23 June 2009
NedaNet: Hackers to the rescue?
Related: NedaNet resource page
I’ve spent the last seventeen hours living inside a cyberpunk novel. A libertarian cyberpunk novel. It’s been a weird and awesome experience.
Within an hour after I received a plea for help from Iran, a regular commenter on this blog recruited me into a hacker network that has been forming to support the democratic Iranian revolutionaries by providing them with proxy servers, Tor anonymizers, and any other technologies needed for them to communicate over channels the Iranian regime cannot censor or control.
I know this network has contacts on the ground among the revolutionaries. I don’t know who they are, and don’t want to know. Most of the other network members are just names on an IRC channel. But we’re putting together a stealth network at amazing speed. Nothing matters as much as the courage and determination of the Iranians on the ground, but we aim to make a difference in our own way and we have the tools to do it.
This disorganization has only been forming for a very short time. It doesn’t really have leaders. It didn’t have even a name when I joined it, though I’ve given it one that looks like it might stick. Until and unless somebody else steps up to the job, I’m our public contact.
This role carries a non-zero risk that I will be targeted for assassination, or interrogation followed by execution, by agents of the Iranian regime - we’ve had more than one death threat against core members already. I take this risk with eyes open because we need somebody to be public, and I know I’ve already been a jihadi target since 2006; at least I can keep some other poor bastard out of the line of fire. I now expect to remain continuously armed for the duration of the Iranian crisis.
Rostam, this is how I’m answering your plea. We’ll do what we can for your people. For freedom.
To learn more about NedaNet and how you can help, go here.
When the going gets weird, the weird turn pro. - Hunter S. Thompson
11 May 2009
Sysadmins in BDUs
Cyberwar: Cadets trade the trenches for firewalls (New York Times, 11 May 2009)
The Army forces were under attack. Communications were down, and the chain of command was broken.
Pacing a makeshift bunker whose entrance was camouflaged with netting, the young man in battle fatigues barked at his comrades: “They are flooding the e-mail server. Block it. I’ll take the heat for it.”
These are the war games at West Point, at least last month, when a team of cadets spent four days struggling around the clock to establish a computer network and keep it operating while hackers from the National Security Agency in Maryland tried to infiltrate it with methods that an enemy might use. The N.S.A. made the cadets’ task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world.
The competition was a final exam of sorts for a senior elective class. The cadets, who were computer science and information technology majors, competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Each team was judged on how well it subdued the threats from the N.S.A.
07 April 2009
Yeah, but.
Electricity Grid in U.S. Penetrated By Spies (Wall Street Journal, 7 April 2009)
Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."
OK, this is straight-up scary stuff.
Occupational hazard: I have a dangerously small amount of actual knowledge about how one attempts to detect and prevent intrusions into networks and systems, but I'm around the buzzwords a lot, so I'm going to go out of my way not to use jargon in the hope that I won't accidentally mangle a term of art.
Here's what I've been able to gather about this: even though you *can* secure, e.g., a nuclear facility's core operations from the public Internet, there's MORE than enough stuff hooked up to the public Net that you'd really rather it not be there if you thought about it much.
But.
At the same time, this story sort of reminds me of the feigned outrage over the Bombay terrorists having used Blackberries and so forth to access news sites on the Internet and communicate with each other.
OF COURSE they used Blackberries. They also breathed air, drank water and ate food, as Bruce Schneier pointed out, probably a lot more elegantly - they exploited what was available in their environment, and what was available included devices that for the equivalent of a few hundred bucks up front and fifty or so a month make you a walking, talking, e-mailing, web-surfing, highly mobile node on the Net.
Deal with it.
No, seriously. The good guys have the same tools and more money, and if we don't have better brains we're all in real trouble.
So, my thinking is -
We're in a highly interconnected world.
Bad guys are constantly finding ways to exploit this.
(Who's a "bad guy" depends largely but not entirely on where you sit. There are some objective standards of evil and there are regimes and groups that are way over those lines. They have access to the Intertubes too.)
*@&$^!, OF COURSE THEY'RE TRYING TO MAP OUR INFRASTRUCTURE.
Among other things.
Here would have been an interesting thing to read in the Wall Street Journal: How do we plan to prevent them from doing this, and more importantly what are we doing to learn about their weaknesses, which may not be, as is true in our case, their information and communications infrastructure?
05 December 2008
War in cyberspace
Do cyberattacks count as war? (The Economist, 4 December 2008)
The discussion of cyberattacks and cyberwarfare is complicated by widespread disagreement over how to define these terms. Many cyberattacks are really examples of vandalism or hooliganism, observes Bruce Schneier, a security guru who works for BT, a British telecoms operator. A cyberattack on a power station or an emergency-services call centre could be an act of war or of terrorism, depending on who carries it out and what their motives are.
For a cyberattack to qualify as “cyberwar”, some observers argue, it must take place alongside actual military operations. Trying to disrupt enemy communications during conflict is, after all, a practice that goes back to the earliest telecommunications technology, the telegraph. In 1862, for example, during the American Civil War, a landing party from Thomas Freeborn, a Union navy steamer, went ashore to cut the telegraph lines between Fredericksburg and Richmond. The Russian navy pioneered the use of radio jamming in the Russo-Japanese war of 1905. On this view, cyberattacks on infrastructure are the next logical step. The attacks on Georgia might qualify as cyberwarfare by this definition, but those on Estonia would not, since there was no accompanying military offensive in the real world. As Mr Schneier puts it: “For it to be cyberwar, it must first be war.”
Not everyone agrees. For years there has been talk of a “digital Pearl Harbour”—an unexpected attack on a nation’s infrastructure via the internet, in which power stations are shut down, air-traffic control is sabotaged and telecoms networks are disabled. There have even been suggestions that future wars could be waged in cyberspace, displacing conventional military operations altogether. Why bomb your enemy’s power-stations or stockmarkets if you can disable them with software? So far there have been no successful attacks of this type, but that does not stop people worrying about them—or speculating about how to launch them.
18 July 2008
Schneier on Chinese hackers
Schneier on Security: Chinese Cyber Attacks (14 July 2008)
If anything, the fact that these groups aren't being run by the Chinese government makes the problem worse. Without central political coordination, they're likely to take more risks, do more stupid things and generally ignore the political fallout of their actions.
In this regard, they're more like a non-state actor.
So while I'm perfectly happy that the U.S. government is using the threat of Chinese hacking as an impetus to get their own cybersecurity in order, and I hope they succeed, I also hope that the U.S. government recognizes that these groups are not acting under the direction of the Chinese military and doesn't treat their actions as officially approved by the Chinese government.
30 May 2008
US power blackouts: a hacker connection?
China's Cyber-Militia (National Journal, 31 May 2008)
Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.
One prominent expert told National Journal he believes that China’s People’s Liberation Army played a role in the power outages. Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. The intelligence officials said that forensic analysis had confirmed the source, Bennett said. “They said that, with confidence, it had been traced back to the PLA.” These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected.
Officially, the blackout was attributed to a variety of factors, none of which involved foreign intervention. Investigators blamed “overgrown trees” that came into contact with strained high-voltage lines near facilities in Ohio owned by FirstEnergy Corp. More than 100 power plants were shut down during the cascading failure. A computer virus, then in wide circulation, disrupted the communications lines that utility companies use to manage the power grid, and this exacerbated the problem. The blackout prompted President Bush to address the nation the day it happened. Power was mostly restored within 24 hours.
17 April 2008
Words fail me
Security is No Match for Chocolate and Good Looking Women (WSJ Technology Blog)
People are too trusting, especially when there’s chocolate on the line.
A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.
"Attractive woman holding clipboard and offering chocolate" works on men *and* women, by the way:
61% of workers surveyed shared their birthdates and a similar number – 60% of men and 62% of women – shared their names and telephone numbers.
Come on, kids. Let's be safe out there. Resist the siren song of Cadbury Dairy Milk, don't use the same password for everything, and for God's sake don't share personal information with strangers, even (especially!) hotties "taking surveys."
12 March 2008
Electronic health records: not private, not safe
Wall Street Journal Business Technology Blog: Electronic Health Records Aren't Safe (12 March 2008)
In a recent survey of 307 healthcare information-technology managers, Cisco Systems found that investing in database security is the managers’ biggest priority. As hospitals shift into the digital world with electronic records and wireless devices, protecting data is becoming increasingly important.
But the Business Technology Blog also found something worrisome: The survey reported that 16% of respondents had a security breach at their organization in the last six months; 24% reported a breach in the past 12 months.
In other words, assuming that this is an accurate sample, there's at least a one-in-four chance that your private health records have been compromised in the last year.
25 October 2007
It knows, and it punishes
Storm worm strikes back at security pros (Network World, 24 October 2007)
The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday.
The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Korman, host-protection architect for IBM/ISS, who led a session on network threats.
“As you try to investigate [Storm], it knows, and it punishes,” he says. “It fights back.”
As a result, researchers who have managed to glean facts about the worm are reluctant to publish their findings. “They’re afraid. I’ve never seen this before,” Korman says. “They find these things but never say anything about them.”
And not without good reason, he says. Some who have managed to reverse engineer Storm in an effort to figure out how to thwart it have suffered DDoS attacks that have knocked them off the Internet for days, he says.