Real Phone Hacking

By | November 22, 2011

Interesting glimpse into the real world of phone hacking–not the amateurish stuff we’ve been absorbed by in the UK–by Sharmine Narwani: In Lebanon, The Plot Thickens « Mideast Shuffle.

First off, there’s the indictment just released by the Special Tribunal for Lebanon which, in the words of Narwani,

appears to be built on a simple premise: the “co-location” of cellular phones — traceable to the accused four — that coincide heavily with Hariri’s whereabouts and crucial parts of the murder plot in the six weeks prior to his death.

Indeed, the case relies heavily on Call Data Record (CDR) analysis. Which sounds kind of sophisticated. Or is it? Narwani contends that this could have been manufactured. Indeed, she says,
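To make concrete what “co-location” analysis of CDRs means in practice, here is an added example (not from the tribunal, from Narwani or from the original post) that scores phones by how often they registered on the same cell as a target’s known movements; the cell IDs, phone numbers and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: cell IDs, numbers and times are invented for
# illustration and do not come from the tribunal's evidence.
TARGET_TRACK = [  # (arrival, departure, cell_id) for the person of interest
    ("2005-01-10 08:00", "2005-01-10 09:30", "BEY-101"),
    ("2005-01-10 12:00", "2005-01-10 13:00", "BEY-205"),
    ("2005-01-11 09:00", "2005-01-11 10:00", "BEY-330"),
    ("2005-01-12 15:00", "2005-01-12 16:00", "BEY-101"),
]

CDRS = [  # (phone, timestamp, cell_id) as a switch would log them
    ("9613000001", "2005-01-10 08:12", "BEY-101"),
    ("9613000001", "2005-01-10 12:40", "BEY-205"),
    ("9613000001", "2005-01-11 09:05", "BEY-330"),
    ("9613000001", "2005-01-12 15:45", "BEY-101"),
    ("9613000002", "2005-01-10 08:50", "BEY-101"),
    ("9613000002", "2005-01-11 18:00", "BEY-999"),
    ("9613000003", "2005-01-10 08:20", "BEY-101"),
    ("9613000003", "2005-01-10 12:20", "BEY-205"),
    ("9613000003", "2005-01-12 10:00", "BEY-330"),
]

FMT = "%Y-%m-%d %H:%M"

def _ts(s):
    return datetime.strptime(s, FMT)

def colocation_scores(track, cdrs, slack_minutes=10):
    """For each phone, the fraction of target windows in which it registered
    on the same cell, allowing `slack_minutes` either side of the window."""
    slack = timedelta(minutes=slack_minutes)
    hits = defaultdict(set)
    for phone, when, cell in cdrs:
        t = _ts(when)
        for idx, (start, end, tcell) in enumerate(track):
            if cell == tcell and _ts(start) - slack <= t <= _ts(end) + slack:
                hits[phone].add(idx)  # one hit per window, however many calls
    return {p: len(w) / len(track) for p, w in hits.items()}

def rank_phones(track, cdrs, min_score=0.5):
    """Phones co-located in at least `min_score` of the windows, best first."""
    scores = colocation_scores(track, cdrs)
    return sorted(((p, s) for p, s in scores.items() if s >= min_score),
                  key=lambda ps: (-ps[1], ps[0]))
```

The ranking is only as trustworthy as the records fed into it: the code has no way of telling a genuine switch log from one altered somewhere along the logging trail, which is exactly the weakness Narwani goes on to describe.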

there isn’t a literate soul in Lebanon who does not know that the country’s telecommunications networks are highly infiltrated — whether by competing domestic political operatives or by foreign entities.

There is plenty of evidence to support this. The ITU recently issued two resolutions [PDF] basically calling on Israel to stop conducting “piracy, interference and disruption, and sedition”.

And Lebanon has arrested at least two men accused of helping Israel infiltrate the country’s cellular networks. What’s interesting about this from a data war point of view is that one of those arrested has confessed, according to Narwani, to lobbying for the cellular operator he worked for not to install more secure hardware, made by Huawei, which would have presumably made eavesdropping harder. (A Chinese company the good guy? Go figure.)

If this were the case–if Lebanon’s cellular networks were so deeply penetrated–then it’s evidence of the kind of cyberwar we’re not really equipped to understand, let alone deal with: namely data manipulation.

Narwani asks whether it could be possible that the tribunal has actually been hoodwinked by a clever setup: that all the cellular data was faked, when

a conspiring “entity” had to obtain the deepest access into Lebanese telecommunications networks at one or — more likely — several points along the data logging trail of a mobile phone call. They would have to be able to intercept data and alter or forge it, and then, importantly, remove all traces of the intervention.

After all, she says,

the fact is that Hezbollah is an early adherent to the concept of cyberwarfare. The resistance group have built their own nationwide fiber optics network to block enemy eavesdropping, and have demonstrated their own ability to intercept covert Israeli data communications. To imagine that they then used traceable mobile phones to execute the murder of the century is a real stretch.

Who knows? But Narwani asserts that

Nobody doubts Israel’s capacity to carry out this telecom sleight of hand — technology warfare is an entrenched part of the nation’s military strategies. This task would lie somewhere between the relatively facile telephone hacking of the News of the World reporters and the infinitely more complex Stuxnet attack on Iran’s nuclear facilities, in which Israel is a prime suspect.

In other words, there’s something going on here that is probably a lot more sophisticated than a tribunal can get behind. I’m no Mideast expert, but if only half of this is true it’s clear that cellphones are the weakest link in a communications chain. And if this kind of thing is going on in Lebanon, one has to assume that it’s going on in a lot of places.

Korean Banks

By | November 22, 2011

The Washington Post reports that it seems the attack on South Korea’s Nonghyup agricultural bank back in April was the work of North Korea. The evidence?

South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.

This is interesting. Command and control servers are compromised computers that are used by bad guys to “run” other computers—zombies—that actually do the grunt work. There’s definitely a common thread between the 2009 and 2011 DDOS attacks, and plenty of circumstan

Southeast Asia’s Third Mobile Tier

By | November 22, 2011

The mobile revolution is moving from second tier countries in Southeast Asia to the third and final tier. Whereas previously Indonesia and the Philippines were seeing the biggest growth in mobile Internet traffic, now it’s Burma (Myanmar) and Cambodia which top the list in terms of user- and usage-growth, according to the Opera State of the Mobile Web report for July:

    • Myanmar and Cambodia lead the top 10 countries of the region in terms of page-view growth (6415.0 % and 470.1 %, respectively).
    • Myanmar and Cambodia lead the top 10 countries of the region in growth of unique users (1207.5 % and 179.1 %, respectively).
    • Myanmar and Cambodia lead the top 10 countries of the region in growth of data transferred (3826.6 % and 353.2 %, respectively).

Of course these figures are from a low base, and the Opera data is not the easiest to trawl through. (The Opera mobile report is always interesting reading, so long as you take into account that the Opera browser is for many people a Symbian browser and so of declining popularity in some quarters. Also, their data is never presented in quite the order one would like, so you have to dig.)

Looking at the figures in more detail, and throwing them into a spreadsheet of my own, it’s clear that Burma is definitely an outlier. Cambodia’s growth is impressive, but Burma’s is by far the greatest out of all 27 countries surveyed. Here’s how it looks:

2011-07 Page view growth SEA

So is the Burma usage real, or is this just a jump from nothing to slightly more than nothing? I suspect it may actually be a sizeable jump. Opera are coy about the actual number of users (so we may actually be dealing with a small dataset). But the figures suggest that this is a real spurt in usage: Burmese mobile users are transferring more data per page view than any of the other 27 countries surveyed, and page views per user are on a par with the Philippines and Thailand.

I’d cautiously suggest that Burma, along with Cambodia and Laos, is beginning to exhibit some of the signs of what one might pompously call “mobile societies”: using the mobile phone as an Internet device as a regular part of their activities. Take the page views per user, for example, which measures how much they’re using the mobile phone to view the Internet (Brunei seems to be in a league of its own; I don’t know what’s going on there, except that in terms of nightlife, I’d have to say not much):

2010-07 Page views per user SEA

It’s probably too much to conclude that mobile phones as Internet devices are now mainstream in this third tier of the region, but it’s a healthy sign, with lots of interesting implications.

Libya: We’re Back. Iran: We’re Not

By | November 22, 2011

In its latest quarterly report Opera looks at how quickly Libyans have gone back online with their mobile devices after six months in the dark. The graphic pretty much sums it up:

Talking of Internet blocking, Opera noticed that Iran continues to mess with Internet access for its citizens:

While we can speculate on government intervention or an operator shutting down Opera Mini access, the numbers are striking. Opera Mini usage in Iran dropped 36% in July. Most of the user loss occurred over five days, from July 4th to July 9th. Iran is no stranger to these quick drops. After reaching new highs, Opera Mini usage drops quickly. On June 14, 2011, Opera Mini reached an all-time high in Iran. The next day, usage plummeted more than 48%.

One can indeed only speculate, but the June plummet may have to do with the June 12 second anniversary of the 2009 election, when marchers took to the streets [Inter Press Service report via Asia Times]. (The lag between the Sunday June 12 march, the spike in traffic two days later, and then the plummet could be explained either by the marchers using their cellphones and then losing interest, or by the sudden interest of the security services in curtailing mobile traffic to disrupt further planned marches.)

The July drop in traffic I can’t explain: I’ve looked for events around that time, but can’t find any.

Southeast Asia’s Viral Infection

By | November 22, 2011

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one account Thailand has risen to be the country with the highest number of malware infections, and by another to be the second, all in the past few months.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China) with nearly 57% of computers scanned by their antivirus software as being infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists Thailand as top in terms of infected countries–nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet compared to the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist