Technics: Stewart Baker: Major source on China's cyberespionage presents an important intro to his perspective

Hold on, the top foto is not porn!  It's evidence of a cyber-espionage attack.  That's what the author, Stewart Baker, has to tell us about the cyber war conducted by China against the USA.  Mr. Baker is a former government official now practicing law.  This blog-entry from his Skating on Stilts blog is the predecessor article to the "gottcha" piece already entered on refWrite page 4 today.  Please read both of these very important articulations of what Baker sees as an imminent threat, not just to the USA's govt and business firms, but also to any of its institutions that, for any reason, become subject to China's apparent  hack attacks.  And, remember, what China is now largely aiming in the direction of the USA coud as easily be aimed at other countries, large and small, upon which it has designs.  I'm thinking of Taiwan, the Philippines, Vietnam, Thailand and others.  But also Russia, Germany, France.  China has the advantage, indeed the hegemony, worldwide now in cyberespionage.

-- Technowlb, refWrite Backpage technics newspotter, analyst, and columnist



Skating on Stilts (Oct 07,2k12)

by Stewart Baker

Cybersecurity and Attribution -- 

Good News At Last?

No, we’re not suddenly turning into the Huffington Post.  But trust me, this photo is directly relevant to the topic at hand:  How the US should respond to massive state-sponsored cyberespionage.

Right now, policymakers are intent on improving network security, perhaps by pressing the private sector to improve its security, or by waiving outmoded privacy rules that prevent rapid sharing of information about attackers’ tactics and tools.

Those things would improve our network security, but not enough to change our strategic position – which is bad and getting worse.  The hard fact is that we can’t defend our way out of the current security crisis, any more than we can end street crime by requiring pedestrians to wear better and better body armor.

That’s why I’ve been urging a renewed strategic focus on catching attackers and punishing them.  Catching and punishing rulebreakers works for street crime.  It even works for nation states.  So why hasn’t it worked in the realm of network attacks?  Mostly because our intelligence community insists that attribution is just too hard. 

I think that’s wrong, and I’ll spend this post explaining why. 

My theory is simple: The same human flaws that expose our networks to attack will compromise our attackers’ anonymity. Or, as I put it in speeches, “The bad news is that our security sucks.  The good news is that their 

security sucks too.”

In this post, I’d like to go beyond theory to show how hackers’ 

human frailties and errors make attribution easier. I’ll start with a groundbreaking investigation by  Nart Villeneuve and a team from 

Trend Micro. The team was the first to identify by name a hacker 

taking part in the vast China-based campaigns to steal the secrets of

military and aerospace companies as well as Tibetan activists. This

particular network campaign, dubbed “Luckycat” by researchers, 

followed familiar lines: careful social engineering of emails to lure 

the target into opening a poisoned attachment or link, followed by 

rapid compromise of the target’s computer, lateral privilege 

escalation to compromise the entire network, and a  leisurely, 

months-long strip-mining of the network for information. Dozens of

campaigns like this have been spotted in recent years, almost all of 

them aimed at targets of interest to the Chinese government. But 

because the attackers use Internet cut-outs – intermediate command-and-control computers and domains located

around the world – it has been hard to follow them home.

That’s still true, but it turns out that the attackers are only human.  They make mistakes when they’re in a hurry or

overconfident.  They leave bits of code behind on abandoned command-and-control computers. They reuse 

passwords and email addresses and computers.

The Trend Micro investigators exploited these errors, tying one of the command-and-control domains to an email 

address and then to a QQ address. (QQ is China’s enormously popular instant messaging system. Owned by 

Chinese Internet giant Tencent, it has nearly as many users as Facebook -- 711 million in September 2011, when

Facebook had 750 million.)

That QQ address in turn was tied to two online nicknames, “dang0102” and "scuhkr," whose users had posted in a

notorious Chinese hacker forum and had “recruited others to join a research project on network attack and 

defense at the Information Security Institute of the Sichuan University."

The University and its "information security" institute has several ties to the hackers; indeed, the nickname 

"scuhkr" looks like a tribute to SiChuan University, whose internet domain is scu.edu.cn. The investigators 

identified a second attacker as someone who, they concluded, “also worked and studied at the Information 

Security Institute of the Si Chuan University and has published several articles related to “fuzzing” vulnerabilities 

in 2006.”

Exploiting other mistakes made by the intruder, the investigators found that the Luckycat malware had first been road-tested on a Chinese version of Windows XP. Finally, they were able to establish that tools and tactics used in the Luckycat campaign overlapped with those used in the notorious Shadownet campaign against the Dalai Lama.

That wasn’t the end of Luckycat’s unraveling.  The New York Times was able to put a name to scuhkr: 

“The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense.

Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.” 

The Times actually spoke to Gu, who knew enough about the Western press to declare  “I have nothing to say.” (A few days later, Gu would claim that the nicknames found by the investigators were used by two different people and deny that he was the hacker.  Tencent and the university similarly denied any knowledge of the attacks.)

This report is entertaining in many ways. And not just the part where we imagine Gu’s face when the New York Times gets him on the line. The investigators deserve great 

credit for their imaginative and determined exploitation of the digital clues that scuhkr left behind.

That said, there’s nothing inimitable about what they did.  Scuhkr's lapses are typical of an intelligence operative

in a hurry and not expecting much scrutiny.  It takes stern discipline never to reuse email addresses, nicknames,

domains, and command-and-control machines. Inevitably, some attackers will fail to observe perfect discipline.  

And those lapses will be increasingly costly because identifying data is proliferating everywhere; both the Trend 

Micro researchers and the New York Times used pre-existing databases to crime-scene data to real-world identities.

At last, it looks as though one aspect of computer technology is going to favor the defense. More and more data 

is being collected about network activities, making it harder for attackers to completely cover their tracks. At 

the same time, more data is being collected about perfectly innocent activities, and this information, like the 

university jobs forum used by the New York Times, can provide the crucial link that allows us to locate hackers 

in the real world.

That’s where the picture at the top of the story comes in. It’s a visual taunt posted by an Anonymous hacker after

he had stolen and disclosed personal data from several US law enforcement agencies.  (Roughly translated, the 

sign says, “Pwned by Wormer and CabinCrew, Love You Bitches!”) The photo was taken in a suburb of Melbourne 

with an iPhone. We know that because Apple routinely buries GPS coordinates in each photo it takes, because … 

well, why not, when bits are free?

So when the FBI was assigned to track down the attacker, it used the coordinates to find the subject of the photo.

Open source map data, plus postings on Twitter and Facebook, led the FBI to an Australian woman. Her boyfriend turned 

out to be Higinio Ochoa, a Texas programmer whom the FBI promptly arrested.  The courts agreed that it was, 

er, a righteous bust; Ochoa has been sentenced to 27 months in federal prison for his hacking.

These investigations -- Luckycat and Ochoa -- are leading indicators of a trend that will make attribution easier 

over time.  “Well, why not?” data will only increase, and attackers will find it harder to avoid leaving bits of it 

behind.  At the same time, open source databases tied to the real world are also growing rapidly.  Big data tools 

will make it easier to search and find connections among these vast and mostly open networks. As a result, more 

and more attackers are someday going to find themselves in the shoes of Higinio Ochoa and Gu Kaiyuan.

That day can’t come fast enough, and US policymakers should be doing all they can to bring it about.  The 

defensive security tools used by government and private networks should put a premium on forcing network users 

to leave lots of information in immutable logs as they move through the network. Law enforcement agencies 

should put be collecting and sharing everything about the tactics, tools, and data lapses of network intruders. 

And intelligence agencies should be building their own storehouses of identifying information so they can 

eventually link foreign hackers to particular intrusions.

Of course, attribution is only half the answer.  It won’t deter attacks unless it leads to retribution. But that’s a 

post for another day …

PHOTO CREDITS: iStockPhoto; Gizmodo; Wikipedia

UPDATE: Corrected photo subject's home town.