Thursday, April 09, 2009

Cyber-Skirmish At The Top Of The World

By Peter Lee
April 8, 2009
Courtesy Of Aisa Times Online

For the past decade or more, China has been engaged in a game of whack-a-mole to control the burgeoning channels of digital communication between Tibetan dissidents inside Tibet and in the Tibetan diaspora. Despite Beijing's resolve to define the Tibetan issue as a solely internal matter for the People's Republic of China, Tibetan Internet issues have been quietly internationalized, thanks to the efforts of Western activists to provide cyber-security services for Tibetan dissidents and emigres.

In March 2008, Canadian investigators achieved a cyber-security triumph: the exposure of a malicious data-gathering botnet, a large number of compromised computers used to create and send spam or viruses, targeting the Tibetan international community. The botnet's exposure could almost - but not quite - be construed as a counter-intelligence operation against a hacker network apparently operating out of China.

Domestically, China routinely monitors and blocks websites, chat rooms and plain-text e-mail nationwide on a host of sensitive subjects, including Tibet, using thousands of real and virtual cybercops and its US$700 million Golden Shield infrastructure - derisively called "The Great Firewall of China" (GFW). It also employs the technical assistance of local service providers (including the in-China operations of multi-nationals like Yahoo!) to gather information on domestic dissidents.

Efforts in the sensitive Tibetan regions of China are more direct and draconian, especially in the context of heightened tensions following the unrest in March 2008.

Landline, cell and Internet services in Tibetan areas were interrupted during the period of unrest. When the Chinese government became aware that Tibetan dissidents were using the video-sharing website YouTube as a text-free method to communicate, it shut it down. When image-sharing website Flickr emerged as a potential source of visual information, it was blocked. Tibetan radio broadcasts by Voice of America (VOA), Radio Free Asia (RFA) and Voice of Tibet were jammed. A campaign against satellite dishes was intensified to limit the audience of VOA's direct-to-dish Tibet TV service. In order to cut off cell-phone based talk, text, and images, China reportedly limited service and tore down cell phone towers.

When confronting in cyberspace supporters of Tibetan dissidents located outside of China, the Chinese government is apparently abetted by a group of hackers, acting either pro bono or with government encouragement. The hackers disrupt websites, harass activists and, it transpires, organize extensive espionage operations against targeted computers around the world.

China's efforts against the Tibetan independence movement and Tibetan government-in-exile have been countered by a variety of overseas "hacktivists" - computer hackers with an activist bent. Some of these derive a measure of support, including some financial backing, from Western governments.

The hacktivist organization with the highest profile and level of capability and professionalism is probably Citizen Lab, run by Professor Ron Deibert in the University of Toronto's Munk Center for International Studies.

Citizen Lab was in the news recently when it midwived a report [1] by Information Warfare Monitor announcing the existence of a cyberspying operation targeting computers belonging to the Tibetan government-in-exile, Tibetan non-governmental organizations (NGOs), and a host of other governments and organizations around the world.

In 2008, at the request of the Office of the Dalai Lama, Citizen Lab checked the computers of the Tibetan government in exile offices in Dharmsala in India and in various European cities to determine if they were infected with malware.

Citizen Lab investigator Greg Walton collected reams of suspicious code. By plugging a likely bit into Google, he was able to locate the server that the malware was communicating with. He lured the server into establishing communication with a "honeypot" - a computer set up to document and trace cyber-intrusions - and finally penetrated it.

Walton discovered three other servers supporting the malware, and obtained a list of almost 1,300 computers - many located in the offices of emigre Tibetan government and NGOs around the world, but also in numerous Taiwanese, European and Asian governmental offices - from which they were collecting information.
The operation, which the investigators named "GhostNet", used a Trojan hidden in e-mail attachments to compromise a computer's security and download a piece of malware called gh0st RAT (RAT standing for Remote Access Tool). Gh0st RAT allowed a remote operator both to examine files on the computer and to upload them to a gh0st RAT server. Keystrokes could also be logged - a key hacking tool for acquiring passwords - and, purportedly, the computer's microphones and webcam could be activated and the audio and video sent to the gh0st RAT server.

This was not Citizen Lab's first foray into the world of China-related cyber-security. In fact, Citizen Lab finds itself at the center of many issues pertaining to China, Tibet and the Internet.

In October 2008, Citizen Lab issued a report revealing that TOM-Skype, a joint venture by Skype and an arm of Hong Kong tycoon Li Ka-shing's empire offering encrypted voice and text messaging services inside of China, saved copies of text messages on a network of eight servers.

This was a big deal for three reasons.

First, though TOM-Skype admitted that Chinese-mandated filtering software would knock out messages with forbidden keywords, it had previously claimed that the filtered messages were discarded. Not true. The filtered messages were stored on the eight servers.

Secondly, TOM-Skype is supposed to be a private, encrypted service with encryption keys that were the secret property of the service's users. Nevertheless, it was revealed that, presumably at the behest of the Chinese government, TOM-Skype saved both the traffic and the keys needed to decrypt it.

Third, the servers were also apparently storing traffic that did not contain banned keywords - an indication that the Chinese government was selecting individuals and accounts to monitor, and dumping all their traffic on the servers for examination.

The TOM-Skype affair highlights the central role played in the battle between the Chinese state and those who wish to navigate the Internet beyond its control by a unique technical feature of Internet communication: 128-bit encryption.

In the 1990s, Phil Zimmerman, an American political activist, developed an unbreakable open source 128-bit encryption program employing private and public keys that he called, tongue-in-cheek, "Pretty Good Privacy" or PGP. The US government, realizing that propagation of PGP would put an end to the era in which the National Security Agency (NSA) possessed the technical means to monitor every form of electronic communication from telegrams and faxes to computer traffic, bitterly fought Zimmerman's efforts to publicize the code.

The government placed 128-bit encryption on a list of munitions proscribed for export. Zimmerman countered by printing the PGP source code in book form and claimed his right to protection under the First Amendment of the US constitution. In 1996, realizing that mathematicians and programmers overseas were capable of developing equivalent programs, the US government dropped its investigation of Zimmerman and permitted the export of PGP.

Probably, if the Federal Bureau of Investigation and NSA had succeeded in their efforts to keep the 128-bit genie in the bottle until September 11, 2001, changing the security vs freedom equation, we would be living in a world where every government demanded a copy of everybody's encryption key.

As it is, today the open, distributed international architecture of the Internet demands encryption in order to protect both the sensitive data that travels along it and the network itself. All efforts to impose - and evade - monitoring and control of digital information take place in the shadow of 128-bit encryption.

Governments around the world, "free" as well as totalitarian, have responded with a variety of strategies to ensure that encrypted communications yield up their secrets.

Rights of privacy are extremely limited, if not non-existent, when it comes to encryption. Companies and individuals are expected to produce keys at government demand in response to informal requests, pointed demands, subpoenas, or something called "rubber hose cryptoanalysis", a euphemism for the extraction of cryptographic secrets (eg the password to an encrypted file) from a person by coercion.

Governments, especially the United States, are rumored to routinely seed computers, software and even mathematical elements of the decryption algorithm itself with backdoors that enable the surreptitious acquisition of passwords and the precious keys.

Commercial providers of encrypted e-mail worldwide are apparently eager to cooperate with the government and avoid being identified as a provider of genuinely secure communications to terrorists, criminals and any other suspect entity.

In the course of a criminal investigation of steroid smuggling, one provider, Hushmail, revealed [2] that it was able to turn over decrypted traffic to the Canadian government because it had a Java applet that could penetrate its customers' computers to extract the supposedly sacrosanct private key.

And if a key really can't be provided, but plain and encrypted versions of the same message are available and can be attacked with adequate time, skill and resources, the underlying code may be broken.

China has made the somewhat counterintuitive but perhaps inevitable decision to join the family of nations that tolerates but controls encrypted communication - and engages in the never-ending, no-holds-barred struggle to track and crack it.

China, after all, is anxious to reap the economic rewards of being at the forefront of the digital networking revolution. Since China is already near the forefront of the hacking, cracking, phishing (the use of a fake websites or e-mails to obtain to gather confidential data), and cybercrime revolution, it must also accept the need of businesses and individuals to encrypt sensitive data.

China, like governments around the world, insists that businesses offering encrypted communications within their borders provide the means to generate decrypted traffic at the demand of law enforcement.

As the TOM-Skype case shows, any commercial participant in encrypted communication activities will be expected to provide a backdoor and/or a helping hand to Chinese security organizations.
The attention of dissidents - and the security personnel who track them - must turn elsewhere for more private communications.

Secure, non-commercial e-mail encryption is still available to those who have the ability and desire to forego the commercial services and are willing and able to engage in the rather laborious process of maintaining their own collection of encryption keys and coding and decoding their traffic without relying on the web-based public key servers.

However, encryption does not encode the e-mail header, which exposes information on the sender and receiver, thereby providing security forces with a point of entry to generate a social-web map of senders and recipients that is, in itself, a source of dangerous intelligence. Furthermore, the very act of sending and receiving encrypted e-mail possibly attracts unwelcome scrutiny, both in China and around the world,

Beyond e-mail encryption, there are other options for those inside China desiring untrammeled access to the global Internet. They involve exploiting https - the encrypted hypertext transfer protocol designed for secure financial transactions - to establish contact with computers outside China that can be used as proxies.

Detailed online manuals provide instructions to Tibetan dissidents, Falungong adherents, and anybody else hoping to evade the prying eyes of the Chinese security forces and safely surf the web, communicate or blog internationally.

The most widely-used facilities are Dynaweb, Garden and Ultra Surf. These services coordinate their offerings through the Global Internet Freedom Consortium (GIFC), a group that receives some US government funding and is apparently run by friends of Falungong, the outlawed and extremely tech-savvy Chinese religious group-cum-political movement.

The three services gleefully run a never-ending Spy vs Spy war with the Chinese cybercops, continually flooding the zone with new Internet Protocol (IP) addresses - a computer's identification number on a network - that their users (and the Chinese security organizations that inevitably participate in the service) link to with a "tunnel discovery agent" in order to connect to proxy servers - a computer system or application program that acts as a go-between - before the Chinese government shuts them down.

They count VOA and RFA as their clients and proudly state that the service has never been interrupted.

But, in the case of gh0st RAT, maybe score this round to China. In its own analysis of the computer security travails of the Tibetan emigre community, "Snooping Dragon", the University of Cambridge reported [3] that the China hackers availed themselves of Dynaweb's facilities:
However, after a while, we saw a number of accesses through Dynaweb - a set of anonymization proxy servers associated with the Falungong religious movement, which is also detested by the government of China. We are at a loss how to explain this. Perhaps the Chinese detected the start of our clean-up operation and decided to hint that they had compromised Dynaweb - whether to deter people from using it, or to deter the US government from funding it? We just have no idea.
As a public service that aggressively markets its product in a strategy to overwhelm China's security apparatus, the GIFC's partners are vulnerable in turn to the most diabolical weapon in China's arsenal - porn.

Porn is the bugbear of censorship circumvention service providers.
Ironically, it has pushed the service providers themselves to assume the role of censors. In a white paper [4] entitled Defeat Internet Censorship, The GIFC interrupted its triumphalist recitation of its omnipotent software capabilities to note:
With limited resource and bandwidth, an anti-censorship system with unrestricted access will soon be consumed by pornography, gambling and drug-related information and become useless to users in the most-needed regions. Therefore, it is critical and beneficial for an anti-censorship system to have some built-in mechanisms to control content access. At least, it should have the ability to block some high-profile pornography portals in order to save the bandwidth for better uses. It should also provide tools for law enforcing authorities in the free world to monitor the information flow when needed to avoid the encryption channels being exploited for terrorist communications.
In a demonstration that irony is, if not dead, on hiatus at GIFC, the writers of the white paper also proposed that, once China's surfers emerge from the Great Firewall rabbit hole, they be directed toward more wholesome browsing courtesy of GIFC in its role as portal manager and content provider:
To better protect and serve users who have overcome the blocking and reached the other side of [the] GFW, it is highly beneficial to provide them with an uncensored, trustworthy portal site in their own native languages, which provides services such as search engines, directories, bulletin boards, e-mails and chat rooms. These services are better protected when they are tightly integrated with the anti-censorship tools they use. More importantly, such a portal site can shield users from those overseas websites set up by the Chinese regime or communist regime-backed entities. Their websites serve as a trap to collect users' information as well as serve their exported propaganda machinery.
But legitimate porn-surfing by frustrated citizens, dedicated freedom activists and fanatical cultists to whom GIFC caters is probably just the tip of the iceberg.

Beneath the high-minded concern for the morals, safety and education of Chinese web surfers is perhaps the concern that the service could not survive a concerted attack by malicious Chinese government users logging on simultaneously to download a lifetime's supply of porn and bootlegged Jackie Chan movies - and the GIFC might need a Great Firewall of its own to protect itself.

An alternative to a high-profile, high-intensity professional circumvention service under continual attack by the Chinese government is an "anonymizer" program called TOR (The Onion Router).

TOR performs a multiple-layer encryption of requests for web pages and relies on a network of computers supplied by volunteers to strip the address layers (like an onion) until the last server - the TOR exit node - connects to the destination using its own IP address. Each computer only knows the previous link; if the message is intercepted, it cannot be traced back to the originator.

Traffic analysis can reportedly compromise the anonymity of the TOR network, but its true vulnerability is highlighted by a post from the UK entitled "Why You Need Balls of Steel to Operate a TOR Exit Node" [5]:
[After providing service as a TOR exit node for about one year] I was visited by the police in November 2008 because my IP address had turned up in the server logs of a site offering, or perhaps trading in (I was not told the details of the offence) indecent images of children … It was what is known as a "dawn raid" and, amazingly enough, my children were still asleep when it occurred. Thank God … I was overwhelmed by horror to be implicated in such a thing. I was desperately worried about my family. One of the officers had told my wife that Social Services would be informed as a matter of course and there was a possibility that my children would be taken into care …
After an agonizing four-month investigation, the police dropped the case. But the writer concludes: "I think, in retrospect, I was desperately naive to run a TOR exit server on a home computer."

So, it doesn't take much to degrade the TOR system. Just a collection of malicious hackers going on the system masquerading as legitimate users, hogging bandwidth, downloading child porn, or visiting sites flagged by the police as terrorist/criminal-related. If a genuine cyberwar erupts, one would expect that the TOR network will grind to a halt in a matter of minutes.

The latest iteration in the struggle between the Chinese government and dissidents over Internet communication is brought to us by none other than Citizen Lab.

In 2007, Citizen Lab developed and spun off a "censorship circumvention software" it called Psiphon, which establishes an encrypted link from inside a country that limits Internet browsing to a computer in another country that allows free browsing.

Citizen Lab's Ron Deibert undoubtedly did not endear himself to the Chinese government by publicizing the Psiphon service in the aftermath of the unrest in Tibet last year as a way for activists inside China to get the word out to the West. Psiphon also advertised its commercial service to foreigners as a safeguard against Chinese cybersnooping during the 2008 Beijing Summer Olympic Games; apparently the BBC and the US State Department signed up for the service as a way to secure their communications from Beijing.

Psiphon uses the "small is beautiful" strategy, but avoids the problems of TOR by eschewing the "anonymizer" route. Instead, the network's integrity is protected because the owners of the computers in the free-browsing countries - called "psiphonodes" in the company jargon - only invite users of the service, "psiphonsites", that they personally know and trust.

The owners provide a distinct URL or web address (generated by Psiphon) pointing to their computer, and a unique password for each user, that enables the user to connect to the page using the https protocol; once logged in the owner's computer, the user can surf to his or her heart's content.

Well over 150,000 owners have signed up to become Psiphonodes. It is unclear how many users link to these nodes.

User traffic can be monitored by the psiphonodes and apparently some of the operators have been knocked out of their Birkenstocks by the insatiable demand for porn of some of their trusted users - and the legal risk that serving as the connecting node to the offending site exposes them.

Psiphon, as a diffuse set of mini-networks each closely controlled by its own node, is proof against a massive, malicious use attack that threatens the GIFC and TOR services.

Its vulnerability seems to exist not in the world of cyberspace, but in the realm of the system's human users and operators.

A Psiphon system can apparently be compromised if the node or site computer is penetrated through operator carelessness in response to something called "social engineering": the deployment of phishing e-mail that exploits the human target's natural curiosity and desire to engage and communicate, and enables the installation of malware - like the gh0st RAT program that bedeviled the Tibetan government in exile.

For the record, Citizen Lab denied that its investigation of gh0st RAT was related to any vulnerabilities in Psiphon and did not confirm that any of the targeted computers were running as Psiphon nodes serving inside China.

Indeed, the penetration of computers in Dharmsala - one monk reported watching Outlook Express open by itself and send an e-mail off with a document attached - was a pressing issue in itself, and enough to justify the extensive investigation.

However, what happened to the Tibetan computers brings to mind weaknesses that might be exploited at Psiphon node or site on a PC platform: non-professional operators with an uncertain grasp of security working on vulnerable machines, unwittingly downloading malware that enables remote observers to read files, keylog passwords and extract keys.

On a psiphonsite, malware could extract details of the log-in and disable and/or imperil its psiphonode by logging in for a malicious, bandwidth-hogging session. If a psiphonode is identified and penetrated, apparently details of the psiphonsite(s) it is serving - and the pages they have visited - can be extracted.

Balancing Psiphon's reliance on a "network of trust" versus the willingness of the Chinese government (or their bespoke hackers) to pour resources in the cyber struggle with the Tibetan emigre movement, this skirmish in cyberspace might turn out to be a draw.

Interestingly, Citizen Lab seems to be interested in dialing down the rhetoric in the wake of its cybersecurity coup against "GhostNet".

Despite a preponderance of circumstantial evidence - such as the nature of the targets and the existence of three out of four of the gh0st RAT control servers inside China - its report went out of its way to caveat assumptions of Chinese government involvement in the attack and stress that Citizen Lab researchers had not broken any laws in the investigation.

Certainly, Citizen Lab did not wish to find itself - or the Canadian government - characterized as a provider of counter-intelligence services to the Tibetan government in exile in its battle with incessant Chinese cyber-intrusions.

Citizen Lab's restraint may have also reflected Professor Deibert's publicized dismay at the West's growing interest in militarizing the Internet - illustrated by a bipartisan proposal that the Barack Obama administration appoint a "Cybersecurity National Adviser" with the power to disconnect the government and "critical" civilian networks from the Internet in case of national emergency - largely in response to China's perceived intentions and capabilities in cyberwarfare.

On a more strategic level, Deibert's caution may also reflect an awareness that the censorship-circumvention infrastructure may be adequate for low-level skirmishing with malicious Chinese hacker-patriots and the drudges running day-to-day Internet interdiction for China, but perhaps would not be able to withstand a concerted assault by China's cyberwarfare specialists - or cope with an Internet fragmented into Chinese and Western cybersecurity fortresses.

The Internet seems destined to frustrate both hopes of China for national security, and those of dissidents for an irresistible truth weapon.

One of the most famous observations concerning the Internet is by John Gilmore, founder of the Electronic Freedom Foundation: "The Internet treats censorship as a defect and routes around it."

Perhaps the Internet has the same response to censorship's doppelgangers - secrecy, encryption and the user's desire for privacy: it rejects them and finds a way around.

Those bits and bytes just want to be free. And we have to find a way to live with that.

Notes
1. See Tracking GhostNet: Investigating a Cyber Espionage Network
2. See Hushmail warns users over law enforcement backdoor.
3. For the report, click here.
4. See Defeat Internet Censorship: Overview of Advanced Technologies and Products
5. See Why you need balls of steel to operate a Tor exit node

Peter Lee writes on East and South Asian affairs and their intersection with US foreign policy.

(Copyright 2009 Asia Times Online (Holdings) Ltd. All rights reserved.)

No comments:

Post a Comment