Black Code: Inside the Battle for Cyberspace


by Ronald J. Deibert


  2 Electrons may move at the speed of light, but legal systems crawl at the speed of bureaucratic institutions: The lack of international co-operation around cyber security is discussed in Brian Krebs, “From (& To) Russia, With Love,” Washington Post, March 3, 2009, http://voices.washingtonpost.com/securityfix/2009/03/from_to_russia_with_love.html. See also Jeremy Kirk, “UK Police Reveal Arrests Over Zeus Banking Malware,” Computer World, November 18, 2009, http://www.computerworld.com/s/article/9141092/UK_police_reveal_arrests_over_Zeus_banking_malware; and Omar El-Akkad, “Canadian Firm Helps Disable Massive Botnet,” Globe and Mail, March 3, 2010, http://www.globeandmail.com/news/technology/canadian-firm-helps-disable-massive-botnet/article1488838.

  3 Specialists working for Facebook, Jan Droemer, and other security researchers: In January 2012, Facebook outed the identity of the Koobface perpetrators in “Facebook’s Continued Fight Against Koobface,” January 17, 2012, https://www.facebook.com/note.php?note_id=10150474399670766. See Riva Richmond, “Web Gang Operating in the Open,” New York Times, January 16, 2012, http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?pagewanted=1&_r=2&mid=57&ref=technology. Joe Sullivan, Facebook’s chief of security, stated: “People who engage in this type of stuff need to know that their name and real identity are going to come out eventually and they’re going to get arrested and they’re going to be targeted.” A week before Facebook released the identities of the Koobface perpetrators, Dancho Danchev independently released the identity of the leader of Koobface, Anton Nikolaevich Korotchenko of St. Petersburg, in “Who’s Behind the Koobface Botnet? – An OSINT Analysis,” Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge, January 9, 2012, http://ddanchev.blogspot.ca/2012/01/whos-behind-koobface-botnet-osint.html. The public exposure and the release of the Sophos report led to immediate action by Koobface: its command-and-control servers stopped responding, and the gang started removing traces of themselves off the Net. Facebook’s “name-and-shame approach” was criticized by some in the security community for hampering an ongoing criminal investigation and jeopardizing the evidence. See Stefan Tanase, “Was the Koobface Expose the Right Move?,” Threat Post, January 19, 2012, http://threatpost.com/en_us/blogs/was-koob-face-expose-right-move-011912.

  4 Ever since the Internet emerged from the world of academia: A detailed look at modern cyber crime can be found in Misha Glenny, DarkMarket: How Hackers Became the New Mafia (Toronto: House of Anansi Press Inc, 2011); Misha Glenny, “Dark Market: Cybercrime, Cybercops and You,” Independent, September 30, 2011, http://www.independent.co.uk/arts-entertainment/books/reviews/dark-market-cybercrime-cybercops-and-you-by-misha-glenny-2362945.html; and Joseph Menn, Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet (New York: Public Affairs, 2010).

  5 In Brazil, there is an academy: Kaspersky Lab’s Fabio Assolini writes about a Brazilian cyber-crime school in “A School for Cybercrime: How to Become a Black Hat,” Secure List, January 17, 2012, http://www.securelist.com/en/blog/208193337/A_School_for_Cybercrime_How_to_Become_a_Black_Hat.

  6 Cyber crime has become one of the world’s largest growth businesses: General Keith Alexander, NSA director and head of U.S. Cyber Command, recently said that cyber crime and cyber espionage accounted for the greatest transfer of wealth in history. See “America’s Top Cyberwarrior Says Cyberattacks Cost $250 Billion a Year,” International Business Times, July 13, 2012, http://www.ibtimes.com/americas-top-cyberwarrior-says-cyberattacks-cost-250-billion-year-722559.

  7 First, a December 27, 2011, breach: The breaches that occurred in the last week of December 2011 are documented in “Tianya Hacked, 4 Million Passwords Published,” Tech in Asia, December 26, 2011, http://www.techinasia.com/tianya-hacked-4-million-passwords-published/; and Ken Dilanian, “Hackers Reveal Personal Data of 860,000 Stratfor Subscribers,” Los Angeles Times, January 4, 2012, http://articles.latimes.com/2012/jan/04/nation/la-na-cyber-theft-20120104.

  8 a particularly malignant backdoor trojan horse: Poison Ivy is a common backdoor trojan that gives attackers access to and control of an affected machine. Through the use of the Poison Ivy trojan in the Nitro campaign, attackers were able to steal intellectual property from nearly fifty companies, most of them belonging to the chemical industry. See Eric Chien and Gavin O’Gorman, “The Nitro Attacks: Stealing Secrets from the Chemical Industry,” Symantec Security Response, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf; and “Nitro Attackers Have Some Gall,” Symantec, December 12, 2011, http://www.symantec.com/connect/blogs/nitro-attackers-have-some-gall.

  9 in 2009, Koobface left a Christmas greeting for security researchers: The greeting can be found at Dancho Danchev, “The Koobface Gang Wishes the Industry ‘Happy Holidays’,” Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge, December 26, 2009, http://ddanchev.blogspot.ca/2009/12/koobface-gang-wishes-industry-happy.html.

  9: DIGITALLY ARMED AND DANGEROUS

  1 the SEA boasted about it on their Arabic Facebook page: The Syrian Electronic Army (SEA) is an open and organized pro-government computer attack group that is actively targeting political opposition and Western websites. The Citizen Lab does not have concrete evidence linking the SEA to the Assad regime; however, the regime has expressed tacit support for its activities, and has allowed the group to operate with impunity. See Helmi Noman, “The Emergence of Open and Organized Pro-Government Cyber Attacks in the Middle East: The Case of the Syrian Electronic Army,” Information Warfare Monitor, May 30, 2011, http://www.infowar-monitor.net/2011/05/7349; “Syrian Electronic Army: Disruptive Attacks and Hyped Targets,” Information Warfare Monitor, June 25, 2011, http://www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets/; and “Syrian Electronic Army Defaces 41 Web sites, One UK Government Web site,” Information Warfare Monitor, June 29, 2011, http://www.infowar-monitor.net/2011/06/syrian-electronic-army-defaces-41-web-sites-one-uk-government-web-site.

  2 In February 2012, Anonymous broke into the email server of the Syrian Ministry: See Barak Ravid, “Bashar Assad Emails Leaked, Tips for ABC Interview Revealed,” Haaretz, February 7, 2012, http://www.haaretz.com/print-edition/news/bashar-assad-emails-leaked-tips-for-abc-interview-revealed-1.411445. The role of Telecomix in distributing circumvention tools to Syrian citizens has been profiled in “#OpSyria: When the Internet does not let citizens down,” Reflets, September 11, 2011, http://reflets.info/opsyria-when-the-internet-does-not-let-citizens-down/.

  3 routers belonging to Blue Coat: The Citizen Lab reported on the use of Blue Coat in Syria and Burma in “Behind Blue Coat: Investigations of Commercial Filtering in Syria and Burma,” November 9, 2011, https://citizenlab.org/2011/11/behind-blue-coat/; and “Behind Blue Coat: An Update from Burma,” November 29, 2011, https://citizenlab.org/2011/11/behind-blue-coat-an-update-from-burma/. On October 5, 2011, Telecomix released censorship log files taken from Syrian Blue Coat devices, showing that the Assad regime was using Blue Coat devices to filter and monitor HTTP connections in Syria. See Sari Horwitz, “Syria Using American Software to Censor Internet, Expert Says,” Washington Post, October 22, 2011, http://www.washingtonpost.com/world/national-security/syria-using-american-software-to-censor-internet-experts-say/2011/10/22/gIQA5mPr7L_story.html. See also Citizen Lab, “Planet Blue Coat: Mapping Censorship and Surveillance Tools,” January 15, 2013, https://citizenlab.org/planetbluecoat.

  4 the website of Al-Manar: Citizen Lab documented the hosting of Hezbullah and Syrian government websites on servers based in Canada in “The Canadian Connection: An Investigation of Syrian Government and Hezbullah Web Hosting in Canada,” November 17, 2011, http://citizenlab.org/wp-content/uploads/2011/11/canadian_connection.pdf; and “The Canadian Connection: One Year Later,” November 14, 2012, https://citizenlab.org/2012/11/the-canadian-connection-one-year-later/.

  5 reports from inside Syria of phishing attacks: On phishing attacks around the Syrian conflict, see Eva Galperin and Morgan Marquis-Boire, “Syrian Activists Targeted with Facebook Phishing Attack,” Electronic Frontier Foundation, March 29, 2012, https://www.eff.org/deeplinks/2012/03/pro-syrian-government-hackers-target-syrian-activists-facebook-phishing-attack; and Eva Galperin and Morgan Marquis-Boire, “New Wave of Facebook Phishing Attacks Targets Syrian Activists,” Electronic Frontier Foundation, April 24, 2012, https://www.eff.org/deeplinks/2012/04/new-wave-facebook-phishing-attacks-targets-syrian-activists. See also Peter Eckersley, “A Syrian Man-In-The-Middle Attack Against Facebook,” Electronic Frontier Foundation, May 5, 2011, https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook; and Jennifer Preston, “Seeking to Disrupt Protesters, Syria Cracks Down on Social Media,” New York Times, March 23, 2011, http://www.nytimes.com/2011/05/23/world/middleeast/23facebook.html?_r=4. Since March 2012, the Electronic Frontier Foundation has been collecting and analyzing malware that pro-Syrian-regime hackers have used to target the Syrian opposition. See “State Sponsored Malware,” Electronic Frontier Foundation, https://www.eff.org/issues/state-sponsored-malware. The Citizen Lab reported on the targeted attacks on Syrian dissidents in “Syrian Activists Targeted with BlackShades Spy Software,” June 19, 2012, https://citizenlab.org/2012/06/syrian-activists-targeted-with-blackshades-spy-software/.

  The Citizen Lab and EFF are developing a joint report on information operations in the Syrian conflict, to be published in spring 2013. See also Nart Villeneuve, “Fake Skype Encryption Software Cloaks DarkComet Trojan,” Trend Micro Blog, April 20, 2012, http://blog.trendmicro.com/fake-skype-encryption-software-cloaks-darkcomet-trojan/.

  6 a new model of “active defence”: The phenomenon of autocratic regimes successfully wielding information technologies for their own advantage is discussed in Ronald Deibert and Rafal Rohozinski, “Liberation vs. Control: The Future of Cyberspace,” Journal of Democracy 24, no.1 (2010): 43–57. See also Larry Diamond, “Liberation Technology,” Journal of Democracy 21, no. 3 (2010): 69–83; and Evgeny Morozov, The Net Delusion (New York: PublicAffairs, 2011).

  7 during parliamentary elections in Kyrgyzstan: The OpenNet Initiative documented the failure and hacking of Kyrgyz websites during the 2005 parliamentary elections in Kyrgyzstan in “Special Report: Kyrgyzstan Election Monitoring in Kyrgyzstan,” OpenNet Initiative, February 2005, http://opennet.net/special/kg/.

  8 2006 Belarus presidential elections: The OpenNet Initiative documented the attacks on opposition websites and Internet failure during the 2006 presidential elections in Belarus in “The Internet and Elections: The 2006 Presidential Elections in Belarus (and Its Implications),” OpenNet Initiative, April 2006, http://opennet.net/sites/opennet.net/files/ONI_Belarus_Country_Study.pdf.

  9 As Russian tanks stormed the territory: The use of information controls during the 2008 Russia–Georgia war is discussed in Masashi Crete-Nishihata, Ronald J. Deibert, and Rafal Rohozinski, “Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia–Georgia War,” Security Dialogue 43.1 (February 2012), 3–24.

  10 downloaded instructions for one of the DDoS tools: Evgeny Morozov wrote about his experience as a participant in the online Georgia-Russia war in “An Army of Ones and Zeroes: How I Became a Soldier in the Georgia-Russia Cyberwar,” Slate, August 14, 2008, http://www.slate.com/articles/technology/technology/2008/08/an_army_of_ones_and_zeroes.html.

  11 vexing the Burmese opposition and independent media outlets: The Citizen Lab’s research on DDOS and defacement attacks on Burmese opposition and independent media outlets was documented in Masashi Crete-Nishihata and Nart Villeneuve, “Control and Resistance: Attacks on Burmese Opposition Media,” in Access Contested: Security, Identity, and Resistance in Asian Cyberspace, eds. Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain. (Cambridge: MIT Press, 2012): 154–176.

  12 When the Iranian Cyber Army launched: In September 2011, it came to light that the DigiNotar Certificate Authority was compromised by a lone Iranian hacker. See Peter Eckersley, Eva Galperin, and Seth Schoen, “A Post Mortem on the Iranian DigiNotar Attack,” Electronic Frontier Foundation, September 13, 2011, https://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack.

  10: FANNING THE FLAMES OF CYBER WARFARE

  1 Kaspersky is concerned about anonymity online: When asked “What’s wrong with the design of the Internet?” in a 2009 interview with ZDNet, Kaspersky responded: “There’s anonymity. Everyone should and must have an identification, or Internet passport. The Internet was designed not for public use, but for American scientists and the U.S. military. That was just a limited group of people – hundreds, or maybe thousands. Then it was introduced to the public and it was wrong … to introduce it in the same way.” See Vivian Yeo, “Microsoft OneCare was ‘Good Enough’,” ZDNet, October 16, 2009, http://www.zdnet.com/microsoft-onecare-was-good-enough-2062058697.

  2 The former U.S. counterterrorism czar: Richard Clarke warns about the growing cyber-war threat in Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: HarperCollins, 2010). Researchers warn against the alarmist rhetoric about cyber threats and the emergence of a cyber-industrial complex in the United States in Jerry Brito and Tate Watkins, Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy, Working Paper no. 11–24, Washington: George Mason University, 2011. David Perera traces the history of the term “Electronic Pearl Harbor” from its first public usage in 1996 to the present in “Stop Saying ‘Cyber Pearl Harbor’,” FierceGovernmentIT, June 13, 2012, http://www.fiercegovernmentit.com/story/stop-saying-cyber-pearl-harbor/2012–06–13. Thomas Rid argues that cyber war is unlikely to occur in the future in “Cyber War Will Not Take Place,” Journal of Strategic Studies 35, no. 1 (2012).

  3 Kaspersky was back in the news: Kaspersky Lab’s announcement on the discovery of Flame in “Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat,” is at Kaspersky Lab, May 28, 2012, http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat. For discussion, see Chris Bronk, “Cyber Intrigue: The Flame Malware International Politics,” Cyber Dialogue, May 31, 2012, http://www.cyberdialogue.ca/2012/05/cyber-intrigue-the-flame-malware-international-politics; and Tom Gjelten, “ ‘Flame’ Virus Fuels Political Heat Over Cyber Threats,” KQED News, June 2, 2012, http://www.kqed.org/news/story/2012/06/02/96069/flame_virus_fuels_political_heat_over_cyber_threats?source=npr&category=technology.

  4 the ITU is the world’s oldest international organization: Milton Mueller has written on the politics of international Internet governance in Networks and States: The Global Politics of Internet Governance (Cambridge: The MIT Press, 2010).

  5 proposed a “code of conduct”: In 2011, Russia, China, Tajikistan, and Uzbekistan proposed a voluntary code of conduct for cyberspace at the United Nations. See letter dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, available at: http://www.cs.brown.edu/courses/csc11800/sources/2012_UN_Russia_and_China_Code_o_Conduct.pdf; and Nate Anderson, “Russia, China, Tajikistan propose UN ‘code of conduct’ for the ‘Net,” Ars Technica, September 20, 2011, http://arstechnica.com/tech-policy/2011/09/russia-china-tajikistan-propose-un-code-of-conduct-for-the-net.

  6 connections between Flame and another devastating cyber weapon, Stuxnet: The Kaspersky Flame FAQ is available at: “The Flame: Questions and Answers,” Secure List, May 28, 2012, http://www.securelist.com/en/blog/208193522. The connection between Flame and Stuxnet is discussed in Jim Finkle and Joseph Menn, “Some Flame Code Found in Stuxnet Virus: Experts,” Reuters, June 12, 2012, http://www.reuters.com/article/2012/06/12/us-media-tech-summit-flame-idUS-BRE85A0TN20120612; Greg Miller, Ellen Nakashima, and Julie Tate, “U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say,” Wall Street Journal, June 19, 2011, http://www.washingtonpost.com/world/national-security/us-israel-developed-com-puter-viras-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html; and Kenneth Rapoza, “Kaspersky Lab: Same Countries Behind Stuxnet and Flame Malware,” Forbes, June 11, 2012, http://www.forbes.com/sites/kenrapoza/2012/06/11/kaspersky-lab-same-countries-behind-stuxnet-and-flame-malware/.

  11: STUXNET AND THE ARGUMENT FOR CLEAN WAR

  1 a detailed “decoding” of the virus: For Langner’s research on Stuxnet, visit his blog at http://www.langner.com/en/blog/. See also Ralph Langner, “Stuxnet: Dissecting a Cyberwarfare Weapon,” Security & Privacy, IEEE 9, no. 3 (2011): 49–51.

  2 the planning and operational process behind the Stuxnet virus: On June 1, 2012, the New York Times reported that anonymous current and former government officials of the U.S., Europe, and Israel had confirmed that Stuxnet was indeed the work of American and Israeli experts, under orders of President Obama, who wanted to slow Iran’s progress towards building an atomic bomb without launching a traditional attack. See David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=0. Sanger’s article was adapted from his book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (New York: Crown Publishers, 2012). See also William J. Broad, John Markoff and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011, http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=2&_r=1&hp; and William J. Broad and David E. Sanger, “Worm Was Perfect for Sabotaging Centrifuges,” New York Times, November 18, 2010, http://www.nytimes.com/2010/11/19/world/middleeast/19stuxnet.html.
