Tracking Cyberspies through the Web Wilderness

May 14, 2009

The New York Times
May 11, 2009


For old-fashioned detectives, the problem was
always acquiring information. For the
cybersleuth, hunting evidence in the data tangle
of the Internet, the problem is different.

"The holy grail is how can you distinguish
between information which is garbage and
information which is valuable?" said Rafal
Rohozinski, a University of Cambridge-trained
social scientist involved in computer security issues.

Beginning eight years ago he co-founded two
groups, Information Warfare Monitor and Citizen
Lab, which both have headquarters at the
University of Toronto, with Ronald Deibert, a
University of Toronto political scientist. The
groups pursue that grail and strive to put
investigative tools normally reserved for law
enforcement agencies and computer security
investigators at the service of groups that do not have such resources.

"We thought that civil society groups lacked an
intelligence capacity," Dr. Deibert said.

They have had some important successes. Last year
Nart Villeneuve, 34, an international relations
researcher who works for the two groups, found
that a Chinese version of Skype software was
being used for eavesdropping by one of China’s
major wireless carriers, probably on behalf of
Chinese government law enforcement agencies.

This year, he helped uncover a spy system that he and his fellow researchers dubbed Ghostnet, which appeared to be a Chinese-government-run spying operation targeting mostly South Asian government-owned computers around the world.

Both discoveries were the result of a new genre
of detective work, and they illustrate the
strengths and the limits of detective work in cyberspace.

The Ghostnet case began when Greg Walton, the
editor of Infowar Monitor and a member of the
research team, was invited to audit the Dalai
Lama’s office network in Dharamsala, India. Under
constant attack -- possibly from
Chinese-government-sponsored computer hackers --
the exiles had turned to the Canadian researchers
to help combat the digital spies that had been
planted in their communications system over several years.

Both at the Dalai Lama’s private office and at
the headquarters of the exiled Tibetan
government, Mr. Walton used a powerful software
program known as Wireshark to capture the
Internet traffic to and from the exile groups’ computers.

Wireshark is an open-source software program that
is freely available to computer security
investigators. It is distinguished by its ease of
use and by its ability to sort out and decode
hundreds of common Internet protocols that are
used for different types of data communications.
It is known as a sniffer, and such software
programs are essential for the sleuths who track
cybercriminals and spies on the Internet.

Wireshark makes it possible to watch an
unencrypted Internet chat session while it is
taking place, or in the case of Mr. Walton’s
research in India, to watch as Internet attackers
copied files from the Dalai Lama’s network.

In almost every case, when the Ghostnet system
administrators took over a remote computer they
would install a clandestine Chinese-designed
software program called GhOst RAT -- for Remote
Administration Terminal. GhOst RAT permits the
control of a distant computer via the Internet,
to the extent of being able to turn on audio and
video recording features and capture the
resulting files. The operators of the system --
whoever they were -- in addition to stealing
digital files and e-mail messages, could
transform office PCs into remote listening posts.

The spying was of immediate concern to the Tibetans, because the stolen documents related to negotiating positions that the Dalai Lama’s political representatives planned to take in the negotiations the group was engaged in.

After returning to Canada, Mr. Walton shared his
captured data with Mr. Villeneuve and the two
used a second tool to analyze the information.
They uploaded the data into a visualization
program that had been provided to the group by
Palantir Technologies, a software company that
has developed a program that allows investigators
to "fuse" large data sets to look for
correlations and connections that may otherwise go unnoticed.

The company was founded several years ago by a
group of technologists who had pioneered fraud
detection techniques at Paypal, the Silicon
Valley online payment company. Palantir has
developed a pattern recognition tool that is used
both by intelligence agencies and financial
services companies, and the Citizen Lab
researchers have modified it by adding
capabilities that are specific to Internet data.

Mr. Villeneuve was using this software to view
these data files in a basement at the University
of Toronto when he noticed a seemingly innocuous
but puzzling string of 22 characters reappearing
in different files. On a hunch, he entered the
string into Google’s search engine and was
instantly directed to similar files stored on a
vast computerized surveillance system located on
Hainan Island off the coast of China. The Tibetan
files were being copied to these computers.
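The cross-file pivot described above, as an added example that is not part of the original article: a small Python script that looks for tokens recurring across several constructed capture excerpts and shows why narrowing to the 22-character length matters (file contents, the X-Session header and the token values are all constructed for this illustration).

```python
import re
from collections import defaultdict

# Constructed excerpts standing in for text pulled from several captures.
# Two of them carry the same 22-character token; the third carries a
# different one. Header names, hosts and tokens are made up for this demo.
SAMPLE_FILES = {
    "capture_a.txt": (
        "POST /docs HTTP/1.1\nHost: 203.0.113.10\n"
        "User-Agent: Mozilla/4.0\nX-Session: k9q2m7x4p1v8c3n6z5b0r2\n\n<notes.doc>\n"
    ),
    "capture_b.txt": (
        "POST /docs HTTP/1.1\nHost: 203.0.113.10\n"
        "User-Agent: Mozilla/4.0\nX-Session: k9q2m7x4p1v8c3n6z5b0r2\n\n<budget.xls>\n"
    ),
    "capture_c.txt": (
        "GET /index.html HTTP/1.1\nHost: 198.51.100.7\n"
        "User-Agent: Mozilla/4.0\nX-Session: a1b2c3d4e5f6g7h8i9j0k1\n\n"
    ),
}

# Candidate tokens: runs of 8+ identifier-like characters. Short protocol
# words (GET, POST, HTTP, Host) fall out at this stage.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{8,}")


def tokens_in(text):
    """Distinct candidate tokens in one file's text."""
    return set(TOKEN_RE.findall(text))


def recurring_tokens(files, min_files=2, length=None):
    """Map each token seen in at least min_files distinct files to the
    sorted list of those files. If length is given, keep only tokens of
    exactly that length, which is the filter the analyst applied here."""
    seen = defaultdict(set)
    for name, text in files.items():
        for tok in tokens_in(text):
            if length is None or len(tok) == length:
                seen[tok].add(name)
    return {tok: sorted(names) for tok, names in seen.items()
            if len(names) >= min_files}


if __name__ == "__main__":
    # Without the length filter, routine header names recur too and add noise.
    print(recurring_tokens(SAMPLE_FILES))
    # With it, only the shared 22-character value and its files remain.
    print(recurring_tokens(SAMPLE_FILES, length=22))
```

Recurrence alone is noisy (header names recur in every file), so the length constraint, or a rarity check against benign traffic, is what turns a recurring string into a pivot worth searching for elsewhere.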

But the researchers were not able to determine
with certainty who controlled the system. The
system could have been created by so-called
patriotic hackers, independent computer activists
in China whose actions are closely aligned with,
but independent from, the Chinese government. Or
it could have been created and run by Internet spies in a third country.

Indeed, the discovery raised as many questions as it answered. Why was the powerful eavesdropping system not password-protected, a weakness that made it easy for Mr. Villeneuve to determine how the system worked? And why, among the more than 1,200 compromised government computers representing 103 countries, were there no United States government systems? These questions remain.

Cyberforensics presents immense technical
challenges that are complicated by the fact that
the Internet effortlessly spans both local and
national government boundaries. It is possible
for a criminal, for example, to conceal his or
her activities by connecting to a target computer
through a string of innocent computers, each
connected to the Internet on different
continents, making law enforcement investigations
time consuming or even impossible.

The most vexing issue facing both law enforcement
and other cyberspace investigators is this
question of "attribution." The famous New Yorker
magazine cartoon in which a dog sits at a
computer keyboard and points out to a companion,
"on the Internet, nobody knows you’re a dog," is no joke for cyberdetectives.

To deal with the challenge, the Toronto
researchers are pursuing what they describe as a
fusion methodology, in which they look at
Internet data in the context of real world events.

"We had a really good hunch that in order to
understand what was going on in cyberspace we
needed to collect two completely different sets
of data," Mr. Rohozinski said. "On one hand we
needed technical data generated from Internet log
files. The other component is trying to
understand what is going on in cyberspace by
interviewing people, and by understanding how institutions work."

Veteran cybersecurity investigators agree that
the best data detectives need to go beyond the
Internet. They may even need to wear out some shoe leather.

"We can’t become myopic about our tools," said Kent Anderson, a security investigator who is a member of the security management committee of the Information Systems Audit and Control Association. "I continually bump up against good technologists who know how to use tools, but who don’t understand how their tools fit into the bigger picture of the investigation."