One of the first stories of note I covered was news, broken first by The Indy, that a cyber crime boss had released a video to the darknet offering up a Porsche or Ferrari to the cyber goon-for-hire who could come up with the most lucrative scam.
Now, if it’s true, the story is an interesting one in what it tells us, or confirms to us, about the economics of cyber crime.
Namely, that if the bad guys have this kind of money knocking about – to blow on a kind of bizarre “employee of the month” competition – then how can the police, government and even security vendors hope to attract and retain the best talent?
If nothing else, Rapid7 global security strategist Trey Ford told me by email, it shows the sheer professionalism of cyber gangs today and the vast scale of the underground economy.
“With every part of our lives revolving around increasingly connected technologies, the line between physical and virtual is gone, and the opportunities for attackers are immense,” he added.
“The general public needs to understand this is no longer a world of script kiddies and evil foreign governments, where the average person is unlikely to be a victim. Cyber crime is big business, and everyone is a potential target.”
It sounds obvious but it’s worth saying again, and stories like this at least raise these problems in the public eye.
The other alternative, of course, is that it’s a hoax. Amichai Shulman, co-founder and CTO of Imperva, was not convinced by the story.
“I find it odd that criminal organisations resort to ‘advertising’ an ‘employee of the month’ program. I don’t think that we’ve seen this with recruiting skilled chemists for drug making and drug design or astute economists for money laundering schemes,” he argued. “This leads me to speculate that this is a hoax.”
Well, that was a messy week, made significantly messier by news that broke in Australia that I covered for The Reg on Lenovo. This story has taken enough twists and turns in the past few days to satisfy even the most ardent F1 fan.
The original piece in the well-respected Australian Financial Review claimed that intelligence agencies in the “Five Eyes” allied countries of US, UK, Oz, New Zealand and Canada had banned Lenovo from top secret networks since the mid-2000s (when the firm acquired IBM’s PC biz) after finding serious backdoor vulnerabilities.
Although it didn’t claim Lenovo was in cahoots with the Chinese government, or that it had used such vulnerabilities to spy on foreign powers, the article rightly stated that the PC giant’s biggest shareholder is part-owned by Beijing.
Although it used unnamed sources to corroborate the ban across intelligence agencies like GCHQ and the NSA, the story also quoted an Australian Department of Defence spokesman as saying Lenovo “never sought accreditation” for use of its kit in secret and top secret networks at the department.
Now, whether the firm didn’t seek accreditation because it knew it wouldn’t get it is conjecture at this stage, although IBM servers and mainframes are accredited for such use.
In a carefully worded statement, Lenovo said it was “not aware of any sort of a restriction of sales”, and bigged up its “strong relationship” with the Australian government. Strange then that it didn’t seek accreditation for use on the department’s most secure networks.
The story got more murky when a Lenovo spokesperson emailed me a couple of days later with a hard-to-find link to a Department of Defence statement on the story which said the following:
Reports published on 27 and 29 July 2013 in the Australian Financial Review allege a Department of Defence ban on the use of Lenovo computer equipment on the Defence Secret and Top Secret Networks.
This reporting is factually incorrect. There is no Department of Defence ban on the Lenovo Company or their computer products; either for classified or unclassified systems.
As we reported in an update at The Reg, the original AFR story didn’t claim a department-wide ban had been instituted at all, only that Lenovo hadn’t sought accreditation. The ban piece related to the Five Eyes intelligence and security agencies – a different entity altogether.
Just why the DoD decided to release a statement contradicting an assertion nobody made remains to be seen.
It’s possibly just down to plain old incompetence and human error – after all it’s easy to misread a sentence which refers to “multiple intelligence and defence sources in Britain and Australia” as instituting a ban, but then goes on to clarify that in the case of Australia’s defence department it is just the “non-accreditation” piece that was officially confirmed.
However, the conspiracy theorists will claim it did so after pressure from Beijing. After all, the DoD statement was not widely publicised – it appeared to have been filed away on a little-visited part of the site – but Lenovo was very quick to alert journalists to it.
I also understand that Fairfax Media, which owns the AFR, has received complaints from senior Chinese officials in the past over a certain controversial story.
The AFR has quite rightly written a follow-up piece to clarify the mix-up, which includes clarification from “subject matter experts” stating that intel agency the Defence Signals Directorate doesn’t use Lenovo kit, despite having previously used IBM gear.
Aside from all of this though is another question: if intelligence officials in the UK and elsewhere knew something about serious backdoor vulnerabilities in Lenovo gear, whether deliberate or accidental, did they share such information with the private sector and if not why not?
That kind of information could seriously hurt a company’s bottom line, although Lenovo remains the world’s biggest PC vendor.
This is exactly the sort of thing the UK government’s much lauded Cyber Security Strategy launched in 2011 was meant to promote – improved information sharing between public and private sector. GCHQ should be an asset exploited for the benefit of UK PLC.
China, where the links between government and private business are more secretive and certainly more pervasive, remains streets ahead in this regard.
Last week I popped over to the Quarry Bay HQ of Verizon Business in Hong Kong to hear more about the annual Data Breach Investigations Report.
The report’s really come on since I covered it way back in 2008, and this year pulled data from an unprecedented 19 reputable sources including Scotland Yard, the US Department of Homeland Security and many more.
The Register covered the main news from the report when it was launched the week before – that China was responsible for a whopping 96 per cent of state-affiliated attacks – so I was keen to get some other APAC-relevant insight from the team.
Unfortunately there wasn’t much to be had; in fact, the report itself only mentions Asia Pacific once as a break-out region, to illustrate the top 20 threat types across the whopping 47,000 security “incidents” recorded over 2012.
What this probably tells us is that methods of collecting the data at the moment are pretty non-standardised across the globe, which makes drawing any clear comparisons difficult between regions.
Another thought that occurred: it’s fairly obvious that organisations across the globe suffer from the same kinds of information security risk – whether hacktivist, financially motivated criminal or state sponsored espionage-related.
As Verizon’s HK VP Francis Yip said: “No one is immune from cyber crime. As long as you have an IP address, you are a target, no matter how long you spend online.”
In this respect, there were no startling new trends as such to pull out of the report, aside from China’s consistent and persistent appearance as number one source of state-sponsored shenanigans.
This is probably good news for under-fire CISOs, now tasked not only with deflecting financially motivated cyber crime and attempts from hacktivists to take down their sites and steal credentials, but also under-the-radar information theft from APT-style attacks.
What’s also good news is Verizon’s assertion that the cloud is no less safe than any other form of computing system, as long as IT teams make sure they carry out due diligence on providers.
“Cloud can actually be more secure, because these providers are doing it on an industrial scale with staff who know what they are doing,” argued Verizon’s APAC head of identity and privacy services, Ian Christofis.
While all this is certainly true, I definitely got the impression from the briefing that many firms are still failing on the security basics.
“Could try harder” is probably a suitable report card take-away for businesses from 2012.
Just finished a piece detailing, for possibly the first time, exactly what’s going on in the shady world of cyber crime in China.
Researchers at California uni have gone to exhaustive lengths to document the extent of the underground and the MO of its participants.
To be honest, a lot of it is pretty similar to the underground economy operating quite nicely thank you very much elsewhere in the world. Cyber hoods buy and sell their wares online, never meeting, in a highly efficient manner.
However, there are some distinctly Chinese elements to what the researchers found. The crims in the PRC are advertising and communicating with each other in many cases via a public web platform – Baidu PostBar – and Tencent’s hugely popular QQ service.
With just a bit of effort, the researchers uncovered all of this by inputting some common criminal jargon – various terms are substituted for underground slang to escape detection.
The whole underground economy is said to cost China over 5bn yuan (£500m) a year and snared around a quarter of web users in 2011.
It’s pretty obvious the government is on it – or will be, once it realises that online will be one of its few remaining growth areas when the economy really starts to slow – but it doesn’t look like the police at the moment really have their focus on breaking such trades.
Every ‘crackdown’ they make seems like a glorified PR exercise – the main victims seemingly porn peddlers, political dissidents and other troublemakers.
For the outside observer too, it will be interesting to see how fast things move. When the Chinese authorities want something actioned it is done pretty bloody quick – so it all depends on whether the will is there from the top.
In the meantime, it’s reassuring to see that the same cyber crime problems are felt throughout the world – but probably not reassuring if you’re a web business looking to tap the vast market that lies behind the Great Firewall.
This week we saw more news emerge of the escalating tit-for-tat cyber attacks apparently being launched by actors sympathetic to the Philippines and China over a naval stand-off in the South China Sea.
Scarborough Shoal – also known as Panatag Shoal or Huangyan island – is the region long disputed by the two countries, and things got serious earlier this month after Filipino navy officials tried to arrest Chinese fishermen operating in the area but were stopped by Chinese surveillance boats.
Cue a barrage of cyber attacks on Philippine government and university web sites by apparent Chinese hackers, and then reprisals from the other side.
It’s pretty basic stuff, site defacement and DDoS attacks designed to send a clear message to the other side, and in this kind of thing China is probably a world leader.
Although it will never be revealed exactly how many patriotic hacktivists there are in the People’s Republic, what’s more interesting is their relationship with the government. In all but the most repressive states – think Iran or Syria – governments disassociate themselves from any hacking behaviour, but I learnt recently that China has done the opposite.
It has long been suspected, but China has effectively made a deal with the hacking community, a source told me, which goes thus:
- Never hack your own government or companies in your own country.
- If you find anything of interest in your hacking activities which could help your country improve its status on the world stage, hand it over.
- When called upon to help the ‘cyber military’, make sure you respond.
The deal is simple, the source explained: follow these rules and you can hack away with impunity. It means attacks of the sort seen this month on the Philippines can be carried out with the covert blessing of the government and the Party.
Of course the PRC’s standard response to these accusations is that it denounces all hacking activities, that it is taking steps to prevent cyber crime and that China itself is as much a victim of such attacks as western countries.
Even if tracking technologies mature to the level where the source of such attacks can be pinpointed, by operating at arm’s length, the government will always have the advantage of plausible deniability. It’s just a case of whether the international community will eventually lose patience with China and demand action, economic superpower or not.