espionage 2.0
Thursday, June 4th, 2009 at 12:23 pm by Brian Ales
As we await the naming of our new “Cyber Czar,” it’s worth noting just what a jungle it is out there on the internet, and how much we need one.
While working in networking, I had the opportunity to see firsthand the level of garden-variety denial of service attacks a typical DNS server exposed to the public internet faces (DNS, in many ways the soft white underbelly of the internet, is discussed a bit here).
While impressive, though, my experience was limited to small business networks - imagine what it’s like when entire governments go at it: in 2008, the Department of Defense reported almost 360 million attempted attacks - that’s close to a million every day (up from ‘only’ about 6 million in 2006).
Here then, a short list of recent cyber-spying activity…
June 1, 2009, US: Turkish hackers breach US Army web servers, redirecting traffic to sites featuring anti-American and anti-Israeli statements.
Spring 2009, US: The Pentagon reveals that its $300 billion Joint Strike Fighter program was compromised in an attack originating from China; an unknown amount of data was downloaded (fortunately, the more sensitive data was safely stored on machines not exposed to the internet).
April 2009, worldwide: 1,295 computers in 103 countries are discovered to be infected by a sophisticated rootkit malware attack dubbed ‘Ghostnet,’ again originating from China.
November 6, 2008, US: Newsweek reports that several computers on the campaign office networks of both Obama and McCain were compromised during the summer; Trojan malware sent an unknown amount of data detailing candidate policy positions to a “foreign entity”. The FBI launches an investigation.
June 11, 2008, US: Virginia Representative (and longtime China human rights critic) Frank Wolf announces that four of his Capitol Hill PCs were compromised by malware which copied and transferred an unknown amount of data. The FBI announces that the attack originated from China and declines to comment further.
December 2007, UK: The Director-general of British intelligence agency MI5 sends a letter to 300 British companies warning that their networks are under attack. The announcement explicitly names “Chinese state organizations” as the source.
December 2007, US: With 37,000+ attempted attacks on both government and private networks reported for the year, US Congress is informed that Chinese espionage represents “the single greatest risk to the security of American technologies”. A new 40,000-person US Air Force unit is created to combat the problem.
September 24, 2007, US: The FBI announces that the Department of Homeland Security network had been attacked by malware originating from (and communicating with) China. Although the network was “unclassified”, an unknown amount of data was copied and transferred over the past 2 (!) years. IT contractor Unisys denies any fault; the FBI investigates.
August 27, 2007, Germany: While Chancellor Angela Merkel is on a state visit to China, German newsweekly Der Spiegel reports that “many” computers in her office (as well as those in several other ministries) were found to be infected with trojan malware communicating back to Chinese-registered URLs. A 160GB data transfer was stopped in progress; how much data was lost previously remains unknown. China denies involvement.
Whew. Nervous yet? The most common attack method used here is ‘trojan’ malware: software embedded into files of common Microsoft Office applications such as Word or PowerPoint. The file arrives as an attachment in an email “spoofed” to appear to come from a trustworthy source, and the malware executes when the user opens the file (under certain conditions malicious JavaScript can also launch exploits merely from the unsuspecting user visiting a malicious website, although browser and OS upgrades help prevent this).
How can it all be done so anonymously? What helps hide the actual source of these attacks is a technology called “Dynamic DNS”. The ‘real’ (internet-wide) DNS system is what allows human-readable names (like digitalmissive.com) to map to an actual IP address - and to geek out for a second here, it is a marvel of a distributed database (it’s really amazing how well it works). However, most non-enterprise ISPs don’t need to worry about their customers needing public hostnames, so they just maintain a pool of interchangeable IP addresses that they swap around to their customers as needed - meaning a given customer’s address is often changing. How then to publicly contact a computer (i.e. from the internet) whose address is non-static? Enter Dynamic DNS (because who doesn’t want to host a website from their home PC? …I kid). Anyway, think of Dynamic DNS as an additional independent layer of DNS – a private service out on the internet has a valid public name reserved for you, and a little piece of software on your PC (or your home router) regularly calls out to that service and says ‘hey, this is my IP address as of right now!’ Problem solved – but that additional layer is entirely private and uncontrolled, and so can be used in a ‘rogue’ fashion: a name stays constant while the address behind it hops around. Add to that China’s non-transparent approach to all things internet, and conditions are favorable for these anonymous attacks.
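As an added illustration (not code from the original post), here is a small check a network defender could run over DNS resolver logs to spot the Dynamic DNS pattern described above: names under dynamic-DNS provider zones, very short record TTLs, and a single name whose answer bounces between addresses. The provider suffix list and the log lines are constructed placeholders; a real deployment would substitute its own list and log format.

```python
"""Flag dynamic-DNS-style resolutions in a DNS resolver log (constructed example)."""
from collections import defaultdict

# Constructed placeholder zones standing in for dynamic-DNS providers (not real providers).
DYNDNS_SUFFIXES = ("dyn-example.net", "ddns-example.org")
SHORT_TTL = 300  # seconds; dynamic-DNS records keep TTLs small so address changes propagate fast

# Constructed log lines: "<time> <client> <queried-name> <answer-ip> <ttl>"
SAMPLE_LOG = """\
10:00:01 10.0.0.12 mail.corp-example.com 192.0.2.10 86400
10:05:44 10.0.0.12 update.host-a.dyn-example.net 198.51.100.7 60
10:20:09 10.0.0.12 update.host-a.dyn-example.net 203.0.113.99 60
10:31:15 10.0.0.25 www.corp-example.com 192.0.2.20 3600
10:42:51 10.0.0.25 cdn.fast-example.com 192.0.2.30 30
"""


def parse_log(text):
    """Turn one log line per resolution into a list of dicts."""
    records = []
    for line in text.splitlines():
        ts, client, name, ip, ttl = line.split()
        records.append({"ts": ts, "client": client, "name": name.lower(), "ip": ip, "ttl": int(ttl)})
    return records


def in_dyndns_zone(name):
    """True if the name is at or below one of the placeholder dynamic-DNS zones."""
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def flag_dynamic_dns(records):
    """Return {name: [reasons]} for names showing at least two dynamic-DNS signals.

    A single signal is deliberately not enough: short TTLs alone are normal for CDNs.
    """
    ips_seen = defaultdict(set)
    ttls_seen = defaultdict(list)
    for r in records:
        ips_seen[r["name"]].add(r["ip"])
        ttls_seen[r["name"]].append(r["ttl"])
    findings = {}
    for name in ips_seen:
        reasons = []
        if in_dyndns_zone(name):
            reasons.append("dynamic-DNS provider zone")
        if min(ttls_seen[name]) <= SHORT_TTL:
            reasons.append("short TTL (%ds)" % min(ttls_seen[name]))
        if len(ips_seen[name]) > 1:
            reasons.append("answer changed across %d addresses" % len(ips_seen[name]))
        if len(reasons) >= 2:
            findings[name] = reasons
    return findings
```

On the sample log only the dyn-example.net host is flagged; the CDN name with a 30-second TTL is left alone because it shows just one signal.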
Rightly, we know little of the highly classified political and technical goings-on to address the issue – I just have to assume that it’s on the good guys’ radar and that they’re on it, even if it’s not quite on the general public’s radar yet. Something called ‘Reverse DNS’ (looking up which name an address claims to belong to, and checking it against the forward record) can help a lot, and I’m sure Microsoft is continuing to tighten up the security of the Office file formats (although there are serious legacy-compatibility issues there) - so we’ll see.
Apologies if this is all a little upsetting - my next post will be on the new colors the iPod Nano comes in.
Tags: cyber czar, democracy, digital civics, email, ghostnet, internet, obama, politics
