Cyberespionage: Gumshoes Need Not Apply
Posted on September 7, 2007
Filed Under Apparatchiks, Cyberespionage, Security
The Associated Press adds an interesting twist regarding the Chinese government’s response to the kerfuffle over the cyberespionage allegations:
China on Thursday denied targeting foreign government and military computer networks and said it has not been asked by any nation to investigate alleged hacking…
…Although the issue was raised during a meeting between German Chancellor Angela Merkel and Chinese Premier Wen Jiabao last month, Jiang indicated Merkel hadn’t demanded an investigation. “According to my knowledge, China’s police have not received any requests from relevant countries for a joint investigation,” Jiang said.
Whoever may be responsible for the attacks, it is no surprise that the target governments wouldn’t ask the Chinese government for help with an investigation. Aside from rehashing their own incompetence, an investigation would only serve to provide a roadmap for further attacks.
A cyberespionage investigation would require:
1) An analysis of the compromised target to understand exactly how it was subverted
2) Based on those findings, an evaluation of the tools and/or techniques that were (or could have been) used to subvert the target
3) Tracing the route of the compromised data back through the intermediate systems to the attacker
Step one begins with a forensic analysis of the compromised system. Computer Forensics World provides a reasonable definition of computer forensics and what it entails in a FAQ on its home page:
1. What is Computer Forensics?
There are a number of slightly varying definitions around. However, generally, computer forensics is considered to be the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.
5. How is a computer forensic investigation approached?
It’s a detailed science. However, very broadly, the main phases are sometimes considered to be: secure the subject system (from tampering during the operation); take a copy of the hard drive (if applicable); identify and recover all files (including those deleted); access/copy hidden, protected and temporary files; study ‘special’ areas on the drive (eg: residue from previously deleted files); investigate data/settings from installed applications/programs; assess the system as a whole, including its structure; consider general factors relating to the user’s activity; create a detailed report. Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.
Based on the above, step one alone would give the investigators a pretty comprehensive understanding of how the target’s systems are configured and defended, not to mention an excellent opportunity to review whatever data was on the system. That is not the kind of thing anyone would want to share after going to the trouble of protecting it.
Step two, the analysis of the tools and techniques used in the attack, is also an unlikely area for cooperation. Building on what step one revealed about the overall security environment, step two shows exactly how those defenses were overcome. Knowing that target users were unable to stop themselves from clicking on links to purported pictures of Britney Spears naked would be pretty handy for a cyberspy.
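To make the step-one workflow from the FAQ concrete (secure the system, copy the drive, recover deleted files, keep an audit log), here is an added example that is not code from the original post or from Computer Forensics World. It images a constructed in-memory “drive” while hashing it, verifies the copy, then carves file fragments out of the raw image by header/footer signature, which is how deleted files whose bytes are still on disk are recovered without filesystem metadata. The sample device contents, the offsets, and the small SIGNATURES table are all constructed for the demonstration; a real acquisition would read a block device behind a hardware write blocker.

```python
"""Forensic acquisition and file carving on a constructed sample 'drive'.

Added example, not code from the original post or from Computer Forensics
World.  The device, file contents, offsets and SIGNATURES table below are
constructed for the demonstration; a real acquisition would read a block
device behind a hardware write blocker.
"""
import hashlib
import io
from datetime import datetime, timezone

# Header/footer byte signatures used to carve files out of raw image data,
# independent of any filesystem metadata (so unlinked/deleted files still show up).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


class AuditLog:
    """Timestamped record of every action taken on the evidence."""

    def __init__(self):
        self.entries = []

    def record(self, action, detail=""):
        self.entries.append((datetime.now(timezone.utc).isoformat(), action, detail))


def acquire_image(device, dst, log, chunk_size=4096):
    """Copy the raw device stream into dst chunk by chunk, hashing as we go."""
    digest = hashlib.sha256()
    total = 0
    while True:
        chunk = device.read(chunk_size)
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        total += len(chunk)
    hexdigest = digest.hexdigest()
    log.record("acquire", f"{total} bytes, sha256={hexdigest}")
    return hexdigest, total


def verify_image(image_bytes, expected_sha256, log):
    """Re-hash the copy so later work can be shown to be on an unaltered image."""
    ok = hashlib.sha256(image_bytes).hexdigest() == expected_sha256
    log.record("verify", "match" if ok else "MISMATCH")
    return ok


def carve(image_bytes, log):
    """Return (kind, offset, data) for every header..footer span in the image."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image_bytes.find(header, pos)
            if start == -1:
                break
            end = image_bytes.find(footer, start + len(header))
            if end == -1:
                break  # header without a footer: truncated fragment, not carved here
            end += len(footer)
            found.append((kind, start, image_bytes[start:end]))
            pos = end
    found.sort(key=lambda f: f[1])
    log.record("carve", f"{len(found)} fragments")
    return found


def build_sample_device():
    """Constructed 'disk': a live text file, zero fill, a deleted JPEG whose
    bytes are still present, more fill, and a PNG fragment in unallocated space."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample-body" + b"IEND\xae\x42\x60\x82"
    return b"hello world\n" + b"\x00" * 50 + jpeg + b"\x00" * 30 + png + b"\x00" * 20


def investigate():
    """Run the step-one workflow end to end on the sample device."""
    log = AuditLog()
    device = io.BytesIO(build_sample_device())
    image = io.BytesIO()
    sha256, size = acquire_image(device, image, log)
    image_bytes = image.getvalue()
    verified = verify_image(image_bytes, sha256, log)
    fragments = carve(image_bytes, log)
    return {
        "sha256": sha256,
        "size": size,
        "verified": verified,
        "carved": [(kind, offset, len(data)) for kind, offset, data in fragments],
        "audit": log.entries,
    }


if __name__ == "__main__":
    result = investigate()
    print(result["sha256"], result["size"], result["verified"])
    for kind, offset, length in result["carved"]:
        print(f"carved {kind} at offset {offset}, {length} bytes")
    for ts, action, detail in result["audit"]:
        print(ts, action, detail)
```

The carver finds both the “deleted” JPEG and the orphaned PNG fragment purely from their bytes, which is the point the FAQ is making about deleted files and residue; the audit log ties each step to a timestamp and a hash so the chain of custody can be shown later. It is also exactly the kind of output (configuration, recovered files, hashes of everything) that the post argues a target government would never hand over to the suspected attacker.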
But surely cyberspies can cooperate in tracking down these hackers? It would be like a cold war movie: two world-weary cyberspies meeting at some digital Checkpoint Charlie, their animosity tempered by a grudging mutual respect as they work together to beat a common foe?
While this may make a good plot line for Rush Hour 4, I don’t think it will happen.
Given that an attack will have gone through multiple systems across cyberspace, it’s the target who has the information to begin tracing the attack. This would require a series of re-hacks of all the systems that were used, and possibly poring over network logs provided by ISPs (plus whatever other traffic is being tracked in some bunker somewhere). This isn’t the kind of stuff you want to be sharing with other cyberspies.
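As an added example of what the log-poring part of step three looks like in practice (not code from the original post), the script below walks an intrusion back through relay hosts by correlating connection logs: starting from the connection that hit the target, it looks in each upstream host’s logs for the most recent inbound connection shortly before that host reached out, and repeats until it runs out of logs. Every hostname, IP address, timestamp and log line is constructed, and the one-connection-per-line log format is an assumption; real firewall or NetFlow records would need their own parser.

```python
"""Tracing an intrusion back through relay hosts by correlating connection logs.

Added example, not from the original post.  Every hostname, IP address,
timestamp and log line below is constructed.  The log format (one
connection per line) is an assumption; real firewall or NetFlow records
would need their own parser.
"""
import re
from datetime import datetime, timedelta

# Constructed logs, keyed by the IP of the host whose logs they are.
# Only hosts whose owner or ISP handed over logs appear here.
RAW_LOGS = {
    "192.0.2.10": [  # the compromised target's own firewall
        "2007-09-06T10:02:11 src=198.51.100.7 dst=192.0.2.10 dport=443",
        "2007-09-06T10:02:30 src=203.0.113.44 dst=192.0.2.10 dport=80",
    ],
    "198.51.100.7": [  # relay 1, logs obtained from its ISP
        "2007-09-06T09:15:00 src=203.0.113.44 dst=198.51.100.7 dport=80",
        "2007-09-06T10:01:58 src=203.0.113.9 dst=198.51.100.7 dport=22",
        "garbage line the parser must survive",
    ],
    "203.0.113.9": [  # relay 2
        "2007-09-06T10:01:40 src=192.0.2.250 dst=203.0.113.9 dport=4444",
    ],
    # 192.0.2.250: nobody supplied logs, so the trail goes cold there.
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(lines):
    """Turn raw lines into (time, src, dst, dport) tuples, skipping malformed ones."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append(
                (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))
            )
    return records


LOGS = {host: parse_log(lines) for host, lines in RAW_LOGS.items()}


def latest_inbound(host, before, window):
    """Most recent connection into `host` within `window` before `before`, or None."""
    candidates = [
        r for r in LOGS.get(host, []) if r[2] == host and before - window <= r[0] <= before
    ]
    return max(candidates, key=lambda r: r[0]) if candidates else None


def trace_back(target_ip, intrusion_time, window_seconds=60):
    """Follow inbound connections hop by hop; stop when logs run out or nothing matches.

    Returns (chain_of_hosts, reason_the_trace_stopped)."""
    window = timedelta(seconds=window_seconds)
    chain = [target_ip]
    host, at = target_ip, datetime.fromisoformat(intrusion_time)
    while True:
        if host not in LOGS:
            return chain, f"trail cold: no logs for {host}"
        rec = latest_inbound(host, at, window)
        if rec is None:
            return chain, f"trail cold: no inbound connection to {host} in window"
        at, src = rec[0], rec[1]
        if src in chain:
            return chain, f"loop at {src}"
        chain.append(src)
        host = src


if __name__ == "__main__":
    chain, reason = trace_back("192.0.2.10", "2007-09-06T10:02:11")
    print(" <- ".join(chain))
    print(reason)
```

Two things the output makes obvious. The trace only gets as far as the last host whose logs you were given, and it stops at the first hop where nothing in the window matches; with a five-second window in the sample it never gets past the first relay. And the address it ends on is just the last relay you could see, which is the AP reporter’s point about compromised machines being used to disguise an attacker’s true location.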
We won’t find out the truth about these events. Maybe some Rockford in the future will find out what really happened. For now the story is just political fodder.
I would like to congratulate the anonymous AP reporter for picking up on some critical points:
Officials in the three alleged target countries have refused to go on the record citing China as the source of the hacking…
and
Computer security experts say China has one of the world’s largest amounts of malicious computer activity. The responsibility is unclear, however, because China is home to many insecure computers and networks that hackers in other countries could use to disguise their locations and launch attacks.
At least someone has done their research.
Summits and Spy Games Theory Update
The Guardian had an article yesterday about Britain’s Foreign Office being hacked. True to form for most of the coverage of this subject, it was all based on unidentified officials who offered no evidence other than their word.
With no Anglo-Chinese summit planned for the near future, this would seem to blow a hole in my summit and spy games theory. I blame Andrew MacKinlay, a Labour backbencher, for jumping on the bandwagon and not waiting for a senior-level summit between Britain and China.
Oh well, here’s his website. Too bad it’s GFW’d in China. ZING!