Real Phone Hacking

Interesting glimpse into the real world of phone hacking, not the amateurish stuff we’ve been absorbed by in the UK, by Sharmine Narwani: In Lebanon, The Plot Thickens « Mideast Shuffle.

First off, there’s the indictment just released by the Special Tribunal for Lebanon which, in the words of Narwani,

appears to be built on a simple premise: the “co-location” of cellular phones — traceable to the accused four — that coincide heavily with Hariri’s whereabouts and crucial parts of the murder plot in the six weeks prior to his death.

Indeed, the case relies heavily on Call Data Record (CDR) analysis. Which sounds kind of sophisticated. Or is it? Narwani contends that this could have been manufactured. Indeed, she says,

there isn’t a literate soul in Lebanon who does not know that the country’s telecommunications networks are highly infiltrated — whether by competing domestic political operatives or by foreign entities.

There is plenty of evidence to support this. The ITU recently issued two resolutions [PDF] basically calling on Israel to stop conducting “piracy, interference and disruption, and sedition”.

And Lebanon has arrested at least two men accused of helping Israel infiltrate the country’s cellular networks. What’s interesting about this from a data war point of view is that one of those arrested has confessed, according to Narwani, to lobbying for the cellular operator he worked for not to install more secure hardware, made by Huawei, which would have presumably made eavesdropping harder. (A Chinese company the good guy? Go figure.)

If this were the case–if Lebanon’s cellular networks were so deeply penetrated–then it’s evidence of the kind of cyberwar we’re not really equipped to understand, let alone deal with: namely data manipulation.
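To make concrete what a "co-location" case built on CDRs looks like, and why silent alteration of the logging trail is the threat that matters, here is an added example (my own illustration, not code from Narwani, the tribunal or any operator). The schema, phone labels, cell IDs and timestamps are all constructed; real CDRs are far richer.

```python
"""Co-location analysis over Call Data Records (CDRs), with a tamper-evident chain.

All rows below are constructed for illustration; cell IDs, phone labels and
timestamps are invented and the schema is a hypothetical simplification.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed track of the surveilled person: (timestamp, serving cell).
TARGET_TRACK = [
    ("2005-01-10T09:00:00", "CELL-A"),
    ("2005-01-10T10:00:00", "CELL-B"),
    ("2005-01-10T11:00:00", "CELL-C"),
]

# Constructed CDR rows: (phone label, timestamp, serving cell at call time).
CDR_ROWS = [
    ("PHONE-1", "2005-01-10T09:05:00", "CELL-A"),
    ("PHONE-1", "2005-01-10T10:07:00", "CELL-B"),
    ("PHONE-1", "2005-01-10T11:03:00", "CELL-C"),
    ("PHONE-2", "2005-01-10T09:10:00", "CELL-A"),
    ("PHONE-2", "2005-01-10T13:00:00", "CELL-B"),   # right cell, hours too late
    ("PHONE-3", "2005-01-10T09:00:00", "CELL-Z"),   # never near the target
]


def _ts(s):
    return datetime.fromisoformat(s)


def colocation_scores(cdr_rows, target_track, window=timedelta(minutes=15)):
    """Count, per phone, the CDR events that put it in the same cell as the
    target within `window` of one of the target's known positions. This is
    the kind of 'co-location' tally an indictment built on CDRs rests on."""
    scores = defaultdict(int)
    for phone, when, cell in cdr_rows:
        t = _ts(when)
        if any(cell == tcell and abs(t - _ts(twhen)) <= window
               for twhen, tcell in target_track):
            scores[phone] += 1
    return dict(scores)


def chain_records(rows):
    """Hash-chain the rows: each digest covers the row plus the previous digest,
    so editing, inserting or deleting any row changes every digest after it."""
    prev = "0" * 64
    chain = []
    for row in rows:
        prev = hashlib.sha256((prev + "|" + "|".join(row)).encode()).hexdigest()
        chain.append(prev)
    return chain


def verify_chain(rows, chain):
    """True only if the rows reproduce the recorded chain digests exactly."""
    return chain_records(rows) == chain


if __name__ == "__main__":
    print(colocation_scores(CDR_ROWS, TARGET_TRACK))  # PHONE-1 scores 3, PHONE-2 scores 1
    chain = chain_records(CDR_ROWS)
    forged = list(CDR_ROWS)
    forged[5] = ("PHONE-3", "2005-01-10T09:00:00", "CELL-A")  # a planted co-location
    print(colocation_scores(forged, TARGET_TRACK)["PHONE-3"])   # now 1
    print(verify_chain(forged, chain))                          # False: alteration visible
```

The chain only exposes alteration if its digests were recorded by a party the intruder cannot reach; someone sitting at the logging source, as the post describes, forges the rows before any chain exists.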

Narwani asks whether it could be possible that the tribunal has actually been hoodwinked by a clever setup: that all the cellular data was faked, when

a conspiring “entity” had to obtain the deepest access into Lebanese telecommunications networks at one or — more likely — several points along the data logging trail of a mobile phone call. They would have to be able to intercept data and alter or forge it, and then, importantly, remove all traces of the intervention.

After all, she says,

the fact is that Hezbollah is an early adherent to the concept of cyberwarfare. The resistance group have built their own nationwide fiber optics network to block enemy eavesdropping, and have demonstrated their own ability to intercept covert Israeli data communications. To imagine that they then used traceable mobile phones to execute the murder of the century is a real stretch.

Who knows? But Narwani asserts that

Nobody doubts Israel’s capacity to carry out this telecom sleight of hand — technology warfare is an entrenched part of the nation’s military strategies. This task would lie somewhere between the relatively facile telephone hacking of the News of the World reporters and the infinitely more complex Stuxnet attack on Iran’s nuclear facilities, in which Israel is a prime suspect.

In other words, there’s something going on here that is probably a lot more sophisticated than a tribunal can get behind. I’m no Mideast expert, but if only half of this is true it’s clear that cellphones are the weakest link in a communications chain. And if this kind of thing is going on in Lebanon, one has to assume that it’s going on in a lot of places.

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count Thailand has become the country with the highest rate of malware infections, and by another the second highest, all in the past few months.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China) with nearly 57% of computers scanned by their antivirus software as being infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists Thailand as top in terms of infected countries, at nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet compared to the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

The Battery DDOS: Tip of An Iceberg

An interesting story brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: In fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains: trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.

In other words, this is about a lot more than batteries. This appears to be DDOS for rent to businesses wanting to take out business rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites the $600,000 in damage caused as including attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

Using Data to Find Bin Laden

[Map image]

Where they thought he was and where he was.

Great piece — Geographers Had Predicted Osama’s Possible Whereabouts – ScienceInsider (thanks Daily Kos- Geographers predict Osama’s location) which tells the story of Thomas Gillespie, a UCLA geographer

who, along with colleague John Agnew and a class of undergraduates, authored a 2009 paper predicting the terrorist’s whereabouts, were none too shabby. According to a probabilistic model they created, there was an 88.9% chance that bin Laden was hiding out in a city less than 300 km from his last known location in Tora Bora: a region that included Abbottabad, Pakistan, where he was killed last night.

Here’s their original paper: web.mit.edu-mitir-2009-online-finding-bin-laden.pdf. It’s not as if these guys identified the town correctly (and the Science article has had to backtrack on some of its original assertions, and the comments aren’t kind), but they got a lot of things right: They figured out he was much more likely to be in a house than a cave, and in a relatively large town rather than a village, and that he was in Pakistan rather than somewhere else. They also predicted the kind of building he would be living in. In the end they were less than 300 km off.

Not bad, when you look at what the CIA was saying about him before (of course, they may have been trying to put people off the scent, but we know that it was only earlier this year that they had an idea he might be in the house:

Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009 APEC officials and delegates of several APEC economies were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committee and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009, culminating in a leaders’ meeting in Singapore from November 14-15.)

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister Of State For Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority, and reported in the Straits Times on Saturday, December 4. (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails purportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question why they didn’t use that information in the first wave.) Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid 2009 to December 2009 on dozens of Western companies including Google, which alleged that the attacks originated in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control infrastructure based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; it has been associated with corporate espionage but also with the GhostNet attacks.

Hoodiephobia, Or We Don’t Lie to Google

[Image: Boris Johnson the knight]

Does what we search for online reflect our fears?

There’s a growing obsession in the UK, it would seem, with ‘hoodies’—young people who wear sports clothing with hoods who maraud in gangs. Michael Caine has just starred in a movie about them (well, a revenge fantasy about them.) This Guardian piece explores the movie-making potential of this phenomenon.

Recently a female documentary film maker was saved from a group of iron bar-wielding “feral girls” by the bike-riding mayor of London (I’ve always wanted to write the headline for the story).

So is this “growing fear” reflected online?

Well, yes, it is.

Here’s what a graph of British people searching for ‘hoodies’ looks like:

[Image: graph of UK search interest for ‘hoodies’]

As you can see, it’s been a growing interest, more than doubling in the past five years.

But it’s also showing a weird seasonal element. Interest drops off in the summer months, and then rises towards the end of the year. Every year for the past five years, searches have peaked in either December or November. The lowest point each year is June or July.

I don’t know why that is. One guess would be that in the summer attacks tail off. It would be interesting to see if there’s any correlation there with the actual figures on attacks. (Update: Commenters have rightly pointed out that the seasonal interest probably has more to do with online shoppers. Thanks, and sorry for not thinking of this.)

The Guardian piece quotes research by the group Women in Journalism back in March as finding that, among other things, 79% of adults are more wary of teenage boys than they were a year ago, and that the most commonly used descriptions of such boys in the UK press were ‘yobs’ and ‘thugs’ followed by ‘sick’, ‘feral’, ‘hoodies’ and ‘louts’ (PDF version of the report is here.)

Online, however, the trend is clearer: ‘Hoodie’ (light blue) is the preferred search term, and has been since late 2006, replacing the ‘thug’ and ‘scum’ of the mid 2000s:

[Image: graph of search interest for ‘hoodie’, ‘thug’ and ‘scum’]

I don’t know whether this is meaningful, but another word used to describe this perceived underclass of British youth is ‘chav’, a term of obscure origin. Compare searches for the words ‘chav’ and ‘hoodie’ and you see this:

[Image: graph of search interest for ‘chav’ and ‘hoodie’]

Clearly the word ‘chav’ (in red) was most popular—or one that people were hearing but not familiar with, and so needed to look it up—in late 2004. It has been in decline since then and has indeed been overtaken by ‘hoodie’ (in blue):

[Image: graph showing ‘chav’ overtaken by ‘hoodie’]

I don’t know whether this is meaningful or not. Wikipedia cites ‘chav’ as common parlance by 2004 (unfortunately Google’s data does not go further back than that, but the rise in 2004 is clear.)

I tend to believe that Google searches are as revealing as anything else about what people are interested in, or worried about—indeed more so than surveys, because people don’t lie to Google.

Telling the Story in the Third Dimension

[Satellite image]

The bitter end of the Tamil Tigers has been fought away from the news crews, but not the satellites.

But did we make the most of this technology to tell the story of human suffering and the end of a 35-year guerrilla movement?

A month ago the U.S. government released satellite images apparently showing how tens of thousands of Sri Lankan civilians had been squeezed into the last tract of land held by the LTTE, a story covered somewhat cursorily by the media. This three-paragraph piece from The Guardian, for example:

[Image: the Guardian’s three-paragraph piece]

A week ago (May 12) Human Rights Watch issued its own report based on images it had commissioned from commercial satellites. The photos, the organisation said, “contradict Sri Lankan government claims that its armed forces are no longer using heavy weapons in the densely populated conflict area.”

The full report was available as a preliminary analysis, downloadable in PDF.

The report was carried by the BBC and others.

But I could find no one who had dug into the report to find a way to bring this remote tragedy closer to home.

For example, it could be as simple as double-checking the images and coordinates given against Google Earth (easy enough; just enter the lat/long digits into Google Earth and see where they take you). HRW could have done a better job of providing the full coordinates here, to the full six decimal places (9.317999, for example) rather than the meager two they gave: 9.32.

But a much better way of presenting the data lurks in a link on page four. Click on the link, and, if you’ve got Google Earth installed, the KML file (a KML file is an XML-based way of expressing geographic information that can be read by programs like Google Earth) will load a layer that tells the grim story in a different way.
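Reading placemarks out of a KML file, and putting a figure on what two decimal places of latitude actually cost you, as an added example (my own code, not HRW’s file or Google Earth’s). The KML fragment is constructed; only the 9.32 / 9.317999 latitudes come from the report, and the longitudes are invented.

```python
"""Parse placemarks from KML and quantify coordinate-precision loss.

The KML below is constructed for illustration and is not HRW's file.
"""
import math
import xml.etree.ElementTree as ET

KML_NS = {"kml": "http://www.opengis.net/kml/2.2"}
METERS_PER_DEG_LAT = 111_320.0   # one degree of latitude, to a good approximation

# Constructed sample: two dated placemarks, one with 2-decimal and one with
# 6-decimal coordinates. Longitudes are invented; latitudes echo the post.
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2">
  <Document>
    <Placemark>
      <name>Shelter cluster, 6 May (constructed)</name>
      <TimeStamp><when>2009-05-06</when></TimeStamp>
      <Point><coordinates>80.5,9.32,0</coordinates></Point>
    </Placemark>
    <Placemark>
      <name>Shelter cluster, 10 May (constructed)</name>
      <TimeStamp><when>2009-05-10</when></TimeStamp>
      <Point><coordinates>80.501234,9.317999,0</coordinates></Point>
    </Placemark>
  </Document>
</kml>"""


def count_decimals(num_str):
    """Decimal places as written ('9.32' -> 2), i.e. the stated precision."""
    return len(num_str.split(".")[1]) if "." in num_str else 0


def parse_kml(text):
    """Return one dict per Placemark with name, date, lat, lon and precision.
    Note KML writes coordinates as lon,lat[,alt]: longitude comes first."""
    root = ET.fromstring(text)
    marks = []
    for pm in root.iterfind(".//kml:Placemark", KML_NS):
        coords = pm.findtext(".//kml:coordinates", default="", namespaces=KML_NS)
        lon_s, lat_s = coords.strip().split(",")[:2]
        marks.append({
            "name": pm.findtext("kml:name", default="", namespaces=KML_NS),
            "when": pm.findtext(".//kml:when", default="", namespaces=KML_NS),
            "lat": float(lat_s),
            "lon": float(lon_s),
            "lat_decimals": count_decimals(lat_s),
        })
    return marks


def rounding_uncertainty_m(decimals):
    """Worst-case ground error (metres) hidden by rounding latitude to N places."""
    return 0.5 * 10 ** -decimals * METERS_PER_DEG_LAT


def lat_distance_m(lat_a, lat_b):
    """North-south separation in metres between two latitudes."""
    return abs(lat_a - lat_b) * METERS_PER_DEG_LAT


def lon_distance_m(lon_a, lon_b, at_lat):
    """East-west separation in metres; a degree of longitude shrinks with latitude."""
    return abs(lon_a - lon_b) * METERS_PER_DEG_LAT * math.cos(math.radians(at_lat))


if __name__ == "__main__":
    for m in parse_kml(SAMPLE_KML):
        print(m["when"], m["lat"], m["lon"],
              f"+/- {rounding_uncertainty_m(m['lat_decimals']):.1f} m")
    print(f"{lat_distance_m(9.32, 9.317999):.0f} m between the two stated latitudes")
```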

The first is the most recent picture from Google Earth, dated 2005. As you can see, very little human habitation (click on each image to enlarge).

[Image: Google Earth view, 2005]

The one below is from May 6. A dense city has appeared in the meantime, with its own streets:

[Image: May 6]

Four days later, most of it is gone:

[Image: four days later]

Toggling between these images in Google Earth is a sobering experience. Of course, such imagery does not explain what exactly happened to these people, but it asks tougher questions than any talking head can. And yet CNN chose to focus on that, and on familiar footage of the war.

My point is this: we’re now in a world of three dimensions. We journalists can see things our predecessors couldn’t.

If I was an editor I would have mined that HRW report until I’d found a way to use their imagery to tell the story. Buried in that single, 50 KB KML file is a wealth of detail:

[Image: detail from the HRW KML file]

Which could have been used as time lapse, or juxtaposed over a map like the one the BBC used for its report:

[Image: BBC map]

The bottom line: We as journalists need to understand this kind of thing better so we know what is possible, what is doable, and, if nothing else, to be able to know that when we see a link to a KML file, we may be on the way to a treasure trove of information to help us tell the story.

The Traffic Light Scam


If true, this is a scam that is going to fuel the conspiracy theories of every driver who feels they were fined unfairly for crossing a red light. Police in Italy have arrested the inventor of a smart traffic light system, and are investigating another 108 people, on suspicion of tampering with the software to speed up the transition from amber to red, netting the local police and others in on the scam millions of dollars of extra fines.

The question is: Is this kind of thing limited only to Italy?

The Independent writes:

Stefano Arrighetti, 45, an engineering graduate from Genoa who created the “T-Redspeed” system, is under house arrest, and 108 other people are under investigation after it was alleged that his intelligent lights were programmed to turn from amber to red in half the regulation time. The technology, which was adopted all over Italy, employs three cameras designed to assess the three-dimensional placement of vehicles passing a red light and store their number plates on a connected computer system.

Those now under investigation include 63 municipal police commanders, 39 local government officials and the managers of seven private companies.

The fraud, The Independent says, was uncovered by Roberto Franzini, police chief of Lerici, on the Ligurian coast, who – in February 2007 – noticed the abnormal number of fines being issued for jumping red lights. “There were 1,439 for the previous two months,” he said. “It seemed too much: at the most our patrols catch 15 per day.” He went to check the lights and found that they were changing to red after three seconds instead of the five seconds that had been normal.
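Franzini’s two checks, an implausible fine count and a measured amber phase that is too short, are easy to automate given a signal controller’s phase log. Here is an added example of doing so (my own code, not Kria’s, T-Redspeed’s or any police system’s); the log format and the lines themselves are constructed, and only the 5-second regulation, the 15-per-day patrol ceiling and the 1,439 figure come from the article.

```python
"""Detect shortened amber phases and anomalous fine volumes from constructed logs."""
from datetime import datetime

REGULATION_AMBER_S = 5.0   # the amber duration the article describes as normal
MAX_FINES_PER_DAY = 15     # most a patrol catches, per Franzini

# Constructed phase-transition log lines (hypothetical format):
# "<ISO timestamp> <intersection id> <new phase>". Not real controller output.
LOG_LINES = """\
2007-01-15T08:00:00 X1 GREEN
2007-01-15T08:00:30 X1 AMBER
2007-01-15T08:00:35 X1 RED
2007-01-15T08:01:20 X1 GREEN
2007-01-15T08:01:50 X1 AMBER
2007-01-15T08:01:53 X1 RED
2007-01-15T08:02:40 X1 GREEN
2007-01-15T08:03:10 X1 AMBER
2007-01-15T08:03:13 X1 RED
""".splitlines()


def amber_durations(lines):
    """Map (intersection, amber start) -> seconds until the following RED."""
    pending = {}       # intersection -> datetime when it last went AMBER
    durations = {}
    for line in lines:
        if not line.strip():
            continue
        ts, xid, phase = line.split()
        t = datetime.fromisoformat(ts)
        if phase == "AMBER":
            pending[xid] = t
        elif phase == "RED" and xid in pending:
            start = pending.pop(xid)
            durations[(xid, start.isoformat())] = (t - start).total_seconds()
    return durations


def short_amber_cycles(durations, regulation=REGULATION_AMBER_S, tolerance_s=0.5):
    """Cycles whose amber phase fell clearly below the regulation duration."""
    return sorted(k for k, secs in durations.items() if secs < regulation - tolerance_s)


def fines_exceed_baseline(fine_count, days, max_per_day=MAX_FINES_PER_DAY):
    """Franzini's sanity check: more fines than patrols could plausibly issue."""
    return fine_count > days * max_per_day


if __name__ == "__main__":
    d = amber_durations(LOG_LINES)
    print(short_amber_cycles(d))            # two cycles flagged at 3.0 s
    print(fines_exceed_baseline(1439, 61))  # True: two months at 15/day is about 915
```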

Unanswered, of course, is why it’s taken two years for the fraud to be stopped and investigated. The inventor’s lawyer has said he is innocent. Mr Arrighetti’s LinkedIn page is here. He is described as the owner of Kria, a Milan-based company which sells the T-Redspeed and other traffic monitoring systems.


Image of Arrighetti from Insight24 webcast

The T-Redspeed system is described in the company literature as “the newest and most innovative digital system for vehicle speed and red light violation detection. Based on special video cameras, it doesn’t require additional sensors (inductive loops, radars or lasers). It measures the speed of the vehicles (instantaneous and average) up to 300 km/h.”

Some forum posters have suggested a system used by British authorities, RedSpeed, is the same, but on first glance it doesn’t look like it. That said, reducing the amber phase seems to be a widespread source of extra revenue: The National Motorists Association of America has found six cities that have shortened the amber phase beyond the legal amount, apparently as a way to increase revenue.

Illustration from Kria brochure (PDF)

An Answer to Our Scanning Prayers?

[Image: NeatDesk]

I’m always amazed at how weak the market for scanners is. The devices aren’t always that good, and the software that accompanies them is generally speaking pretty awful. Those that were once good, like PaperMaster, are now dead.

So it’s good to hear that NeatReceipts, once interested mainly in, well, scanning receipts, is now called The Neat Company, and is about to launch NeatDesk – “the all-new desktop scanner and digital filing system.” It’s got what looks like a pretty cool Automatic Document Feeder scanner that will take receipts, business cards and documents—in the same scan.

I used NeatReceipts and thought it was a good effort—it did a good job of trying to parse receipts, although the user interface was overly complex and the software not particularly stable. Neat Co says the software has been completely overhauled.

The device is going to sell for $400+ once it’s launched. More anon.

The Neat Company – Preorder Sale

Update: Evernote have added PDF preview for Windows. Is there room anymore for Paperport and its ilk? This is a great addition to Evernote and something I think really pushes it into the ‘capture all your cr*p’ category. Good on them.