Corporate espionage in the news: Hilton and the Oil industry

Is anyone calling espionage by means of computers cyber-espionage yet? I hope not. At least they shouldn't call it cyber war.

Two news stories of computerized espionage reached me today.

The first, regarding the Oil industry, was sent by Marc Sachs to a SCADA security mailing list we both read. The second, about the hotel industry, was sent by Deb Geisler to science fiction convention runners (SMOFS) mailing list we both read.

US oil industry hit by cyberattacks: Was China involved?
http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.

Starwood Charges That Top Hilton Execs Abetted Espionage
http://www.meetings-conventions.com/article_ektid31918.aspx

Starwood's claim points to a "mountain of undisputed evidence," including e-mails among Hilton senior management, that Klein and Lalvani worked with others within Starwood to steal sensitive documents by sending them via personal e-mail accounts, among other methods, and that such information was shared and used by all of Hilton's luxury and lifestyle brands, as well as in the development of Hilton's now-shelved Denizen brand. In the new filing, Starwood says, "This case is extraordinary, and presents the clearest imaginable case of corporate espionage, theft of trade secrets, unfair competition and computer fraud...Hilton's conduct is outrageous."

As to whether China is involved, maybe. But the automatic blaming has got to stop. Many other countries have been known to be conducting corporate espionage, such as France, and as the second story above shows, so do corporations themselves.

But.. here are a few questions:

- My dog barked, was China involved?
- The traffic light turned red, was China involved?
- I am tired. Is China involved?

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

China Hacks Google, Etc.

Many news sources are reporting on how Google and other corporations were hacked by China.

The reports, depending on vendor, blame either PDF files via email as the original perpetrator, or lay most of the blame on an Internet Explorer 0day.

Unlike my colleagues (save for the ones reporting), I rather not discuss this too much before more data is available.

Regardless of what really happened, which I hope we will know more on later, these things are clear:

1. Unlike GhostNet, which showed an interesting attack, but unfortunately many of us jumped to conclusions without evidence that it was China behind them -- based on Ethos alone I'd like to think that when Google says China did it, they know. Although being a commercial company with their own agenda, I am saving final judgement.

2. The 0day disclosed here shows a higher level of sophistication, as well as m.o. which has been shown to be used by China in the past.

3. If this was China, which some recent talk seems to make ambiguous, but still likely; they would have more than just one weapon in their arsenal.

4. This incident has brought cyber security once again to the awareness of the public, in a way no other incident since Georgia has succeeded, and to political awareness in a way no incident since Estonia has done.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

China, is it our cyber defense red herring?

There are thousands of articles perpetuating the claim that China is out to get us on the Internet. And yet, all these discussions are begging the question, is it China attacking? Also, are they even the "usual suspects"?

While I can point to real facts of China making active use of information warfare, cyber warfare, or whatever else you choose to call it (such as the release of 0 days being patched by Microsoft
and originally reported by the Taiwanese government, search Microsoft's site), I can also point to Germany (intelligence Trojan horse), the US (The Farewell Dossier) and other countries such
as North Korea (without much detail, so questioned).

We have a failing, that even as experts we see an IP source in China for an attack, and as it is popular, and we are still used to think in the physical world, jump to the conclusion the actor is from China. The actor is often from the US, Eastern Europe, Russia, Brazil, and many other countries. That in turn does not mean these actors are then sponsored by these countries. Information warfare is about covertness, not about being loud. The Internet is perfect for plausible deniability, as I've learned when writing the postmortem analysis of the 2007 attacks against Estonia, for the Estonian CERT.

The Chinese know more about the uses of being covert than any of the rest of us, in their strategy, their actions, and their history. If they are being so indiscreet it is for a specific reason, perhaps as a smoke-screen, or indeed, they are not doing it to begin with.

I am not saying the Chinese government does not attack, I am saying naming them continually is nothing but a baseless red herring, and an easy scape-goat we have all grown used to. Thus, blaming China by itself has become acceptable just because people did it often enough. The story of Ethos manufacturing itself.

Malicious computers in China are a problem we can't and shouldn't deny. However, continually claiming China is the Big Bad and attributing every attack to them, is beyond ridiculous. Nothing to see here, move along.

Then again, maybe if we keep saying it's the Chinese with every attack we see, they will get some ideas and make it true for us. It may eventually prove true, but our current proof is based mainly on people claiming it in the past. We are better than this.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

GhostNet and computer spying on Tibet. It's just Spear Phishing.

Gary Warner covers the recent GhostNet story, where the New York Times told of academic research, uncovering a computer spy network using Trojan horses to spy on Tibet and the Dalai Lama, with fingers pointed at China.

While interesting as a case study and the researchers did good work... It's not new, it's really just old news called Spear Phishing. Using a "technology" called RAT.

You can read more about what Gary has to say here:
http://garwarner.blogspot.com/2009/03/ghostnet-or-gh0st-rat-cyber-persecution.html

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron