AUSTRALIA will create its first national cyber strategy to confront the growing threat posed by electronic espionage, theft and state-sponsored cyber attack, with one of the country’s most respected public servants revealing his department endures ”daily” electronic intrusions.
The announcement of the creation of Australia’s first cyber white paper comes as Google revealed it has discovered sophisticated attacks on hundreds of users of its email service, Gmail, aimed at stealing their passwords and monitoring their email.
The Google intrusion was traced back to China and the hundreds of users targeted included officials from the US departments of State and Defence as well as the US Defence Intelligence Agency.
The cyber white paper announcement will be made by the Attorney-General, Robert McClelland, at a cyber security function in Sydney today.
The policy document, to be released in the first half of next year, will seek to create an overarching strategic response to the myriad cyber threats the country faces in the 21st century.
Drawn up by the Department of Prime Minister and Cabinet, the paper will also call for public involvement via a discussion paper to be released next month.
The announcement comes the day after one of Australia’s most respected public servants, the Secretary of the Department of Foreign Affairs, Dennis Richardson, told a Senate committee his department was the daily target of cyber attacks.
”I doubt whether there would be a 24-hour period in which you wouldn’t get something,” said Mr Richardson, who was also the head of ASIO from 1996-2005.
”They can be anything ranging from skilled kids seeing what they can do, to sophisticated hackers getting a kick out of it, through to attempted espionage,” he said.
From foreign spies using the web to steal state secrets and vital economic information, through to organised criminals involved in identity theft or ”hactivists” shutting down or defacing websites for political ends, the growth of the cyber threat is unprecedented.
The white paper will seek to confront the problem by outlining a unified response to the threats posed to government, private industry and the public.
”Cyber is increasingly part of our international relationships with our friends, allies and neighbours across the world, and underpins our broader national interests and indeed our national security,” Mr McClelland will tell the gathering, according to a copy of the speech provided to the Herald yesterday.
”We have the opportunity to work together with the rest of the world to promote cyberspace as a place of increased prosperity and openness.”
In 2009 the government declared cyber security ”one of Australia’s top-tier national security priorities”. The US Defence Department takes the threat so seriously it has designated cyber as the fifth sphere of war – after land, sea, air and space.
While Australia has yet to make that symbolically important move, the Defence Department has previously told the Herald the issue is being ”closely examined”.
Units dedicated to fighting the cyber threat have also sprung up in recent years, with Defence creating the Cyber Security Operations Centre and ASIO creating a cyber espionage branch.
Earlier this week the US took its latest step forward, with the Wall Street Journal reporting that the Pentagon’s formal cyber strategy, due to be released in July, will declare that computer sabotage can constitute an ”act of war”.
When asked about this concept in an interview with the Herald earlier this week, the incoming Chief of the Defence Force, David Hurley, cast doubts on whether computer sabotage can be considered an act of war.
”One of the real difficulties in cyber is attribution of actions to countries. Just because something emanates from a country, it could be very difficult to attribute to the country because of the various paths it can take to get to your network,” he said.
”It’s part of the discussion we’re all having, and if you declare it as an act of war, what are the consequences of that? … I don’t think we’re all signed up to a common thinking about that yet.”
Cyber espionage and foreign interference pose serious threats to Australia’s national security, the federal attorney-general says.
‘The next ten years will undoubtedly see a marked intensification of this activity,’ Robert McClelland told a Sydney summit discussing the decade since the attacks of September 11, 2001.
Mr McClelland pointed to recent prominent cyber attacks such as Ghostnet, which infected computers belonging to the office of the Dalai Lama and Stuxnet which brought Estonia to a virtual standstill.
‘These attacks and the threat to critical infrastructure such as banking, telecommunications and government systems is not something we can be complacent about,’ he said on Tuesday.
The Australian government has made cyber security a top national security priority and is investing to significantly enhance Australia’s cyber security capabilities, he added.
The global and interconnected nature of the internet means the threat extends beyond nations.
‘For this reason it is critical that laws designed to combat cyber threats are harmonised, or at least compatible to allow for international co-operation,’ Mr McClelland told the conference hosted by the United States Studies Centre.
The government is seeking to strengthen international arrangements by moving to accede to the Council of European Convention on Cybercrime.
This is the only binding international treaty on this ‘significant threat’, he said.
‘(Accession to the convention) will help Australian agencies to better prevent, detect and prosecute cyber intrusions.’
The most frequent comment I see on stories reporting some new dramatically successful phishing attack is from an overly nearly well-informed technophile who thinks people who fall for phishing schemes are just stupid.
Despite a success rate so high it’s become standard operating procedure for Chinese military and government cyber-espionage groups, people who respond to phishing e-mails are treated like they’re one walker-assisted step above the elderly shut-ins who send money to help Nigerian princes and ministers of finance mysteriously down on their luck.
If only the stupid fell for phishing scams the successful attacks against companies with sophisticated security — Google, Lockheed Martin, HB Gary, PayPal, various other U.S. military and intelligence agencies — would have been able to shut down the breaches quickly. Others with security at least as good — CitiBank, Bank of America, AOL, Western Union — wouldn’t have to send out alerts every 10 minutes warning people that they weren’t sending out alerts, so don’t mail in your usernames and passwords.
Phishing works, for the same reason grifting works — given a set of facts that seem to fit all their expectations and experience, and the opportunity to either help out a co-worker or profit from something that’s very little trouble for them, most people will take the risk. (See also “4 Security Tips Spurred by Recent Phishing Attacks on Gmail, Hotmail, and Yahoo”).
Phishing e-mails are addressed to far too broad an audience to really fool anyone into thinking an e-mail is from a friend or coworker.
Spear-phishing is different. Spear phishers use the same kind of research, target identification and individually designed approach spymasters use in trying to identify, approach, and successfully recruit foreign nationals into betraying the interests of their country.
The goal isn’t to find a weakness and exploit it — through blackmail, bribery or what have you. It’s to find some specific person and present them with an e-mail that has all the information they need to support their assumption that it’s a perfectly legitimate request from someone they know.
Spear-phishers “first look for who could be the high-value targets of an enterprise — Human Resources personnel who might have access to passwords or personal data, a system administrator who is listed on LinkedIn with a detailed resume describing what he does for the company,” according to Manoj Srivastava, chief technical officer at security-software company Cyveillance.
“Then they go to Facebook, MySpace, Twitter — any social network or forum or other site that could give them information about that person that could be used against them. If they can find pictures the person, or a friend of the person posted on Facebook, the e-mail could look like it came from a friend named in the pictures and be labeled ‘Pictures from the picnic,’ with a malicious payload in the attachments or at the URL the picture links point to,” Srivastava said.
“With enough research on someone with some amount of information about themselves online, an email can very convincingly look like it came from a friend. The idea is not to raise any suspicions,” he said.
Often just the research is enough to turn up enough information to open the firewall a crack — spoofing the e-mail of an employee well enough to get someone inside the firewall to open the message and launch a file or click a link that turns out to contain malware that lets the cracker in.
Antivirus designed to catch malware coming in through email might not catch it being downloaded from a link clicked from inside, a fake application “update” or other vector, according to a March report from NSS Labs showing even good antivirus systems fail when the malware tries to come in through several different entry points.
Cyveillance, among other services that all depend on extensive, real-time examination and analysis of online scams, runs an antiphishing anti-spam service designed to identify potential high-risk e-mail by looking not at the falsified e-mail address, but the request inside the message.
“You have to look at the links and evaluate the level of risk based on whether it is asking that secure information inside the firewall be sent outside using links or sites that may not be secure,” he said.
Successful spear-phishing is not just Google searching and manipulative e-mail-writing, either.
When members of Anonymous hacked HB Gary — the highly regarded security company whose CEO had bragged he was going to bring down the leaders of the hactivist group — they started with a SQL injection attack on HB Gary’s web site, and the low-security content-management system used to run the site.
The SQL injection let Anonymi download the user database from the CMS — including e-mail addresses and hash-encrypted passwords for employees.
If all HB Gary’s employees had used long or difficult passwords, the Anonymi would have been stuck for weeks trying to decrypt the passwords using rainbow tables.
Unfortunately the hashing was relatively simple, as were the passwords used by both the CEO and COO.
Anonymous cracked passwords for the two used them to log into the company’s Google Apps email system and use the CEO’s administrator privileges to reset the passwords for all the other users on the system.
That gave them access to all the e-mail, in which they found passwords and other information they used to create an e-mail that looked, in its lack of capitalization and punctuation, shorthand references to servers and login methods, authentic enough to look to the security specialist in charge of HB Gary’s most valuable data store to ask him to open a hole in the firewall for them to run through.
ArsTechnica’s step-by-step story about the attack includes text of the e-mail chain, which would bore anyone stupid who didn’t know it was Anonymous on one end of the request rather than the legitimate user.
At no point does the security specialist who was taken in look either stupid or stupidly trusting. The request and subsequent exchange are more detailed and technical than most password-repair requests from end users, in fact — requests that are fulfilled in their tens of thousands every day by people in IT.
The amount of trouble the Anonymi went to to crack HB Gary is way out of line with what would make sense for most companies.
Most of us rely for our sense of safety on either anonymity or degree of difficulty. We’re safe from physical or digital attack (mostly) because we’re each one of relatively indistinguishable hundreds of millions online.
We know someone targeting one of us individually could crack us more easily than Anonymous cracked HB Gary, but why go to the trouble?
You and I might not be worth the trouble. Lockheed Martin is. So is each person within it whose combination of online personal data, job description and access to potentially valuable authentication data would make them an attractive potential entry point.
Successful cracks don’t depend on millions of generic e-mails. Ideally they could use just one apiece, directed at just the right person, using just the right amount of corroborating information and context, appearing to come from the right person’s e-mail address or other source.
Why wouldn’t you help someone like that? Perhaps it’s part of your job to do exactly that.
Walk through a couple of spear-phishing exploits and the victims don’t look stupid anymore.
In fact, the attackers look smarter, and the rest of us look a lot more vulnerable.
The office of Victorian Deputy Premier Peter Ryan is refusing to comment on reports an adviser to the minister has been under surveillance by the police watchdog.
A ministerial adviser to Mr Ryan has been named in reports in The Age and Herald Sun newspapers as a target of surveillance by the Office of Police Integrity (OPI).
Mr Ryan, also Police Minister, is on compassionate leave from parliament and was unable to be contacted on Saturday, but his spokeswoman said the OPI operated without influence by politicians.
“Matters to do with the OPI are strictly matters for the OPI,” she said.
“They have the powers they have, they do as they do, we are outside of that process,” the spokeswoman said.
The OPI on Friday admitted they had Sir Ken Jones, one of Victoria’s most senior policeman, under surveillance following complaints.
A media report had earlier revealed the surveillance was underway, and Sir Ken’s wife and supporters had also been targeted.
Sir Ken had a rocky relationship with the police Chief Commissioner, Simon Overland.
Mr Overland forced Sir Ken to go on leave three months early after Sir Ken announced his resignation in May.
Victoria’s Police Association has said Mr Overland used his friendship with OPI’s deputy director, Paul Jevtovic, to influence the OPI to commence the investigation.
It is thought the ministerial adviser allegedly bugged by the OPI was a supporter of Sir Ken.
OTTAWA (AFP) – Canada’s spy chief warned Tuesday that state-sponsored espionage against this country has reached “levels equal to, or greater than those witnessed during the Cold War.”
Richard Fadden, director of the Canadian Security Intelligence Service, said in a report presented to parliament on Monday that foreign governments “continue to covertly gather political, economic and military information” in Canada through diplomatic missions, various organizations and by recruiting agents or informants.
A number of state-owned enterprises and private firms with close ties to foreign government or intelligence services have also pursued “opaque agendas” through investments in Canada.
“Canadian interests have been damaged by espionage activities through the loss of assets and leading-edge technology, leakage of confidential government information or applications, and the coercion and manipulation of ethno-cultural communities,” the report said.
Dubious foreign corporate acquisitions, it said, also “pose potential risks” related to critical infrastructure, control over strategic sectors and the illegal transfer of technology.
The report goes on to explain that Canada’s “open society with strong international relationships and advanced industries such as telecommunications and mining — make it attractive to foreign intelligence agencies.”
Its membership in the North Atlantic Treaty Organization and other multilateral and bilateral defence pacts, and close ties to the United States also make the country an attractive target for espionage, it said.
In the post-Cold War world, state actors are compelled to seek ways of remaining competitive both strategically and economically, the report said.
“As a world leader in communications, biotechnology, energy extraction technologies, aerospace and other areas, Canada remains an attractive target for economic espionage,” it said.
