Daemon on Security Blog
Daemon.be is a security research group from Western Europe. We use this blog to refine our own thinking on information security issues.

Cyber attacks on Tibetan non-profits
March 25, 2008

by Maarten Van Horenbeeck


Part of the targeted attack research I've been doing has involved working together with many Tibetan non-profits, as well as human rights organizations that operate within China. With the recent unrest in Lhasa, the number of attacks we have been seeing has sharply increased.


Today, various media outlets are reporting on these findings:


Brian Krebs at the Washington Post: Cyber attacks target pro-Tibet groups
The BBC - Tibet: the cyber wars
SANS ISC - Overview of Cyber attacks against Tibetan communities
UPI - Analysis: Cyber attacks on Tibet groups


While most of these reports concentrate on the Tibetan groups, the findings for them are virtually identical to those from the work we've done on other targeted attacks. In some cases, as referenced in the UPI article, there is significant overlap in methodology, and even in control servers, between the attacks on the various groups.


While the source of the attacks cannot be identified from the technical data available, it is clear that these groups are the subject of either a coordinated attempt to spy on their digital communications, or a clever attempt to discourage them from trusting those communications. Given that many such groups work in a network-centric manner, both are equally serious problems.


Cheers,
Maarten



Inoculation as a means of thought process hardening
September 24, 2007

by Maarten Van Horenbeeck


I've always been a great proponent of information sharing. If you live in Belgium, one of the best organizations for meeting new and interesting security folks is ISSA. About once a month they organize events that really anyone can attend. These often have fun talks, but more interestingly, you get to match your ideas on the infosec world against those of your peers, which gives you some solid ground while you're up in the air trying to think of ways to better protect information assets.


And up in the air I was, last week. The speaker at the event was Uri Biber of Getronics, who gave an interesting talk about social engineering. I'd have to admit that, as with all social engineering presentations I've seen, I thought it was a bit light on content. That wasn't the presenter's fault though: there just isn't much standardization, nor a framework, to base your social engineering efforts on. That could be improved, but more about this later.


What made the session interesting was a practical exercise at the end. Dividing the attendees into attackers and defenders, people were forced to think about how to protect their organization's assets at a critical point in time (just before a major deal and at the end of a really lousy quarter). It was an interesting exercise, as we're generally not forced to think this tactically about information control. While we can manage the flow of information across our network, people are generally out of scope. We include them in policies and do some awareness training, but that's where our efforts usually end.


There have to be more advanced ways to harden our organization, though. One of the ideas I had was to apply inoculation theory to ensure members of your organization help keep certain corporate messaging intact. This technique was invented by McGuire and Papageorgis shortly after the Korean war, to ensure that US soldiers not only believed democracy was the best way forward, but actually strongly pronounced that belief.


Briefly, inoculation theory holds that attacks on existing beliefs make those beliefs stronger. Strong beliefs engender attitudes that propagate those beliefs. The technique always consists of four major steps:


  • Communicate your belief as a message to the target audience;
  • Warn the audience that others will try to convince them otherwise;
  • Create a weak attack on your message that causes your audience to defend it.

Instead of merely passively accepting your message, your audience will be forced to think about it as a system, weigh its advantages and disadvantages, and overcome an attack on their belief. As the attack is weak, the vast majority of recipients will not be convinced that their belief is wrong. On the contrary, they will gather and process more information to prove to themselves that they were in fact right. Afterwards, the belief is protected against future, stronger attacks, as the recipients have been taught to defend their beliefs.


Several research studies have confirmed these findings, from different points of view. Not only has it been confirmed by direct research, but also by studies with a slightly different focus: it has been shown that distributing a message together with weak arguments against it, and strong arguments in favor, defends an audience's belief system better than distributing only strong arguments supporting it.



36 Stratagems
September 3, 2007

by Maarten Van Horenbeeck


Information Operations is defined by the US Department of Defense as 'The integrated employment of the core capabilities of electronic warfare [EW], computer network operations [CNO], psychological operations [PSYOP], military deception, and operations security [OPSEC], with specified supporting and related capabilities to influence, disrupt, corrupt, or usurp adversarial human and automated decision making while protecting our own'.


This definition has a very military connotation, but it can easily be broken down into its components in order to clarify it. Information Operations can be considered the employment of electronic, psychological and operations security measures to gain a competitive advantage over an adversary.


One interesting question to ask is whether China or Russia have a view of this concept similar to that of the US military. The US Department of Defense is one of the few organizations to have publicly studied the Chinese interpretation of Information Operations. Timothy L. Thomas, from the Foreign Military Studies Office at Fort Leavenworth, is one of the subject matter experts. He has published a number of books that review the Chinese state of the art in information warfare.


One of these books, Dragon Bytes, deals with the change the Information Warfare concept (another term quite commonly used for the offensive aspects of Information Operations) has undergone since its inception in China. He discusses how, since the first Gulf war, Chinese strategists have been working on integrating the concept of information war into Chinese military strategy. This started with a thorough study and discussion of the US methodology and framework, followed in 1997-1998 by a specifically Chinese approach to the field.


Thomas quotes the well-known Chinese IW strategist Dr Shen Weiguang, who since 1996 has described information warfare as being linked to control. Controlling the flows of information between all parties involved is therefore of prime importance in gaining dominance. It may not be necessary to have direct decision power over a country or province if one can manipulate the information it receives, and thereby have it make the decisions one wants it to make, through deception or selective distribution of information.


In addition, his book attempts to highlight some of the differences in strategic thinking. One chapter explains the way stratagems influence strategic decision-making. Stratagems are small, practical tools of deception that can be used in an information warfare context. There are 36 stratagems in total, often referred to in the popular press as the 36 strategies. Reviewing these alongside US documentation on deception shows a major difference in how the two countries formalize their deception techniques: the US has significant guidelines and procedures on how to implement deception (these are quite similar to project management checklists) with less focus on the actual strategies, while China focuses on integrating ancient strategic thinking and makes less public information available on the procedures surrounding it. This corroborates the description of China as a high-context culture given by many authors.


In his chapter on stratagems, Thomas makes an interesting inference. He links a claim by Dr Shen that “people have come up with 36 ways to disrupt the Internet and 36 ways to defend against such disruption” to the actual stratagems, and poses the question of whether China may have translated these into the information age.

It does not take much theorizing to see what a concrete implementation of the stratagems would look like. The first of the 36 stratagems states that sometimes one should “fool the emperor to cross the sea”. This entails performing ordinary activities (read: make a Powerpoint) and blending in with normal events (read: send it by e-mail) in order to lower the enemy’s guard (read: have them click).

