Tuesday, May 12, 2009

"On the internet, nobody knows you're a dog!"

---------------------------------------------------------------------------------- CONNECTIONS Computer tools, like this one showing money flows, help researchers visualize the reslationships between different sets of data generated from the internet. Sorting valuable data from junk is a challenge for experts.

Tracking CyberSpies Through the Web Wilderness
Published: May 11, 2009

For old-fashioned detectives, the problem was always acquiring information. For the cybersleuth, hunting evidence in the data tangle of the Internet, the problem is different.

“The holy grail is how can you distinguish between information which is garbage and information which is valuable?” said Rafal Rohozinski, a University of Cambridge-trained social scientist involved in computer security issues.

Beginning eight years ago he co-founded two groups, Information Warfare Monitor and Citizen Lab, which both have headquarters at the University of Toronto, with Ronald Deibert, a University of Toronto political scientist. The groups pursue that grail and strive to put investigative tools normally reserved for law enforcement agencies and computer security investigators at the service of groups that do not have such resources.

We thought that civil society groups lacked an intelligence capacity,” Dr. Deibert said.
They have had some important successes. Last year Nart Villeneuve, 34, an international relations researcher who works for the two groups, found that a Chinese version of Skype software was being used for eavesdropping by one of China’s major wireless carriers, probably on behalf of Chinese government law enforcement agencies.

This year, he helped uncover a spy system, which he and his fellow researchers dubbed Ghostnet, which looked like a Chinese-government-run spying operation on mostly South Asian government-owned computers around the world.

Both discoveries were the result of a new genre of detective work, and they illustrate the strengths and the limits of detective work in cyberspace.

The Ghostnet case began when Greg Walton, the editor of Infowar Monitor and a member of the research team, was invited to audit the Dalai Lama’s office network in Dharamsala, India.

Under constant attack — possibly from Chinese-government-sponsored computer hackers — the exiles had turned to the Canadian researchers to help combat the digital spies that had been planted in their communications system over several years.

Both at the Dalai Lama’s private office and at the headquarters of the exiled Tibetan government, Mr. Walton used a powerful software program known as Wireshark to capture the Internet traffic to and from the exile groups’ computers.

Wireshark is an open-source software program that is freely available to computer security investigators. It is distinguished by its ease of use and by its ability to sort out and decode hundreds of common Internet protocols that are used for different types of data communications. It is known as a sniffer, and such software programs are essential for the sleuths who track cybercriminals and spies on the Internet.

Wireshark makes it possible to watch an unencrypted Internet chat session while it is taking place, or in the case of Mr. Walton’s research in India, to watch as Internet attackers copied files from the Dalai Lama’s network.

In almost every case, when the Ghostnet system administrators took over a remote computer they would install a clandestine Chinese-designed software program called GhOst RAT — for Remote Administration Terminal. GhOst RAT permits the control of a distant computer via the Internet, to the extent of being able to turn on audio and video recording features and capture the resulting files. The operators of the system — whoever they were — in addition to stealing digital files and e-mail messages, could transform office PCs into remote listening posts.

The spying was of immediate concern to the Tibetans, because the documents that were being stolen were related to negotiating positions the Dalai Lama’s political representatives were planning to take in negotiations the group was engaged in.

After returning to Canada, Mr. Walton shared his captured data with Mr. Villeneuve and the two used a second tool to analyze the information. They uploaded the data into a visualization program that had been provided to the group by Palantir Technologies, a software company that has developed a program that allows investigators to “fuse” large data sets to look for correlations and connections that may otherwise go unnoticed.

The company was founded several years ago by a group of technologists who had pioneered fraud detection techniques at Paypal, the Silicon Valley online payment company. Palantir has developed a pattern recognition tool that is used both by intelligence agencies and financial services companies, and the Citizen Lab researchers have modified it by adding capabilities that are specific to Internet data.

Mr. Villeneuve was using this software to view these data files in a basement at the University of Toronto when he noticed a seemingly innocuous but puzzling string of 22 characters reappearing in different files. On a hunch, he entered the string into Google’s search engine and was instantly directed to similar files stored on a vast computerized surveillance system located on Hainan Island off the coast of China. The Tibetan files were being copied to these computers.

But the researchers were not able to determine with certainty who controlled the system. The system could have been created by so-called patriotic hackers, independent computer activists in China whose actions are closely aligned with, but independent from, the Chinese government. Or it could have been created and run by Internet spies in a third country.

Indeed, the discovery raised as many questions as it answered. Why was the powerful eavesdropping system not password-protected, a weakness that made it easy for Mr. Villeneuve to determine how the system worked? And why among the more than 1,200 compromised government computers representing 103 countries, were there no United States government systems? These questions remain.

Cyberforensics presents immense technical challenges that are complicated by the fact that the Internet effortlessly spans both local and national government boundaries. It is possible for a criminal, for example, to conceal his or her activities by connecting to a target computer through a string of innocent computers, each connected to the Internet on different continents, making law enforcement investigations time consuming or even impossible.

The most vexing issue facing both law enforcement and other cyberspace investigators is this question of “attribution.” The famous New Yorker magazine cartoon in which a dog sits at a computer keyboard and points out to a companion, “on the Internet, nobody knows you’re a dog,” is no joke for cyberdetectives.

To deal with the challenge, the Toronto researchers are pursuing what they describe as a fusion methodology, in which they look at Internet data in the context of real world events.
“We had a really good hunch that in order to understand what was going on in cyberspace we needed to collect two completely different sets of data,” Mr. Rohozinski said. “On one hand we needed technical data generated from Internet log files. The other component is trying to understand what is going on in cyberspace by interviewing people, and by understanding how institutions work.”

Veteran cybersecurity investigators agree that the best data detectives need to go beyond the Internet. They may even need to wear out some shoe leather.

“We can’t become myopic about our tools,” said Kent Anderson, a security investigator who is a member of security management committee of the Information Systems Audit and Control Association. “I continually bump up against good technologists who know how to use tools, but who don’t understand how their tools fit into the bigger picture of the investigation.”


Post a Comment

<< Home