Tag Archives: cyberspace

Kaspersky and Symantec Kicked Out of China – For a Reason

The great cyber triangle of US-Russia-China seems to be shaping up in a definitive way. For a while China was technologically and skill-wise behind the US and Russia, the two early leaders in cyberspace, but it’s catching up, and fast.

It was announced last week that Kaspersky Lab and Symantec have been taken off the list of approved vendors in China’s government cybersecurity software market.  Reuters recently reported one example: http://www.reuters.com/article/2014/08/03/us-china-software-ban-idUSKBN0G30QH20140803

Traditionally very polite, the Chinese did not cyberwhine, did not make any fuss, did not lay any blame, but simply took the pair off the list. Some Western and Russian analysts were very quick to assume and announce  that this was a trade protectionist move to favor China’s national cybersecurity companies. That’s definitely wrong. If that were true, China would bar foreign companies from the country altogether – their private market is huge and very profitable. But they didn’t; they specifically only addressed their government cyberspace security. Apparently Chinese cyber experts found some extracurricular activities in products from both companies, which is not terribly surprising. Furthermore, they probably realized that detecting all the malware in modern software is practically impossible, and correctly decided to keep the foreign security well-wishers away, at least from their government.

The Chinese perception of individual privacy is different from the Western, and they don’t seem to be very concerned about the privacy of the regular common users, at least currently. However, they will probably watch Kaspersky’s and Symantec’s products sold to the Chinese private sector very carefully from now on. If they detect any sizeable collection of data from customers’ computers they will probably bar Kaspersky, Symantec, or both from doing business in China altogether.

The great cyber triangle is definitely becoming more and more equilateral. Interestingly, for the first time that I can recall, China is taking the lead in a trend that is logical and most likely to continue.

Why do Russia and China not cyberwhine?

Usually in my posts I try to provide answers. This time I can only manage a question, but it’s an interesting one.

We constantly hear complaints, if not outright whines, about the US being attacked in cyberspace, either by China or Russia. We’ve gotten used to these attacks, and our response is becoming more and more like “what else is news?”

But there’s an interesting angle here: in the more-or-less symmetrical US-Russia-China great cyber triangle we rarely if ever hear about Chinese or Russians being hacked. Is it that they are not being attacked? Not at all. For example, recently Russia detected a five-fold increase in powerful DDoS attacks over the last year, the longest one lasting ninety days. That one was by any standard a major cyber security event. Was it a big media deal in Russia? Not really– it was barely mentioned.

Initially I thought this difference was mainly a cultural thing. In Russia boys grow up in a culture where if you’re beaten up, you don’t cry “Mommy, he hit me!”, and for sure you don’t complain to teachers or the police. Just heal your bruises and learn to defend yourself. I believe that in China the culture in this respect is somewhat similar. The reaction to cyber attacks on the US is just the opposite. Instead of developing a really effective technology of cyber defense and immediate counterattack, we whine loudly time after time and waste our credibility with vague threats, when everyone knows there will be no real response.

However, cultural difference is probably not the reason for Russia’s and China’s  mute response. As an example of the opposite response, we can recall frequent border disputes between Russia and China in 1960s (over the areas where nobody was present for many miles except a few occasional border guards). During those clashes there were extensive media coverage on both sides, with many diplomatic notes saying something like “This is the 104th serious warning.”

So, the question remains: compared to our constant whining, what is the reason for the very muted Russian and Chinese responses to cyber attacks?

Real Target of eBay Hack

Inasmuch as the recently announced hacking of eBay sounded like déjà vu, some aspects of it do warrant further inquiry. The company’s standard “we are dedicated to the security of our customers and are transparent” approach is plausible, but its customers may in fact be in less danger than is automatically assumed.

A common retail hacking usually ends up with a large number of customers’ accounts charged small amounts that go unnoticed for some time, allowing the hacker to accumulate significant amounts and, hopefully, cover their tracks. The relative stealthiness of this approach usually works well with credit card charges that don’t attract the attention of the customers. With this approach the major distinction between hacking of a bank, VISA, or MasterCard and eBay is that eBay customers are usually very involved in every transaction, and are likely to detect any discrepancy faster than during a  casual use of a credit card. This makes eBay a less attractive target for a hacker – the probability of quick detection is a lot higher and the yield per transaction is still small.

Hackers clearly understand that, which raises the question of why they chose to hack eBay. Something other than the retail accounts must have attracted them to eBay, and eBay’s announcement that they had no indication of a significant spike in fraudulent activity on their site corroborates that. The answer probably lies with the huge overall amounts of money passing through eBay every day. I suspect that the hackers went after large corporate transactions with banks and vendors. There are very effective methods of hiding electronic theft from companies that are well beyond the scope of this post. Such methods can deal with large amounts and are assured a very low probability of detection for a significant time, enabling the thieves to cover their tracks. The key here is that with the high level of automation and the large number of transactions via eBay’s corporate network, hackers can reasonably hope for significant time before the transactions are scrutinized manually. The fact that “cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” and that the hack occurred “between late February and early March” and was detected only in early May supports this scenario. Furthermore, the accuracy of the attack detection and the time range cited suggest that eBay has only a vague idea of what actually happened and when.

All this tells us that eBay customers’ accounts are in less danger than may appear. Moreover, if someone gets your address, birthday, and telephone number, you cannot – you can’t take back and secure that information by changing your password — which does not offer much protection in the first place. However, eBay should take a very close look at its corporate finances from February through May of this year – they may be missing a few million.

What happened?

All mainstream media have been flooded with never ending announcements of cyber security breaches for quite some time. All of a sudden, in the last couple of weeks, there are none. Total silence. What happened? Have cyber attacks stopped or have they become so stealthy that no one can detect them? Probably neither.

This sudden silence make me wonder about controllability of the media by political powers. Let us put it on our watch list. This could be a litmus test for mainstream media independence.

Meanwhile, since there is no cybersecurity new to discuss, I’d like to touch upon a very interesting subject of laws and rules of cyberspace.

There are two general categories of law: spatial and societal. Spatial laws are native to the space; objects in a space can discover them, but cannot change them. Newtonian laws of motion are an example of spatial laws in our physical space.

No entity has jurisdiction over entire cyberspace, i.e., there is no overall authority in cyberspace. Furthermore, no entity has jurisdiction even over a subspace such as the Internet or the international postal system. Thus, societal or relative laws cannot effectively exist in cyberspace. This means that any attempt to make a relative law for cyberspace is futile. For instance, suppose country A enacts a law that makes it illegal to communicate with any cyber object in country B. This is hardly an enforceable law. For instance, an object in country B can have a related object in a neutral country C. This way, this object in country B can communicate with objects in country A through its related object, with a low probability of detection in cyberspace. Thus this law can be enforced in country A with some chance of success through its government’s means in physical space, but not in cyberspace. This means that any attempt to create societal laws relative to objects in cyberspace is essentially futile.

 

Running out of Time

Victors Sheymov’s Blog on Cyber Security and Intelligence

As a country, we are slowly coming to the realization that we are vulnerable. We are almost subconsciously accustomed to knowing that we are vulnerable to a nuclear attack by a very powerful potential adversary; luckily, there are only two of them on this planet. We are getting used to the realization that we are vulnerable to a possible collapse of the globalized monetary system. But we have yet to realize that we are vulnerable to a cyber attack that could be more damaging than anything except a massive nuclear strike. The most startling fact is that such an attack could be delivered by an individual or a small group with a few thousand dollars and access to nothing more than the Internet. This aspect is politely called “asymmetric warfare,” but in fact it represents the failure of our security technology.

The estimated annual cost of global cyber crimes is $960 billion, but that is just a small part of the threat. Damage to critical infrastructure and major industrial assets can easily surpass that, not to mention the potential of massive loss of life. We are beginning to realize that a cyber attack can literally incapacitate our critical infrastructure. Cyber attacks can explode oil refineries and chemical factories, clog up our streets and make emergency services powerless if they themselves are still available, and leave our houses without heating and air conditioning—or even blown up by the manipulation of gas distribution systems. If this list is not impressive enough, it can be very easily extended. And the reality is that at this time we are not doing much to defend against such attacks.