2012/02/13

Security threats "in the network": detection and countering

A new Internet Security report for July-Dec 2011 from M86 is out: "New M86 Security Labs Report Reveals Spread of Malware Growing via Social Media, Targeted Attacks and Exploit Kits" [PDF]

It triggered a thought that first occurred to me during the "No Internet Censorship" campaign:
The perfect place for those wanting to hide illegal activities is "within the network": working as Admins for Internet Providers. From there they can monitor, avoid and intercept requests from Law Enforcement and others, and respond in many subtle ways.
This thought arose after two rather disconcerting incidents for me:
  • A TV documentary on Internet Porn mentioned that the officers have to view these images and that this can lead to desensitisation over time, and
  • an unprovoked personal attack within an Admin's forum by a "security professional" upon an individual. Sexually explicit language was used, and that the language went unremarked by the entire forum was gob-smacking for me.
We also have the phenomenon of the group "Anonymous" acting as Internet Vigilantes. Again, an Admin (with unlimited access rights) within a major Internet Provider is the perfect place for such groups and their activities.
The natural extension of this is the equivalent of Military "counter-intelligence":
for attackers to purposefully gain jobs/positions where they can actively subvert surveillance and Law Enforcement activities.

Good target organisations might be:
  • all Internet Providers, [Application, Service, Storage, ...]
  • high-traffic end-users, [Banks, TV, ...]
  • large Organisations, especially Education, Government, Law Enforcement and Cyber-Security,
  • Internet Security Response teams and researchers,
  • Security Companies (especially anti-virus tools) and
  • Operating System and Software tools companies.
Cyber-Security is not primarily a technical challenge; it is the same kind of problem as physical security (think Banks) and Military Intelligence. It's about Attack and Defence in an endless round of escalation and refinement. People, not machines and technology, are the combatants and the weak points.

Bill 'Ches' Cheswick, well-known security expert and author, commented that his efforts in countering the first ever Denial-of-Service attack helped the attacker "debug" his methods. Stopping the attack had the unintended side-effect of making the attacker more effective against all other targets.

The most obvious and serious warning of the efficacy and danger of subverting Surveillance and Intelligence gathering was the Soviet infiltration of British intelligence and the Foreign Office by Burgess, Philby and Maclean during the Cold War. Blunt, who had served in MI5, went undetected for years after the others were exposed. [The wikipedia entry on the Cambridge Five mentions all five members.]

Saying "can't happen, won't happen" is simple denial and avoidance. The Cyber-Wars are escalating and the rewards have become considerable. Individuals will already have been recruited... With people involved, this is an inevitable consequence.

After 15 years of wide-scale Internet use, it's now a serious and credible Cyber-Security threat for both Government and Commercial organisations. The measures used to detect and counter these sorts of organisational compromise need to be published for strong peer-review, discussion and refinement.

It'd also be nice if there were some sort of specific, anonymised reporting system.
In my career I've been witness to some "interesting" events with nowhere to report them to, leaving "a bad taste in the mouth" and a feeling of impotent outrage.

This is in addition to pure International and Commercial espionage activities.

Terrorists would normally prefer much lower-level and direct attacks, unless a Person in a Trusted Position volunteers themselves (e.g. Boyce, who passed TRW secrets to the Soviets in the mid-1970s, and Bradley Manning to "Wikileaks", a non-national, non-terrorist organisation).
