Tracking GhostNet

Dear Friends and Colleagues

Please find below a link to Tracking GhostNet: Investigating a Cyber Espionage Network, the second major report from the Information Warfare Monitor – a joint project of the SecDev Group (Ottawa) and the Citizen Lab (Munk Centre for International Studies, University of Toronto).

Tracking GhostNet: Investigating a Cyber Espionage Network

This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The report can be downloaded here.

For security reasons, we have redacted parts of the report until affected parties can be notified by the relevant authorities. A full uncensored report will be released in one week.

A New York Times story by John Markoff about the report is here.

This report is the culmination of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. It documents a vast suspected cyber espionage network of at least 1,295 infected computers in 103 countries, referred to in the report as GhostNet. Close to 30% of the infected hosts are considered high-value political and economic targets, and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The attack tools used by the GhostNet system were far-reaching in capability: they could retrieve documents from infected hosts and switch on web cameras and audio recording. The investigation concluded that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama.

While our analysis reveals that numerous politically sensitive and high-value computer systems were compromised in ways that circumstantially point to China as the culprit, we do not know the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. One of the characteristics of cyber-attacks of the sort we document here is the ease with which attribution can be obscured. Regardless of who or what is ultimately in control of GhostNet, it is the capability for exploitation, and the strategic intelligence that can be harvested through it, that matters most. This report underscores the growing capabilities of cyber attacks, the ease with which cyberspace can be used as a vector for signals intelligence, and the importance of security professionals and policy makers worldwide taking information security seriously. We look forward to your comments.

Breaching Trust

I am pleased to announce our release of a major investigative report, Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform, written by Nart Villeneuve, Psiphon Fellow, the Citizen Lab, at the Munk Centre for International Studies, the University of Toronto.

The full report can be downloaded here.

John Markoff of the New York Times has just released a story about the report, which will appear in tomorrow’s paper, but can be found online here.

Major Findings of this report are as follows:

  • The full text of chat messages sent by TOM-Skype users, and by Skype users who communicate with TOM-Skype users, is regularly scanned for sensitive keywords; when a keyword is present, the resulting data are uploaded and stored on servers in China.
  • These text messages, along with millions of records containing personal information, are stored on insecure, publicly accessible web servers together with the encryption key required to decrypt the data.
  • The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
  • Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain only words that are too common to be plausible triggers for keyword logging, suggesting that other criteria, such as specific usernames, determine whether a message is captured by the system.

As my colleague Rafal Rohozinski and I say in the foreword to the report, “If there was any doubt that your electronic communications – even secure chat – can leave a trace, Breaching Trust will put that case to rest. This is a wake up call to everyone who has ever put their (blind) faith in the assurances offered up by network intermediaries like Skype. Declarations and privacy policies are no substitute for the type of due diligence that the research put forth here represents.”

Access Denied review: IEEE Spectrum

“In the dot-com heyday of the ’90s and early 2000s…there was a myth that the Internet can’t be controlled,” says Ronald Deibert, a researcher at the University of Toronto’s Citizen Lab. “There was some mysterious, magical property associated with it that will route around censorship.” The most exhaustive study yet of Internet censorship—Access Denied: The Practice and Policy of Global Internet Filtering, published this month by the MIT Press—pretty much disproves that notion.

From IEEE Spectrum

Everyone's Guide to By-Passing Internet Censorship for Citizens Worldwide — NEW RELEASE

I am pleased to announce that we have finished the Citizen Lab’s latest output, Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide, which is also available for download here.

This guide, which is intended for the non-technical user, provides tips and strategies on how to bypass content filters worldwide. It is currently available in English, but we are busy making translations into multiple languages. Stay tuned!

Many thanks to the Citizen Lab’s team that worked on this project, especially Jane Gowan, Nart Villeneuve, Julian Wolfson, Francois Cadieux, Sarah Boland and James Tay.

ONI Releases Belarus Internet Watch Report

The OpenNet Initiative today released “The Internet and Elections: the 2006 Presidential Election in Belarus.” The report presents the findings of ONI’s effort to monitor the Internet during Belarus’ recent presidential elections.

Amidst fears that the authoritarian regime of President Aleksander Lukashenka was going to close down Belarusian political cyberspace during the elections, ONI testing found little evidence of systematic and comprehensive filtering, despite earlier ONI investigations that established the regime’s capability to do so. ONI monitoring during the elections showed that, on average, opposition and independent media websites remained accessible throughout the monitoring period. However, ONI testing also revealed a number of serious irregularities that disrupted access to certain opposition and independent media websites at strategic moments during and after the vote.

The report can be read here.

Internet Filtering in Yemen. Yet Another Western Filtering Story

We (the OpenNet Initiative) have just released our new report on Internet filtering in Yemen.

Two things to note about this report. First, the Yemen report is the first that we are releasing in simultaneous English and Arabic translations. It is important to us to have an impact among the constituencies that matter most to the topics we are investigating, so look for future reports to have similar simultaneous translations.

The second issue concerns the findings of the report itself. Our investigations confirmed that Yemen is using a western filtering product, Websense, to filter access to information on the Internet. Although Yemen filters mostly pornography, the Yemen case offers yet another troubling example of a commercial company aiding a regime that violates human rights (in this case freedom of speech and access to information). Below is my quotation from the press release:

As a developing Middle East country on the frontline of the “War on Terror,” Yemen faces numerous difficult and unique security and policy challenges. The pressures (both domestic and international) to compromise human rights and political liberties in favor of order and security are enormous and likely difficult to resist. In light of these pressures, it is remarkable that Yemen does not presently extensively filter political opposition, dissident, and human rights websites, focusing its attention primarily on pornographic and other sex-related material. However, the largely secretive nature of its filtering regime, combined with the use of yet another US commercial filtering product, raises serious questions about accountability and respect for basic human rights for both Yemen itself and the company providing the filtering technology, Websense.

China Web Registration Regulation OpenNet Initiative Bulletin 11

The OpenNet Initiative has just released a new bulletin on China’s Web registration regulations. These new regulations add yet more threads to the country’s web of constraints on freedom of speech. By requiring citizens to register their blogs and websites, and shutting down the sites of those who do not comply, the Chinese authorities are effectively augmenting the already stifling climate of self-censorship and suspicion that exists for online communications in that country. By requiring website operators to register their personal information with the Ministry of Information Industry, these controls intimidate users of the Internet and allow the state to keep tabs on online content more effectively.

OpenNet Initiative Report on Internet Filtering in Tunisia

The OpenNet Initiative has released our report on Internet Filtering in Tunisia. The press release can be found here.

Here is the blurb:

Drawing on open sources and a detailed year-long technical investigation, ONI research describes Tunisia’s aggressive targeting and blocking of online content, including political opposition Web sites, human rights groups, and sites that provide access to privacy-enhancing technologies. ONI research reveals that Tunisia’s government Internet agency, ATI, uses SmartFilter, filtering software produced by Secure Computing, a US-based company, as the basis of its filtering regime. Since all of Tunisia’s ISPs operate through ATI, the system is difficult to circumvent. Moreover, Tunisia’s public policy on filtering is opaque at best. The state falsifies the information provided to users who try to reach filtered sites: rather than disclosing that a site is blocked, the error page returned claims the site is not accessible for technical reasons. In sum, Tunisia’s control over its citizens’ access to Internet content places it at odds with the goals of the World Summit on the Information Society.