Tag Archives: War/Conflict

ASEAN Phishing Expeditions

Mila Parkour, the indefatigable phish researcher from DC, points to some recent spear-phishing attacks which to me help confirm that Southeast Asia, and ASEAN in particular, has become something of a focus for the chaps in China.

They also highlight just how vulnerable diplomats in the region are because of poor security.

One is a phish apparently coming from the Indonesian foreign ministry, in particular one Ardian Budhi Nugroho, whom the email correctly describes as from the Directorate of ASEAN Political Security Cooperation. The subject matter is topical and credible:

Dear Sirs/Mesdames,
Enclosed herewith letter from Director for ASEAN Political-Security Cooperation, informing the date of the next Direct Consultations between ASEAN and P5 Nuclear Weapon States, which will be held on 4 – 6 October 2011 in New York. A Tentative Programme of the Direct Consultations is also attached for your kind reference. Thank you for your attention and continued cooperation.

The only good thing about these phishes is that they reveal something of the attacker’s interests. These attacks are timed carefully a week or so ahead of key meetings–in this case an Oct 4-6 meeting in New York of ASEAN and the P5 Nuclear Weapon states (one of those states, of course, is China). The email was sent on Sept 20.

The email address given, aseanindonesia@yahoo.com, doesn’t appear to be genuine, but it could easily be. Look, for example, at the email addresses listed here. More than half are either ISP or webmail addresses.

Diplomats need to get wise to these kinds of attacks by using their domain’s email addresses and being more sophisticated about their communications (not sending attachments, for one thing, and telling me they don’t.)

How does all this work? We don’t know who received this, but it’ll probably be a list of diplomats attending the talks–not hard to find, as we can see from the above list. It only needs one member of each delegation to open the infected attachment for the whole delegation to be in danger of China–or whoever is behind this attack–being able to monitor everything they do.
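A defender-side check for the pattern described above, written as an added example (it is not code from this post, from Mila Parkour, or from any organisation mentioned): it parses a constructed message in the shape of the lure, flags a sender whose display name or subject claims an official body while the address sits on a consumer webmail domain, and lists attachments of types commonly used as lures. The sample messages, the webmail-domain list, the keyword hints and the extension list are all assumptions made for illustration; the point is the check, not the specific values.

```python
import email
import email.utils
from email import policy

# Constructed sample modelled on the lure described in the post: the sender
# claims an ASEAN role, writes from a free webmail address and attaches a file.
# All addresses, domains and content are made up.
SAMPLE_EML = """\
From: ASEAN Indonesia <aseanindonesia@example-webmail.invalid>
To: delegates@example.invalid
Subject: Direct Consultations between ASEAN and P5 Nuclear Weapon States
Date: Tue, 20 Sep 2011 09:12:00 +0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Sirs/Mesdames,
Enclosed herewith letter from Director for ASEAN Political-Security Cooperation.
--b1
Content-Type: application/octet-stream; name="Letter.doc"
Content-Disposition: attachment; filename="Letter.doc"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed benign counterpart: same topic, but sent from the organisation's
# own (made-up) domain and without an attachment.
CLEAN_EML = """\
From: ASEAN Desk <asean.desk@kemlu.example.invalid>
To: delegates@example.invalid
Subject: Direct Consultations between ASEAN and P5 Nuclear Weapon States
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The letter is available on the secretariat portal; no file is attached.
"""

# Free webmail domains an official body would not normally send from.
# Illustrative list (assumption); a real deployment maintains its own.
WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "example-webmail.invalid"}

# Words in a display name or subject that suggest a claim to official standing.
OFFICIAL_HINTS = ("ministry", "embassy", "asean", "directorate", "secretariat")

# Attachment types frequently used as lures in the attacks the post describes.
RISKY_EXTENSIONS = (".doc", ".xls", ".ppt", ".pdf", ".exe", ".scr", ".zip")


def sender_parts(msg):
    """Return (display_name, address, domain) taken from the From header."""
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return name, addr, domain


def attachment_names(msg):
    """Filenames of every attachment in a (possibly multipart) message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def assess(raw):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr, domain = sender_parts(msg)
    subject = str(msg.get("Subject", ""))
    warnings = []

    claims_official = any(h in (name + " " + subject).lower() for h in OFFICIAL_HINTS)
    if domain in WEBMAIL_DOMAINS:
        warnings.append(f"sender {addr} uses a free webmail domain ({domain})")
        if claims_official:
            warnings.append("display name or subject claims an official body, "
                            "but the sending address does not belong to one")

    for fname in attachment_names(msg):
        if fname.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"attachment {fname!r} is of a type commonly used to deliver malware")
    return warnings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, "->", assess(raw) or ["no warnings"])
```

The check is deliberately simple: it does not try to prove a message is malicious, only to surface the two signals the post points at (an official claim paired with a webmail sender, and an unsolicited attachment) so that a delegate or a mail gateway can treat the message with the suspicion it deserves.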

Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009 APEC officials and delegates of several APEC economies were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committee and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009 culminating in a leaders’ meeting in Singapore from November 14-15.)

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister of State for Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority, and reported in the Straits Times on Saturday, December 4. (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.  

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails purportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question why they didn’t use that information in the first wave.) Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid-2009 to December 2009 on dozens of Western companies including Google, which alleged that the attacks originated in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control network based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; it has been associated with corporate espionage but also with the GhostNet attacks.

Virus Grounds French Fighters

Here’s more evidence of how vulnerable armed forces are to software attacks, intended or not. The French navy’s fighter jets “were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand,” according to the Telegraph:

However, the French navy admitted that during the time it took to eradicate the virus, it had to return to more traditional forms of communication: telephone, fax and post.

Naval officials said the “infection” was probably due more to negligence than a deliberate attempt to compromise French national security. It said it suspected someone at the navy had used an infected USB key.

Last month, you may recall, a virus closed down the British Ministry of Defence.

French fighter planes grounded by computer virus – Telegraph

South Ossetia: The First Cyber/Physical War?

(Image: BBC picture)

Wikipedia is doing a good job of chronicling the war in South Ossetia; its mention of several apparent cyberattacks on both sides makes me wonder whether this is the first instance of a physical war being accompanied by a cyberwar. The earlier cyberattacks listed on Wikipedia were not parallel attacks, i.e. they were not part of an actual physical war.

So far the attacks have been by Georgian supporters on two Ossetian media sites, and by supporters of South Ossetia on the Georgian National Bank website and the Georgian Ministry of Foreign Affairs (which was reportedly splashed with a collage of Saakashvili and Hitler photos.) The Georgian news site Civil Georgia, which reported the attacks on the South Ossetian websites, itself now appears to be down.

Some attacks appear to have preceded the war, suggesting that they were part of a deliberate build-up ahead of the entry of Russian troops into South Ossetia. On July 21 the Georgian president’s website was attacked. I wasn’t able to access the website as of early Aug 9. While tensions have been growing between Georgia and Russia for several weeks, it seems clear that the botnet involved in this attack was set up for this purpose only a few weeks ago.

Of course, none of this means that it’s done at an official level. But it’s interesting that at a time the Georgians and the South Ossetians would presumably like to get their sides of the story out, they can’t because their websites, official and unofficial, are down.

As the Georgian ambassador to the UK put it to Al Jazeera:

“Georgia has been attacked by a formidable force, it is a brutal attack with the use of air force, tanks and even the trademark cyber attack.”

“If this is not an all out war what is?” he asked.

War in South Ossetia (2008) – Wikipedia, the free encyclopedia

Update on Aug 12: some more links

http://lists.grok.org.uk/pipermail/full-disclosure/2008-August/063820.html

http://news.cnet.com/8301-1009_3-10014150-83.html

Angry Pondok Indah-ans

(Photo: Angry Pondok Indah-ans, originally uploaded by Jeremy Wagstaff.)

If today’s Jakarta Post is anything to go by, the residents of swanky suburb Pondok Indah are taking their opposition to a plan to build a busway through their neighborhood to the streets. Actually, it looks more like the forests.

Russia Declares Cyberwar?

The Guardian reports on what some are suggesting may be the first outbreak of official cyberwar between one country and another, after Russian hackers, official or not, flooded Estonian websites with distributed denial-of-service (DDoS) attacks:

Without naming Russia, the Nato official said: “I won’t point fingers. But these were not things done by a few individuals.

“This clearly bore the hallmarks of something concerted. The Estonians are not alone with this problem. It really is a serious issue for the alliance as a whole.”

An Unlikely Blogger Expelled

Although it’s not good for Sudan, I think it’s good for blogging: CNN reports that 

The government of Sudan on Sunday gave the top U.N. official in the country three days to leave, marking the latest hurdle in international efforts to bring peace to the nation torn apart by civil war.

Sudan expelled Jan Pronk, the top U.N. envoy to Sudan, who has openly criticized Khartoum as well as rebel groups on his Web log.

Pronk has been running a blog for nearly a year and while it doesn’t look like your average blog (really long posts, no external links, no comments, blogs numbered as if they were official UN documents) it’s an impressively direct account of the Sudanese conflict. His third post started as follows: 

This week the seventh round of the Abuja talks between the Government of Sudan and the rebel movements will start. Will it be the last one, producing a peace agreement before the end of the year? The chances are diminishing.

Not the sort of mealy-mouthed stuff we’re used to from senior UN officials. And it’s probably upset the UN as much as it’s upset the Sudanese government. But if so why had the UN not closed him down earlier? Pronk, according to UPI, did not offer any disclaimers, but the UN has since made clear he was writing in a personal capacity. The UN has “no rules barring blogging specifically, though employees face restrictions when publishing articles and participating in interviews.” It seems Pronk was probably senior enough, and his comments uncontroversial enough, for no one to mind too much. Until last week.

What I like about it is that reporters tend to meet these kinds of people in the field, and it’s great to hear them sounding off about the situation, but rarely are their words captured in sufficient quantity for their great background knowledge and high-level involvement in such diplomatic processes to be read by a wider audience. I’ve not followed the tragedy in Darfur much beyond what I read in the papers, but Pronk’s year-long posts are a diary of immense and satisfying detail about the process, peppered by great photos, that are worthy of more than the word blog.

Take this one, for example, from June 28

There is a significant risk that the Darfur Peace Agreement will collapse. The agreement does not resonate with the people of Darfur. On the contrary, on the ground, especially amongst the displaced persons, it meets more and more resistance. In my view it is a good text, an honest compromise between the extreme positions taken by the parties during the negotiations in Abuja. That is why the UN, like all international partners, has endorsed the agreement. However, in politics objective rational calculations will always be confuted by subjective emotional perceptions and aspirations. And those perceptions are that the agreement does not meet the expectations of the people in Darfur, has been forced upon them and, rather than meeting the interests of all parties somewhere halfway, only strengthens the position of the government and a minority tribe, the Zaghawa.

That to me is very clear writing, reflecting his knowledge of the situation on many levels. Not every situation could allow a senior figure involved deeply in the political process to write so frankly and openly, but wouldn’t it be great if they could? This to me is the real potential of blogs and citizen reporting: someone who really knows what is going on telling us about it.

PS: Jan Pronk has a reputation of sorts in Indonesia, my current abode. He earned the lasting enmity of then president Suharto by

Reporting Timor

Further to my post about the dearth, despite millions of dollars of aid, of any local Timorese media outlet reporting the chaos/civil war going on in Timor Lorasae, here are some bloggers who stepped into the breach. Of course, they probably have satellite connections, but they convey authentic and powerful accounts of what they’ve seen:

  • Diligence, “Random observations from an English speaking foreigner in Dili, Timor-Leste”. Still in Dili, it seems. “I can’t see things improving greatly for a number of days except if you are journalist. For them, this is what they get up in the morning for.” Er, true.
  • Lookingglass View, Sue. Nicely written. Still there it seems: “What kind of world do we live in when a 3-year old knows that a Blackhawk means you are safe?”
  • Dili-Dallying, “Two years in Timor-Leste”. “As I sit here, typing this post, I can hear the sound of gun and mortar fire. It’s been going on for four hours already.”
  • tumbleweed in timor lorasae, Singaporean Bridgette, who writes trenchantly and well. She left at the weekend, but is still in contact with folk in Dili. “The police man died. NO ONE should die this way.”

Some good writing in here. Thank God for blogs.

Where Is Technology When You Need It Part XIV

This has absolutely nothing to do with technology, except that surely there’s some technology to prevent this kind of outburst of law enforcement official mastication by members of the post-death personal care industry? From Reuters: Hearse driver arrested for biting policeman: 

BERLIN (Reuters) – A drunken hearse driver has been arrested in the western German town of Krefeld after biting a police officer taking him in for an alcohol test, police said on Monday.

Police had called for a hearse at a funeral home to transport a body to the cemetery.

“The hearse driver nearly fell over when he got out of the car. Then he had to hold onto everything he could find as he stumbled to the house,” said police spokesman Dietmar Greger.

Police decided to take the man to the station to test his blood alcohol level, but when they tried to get him out of their car he started a fight and bit an officer several times in the hand.

The man was confined to a cell until he sobered up and has been charged with civil disorder and drunk driving.

News: RFID Tags Could Save Us From Terror

Further to my column a few weeks back about RFID, the little tags on merchandise that can tell retailers and others an awful lot of information about you, here’s a story from WIRED about how food companies are trying to get the technology declared ‘antiterrorist’.

“Facing increasing resistance and concerns about privacy,” WIRED’s Mark Baard writes, “the United States’ largest food companies and retailers will try to win consumer approval for radio identification devices by portraying the technology as an essential tool for keeping the nation’s food supply safe from terrorists.” The basic idea is that the technology can help keep precise track of all goods and help in recall efforts should their products be contaminated or laced with poison during a terrorist attack.

For sure that could be useful. But it sounds to me like a back door to get the technology on every shelf, which smacks of dishonesty to me. Are terrorists going to start contaminating razor blades and wooly jumpers too?