Tuesday, May 22, 2012

Adobe Systems, a national security threat?

Sloppy coding and software development practices at Adobe Systems have made things easier for China-based cyber espionage actors. The number one vector for these intrusions has been carefully crafted e-mails containing malicious attachments or links, and the most commonly targeted vulnerable applications have been Adobe Systems products. Let's look at this a little closer. Below is a table listing the number of high severity vulnerabilities within the National Vulnerability Database for several different products. Adobe product vulnerabilities dominate those of Microsoft Windows. But there are obviously serious issues across the entire software industry, which may be a subject for another post.

High severity vulnerabilities per year (National Vulnerability Database):

Year   Adobe (all)   Adobe Reader   Adobe Flash   Microsoft PowerPoint   Microsoft Windows XP SP3
2012       44             9              0                14                       12
2011      166            49             19                57                       90
2010      184            63             25                59                       62
2009       77            42             33                18                       73
2008       34            12             17                11                       23
2007       13             3              2                 3                        3

Looking in further detail, here are the vulnerabilities which have actually been exploited in the wild during the period January 2011 to today: Adobe Systems vulnerabilities dominate those of Microsoft, 7 to 2. This information can be found by searching the National Vulnerability Database for the string "exploited in the wild" and cross-correlating with the analysis of virus researchers.

Adobe: CVE-2012-0779, CVE-2011-4369, CVE-2011-2462, CVE-2011-2110, CVE-2011-0627, CVE-2011-0611, CVE-2011-0609

Microsoft: CVE-2012-0158, CVE-2011-3402
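The two counts above (high severity entries per product per year, and the "exploited in the wild" string search since January 2011) can be reproduced mechanically over a vulnerability feed. The script below is an added example, not part of the original post; it runs over constructed sample records with placeholder IDs whose field names are a simplified shape of my own choosing, not the actual NVD feed layout, and it treats a CVSS v2 base score of 7.0 or higher as "high".

```python
from collections import Counter

# Constructed sample records (NOT real NVD entries; the IDs are placeholders).
# Field names are a simplified shape chosen for this example, not the NVD feed.
# Scores follow the CVSS v2 convention used by NVD: 7.0 and above is "high".
SAMPLE_RECORDS = [
    {"id": "CVE-SAMPLE-1", "vendor": "adobe", "product": "acrobat_reader",
     "published": "2012-01-10", "score": 9.3,
     "description": "Reader memory corruption; exploited in the wild in January 2012."},
    {"id": "CVE-SAMPLE-2", "vendor": "adobe", "product": "flash_player",
     "published": "2011-04-12", "score": 9.3,
     "description": "Flash Player issue, exploited in the wild via crafted documents."},
    {"id": "CVE-SAMPLE-3", "vendor": "adobe", "product": "flash_player",
     "published": "2011-06-15", "score": 4.3,
     "description": "Information disclosure in Flash Player."},
    {"id": "CVE-SAMPLE-4", "vendor": "microsoft", "product": "office",
     "published": "2012-04-10", "score": 9.3,
     "description": "Office control flaw, exploited in the wild in April 2012."},
    {"id": "CVE-SAMPLE-5", "vendor": "microsoft", "product": "windows_xp",
     "published": "2010-08-01", "score": 7.2,
     "description": "Kernel flaw, exploited in the wild in 2010."},
    {"id": "CVE-SAMPLE-6", "vendor": "adobe", "product": "acrobat_reader",
     "published": "2011-12-16", "score": 10.0,
     "description": "Unspecified Reader vulnerability."},
]


def high_severity_by_year(records, vendor, product=None, threshold=7.0):
    """Count entries at or above the CVSS threshold per publication year,
    for one vendor and optionally one product (the per-product table)."""
    counts = Counter()
    for rec in records:
        if rec["vendor"] != vendor:
            continue
        if product is not None and rec["product"] != product:
            continue
        if rec["score"] >= threshold:
            counts[rec["published"][:4]] += 1
    return dict(counts)


def exploited_in_wild(records, since="2011-01-01"):
    """Group IDs by vendor for entries published on or after `since` whose
    description carries "exploited in the wild" (ISO dates compare as strings)."""
    hits = {}
    for rec in records:
        if rec["published"] < since:
            continue
        if "exploited in the wild" in rec["description"].lower():
            hits.setdefault(rec["vendor"], []).append(rec["id"])
    return hits


if __name__ == "__main__":
    print(high_severity_by_year(SAMPLE_RECORDS, "adobe"))
    print(exploited_in_wild(SAMPLE_RECORDS))
```

The medium-severity Flash entry is excluded from the yearly counts, and the 2010 Windows entry is excluded from the "in the wild" list by the January 2011 cutoff.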

Should software firms be held liable for the losses their bugs impose on customers? Why are people still using Adobe products? This points to wider issues of market failure within the software and information security industry, which has now caused issues of national security concern to governments worldwide.

Monday, May 21, 2012

US government publications/statements link China to decade long campaign of cyber espionage operations

The last 6 months have seen a series of extraordinary revelations by US government officials, who have revealed that China-based actors are responsible for an extensive industrial cyber espionage campaign and, further, link this activity to the Chinese government itself. This started in October 2011 when the Office of the National Counterintelligence Executive issued the 2011 report on Foreign Economic Collection and Industrial Espionage, which is available here. The report has many interesting details and is well worth reading, but from the executive summary we have the key paragraph:

"Chinese actors are the world's most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible."

This is the first time the US government has officially named Chinese actors as carrying out extensive cyber espionage, but it is worded carefully so as not to say the Chinese government or name any entities within China. Then in January 2012 Mike McConnell, Michael Chertoff, and William Lynn, writing in the Wall Street Journal, stated something stronger, naming the Chinese government as responsible.

"Only three months ago, it would have been a violation of national security rules for us to share what we are about to say, even though, as the former Director of National Intelligence (DNI), Secretary of Homeland Security, and Deputy Secretary of Defense, we have long known this to be true: The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world's most active and persistent practitioners of cyber espionage today."

"Evidence of China's economically devastating thefts of proprietary technologies and other intellectual property of U.S. companies is growing exponentially, and only in October 2011 were the details declassified in a report to Congress by the Office of the National Counterintelligence Executive. By contrast, as a matter of official national policy, the United States does not engage in or allow economic espionage."

The full article is available here.

Then from a Senate Armed Services Committee hearing on Cyber Command from March 2012 (transcript and video are available here) we have the following.

From Chairman Levin's opening remarks:

Chairman LEVIN: "...General Alexander has stated that the relentless industrial espionage being waged against U.S. industry and Government chiefly by China constitute 'the largest transfer of wealth in history.' The committee needs to understand the dimensions of this technology theft and its impact on our national security and prosperity..."

From an exchange between Chairman Levin and General Alexander (Commander, Cyber Command and Director, NSA):

Chairman LEVIN: "...The industrial espionage campaign I noted in my opening statement, and you made reference to it in your statement, particularly China's aggressive and relentless industrial espionage campaign through cyberspace. I wonder. Can you give us some examples in open session of the technologies that have been stolen through penetration of major DOD contractors and perhaps the Department itself."

General ALEXANDER: "...We are seeing a great deal of DOD-related equipment stolen by the Chinese. I cannot go into the specifics here, but we do see that from defense industrial base companies throughout. There are some very public ones, though, that give you a good idea of what is going on. The most recent one, I think, was the RSA exploits. RSA creates the two-factor authentication for things like PayPal. So when you get on and order something and pay for it over the network, the authentication is done by encryption systems that RSA creates. The exploiters took many of those certifications and underlying software which makes it almost impossible to ensure that what you are certifying or what someone else is certifying is in fact correct.
Now, RSA acted quickly and is replacing all those certificates and has done that in priority order for the Defense Department and others.
But when you think about it, the ability to do it against a company like RSA is such a high-order capability, RSA being one of the best, that if they can do it against RSA, that makes most of the other companies vulnerable."

(The Chinese state actor then used the stolen RSA information to attempt to breach Lockheed Martin and other defense contractors; see for example this article in the New York Times.)

From an exchange between Senator McCain and General Alexander:

Senator MCCAIN: "I want to thank the witnesses. I would ask General Alexander. Do you agree that Secretary Panetta and the FBI have said that cyberattacks may soon be the number one threats to the United States?"

General ALEXANDER: "Absolutely, Senator."

Senator MCCAIN: "And would you agree that the major threats to our national security come from outside the United States specifically, obviously from unclassified information, from China?"

General ALEXANDER: "Absolutely."

In late April 2012 Rep. Mike Rogers (R-Mich., chairman) and Rep. Dutch Ruppersberger (D-Md., ranking member) of the House Permanent Select Committee on Intelligence wrote an op-ed for Politico which opens with a very strongly worded paragraph:

"The Chinese government has been quietly pursuing a strategy to help project that nation into superpower status. China steals as much intellectual property as it can from U.S. companies and uses it to artificially and unfairly compete in the global marketplace. Beijing uses this information to further its military modernization and, most important, to help fuel economic growth."

and continues:

"Every morning in China, thousands of highly trained computer spies now wake up with one mission: Steal U.S. intellectual property that the Chinese can use to further their economic growth. American companies are hemorrhaging research and development on products ranging from fighter engines, to pesticides, to cutting-edge information technology."

The full op-ed is available here.

Then on 18 May 2012 the Department of Defense released its 2012 report on "Military and Security Developments Involving the People's Republic of China", which mentions concerns regarding China and cyber espionage. At the news conference launching this report there was the following exchange between a reporter and Dave Helvey, the acting deputy assistant secretary of defense for East Asia. The official is much more cautious than the members of Congress and only talks about China-based actors.

Q: David, Bob Burns from AP. "On the topic of cyber espionage, which you mentioned very prominently in the report, do you see signs of them accelerating this capability, in particular as it could be applied against U.S. targets?"

MR. HELVEY: "Well, we continue to highlight in this report some of the concerns that we have about China's investment in cyber capabilities. We note that China's investing in not only capabilities to better defend their networks but also they're looking at ways to use cyber for offensive operations. We also highlight a number of areas where we see China engaging in cyber activity focused on computer network exploitation. That continues to be a concern of ours, and we've raised it and we've talked to the Chinese about it, most recently during the Strategic Security Dialogue in Beijing. As well, Secretary Panetta raised that with General Liang in their visit. So this is something that we continue to pay very careful attention to, and we've raised these concerns with the Chinese."

The full transcript is available here.

Turning now to non-government sources, we have the following from the March 26, 2012 testimony of Richard Bejtlich, CSO, Mandiant, before the U.S.-China Economic and Security Review Commission.

"For the most part, our team and I use the strict definition of APT as created by the Air Force in 2006, namely as an unclassified reference to intrusion sets ultimately traced back to actors in China. Our intelligence team currently tracks approximately twenty distinct APT groups. These groups include all of the parties identified by reports publicly released by other security companies, as well as actors that we believe are unknown to many of those other companies."

"Most of the APT groups we track target the US defense industrial base (DIB). Some of these groups also target US government agencies, think tanks and political organizations, and other commercial or private targets."

So there are at least 20 distinct groups of cyber espionage actors tied to China. Is further attribution possible? Yes, of course, despite what is commonly said regarding the difficulty of attribution. A Reuters report based on authoritative information clearly attributes at least some Chinese cyber espionage activity to the People's Liberation Army's Third Department Technical Reconnaissance Bureaus. The report also links this activity with the intrusions detailed within the 2009 Information Warfare Monitor report "Tracking GhostNet: Investigating a Cyber Espionage Network"; the subsequent Information Warfare Monitor report "Shadows in the Cloud: Investigating Cyber Espionage 2.0" details similar activity. These reports make for fascinating reading and are available here. A couple of actors involved in these activities have even been named, in particular Lost33 and Yinan Peng. An excellent report on the PLA Third Department is available from the Project 2049 Institute, "The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure". Further information on the PLA and cyber espionage is available from a report prepared for the U.S.-China Economic and Security Review Commission, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage".

Early reporting on Titan Rain suggests China-based cyber operations have been underway for many years:
http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html

Here are some links to useful summaries of significant cyber events over the last few years.
Of course others do it too; see the reports below on Buckshot Yankee.
  • William Lynn (writing when he was United States Deputy Secretary of Defense) in Foreign Affairs magazine on "Defending a New Domain".
  • Extensive Washington Post article with many interesting details, here.
  • Here is a LA Times article which suggests the intrusion came from Russia.