
Archive for December, 2007

This piece is a couple of months old now but still it strikes me as being very important:

Information as a Weapon of Mass Destruction

By pdp

Date: Oct 5, 2007



Information is the single most important thing that moves the global economy, influences political regimes, and constructs human behavior. It is a tool of our trade and a powerful ally, but is mainly a weapon of mass destruction. Information management and manipulation, social engineering, and traffic shaping are the black crafts of the digital age. Petko D. Petkov, a.k.a. pdp, discusses just a few of the many disciplines that largely involve information as a tool to spread false beliefs and fears (and influence the masses, too).


Information is the single most important thing that moves the world economy, influences political regimes, and constructs human behavior. Information is a sequence of bits and pieces that, when put together, defines meaningful thoughts.

Meaningful to whom? Strings, numbers, records—these are the things that our reasonable mind relies on. Our lives are based on facts, which can be manipulated for our own good or bad.

Being a security expert, I see more of the latter. Information has become the equivalent of gold in today’s electronic age. It is a tool of our trade and a powerful ally, but mainly a weapon of mass destruction. There are countless real-life examples in which information is used to cause harm and even more real-life cases of information terrorism, which has reached a size beyond our imagination.

Call it Black PR, industrial espionage, information warfare…all make use of the latest information-gathering techniques to stay ahead in the black information market. Information management and manipulation, social engineering, and traffic shaping are the black crafts of the digital age.

In this article I discuss just a few of the many disciplines that largely involve information as a tool to spread false beliefs and fears (and influence the masses, too).

The knowledge of these disciplines was acquired by performing information security audits for the government sector and big financial organizations during the last four years of my life and also by participating in various discussion forums on the topic of modern Black PR practices.

Black Public Relations (Black PR)

Those who control the information flow now govern the world. New technologies and web applications have changed the entire communication blueprint. The big corporations have realized that they might lose control over the masses by letting normal people produce and share their own content—a trend that is already happening with the growth of Web 2.0 social technologies.

Getting into a person’s mind and maintaining a good reputation is becoming more and more difficult than ever before. Companies are being forced to compete under different sets of rules and exposed practices that were unthinkable years ago.

There is much evidence that Black PR (the process of harming someone’s identity and repute) is leaving its eastern roots and is being chosen as a main communication tool by many western industries. According to Ivana Kalay (founder of SpinHunters, the first PR security company in the world), the tendencies show that many highly skilled black-hats (skilled information security hackers who pursue their interests illegally) will be hired by large enterprises to get into a rival’s internal network and steal sensitive information.

This information includes employee names, data with consumer complaints, and shareholders’ details. After profound professional analysis, this information will be used to create various communication plans to be used against the former owner.

Of course, none of the companies will make this type of confession, but the CEO of one of the most influential PR firms (Burson-Marsteller) and present chief strategist for the Hillary Clinton election campaign was recently accused of wire-tapping his ex-associates.

Black PR leads not only to the collapse of small/middle-sized business but also to the birth of a new black-hat hacker elite, which will be well funded and politically protected.

Black-Hat Hacking (the Dark Tangent of the Internet)

Black-hat is a term that is mainly used to describe individuals who have a superior understanding of IT technology and who use their skills for illegal purposes. Black-hats are not born; they are made because of necessity.

IT professionals turn to black-hat hacking mainly because of the lack of career opportunities where they live, as shown by security company F-Secure in its latest revolutionary YouTube video titled “F-Secure Re: Solution.” F-Secure points out that countries that do not have well-developed information technology industries are more likely to become hosts for illegal black-hat hacking activities.

It is important to understand that the clear division between black-hats and white-hats that exists today is primarily based on the separation of ethical principles among hackers. While white-hats are willing to share the information they possess for the good of society, black-hats are most keen on selling it to the highest bidder.

The background of the organizations who buy black-hat–generated content varies from military institutions to the local Mafia. Information is the most powerful trade in the digital world.

In 2001, eWeek reported that there was a significant rise in black-hat attacks against critical U.S. government, banking and e-commerce websites—all sponsored by the Russian Mafia.

Since then the number of Russian Mafia hacker syndicates has risen dramatically. eWeek commented further:

Authorities said the Russian Mafia members gain access to a company’s computer systems, download proprietary information—such as trade secrets, customer databases, and credit card information—and then demand money to patch the system against other hackers.

Where does all this information go? Who is the end consumer? It is hard to say. However, the truth is that hacking has turned into a 24/7 high-demand business, essential for both sides of the fence.

In 2007, the IT security industry has put a formal face among many countries in the developed world. On the other hand, black-hats are still underground and their number is significantly greater.

In the digital world, hacking is a way to get access to sensitive information that usually costs loads of money, depending on whom they are selling it to. Irresponsible disclosure of private information might lead to the rise and fall of nations.

Information Warfare (0 or 1, Dead or Alive)

Information has a different meaning when it comes to waging wars: It means survival and successful outcome. Given the fact that every country relies on machines in order to function, it is no wonder why the battles of today started on the Internet.

In the digital age, enemies convey well-planned propaganda against each other with the purpose of convincing the opposition to give up. This is achieved through a set of strategically delivered information that could be misleading but is also primarily designed to dis-inform.

This information is also very often designed to promote specific objectives and attack the internal information system of the opposition.

Information warfare is also about securing information flows and the systems that rely on it. Any glitch in the information streams could lead to disaster. The unavailability of the banking system could lead to panic, which easily might turn into civil wars within the opposing countries.

This is where Black Public Relation practices combine with the power of the black-hat hacker elite and turn into the cleverest tools for conducting wars without loss.

Summary

To sum up, information is the most essential primitive we have to learn to live with. But we must also be very careful when dealing with it.

Information is sometimes designed to dis-inform; it is sometimes designed to manipulate our thinking. It is a tool and an expansive asset. It can be used for good and bad, although as a security expert I see more of the latter.



My latest thinking on terrorism and virtual worlds is posted over on the CT blog under the title of jihadinets.

Jihadinets

Terrorists are early adopters of new technologies – especially if they’re cheap and easy to acquire. Al-Qaeda’s global embrace of the Internet was no surprise. The virtual world of jihadi chat rooms, online recruitment and networked proliferation of deadly terrorist techniques has entered the public consciousness following the high-profile capture of British Internet jihadis. No serious security observer doubts that radical Islamist groups are adept at exploiting online environments. Therefore, the most visible recent advances in the realm of online collaboration – virtual worlds and social networking sites – will likely be adapted for violent use by extremists. The benefits these platforms provide for military training and operational command & control sharing are clear. The inevitable adoption of these systems by extremists will likely mirror past online developments: quiet experimentation across a number of platforms and mainstream systems, followed by the creation of password-protected digital enclaves that incubate future destruction.

The real-world Afghanistan may be gone as a terrorist training safe-haven but creating virtual Afghanistans is literally and figuratively child’s play. From the Provisional IRA to al-Qaeda, terrorists have traditionally relied on pliant host governments to conduct their necessary face-to-face training. That may no longer be necessary. Geographically dispersed terrorist groups could easily come together to learn the complex technical tradecraft of terror, such as bomb making – but within a virtual environment. This would radically reduce the attack failures that have been a feature of recent attempted terrorist attacks. Training camps have also traditionally played a significant role in terrorist movements, by indoctrinating recruits into their new cause. This essential discourse will be replicated virtually across voice-enabled worlds. Systems such as the virtual world Second Life are unlikely to be used in this way, as potential jihadis will seek to operate behind private protected systems. However, password-protected environments do become compromised over time, as the monitoring of jihadi forums by the SITE Institute clearly shows. Unfortunately, terror has a dangerously clever and elusive option. A practical and shockingly accessible pathway to this future exists today. The same criminal gangs that use ‘malware’ and ‘spybots’ that secretly ‘recruit’ tens of thousands of unsuspecting home PCs and laptops into digital ‘zombies’ will ultimately become subcontractors to terror. Untraceably cheap and disposable ‘just-in-time’ virtual worlds that fuse the benefits of virtual worlds like Second Life with the criminal effectiveness of zombie botnets are inevitable. They will be where tomorrow’s bin Ladens educate, train and coordinate their aspiring killers.

Botnet originators can control the zombie group remotely and use it to launch Distributed Denial of Service attacks, to great effect, as was recently seen in Estonia. The suspicion remains that botnet time was rented to attack Estonia from Russian trans-national criminal syndicates and when this time ran out the attacks fell off. Since January 2007 numerous computers have been infected by a virus known as Storm Worm, giving the criminal syndicates controlling the virus, and hence the computers, processing power estimated beyond the power of the world’s top ten supercomputers. There is clearly an argument for using these botnet systems for more than just spam. It is not yet true to say that the next conflict will be fought virtually on computers alone but it may be rehearsed there.

Combining, fusing and blending virtual worlds and botnets for the purpose of extremist planning would solve many of the terrorist’s problems involved with using the public Internet. A virtual world that only existed for 72 hours on a botnet system would be impossible to trace. Users could come together discreetly and learn specific skills in virtual worlds constructed for that purpose. The barriers to creating such a world are being constantly reduced as companies, such as Multiverse, now provide tools for creating DIY worlds. Virtual worlds require a relatively small software interface, which sits over a number of dispersed servers that host the world. Botnets could act as temporary servers and software could be written to create a small 3-D environment geared towards training terrorists in specific skills. Botnet systems would be rented, exploited and utilized to host a virtual world where terrorists would rehearse their real world performances. For the moment, botnets are best-of-breed platforms for Just-in-Time Jihadinets.

How can traditional counter-intelligence operations deter or undermine this emerging threat? They can’t. Not unlike Iraqi IEDs, these innovative technologies require new doctrines, new training and new tactics to cope. Would the rise of jihadiworlds make ‘humint’ the more important counterintelligence investment? Or do novel forms of digital surveillance and subterfuge become more valuable? Should network penetrators be close and intimate? Or is their work best done from a (virtual) distance? Should these worlds be continually hunted down and disrupted? Or should they become vehicles for more targeted intelligence gathering?

The answers to those questions depend in large part on whether policymakers believe that a (virtual) world war is being waged or if these are merely criminal activities that pose little national – or international – security threat. But if the physical past can serve as a digital prologue to the future, it’s clear that allowing terrorist training infrastructures to take root in either nation-states or virtual worlds invites lethal violence. Safe havens for ‘terror capital’ online are every bit as much a threat as safe havens in Afghanistan, Iran or North Korea. Policymakers who take the safety and security of their citizens seriously must invest in both the capacity and capability to deny aspiring terrorists this medium for mayhem.

Roderick Jones
Michael Schrage

Roderick Jones is a former member of the UK’s Special Branch (now counter-terrorism command) and Vice President of Concentric Solutions, a security consultancy.

Michael Schrage is a senior advisor with MIT’s Security Studies Program and a Sloan School adjunct lecturer.

 


Wired reports that online games are going to use software that examines how users behave in games and then flags irregularities to prevent ‘cheating’ within the games. As I have argued here, this idea could be used to modify defined anti-social behavior within virtual environments.

Article here:

Online Games Use Fraud Software to Combat Cheats

By Emmet Cole

Cheaters in multiplayer online games beware: Game developers are turning to advanced financial fraud-detection software to keep you from crooking your way to online riches.

Massively Multiplayer Online games are one of the fastest-growing sectors of the game industry and naturally, MMO cheating is on the rise. Security experts say cheaters use automated shortcuts to enhance their avatars’ status. Many are doing so just for fun, but some are making real-world cash through ill-gotten virtual gains.

To fight back, game developers have taken a page from banks and credit card companies. They’re using fraud-detection software to analyze the rushing stream of events that occur in an ordinary MMO day, in search of something fishy.

“If players cheat, the software can recognize a deviation from the norm and flag it,” says David Whatley, the CEO of Simutronics, which makes the MMO game platform HeroEngine.

The software works by creating a model of how players normally behave during a game.

For instance, the software might raise a red flag if it notices a player suddenly reaching 20,000 kills in a game where the average number of kills is in the low hundreds — the same way your credit card company might give you a call if it notices a spike in your purchases from outfits in Nigeria.

Online games are growing fast, attracting more than 20 million gamers, according to unofficial estimates. And as the gaming community grows, so does the number of cheaters. Some cheats just try to enhance their character or status, but there’s also real-world money to be made selling in-world objects like armor, real estate or currency.

Simutronics is using software created by StreamBase, a firm that usually works on financial applications. John Partridge, a co-founder of StreamBase, says the software can analyze more than 500,000 game messages per second in popular games. In less intensive games, it can examine as many as a million messages per second. The software performs the analysis in real-time so MMOs can catch cheaters red-handed.

“You could argue that financial services is a big MMO,” says Partridge. “It’s massively multiplayer and it’s online. Maybe it’s not a game, but the information that traders are working off of is like an event in one of these virtual world role-playing games.”

The MMO developer BioWare has recently adopted StreamBase’s technology, as has Second Life’s Linden Lab and Avatar Reality, which is creating the MMO Blue Mars for launch in late 2008.

In the fight against MMO cheats, the numbers are not in the developers’ favor. “There are more of them than there are of us,” says Tim Keating, the director of development for the online game company Heatwave Interactive.

What’s worse, game developers don’t have access to all the code that’s running on their networks. MMOs, by definition, are populated by people strewn across the planet, each using local software to access the game.

Because the software — for instance the front end used by World of Warcraft — does not reside on the company server, cheaters can “hack it, mimic it, sniff its packet flow, twiddle values and bits, and anything else,” Whatley points out.

MMO cheating can have real-world consequences, says Partridge. Credit card thieves have been known to launder money through virtual worlds by buying up in-game objects. They then sell the virtual objects for cash. By the time the credit card theft is discovered, the real-world griefers are long gone.

Partridge said he knows of one case that “amounts to several hundred thousand dollars per month in lost revenue,” though he declined to provide further details.

The problems that MMO developers experience today are a harbinger of the kinds of problems we can expect to see in all other kinds of software in the future, says Gary McGraw, CTO of Cigital, a software security and consulting firm, and the author of Exploiting Online Games: Cheating Massively Distributed Systems.

McGraw says companies moving their software online, such as Adobe, should study MMO cheating methods.

“By studying these games, we can learn an awful lot about the kinds of attacks that we can expect over the next decade,” says McGraw.
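The "model the norm, flag the deviation" idea from the Wired piece, as an added example that is not part of the article and is not StreamBase or Simutronics code. It shows why the baseline should be built from the median rather than the mean: one player with 20,000 kills inflates the mean and standard deviation enough to hide from a classic 3-sigma test. Player names, event tuples and the 3.5 threshold are assumptions made for the illustration.

```python
from collections import Counter
from statistics import mean, median, stdev

# Constructed sample: nine players in the "low hundreds" and one at 20,000.
SAMPLE_KILLS = {"p1": 150, "p2": 180, "p3": 199, "p4": 205, "p5": 220,
                "p6": 240, "p7": 260, "p8": 275, "p9": 310, "p10": 20000}
# Flatten into a stream of (player, event_type) game messages, plus noise
# events that the detector must ignore.
SAMPLE_EVENTS = [(p, "kill") for p, n in SAMPLE_KILLS.items() for _ in range(n)]
SAMPLE_EVENTS += [("p1", "chat"), ("p4", "trade"), ("p10", "login")]


def kill_counts(events):
    """Aggregate a stream of game messages into kills per player."""
    counts = Counter()
    for player, event_type in events:
        if event_type == "kill":
            counts[player] += 1
    return counts


def naive_zscores(counts):
    """Classic z-score: distance from the mean in standard deviations.

    The outlier itself drags the mean and stdev upward, so in a small
    population its own z-score can never exceed (n - 1) / sqrt(n).
    """
    values = list(counts.values())
    mu, sigma = mean(values), stdev(values)
    return {p: (n - mu) / sigma for p, n in counts.items()}


def robust_flags(counts, threshold=3.5):
    """Flag players far above the norm using median and MAD.

    The median absolute deviation ignores extreme values, so the baseline
    still describes ordinary players when a cheater is in the data.
    1.4826 rescales MAD to match a standard deviation for normal data.
    """
    values = list(counts.values())
    if len(values) < 3:
        return {}  # too little data to call anything "normal"
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = 1.4826 * mad if mad else 1.0  # MAD is 0 if most counts are equal
    scores = {p: (n - med) / scale for p, n in counts.items()}
    return {p: round(s, 1) for p, s in scores.items() if s > threshold}


if __name__ == "__main__":
    counts = kill_counts(SAMPLE_EVENTS)
    print("naive z for p10:", round(naive_zscores(counts)["p10"], 2))
    print("robust flags:", robust_flags(counts))
```
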
