Thursday, October 23, 2008

How to prevent cyber espionage


Security expert Gadi Evron has plenty of experience helping governments fight cyber attacks. In this column, he offers a roadmap companies can use to prevent computer espionage.


This column is about computer-based espionage and how we can defend our organizations against it. But I'd like to start with a mood piece of sorts.

There has been too much noise about information warfare lately. Distributed denial of service and defacement attacks like what happened in Estonia and Georgia come to mind.

The following two stories give a better understanding of what it is really about, without resorting to more scary stories about what China is or isn't doing. We'll also touch on other interesting cases such as the Israeli Trojan horse case, when we talk about defensive measures against computer-based espionage and targeted attacks.

The first is a report (without much detail or proof) on North Korea being involved in operations against South Korea using Trojan horses for espionage. The second is a lesson from history called the Farewell Dossier - a collection of intelligence documents KGB defector Colonel Vladimir Vetrov (code-named Farewell) handed over to NATO during the Cold War.

This information led to a mass expulsion of Soviet technology spies. The CIA also mounted a counter-intelligence operation that transferred modified hardware and software designs over to the Soviets, resulting in the spectacular trans-Siberian incident of 1982, in which a huge explosion ripped apart a trans-Siberian pipeline. The resulting explosion was so big, it was supposedly confused for a nuclear explosion by American decision makers until the CIA said, "Oh, that's one of our operations."

It wasn't a bomb that destroyed the natural gas pipeline and sent shock waves through the economy of what was then the Soviet Union. Instead, it was a software virus created by the CIA, according to a book by Thomas Reed, a former US Air Force secretary and National Security Council member.

What does this mean? Destructive attacks are certainly significant and important to defend against, because they affect us directly regardless of who the attacked party is or where in the world they are (DDoS attacks harm the Internet and its users). But smarter, quieter attacks are all around us. How do we defend against them?

I expect most information warfare acts to be targeted, quiet, and covert. Espionage, or spying if you like, is not relevant to us unless we are the target. The diplomats and the intelligence communities of different countries can figure it out for us. It is an old occupation, and well covered by international law. Computers are simply another tool, or capability, to be used by these same people. There is nothing new here as far as how the game is played.

And yet, what if you are a target?

Recognizing there is a threat

You may have to defend against computer-based espionage for your own employer. Recent case studies, as well as research, have shown industrial espionage is indeed a big deal, and here are two examples:

One famous case from a few years ago, which I had the unfortunate opportunity to study as the lead incident response guy for the government, is the Israeli Trojan horse case.

Leading IT companies (most of which were local Israeli branches of Fortune 100 companies) were spied on using a Trojan horse built by an incompetent programmer, leaving traces of itself everywhere on the affected systems. This went on for a long period of time, undetected by any of these companies.

The issue was only detected by chance when the creator of the Trojan horse used it for his own private purposes and was discovered during an investigation into a harassment incident. The stolen information was fed directly to their competitors, which was most of the rest of the Israeli IT industry. The services themselves were rendered by civilian intelligence and investigation firms.

In another Israeli case, the attackers broke into a local branch of the post office (also a small bank in Israel) and placed a wireless gateway connected to a switch inside. Through it they stole a few tens of thousands of Shekels in the few days they were in operation. This case was also broken by complete chance.

In other cases, intelligence agencies for various countries such as France have been spying on their own to make sure their own local companies have an edge competing with companies from other countries.

Here is an interesting quote from "The Industrious Spies, Industrial Espionage in the Digital Age":

"This transition fosters international tensions even among allies. 'Countries don't have friends, they have interests!' screamed a DOE poster in the mid-1990s. France has vigorously protested US spying on French economic and technological developments - until it was revealed to be doing the same."

Defending against computer-based espionage

For the purpose of defense, while I'd certainly hope for more resources (read: a larger budget) and would change my focus on where I apply them, there is no inherent difference between defending your organization from computer-based espionage and protecting it against any Joe Hacker.

In espionage, the attacker has more resources, both technical and operational.

Some of what I would do differently

I'd concentrate more of my resources on network behavior analysis (unfortunately, not many tools exist for it, so good network security analysts are the main alternative), as well as on social engineering training and procedures.

Further, I'd prioritize cooperation with the physical security part of the organization, and HR (for personnel screening).

I'd also consider putting up a good deterrent as a cyber security policy, both to add to the attacker's risk and increase their cost.

First, I'd make myself too difficult a target and let people know about it. Second, I'd invest anything I can spare in monitoring my network for anomalies and security incidents, starting with mapping what my network actually looks like. This might add to the risk for opponents who can't afford to be caught, and scare them off. Covertness is the name of the game, or they would have come through the front door.
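The two steps above, mapping what the network normally looks like and then watching for departures from that map, can be shown in a small baseline-then-deviate script. This is an added example, not code from the column or from Gadi Evron; the flow records, hosts and addresses are constructed (the remote addresses come from the RFC 5737 documentation ranges), the per-host rules (new peer, unmapped host, outbound volume above mean plus three standard deviations of the baseline days) are my own choice of thresholds, and a real deployment would feed it NetFlow, IPFIX or firewall logs instead of the inline sample.

```python
"""Baseline-then-deviate network behaviour analysis over flow records.

Added example (not from the column): map the network from a baseline
period, then flag hosts whose behaviour departs from that map.
All flows below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int        # observation day, used to aggregate daily volumes
    src: str        # internal host
    dst: str        # remote peer
    dst_port: int
    bytes_out: int  # bytes sent from src to dst


def build_baseline(flows):
    """Map the network: for each internal host, the peers it talks to and
    its daily outbound byte totals over the baseline period."""
    peers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        peers[f.src].add((f.dst, f.dst_port))
        daily[f.src][f.day] += f.bytes_out
    return {
        host: {"peers": peers[host], "daily_bytes": list(daily[host].values())}
        for host in peers
    }


def volume_threshold(daily_bytes):
    """Mean + 3 sigma of the host's daily outbound volume. If the volume never
    varied during the baseline, fall back to double the usual total so a
    constant host still gets a non-zero allowance."""
    m = mean(daily_bytes)
    sd = pstdev(daily_bytes)
    return m + 3 * sd if sd > 0 else 2 * m


def detect_anomalies(baseline, window_flows):
    """Compare one observation window (e.g. one day) against the baseline.
    Returns a sorted list of (host, reason) pairs for an analyst to review."""
    findings = set()
    window_total = defaultdict(int)
    for f in window_flows:
        window_total[f.src] += f.bytes_out
        if f.src not in baseline:
            # A source that never appeared while mapping: unknown device or rogue box.
            findings.add((f.src, "unmapped host: no baseline for this source"))
            continue
        if (f.dst, f.dst_port) not in baseline[f.src]["peers"]:
            findings.add((f.src, f"new peer {f.dst}:{f.dst_port}"))
    for host, total in window_total.items():
        if host in baseline and total > volume_threshold(baseline[host]["daily_bytes"]):
            findings.add((host, f"outbound volume {total} exceeds baseline threshold"))
    return sorted(findings)


# Constructed baseline: five quiet days. 10.0.0.5 talks to a file server and one
# web service at a constant rate; 10.0.0.7 talks to the web service with mild drift.
BASELINE_FLOWS = []
for day in range(1, 6):
    BASELINE_FLOWS += [
        Flow(day, "10.0.0.5", "10.0.0.10", 445, 1000),
        Flow(day, "10.0.0.5", "203.0.113.8", 443, 2000),
        Flow(day, "10.0.0.7", "203.0.113.8", 443, 500 + 100 * day),
    ]

# Constructed observation window (day 6): 10.0.0.5 suddenly pushes 50 KB to a peer
# it has never contacted, and an unmapped host 10.0.0.9 appears on the network.
WINDOW_FLOWS = [
    Flow(6, "10.0.0.5", "10.0.0.10", 445, 1000),
    Flow(6, "10.0.0.5", "203.0.113.8", 443, 2000),
    Flow(6, "10.0.0.5", "198.51.100.77", 443, 50000),
    Flow(6, "10.0.0.7", "203.0.113.8", 443, 900),
    Flow(6, "10.0.0.9", "203.0.113.8", 443, 100),
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for host, reason in detect_anomalies(baseline, WINDOW_FLOWS):
        print(f"{host}: {reason}")
```

Run as-is it reports three findings: two for 10.0.0.5 (a never-seen peer and a volume far above its baseline) and one for the unmapped 10.0.0.9, while 10.0.0.7 stays quiet because its 900 bytes sit inside its historical spread. The point is the order of operations the column gives: the baseline is the map, and without it none of the three rules has anything to compare against.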

Entering an "industrial espionage defense" clause into your budget or creating a five-year plan to better protect your organization from organized industrial espionage may just get you a larger budget to cope with your organization's security needs.

Do you have something you'd do differently from (or in addition to) regular security practices when facing espionage from organized hackers? Any experience or thoughts are welcome.

Saturday, June 21, 2008

Google accused over privacy law

Privacy groups are accusing Google of violating California law in its reluctance to provide a direct link to its privacy policy on its homepage.

The search engine giant is being asked to write the word "privacy" alongside other information links.

"It's a short, seven-letter word and in the world of privacy it's a very important word," said Beth Givens of Privacy Rights Clearinghouse.

Google says its policy is easy to find and it gives "accessible information".

'Not rocket science'

The issue has been building momentum following a series of blogs in the New York Times questioning Google's compliance with the California Online Privacy Protection Act of 2003.

The law requires any commercial website that collects personal information about its users to "conspicuously post its privacy policy on its website".

Google maintains that it already does and that its privacy policy can be found by going through its search engine or by clicking on "About Google".

In a conference call, a coalition of privacy organisations told journalists that was not good enough and that it had written to Google.

The groups involved include the Electronic Privacy Information Centre, the World Privacy Forum, Consumer Action, the Electronic Frontier Foundation and the ACLU of Northern California.

Ms Givens, of Privacy Rights Clearinghouse, said: "I went through the exercise of finding [Google's] privacy policy and it's not easy. It's not intuitive and it's not a couple of clicks. You have to work at it.

"The Google privacy policy prints out to five pages. It's something I think they would be proud to point to. It's a hefty privacy policy."

Mark Rotenberg of the Electronic Privacy Information Centre in Washington said: "This is not rocket science. The word 'privacy' is not going to take up a lot of space on the Google homepage."

'Constructive dialogue'

The groups told the BBC that writing to Google publicly was not an exercise in naming and shaming but aimed at getting Google to act in compliance with the law.

"We want to open a constructive dialogue with Google," said Pam Dixon of the World Privacy Forum.

"I think this is a reasonable approach. We have sent a reasonable letter. It is a letter without a 'gotcha' quality."

Mr Rotenberg added: "Our hope is that this can be quickly resolved."

Google admits that privacy information should be easy to access and understand, and says it believes it fulfils that requirement.

In its statement, the company said: "In addition to offering a Privacy Centre with our privacy policy and other important information, we also created a YouTube privacy channel with videos explaining our practices and products."

The company says it "ran an ad campaign to draw consumers to our privacy information, posted several blogs that explain our privacy practices in detail and posted detailed frequently-asked questions to help consumers understand the complex aspects of privacy".

Trade agreement could hit privacy

Internet law professor Michael Geist examines the shift from locking down content to locking down the network.

Last week, negotiators from countries such as the United States, European Union, Japan, and Canada huddled at the US Mission in Geneva to negotiate the Anti-Counterfeiting Trade Agreement (ACTA).

The ACTA, which was shrouded in secrecy until a leaked summary of the agreement appeared on the internet last month, has sparked widespread opposition as many worry about the prospect of a trade deal that could lead to invasive searches of personal computers and increased surveillance of online activities.

While internal ACTA discussions began in as early as 2006, the trade negotiations only came to the public's attention last autumn when several governments simultaneously revealed their intention to participate in the negotiations.

Since the announcement, most governments have tried hard to keep the negotiations below the public's radar screen. Both the US and Canadian governments launched public consultations earlier this year that revealed little about the form or substance of the proposed treaty.

European negotiators provided a brief report on last week's negotiations, yet most of the details remain hidden from public view.

Diminished privacy

In recent weeks, fears about the ACTA have spilled into the political arena. In Canada, opposition Members of Parliament have raised concerns in the House of Commons and Toronto-area Liberal MP Bob Rae blogged that it "augurs a ridiculously intrusive national and international apparatus to police practices that are as common as eating and breathing."

With another round of talks set for next month in Japan, participating governments should use the opportunity to lift the veil of ACTA secrecy. Trade negotiators may prefer to remain outside of the spotlight, yet greater transparency is desperately needed.

Public disclosure of the draft documents might put an end to fears about iPod searching border guards by clarifying the full scope of the treaty.

Moreover, it could focus attention on other key concerns including greater internet service provider filtering of content, heightened liability for websites that link to allegedly infringing content, and diminished privacy for internet users.

Greater transparency would also lead to a more inclusive process. To date, the ACTA negotiations have excluded both civil society groups as well as developing countries.

Pharmaceutical fraud

In fact, reports suggest that trade negotiators have been required to sign non-disclosure agreements for fear of word of the treaty's provisions leaking to the public.

Given the need for cooperation from all stakeholders to battle counterfeiting concerns, an effective strategy requires broader participation and regular mechanisms for feedback.

An open ACTA also promises to increase the effectiveness of anti-counterfeiting activities.

For example, there is general consensus that law enforcement and regulators should prioritize health and safety concerns that arise from counterfeit pharmaceutical activities.

Protecting the public from pharmaceutical fraud requires a comprehensive approach, including confiscation of counterfeit and expired drugs, regulatory action against unsafe marketing claims, and assurances that consumer health will not be placed at risk due to the withholding of relevant research data.

If the leaked ACTA information is accurate, the current draft adopts a much more limited approach by focusing on confiscating drugs, thereby leaving the public vulnerable to pharmaceutical fraud.

With the ACTA speculation at a fever pitch, there is a sense that both the US and European Union are anxious to conclude negotiations by the end of the year.

The public should express reservations about this aggressive timeline and insist that all parties open the ACTA now.

Law Lords consider UK hacker case

Extraditing a Briton accused of the "biggest military computer hack of all time" to the US would be an abuse of proceedings, the law lords have heard.

Lawyers for Glasgow-born Gary McKinnon told the House of Lords US authorities had warned him he faced a long jail sentence if he did not plead guilty.

The systems analyst is accused of gaining access to 97 US military and Nasa computers from his London home.

Known as Solo, he was arrested in 2002 but never charged in the UK.

John Reid, home secretary at the time, granted the US extradition request.

His lawyers told London's High Court last year that he was subject to improper threats and extradition would breach his human rights.

Two judges found no grounds for appeal.

'Longer sentence'

At the House of Lords on Monday, David Pannick QC, representing Mr McKinnon, said US authorities had warned his client he faced a life sentence rather than a couple of years in jail unless he agreed to plead guilty and to extradition.

Without co-operation, the case could be treated as a terrorism case, which could result in up to a 60-year sentence in a maximum security prison should he be found guilty on all six indictments.

With co-operation, he would receive a lesser sentence of 37 to 46 months, be repatriated to the UK, where he could be released on parole and charges of "significantly damaging national security" would be dropped.

A US embassy legal official quoted New Jersey authorities saying they wanted to see him "fry".

'No threat'

Mr Pannick said it was not disputed that the courts could refuse to extradite people if they considered there had been an abuse of process.

Mr McKinnon has never denied accessing the computer networks between February 2001 and March 2002.

He said he was motivated by curiosity and only managed to get into the networks because of lax security.

Clare Montgomery QC, representing the Home Secretary, argued that no threats were made and that the extradition should go ahead.

Judgment is expected within three weeks.

Blogger arrests hit record high

More bloggers than ever face arrest for exposing human rights abuses or criticising governments, says a report.

Since 2003, 64 people have been arrested for publishing their views on a blog, says the University of Washington annual report.

In 2007 three times as many people were arrested for blogging about political issues as in 2006, it revealed.

More than half of all the arrests since 2003 have been made in China, Egypt and Iran, said the report.

Jail sentence

Citizens have faced arrest and jail for blogging about many different topics, said the World Information Access (WIA) report.

Arrested bloggers exposed corruption in government, abuse of human rights or suppression of protests. They criticised public policies and took political figures to task.

The report said the rising number of arrests was testament to the "growing" political importance of blogging. It noted that arrests tended to increase during times of "political uncertainty", such as around general elections or during large scale protests.

Jail time followed arrest for many bloggers, said the report, which found that the average prison sentence for blogging was 15 months. The longest sentence found by the WIA was eight years.

It acknowledged that the true number of bloggers arrested could be far higher than the total it found as, in some cases, it proved hard to verify if an arrest had taken place and on what grounds.

For instance, it said the Committee to Protect Bloggers has published information about 344 people arrested in Burma - many of whom are thought to be bloggers - but the WIA could not verify all the reports.

It also noted that many nations, perhaps as many as 30, imposed technological restrictions on what people can do online. In nations such as China this made it difficult for people to use a blog as a means of protest.

The report pointed out that it is not just governments in the Middle East and East Asia that have taken steps against those publishing their opinions online. In the last four years, British, French, Canadian and American bloggers have also been arrested.

The report predicted that the number of blogger arrests in 2008 would exceed the 36 seen in 2007 thanks to greater popularity of blogging as a medium, greater enforcement of net restrictions, and elections in China, Pakistan, Iran and the US.