1/21/2010
11:00 AM
Gadi Evron
Commentary

Google/China Reality Check Amid The Fog Of Cyberwar

We've all heard about the Chinese attacks against Google by now. We've heard of Google's moral standing, how corporations now impact international relations, and how censorship is bad and freedom is good. However, some important questions lost in the fog of war need to be asked.

Nobody knows for sure it was China that attacked Google and the other affected corporations, and if someone does, he or she is not saying so publicly. In fact, Google CEO Eric Schmidt told Newsweek that he has no clear evidence, but invites us to draw our own conclusions.

The evidence against China would be thrown out of any court of law, and just because we have grown comfortable in blaming China for attacks does not mean they are behind them.

The Chinese network is a hotbed of criminal activity used by criminals around the world to launch Internet attacks, which reduces the possibility of blaming any single attack coming from it as state-sponsored. However, it also raises the question of why such activity has been allowed to go on for so long.

Many networks around the world, including some inside the U.S., are just as abused by criminals. These have been shown to be used against nation-states in past attacks, such as with Estonia -- which I had the honor of writing the post-mortem analysis for -- and in Georgia last year.

Looking at the current incident, Google is a trustworthy and capable corporation. However, when making accusations one needs to provide proof. And "it feels like China" isn't good enough.

In the fog of war, with world news discussing the diplomatic implications for the U.S., Google's business and China's censorship, and applauding Google's moral stance, some important questions are left unanswered.

For some time now, cybercriminals have been winning the "war." Security professionals can write analyses of attacks, as well as mitigate specific attacks. But in nearly all instances we haven't been able to impact criminal operations. For some years, one of my beliefs has been that we should take the offensive in the fight against cybercrime.

For reasons ranging from the criminals' willingness to play a scorched-earth game to legal and ethical limitations, we must be careful to not start a war the Internet can't win. This means we can't use the criminals' weapons against them.

While reporting is vague, Google has supposedly broken into a server in Taiwan (unless information about working through Taiwanese authorities, or that someone else has done this for Google, becomes available). If this happened, then Google broke the law in order to defend itself from criminal activity. This should be legal, but it isn't. Google needs to disclose exactly what it has done. Ethics change, and morally I believe it is in the right. Our ethics just need to catch up.

Another question many of us should ask is about Microsoft and the Internet Explorer Web browser. It has been disclosed that a previously unknown software vulnerability (0day) in Internet Explorer was what attackers used. Exploit code enabling any criminal to make use of the vulnerability to attack has been made public, and in the past such events were followed by further exploitation. But Microsoft initially planned to patch this vulnerability in February.

Only when Germany and France issued warnings to users to not use Internet Explorer, and ZERT considered releasing a third-party patch, did Microsoft say it would release an early patch.

While creating software updates is very complicated, and Microsoft is usually a responsible organization, not patching this type of vulnerability for a whole month as the default response is irresponsible and unethical. We should all call on Microsoft to act responsibly, and write our representatives and the press about it.

Microsoft should be commended for issuing an early patch; after all, it was far from easy. However, until such time as Microsoft announces a new policy on patching software vulnerabilities, it's in my opinion unsafe to continue using Internet Explorer for surfing the Web, so switch to one of the many alternatives, such as Mozilla's Firefox browser.

This targeted attack, while impressive, is no new threat. Security risk assessment should already include corporate espionage. An example of a targeted attack is the GhostNet incident, exposed last year by Canadian researchers, demonstrating in detail how such attacks work. As another, the public disclosure of German intelligence cyber-espionage operations showed that, indeed, everyone does it.

I call upon my fellow security professionals worldwide to refrain from creating fear when speaking of this incident. Computers are just the most recent weapon to be used for old motives -- espionage. Unlike cybercrime and cyberwar, it is well-recognized in law and in diplomacy, and it is not the security experts who should be called on for answers.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ...
