WIRED: Attempts to bring down vital infrastructural systems can also inflict collateral damage, writes DANNY O'BRIEN
LAST WEEK, a work colleague received an invitation to attend the Nobel Peace Prize ceremony in Sweden. It came from somebody he didn’t know well, but whom I know personally, so it wasn’t exactly a mail out of the blue. I’ve also met the founder of the organisation whose signature appeared on the invitation, which was attached to the e-mail as an Adobe PDF document.
Did he accept? Certainly not. He didn’t even click to open the attachment. He threw the message into the e-mail equivalent of quarantine, and I set about analysing who had really sent it, and to what end.
Are we paranoid? Perhaps, but we were right. The “invitation” was a fake, personalised to our organisation, the Committee to Protect Journalists, and sent by an attacker. Had he opened the attachment, a piece of malicious software would have been installed on his machine, allowing it to be remotely controlled – apparently from a server located in Bengbu, China.
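The triage described above, keeping the attachment quarantined and inspecting it rather than opening it, can start with a keyword scan of the PDF. What follows is an added example written for this page, not the author’s or the Committee to Protect Journalists’ own tooling, and the two sample documents inside it are constructed for the illustration. It counts the name objects that malicious PDFs rely on (automatic actions, JavaScript, launch actions, embedded files) and decodes the #xx name escapes that attackers use to hide those keywords from a naive text search.

```python
"""Triage a PDF attachment without opening it.

Added illustration (not the author's or CPJ's tooling): a first pass over a
quarantined attachment that counts the PDF name objects malicious documents
rely on. The sample documents below are constructed for this example; they
are not the Nobel invitation.
"""
import re
from typing import Dict, List

# Name objects that warrant a closer look. /OpenAction and /AA trigger actions
# automatically; /JavaScript, /JS, /Launch and /EmbeddedFile are the usual
# vehicles for exploit code or a dropped payload; /ObjStm can hide any of the
# above inside a compressed object stream that this plain scan cannot see into.
SUSPICIOUS_NAMES = [
    b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
    b"/EmbeddedFile", b"/ObjStm", b"/RichMedia", b"/XFA",
]

# PDF allows any byte of a name to be written as #xx, so /J#61vaScript is the
# same name as /JavaScript. Attackers use this to dodge naive string matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Replace #xx escapes with the byte they encode."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes, decode_escapes: bool = True) -> Dict[str, int]:
    """Count each suspicious name. A name ends at whitespace or a delimiter,
    so /JS must not match the start of a longer name."""
    if decode_escapes:
        data = normalise_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        counts[name.decode()] = len(re.findall(pattern, data))
    return counts


def triage(data: bytes) -> List[str]:
    """Return findings for a human to act on. An empty list means nothing
    obvious, not that the file is safe: exploit code may sit in a compressed
    stream that a keyword scan cannot read."""
    findings = []
    # Readers accept the header anywhere in the first 1024 bytes.
    if b"%PDF-" not in data[:1024]:
        findings.append("no %PDF- header in the first 1 KiB: not a plain PDF")
    decoded = count_names(data)
    raw = count_names(data, decode_escapes=False)
    if decoded["/OpenAction"] or decoded["/AA"]:
        findings.append("auto-run action on open (/OpenAction or /AA)")
    if decoded["/JavaScript"] or decoded["/JS"]:
        findings.append("embedded JavaScript")
    if decoded["/Launch"]:
        findings.append("/Launch action: can start an external program")
    if decoded["/EmbeddedFile"]:
        findings.append("embedded file: possible dropped payload")
    if decoded["/ObjStm"]:
        findings.append("object streams: keywords may be hidden in compressed objects")
    if decoded != raw:
        findings.append("keywords hidden behind #xx name escapes: deliberate obfuscation")
    return findings


# Constructed samples for this example (not real documents).
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.6\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, triage(sample) or ["nothing obvious"])
```

A clean result is a reason to keep the file quarantined and look further (for instance by inflating any compressed object streams), not a reason to open it; the point of the scan is to decide quickly which attachments deserve a sandbox or an analyst’s time.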
I spoke to the supposed sender of the invite. He hadn’t mailed it, though he knew about it. He had already received hundreds of replies from strangers wanting to know if it was legitimate – or worse, thanking him for the offer.
Who was the real sender? Whoever it was had gone to a lot of effort. This was no casual phishing or spam e-mail. The fake invitation was a carefully doctored version of a similar, private invitation that had been sent to a single Chinese dissident, and the recipient list contained dozens of human rights activists across the world.
The Nobel invitation was just one of a flurry of cyber-attacks that have coincided with the award of the prize to Chinese dissident Liu Xiaobo. Last month, the prize’s own website was compromised and, for a few hours, any visitor using Firefox on Windows could have been infected with similar malware simply by loading the page.
A few days after our dodgy e-mail, Amnesty’s Hong Kong website was commandeered for the same purpose.
It’s natural to assume that the Chinese government, which has already expressed its displeasure at this year’s award, is behind these attacks. Proving a direct link to the Chinese state is another matter, though. The level of expertise varies wildly: some of the attacks are ultra-sophisticated, while others use hacking tools that are well known and easily defended against.
State spycraft is not usually this blatant. Compare the Stuxnet worm, a peculiar piece of malware that security researchers increasingly believe was crafted by a government to attack parts of the Iranian nuclear programme. Stuxnet spread like an ordinary worm but did nothing unless it found itself on a machine running the Siemens software used to program a particular family of industrial controllers. If it did, it injected a specific set of commands that those decoding the worm now believe were aimed at sabotaging frequency converter drives, such as those used in uranium enrichment.
On the internet, the trails that lead to the manipulator of these invasive programs quickly run cold. We know that Stuxnet is oddly well-engineered for a virus, but we don’t know if it really was aimed at the Iranians. By contrast, we know that my Nobel invite was aimed at critics of the current Chinese regime, but we don’t know much about who wrote it. The software that created it is available to anyone with a fair amount of computer knowledge and the motive.
What I think it is reasonable to conclude, however, is that malware has ceased to be simply the tool of common-or-garden criminals. It’s increasingly becoming adapted for far more wide-ranging, if just as malicious, ends.
Countries such as the United States are already preparing to defend themselves against geopolitically motivated attacks conducted over the internet. America’s “Cyber Command” has been given a budget of $139 million to defend the country’s military and intelligence infrastructure. But the internet has not been a military theatre for years; it is a civilian space. Right now, individual human rights activists are among the front-line cannon fodder in the West for these “cyber-attacks”, and it is unlikely that any US cyber-security initiative will do much to help them.
In fact, the very existence of a military cyber command will probably put them at greater risk, by making it more acceptable to every nation to treat hacking attacks as fair game.
What we need is to solve the real problem. The problem is not that criminals and spooks create dangerous software that infects our computers. It is that this software works. We need to concentrate on the home front, fixing the crummy security of the software we all run, and making it so that no bad actors, whether they’re foreign agents, street criminals, or even our own governments’ shadier elements, can abuse anyone’s computers for their own ends.
Maybe that’s something governments can fund, or maybe it’s down to computer companies – and we as individuals – taking this problem more seriously.
I know that human rights groups are getting used to these cyber-attacks, and are increasing their understanding of computer security to protect themselves. They run anti-virus software, and scan incoming mail now. They keep their software up-to-date, and quickly compare notes rather than keeping their suspicions to themselves.
Computer companies and politicians need to wake up to the fact that the truly vulnerable online aren’t the nuclear power stations or those on military networks. It’s their own customers, their own voters. It’s obvious that something bad is going to target those users soon. We shouldn’t have to wait for an invitation to that disaster before we act on it.