Platt Perspective on Business and Technology

The China Conundrum and its implications for international cyber-security – 14

Posted in business and convergent technologies by Timothy Platt on September 29, 2011

This is my fourteenth posting to date in an ongoing series on cyber-security and issues related to it, with China taken as a central, organizing point of discussion (see Ubiquitous Computing and Communications – everywhere all the time, posting 69 and scattered following). It is also a direct continuation of my most recent prior posting to this series, Part 13.

In Part 13 I briefly discussed a seemingly long-term cyber-security challenge that has been identified as coming from China; McAfee, the security company that reported it, named it Operation Shady RAT (RAT being an acronym for Remote Access Tool). When I wrote that posting I noted in passing that the legitimacy of this event as a single, organized cyber-attack has been questioned, but I still proceeded to discuss it as if it were one.

The day after I posted that note live to this blog, I participated in a cyber-security/infrastructure security meeting in which it was generally stated and assumed that McAfee was in error in identifying the five years of accumulated activity they reported on as a single long-term operation. Some reported events are very real and have direct and immediate implications for ongoing and future cyber-security. Others are false alarms, and in some cases even intentional red herrings or hoaxes. For a working example of the latter, I would suggest Iran's reporting of a supposed cyber-attack on their infrastructure that they termed Stars (see First Stuxnet and then Stars – a continuing cyber-security story). But I only label a proposed cyber-challenge a false alarm with reservations, and my goal in this posting is to share some of my thinking as to when prudence, caution and effective due diligence call for taking presumed cyber-threats as genuine, and when to more actively doubt them.

McAfee might have been right in identifying Operation Shady RAT as a single organized threat, or they may have been overly cautious and in error. Either way, this is a type of incident that needs to be taken seriously, even if this time it was a false alarm: Operation Shady RAT should still be used as a learning opportunity, as if it were palpably real.

• Specific computer systems were identified as targeted, and specific approaches were found that would compromise specific, known vulnerabilities.
• If a seeming zero-day attack had been found here, with the uncovering of a previously unknown but genuine vulnerability, that would have made it much more of an imperative to take this event seriously. But even very well-known exploits need to be taken seriously.
• The key here is specificity: the finding and identification of specific malware code that looks to have been deployed.

In deciding how to treat this event, I in fact discount the claim that this putative assault came from a particular source, here China. As I have discussed both in my Stuxnet and related series (see Ubiquitous Computing and Communications – everywhere all the time, posting 58 and scattered following) and in this more China-centric series, one of the hallmarks of cyber-threat and cyber-conflict is that the sources of any given attack or challenge can be masked, and the actual target of an assault may in fact be the seeming source, branded as having made the attack.

As a logical extension of my reasoning so far, it would appear that I assume any and every putative cyber-event to be real and to represent a real potential source of future risk. That is in fact my default assumption unless and until I have specific reason to think otherwise. So why, and under what circumstances, would I presume otherwise and label an announced cyber-event as questionable, or even as a hoax? I turn back to Iran's Stars announcements as a working example, and to my earlier posting where I discussed that.

• As noted before, Iranian security officials were seemingly the only people on the planet with as much as a single line of code for the malware they spoke of, even though the presumed method of delivery should have left copies of it scattered far and wide, exactly as with Stuxnet and other more credible events.
• Iran had definite and very clear-cut political reasons for needing to claim they were being attacked from the outside, and by the people they immediately proclaimed to be the source.
• And the Iranian government has not exactly developed a reputation for credibility, whether in this case, where they speak of the threat and assault but keep all presumed evidence to themselves, or in the case of Stuxnet, which was clearly a real event.

Here, prudence would dictate the conclusion that Stars was probably a contrived hoax, and one that was perpetrated largely for internal-to-Iran, politically motivated reasons.

Was Operation Shady RAT real? I have decided to plan and act as if it was, with several distinct learning points coming from it, including but not limited to the following:

• It is possible to launch and sustain a very long-term series of organized cyber-incursions that will not become visible through overt interference with normal computer or network functioning, or through routine malware screening. At a minimum, deeper inspection should be carried out on a regular basis on a random sample of end-user computers, servers and other network components.
• Human users are still, and will remain, the most serious and least remediable risk element in any information system, and with time any system can and will become compromised through user practices. Ongoing training is vital, but even that cannot be relied on with absolute confidence.
• It is a real mistake to limit your thinking as to which systems might be at risk on the basis of any given model of potential attackers. In the real world, cyber-assault is not going to fit neatly within the confines of any particular corporate or industrial espionage model, or any particular state-sponsored model with its assumptions as to the types of targets that would be addressed. Think in terms of novel targets, and of targets of opportunity swept up as would-be attackers set out to meet their own, perhaps idiosyncratic, needs. Think of any computer or system that carries potentially sensitive information as a potential target, and, with botnets and related threats in mind, of any computer or system that offers computational capacity that could be suborned as a target too. That means every computer and network system should be considered a target.
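The first learning point above recommends regular, deeper inspection of a random sample of systems. The following Python sketch is an added example written for this page (it is not from the original post, nor from McAfee's Shady RAT report) of how that can be made systematic: hosts are dealt into seeded, role-mixed inspection rounds so that the sample is random but every host is still covered once per cycle, and the "deeper" check on each sampled host is a comparison of file hashes against a known-good baseline, which catches persistence that signature-based screening would miss. The host names, file paths and file contents are constructed, and the hash-baseline check is one choice of deep inspection assumed here, not a method the post prescribes.

```python
"""Rotating random sampling of hosts for deeper inspection, with a
hash-baseline comparison as the 'deeper' check.

Example code added to illustrate the sampling recommendation above; it is
not from the original post or from McAfee's Shady RAT report. The host names,
file paths and file contents are constructed for the example."""
import hashlib
import random
from typing import Dict, List, Tuple

# Constructed inventory, grouped by role (hypothetical host names).
INVENTORY: Dict[str, List[str]] = {
    "endpoint": ["ws-001", "ws-002", "ws-003", "ws-004", "ws-005", "ws-006"],
    "server": ["srv-db-1", "srv-web-1", "srv-web-2", "srv-mail-1"],
    "network": ["fw-edge", "sw-core", "rtr-wan"],
}


def plan_rounds(inventory: Dict[str, List[str]], per_round: int,
                seed: int) -> List[List[Tuple[str, str]]]:
    """Deal every host into inspection rounds of at most `per_round` hosts.

    Each role's list is shuffled with a seeded RNG (so the schedule is
    reproducible and auditable), then hosts are drawn round-robin across
    roles so each round mixes endpoints, servers and network gear. Every
    host appears exactly once per cycle: random, but with guaranteed
    coverage, unlike sampling with replacement.
    """
    rng = random.Random(seed)
    queues = {role: rng.sample(hosts, len(hosts))
              for role, hosts in inventory.items()}
    order: List[Tuple[str, str]] = []
    while any(queues.values()):
        for role, queue in queues.items():
            if queue:
                order.append((role, queue.pop()))
    return [order[i:i + per_round] for i in range(0, len(order), per_round)]


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of each file's content, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_against_baseline(baseline: Dict[str, str],
                          current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report paths whose hash changed, appeared, or disappeared since the
    baseline was taken. A quiet, long-running intrusion that evades routine
    malware scanning still has to persist somewhere on disk, and that is
    what the sampled deep check looks for."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed known-good snapshot of one host, taken at baseline time.
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}
BASELINE = fingerprint(BASELINE_FILES)

# Constructed later snapshot: the cron file gained a second line and a new
# script appeared. Neither is a known malware signature, so routine
# screening would not flag them; the baseline diff does.
CURRENT_FILES: Dict[str, bytes] = dict(BASELINE_FILES)
CURRENT_FILES["/etc/cron.d/backup"] += b"*/5 * * * * root /usr/local/bin/svcmon\n"
CURRENT_FILES["/usr/local/bin/svcmon"] = b"#!/bin/sh\n# constructed placeholder for the example\n"


if __name__ == "__main__":
    for n, batch in enumerate(plan_rounds(INVENTORY, per_round=4, seed=2011), 1):
        print(f"round {n}: " + ", ".join(f"{role}:{host}" for role, host in batch))
    print(diff_against_baseline(BASELINE, fingerprint(CURRENT_FILES)))
```

Seeding the schedule is deliberate: a random but reproducible rotation can be audited afterwards, and a different seed each cycle keeps an attacker from predicting which hosts are inspected when. In practice the baseline would be stored off-host and signed, since a baseline an intruder can rewrite proves nothing.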

And when you choose to plan and act on the assumption that a presumed attack or threat is not real, it is because it is more important to understand and respond to the non-cyber context that the proclaimed event was said to spring from. Stars may meet that criterion, but Operation Shady RAT probably does not.

I will be posting again to this series, and am already thinking through a possible posting that focuses more specifically on China.

You can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time.
