Tag Archives: official

Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009, APEC officials and delegates of several APEC economies were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committee and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009 culminating in a leaders’ meeting in Singapore from November 14-15.)

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister Of State For Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority, and reported in the Straits Times on Saturday, December 4. (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.  

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails purportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question why they didn’t use that information in the first wave.) Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid 2009 to December 2009 on dozens of Western companies including Google, which alleged the attacks began in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control network based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; it has been associated with corporate espionage but also the GhostNet attacks.

Wikipedia: Important enough to whitewash

This is an edited version of my weekly column for Loose Wire Service, a service providing print publications with technology writing designed for the general reader. Email me if you’re interested in learning more.

Wikipedia has gone through some interesting times, good and bad, but I think the last couple of weeks have proved just how powerful it is.

Powerful enough for those who feel denigrated by it to have been trying to spin, airbrush and generally rewrite how history — or at least Wikipedia — remembers them.

Take WikiScanner, cooked up by a young student, Virgil Griffith. WikiScanner does something very simple: It searches the Internet addresses of an organization — government, private, company or whatever — and matches them with any anonymous edit of a Wikipedia entry.

This means that while the edits themselves may be anonymous, the organization where the person is based is not. We may not know who did it, in other words, but we’ve got a pretty good idea of whom they work for.

The results have been surprising. Users of WikiScanner have come up with dozens of cases of companies, organizations and government departments apparently changing entries either to delete stuff they may not like or to make the text more palatable.

Some examples of apparent — none of these is confirmed but the Internet addresses match — self-interested alterations that have hit the news in the last few weeks:

* Diebold removes sections critical of the company’s electronic voting machines

* Apple and Microsoft trade negative comments about each other

* Amnesty International removes negative comments about itself, according to the Malta Star

(My own searches threw up no examples at all of institutions in my current home of Indonesia spinning on Wikipedia. Shame on them. What have they been doing with their time? One Indonesian embassy official seems to have spent most of his day editing an entry on rude finger gestures, but that’s about it. Clearly these people are not working hard enough for their country.)

The point about all this: Wikipedia is often derided as irrelevant and unworthy. Clearly, though, it’s important enough for these people, either officially or unofficially, on their own initiative or at the behest of higher-ups, to rewrite stuff to make themselves or their employer look better.

You might conclude from this that Wikipedia is not reliable as a result. I would argue the opposite: These edits have nearly all been undone by alert Wikipedians, usually very quickly.

(Wikipedia automatically stores all previous versions of a page and keeps a record of all the edits, and the Internet address from where they originate.)

The truth is that Wikipedia has come of age. Wikipedia is now important enough for ExxonMobil, The Church of Scientology, the U.S. Defense Department and the Australian government to spend time and effort trying to get their version of events across. If it was so irrelevant or unreliable, why would these people bother?

Of course, coming of age isn’t always a good thing. A recent conference on Wikipedia in Taiwan highlighted how Wikipedia is no longer an anarchic free-for-all, but has somehow miraculously produced a golden egg.

It is now a bureaucracy, run by the kind of people who like to post “Don’t … ” notices on pantry walls. I’m not saying this is necessarily a bad thing. We all hate such people until our sandwich goes missing. Then we turn to them — or turn into them.

WikiScanner reveals that it’s probably good that such people take an interest in Wikipedia, because it’s clear that the site is under threat from people who would censor history and whitewash the truth to suit them.

Thanks to Virgil and the Wikipedians, that’s not going to happen anytime soon.

The Jakarta Post – The Journal of Indonesia Today

Russia Declares Cyberwar?

The Guardian reports on what some are suggesting may be the first outbreak of official cyberwar between one country and another, after Russian hackers, official or not, have flooded Estonian websites with Denial of Service attacks (DDoS):

clipped from www.guardian.co.uk

Without naming Russia, the Nato official said: “I won’t point fingers. But these were not things done by a few individuals.

“This clearly bore the hallmarks of something concerted. The Estonians are not alone with this problem. It really is a serious issue for the alliance as a whole.”

An Unlikely Blogger Expelled

Although it’s not good for Sudan, I think it’s good for blogging: CNN reports that 

The government of Sudan on Sunday gave the top U.N. official in the country three days to leave, marking the latest hurdle in international efforts to bring peace to the nation torn apart by civil war.

Sudan expelled Jan Pronk, the top U.N. envoy to Sudan, who has openly criticized Khartoum as well as rebel groups on his Web log.

Pronk has been running a blog for nearly a year and while it doesn’t look like your average blog (really long posts, no external links, no comments, blogs numbered as if they were official UN documents) it’s an impressively direct account of the Sudanese conflict. His third post started as follows: 

This week the seventh round of the Abuja talks between the Government of Sudan and the rebel movements will start. Will it be the last one, producing a peace agreement before the end of the year? The chances are diminishing.

Not the sort of mealy-mouthed stuff we’re used to from senior UN officials. And it’s probably upset the UN as much as it’s upset the Sudanese government. But if so why had the UN not closed him down earlier? Pronk, according to UPI, did not offer any disclaimers, but the UN has since made clear he was writing in a personal capacity. The UN has “no rules barring blogging specifically, though employees face restrictions when publishing articles and participating in interviews.” It seems Pronk was probably senior enough, and his comments uncontroversial enough, for no one to mind too much. Until last week.

What I like about it is that reporters tend to meet these kinds of people in the field, and it’s great to hear them sounding off about the situation, but rarely are their words captured in sufficient quantity for their great background knowledge and high level involvement in such diplomatic processes to be read by a wider audience. I’ve not followed the tragedy in Darfur much beyond what I read in the papers, but Pronk’s year-long posts are a diary of immense and satisfying detail about the process, peppered by great photos, that are worthy of more than the word blog.

Take this one, for example, from June 28:

There is a significant risk that the Darfur Peace Agreement will collapse. The agreement does not resonate with the people of Darfur. On the contrary, on the ground, especially amongst the displaced persons, it meets more and more resistance. In my view it is a good text, an honest compromise between the extreme positions taken by the parties during the negotiations in Abuja. That is why the UN, like all international partners, has endorsed the agreement. However, in politics objective rational calculations will always be confuted by subjective emotional perceptions and aspirations. And those perceptions are that the agreement does not meet the expectations of the people in Darfur, has been forced upon them and, rather than meeting the interests of all parties somewhere halfway, only strengthens the position of the government and a minority tribe, the Zaghawa.

That to me is very clear writing, reflecting his knowledge of the situation on many levels. Not every situation could allow a senior figure involved deeply in the political process to write so frankly and openly, but wouldn’t it be great if they could? This to me is the real potential of blogs and citizen reporting. Someone who really knows what is going on telling us about it.

PS: Jan Pronk has a reputation of sorts in Indonesia, my current abode. He earned the lasting enmity of then president Suharto by


Guerrilla Marketing Via Lederhosen

I’m getting a bit cheesed off with all the advertising/sponsorship shenanigans at the World Cup, and I’m not even there. The idea that you can only buy tickets using the sponsor’s credit card, that food like McDonalds and drink like Coke can somehow be an official partner of a sport, all seem to indicate a world gone mad, but all that is eclipsed by the fact that you can’t enter a stadium wearing a rival sponsor’s attire: Hundreds of — one report suggested more than 1,000 — Dutch fans had to watch the Ivory Coast game in their underwear after stewards ordered them to remove their orange lederhosen.

The story, as far as I can work out, goes like this. The idea is the brainchild of a Dutch brewery called Grossbrauerei, which produces a beer called Bavaria. The brand marketing manager is one Peer Swinkels (“Bavaria is beer with guts, for men with guts”), who has launched several elaborate ploys to market the beer. One involves, er, sponsoring a motor racing event, along with a “Burning Rubber” Gala Night. (Event organiser: “We assure you that the name of this gala night is not a joke”). Another involved relaunching the career of Albert West, a slightly over the hill Dutch singer, in towns with the word “West” in their names — Amsterdam West, Rotterdam West, Utrecht West, Leiden West, Hengelo West, etc: (“This sort of subtle humour is always combined with down-to-earth realism in the Bavaria-campaign. Albert liked the idea. He can laugh at himself. That is what makes Albert such a nice guy.”)

You had to be there, I guess.

Anyway, the lederhosen. This is an inspired idea and goes to the heart of some already controversial sponsorship over the most important item at the Cup: the beer. The lederhosen, you see, sported the name of Dutch brewery Bavaria, which is not the official beer of the World Cup. (Anheuser Busch’s Budweiser is the official beer.) The lederhosen are orange, carry the regulation braces, as well as a tail. They come free with a 12–pack of Bavaria, and have become something of a cult item among Dutch fans, who wear orange from birth, although there are reports that they are just being handed out for free too:

Leeuwenhose

Brilliant. You get your product into the stadium and onto the world’s television without having to pay a dime. As a marketing ploy they are somewhat less subtle than the use of an aging Dutch rock star but they do deserve some credit: taking the mickey out of those German beerfests, selling a beer called Bavaria, right in the heart of Germany. And, to boot, embarrassing the U.S. beer partner Budweiser, who like other sponsors paid between $45 and $50 million for the privilege of having only their brand on display. In fact, Bavaria has already been making trouble: Heineken, the official sponsor of the Dutch national team, ordered fans to leave their lederhosen outside the ground at a friendly game against Cameroon. (A Dutch court has since ruled that fans should be allowed to wear the trousers, apparently, although this won’t wash in Germany.)

This explains why stewards are ordering fans to strip. FIFA spokesman Markus Siegler: “Of course, FIFA has no right to tell an individual fan what to wear at a match, but if thousands of people all turn up wearing the same thing to market a product and to be seen on TV screens then of course we would stop it.” The issue might be particularly sensitive because Anheuser Busch has its own problems, being forced by longstanding trademark issues to settle for merely Bud brand (not the full Budweiser brand, which is in dispute in Germany) in return for allowing local brewer Bitburger to sell its beer in unbranded cups outside the grounds.

Peer, of course, sounds suitably outraged but must be loving it. Officially, this kind of activity is appalling and the offline equivalent of subdomain spam, but so much more imaginative. At the same time it raises lots of interesting dinner party discussions about the rights of the individual against the rights of a sponsor (if I chose to wear those pants and wasn’t paid to do so, then does it constitute advertising, and should I not be allowed to wear what I choose so long as it does not appear to be a deliberate effort to advertise?); what constitutes a group, whether orange is an acceptable colour for a national soccer team, and whether people should even be allowed to wear lederhosen. T

Is The West Under Attack?

Trying to make some sense of the announcement (PDF) last week by Britain’s secretive National Infrastructure Security Coordination Centre (NISCC) that

Parts of the UK’s Critical National Infrastructure (CNI) are being targeted by an ongoing series of email-borne electronic attacks. While the majority of the observed attacks have been against central Government, other UK organisations, companies and individuals are also at risk.

The press release makes several points:

  • Not new, just newly publicised: These attacks have been underway “for a significant period of time” (grammar not being the NISCC’s strong point, apparently);
  • Not vanilla phishing: These attacks are separate from industrial espionage and phishing attacks: “the attackers are specifically targeting governmental and commercial organisations”;
  • The bad guys are in Asia: The attacks seem to be coming from “the Far East”;
  • After information: “The covert gathering and transmitting of otherwise privileged information is a principal goal. The attacks normally focus on individuals who have jobs working with commercially or economically sensitive data”;
  • They’re not script kiddies: The attackers are sophisticated and focused, using email lists to target people with similar interests and are able to use newly available files as part of social engineering tricks to entice recipients to open the embedded trojans.

But we’re still a bit in the dark about much of this. Who, for example, is behind it? Quite a few experts have been wheeled out to point out who the culprits may be:

“To have achieved what this gang are doing then it either has to be state-sponsored or the highest level of organised crime,” said Dr Andrew Blyth, head of Glamorgan University’s Computer Forensics Department, who has worked with the UK’s law enforcement agencies to develop technology to combat high-tech crime.

But not everyone thinks this is some massive government-level conspiracy:

Sophos security consultant Carole Theriault didn’t confirm the NISCC’s suspicion that the attack was an organized effort. “From the Trojans themselves there’s nothing to suggest that they’re any part of a real campaign,” she told Information Week. “It’s possible that what the NISCC is seeing is just a lot of Trojans that hit agencies in a lot of different ways.”

This is significant, since Theriault and Sophos were brought in to help NISCC analyse the attacks, so they have more knowledge than most, and would, one might expect, fall in behind the NISCC view of things. Sophos acknowledges the problem has been getting worse — it says it “has seen a threefold increase in the number of keylogging Trojans alone in the last year” — but suggests that the malicious code is not so much espionage as pure financial theft: “Malicious code is increasingly being written not just to cause a nuisance, but to steal money – whether targeting individual users of online banking or massive global corporations and government institutions,” the press release quotes Theriault.

Interestingly my colleagues at the WSJ have done a thorough look at the report and its broader implications: In a piece that appears in Monday’s WSJ (not yet available online), Cassell Bryan-Low quotes authorities as saying

The problem appears to be more widespread than the U.K. government initially indicated. The attacks started at least two years ago and have targeted institutions in the U.S., Canada and Australia, among dozens of other countries, authorities say.

It also quotes an unidentified law enforcement official as pointing the finger that no other story seems to actually do:

U.S. institutions have suffered similar attacks for at least a couple of years, and investigators suspect that the hacking is coming mostly from computers in China, according to a law-enforcement official. Hundreds of U.S. institutions have been targeted, this official said. Many of the targets are involved in technology research and development but also include financial institutions, he said. Government agencies and suppliers, such as defense contractors, were also targeted, he added.

Of course, just because the computers are in China doesn’t mean that the Chinese government, or even groups in China, are behind the attack, since China’s vast network of unsecured computers is one of the biggest conduits for spam and other sleazeware. But it doesn’t take a genius to draw the conclusion that if the attacks are sourced from the ‘Far East’, then China stands out among the possible culprits. So why has the NISCC chosen to release this warning now? And what happens next?

Nokia’s “Care” Centres

Please note that I don’t work for Nokia, this is not an official Nokia site, and although I’m flattered by all the attention this post gets, posting your problem isn’t going to help you. I’ve invited Nokia several times to offer some text that I can include here to direct users to a real Nokia site, but without success, so I’m doubtful they’re going to be reading anything here. Instead, I suggest those of you in India visit this link for more information about where to get help. Alternatively you can send them an email here.

——

Is it a sign of Nokia’s demise, or just a glimpse of an opportunity missed?

I had to take my 7650 in for mending yesterday: The keypad doesn’t respond well when I press ‘6’, which I do a lot. So rather than swear every time I key in an SMS with the letters M, N and O in, I thought I’d get it fixed. They have quite a few official Nokia Help Centres (I think they’re called Care Centres) around my town so I tried one.

It was not a particularly helpful help centre — there was only one customer in there, and the spare customer helper person disappeared out for her lunch as soon as I came in — but that wasn’t what bothered me. What bothered me was that the conversation with every customer seems to go like this:

— My phone doesn’t work.
— OK, leave it with us and we’ll check it.
— Great, a thousand thank yous (this is a polite country).
— Have you backed up your data?
— Pardon?
— We’ll have to erase your data when we check the phone.
— Er, erase? You mean all my phone numbers, treasured text messages, settings, photos of my grandchild?
— Yes. And those mildly pornographic pictures of your wife you keep in a sub-folder.
— (Gulp.) Don’t you have any way to back up the memory first? This is a phone, not a computer. I’ve never backed it up in my life. How do you back it up?
— No, we don’t do that kind of thing.
— You don’t do that kind of thing? What do you do then? Ruin people’s lives? Push otherwise normal people into madness? You expect to write down all the numbers and key them in again? You expect my grandchild to be happy when I explain to her the photo got deleted by my friendly Nokia Care Centre? (exit to sounds of flying phones, curses, scratched nails on blackboards etc etc)

Ok, that’s not necessarily a real conversation, but I find it too weird that Nokia can’t back up the memory on its own cellphones. Sure, they’ll probably argue liability and all that, but I’ve heard of some very angry customers who didn’t realise that handing over their cellphone to a Nokia Care Center would erase all their data. It must be easy to take a snapshot of the memory and then reload it. I’m not surprised customers don’t back up their cellphone memory. Have you ever tried to use Nokia’s PC backup software? It’s about as easy and helpful to use as a home-lobotomy kit.

I can’t help concluding from this that Nokia either doesn’t get it, or is losing it. Maybe their help centres elsewhere are more helpful. But if the company wants to retain market share, and to encourage people to store more on and do more with their phones, they’ve got to help them keep that stuff there.

Update: Blaster B Suspect Is About To Be Arrested

There must be at least one frightened teenager out there today. AP reports that U.S. investigators have identified a teenager as one author of a version of the Blaster worm and plan to arrest him early Friday (U.S. time). A witness reportedly saw the teen testing the infection and called authorities, an official said. The worm and its variants infected more than 500,000 computers worldwide.
 
The “Blaster.B” version of the infection, which began spreading Aug. 13, was remarkably similar to the original Blaster worm that first struck two days earlier; experts said the author made few changes, renaming the infecting-file from “msblast” to an anatomical reference. Can’t help feeling sorry for the kid. He is going down.