Raising a Botnet in Captivity

To catch a criminal, sometimes you have to think like one.

So researchers on the trail of cybercrooks who use armies of infected computers, known as botnets, to send out spam e-mail or to attack websites are building botnets of their own. Fortunately, the new approach is being tested using a high-powered computing cluster that is safely isolated from the Internet.

“We set up what we thought would be the closest to a botnet in the wild,” says Pierre-Marc Bureau, a researcher with computer security firm ESET, part of the project led by a team at Ecole Polytechnique de Montreal with collaborators at Nancy University, France, and Carleton University, Canada. “To our knowledge, this is the first such realistic experiment,” he says.

Over 3,000 copies of Windows XP were installed on a cluster of 98 servers at Ecole Polytechnique. Each virtual computer system was wrapped in software that linked it up to the others as if it were an individual computer connected to the Internet or a local network. Every system was also infected with the Waledac worm, a piece of now well understood and largely vanquished software that at the start of 2010 was estimated by Microsoft to control hundreds of thousands of computers and to send out 1.5 billion spam messages a day.

The team mimicked the control structure needed to take charge of a Waledac botnet, in which a central command-and-control server sends orders to a handful of bots that then spread those instructions to other machines.

In recent years, researchers have developed techniques to eavesdrop on live botnet communications and even to inject messages into these communications. Building a complete botnet in an experimental environment allows much more freedom, though, says Bureau. “When you experiment on a live botnet, you may provoke a bad reaction from its owner that harms infected machines,” he explains, and then “you are also potentially controlling the machines of innocent users, which has ethical and legal problems.”

Having their own botnet also gave the researchers the luxury of being able to observe it inside and out as it operated normally or was attacked by someone trying to disable the network, and also to run multiple trials that yielded statistically significant results.

It was, Bureau says, something of a challenge to convince the owner of a cluster worth around $1 million that installing malware onto it was a good idea.


Lebanon ‘Israeli spy device’ find

Photo: Alleged Israeli spying device in Sannine (Lebanese Army, 15 December). Caption: The devices were concealed in fake rocks.

The Lebanese army has said it has dismantled two Israeli spy systems planted in the mountains above Beirut.

The army said it was alerted to the long-range surveillance devices by the Shia Islamist movement, Hezbollah. One of the devices bore writing in Hebrew.

Meanwhile, an explosion in the southern port of Sidon late on Wednesday sparked reports of a possible Israeli attempt to destroy a third device there.

Israel denied any involvement, saying there had been “no unusual activity”.

Fake rocks

On Wednesday, the Lebanese army released a statement saying troops had located two sophisticated, Israeli-made surveillance devices in the mountains of Sannine and Barouk, north and south of the capital, Beirut.

Pictures on the army website showed devices concealed inside large fake rocks on the slopes of the mountains.

The system found in Sannine included a camera, a device to send images and a third to receive signals, the army said.

The device found in Barouk was “more complicated”, it added.

Photo: Alleged Israeli spying device in Barouk (Lebanese Army, 15 December). Caption: The army urged citizens to inform it about any suspicious objects they found.

The system was placed at a height of 1,715m and made up of two artificial boulders.

One boulder contained equipment for transmitting and receiving signals, which covered the towns of the western and central Bekaa Valley – a Hezbollah stronghold – towns in southern Lebanon, and parts of Syria.

It had the ability to communicate with wireless transmission stations in Lebanon and the Palestinian territories, the army said.

The other boulder contained a large number of batteries which would have provided power for the equipment for a number of years, it added.

One picture showed a device bearing the words “mini cloud” in Hebrew, along with the name of the manufacturer – “Beam Systems Israel Ltd” – in English.

Photo: Alleged Israeli spying device in Barouk (Lebanese Army, 15 December). Caption: One picture showed a device bearing the words “mini cloud” in Hebrew.

The army said it planned to remove the cameras and urged citizens to inform authorities about any suspicious objects they found.

Earlier this month, Hezbollah said it had discovered an Israeli device spying on its private telecommunications network.

In a speech late on Wednesday, Hezbollah leader Sheikh Hassan Nasrallah said underground Israeli spy radars were sending pictures “day and night”.

He told supporters that Hezbollah was ready to fight any Israeli attack on Lebanese sovereignty, despite internal divisions over a UN-backed tribunal investigating the 2005 assassination of former Lebanese Prime Minister Rafik Hariri.

More than 100 people in Lebanon have been arrested since last year on suspicion of collaborating with Israel.

Hezbollah fought a 34-day war against Israel in 2006 that left 1,200 Lebanese and 160 Israelis dead. Lebanon and Israel remain officially in a state of war.

Israel and the US have accused Syria of helping Hezbollah rearm. Earlier this year, Damascus denied it was supplying Scud missiles to the group.


Congress Hears WikiLeaks Is ‘Fundamentally Different’ From Media

The Justice Department would have no problem distinguishing WikiLeaks from traditional media outlets, if it decides to charge WikiLeaks founder Julian Assange with violating the Espionage Act, a former federal prosecutor told lawmakers Thursday.

“By clearly showing how WikiLeaks is fundamentally different, the government should be able to demonstrate that any prosecution here is the exception and is not the sign of a more aggressive prosecution effort against the press,” said Kenneth Wainstein (pictured at right), former assistant attorney general on national security, during a House Judiciary Committee hearing about WikiLeaks and the Espionage Act on Thursday.

The hearing was the first to publicly address WikiLeaks. It consisted of testimony from legal scholars and attorneys as well as former Green Party presidential candidate and consumer advocate Ralph Nader. Testimony focused primarily on whether the 1917 Espionage Act should be revised to make it easier to prosecute recipients of classified information.

But Wainstein’s remarks, coming from a former prosecutor, hint at arguments the Justice Department is likely to make if it proceeds with prosecuting Assange under the existing Espionage Act.

Wainstein was addressing the strong First Amendment challenges that would arise if the government prosecutes Assange for publishing classified information. Free-press defenders say if WikiLeaks can be charged with espionage for publishing such information, there is no reason why a similar prosecution couldn’t be lodged against other news organizations for publishing similarly classified or sensitive information.

But Wainstein said that WikiLeaks has shown itself to be fundamentally different in three ways and is therefore vulnerable to prosecution.

While traditional media outlets focus on publishing newsworthy information to educate the public, WikiLeaks focuses on obtaining and disclosing any official secrets. The media also gather news about sensitive areas of government operations through investigative reporting, he said, while WikiLeaks uses encrypted digital drop boxes to encourage disclosures of sensitive government information and circumvent laws prohibiting such disclosures.

The media also typically limit disclosures only to sensitive information that specifically relates to a particular story deemed to be of public importance, Wainstein said. WikiLeaks, however, releases troves of documents with little or no regard for their relevance.

In his written statement to the committee (.pdf), Wainstein also cited Assange’s oft-quoted remark that he “enjoy[s] crushing bastards” as evidence that his release of sensitive information is “more personal rather than simply a public-minded agenda.” Furthermore, WikiLeaks’ distribution of an encrypted “insurance” file, containing secrets that would be revealed if anything happens to Assange, “reflects a willingness to use his leaked documents for extortion and personal protection rather than simply to advance the values of transparency and public awareness,” Wainstein argued.

Washington’s hand-wringing over WikiLeaks comes as the organization continues to publish from its leaked trove of 250,000 U.S. State Department cables. Unlike earlier releases, the cables are appearing slowly — only 1,600 have been published thus far — and each cable has been read by a journalist, with some names of U.S. diplomatic sources redacted.

Some of the witnesses at the hearing pointed out that many of the cables published so far have contained information that should not have been classified and took aim at the government’s routine over-classification of documents.

“The suppression of information has led to far more loss of life, jeopardization of American security, and all the other consequences now being attributed to WikiLeaks and Julian Assange,” Nader said.

Gabriel Schoenfeld, a senior fellow at the Hudson Institute, indicated that as a result of so much secrecy, leaks to the press had become one of the primary ways for the public to be kept informed about what its government is doing.

He criticized WikiLeaks, however, for being reckless in the releasing of what he called LMD – “leaks of mass disclosure.” Such leaks are “so massive in volume and indiscriminate” that it becomes difficult to assess the overall level of harm they might cause, he said.

Talk also turned to the so-called Shield Act, which Congress has been mulling as an amendment to the Espionage Act. The amendment would make it illegal to publish the names of informants who provide information to the military and intelligence agencies.

However, Geoffrey Stone, a law professor at the University of Chicago Law School, said the amendment, as it currently stands, would be unconstitutional if applied to nongovernment persons, as it would suppress their right to free speech.

Photo: Kenneth Wainstein
Courtesy National Criminal Justice Reference Service


Spy techniques can elicit useful intel

If you really want to know why the project you and your team just put six months of your life into ended in disaster, this guy can help.

Peter Earnest is a former CIA spy master who knows how to get information from people or – as he and his co-author call it – use elicitation techniques. Which is a nice way of describing the science of interrogation by way of conversation.

In their new book “Business Confidential: Lessons for Corporate Success from Inside the CIA,” Earnest, who worked for the CIA 36 years and is now executive director of the International Spy Museum, and business writer Maryann Karinch, explain how techniques of our national espionage and intelligence services apply to business success.

The section on gathering intelligence and collecting information on people gets to the heart of getting to the bottom of who did what and what was said. The authors offer up verbatim psychological approaches that may be more productive than the typical post-mortem meeting taking place in companies every day.

Perhaps these approaches, which involve “flattery, criticism and using the leverage of someone’s emotions,” can be put to work in your office.

For instance, if you are a manager trying to get to the bottom of why the deal of the century fell apart, instead of “Who dropped the ball on this?” you might try “direct questioning” which would sound like this: “What signs did you notice that the deal was falling apart?”

Or there’s the “emotional appeal”: “Your concern for your team has always been evident, so just do what’s best for them. Tell me what went wrong so everyone can learn from it.”

There’s always the when-all-else-fails “futility” proposition: “I don’t see any way for you to get out of this mess without your career taking a hit. Why don’t you tell me what happened with the project. Maybe I can make some sense of it.”

The “fear down” overture: “You seem very upset about the failure of the project. Don’t worry. Just calm down and we’ll figure this out and fix the problems.”

The “pride and ego down” approach: “I think you’ve been slipping lately, but maybe other members of the team are making you look bad. Tell me exactly what happened with this project.”

Or the “we know all” position: “A few of the team members have sent me e-mails about the project, so I have a pretty good idea of what went on. Tell me what you think happened here.”

The “silence” approach: “Have a seat. Let’s talk about the project.” Then you say nothing, waiting for the person to start blurting things out. Yes, silence is that awkward.

Your technique for obtaining information in business “will be shaped by whether you want an operational relationship or just a quick bit of information from someone you may never see again,” the authors say.

For example, you can simply throw someone a bone – which is giving information to get it. I must say, I find this technique a bit underhanded. Nonetheless, it goes like this:

You say, “There was a proposal talked about at such-and-such meeting” – knowing darn well the proposal was shot down. But you don’t mention that fact.

“When you talk about something that seems to be confidential, that sense of quid pro quo often takes hold,” they say.

Sneaky stuff? Perhaps. But these techniques, based on an understanding of human nature, can get to information without being threatening. Which goes to show that the intelligence mindset used in the world of espionage can also have value in the world of business.

Andrea Kay is the author of “Work’s a Bitch and Then You Make It Work: 6 Steps to Go From Pissed Off to Powerful.” Send questions to her at 2692 Madison Road, #133, Cincinnati, OH 45208; www.andreakay.com or www.lifesabitchchangecareers.com. She can be e-mailed at: andrea [at] andreakay [dot] com.


Report of FBI back door roils OpenBSD community

Allegations that the FBI surreptitiously placed a back door into the OpenBSD operating system have alarmed the computer security community, prompting calls for an audit of the source code and claims that the charges must be a hoax.

The report surfaced in e-mail made public yesterday from a former government contractor, who alleged that he worked with the FBI to implement “a number of back doors” in OpenBSD, which has a reputation for high security and is used in some commercial products.

Gregory Perry, the former chief technologist at the now-defunct contractor Network Security Technology, or NETSEC, said he’s disclosing this information now because his 10-year confidentiality agreement with the FBI has expired. The e-mail was sent to OpenBSD founder Theo de Raadt, who posted it publicly.

“I cashed out of the company shortly after the FBI project,” Perry told CNET today. “At that time there were significant legal barriers between domestic law enforcement and [the Department of Defense], and [this project] was in clear violation of that.” He said the project was a “circa 1999 joint research and development project between the FBI and the NSA,” which is part of the Defense Department.

The OpenBSD project, which was once funded by DARPA but had its funding yanked in 2003 for unspecified reasons, says that it takes an “uncompromising view toward increased security.” The code is used in Microsoft’s Windows Services for Unix and firewalls including ones sold by Calyptix Security, Germany’s Swapspace.de, and Switzerland’s Apsis GmbH.

In national security circles, it’s an open secret that the U.S. government likes to implant back doors in encryption products.

That’s what the FBI proposed in September, although it also claimed that the crypto-back doors would be used only through a legal process. So did the Clinton administration, in what was its first technology initiative in the early 1990s, which became known as the Clipper Chip.

(Photo credit: Openbsd.org)

If implemented correctly using a strong algorithm, modern encryption tools are believed to be so secure that even the NSA’s phalanxes of supercomputers are unable to decrypt messages or stored data. One report noted that, even in the 1990s, the FBI was unable to successfully decrypt communications from some wiretaps, and a report this year said it could not decrypt hard drives using the AES algorithm with a 256-bit key.

E.J. Hilbert, a former FBI agent, indicated in a note on Twitter last night that the OpenBSD “experiment” happened but was unsuccessful.

The Justice Department did not respond to a request from CNET yesterday for comment.

NETSEC, the now-defunct contractor, boasted at the time that it was a top provider of computer security services to the Justice Department, the Treasury Department, the National Science Foundation, and unnamed intelligence agencies. A 2002 NSF document (PDF) says NETSEC was “a contractor that NSF utilizes for computer forensics” that performed an investigation of whether data “deleted from an internal NSF server” amounted to a malicious act or not.

A snapshot of the NETSEC Web page from August 2000 from Archive.org shows that the company touted its close ties with the NSA. The founders created the company to build “upon practices developed while employed at the National Security Agency (NSA) and Department of Defense (DoD), the methodologies utilized at NETSEC today are widely regarded as the best anywhere,” it says.

On the OpenBSD technical mailing list, reaction was concerned but skeptical. One post suggested that the best way to insert a back door would be to leak information about the cryptographic key through the network, perhaps through what’s known as a side channel attack. (A 2000 paper describes that technique as using information about the specific implementation of the algorithm to break a cipher, in much the same way that radiation from a computer monitor can leak information about what’s on the screen. Secure environments use TEMPEST shielding to block that particular side channel.)

A 1999 New York Times article written by Peter Wayner about the Clinton administration’s encryption policies, which quoted Perry about OpenBSD, noted that “the Naval Research Lab in Virginia is using OpenBSD as a foundation of its new IPv6 project.”

Perry told CNET that he hired Jason Wright “at NETSEC as a security researcher, he was basically paid to develop full time for the OpenBSD platform.” In the e-mail to de Raadt, Perry added that “Jason Wright and several other developers were responsible for those back doors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.”

Wright’s LinkedIn profile lists him as a “senior developer” at the OpenBSD project and a cybersecurity engineer at the Idaho National Laboratory, and previously a software engineer at NETSEC. He did not respond to a request for comment.

A decades-long push for back doors

While the OpenBSD allegations may never be fully proved or disproved, it’s clear that the federal government has a long history of pressing for back doors into products or networks for eavesdropping purposes. The Bush administration-era controversy over pressuring AT&T to open its network, in apparent violation of federal law, is a recent example.

Louis Tordella, the longest-serving deputy director of the NSA, acknowledged overseeing a similar project to intercept telegrams as recently as the 1970s. It relied on the major telegraph companies, including Western Union, secretly turning over copies of all messages sent to or from the United States.

“All of the big international carriers were involved, but none of ’em ever got a nickel for what they did,” Tordella said before his death in 1996, according to a history written by L. Britt Snider, a Senate aide who became the CIA’s inspector general.

The telegraph interception operation was called Project Shamrock. It involved a courier making daily trips from the NSA’s headquarters in Fort Meade, Md., to New York to retrieve digital copies of the telegrams on magnetic tape.

Like the eavesdropping system authorized by President Bush, Project Shamrock had a “watch list” of people in the U.S. whose conversations would be identified and plucked out of the ether by NSA computers. It was intended to be used for foreign intelligence purposes.

Then-President Richard Nixon, plagued by anti-Vietnam protests and worried about foreign influence, ordered that Project Shamrock’s electronic ear be turned inward to eavesdrop on American citizens. In 1969, Nixon met with the heads of the NSA, CIA and FBI and authorized a program to intercept “the communications of U.S. citizens using international facilities,” meaning international calls, according to James Bamford’s 2001 book titled “Body of Secrets.”

Nixon later withdrew the formal authorization, but informally, police and intelligence agencies kept adding names to the watch list. At its peak, 600 American citizens appeared on the list, including singer Joan Baez, pediatrician Benjamin Spock, actress Jane Fonda, and the Rev. Martin Luther King Jr.

Another apparent example of NSA and industry cooperation became public in 1995. The Baltimore Sun reported that for decades NSA had rigged the encryption products of Crypto AG, a Swiss firm, so U.S. eavesdroppers could easily break their codes.

The six-part story, based on interviews with former employees and company documents, said Crypto AG sold its compromised security products to some 120 countries, including prime U.S. intelligence targets such as Iran, Iraq, Libya and Yugoslavia. (Crypto AG disputed the allegations.)