
Jan 14, 2010

Google China cyberattack part of vast espionage campaign, experts say


By Ariana Eunjung Cha and Ellen Nakashima
Thursday, January 14, 2010; A01

Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said.

At least 34 companies -- including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical -- were attacked, according to congressional and industry sources. Google, which disclosed on Tuesday that hackers had penetrated the Gmail accounts of Chinese human rights advocates in the United States, Europe and China, threatened to shutter its operations in the country as a result.

Human rights groups as well as Washington-based think tanks that have helped shape the debate in Congress about China were also hit.

Security experts say the attacks showed a new level of sophistication, exploiting multiple flaws in different software programs and underscoring what senior administration officials have said over the past year is an increasingly serious cyber threat to the nation's critical industries.

"Usually it's a group using one type of malicious code per target," said Eli Jellenc, head of international cyber-intelligence for VeriSign's iDefense Labs, a Silicon Valley company helping some firms investigate the attacks. "In this case, they're using multiple types against multiple targets -- but all in the same attack campaign. That's a marked leap in coordination."


While it's difficult to say with certainty where a cyberattack originated because the Internet allows hackers to seemingly crisscross country borders and time zones in seconds, the issue is quickly turning into a source of diplomatic tension.

The standoff between Google and China touches on the most sensitive subjects in U.S.-China relations: human rights and censorship, trade, intellectual property disputes, and access to high-tech military technology.

"The recent cyber-intrusion that Google attributes to China is troubling, and the federal government is looking into it," White House spokesman Nick Shapiro said. He added that President Obama made Internet freedom "a central human rights issue" on his trip to China last fall.

Since it began operations in China five years ago, Google had agreed in theory to filter sensitive searches but clashed with the Chinese government on what material was covered, and the company regularly found its service blocked when it defied its hosts.

China's state media reported that the government is looking into Google's claims. In China, news about Tuesday's public rebuke by Google was heavily censored except for a stinging opinion piece in the official People's Daily that called the Silicon Valley tech giant a "spoiled child" and predicted that it would not follow through on its ultimatum.

The recent attacks seem to have targeted companies in strategic industries in which China is lagging, industry experts said. The attacks on defense companies were aimed at gaining information on weapons systems, experts said, while those on tech firms sought valuable source code that powers software applications -- the firms' bread and butter.

The attacks also focused on obtaining information about political dissidents.

"This is a big espionage program aimed at getting high-tech information and politically sensitive information -- the high-tech information to jump-start China's economy and the political information to ensure the survival of the regime," said James A. Lewis, a cyber and national security expert at the Center for Strategic and International Studies. "This is what China's leadership is after. This reflects China's national priorities."

Adobe, a software maker, confirmed on Wednesday that it learned of the attacks on Jan. 2 but said there was "no evidence to indicate that any sensitive information . . . has been compromised," while Symantec, which makes security software, said it is investigating to "ensure we are providing appropriate protection to our customers."

Dow Chemical said that it has "no reason to believe that the safety, security and intellectual property of our operations are in jeopardy." Yahoo and defense contractor Northrop Grumman declined to comment on the attack.

The attackers, experts said, followed the familiar "phishing" ruse: A recipient opens an e-mail that purports to be from someone he knows and, not suspecting malicious intent, opens an attachment containing a "sleeper" program that embeds in his computer. That program can be controlled remotely, allowing the attacker to access e-mail, send confidential documents to a specific address -- even turn on a Web camera or microphone to record what is going on in the room.

In many cases, a user does not know he has been the victim of an attack.

One type of attack exploits a flaw in Adobe Reader, a popular free program that allows e-mail users to read .pdf document files. The flaw was made public Dec. 15 but fixed only on Tuesday -- the day Google announced that its systems had been compromised.

Sara L.M. Davis, executive director of New York-based Asia Catalyst, which assists charities in developing countries, said she began to receive these fake e-mails shortly after the new year. The senders all appeared to be people with whom she regularly communicates. The subject lines contained topics -- "AIDS in China" or "Some photographs of you and Dr. Gao" -- that suggested familiarity with her and her organization.

"If I weren't already paranoid, I would have already opened one," Davis said.

Google declined to provide details on what exactly the attackers took and whether it included any information about super-secret search engine technology that drives the company's profits.

Nart Villeneuve, a research fellow at the University of Toronto, has analyzed attack e-mails sent to human rights groups over the past few months. Villeneuve, who works at Citizen Lab, which focuses on Internet and politics, helped research GhostNet, a vast cyberspying operation revealed last year that apparently originated in China and targeted the office of the Dalai Lama, foreign embassies and government offices.

He said the GhostNet attack resembles the strategy used against Google, other U.S. companies and human rights groups this time around. The attack e-mails to the human rights organizations could mostly be traced to "command and control" computers in mainland China. However, Jellenc said, the two attacks do not appear to have been carried out by the same group.

In August, someone obtained a list of 5,000 subscribers to the China Leadership Monitor, a respected quarterly publication from the Stanford University's Hoover Institution.

The subscribers received a fake e-mail from a Gmail account purportedly from the publication but with an attachment that would take over their computers. Alice Miller, a visiting professor at Stanford and the publication's editor, said she had worked with U.S. government investigators and said the attack originated in China.

Staff writers Cecilia Kang and John Pomfret contributed to this report.


Oct 23, 2009

Passwords: How We Should Reinvent Them - Newsweek.com


Tough to remember but easy to crack, passwords are the weak link in computer security. Billions hang in the balance.

Published Oct 9, 2009

From the magazine issue dated Oct 19, 2009

My password is gr8199. I've been using it for more than a decade, ever since a Web site first required me to create a string of six to 12 characters, with a mixture of letters and numbers. At that moment the only sequence I could think of had to do with the Wayne Gretzky vanity license plate my family happened to be considering: the Great One, No. 99, which yielded gr8199. As the requirements for passwords evolved over the years, I added extra nines, cobbled on a question mark, and blended it with my alternate password (which is, insanely, my Social Security number). Until last week, gr8199 and its descendants got you into my laptop, my e-mail, my Scrabble, my bank accounts, my blog, my work PC, my health insurance, Facebook, Skype, Snapfish, Hulu, my tax returns, and at least 39 other sites across the Internet. I can tell you my secret code because I'm changing it; I'm changing it because I'm telling you. My password system is a mess—and I bet yours is, too.

If you're a typical Web user—and these days, what office worker doesn't spend all day plugged in to the browser?—you have 6.5 passwords, each of which is used at four sites, and you're forced to type one eight times per day. Your employer likely makes you create a brand-new code every 90 days. At one point or another, you've probably scrawled a password on a Post-it, e-mailed one to yourself, or made other security-breaching concessions to the fundamental impossibility of memorizing so many strings of gobbledygook. Today we don't have passwords so much as coping systems.

Companies spend billions of dollars protecting their computer systems, and passwords are a linchpin. With so much riding on Americans' faulty passwords, there has to be a better way to make our technology secure—and it's taking shape inside Carnegie Mellon University's cyber-security-research department. There is no password 2.0 in the wings, no genius breakthrough to secure our stuff forever. But for the past five years a few members of CyLab, as it's known, have been studying not just the mathematical theory behind passwords but the way humans actually use them. Their findings suggest there's a lot we can do to make this part of our lives far less of a hassle—and in my case, to move far beyond gr8199.

Though it's housed in an otherwise nondescript building on the north side of Carnegie Mellon's Pittsburgh campus, parts of CyLab resemble James Bond's Q Branch. The biometrics lab in particular is hard at work taking the fiction out of science-fiction movies like Minority Report. The workspace is a hive of activity, with 15 students bent over all manner of gadgetry; it's like a high-school shop class, but with prototype face-tracking cameras instead of band saws. This is where Carnegie Mellon wows its visitors, with toys that can read a person's fingerprint from across the room, reverse-engineer a 3-D model of a face from a simple 2-D snapshot, and recognize a moving iris at 13 meters. Nearly every gadget here would give a civil libertarian a stroke.

With their futuristic sexiness and fat military funding, biometrics and bleeding-edge cryptography have long drawn the best minds in computer security. But for average consumers, biometrics has also been among the biggest letdowns in security. The fingerprint scanners available on some laptops are essentially novelties, for example, and voice authentication has never been reliable or secure enough to function on its own. Cost is also a huge obstacle: unless you work at the CIA, your employer isn't likely to buy you an iris reader any time soon. "Biometrics never caught on, and it never will," says Richard Power, a CyLab fellow who rails about the lack of progress—he calls it a "lost decade"—in computer security.

For regular people accessing Web sites and PCs, passwords are what we're stuck with, primarily because they're simple and cheap. Among computer researchers, passwords are a key aspect of a burgeoning field known as "usable security." At Carnegie Mellon, the scientists who've pioneered the discipline work not in a lab but upstairs in a wing that looks no different from most universities' English or history departments. Look closer, though, and you'll see signs that this is no ordinary place. The doors are all marked with 2-D bar codes; a professor enters his office by snapping a photo with his cell phone. Click! goes the phone; thunk! slides the bolt. It's more secure than a physical key, which can be stolen and copied, and no less handy.

The academics here are rethinking basic questions about what makes something—an office, a Web site—secure, without driving its owner crazy. And their findings call into question many of the recent security advances in the banking, e-mail, and other critical systems you log into every day. Researchers here fault virtually everything your corporate IT department tells you about strong passwords. And they take the radical stance that you, the user, should be listened to when passwords become overbearing, not yelled at when you forget them.

As an academic discipline, usable security—a blend of computer science and psychology—is only about five years old. "When we first started waving the flag, not many people paid attention," says Carnegie Mellon professor Lorrie Cranor. "It's gratifying that people are starting to." Cranor may be more responsible than anyone else for establishing the field. She founded CyLab's Usable Privacy and Security Laboratory and an annual symposium; she also edited the major textbook on the subject and teaches one of the few usable-security-specific courses in the nation. Polite and warm, Cranor strives to be user-friendly herself: when she gets too technical while describing her work to a decidedly non-Ph.D. NEWSWEEK reporter, she pauses, laughs ("Were you expecting a more usable definition?"), and resumes the discussion in geek-free English. Her interest in patterns and complexity extends outside the lab: she's a master quilter whose designs have been featured on the covers of textbooks and journals.

Much of Cranor's work involves poking holes in the conventional wisdom about how users should choose and remember passwords. Take one common tip that Internet users hear: to make a super-strong password, think of a phrase, and string together the first letter of each word. The result is called a mnemonic password. The famous Ghostbusters line "Dogs and cats, living together!" becomes, with a few substitutions, "D&c,lt!"—a sequence to make an IT director swoon. It's easy to remember, and who could guess it?

In fact, Cranor can. In a 2006 study, her team asked 144 volunteers to come up with mnemonic passwords. Guessing that the subjects would summon well-known phrases from memory, the researchers built a simple program to crawl the Web for famous quotes, ad slogans, song lyrics, and nursery rhymes, quickly amassing 249,000 entries. By security standards, that's a relatively small universe of phrases upon which to base passwords. Using that list, their crude program cracked 4 percent of the mnemonics, which weren't so unique after all—two subjects chose the Oscar Mayer wiener jingle—suggesting that motivated hackers could fare even better.
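The study above built a phrase list and derived the mnemonics users would form from it. The following is an added example, not code from the article or from CyLab: it rebuilds that idea as a defender-side password check, generating the mnemonic variants a small constructed phrase corpus yields (first letters, the usual substitutions, optional punctuation, case variants) and rejecting a candidate that matches one. The corpus and candidate list are constructed samples standing in for the 249,000-entry crawl.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample corpus; a real check would use a far larger phrase list.
SAMPLE_PHRASES = [
    "Dogs and cats, living together!",
    "To be or not to be, that is the question",
    "Oh I wish I were an Oscar Mayer wiener",
    "Twinkle, twinkle, little star, how I wonder what you are",
    "Just do it",
]

# Substitutions people commonly apply when turning a phrase into a mnemonic.
WORD_SUBS = {"and": "&", "to": "2", "for": "4", "you": "u", "are": "r",
             "one": "1", "two": "2", "four": "4", "at": "@"}


def mnemonic_variants(phrase: str) -> Set[str]:
    """Mnemonics a phrase plausibly yields: first letters, with or without the
    substitutions above, with or without attached punctuation, in original,
    lower and upper case. Words are split on non-alphanumerics, so an
    apostrophe ("don't") becomes two tokens; acceptable for this sample."""
    tokens = re.findall(r"[A-Za-z0-9]+[!?.,]?", phrase)
    bases: List[str] = []
    for use_subs in (False, True):
        for keep_punct in (False, True):
            chars = []
            for tok in tokens:
                word = tok.rstrip(",.!?")
                punct = tok[len(word):]
                ch = WORD_SUBS.get(word.lower(), word[0]) if use_subs else word[0]
                chars.append(ch + (punct if keep_punct else ""))
            bases.append("".join(chars))
    out: Set[str] = set()
    for b in bases:
        out.update({b, b.lower(), b.upper()})
    return out


def build_index(phrases: Iterable[str]) -> Dict[str, str]:
    """Map every derivable mnemonic back to the phrase that produced it."""
    index: Dict[str, str] = {}
    for phrase in phrases:
        for variant in mnemonic_variants(phrase):
            index[variant] = phrase
    return index


def check_password(candidate: str, index: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Return (acceptable, matched_phrase). A candidate equal to a known
    mnemonic is rejected and the originating phrase reported."""
    phrase = index.get(candidate)
    return (phrase is None, phrase)


def crack_rate(candidates: Iterable[str], index: Dict[str, str]) -> float:
    """Fraction of candidate passwords the phrase index recovers, the figure
    the study reports as 4 percent on its 144 volunteers."""
    cands = list(candidates)
    hits = sum(1 for c in cands if c in index)
    return hits / len(cands) if cands else 0.0


if __name__ == "__main__":
    idx = build_index(SAMPLE_PHRASES)
    # Constructed candidates: three mnemonics of corpus phrases plus gr8199.
    sample = ["D&c,lt!", "2bon2b,titq", "OIwIwaOMw", "gr8199"]
    for pw in sample:
        print(pw, check_password(pw, idx))
    print("crack rate:", crack_rate(sample, idx))
```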

Instead of a mnemonic password, research suggests that users are better off constructing passwords out of the phrase itself—a passphrase. As the technologist Thomas Baekdal notes, a short but hard-to-remember string like "J4fS<2"

What drives Cheswick and other researchers particularly nuts is that the "dictionary" attacks that these complicated passwords are supposed to repel have been largely supplanted by "phishing," which tricks users through deceptive e-mails and look-alike Web sites into unwittingly handing over passwords directly to hackers. For all the hoops the users have to jump through, researchers say they're mostly fighting the last war. "Users have this secret feeling that they don't need these rules, and they're right," says Cheswick, who is known as one of the fathers of Internet security.

That hasn't stopped Web sites from continuing to foist increasingly complex requirements on users. And a natural consequence of passwords that are more complicated, and that require periodic resets, is that people forget them more frequently. To deal with that, many sites—notably free Web e-mail services—have adopted "security questions" such as "Where did you go to elementary school?" and "What is your pet's name?" In theory, answering such questions proves that you are you. In practice, it's riddled with flaws. Last fall, Sarah Palin's personal e-mail account, gov.palin@yahoo.com, was hacked by a student in Tennessee who knew from rudimentary Web searches her birth date, ZIP code, and that she had met her husband in high school. And in July, Twitter executives were embarrassed by a similar attack, which resulted in the theft of some 300 internal documents, including strategy memos and financial forecasts. A May 2009 study from Microsoft Research and Carnegie Mellon eviscerated the security-question strategies employed by three of the top four Web-mail providers, finding that subjects could guess their acquaintances' AOL and Yahoo challenges more than a quarter of the time. Hacking isn't the only problem caused by the spread of these questions: according to the study, one in five subjects forgot the answers to their own questions in six months.

One way humans deal with password overload is to rely on a single password and simple variants for nearly every electronic interface in their lives—as I did. That's highly problematic because if that all-powerful password is cracked at just one site, it gives a hacker the keys to the kingdom. That's why Adrian Perrig, the technical director at Carnegie Mellon's CyLab, promotes disposable passwords: generated by special devices, people use these passwords once, then throw them away. It used to be expensive for companies to give employees special fobs that could synchronize with a server and make one-time passwords possible, but nowadays we all carry a device capable of this task: a cell phone. RSA, the company that manufactured the most recognizable model of password fob, now bakes the technology directly into BlackBerrys.

Perrig's scheme is dubbed Phoolproof Phishing Prevention. Using this system, a user enters his log-in name at a given site, and in a moment, his phone beeps with a text message containing a temporary password. A criminal can steal your password silently. But if he snatches your cell phone, you'll know right away. Another benefit: if a hacker is listening in on an unsecured wireless network, or through a nasty piece of malware called a keylogger, the password is no good after the one session. Last December, Bank of America became the first major U.S. bank to let customers link mobile phones (or, for $20, a wallet-size card) to their accounts, a breakthrough in Internet banking. So far, though, only a fraction of customers have opted in.
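The property the article highlights is that a texted temporary password "is no good after the one session." The following is an added example, not code from the article, from CyLab or from any bank: a minimal server-side issuer that generates a random code bound to one login name, expires it after a short window, limits guesses, and consumes it on first successful use, so a code captured by a keylogger or on an open wireless network cannot be replayed. The SMS transport is an assumption and is stubbed as a list; a real deployment would hand the code to an SMS gateway.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CODE_TTL_SECONDS = 120   # how long a texted code stays valid
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is discarded
CODE_DIGITS = 6


def _digest(code: str) -> bytes:
    # Hashing a 6-digit code only protects against a casual read of the store;
    # the space is tiny, so the TTL and attempt limit are the real defences.
    return hashlib.sha256(code.encode("ascii")).digest()


@dataclass
class PendingCode:
    digest: bytes
    expires_at: float
    attempts: int = 0


class OneTimePasswordServer:
    """Issues and verifies single-use login codes. `clock` is injectable so
    expiry can be exercised without sleeping (an assumption of this demo)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}
        self.sent_messages: List[Tuple[str, str]] = []  # stand-in SMS outbox

    def request_code(self, username: str) -> str:
        """Step 1: user enters the login name; server texts a fresh code.
        Any earlier unused code for this user is superseded."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(
            digest=_digest(code), expires_at=self._clock() + CODE_TTL_SECONDS)
        self.sent_messages.append((username, code))  # "phone beeps"
        return code  # returned only so a demo or test can play the phone

    def verify(self, username: str, code: str) -> bool:
        """Step 2: accept the code once, then forget it."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[username]          # stale code is dead
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[username]          # too many guesses: start over
            return False
        if not hmac.compare_digest(entry.digest, _digest(code)):
            return False
        del self._pending[username]              # consumed: a replay now fails
        return True


if __name__ == "__main__":
    srv = OneTimePasswordServer()
    code = srv.request_code("alice")
    print("first use:", srv.verify("alice", code))    # True
    print("replay:   ", srv.verify("alice", code))    # False
```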

Another promising direction might be image-based passwords. No, not that personalized icon that greets your log-in at Bank of America, Vanguard, and many other banking sites; it's a nice marketing trick, but has little security benefit. "We saw that and laughed at it right from the beginning," says Cranor; one study showed that all a phisher needed to do was insert a sentence like "Our image server is down; please log in anyway" into a fake Web page, and people would do so. Paul van Oorschot, a professor of computer science at Carleton University in Ottawa, has developed schemes that replace text entry with mouse clicks on certain pixels in an image—say, the headlight of a sports car. This approach has flaws, usable-security proponents say, and hasn't been tested enough. But it's cheap, and resistant to phishing.

As often happens with academic research, it has taken some time for the industry to take notice. But lately, people inside tech companies have begun paying more attention to the usable-security work being done at Carnegie Mellon and elsewhere. Cormac Herley, a Ph.D. at Microsoft Research, recently published two papers questioning the industry's accepted wisdom on security: "Do Strong Web Passwords Accomplish Anything?" (conclusion: sometimes, but not really) and "Passwords: If We're So Smart, Why Are We Still Using Them?" The latter paper concludes that in the short to medium term, passwords, flawed as they are, are here to stay. "Right now, we all agree that the password system is terrible, yet how much money is it costing companies?" van Oorschot asks. "Are they feeling enough pain that they're willing to do anything about it?"

For now, the answer is no. And as Bank of America's customers have shown, even if a more secure option exists, many won't opt for it. But as time goes on, the combination of a major security breach and users' growing fatigue at juggling so many passwords will likely make the world more receptive to the innovations being cooked up at Carnegie Mellon. Until then, we'll all have to keep on trying to remember our own variations of gr8199.


Aug 17, 2009

Hackers Stole IDs for Attacks

WASHINGTON -- Russian hackers hijacked American identities and U.S. software tools and used them in an attack on Georgian government Web sites during the war between Russia and Georgia last year, according to new research to be released Monday by a nonprofit U.S. group.

In addition to refashioning common Microsoft Corp. software into a cyber-weapon, hackers collaborated on popular U.S.-based social-networking sites, including Twitter and Facebook Inc., to coordinate attacks on Georgian sites, the U.S. Cyber Consequences Unit found. While the cyberattacks on Georgia were examined shortly after the events last year, these U.S. connections weren't previously known.

The research shows how cyber-warfare has outpaced military and international agreements, which don't take into account the possibility of American resources and civilian technology being turned into weapons.

Identity theft, social networking, and modifying commercial software are all common means of attack, but combining them elevates the attack method to a new level, said Amit Yoran, a former cybersecurity chief at the Department of Homeland Security. "Each one of these things by itself is not all that new, but this combines them in ways we just haven't seen before," said Mr. Yoran, now CEO of computer-security company NetWitness Corp.

The five-day Russian-Georgian conflict in August 2008 left hundreds of people dead, crushed Georgia's army, and left two parts of its territory on the border with Russia -- Abkhazia and South Ossetia -- under Russian occupation.

The cyberattacks in August 2008 significantly disrupted Georgia's communications capabilities, disabling 20 Web sites for more than a week. Among the sites taken down last year were those of the Georgian president and defense minister, as well as the National Bank of Georgia and major news outlets.

Taking out communications systems at the onset of an attack is standard military practice, said John Bumgarner, chief technical officer at the USCCU and a former cyber-sleuth at the National Security Agency and the Central Intelligence Agency.

The USCCU assesses the economic and national-security implications of cybersecurity threats and briefs top U.S. officials, officials in key industries and international institutions.

"U.S. corporations and U.S. citizens need to understand that they can become pawns in a global cyberwar," said Mr. Bumgarner, who wrote the report.

The White House completed a review of cybersecurity policy in April. Among the issues Obama administration officials are now studying is how laws of war and international obligations need to be reworked to account for cyberattacks.

Homeland Security department spokeswoman Amy Kudwa said she couldn't comment on a report that she hadn't seen and hadn't been released yet.

Last year was the first time such cyberattacks were known to have coincided with a military campaign.

The Georgian attacks, according to the group's findings, were perpetrated by Russian criminal groups and had no clear link to the Russian government. However, the timing of the attacks, just hours after the Russian military incursion began, suggests the Russian government may have at least indirectly coordinated with the cyberattackers, Mr. Bumgarner's report concluded.

"Russian officials and the Russian military had nothing to do with the cyberattacks on the Georgian Web sites last year," said Yevgeniy Khorishko, a spokesman at the Russian Embassy in Washington.

The USCCU plans to release a nine-page report on the attacks to the public on Monday.

Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information stolen from a person in France.

The 10 sites were used to coordinate the "botnet" attacks, which harnessed the power of thousands of computers around the world to disable the Georgian government sites as well as those of large Georgian banks and media outlets. The botnet attack commandeered thousands of other computers and instructed them to try to access the target Web sites all at once, overwhelming them.

The Russian and Turkish computer servers used in the attacks had been previously used by cybercriminal organizations, according to the USCCU.

Early reports last year pinned the attacks on the cyber equivalent of the Russian mafia, known as the "Russian Business Network." Mr. Bumgarner said it wasn't possible to connect the attacks directly to that group. Security experts disagree on whether the group still exists.

Some of the software used to carry out the attacks was a modified version of Microsoft code commonly used by network administrators to test their computer systems, Mr. Bumgarner found. The code remains freely available on Microsoft's Web site, he said, declining to name it.

A Microsoft spokesman declined to comment on the finding because he hadn't seen the report.

Once the botnet attacks had launched, Mr. Bumgarner said, other would-be attackers noticed them and started to collaborate on various Web forums, including Twitter and Facebook.

Mr. Bumgarner used data-mining tools to review Facebook pages (which some people don't keep private) and Twitter for certain Russian words that indicated they were likely involved in the attack. He saw users on those sites and others swapping attack code and target lists, and encouraging others to join.

"It's a difficult problem to handle," said Facebook spokesman Barry Schnitt, because it is impossible to detect such collaboration without monitoring conversations. Facebook has mechanisms to verify user identities and users can report inappropriate activities on the site, he said, but it doesn't monitor communications of its users.

Twitter didn't respond to requests to comment.

—Jessica E. Vascellaro contributed to this article.

Write to Siobhan Gorman at siobhan.gorman@wsj.com

Jul 26, 2009

Chinese Hack Film Festival Site

Chinese hackers have attacked the website of Australia's biggest film festival over a documentary about Uighur leader Rebiya Kadeer.

Content on the Melbourne International Film Festival site was briefly replaced with the Chinese flag and anti-Kadeer slogans on Saturday, reports said.

In an earlier protest on Friday, Beijing withdrew four Chinese films.

Melbourne's The Age newspaper says private security guards have been hired to protect Kadeer and other film-goers.

She is due to attend the screening of Ten Conditions of Love, by Australian documentary-maker Jeff Daniels, on 8 August.

'Vile language'

Chinese authorities blame Kadeer, leader of the World Uighur Congress, for inciting ethnic unrest in Xinjiang - charges she denies.


Earlier this month, around 200 people died and 1,600 were injured during fighting in the region between the mostly Muslim Uighurs and settlers from China's Han majority.

Kadeer, 62, spent six years in a Chinese prison before she was released into exile in the US in 2005. In 2004, she won the Rafto Prize for human rights.

Richard Moore, head of the Melbourne International Film Festival, told the BBC that he had come under pressure from Chinese officials to withdraw the film about Kadeer and cancel her invitation to the festival.

He said the attacks on the festival's website began about 10 days ago.

"We've been subjected to a number of these attacks and we can see behind the scenes on our website that there are hundreds, well, if not thousands, of people from outside of Australia trying to get into our website and trying to damage us," Mr Moore told the BBC's World Today programme.

"This has been going on... since obviously the call from a Chinese consular official who told me in no uncertain terms that I was urged to withdraw this particular documentary from the film festival and that I had to justify my actions in including the film in our programme," he went on.

"Hey, we're an independent arts organisation and it's our programme!"

He said police were investigating the website attacks, which appear to come from a Chinese internet address.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/entertainment/8169123.stm

Published: 2009/07/26