Skating on Stilts

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

The Office of His Holiness the Dalai Lama is partly a religious, partly a diplomatic mission. The Dalai Lama travels widely and seeks audiences with foreign diplomats and officials to demonstrate support for his faith and for Tibetan independence. The Chinese government in turn vehemently opposes an independent Tibet and does all it can to discourage official meetings with the Dalai Lama.

The Dalai Lama’s travel schedule is thus a matter of high state interest, and the planning of his meetings has an element of cat and mouse about it. The Dalai Lama’s office finds that the best way to set up those meetings is first to send an email to the officials the Dalai Lama hopes to meet and then follow up quickly with a telephone call.

But around the early part of 2008, something odd began to happen. The Dalai Lama’s office would send an email to a diplomat as usual proposing a meeting. Then it would call to discuss the details, again as usual. But the diplomat’s office would be strangely cool. “We’ve already heard from the Chinese government,” the diplomat’s staff would say, “and they’ve strongly discouraged us from having this meeting.”

***

The Dalai Lama and his office had been using the Internet since the 1990s.   His network administrators know the risks, and they'd been careful about computer security for years. They’d implemented the standard defenses against network attacks. They didn’t know what had happened. But the evidence of a serious breach was simply too strong.

They called in a team of Western computer security experts. What the experts found was deeply troubling, and not just for the Dalai Lama.

Some of the Dalai Lama’s staff participates in Internet forums. They chat with other, like-minded individuals about the Dalai Lama’s goals and activities. Sometimes one of their online acquaintances sends them Word or .pdf documents relevant to those activities.

The experts concluded that hackers had monitored these forums and then forged an email from a forum participant to a member of the Dalai Lama’s staff attaching a document of mutual interest. When the staff member opened the document, he also activated a piece of malware packed with it. While the staff member was reading the document, the malware installed itself in the background.

The malware was cleverly designed; two-thirds of commercial antivirus software programs would have missed it. (Hackers often subscribe to antivirus software so they can test their malware against it at leisure.)  Even if one attachment was stopped, it would be a simple matter to retransmit the message using a different bit of malware; the attackers could keep trying until something got through.

Once installed, the malware would “phone home,” uploading information about the victim’s computer and files to a control server operated by the hackers. Next, the captured computer would download more malware to install on the staff member’s machine. This was often a complete administrative program that would allow the attackers to control the staffer’s computer, and in some cases the entire network.

The administrative malware took full advantage of the empowerment made possible by today’s technology. It featured a graphic interface with dropdown menus offering even an unsophisticated attacker a wide variety of options.

Want to record every keystroke as the user types so you can steal all his passwords?  Check one of the options on the menu.

Want to turn on the user’s microphone, turning it into a bug so you can listen to the office conversations?  Check another box.

Want video straight from the user's desktop camera?  That's just another option on the menu.

In the end, the Dalai Lama's office was living a version of Orwell's 1984.  Telescreens in each room spied on the occupants.  But in this version of 1984, Big Brother didn’t even have to pay for this spy equipment. It had been purchased and installed by the victims.

Once the hackers had compromised a single computer on the network, it wasn’t hard to compromise more. Every time an infected computer sent a document by email, malware could be attached to the file. The recipient couldn’t possibly be suspicious; the email and attachment were exactly what he expected to receive from his colleague. He opened the document. The malware installed itself in the background. The cycle began again.  It was an entire network of surveillance, dubbed Ghostnet by the security team.

Ghostnet has lessons for all of us.  You may be sure you wouldn’t fall for the Spanish lottery, and perhaps not even for a Facebook call for help, but it’s hard to find any comfort in this story.

Do you rely on standard commercial antivirus software to scan attachments?  Do you open documents sent by people you’ve met on line?  How about documents from prospective customers or clients?  Or old friends you recently connected with on line?  Do you open mail and documents sent to you by coworkers?  

Of course you do. So do I. And that means that most of us are no more able to defend ourselves from this attack than the Dalai Lama was.

If there were any doubt about the scope of such attacks, they were eliminated by what  the security team did next.

They took another look at the IP address of the hacker’s control server, and asked a simple question.

“Do you think hackers who need a graphic interface to steal secrets are really good at locking down their own computers?” I imagine the Canadian team sharing a mischievous smile as they asked.

Perhaps a veil should be drawn over exactly what they did next. Hacking is illegal in most jurisdictions, even if you're hacking someone who has just hacked you.  Using methods they decline to specify, the security team was able to verify that whoever attacked the Dalai Lama’s network was indeed much better at breaking into other people’s computers than at keeping intruders out of their own.

Finding themselves inside the hackers’ control servers, the security team naturally had a look around. They watched as reports came in from the Dalai Lama’s computers. But that’s not all. Reports were coming in from other computers as well. Hundreds of them.

The hackers who compromised the Dalai Lama’s network were collecting data from nearly 1300 other computers. Who else had been targeted by the attackers?  That wasn’t hard to find out. All the security team had to do was to ask who owned the IP addresses of the compromised computers.

What they found was a Who’s Who of Asian organizations that ought to be highly concerned about -- and pretty good at -- computer security. Indian embassies in the United States, Germany, and the United Kingdom. The foreign ministries of Iran, Indonesia, and the Philippines. The Prime Minister’s office in Laos. All were in thrall to the attackers’ servers. Computers in sensitive businesses, from the Asia Development Bank to Vietnam’s petroleum company, were also sending the attackers their data.

And, even though this set of attacks does not seem to have been aimed at the United States, Ghostnet was collecting reports from computers that belonged to Associated Press and the auditing firm of Deloitte & Touche.  Oh, and NATO too.

No one was safe.

The security team split on the question whether to assign responsibility for Ghostnet to China. Some said it must be the Chinese government. Others were willing to let the facts speak for themselves. The Chinese government denies everything.

But there’s not much comfort for us in the denials. The attacks happened, and they worked. If a government wasn’t responsible, then this kind of capability is already in the hands of organized crime. Indeed, with its script-spy graphic interface and unsecured control servers, the whole episode underlines a troubling fact. Thanks to exponential empowerment, today’s hackers don’t even have to be very good.  Empowered by democratizing technology, they can still beat our best defenses.

In fact, something similar to Ghostnet is already being used by organized crime.  Most businesses depend on bank clearinghouse accounts or electronic fund transfers to pay their bills.  They log on to bank sites using passwords; for larger amounts they may also be asked a set of “challenge questions” seeking information only the businesses know.  But corporate officials also open email attachments from business contacts, and once attackers have access to the officials' keystrokes, neither the password nor the challenge questions offer any security.  Hackers have stolen more than $100 million from US businesses using this technique, the FBI reported in October 2009.

I wasn’t in government in 1998 or 2003, when the Clinton and Bush administrations called for new computer security measures. I didn’t get the classified briefings that galvanized both presidents. Now I figure I don’t have to.

This is scary enough.