Tuesday, January 26, 2010

The Malicious Get Smarter

A report that Joseph Menn filed from San Francisco last night for the Financial Times seems to indicate that the dangers of malware may be escalating to a new level. Here is the basic story:

Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks, raising privacy concerns and pointing to a highly sophisticated operation, security experts said.

Cybersecurity experts analysing the attacks said the hackers spied on individuals and used other sophisticated techniques, making them extremely difficult to stop. The disclosures come amid renewed alarm over cybersecurity after Google said it had been the target of a series of cyberattacks from China.

The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

“We’re seeing a lot more up-front reconnaissance, understanding who the players are at the company and how to reach them,” said George Kurtz, chief technology officer at security firm McAfee.

“Someone went to the trouble to backtrack: ‘Let me look at their friends, who I can target as a secondary person’.”

Just as troubling as the story itself, however, may be the reactions it is likely to provoke. Towards the end of Menn's account we get a hint of some of those reactions:

Another element of the attack code used a formula only published on Chinese language websites, said Joe Stewart, a researcher for security firm SecureWorks. Mr Stewart also found that some of the code had been assembled in 2006, suggesting that the campaign had been not only well organised but enduring.

The evidence pointed to a government-sponsored effort that only large spy agencies or perhaps some of the most advanced big companies could have withstood, experts said. China on Monday described accusations it was behind cyberattacks as “groundless”.

At the risk of finding myself put on some lists that could make my life very unpleasant, I would like to be bold enough to suggest that, in this particular case, the Chinese may have a point. The sad truth is that, whenever bad things happen in cyberspace, there tends to be an outbreak of accusations, most of which come from people who have the authority to speak from a bully pulpit (such as being interviewed by a reporter for the Financial Times) but who are fundamentally naive about the underlying nature of the world the Internet has made. In spite of all the supporting evidence, these people tend to deny a fundamental rule of Internet culture:

Never underestimate the capacity of Internet technology to empower an individual intent on causing serious damage.

In the world the Internet has made, even the presence of source code for malware on a Chinese language Web site is not an indicator of Chinese involvement at either an institutional or an individual level. Those who cause damage can be very clever at concealing their identities, and one of the best strategies for concealment is the creation of false clues.

I have noticed that, ever since the Massachusetts Senate election, there has been a lot of rhetoric about "circular firing squads," particularly applied to the organization of the Democratic Party. Menn's article may have inadvertently suggested that we now run a similar risk over the issue of cybersecurity. After decades of denying the risks of ignoring security questions, we may now face the formation of a circular firing squad on a global scale, with every offended party aiming to shoot down a "most likely offender." This is likely to have no effect other than to make things easier for those who get their kicks out of causing worldwide damage. Unfortunately, the likelihood of a concerted effort to take cybersecurity seriously is about as high as that for addressing environmental problems!

1 comment:

Anonymous said...

Well, Stephen, you said it. Turns out the "Chinese code" fingered is in reality code and an algorithm that are widely available in the device application arena:

http://www.theregister.co.uk/2010/01/26/aurora_attack_origins/

I was able to find the same code in a listserv archive from 2003, using clues from the above article.