Ominous Claims from Ominous People

I was looking at Scribd, and I came across this report from the Public Security Technical Program on BotNet Traffic, and the authors have this to say about it:

This report is written as a comprehensive reference ‘how to’ Combat Robot Networks and Advanced Persistent Threats on a national scale

Now, while the report is mostly about botnet analysis, listing a series of well-known botnets, it also makes some interesting claims in the summary which should alarm everyone who is concerned about their privacy in Canada. The first claim they make in this report is the following:

This report represents a departure from traditional cyber security studies that have relied on interviews to canvas opinions about the cyberthreat. This report is informed by actual data, in addition to a case study of botnet activity during Vancouver’s 2010 Olympic Games. Cyber intelligence estimates for this study are derived from a network sample of 839 petabytes (1) of communications traffic examined over the period of a year, covering 70% of all Internet communications traffic in Canada. Detailed threat analysis was performed on a malicious traffic sample size of 200 Petabytes. This represents the largest statistically valid sample set of cyber threat activity in Canada to date, upon which police can rely for evidence-based decision-making to combat botnets and their controllers.

For the non-technical readers, a petabyte (PB) is 1024 terabytes (TB), and a terabyte is 1024 gigabytes (GB). Most drives these days weigh in at 720 GB to 1 TB. This amount of data is insane: 839 PB is close to an exabyte, and the infrastructure needed to store that much is extremely huge. Considering that petabyte-scale storage costs millions of dollars, it’s likely that they did not store all the data, and in the footnote you can see that they only stored 8.3 TB of network traffic in Canada for their analysis.

Of course, we don’t know what their methodology is, and the fact is that they won’t tell us, because 58 of the report’s pages were redacted before it was released as unclassified. Here’s the info about the full report’s security status:

The tradecraft in operation by carriers is considered to be exceptionally sensitive and is handled in a compartmented fashion. Full disclosure of techniques and proactive defence measures may not be possible. The main body of this report will be unclassified. Sensitive information has been placed in a classified annex and handled through the appropriate channels. Notwithstanding, significant findings remain classified. The full report is classified CONFIDENTIAL / CTI / PROTECTED C CRITICAL INFRASTRUCTURE / EMERGENCY MANAGEMENT INFORMATION and is not subject to ATIP. The Emergency Management Act (EMA) includes a consequential amendment to the Access to Information Act (ATIA) that allows the Government of Canada to protect from disclosure specific critical infrastructure / emergency management (CI/EM) information supplied in confidence to the government by third parties.

This is interesting; I wasn’t aware of this particular amendment. I took a quick look at it, and sure enough, there’s something right here that covers this. We will never know how they did their research, but it’s very likely that the Government intercepted and did traffic analysis on 70% of all of Canada’s network traffic. I’m pretty sure that this is illegal, but we don’t have anything super definitive, other than a graph, taken a MONTH AFTER the Olympics, of all traffic going over the BELL-AS backbone that they were listening to.

The report then proceeds to list the worst ISPs, which appear to be various Canadian hosting companies, including iWeb and NetNation. They then have a section on Threat Agent Analysis, which seems to be the most screwed up part of the entire report, and involves the RAND Corporation. Here’s the paragraph that mentions an organization near and dear to me, the Chaos Computer Club:

Colloquial usage has almost taken “hacker” in a pejorative sense, where it is likely to remain. Notwithstanding, any serious assessment of the threats to information systems needs to have an unequivocal definition of the hacker. For this purpose you can think of a hacker as: “a person who exploits information technology for the sake of the technology.” This distinguishes them from criminals, terrorists or spies who may exploit a computer system using the same means but for entirely different motives - like money or secrets. Hacking groups have adopted social and political agendas since the beginning. The Chaos Computer Club has had several agendas in its lifetime, and across the spectrum. The truth is that most hackers are opportunists with one-day agendas with a force of conviction traced along a compass heading which is more often influenced by the magnetic attraction of the moment. In this sense, many within the community view hackers as rebels without a cause, or at most with one that is morally flexible.

Hacktivists are electronic guerrillas with political agendas ranging from ending censorship to outright sabotage. The concept of righteous hacking is in vogue. Participants stem from two sources: traditional crackers who are looking for altruism from otherwise illicit activities, and politically motivated activists who see hacking as a tool for advancing “the cause”. As far as hacktivists are concerned, the Internet is not only rule-free and ethically liberal but also serves as a large wall for political graffiti. There seems to be a general acceptance (at least within these spheres) that the end justifies the means. Hacktivism has almost died out as a meaningful threat in 2005. Recent hacktivism around the 2010 Olympics failed before it even began.

This is hilariously funny. I’m not sure what hacktivism they were referring to, or whether they had access to the V2010ISU’s files on me. I think it’s time I stated the impracticality of “Hacking the Vancouver 2010 Winter Olympic Games”.

Opposition to the Vancouver 2010 Winter Olympic Games was localized in Vancouver. While other anarchist groups protested the torch, and other anti-Olympic groups issued statements of solidarity, there was very little that could have been done to disrupt it electronically. The fact is that if the Vancouver 2010 Winter Olympics had been hacked in any serious way by hacktivists, the RCMP would have thrown my ass in jail so fast it would have been ridiculous, whether I had anything to do with it or not, because I was known to be technical. It’s not that I couldn’t have done it (and yes, there were numerous opportunities); it’s the fact that the risk to myself was so damned high that it wasn’t worth it. It’s next to impossible to do hacktivism on a local scale without putting yourself at immediate risk just for being considered a hacktivist.

OK, back to the document: the next idiotic quote can be attributed to the TAO collective in Toronto. They’re kinda like Riseup, except stupid:

“Hacktivists are savvy, subversive and seasoned veterans of the Cola War” - Tao Collective.

The Electronic Disturbance Theater is also quoted:

On the other hand, assuming that hackers are driven to pernicious ends by the dark side of the force and labelling those enemies of the state, is overly alarmist and erodes the credibility of the security community. “We need to seriously question and abandon some of the language that the state uses to demonize genuine political protest and expressions” - Electronic Disturbance Theatre.

Finally, they decide that the least significant threat to Canadian interests is “Cyberterrorism”, in this paragraph:

It is our finding that one of the least significant network threats to Canadian interests is posed by terrorist and extremist groups. The Internet provides the capability to disseminate propaganda and recruit members but there is a natural aversion to mingling with the hacker community. Cyber-terrorism simply has not materialized and the National Information Infrastructure is all but immune from netcentric acts of cyber terrorism. Terrorist organizations collectively lack the knowledge, capacity and will to launch significant attacks over cyberspace. All they could muster would be buried in the noise of attacks that are repelled on the NII every morning. They also do not appear to be partnering with entities that do have the means. A terrorist attack against cyberspace will most likely be delivered with an improvised explosive device, constructed locally and placed near a carrier office. The recent 2006 alleged terrorist plot in Toronto and in England in 2007 support this hypothesis.

The report then goes through two sets of recommendations. The recommendations are insanely huge and are as weird as the rest of the report; here are three of them:

  • Tax Credits for the National Cyber Strategy
  • Increase in the number of Public-Private-Partnerships
  • Increased funding of Research into Cyber Defence

They also recommend developing various sources of information, including sources listed as "Dark Web", "Dark Matter", "Dark Space" and "Dark Universes". This just sounds comical, as does seeing this report link World of Warcraft gold farming to organized crime! It starts getting very interesting when you start looking at the Technical Recommendations:

The principal challenge facing law enforcement and national security institutions addressing cyberspace is an absence of appropriate tools, tradecraft, and permissions enabling a clear and credible path from detection through to prosecution. The staggering growth of the Internet over the past 20 years has outpaced the capacity for law-enforcement and security institutions to adapt their procedures, obtain sufficient political guidance, and build the necessary capabilities to sustain effective policing within this domain.

That makes sense, and corresponds with what we've already seen with the logs of this blog. However, things get even more relevant shortly:

Undercover or covert investigations - carried out through the use of specially constructed online persona consistent with legends used for conventional undercover work. Online personas need to possess identity congruence, ensuring that the characteristics of the persona are consistent and include such things as the geolocation of the IP address from which the persona accesses the Internet, the characteristics of the computer system, and remotely searchable information such as cookies, browser type, etc. The working assumption should be that a clever target will attempt to reverse interrogate and verify the identity of any online persona attempting to enter the circle of trust. Consequently, online personas require as much attention to detail as the construction of conventional undercover and or covert identities for criminal and security investigations.
Online personas can be manually managed in order to collect evidence, or they can be programmed to automatically harvest data, for example from message boards and other communication streams. Some systems, such as Cloakroom, allow for the tagging and structuring of data directly within the investigation environment, which facilitates its incorporation into an investigation being carried out within an advanced link analysis and visualization platform (such as Palantir).

Hey, look, it's Cloakroom Connect, that product from SecDev that they wanted to integrate with HBGary's stuff. You know, the darknet that is built directly into Bell Canada's infrastructure? Yeah, that one!

Furthermore, it talks about the various practices of Law Enforcement Agents (LEAs) and how they investigate or conduct open source surveillance, and makes a very obvious point:

Most web browsing sessions are visible by all web site owners that investigators visit. The identity of police can be easily ascertained and a case burnt. Even innocuous browsing to a university site, political, media or activist site can have a chilling effect and raise unwarranted allegations of investigation.

This is true, since the visits to wikileaks.ca by the RCMP led me to file an ATIP regarding any investigation of Wikileaks supporters in Canada. Of course, there's the fact that the RCMP DOES visit political, media and activist sites and does work to criminalize dissent. I'm also certain that CSIS engages in similar tactics, although it should be pointed out that CSIS agents are not LEAs. The report also notes:

ISP staff who handle LEA circuits and contracts are generally not required to go through security vetting. Until recently this has included personnel performing lawful intercept operations. Still most ISPs have no cleared staff or criminal background checks.

This is also a good point.
However, I'm wondering whether system administrators with radical tendencies are going to find themselves forced out of a job. Eventually the report discusses the need for anonymity, and starts to resemble the brochure that was used for selling Cloakroom Connect. The bias towards SecDev is clearly apparent here. Under the heading "Future Work", they then get into anonymity again. This section also uses ridiculous buzzwords like Web 3.0, Information Peacekeeping and Cyberterrorism 3.0. It definitely sounds completely sinister, and talks about "reshaping the debate" and using psyops over social networks to "counter the propaganda". They then talk about the Tor Project:

Many private and public sector enterprises or citizens use anonymizers, or less-attributable mechanisms for web browsing. Organized crime, terrorist cells and foreign espionage programs go to extraordinary means to obfuscate their identity and activities on-line by constructing covert communications access points. Most of the non-attributable systems used in public and private sectors in Canada today remain attributable and insecure. The TOR Onion Routing software provides a pseudo-anonymity layer for the internet users. PSIPHON is a social-network based software that allows users to circumvent internet censorship in the various countries that use various filters. A basic version is distributed free to respect the civil liberties environment from which these products come from. Although both TOR and PSIPHON are popular with civil libertarians, privacy advocates and criminals, neither is suitable for public safety or highly sensitive commercial operations. The project would build high-assurance clandestine non-attributable network access. It is imperative that an organization look after the network access all network layers including obfuscating the financial trail, people, processes, gateway technologies, host machines, software configurations and data leakage.
Some innovative means already deployed by threat agents to avoid capture include: virtual machines and spiders can act as transient instances of software implants leaving no physical real estate within target environments; fast-flux nets using encrypted peer-to-peer communications; Persistent virtual environments to establish electronic dead letter boxes, enable brush meets, broker information and launder money; compromised launch points can be buried deep into the host infrastructure. It would also be necessary to engineer broadband secure wireless roaming capability established to provide covert communications globally.

This reads like they're trying to sell something, like perhaps Cloakroom Connect. They don't get into details as to why Tor is inadequate; they just say that it is. They talk more about the need for lawful access, and they get into hypothetical situations. This report is vague, has a lot of incredible claims, and is clearly written for the purpose of vilifying everyone who isn't the government. They don't expose how they did the packet analysis on the Bell network, because, you know, that's tradecraft, and they spend a LOT of time getting off-topic talking about things like the Chaos Computer Club and hacktivism for something that's supposed to be a paper about botnets. I think this raises a lot of interesting questions that we need answers to, like: