The last few weeks have offered the strongest indications yet that nation-states are using customized software to exploit security flaws on personal computers and consumer Internet services to spy on their users. The countries suspected include the United States, Israel, and China. Journalists should pay attention--not only because this is a growing story, but because if anyone is a vulnerable target, it's reporters.
Last week, The New York Times' David Sanger quoted several U.S. government contacts who said Stuxnet, the virus suspected of targeting Iranian nuclear centrifuges, was in fact part of a secret U.S. government project. This week Google placed warnings on a number of Gmail accounts that they had been targeted by what Google indicated was a "state-sponsored attack" (Google would not indicate why it thought this was the case). And a new piece of malware, over 20 megabytes in size, dubbed "Flame" by its discoverers at Kaspersky Lab, has been tracked as being concentrated in the Middle East, and bears the hallmarks of a state-directed operation.
Flame's design exploits a combination of flaws in a Microsoft product, including one that relied on a mathematical attack, previously unknown to security researchers, against a standard cryptographic technique. As with Stuxnet, the sophistication of this attack suggested to investigators that it was created by a nation-state. As the investigators state:
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.
But who were the targets? Stuxnet was aimed at Iran's uranium refinement facilities, but accidentally spread to the rest of the world. Flame appears to have been aimed at a much broader group. Kaspersky says the victims "range from individuals to certain state-related organizations or educational institutions."
Google won't reveal names either, but some receiving its warning on their Gmail accounts have already come forward, and many of them are journalists working in or on China. Shanghaiist notes that Xander Yang of France 24's Beijing bureau reported receiving the warning, as did Caijing magazine's Tan Yifei and Venus Cao of the Southern Weekly. Daniel Drezner, an academic and blogger for Foreign Policy, reported the same warning.
That shouldn't be surprising. Journalists make the perfect target for such snooping software. They frequently carry a lot of politically sensitive, confidential information, and use vulnerable technology. They are often working without the backing of large organizations with good IT support. Even major media organizations do not expect to face sophisticated technological espionage attacks.
The lesson of all of this activity is that many governments see these attacks as an effective, unregulated, and deniable way to target groups that would otherwise be too politically sensitive or independent to publicly challenge or co-opt. That puts reporters, bloggers, and media companies high on the hit list.
And while these incidents are notorious because we now see state actors entering the malware market, the two other categories of "players"--criminals and hacktivists--also have their reasons to attack journalists. One of the most damning aspects of both Stuxnet and Flame was that techniques developed at great expense were placed in code that was spread on the Internet. That code is now available for other criminals to examine and learn from. Microsoft worked quickly to patch its systems, partly because the detection of Flame showed attack strategies that it knew other cyber-criminals would quickly adopt.
Technologists can help bloggers and reporters who don't have institutional support protect themselves by being open and responsive. That means more pro-active investigations like the Kaspersky project, more transparency like Google's specific warnings, and swift reactions like Microsoft's.
But for now the best way that journalists and other victims can defend themselves from these attacks is for them to take them seriously. Run anti-virus software. Follow our advice on info security in our journalist security guide. And if you see or hear anything suspicious, let us know.