WikiLeaks Cable about Chinese Hacking of U.S. Networks

We know it's prevalent, but there's some new information:

Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches -- colorfully code-named "Byzantine Hades" by U.S. investigators -- to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China's People's Liberation Army.

Privately, U.S. officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.


U.S. efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department's Cyber Threat Analysis Division noted that several Chinese-registered Web sites were "involved in Byzantine Hades intrusion activity in 2006."

The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the "precise" postal code in Chengdu used by the People's Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military. "Much of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to other" electronic spying units of the People's Liberation Army, the cable says.

[...]


What is known is the extent to which Chinese hackers use "spear-phishing" as their preferred tactic to get inside otherwise forbidden networks. Compromised email accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.

The tactic is so prevalent, and so successful, that "we have given up on the idea we can keep our networks pristine," says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It's safer, government and private experts say, to assume the worst -- that any network is vulnerable.

Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in "target development" for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees' job descriptions, networks of associates, and even the way they sign their emails -- such as U.S. military personnel's use of "V/R," which stands for "Very Respectfully" or "Virtual Regards."

The spear-phish are "the dominant attack vector. They work. They're getting better. It's just hard to stop," says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.

Spear-phish are used in most Byzantine Hades intrusions, according to a review of State Department cables by Reuters. But Byzantine Hades is itself categorized into at least three specific parts known as "Byzantine Anchor," "Byzantine Candor," and "Byzantine Foothold." A source close to the matter says the sub-codenames refer to intrusions which use common tactics and malicious code to extract data.

A State Department cable made public by WikiLeaks last December highlights the severity of the spear-phish problem. "Since 2002, (U.S. government) organizations have been targeted with social-engineering online attacks" which succeeded in "gaining access to hundreds of (U.S. government) and cleared defense contractor systems," the cable said. The emails were aimed at the U.S. Army, the Departments of Defense, State and Energy, other government entities and commercial companies.

By the way, reading this blog entry might be illegal under the U.S. Espionage Act:

Dear Americans: If you are not "authorized" personnel, but you have read, written about, commented upon, tweeted, spread links by "liking" on Facebook, shared by email, or otherwise discussed "classified" information disclosed from WikiLeaks, you could be implicated for crimes under the U.S. Espionage Act -- or so warns a legal expert who said the U.S. Espionage Act could make "felons of us all."

As the U.S. Justice Department works on a legal case against WikiLeak's Julian Assange for his role in helping publish 250,000 classified U.S. diplomatic cables, authorities are leaning toward charging Assange with spying under the Espionage Act of 1917. Legal experts warn that if there is an indictment under the Espionage Act, then any citizen who has discussed or accessed "classified" information can be arrested on "national security" grounds.

Maybe I should have warned you at the top of this post.

Posted on April 18, 2011 at 9:33 AM • 55 Comments

Comments

WinterApril 18, 2011 9:49 AM

A beautiful example of, again, evidence that states keep information secret against the public interest.

Many private corporations and public services are targeted in the exact same way. Keeping this information a secret made us all less secure.

RandyApril 18, 2011 9:56 AM

Re: "If you are not "authorized" personnel, but you have read...".

I wonder what it feels like to write those sentences? I also wonder if the author actually believes it.

Randy - guiltyascharged

Carlo GrazianiApril 18, 2011 9:58 AM

Would it really be so bad to just keep mail clients from rendering HTML-formatted e-mail on government networks, and force everyone to read mail as plain text?

It seems to me that this would abate a large fraction of the spear-phishing problem, without real damage to information exchange. Admittedly it would be more difficult for civil servants to send each other dancing kittens etc., but the inconvenience seems minor, particularly compared to the other security-related BS one has to put up with to work for USG.

The ObserverApril 18, 2011 10:06 AM

Dear Bruce, this is a clear example that we are in the midst of a Cyberwar (Warfare) and unfortunately is a reality with an apocalyptic forecast.

JohnApril 18, 2011 10:17 AM

So the DoD can't keep their networks secure and want to prosecute the rest of the world for knowing that. Guaranteed fail

Clive RobinsonApril 18, 2011 10:21 AM

I read the Reuters stuff a few days ago and I'm not exactly overly impressed by what has been said.

To be honest it looks like a put up job in many ways.

That is not to say that China is not "an APT" threat, but that there are many others that are being ignored because of the political hysteria in certain areas trying to create a new "super power threat" as in Russia and the cold war.

As some may remember the game was to deliberatly undeer value your own troops and allies whilst selling the overweight conscripted USSR "slop jokey" as a crack elite fighting machine. Likewise to claim theirs arms and armaments that would have looked dated in WWII as being of "advanced design" with large theoretical range and capabilites etc etc.

Well there is a difference between China of today and Russia of the cold war. China has invested well in excess of 1.5Trillion dollars in the US economy one way or another and similar amounts in other Wester economies. It is not exactly in their interest to destabilize either the US or world economy any more than they have to.

Further the type of "spying" they appear to be doing is for broad range econonic reasons. That is like the US and French before them they are after the fruits of other peoples R&D etc.

As the then out going head of the French Secret Service pointed out to a CNN reporter, most Western countries carry out economic espionage to aid their home industry. After all why waste money "re-inventing the wheel" when you can photograph etc the "blue prints".

The real question people should be asking about the "China APT" is why is ONLY China being highlighted and not several other countries (including the likes of Israel).

It strongly sugests there is another agender that we are not currently aware of. After all the US has been recently stiring it up with North Korea via South Korea and to be honest of the respective Korean leadership the South frightens me more than the North currently.

Carlo GrazianiApril 18, 2011 10:24 AM

The other thing is, funny how the Chinese don't whine in public about NSA attacking their networks and comms.

Either (a) there are no such attacks, (b) there are, but the Chinese government believes it has a handle on them, (c) there are, but the Chinese government doesn't know about them, or (d) there are, but the Chinese government assumes that this is just part of the cost of doing business as a great power, and the best defense is a good offense.

My money is on (d).

Fred PApril 18, 2011 10:31 AM

It's probably the acquisition, not the reading:

The Supreme Court has stated, however, that the question remains open whether the publication of unlawfully obtained information by the media can be punished consistent with the First Amendment. Thus, although unlawful acquisition of information might be subject to criminal prosecution with few First Amendment implications, the publication of that information remains protected. - source: http://www.fas.org/sgp/crs/secrecy/R41404.pdf

Clive RobinsonApril 18, 2011 10:33 AM

@ Bruce,

Whilst I remember the EU has recently churned out a fairly substantial document on the reliability / resiliance and cricticality of the Internet ( http://www.enisa.europa.eu/act/res/other-areas/... ).

The main report at over 200 pages is a hefty read, however there is also a thirty page managment summery.

It's the work of the European Network and Information Security Agency (ENISA http://www.enisa.europa.eu/ ) who are currently carrying out other interesting work in the security side of the Internet.

roenigkApril 18, 2011 10:49 AM

During the Cold War, the US had some remarkable success feeding the Soviets bad information they were stealing from US corporations.

http://en.wikipedia.org/wiki/...

The Soviets ultimately determined they had been compromised and could not trust much of what they stole.

I could only hope the US and Britain have 'departments of disinformation' that could at least be creating enough falsified technology that the Chinese could not rely on the validity of what they so easily seem to obtain.

karrdeApril 18, 2011 11:02 AM

Is this an excellent argument that some form of private-key/public-key encryption is necessary for email?

To recap: most of this intrusion was enabled by spear-phishing. Spear-phishing works best if the recipient has no easy way to verify if the message was sent by the putative sender.

Thus, spear-phishing would be harder if most email senders used a private key to sign/encrypt their message, and the recipient had to use a public key to decrypt it.

However, I also realize that such methods are only as secure as the secure storage for the private key of the sender.

kashmarekApril 18, 2011 11:16 AM

Where are they going to put all of the violators when they attempt to jail them? I suppose that house arrest is they best they can do. It seems that is where we are anyway (RealID & such). Much of this would seem to be FUD. When that big laser canon above the sky starts wiping out those registered sites, then we will know.

KDEApril 18, 2011 11:34 AM

I know the warning was meant tongue-in-cheek, but it would have been nice if it actually was at the top, for the sake of those security folk who visit your site on DOD monitored machines.

SamApril 18, 2011 12:10 PM

@Carlos:
> The other thing is, funny how the Chinese don't whine in public about NSA attacking their networks and comms.

Maybe because the Chinese don't have anywhere near as much info that we want... Sure, possibly some military-specific info on warplans would be interesting to us, but its not like we are desperate to steal all that innovate cutting edge military tech China is developing ;)

Mian KhurrumApril 18, 2011 12:50 PM

OK. I agree that that states are targeting others states to get their secrets, this has been going on for thousands of years. Nothing new. What matters is the response of the free society and free people to these activities in the cyber age. Let's have more firewalls, let's have more IDS. The thing which upsets me most is when these stories are used by the security types, me including, to always suggest MORE security. More is not always good. We need to balance against, not only risk, but the cost and usability as well. I posted about the compass which guides me as a security architect. http://www.infosentry.org/archives/71

Clive RobinsonApril 18, 2011 12:51 PM

@ karrde,

"Thus, spear-phishing would be harder if most email senders used a private key to sign/encrypt their message, and the recipient had to use a public key to decrypt it."

Possibly not for a couple of reasons,

Firstly some "spear-phishing" is actually sent from manipulating the real users Mail User Agent (MUA) thus they would probably have direct access to the users Private Key.

Secondly the real problem with those behind spear-phishing, is they are working on the "low hanging fruit" principle. If you toughen up EMail they will either get around it some trivial way, or switch to the next low hanging fruit.

Which means that making their life marginaly harder by insisting on authenticating EMail will make everybody elses life a lot harder and a lot more expensive. It will also have a lot of unwanted side effects....

It is thus almost a "security theatre" solution, in that you are fighting yesterdays battle in a very expensive and inconvenient way for everybody else.

By the way secure DNs and reverse route confirmation by each of the MTA's in the delivery chain would have a very similar effect to what you are proposing in a lot less expensive way.

However neither solution is actually solving the problem, and to be quite honest a lot more would be achived if "user education" actually worked.

But as Bruce has pointed out in the past "user education" does not work because of other "managment incentives" such as meeting next quarters target and keeping your job, have higher priority in the users head. Because everybody knows not meeting your target because the IT Sec boys did not do their job is their fault (and they always fail anyway), whilst not meeting target because you were "wasting company time" doing meaningless security checks the IT Sec guys said to do is your fault...


@ Sam,

"but its not like we are desperate to steal all that innovate cutting edge military tech China is developing ;)"

Yup I guess the Chinese where real disapointed we did not advertise their new stealth fighter for them, so they had to go and wave it under the nose of everybody by flying it in and out of their most insecure military air field untill it poped up on the Internet (what's the point of developing the technology if "not everybody" knows you've got it ;)

MythosApril 18, 2011 1:18 PM

"An April 2009 cable even pinpoints the attacks to a specific unit of China's People's Liberation Army."

yea could be but just because it is mentioned in a cable does not mean it is a fact. Ridiculously many of those cables are often cited like as if they were some Bible scriptures, yet they usually contain a persons OPINION or statement of WHAT WAS HEARD.

So how is it even known that it is China that is spying? Considering todays standards it would not surprise me if it is mainly US companies spying on each other.

Or some other country spying on USA.

How about some actual real proof rather than propaganda?

EHApril 18, 2011 1:24 PM

@Clive: "It strongly sugests there is another agender that we are not currently aware of."

What happens to the military budget after we're out of Af/Iraq?

MythosApril 18, 2011 1:26 PM

What I mean with above is that it cannot be proven with current evidence that it was the Chinese government that is spying on US companies.

It could be Chinese companies that are spying, or it could be western companies that are using China as a base to spy on each other. It could even be North Korea or some other country spying from China.

HistorianApril 18, 2011 1:29 PM

@Clive
"To be honest it looks like a put up job in many ways."

You must think highly indeed of the astuteness of the US intelligence services if you believe that they put this information out there as bait, had Manning snatch it, enticed Assange to believe it, and now had Reuters print it, all to make China look like the big bad wolf. A press release would have been a much shorter route.

"...leadership 'of' the South frightens me more than the North currently."
I would suggest you look a little more closely at the two countries, their actions, and their leadership.

As I take the leak at face value (that it's a leaked document that the US didn't intend for public review), I am sure there are other countries (including some of our "friends") that are actively trying to glean information from us, probably more industrial than military, it just didn't happen to be highlighted in this set of documents.

Richard Steven HackApril 18, 2011 3:34 PM

Clive is right about North Korea. The current South Korean leader is as much a "reunification on my terms" type as Kim in the North. A lot of observers don't like the way both the South and the US have ratcheted up the anti-North rhetoric and provocative military "exercises". Given that the North really is a dangerous opponent (Pentagon war games show 50,000 US casualties in the first ninety days), the whole exercise as compared with some sort of engagement strategy is highly dangerous.

As for the "precise postal code", are we supposed to believe the Chinese military hackers don't know about Web site registrations? Really?

As for "similar tactics, techniques and procedures", there really isn't anything new out there. ANY hacker East or West, Chinese, Russian or American, worth his salt is doing exactly the same things involving spear phishing, APT, etc. My guess is the purely criminal groups are more efficient at it than any state actor.

I don't doubt the Chinese are heavily involved in this stuff. They have a huge espionage apparatus in the US heavily focused on economic intelligence - and why shouldn't they? Intellectual property is an oxymoron. If someone can get to your specs or your marketing plan, more power to 'em. It just means you need to move faster and stop worrying about "cornering the market" because it ain't happening any more.

I can see trying to protect military secrets, but really, with the US spending an ungodly number of factors more than China on defense, it's hardly something I worry about. And almost all the defense of the "China is coming" crowd boils down to, "We gotta protect Taiwan" - and no one bothers to ask, "Why?" Hong Kong survived being turned over to China and Taiwan would, too. It's not worth spending hundreds of billions defending Taiwan.

Bottom line: The Chinese are not taking over the world any time soon - and if they did, they'd probably be better at it than we are. They could hardly be that much worse. In any event, they'd soon find out how hard it actually is.

Trichinosis USAApril 18, 2011 4:18 PM

Showing support for Assange is all well & good - that he's likely owned by the Feds already is probably the only reason why he's still alive and able to live the James Bond vida loca at all. But what about Bradley Manning? Considering the man is languishing in solitary confinement that borders on torture waiting for a supposedly "speedy" trial, we show totalitarian states like China that imitation is the sincerest form of flattery. It's ludicrous to throw stones at China while Manning is treated just like one of their political prisoners. If we're better than China I'd like to see how and why. Manning is forcing us to do our own dirty laundry at the highest levels. Public scrutiny and oversight in those dark, corrupt corners of our government has been needed for decades. I salute Bradley Manning's courage and integrity, and I am shamed by how he is being treated.

Dirk PraetApril 18, 2011 6:06 PM

Gasp ! Are nations really engaging in acts of cyber espionage and sabotage against each other ? And we must really act now because we have credible proof that the enemy is overtaking us ? OMG !

I guess its one thing to acknowledge that there is a problem. Formulating an adequate reply to it is an entirely different cup of tea. As already mentioned by Clive, there is some good work going on at ENISA, where cyber security is indeed being taken serious, beit whilst keeping their feet firmly on the ground. See also the report they released today on the first pan-European cyber security exercise at http://www.enisa.europa.eu/media/press-releases/... . A couple of years ago, I supervised an information sharing project for them, and I was impressed by the levels of professionalism I encountered at every level of the organisation.

From the looks of it, it would seem that the US is again going about the issue in its usual way: secrecy, inducing fear and paranoia against known and unknown enemies so all kinds of special interests groups can push their own agenda, cashing in on the new threat under the flag of patriotism, actual solutions and working strategies being a nice side-effect only. In the process, even more funds will be taken away from less important things such as healthcare and education. Let's just watch the scenario unfold.

Clive RobinsonApril 18, 2011 6:12 PM

@ Historian,

"You must think highly indeed of the astuteness of the US intelligence services if you believe that they put this information out there as bait, had Manning snatch it, enticed Assange to believe it and now had Reuters print it, all to make China look like the big bad wolf. A press release would have been a much shorter route."

You are making the clasic mistake of arguing backwards from effect to cause and then say how incredible this mut be.

I suspect the cables are mainly selected hearsay at best muddled up with an overly keen sense to portray things the way certain people want to hear them.

I most certainly do not think they were made up for consumption by the general populous, just those who have the ability to open the purse strings on US tax dollars.

Go and have a carefull look at the history of the UK "dodgy dossier" that Colin Powell tried to present as fact whilst obviously knowing it was a compleate fabrication.

Most of the stories that gave rise to the dossier and the myth of weapons of mass destruction was a US funded clique of exiled Iraqi citizens who called themselves the Iraqi National Congress, who had for a number of years been trying to feed stories into various gullible journalists around the world (go and look up the history of the "yellow cake documentation").

What happened then was one countries Intel organisation took the "newspaper story" dressed it up as Intel and passed it on to a couple of other countries Intel agencies who then put their own spin on it passed it to the other and copies went back to the first country who then passed them back as conformation of the original reports.

The whole thing was a vast house of cards with people being given any old nonsense because it was what they wanted to hear.

To many non US observers of the US it has been clear for some time that the US military complex (or whatever else you want to call it) need an enemy to ensure their continued existence.

For a while Iraq appeared to be the "high tech" enemy needed for the "think of the children" arguments with Afghanistan providing the "drugs & terrorism" aspect.

Unfortunatly for the US military complex the pictures coming back for the past year or so from the Middle East via the worlds press rob their "high tech enemy" stories of creadence.

Most of the reports with buildings looking like they have been made of mud bricks and people wearing dirty rags portrays a people "who can't be high tech" to the average viewer (or more importantly that's what the politicos appear to think).

[The fact is most pictures of active war zones all very much portray the peoples affected by war in this way, but most people watching the pictures don't realise this. And contrary to how it appears people in the Middle East can be technicaly sophisticated as the Israelis and their army found to their cost with Hammas]

China with it's billions of people and the west only seeing the likes of Hong Kong etc make the mistake of thinking China is just the same as the US only slightly different. Thus "high tech enemy" stories can be made more easily believable.

Esspecialy when China actually goes and makes it's own "stealth aircraft" if you believed the press you would think that "stealth technology" is some kind of almost unattainable pinical of technical achievement that only the US and China have achieved instead of the more prosaic truth (stealth is culdersac in military evolution which is overly expensive and unrequired for 99.9...% of the enemies the US forces are going to encounter).

So yes what has leaked out so far about these cables sugests very much it was a put up job, to loosen the purse strings. The trouble is unlike the politicians many people are not as gullible and self interested and have not been seduced by the silly "if you knew what we know but cann't tell you" line of faux black briefings etc that has been the traditional method of extracting the tax dollars, esspecialy when coupled to "we're thinking this bit of real estate in your bailwick would be a good location for the headquarters/command center / base / factory / etc.".

stevelaudigApril 18, 2011 6:14 PM

"Maybe I should have warned you at the top of this post."

What post? hah

JackApril 18, 2011 6:27 PM

Is Clive saying there is a conspiracy to create conspiracies? Or there is ... I don't get it.
It reminds me of the cyberwar thing. First everyone agrees there is no such thing and it's just a hoax to get a bigger budget and these attacks are bogus. Then here comes more about the attacks just in time for someone who cannot possibly know, to say they remember some propaganda campaign that took place in the 60's and 70's and this is just more evidence of a conspiracy to create a conspiracy to create hype because .... WTF.

Dirk PraetApril 18, 2011 6:51 PM

@ Jack

"Is Clive saying there is a conspiracy to create conspiracies?"

What Clive is saying is that we are all being manipulated and lied too. Constantly. And not only by marketing campaigns claiming your Samsonite is able to survive an encounter with a steam roller.

pfoggApril 18, 2011 10:46 PM

@Carlo Graziani

I've been wondering about the HTML email thing for a while: it *looks* like HTML gives you streamlined, non-obvious vulnerabilities with nearly no payoff, but I've been assuming that the HTML was serving some important purpose I wasn't aware of. Perhaps not?

I can see where *attachments* would be hard to eliminate, though.

Stephan EngbergApril 19, 2011 12:43 AM

Great article

The Danish Government has realised the same problem - that poerimeter security cannot hold especially not in a cloud/Internet of Things world.

And also suggested ways to address this problem through logical isolation or ensuring that transactions cannot logicially be linked and thus not represent a threat to the real world.

Some might call this "privacy", but Security by Design is so much more.

We ran a series of workshops with government officials on sensitive Government applications involving taxes, healthcare and cross public/private sector boundaries demonstrating how Security By Design can be applied.

These lead to a report starting with recognising a simple aspect - we cannot allow personally referable data in cloud systems as there is no perimeter.

The report is published and can be downloaded here
http://digitaliser.dk/resource/896495

Stephan EngbergApril 19, 2011 12:53 AM

To prevent misunderstandings, the appraoch is not to make perfect code.

The focus is design systems that try to ensure transactions are logically isolated so that even when someone penetrates or bypasses the "legitimate" rules, the attack does not scale as the attacker does not learn information (keys, identifiers etc.) that can be reused in another context.

Beyond the security aspect, another really intersting consequences is that value chains are forced to allign according to the interests of the Customer - as the customer has the power to withdraw even post-transaction.

Why - because the most likely attacker is an insider or someone with power to ORDER an override if this is technically feasible.

When security alligns the technical architecture according to the value chains, the commercial/bureaucratic interests have to listen to customers instead of trying to forcefully adapt the citizens to the systems.

WillApril 19, 2011 1:20 AM

Would all government people using linux live CDs or some kind of signed remote boot system help slightly?

Davi OttenheimerApril 19, 2011 1:44 AM

Am I the only one who find it hilarious that the Chinese supposedly registered their "espionage".

"A person named Chen Xingpeng set up the sites using the "precise" postal code in Chengdu used by the People's Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military"

I am reminded of the story about the Lebanese who insisted that an Israeli mfg label on a "listening device" found in the desert was evidence of Mossad.

http://www.flyingpenguin.com/?p=8668

Are these spies so sloppy that they can be easily caught and traced, reducing need to worry...or are we too focused on finding the easy clues?

Clive RobinsonApril 19, 2011 4:36 AM

@ Davi,

'Am I the only one who find it hilarious that the Chinese supposedly registered their "espionage"'

Stranger things have happened...

I viewed that rather silly titbit as "evidence for the politico's" to get excited about, and thus an indicator of the intended audience for the cable (and just part of the reason I say it's a "put up job").

In reality sharing a post code is like sharing a town or city, it is something you generaly cannot avoid, and perhaps sometimes use to your advantage.

That is there tends to be a clustering effect, once upon a time all shops used to be "on the high street". Thus if you arrived in a town you knew that asking for directions to the high street would get you to the shops and most probably the Banks etc as well.

This still goes on in "vanity letter heads" for instance how many companies register their head offices in a prestigious post code or district because they think it will add gravitas etc to the company letterhead?

At one time MI6 shared a post code with a couple of pubs and restaurants, and it is said a brothel as well, however Curzon St is a little more trendy these days (or so some people claim).

Mentioning MI6, reminds me of a little snippet in the "stranger than fiction" catagory, mentioned in Prof R.V. Jones's book "Secret War". At the end of the war the UK Government was "down sizing" big time, Jones's office was with many others in the MI services in rented offices in central London. The landlord of the offices Jones was in had been given notice and was thus showing prospective new tenents around. To Jones's horror he found out late in the afternoon, that later that evening the landlord was showing representatives of the Russian embassy around his and other MI and secret service offices...

Clive RobinsonApril 19, 2011 4:55 AM

@ Stephan Engberg,

"The focus is design systems that try to ensure transactions are logically isolated so that even when someone penetrates or bypasses the"legitimate" rules, the attack does not scale as the attacker does not learn information (keys identifiers etc.) that can be reused in anothe context Beyond."

It's a possible aproach or "plan of action", however there is the old maxim that "Plans of Action do not survive first contact with the enemy.". And with IS Security it is often difficult to decide who the enemy is (ie all the users be they legitimate or not).

One big problem with information system security is we have "users" that have more than one "role". Lumping the roles under one user ID is the proverbial "putting all the eggs in one basket". However seperating the roles out under diferent IDs or sub IDs is problematic most times because it cuts across the way users view the system and frequently makes solutions appear as either unusable or tempramental in use.

As with all engineering solutions there is a "sweet spot" but finding it and keeping sight of it are very difficult problems in our rapidly devolving architecture, where often solutions have to be provided to supply work resources on systems beyond the control of the resource owner. The current example of this is personal "smart phones", but similar issues arise with "cloud computing" in it's various guises.

Stephan EngbergApril 19, 2011 6:27 AM

@ Clive

Politely - you are arguing with your own assumptions. I agree with what you say, but you are not arguing with what I said.

"Lumping the roles under one user ID" is incompatible with Security by Design. Single Sign-On is NOT part of sustainable security design.

You cannot reuse any key/Identifier for two different purposes without joining these logically.

So - whereas the key management structures may ¨(or perhaps even should) client-side create the resemblance of SSO towards the Enduser - technology should ensure this is isolated client-side under enduser control even for non-technical people.

Notice though, that the Danish Goverment just as many others are fighting to figure out how to deal with the issue of "getting there from here".

We need to get out of this "One-size-fits-nothing" or "Standards-silo" thinking.

We are moving towards runtime resolution of security without any pre-assumed lockins accepted. See for example this paper.
http://centaur.reading.ac.uk/14713/

BF SkinnerApril 19, 2011 7:05 AM

@Carlo graziani "be so bad to just keep mail clients from rendering HTML-formatted e-mail on government networks, and force everyone to read mail as plain text?"

Government (some/most/all) agencies and military have been doing this since the early oughts. One could argue that having branded email (in html) raises the bar on a spear-phish attempt since the intruder must have samples before they can create a versimultude email.

But this is not just fooling people with a click here stegano link. A trojan shipped as an attachment marked "your HR audit" will get people to open it (at least so says RSA).

BF SkinnerApril 19, 2011 7:06 AM


@Clive "China has invested . . . in the US economy ...and ... other Wester economies. It is not exactly in their interest to destabilize "

This presumes thier intent is to destabilize. The fact that the wikileak cables were secret not TS or compartmentalized is suggestive on the level of US concern. Since we haven't yet seen them all and none of the TS/SPECAT or code word intelligence summaries it's not at all certain.

Your observation on theft of economic goods, IP and so is more to the point. If western countries continue to out innovate (and the rate of that innovation is increasing) second and 3rd world within a few decades they will never be able to hold even, catch up or continue to compete.

What the chinese do seem to be interested in is control. Their attacks, non-espionage, have been against regime critics, supporters of Tibet and other disputed territories, law firms, and people who control their great firewall filters. I wonder if the WTO has been compromised? They should probably check their seals.

-------------------------------------

@Clive "Firstly some "spear-phishing" is actually sent from manipulating the real users Mail User Agent (MUA) thus they would probably have direct access to the users Private Key."

A a bit cart and horse here, innit? In order to compromise client workstations you have to spear-phish but in order to spear-phish you've got to already have a compromised client?

While true in some circumstances the identity and signature certificates are not local to the client. The DoD Common Access Card has all certificates on the card itself. I believe the HSPD12 PIV card is the same.

Simple things can still be done and fairly cheaply. IPLocking and SPF for example. I'm not sure about DKIM yet. Gmail has it but it's very passive.

On one engagement I was able to spoof email from one client's CISO from a public service in England (fancy that). When they investigated on why the mail servers were configured to allow it they were told "Oh that. That's intentional. People want that." The only documented reason I could find was "allows people to appear as if they were in the office." so this company can easily recieve emailed instructions from outside it's network that are indistinguishable from its internal communications unless you look at the headers.

I concure though it does have to be easy, it should be cheap (but the value of cheap is relative to the cost of compromise) and users should have 'security practice' as part of their annual performance evaluations.

-------------------------------------

@Clive "one countries Intel organisation took the "newspaper story" dressed it up as Intel "

But open source publication _is_ a major component of intel. It has to vetted to weed out Fortean events and there's no promises about what policy makers will do with it. The CIA has been politicized ever since DCI Bush.

--------------------------------------

@Clive "put up job"

While it's certain that competition exists within government IC (but competition that's free market and a good thing right?) and that people tell the boss what they think they want to hear and play down the disasters in project time lines -- but in dealing with information, the reason it exists and the supporting technologies and models?

I'll come down on the side of people papering over gaps in their own understanding every time. The amount of detail loss that happens when information makes it way up the decision making pyramid continues to astound me.

jdbertronApril 19, 2011 9:02 AM

Can someone explain why the fact that we know the Chinese military is hacking into our government computers should be kept a secret ?
What advantage is there ? Is anybody asking ?

Clive RobinsonApril 19, 2011 9:18 AM

@ Stephan Engberg,

"Politely - you are arguing with your own assumptions. I agree with what you say, but you are not arguing with what I said"

No I'm not, I'm saying that it's not imposible to achieve what you are trying to do it's just difficult and the small "sweet spot" where it works is a fast moving target.

My first paragraph was a warning in part about "theoretical" over "practical" systems solutions. An example of this, is the reason we use the US DoD TCP/IP protocols for networking and not the ISO OSI, simply "IP" was practical at the time, whilst OSI in many respects is only just becoming possible now. And also in part, the issue of when there is a gulf of difference between the aims and outlook of the users, to the designers and resource owners.

My second paragraph was a very brief synopsis of the existing state of play as it relates to the problem.

My final paragraph was to point out briefly the real difficulty with finding a workable solution or "sweet spot", and importantly maintaining it when and if you ever get there....

Perhaps I was to brief and should amplify what I'm saying.

Part of the existing problem is legacy from very resource limited times.

Effectivly we are still using security models that where known to be not just out of date but realy weak before they were implemented back in the early 1960's. The excuse they had then was the technology was barely up to the task of those weak systems. Todays excuse appears to be "custom and practice" or more bluntly "we've always done it that way" which many would say is no excuse (which it isn't), but we appear stuck with them, the most obvious failure being "passwords".

These old security models had a purpose that was intialy perimeter defence at the access point to a closed environment (terminals and mainframes) Slightly later they were to isolate privileged code when IBM came up with a way to do it in hardware (ie put the kernel in ring 0).

Well that was back then when in the comercial environment control of the computing resources was the big issue, it is not realy the case now as effectivly it's a (partialy) solved problem. The big problem today and in the foreseable future is control of information.

So not realy "privilege escalation" but compartmentalisation at the existing privilege level. Most existing work on information protection models was to do not with compartmentalisation at a particular privilege level but at different privilege levels (ie unclasified, classified, restricted, secret and top secret).

The models that did and do exist for this were rarely if ever seen outside of "word classified" environments where to be frank they were just about unusable (but this was not an important consideration to the "managment").

Part of the problem is the issues of translating "tangable" physical security models into "intangable" information security models. Further it is realising as mainly physical beings there are subtle issues to do with assumptions giving rise to incorect axioms in our thinking (I've been through these a couple of times in the past on this blog).

One underly assumption that is fairly easy to see is that surounding information duplication or copying.

In the real/physical tangable world compartmentilisation of information at the same privilege level is generaly not so much of an issue as it is in the intangible information world.

That is a person can have (paper) folders of information for refrence but without other resources (ie a photo copier etc) it is difficult to copy information from a source to an unintended destination (it happens with loose leaf but not often).

Not so on a computer where a bit of information is just like any other bit of information thus "ring fencing" it is a far more difficult if not impossible job except under what many users would regard as draconian rules.

The simplest way to do this is to ensure that data from two seperate compartments cannot exist on any given user resource at any one time, nor is there any way for information to be copied from user device to user device. In effect it is the equivalent of an "air gap" security system. But this is virtually unusable with access to only a single user device, and multiple user devices are unwieldy at best and expensive to implement.

Whilst it is possible to talk of compartmentalisation on the same user device in practice it is extreamly difficult to achive and in a device such as a smart phone almost impossible to guaranty.

This means big changes from beneath the hardware layer all the way up the user stack past the presentation layer. We have some technologies that can theoreticaly assist with this but practical implementation is in consumer grade systems as close to impossible as makes little difference currently (and no the current consumer grade Trusted Platform Initiatives are not the way to go on this as it just moves not solves the problem).

Having looked into the problem for a while I can see that on the current "single CPU" architecture strict compartmentalisation is not just practicaly but also theoreticaly not possible.

So the question moves down too, at what "relaxation point" from "strict compartmentalisation" are the benifits still out weighing the problems?

But this then brings in the issue of "low hanging fruit" in most cases an attacker has access to or is a considerably more sophisticated person than the resource owner. Further unlike the resource owner who has to present a broad defence, the attacker generaly can opt for a very focused attack. Thus the resource owner hits a serious resource / usability wall long long before the attacker does. Further as the attacker has narrow focus they can effectivly "out spend" 99.9...% of resource owners.

So the issue is a complex one requiring significant changes across the entire user stack, and this is before you get into the subject of side channels etc.

GreenSquirrelApril 20, 2011 5:19 AM

@historian
"You must think highly indeed of the astuteness of the US intelligence services if you believe that they put this information out there as bait, had Manning snatch it, enticed Assange to believe it, and now had Reuters print it, all to make China look like the big bad wolf. A press release would have been a much shorter route."

This assumes the target of the "put up" job is the public.

Nearly all Governmental internal documents are produced and disseminated to get other government officials to do something the originator wants them to do. There is no reason to believe that a department wishing to get greater authority to do X wouldnt produce a report claiming that Y was happening and X was required to prevent it.

Having spent almost all my adult life reading and producing governmental reports, I wouldnt trust any of them. If they said it was daylight at 1000hrs, I'd still want to look out of the window to be sure.

This goes back to another interesting point made here about the Wikileaks Cables. People have, for some unknown reason, taken every bit of opinion, gossip and rumour they contain and assumed it is the REAL TRUTH™©®. The reality is the best we can take away from the cables is that it really is what various diplomats etc have reported back to Washington. Every bit of it may well be totally fabricated nonsense.

Stephan EngbergApril 21, 2011 6:00 AM

@ Clive

It seems, we pretty much agree.

Your use of "compartmentalisation" seems very close to my use of the term logical isolation. And we strongly agree on the failure of existing "Trusted Computering" where some third party are always in control.

My take on there to start on Consumer electronics and basically all of this is to focus on the trust boundaries, i.e. instead of asuming perfect technology, focus on making interoperable security and enable the ability to resolve the semantics of security.

This require we stricly break "security" down into non-overlapping semantic aspects (security objectives) and keep aware that most "security" or "communication" technologies will address (adding or damaging) multiple such sematic aspects.

When and only when the semantic security interfaces is richer than the realworld requirements by at least one level of abstraction, we can begin to virtualise realworld entities towards the applications in the virtual world.

boogApril 21, 2011 1:39 PM

"Maybe I should have warned you at the top of this post."

It wouldn't have mattered if you did. My browser would have downloaded the whole page regardless of the warning, and I'd have a hard time proving I didn't read it.

Stephan EngbergApril 25, 2011 2:54 AM

@ Clive

One additionel comment regarding your considerations as to compartmentalisation internally & sideleaks e.g. mobile phones and computers.

Sure, this is a problem. Part of a solution is to remove all critical keys and identifiers from the vulnurable entities and put them in tameprresistent devices controlled by the citizen.

Another part of a solution is to operate a zero-acceptance model, i.e. that no process is allowed to leak data serverside and thus any data leaked must be non-legitimate.

The root problem here is that even if a device theoretically COULD be made perfect, we have no way of ensuring the a specific device is an implementation of a perfect model. Any device could have built-in modifications. Hence, zero-tolerance so that any leak will involve liability.

Perfect security, i.e. gurantee against all potential failures. But we can ensure transactions does not involve legitimate transfer of control and then focus on revokability and recoverability in many layers.

One problem is that (US) intelligence also wants to be able to penetrate the security of others so they are faced with ambiguity that cannot be resolved. You cannot both ensure citizen rights and the rights of a regime - they are by definition contradictory.

RobertTApril 25, 2011 4:31 AM

@ Stephan Engberg,

"operate a zero-acceptance model, i.e. that no process is allowed to leak data serverside and thus any data leaked must be non-legitimate. "

zero acceptance is an interesting concept, I'd like to hear how you believe this concept can be efficiently implemented in a passive RFID tag. (i believe this is the industry you're involved in)

BTW: (Fair warning) I'm going to assume that an attacker can get physically close to the tag and understands technically how to generate some very non-spec compliant RF excitation waveforms. these will be used to probe the tag, possibly while another third party transaction is occurring.


SapthaApril 26, 2011 10:47 PM

Basic facts:
If someone got cough as hacker in USA , he goes to jail
if the same thing happen in chxxx , you will gain good reputation as " Hacker" and will be utilized for something valuable.
when it come to counties like sri lanka we are not in both side , no one even know what the hell is going on , I strongly believe USA need a strategy to protect things , as same as they force physical military powers , should think of controlling on going global IT attacks.

rtfmMay 15, 2011 2:10 PM

thinkin' the sentence might be double-secret probation if everyone is going down. Toga, Toga.

BinaryFuMay 16, 2011 12:09 PM

"I don my tin-foil hat and wizard robe..."

Those of you who believe these leaks are accidental probably also believe pro-wrestling is real.

Wikileaks is only doing the job assigned to it via the government - most likely without the owner's knowledge of who's running him. The legal onslaught is just so much saber rattling.

-Source unknown

HillsmanMay 16, 2011 8:28 PM

I stopped paying attention after: "cables, obtained by WikiLeaks and made available to Reuters by a third party"!

This so-called evidence is so tainted and unreliable after being handled by 4 unknown sources, why would you even repeat it? There is no way you could ever verify that there was a legitimate cable to start with in this case (as with most other Wikileaks 'revelations').

Hearing about evil government secrecy is getting as boring as hearing Twitter 'conversations' regurgitated by news outlets as actual news and opinion.

HughJune 8, 2011 3:06 PM

First without international laws, cyberspace is a wild wild west, second more R&D funding from the Govt is needed to stay ahead of the curve in this so called cyber war

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..