digital knowledge. digital culture. digital memory.

Showing posts with label infosec. Show all posts

7.9.08

From traditional hackers to PacCERT


New to this blog? Why not subscribe to its feed or sign up for free email updates?

I thought that I would post this piece that formed part of my half-day workshop on information security at PacINET 2008 in the Cook Islands. My slides were almost the same set that I used last year in Honiara.

Historically speaking, information security is not new. There is evidence of people protecting and, of course, attacking information in all cultures as far back as there is a historical record. If we take early missionary accounts in Fiji, for example, as containing at least a kernel of truth, we find that access to spiritual information was a closely protected monopoly of a priestly class. The confidentiality, integrity, and availability of information from the world beyond – which was extremely valuable information about the weather, the future, the correct course of action, and many other things – were strictly limited to established priests who seem to have been kept under close control by the chiefs.

However, even pre-European contact Fiji had its hackers. Living at the fringes of Vitian society were (and still are in remote areas) medicine men and witches who could also tap into spiritual information. Their status as relative social outsiders made them either an enemy or a counter-balance to the priestly information monopoly. Some witches and medicine men could even hack (I mean, influence) the spiritual world and alter the confidentiality, integrity, or availability of information to priests.

Even the technology-focused information security that jumps to mind when we hear terms like infosec has very old and mostly military roots, going back in Europe to before the time of Christ. One perspective that is used in military, governmental, and business circles today is that information security forms the defensive aspect of information warfare – that is, the part of information warfare that is concerned with protecting information assets. A much-repeated example is the claim that in the first Gulf War in 1991 the USA disabled Iraqi air defence computers with a virus smuggled in on dot matrix printers (see Dorothy Denning, Information Warfare and Security, 1999). That story traces back to an April Fools' column from 1991 and is generally regarded as apocryphal, but it illustrates well what an attack on the defensive side of information warfare would look like.

Of course, with the rise of the personal computer and the Internet in recent history, information security has become much more than a military concern. With the growth of the so-called information economy has come an equal and predictable growth of information crime, leading to some staggering statistics, including a 2005 estimate that the cost of computer crime in the USA exceeded the size of the combined economies of all the nations in the South Pacific.

I have been quoted in the past as saying that despite all of the fascinating mathematics and technology that underlie modern infosec, information security is fundamentally a very human discipline. Certainly, no one likes to have money stolen from them, but increasingly information security is focusing on our privacy, our public personae, our collective identity, our fundamental rights, and even our legal identity.

Fiji's anti-government bloggers, who are only able to voice their (all too often slanderous) opinions due to technology which assures their anonymity, are playing a role in shaping the future of Fiji and the region. Only time will tell how significant that role is. However, anonymous political activists everywhere should be wary of the behavior of America's Internet giants in repressive regimes, as they are not always on your side. The most striking example is the case of the activist Shi Tao who was essentially handed over to Chinese authorities by US-based Yahoo. Yahoo, and other international firms, have agreed to work with Chinese authorities in order to gain access to the immense Chinese market.

Information security even has a role in protecting the function of entire nations. Take the case of Estonia, a small former Soviet republic on the coast of the Baltic Sea with a population of around 1.3 million people. In the spring of 2007, Estonia moved a certain Russian war memorial to a location more desirable to Estonians but less desirable to Russian nationals living both in and out of Estonia. Soon, various blogs were posting instructions on how to wage a denial of service attack against Estonian institutions, and a little while later this attack was in full swing, bringing down government and financial sector systems across the tiny maritime nation. Should this story concern other, perhaps more tropical, small maritime nations who are rushing to get their institutions online? The answer is a resounding, "Yes".

Still, one of the largest challenges facing information security today is the heady combination of social engineering and user ignorance. Many computer criminals have discovered that hacking just does not pay off as well as simply fooling people into giving up either their money (to help move funds out of Nigeria on behalf of a poor widow, for example) or enough information to get to their money. To give a somewhat trivial example, I have never received so many chain emails from people I know since I came to Fiji – and I was part of the first wave of Internet users in Canada. It goes without saying that nations with large populations of new Internet users are more at risk.

Technology policy makers in the South Pacific should indeed be worried by all of this. By joining the global information economy, the region is embarking on an enterprise that is as fraught with danger and as ripe with rewards as the great Melanesian and Polynesian migrations of days past. Fortunately, it is not necessary to sail the seas blind – technology policy navigators need only to look across the ocean to the experiences of other nations to see what problems to expect and which solutions are effective.

10.3.08

Franck Martin and myself interviewed on email security



Fijilive has run a story on email security based on interviews with Franck Martin of PICISOC and myself. Here is an excerpt.

While email is an extremely useful technology, it is not very secure, warns Chris Hammond-Thrasher, the author of the Digital Fiji Blog, dfiji.blogspot.com . And he suggested that the best advice to follow is "to always assume that all of your emails are being read by others".
[Emails are not so secure: experts, Fijilive, March 9, 2008]
That's right, email is not secure - it never has been. You do not need to dream up elaborate hacking plots to explain Hunter's emails getting out into the wild.
Why would they [hackers] take weeks to plan a sophisticated attack if they can just trick you into giving them your password or key, or if they can take advantage of a well known software flaw on a server that has not been updated for a couple of months? ... He cites the dangers of the common practice of "writing your password on a sticky note on your PC, leaving your PC unattended while you are logged into email and other services, and allowing others to watch over your shoulder while you type in your password".
The mystery of how Hunter's email was stolen is the biggest non-story in Fiji ICT news.

Photo by: juiceboxgasoline


27.2.08

ICT, information warfare, and the RFMF




Note to RFMF readers: I would be very interested in hearing your comments on this post.

The Royal Fiji Military Force (RFMF) recently posted a document entitled Commander's Intent 2008 on their website. This statement of intent forms a kind of strategic plan for the RFMF for 2008 and beyond. It is broken up into three main sections:
  • One section dealing with "Good Governance in the RFMF", including issues such as policy and legal compliance, formal planning, and budgetary restraint;
  • One section that is a kind of environmental scan of the current internal and external situation in Fiji, including social and economic pressures, race relations, regional security, and a survey of the RFMF's "competition" within Fiji, "there had been a move to replace the RFMF with a reinvigorated and robust police force," and in the region including Commonwealth forces recruiting soldiers away from the RFMF; and
  • A large section outlining the Commander's strategic ideas for the coming year.
I was curious to see what this document would say, if anything, about ICT in general and information warfare in particular. In the environmental scan section the document makes the following optimistic statement about Fiji's ICT potential, "Technologically, Fiji can be the Singapore of the region." Only to burst that bubble in the very next sentence, "Unfortunately we continue to lag behind badly and this has affected our ability to grow like Singapore." No additional information is provided about who we are lagging behind, what is the cause of the lag, nor how said lag can be overcome.

ICT is referred to explicitly three additional times in the list of actions that the RFMF is considering in 2008.
  • "Improve logistic support system,"
  • "Develop a modern reliable and secure communications system," and
  • "Develop a computerization and IT system for the RFMF."
While these seem valuable strategic activities, it should be understood that these three are nearly lost in a lengthy list of 50 actions that are under consideration for the 2008 budget. Clearly, ICT is not high on the military priority list. Let's examine each of these in turn.

LSS
While I do know a thing or two about electronic procurement, I am the first to admit that I know nothing about logistics support systems (LSS); and I am not familiar with what the RFMF currently has deployed. Certainly they will need to equip their logistics personnel with computers, wireless equipment, and assorted electronic inventory management apparatus - not to mention training - in order to take full advantage of a modern LSS.

Secure Communications
My informal survey of civilians who have had email contact with RFMF officers revealed two facts. First, RFMF officers use free email accounts from US vendors (i.e. Hotmail, Yahoo, etc.), at least to communicate with civvies. Using these American services makes spying on RFMF communication quite simple for US intelligence services, not to mention the risk due to the notorious insecurity of these services. Still, this is not a problem as long as these free accounts are limited to unclassified communications only. There is a mail exchanger (MX) registered for RFMF email addresses pointing to a server operated by Connect. Could this be the military's current/future secure mail server?

Second, my survey revealed that RFMF officers do not have Internet access in RFMF facilities and that officers must leave their bases in order to access the net. However, this cannot be entirely true. For one thing, there is a webmaster's Unwired email address posted at the bottom of the RFMF home page. This indicates that there is at least one wireless modem in RFMF facilities around the country. For another, according to an issue of the RFMF newsletter, there is an Internet Cafe located at QEB.
"Our soldiers are so fortunate to be given this opportunity especially the Other Ranks and they will no longer go to town because we now have our own, and I would urge them to make good use of it," said the Commander Land Forces.
[Internet cafe to boost troops' interoperability, Mataivalu News, Feb. 2007, p13]
The newsletter states that soldiers can purchase Internet access cards in $5, $10, and $15 denominations.

Of course, there is a lot more to digital military communications than email, but one must walk before one can run.

IT
In terms of establishing a state of the art military ICT infrastructure, the RFMF clearly has some challenges to overcome and room to grow. It will be difficult to establish such an infrastructure when the organization seems much more focused on the purely physical side of soldiering. While the Commander's intent does mention the "changing nature of warfare", a phrase that evokes the increasing importance of information warfare and asymmetric conflict, the bulk of the 50 potential action items listed in this document involve enhancing the RFMF's physical operational capabilities. Of course, military forces often conceal their information warfare capabilities under headings such as signals intelligence, cryptology, and system and network attack and defense - could there be more beneath the surface?

Absent?
In terms of ICT, what is missing from the Commander's statement of intent? There is no mention of plans to develop the RFMF's capacity to wage offensive or defensive information warfare. There is no mention of how the RFMF plans to compensate for the high-tech support and training that they used to receive from the Australian and New Zealand forces. There is no mention of plans to use private contractors to shore up the RFMF's high-tech expertise, such as the Indian hackers rumored to have been employed last year or the consultations with FINTEL experts over anti-government bloggers. There is no mention of investing in media and public affairs training for officers.

As I have written about before, Fiji's current crisis is not a traditional military conflict, but rather a battle for the supremacy of ideas - the new ideas of the interim regime vs. the old ideas of the Qarase government. Fiji's current crisis is a 4th generation warfare (4GWF) conflict, where the focus is not on physically outmaneuvering one's opponent, but rather on winning the battle for public opinion. To quote Kim Taipale,
4GWF is political war -- superior political will, when properly employed, can defeat greater economic and military power... In 4GWF conflicts, nonmilitary instruments of power (information) trump military solutions (warfare, technology, and firepower). Information constrains the exercise of kinetic power but kinetic power cannot constrain information power.
[Seeking Symmetry in Fourth Generation Warfare: Information Operations in the War of Ideas. March 2006]
The possibility that political will could overcome the RFMF's monopoly on military power in Fiji should be a concern. Yet most of the activities under consideration, other than winning "the hearts and minds of the local population through professionalism," are purely 3GWF considerations - that is focused on informed, flexible, and rapid physical deployment of military force.

To be successful with its cleanup campaign, the RFMF needs to win a conflict where the battlespace is bounded by communications technologies (including Fiji's ineffable but very effective coconut wireless) and the content of the stories that these technologies communicate. To be successful, it is in this battlespace, the informationspace, that the RFMF needs to increase its operational capacity. [Note: This morning's Fiji Times reports that the interim government is reviving the National Security Council and the Fiji Intelligence Services. Does this signal a change in focus or are these purely civilian initiatives?]

By way of conclusion I offer two quotations - one from a Russian Major-General and one from the most wanted man in the world - both of whom understand 4GWF better than anyone in the Pacific.
"We are approaching a stage of development when no one is a soldier anymore but everyone is a participant in combat action. The task now is not to inflict losses in men and material but to thwart an enemy's plans, demoralize it, undermine its worldview, and destroy its intrinsic values."
[Maj. Gen. G.A. Berezkin, Deputy Head of the Russian Federation Defense Ministry Center of Military-Technical Information Studies, in Lessons from the war in Iraq, Military Thought (May 1, 2003). Quoted in Taipale.]

"It is obvious that the media war in this century is one of the strongest methods; in fact, its ratio may reach 90% of the total preparation for the battles."
[Osama bin Laden, 2002. Quoted in Taipale.]

Photos by: soldiersmediacenter

17.12.07

Secret messages - thinking about cryptology



The history of secrecy is as old as the history of ideas. Whether for reasons of war, religion, power, jealousy, or, of course, love, people of every culture have always found reasons to keep secrets. Of course, keeping a secret is not difficult until you try to communicate it to someone else. What if someone overhears you whispering the secret? Or worse, what if the secret message is intercepted by an assailant and does not even reach the intended recipient?

[Figure: Simple model for secure communication between Alice and Bob, with adversary Eve attempting to view the romantic missive]

Historical attempts to foil Eve's efforts have fallen into three categories:
  • Physically secure the message from access by anyone except its intended recipients. This could include hand delivering a love note to your sweetie at school, hiring a bonded courier to transport contract drafts burned on CDs to your business partner, or hiring an armored car to take a bank vault combination to the main branch for safe keeping. In other words, do not let Eve get her hands on it.
  • Use steganography - conceal the message in some other innocuous message. This includes communicating messages in innocent looking classified ads in the newspaper, hiding digital signals in what sounds like background noise on telephone calls, or embedding messages in otherwise normal JPEG, MP3, or other files using steghide. [try it!] In other words, do not let Eve know that a secret is being transmitted.
  • Mathematically encrypt the message in such a way that it is difficult for an adversary to recover the original message even if she gains access to the entire encrypted message. In other words, even if Eve gets the message, make it difficult for her to decode it. An early example is the substitution cipher used by Julius Caesar to protect military orders, which simply shifts every letter a fixed number of places along the alphabet. Today, message encryption has become a sophisticated military practice and is the cornerstone of the modern banking and e-commerce industries. It is the greatest asset of political activists in oppressive regimes and the scourge of law enforcement and national security forces when fighting online threats.
It is this final approach - the mathematical approach to protecting information, the field of cryptology - that I would like to investigate in the next few blog posts. How does it work? What if criminals or enemies of the state use it?

Icons by: Mark James
Photo by: dirtyfeet

28.11.07

Online freedom baby, yeah!




I was surprised to see Everyone's guide to by-passing Internet censorship for citizens worldwide as the first item under Information Management on UNESCO's Open Training Platform - an online repository of open license training materials.

To quote from the source:

This guide is meant to introduce non-technical users to Internet censorship circumvention technologies, and help them choose which of them best suits their circumstances and needs.

Everyone's guide to by-passing Internet censorship for citizens worldwide is a great guide for those who want to use the Internet anonymously, or circumvent filtering on their LAN or WAN, or help others to circumvent filtering in their country or organization, or all three. It contains clearly worded advice and has URLs for numerous free and commercial solutions including, to name but a few:
Internet users who desire freedom of expression and intellectual freedom should read this guide. Similarly, law enforcement organizations should read this guide as the same tools and tactics are used by online criminals.

Photo by: Norma Desmond

20.11.07

Do you read your server logs?



Cardboard PC? by kenwood
Do you read your server logs? I admit that I only read them rarely. Let's face it, they are pretty dull and repetitive. Most sensible administrators - those who do not find reading syslogs eight times a day to be rewarding - will use some sort of log monitoring tool to let them know if anything interesting is going on. My favorite would be logwatch and I have also used swatch in the past. However, these and other fine tools, even after very careful and time consuming configuration, are prone to raising alarms when there is really nothing to see. And these false positives lead, over time, to the cry-wolf syndrome. You just stop listening to the alarms. Or you configure the monitoring tool to ignore potentially interesting information just to shut it up.

One of the systems that I am responsible for is an old Compaq/HP Tru64 Unix box. Tru64 has among its features an alarm that is tripped if too many log entries are made to the system binary log in a short period of time. Recently, we received this alarm stating that over 500 log entries had been made in a one minute period. I immediately thought that one of the drives was dying a most unwelcome death again. However, when I checked the log, it turned out that some IP at a Spanish university (names withheld to protect the guilty) had made over 1000 attempts to brute force the root password via ssh in a two minute period (try THC-Hydra). Of course, root logins via ssh were disabled (check that PermitRootLogin is set to no in your sshd_config) and the root password is very strong anyway, so no harm was done.
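The Tru64 alarm above fires on the raw rate of log entries, which is why a dying disk and a password-guessing run look the same to it. A detector that keys on the source address and the "Failed password" message can tell the two apart and avoid the cry-wolf problem. The following is an added example, not code from the original post: it parses OpenSSH-style syslog lines and raises an alert when one address racks up more than a threshold of failures inside a sliding one-minute window. The log lines are constructed for the example and use RFC 5737 documentation addresses, not a real attacker.

```python
"""Detect SSH password brute-forcing in auth log lines.

Added example, not from the original post. The sample log is constructed
in OpenSSH's syslog format; 203.0.113.9 and 198.51.100.7 are documentation
addresses (RFC 5737), not real hosts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# OpenSSH failure line, e.g.
# "Nov 20 03:14:07 host sshd[1234]: Failed password for root from 203.0.113.9 port 40122 ssh2"
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)'
)

Event = Tuple[datetime, str, str]  # (timestamp, source ip, target user)


def build_sample_log() -> List[str]:
    """Constructed log: one successful login, a 40-attempt root brute force from
    203.0.113.9 at one attempt every 3 seconds, and two honest typos from a
    legitimate user at 198.51.100.7."""
    base = datetime(2007, 11, 20, 3, 14, 0)
    lines = ["Nov 20 03:13:58 tru64 sshd[4010]: Accepted publickey for chris "
             "from 198.51.100.7 port 52110 ssh2"]
    for i in range(40):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%b %d %H:%M:%S} tru64 sshd[{4100 + i}]: Failed password "
                     f"for root from 203.0.113.9 port {40000 + i} ssh2")
    lines.append("Nov 20 03:15:10 tru64 sshd[4200]: Failed password for chris "
                 "from 198.51.100.7 port 52120 ssh2")
    lines.append("Nov 20 03:15:14 tru64 sshd[4201]: Failed password for chris "
                 "from 198.51.100.7 port 52121 ssh2")
    return lines


def parse_failures(lines: List[str], year: int = 2007) -> List[Event]:
    """Extract (timestamp, ip, user) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one."""
    events: List[Event] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['ip'], m['user']))
    return events


def find_bruteforce(events: List[Event], threshold: int = 10,
                    window_seconds: int = 60) -> Dict[str, dict]:
    """Sliding-window count of failures per source IP.

    Returns {ip: {'count', 'first', 'last', 'users'}} for every IP that reached
    `threshold` failures within any `window_seconds` span, keeping the largest
    burst seen for that IP."""
    alerts: Dict[str, dict] = {}
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    for ts, ip, user in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        # Drop attempts older than the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(ip)
            if prev is None or len(q) > prev['count']:
                alerts[ip] = {'count': len(q), 'first': q[0][0], 'last': ts,
                              'users': sorted({u for _, u in q})}
    return alerts


if __name__ == "__main__":
    for ip, a in find_bruteforce(parse_failures(build_sample_log())).items():
        print(f"ALERT {ip}: {a['count']} failures between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S} against {', '.join(a['users'])}")
```

Two legitimate typos from one address never reach the threshold, so nothing fires for them, while the attacker trips the alert within the first minute. The alert record (first and last timestamp, targets, source address) is exactly what the abuse email in the next paragraph needs.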

But an attack is an attack, and even if revenge is not possible, at least some action should be taken to reduce the likelihood of recurrence. How can you do that? Let the attacker and the attacker's ISP know that you detected the attack and are motivated enough to do something about it. Hackers, whether pimply-faced script kiddiez or hardened criminals, are lazy and risk-averse and prefer to go after easy prey. If you detected this attack, you might detect others in the future. If you write a complaint email, you might call the police or at least your lawyer next time. How do you find your assailant's ISP? Through the controversial whois database.

After a couple of whois queries (try Sam Spade if you don't want to use the command line), I was able to contact the abuse email of the assailant's institution. Within 24 hours, they acknowledged receipt of my email. Within 48 hours they sent me an email stating that they had contacted the owner of the offending IP and were closing the trouble ticket. While I would like to have seen the assailant suffer in front of my own eyes, this is probably the best resolution that I could hope for. After all, the break-in was not successful and no damage was done other than wasting my time - not to mention the fact that Fiji has no cybercrime legislation, nor has a computer crime (or attempted computer crime) ever gone before Fiji's courts.

Photo by: kenwood


22.8.07

Security and Pacific technology policy



The following is derived from my workshop on Information Security at PacINET 2007. My slides are available on SlideShare.

Historically speaking, information security is not new. There is evidence of people protecting and, of course, attacking information, information systems, and the flow of information in all cultures as far back as there is a written record. If we take early missionary accounts in Fiji, for example, we find that access to spiritual information was a closely protected monopoly of a priestly class. The confidentiality, integrity, and availability of information from the world beyond – which included extremely valuable information about the weather, the future, the correct course of action, the afterlife, and many other things – were strictly limited to established priests who held a close relationship with the local chief.

However, even pre-European-contact Fiji had its hackers. Living at the fringes of Vitian society were (and still are in remote areas) medicine men and witches who could also tap into spiritual information. Their status as relative social outsiders made them either an enemy or a counter-balance to the priestly information monopoly. Some witches and medicine men could even hack (I mean, influence) the spiritual world and alter the confidentiality, integrity, or availability of information available to priests by counteracting the priestly influence on the divine or by uttering counter-prophecies.

In European culture, information security has a solidly military origin dating back, at least, to Julius Caesar's encrypted military communications. What is commonly termed information security today is really the defensive aspect of information warfare – that is, the part of information warfare that is concerned with protecting information assets.

Of course, with the rise of the personal computer and the Internet in more recent history, information security has become much more than a military concern. With the growth of the so-called information economy has come an equal and predictable growth of information crime, leading to some staggering statistics, including a 2005 estimate that the cost of computer crime in the USA exceeded the size of the combined economies of all the nations in the South Pacific.

I have been quoted in the past as saying that despite all of the fascinating mathematics and technology that underlie modern infosec, information security is fundamentally about people. Certainly no one likes to have money stolen from them, but increasingly information security is about our privacy, our public personae, our collective identities, and even our fundamental rights. Fiji's anti-government bloggers are only able to voice their opinions due to the security mechanisms provided by their blog hosts which assure their anonymity. Whatever you think of their opinions, they are one of the few voices of opposition to Fiji's interim regime and are undoubtedly playing a role in shaping the future of Fiji and the region. Only time will tell how large or small that role is.

Still, anonymous political activists everywhere should carefully follow the recent behavior of America's Internet giants, as they are not always on your side. The most striking example is the case of the activist Shi Tao who was essentially handed over to Chinese authorities by US-based Yahoo. Yahoo, and many other international firms, have agreed to cooperate with Chinese authorities – even at the expense of their individual customers – in order to gain access to the immense Chinese market.

Information security even has a role in protecting the function of entire nations. Take the case of Estonia, a small former Soviet republic on the coast of the Baltic Sea with a population of around 1.3 million people. In the spring of this year, Estonia moved a certain Russian war memorial to a location more desirable to Estonians, which enraged many Russian nationals living both in and out of Estonia. Soon, blogs were posting instructions on how to wage a denial of service attack against Estonian institutions, and a little while later this attack was in full swing. Numerous government and financial sector systems across the tiny maritime nation were brought to a standstill and international experts had to be flown in to curb what some described as an Internet riot. Should this story concern other, perhaps more tropical, small maritime nations who are rushing to get their citizens and institutions online? The answer is absolutely "yes".

Still, one of the largest challenges facing information security today is the heady combination of social engineering and user ignorance. Many computer criminals have discovered that hacking just does not pay off as well as simply fooling people into giving up either their money (to help move funds out of Nigeria on behalf of a poor widow, for example) or enough information to get to their money. User naiveté is widespread in the South Pacific. I have never received so many chain emails from friends and acquaintances since I came to Fiji – and I was part of the first wave of naive Internet users in Canada!

Technology policy makers in the South Pacific should indeed be worried by all of this. By joining the global information economy, the region is embarking on an enterprise that is as fraught with danger and as ripe with rewards as the great Pacific migrations of days past. Fortunately, it is not necessary to sail the seas blind – technology policy navigators need only look across the ocean to the experiences of other more wired nations to see what problems to expect and which solutions will be effective.

Photo by: bhikku

12.7.07

What was on the laptop?




Nobody likes to lose something that costs two or three thousand dollars, which is the typical cost of a laptop these days. However, when a laptop goes missing from an important government office, the replacement cost should be the least of anyone's worries. Technology can be replaced, but the damage done by stolen information can be irrevocable.

Sometime during the afternoon or evening of Friday, July 6, 2007, a laptop, a mobile phone, and other items, possibly including a USB cable, went missing from the Office of the Prime Minister in the Government building in Suva. This fact has been widely reported on by all major media outlets in Fiji. Commentary from government officials, police, and journalists seem to focus on outrage that the PM's office was violated and the new security measures being put in place to ensure that this incident is not repeated in the future. This reaction can be summed up by comments from former Prime Minister Rabuka carried by the Fiji Times.

The theft from the Prime Minister's Office was tantamount to sacrilege and a serious crime against the State, said former Prime Minister Sitiveni Rabuka yesterday. He said such a breach of security never happened during his tenure and it pointed to the need to upgrade security.
[Security concern in the PM's office, Fiji Times, 11/7/2007]
However, the question that no one is asking is, what was on the laptop? What information from the highest office in the country is now "in the wild"? What government information may be lost forever if the laptop was not recently backed up?

Shortly after I arrived in Fiji approximately one year ago, the theft of a government laptop from an employee's home was reported in my home town of Edmonton, Alberta, Canada. It turns out that this laptop contained mental health information for over a thousand patients in the Province of Alberta. Neither the laptop nor the data were recovered.

What motivated a government investigation resulting in a twelve page public report into this incident was not the question of whether the employee or her employer failed to adequately protect public physical assets, i.e. the laptop. The government inquiry was focused on whether the employee or her employer failed to adequately protect confidential patient data. The investigation found that the employer, a regional health management organization, had failed in its responsibilities - chiefly through having inadequate policies in place - and was required to inform all 1000+ patients that their files had been compromised.

The investigation report went on to make the following general recommendations to all government departments in the province of Alberta who use mobile computing equipment such as laptops.
  • Perform a Privacy Impact Assessment (which should include an assessment of security risks) before implementing mobile computing.
  • Do not store personal or health information on mobile computing devices unless you need to – consider technologies that allow secure, remote access to your network and data instead.
  • If you must store personal or health information on a mobile device, use encryption to protect the data – password protection alone is not sufficient.
  • Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs.
  • Periodically check your policies against practice to ensure they reflect reality and remain effective.
  • Provide specific training on mobile computing to staff to ensure they understand the risks and understand how to protect their equipment.
[Information and Privacy Commissioner of Alberta, Report of an Investigation Concerning a Stolen Laptop Computer, December 5, 2006 - pdf file]
These recommendations are valuable to all organizations with sensitive information stored on laptops and other mobile devices, both in the public and private sectors. Organizations in Fiji would do well to consider adding similar provisions to their information security policies. You do have an information security policy, right?

Photo by: Filipe Morin