targeted by Chinese sources because of my long history of speaking out about China's abysmal human rights record."

In February, the U.S. Department of Justice announced the arrests of four individuals -- Tai Shen Kuo, Yu Xin Kang, Gregg William Bergersen, and Dongfan "Greg" Chung -- and accused them of stealing military and aerospace secrets and sending them to China. The Justice Department linked those cases to that of Chi Mak, a former engineer for Anaheim, Calif.-based defense contractor Power Paragon, who was arrested in 2005 and convicted last year of spying for China, his native country.

The USCC report also warned about the risks posed by IT hardware manufactured abroad.

"The global supply chain for telecommunications items introduces another vulnerability to U.S. computers and networks," the report says. "Components in these computers and networks are manufactured overseas -- many of them in China. At least in theory, this equipment is vulnerable to tampering by Chinese security services, such as implanting malicious code that could be remotely activated on command and place U.S. systems or the data they contain at risk of destruction or manipulation. In a recent incident, hundreds of counterfeit routers made in China were discovered being used throughout the Department of Defense. This suggests that at least in part, Defense Department computer systems and networks may be vulnerable to malicious action that could destroy or manipulate information they contain."

Such concerns have been circulating for years in government security circles. But action may be at hand. On Tuesday, civilian and defense procurement groups published a notice in the Federal Register seeking comment on whether federal acquisition rules should be revised to require that "contractors selling information technology (IT) products (including computer hardware and software) represent that such products are authentic."

In February, the FBI announced that its ongoing anti-counterfeiting campaign had resulted in more than 400 seizures of fake Cisco (NSDQ: CSCO) equipment worth more than $76 million. A five-page FBI PowerPoint presentation dated Jan. 11, 2008, summarizes some of the agency's findings in its investigation of fake Cisco gear. It notes that fake hardware is vulnerable to supply chain subversion and attack, and could allow others access to systems meant to be secure.

posted @ 9:47 AM

It has been a week since a half-million bot-infected machines were suddenly freed from their "master" botnet servers after ISPs pulled the plug on the illicit McColo hosting service. So now what happens to those orphaned bot machines?

Researchers have spotted these errant bots over the past week attempting to phone home to their former command and control (C&C) servers. While the industry continues to celebrate a nearly 70 percent nosedive (albeit temporary) in spam volume without McColo to host the world's biggest spamming botnets anymore, these orphaned bots are still at risk -- and possibly still spewing spam, security experts say.

"They are probably already infected with multiple things. You hardly ever find just one bot on these computers," says Joe Stewart, director of malware research for SecureWorks. "You may find three or four different spam bots on the same machine. And who knows what else -- password stealers and other rogue ware."

Many of these bots -- which were members of the world's most prolific spam botnets, Srizbi, Mega-D, and Rustock -- are likely still spamming away for other botnets, or even possibly other servers on the big three that weren't hosted on McColo, security experts say.

Stewart notes that disconnected bots could even get reinfected by their former botnet. They are often infected with a Trojan that constantly checks in for updates via a malicious "pay-for-install" site. "It just downloads whatever binaries are put there by whoever's paying to get them installed," he says. So Rustock, for example, could pay for this service to reinfect its lost bots all over again, and update it with a link to a new C&C server.

The Shadowserver Foundation, a volunteer organization that gathers intelligence on the Internet's dark side, is building a so-called "sinkhole" server that poses as a defunct malicious domain server in order to find out what these machines leave behind. This could possibly help enterprises identify infected machines in their organizations, for example.
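As an added example, not code from the article or from Shadowserver: a defender-side check that mirrors what a sinkhole reveals, scanning constructed firewall-log lines for internal hosts that keep beaconing to addresses on a list of defunct C&C servers. The log format, the hosts and the C&C list are all hypothetical placeholders in RFC 5737 documentation address space.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from the article): one line per outbound flow.
SAMPLE_LOGS = """\
2008-11-20T09:01:12 src=10.0.5.17 dst=192.0.2.10 dport=80 action=DROP
2008-11-20T09:02:14 src=10.0.5.17 dst=192.0.2.10 dport=80 action=DROP
2008-11-20T09:03:11 src=10.0.5.17 dst=192.0.2.10 dport=80 action=DROP
2008-11-20T09:03:40 src=10.0.5.22 dst=198.51.100.7 dport=443 action=ALLOW
2008-11-20T09:04:09 src=10.0.5.17 dst=192.0.2.10 dport=80 action=DROP
2008-11-20T09:05:02 src=10.0.5.31 dst=192.0.2.44 dport=443 action=DROP
"""

# Hypothetical list of dead C&C addresses, the kind a sinkhole operator or ISP would share.
# RFC 5737 documentation addresses stand in here; they are not real McColo-hosted hosts.
DEFUNCT_CNC = {"192.0.2.10", "192.0.2.44"}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$")


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts'; None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_orphaned_bots(log_text, defunct, min_attempts=3):
    """Map each internal host that contacts a defunct C&C address at least min_attempts
    times to its attempt count, the addresses hit, and the mean gap between attempts.
    Repeated, evenly spaced attempts are the beaconing pattern an orphaned bot shows."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in defunct:
            hits[rec["src"]].append(rec)
    report = {}
    for src, recs in hits.items():
        if len(recs) < min_attempts:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[src] = {"attempts": len(recs), "cnc": sorted({r["dst"] for r in recs}),
                       "mean_interval_s": sum(gaps) / len(gaps) if gaps else None}
    return report
```

With the default threshold only 10.0.5.17 is reported (four attempts about a minute apart); the single hit from 10.0.5.31 is left for a lower threshold or a second look.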

In general, most owners of these infected machines, especially consumers, are unaware that their desktop computer or laptop is under the control of cybercriminals; those who do know aren't sure what to do about it.

Antibotnet appliance vendor FireEye this week posted instructions for cleaning up Srizbi bot-infected machines left behind in the McColo takedown. But some security researchers are skeptical that the McColo takedown is really an opportunity to clean up infected bots. First, the victims must be aware that they are infected. Second, consumer victims aren't likely to know how to clean their machines from the bot infection.

"It's a question of who is going to inform them that they need to clean it," SecureWorks' Stewart says. And even when researchers or vendors spot infected machines, all they can do is report the IP addresses to the corresponding ISPs. "It takes a lot of time to clean up these machines, with multiple things infecting them...and it's difficult to do remotely," he says.

Michael Whitehurst, global vice president of customer support for Marshal8e6, says the botnets and spammers will recover, and likely soon. "If these bots don't have any instructions, they sit idle and wait. We're really curious about...when the bot-runners put in place new command and control, how easily the bots will be able to connect to them," Whitehurst says. "And how quickly spam volumes are going to ramp up."

The good news is that users with heavily infected machines eventually get them cleaned somehow if their performance suffers, or they just buy new ones. "Fortunately, these machines eventually go away," SecureWorks' Stewart says. "We're always seeing a stream of machines leave the botnet. But then the cycle continues with new bot victims."

posted @ 9:44 AM

The RCMP will not pursue charges against the Canadian Human Rights Commission over allegations that its investigators hacked an Ottawa woman's wireless internet account to conceal their identity on websites under investigation for hate speech, the National Post has learned.

A parallel investigation of the same incident by the Privacy Commissioner remains ongoing.

The complaint arose in March at the Canadian Human Rights Tribunal hate speech prosecution of Marc Lemire, webmaster of freedomsite.org, when his legal team brought a subpoena against internet service provider Bell Canada.

They were seeking the identity of whoever logged on to the neo-Nazi website stormfront.org under the name "Jadewarr" in December, 2006, just as bloggers were using technical data to reveal "Jadewarr" as the online pseudonym of Dean Steacy, a lead hate speech investigator at the CHRC. Mr. Steacy later acknowledged this under oath.

In his testimony, Alain Monfette, director of Bell Canada's law enforcement support team, read out the name and address of a woman, coincidentally a Bell Canada employee, whose computer IP address matched that of Jadewarr at the time in question, according to the Florida-based owner of stormfront.org, Don Black.

Neither the CHRC lawyers nor Mr. Lemire's team had ever heard of her. She has no connection to CHRC investigators, but she did have a laptop computer with a wireless connection, and the address Mr. Monfette gave for her apartment in downtown Ottawa is near the CHRC offices.

This led to speculation that CHRC staff were illegally using an innocent woman's internet account to hide behind her identity when investigating target websites, a claim Mr. Lemire made in a formal complaint to police, while also posting detailed photographs and schematics of her apartment building. That investigation is now concluded without charges.

A decision remains pending at Mr. Lemire's hate speech tribunal. In a phone interview on Thursday, the woman said the RCMP told her they do not have proof her account was hacked, nor proof that it was not, and to investigate further would involve going after technical data from a website based in the United States, stormfront.org, which they said is not possible.

"They don't have an explanation. They pretty much said it's shitty luck," she said.

The CHRC refused to comment on Thursday, but has denied the allegation of hacking in the past. The RCMP refused to comment.

In an email, Mr. Lemire said the facts in the wireless hacking case are "fairly overwhelming" and the decision not to lay charges "[s]mells like a highly political decision in the shadow of a self-serving report the CHRC is releasing next monday. It is full bore damage control for a government agency spinning out of control."

Bernie Farber, CEO of the Canadian Jewish Congress and a supporter of the CHRC, said this allegation has been a damaging "albatross" for the Commission for many months.

"It was just, in my view, not possible," he said. "And as a result many people were wrongly pointing a finger at the CHRC, accusing it of all kinds of nefarious work. This will, I think, allow some breathing room and allow discussion to evolve around the important issues, as opposed to stupid allegations that should never have been brought forward in the first place."

Mr. Farber said it might have been "ideal" if the CHRC had managed to prevent Mr. Lemire from eliciting the woman's name in the first place, but that the investigation was in the end a "healthy process" to demonstrate that the commission behaves within the confines of the law.

Ezra Levant, whose blog has become the centrepiece of the campaign against human rights hate speech law, said that, "while the conduct of the human rights commission may not have reached the level where the police thought it was criminal beyond a reasonable doubt, that is not an acceptable standard for our government."

"I think the behaviour of the CHRC is morally grotesque, but that's not a crime," he said. "I think it's politically scandalous, but that's not on the books either."

posted @ 9:43 AM