China To Track Your Real Time Location Via Your Cell Phone

Posted in big brother, China on March 7th, 2011

The Chinese government has announced plans to track the real-time location of all cell phones in the city of Beijing, purportedly to ease traffic problems that have plagued the city. Human rights activists have expressed concerns that this plan may well be the newest attempt by the Chinese government to surveil its citizenry against any attempted uprising. As Wang Songlian of the Chinese Human Rights Defenders network told the Guardian:

For ordinary people, the government is worried about social unrest. Often there’s a spark somewhere and everyone gathers and puts out information. By registering people and tracking them, it enables them to find out about particular protests and punish individuals.

Location privacy is an endangered concept. As technology evolves, many networked devices are becoming increasingly portable and affordable — and increasingly sharing one’s real-time location data without the user’s explicit knowledge or consent. The threats to location privacy in the era of the smart phone are multifarious, including applications that leak private data and obsolete laws that fail to protect civil liberties. As the situation in China demonstrates, modern smart phones may also act as a mechanism for governments to vacuum up data on citizens who might protest authoritarian regimes. While EFF continues to champion cell phone location privacy in U.S. courts and on the Hill, the fundamental privacy conundrum posed by modern cell phones is that they cannot function properly without simultaneously exposing locational information.

This means that Beijing citizens have few choices when it comes to protecting their location privacy from the government, an especially problematic scenario considering China passed a law last year mandating that people register their cell phones in their real names. Currently, the only solution for true location privacy, whether in China or anywhere else, is turning off the mobile phone and removing the battery. Unfortunately, there’s no feasible and easily achievable consumer-facing software or hardware anywhere that can effectively circumvent location tracking while leaving modern smart phones functional.

There are, however, some hacktivists and academics beginning to explore creative solutions to this problem. Among the ideas being circulated is the possibility of “mobile mesh network” connectivity – having cell phones connect directly to one another, rather than routing signals through cell phone towers. While there may be other security concerns around mesh networking, such communication methods hold promise for maintaining communications in “Internet blackout” scenarios such as those seen recently in Egypt and Libya. We look forward to future developments in this arena.

Source: Electronic Freedom Foundation


Canadian Researchers Uncover Online Chinese Spy Ring

Posted in China, espionage on April 6th, 2010

Canadian researchers have uncovered a vast “Shadow Network” of online espionage based in China that used seemingly harmless means such as e-mail and Twitter to extract highly sensitive data from computers around the world.

Stolen documents recovered in a year-long investigation show the hackers have breached the servers of dozens of countries and organizations, taking everything from top-secret files on missile systems in India to confidential visa applications, including those of Canadians travelling abroad.

The findings, which are part of a report that will be made public today in Toronto, will expose one of the biggest online spy rings ever cracked. Written by researchers at the University of Toronto’s Munk Centre for International Studies, the Ottawa-based security firm SecDev Group and a U.S. cyber sleuthing organization known as the Shadowserver Foundation, the report is expected to be controversial.

The researchers have found a global network of “botnets,” computers controlled remotely and made to report to servers in China. Along with those servers, the investigators located where the hackers stashed their stolen files, allowing a glimpse into what the spy ring is looking for.

“Essentially we went behind the backs of the attackers and picked their pockets,” said Ron Deibert, director of the Citizen Lab at the Munk School of Global Affairs, which investigated the spy ring.

The report, titled Shadows in the Cloud, comes one year after the same team discovered a spy ring with links to China that it dubbed GhostNet. Using information gleaned from that investigation, investigators followed a trail of websites that led to a much larger operation, also with links to China.

The report is careful not to conclude the Chinese government is behind the operation, since it is difficult to tell who is orchestrating the attacks. Last year, the Chinese government denied any involvement in GhostNet after the researchers uncovered nearly 1,300 infected computers in 103 countries linked to servers in China.

But computers belonging to the exiled Tibetan leader, the Dalai Lama, who is denounced by China, have been the most compromised.

Almost every e-mail sent to or from the Dalai Lama’s offices in 2009 has shown up in the files, the report says. Nearby India has also taken the brunt of the cyber attacks, with numerous secret government documents recovered by the Canadian researchers. They include 78 documents related to the financing of military projects in India, details of live fire exercises and missile projects, and two documents marked “secret” belonging to the national security council.

Sensitive data from 16 countries, such as visa applications by Canadian citizens, were also recovered. It is believed the hackers accessed those files through computers at India’s embassies in Kabul, Dubai, Nigeria and Moscow, which were corrupted.

Rafal Rohozinski, a principal of the SecDev Group and a principal investigator and co-author of the report, said such a collection of sensitive information represents a new era in online spying. A decade ago, hackers generally looked for quick paydays – for example, by blocking access to a gambling site and demanding a ransom. But the Shadow Network operation exposes much bigger game: information that, if it isn’t being collected by governments, could be sold to the state.

“It’s like the world of art theft, where you steal things that have a very high value, so long as you can find a buyer,” Mr. Rohozinski said.

“So the question of course is, who’s the buyer? Is the buyer paying the thief to go after this stuff, or is the thief doing it themselves because they know they can find a buyer? That’s one of those things that we don’t really have a good answer for.”

A small number of computers at the University of Western Ontario were also found to be connected to the network, and potentially used to surrender files, although it is not clear how they were affected. Similarly, computers at New York University and Kaunas University of Technology in Lithuania were also linked to the infected network.

The Shadow Network structure was ingenious for its simplicity. Command servers, which are used to issue instructions to computers – such as “send me all of your documents” – connected to victims through a variety of seemingly innocent networks such as Google groups, Yahoo e-mail and Twitter accounts. Those intermediaries were used to relay links or files to a recipient in a target organization. Once the user clicks on the link or opens an attachment in an infected e-mail, the computer relays a beacon to the command server, which instructs it to start sending files to a dump zone.

The revelations are a warning to governments, Mr. Deibert said, since countries are only as strong as their weakest link in a global data network. So while files may be safe in paper form in a locked cabinet, as soon as nations begin exchanging data electronically, cracks can be exploited, as they appear to have been with India.

“Unfortunately, Canada has no cyber security strategy, although one’s been promised for many years,” Mr. Deibert said. “We have no foreign policy for cyberspace either, which is mind boggling, considering how important this domain is for us.”

Source: The Globe and Mail


Attacks On US Electrical Grid Being Taught At Chinese University

Posted in China, cyber war on March 21st, 2010

It came as a surprise this month to Wang Jianwei, a graduate engineering student in Liaoning, China, that he had been described as a potential cyberwarrior before the United States Congress.

Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10 that it should be concerned because “Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S.”

When reached by telephone, Mr. Wang said he and his professor had indeed published “Cascade-Based Attack Vulnerability on the U.S. Power Grid” in an international journal called Safety Science last spring. But Mr. Wang said he had simply been trying to find ways to enhance the stability of power grids by exploring potential vulnerabilities.

“We usually say ‘attack’ so you can see what would happen,” he said. “My emphasis is on how you can protect this. My goal is to find a solution to make the network safer and better protected.” And independent American scientists who read his paper said it was true: Mr. Wang’s work was a conventional technical exercise that in no way could be used to take down a power grid.

The difference between Mr. Wang’s explanation and Mr. Wortzel’s conclusion is of more than academic interest. It shows that in an atmosphere already charged with hostility between the United States and China over cybersecurity issues, including large-scale attacks on computer networks, even a misunderstanding has the potential to escalate tension and set off an overreaction.

“Already people are interpreting this as demonstrating some kind of interest that China would have in disrupting the U.S. power grid,” said Nart Villeneuve, a researcher with the SecDev Group, an Ottawa-based cybersecurity research and consulting group. “Once you start interpreting every move that a country makes as hostile, it builds paranoia into the system.”

Mr. Wortzel’s presentation at the House hearing got a particularly strong reaction from Representative Ed Royce, Republican of California, who called the flagging of the Wang paper “one thing I think jumps out to all of these Californians here today, or should.”

He was alluding to concerns that arose in 2001 when The Los Angeles Times reported that intrusions into the network that controlled the electrical grid were traced to someone in Guangdong Province, China. Later reports of other attacks often included allegations that the break-ins were orchestrated by the Chinese, although no proof has been produced.

In an interview last week about the Wang paper and his testimony, Mr. Wortzel said that the intention of these particular researchers almost did not matter.

“My point is that now that vulnerability is out there all over China for anybody to take advantage of,” he said.

But specialists in the field of network science, which explores the stability of networks like power grids and the Internet, said that was not the case.

“Neither the authors of this article, nor any other prior article, has had information on the identity of the power grid components represented as nodes of the network,” Reka Albert, a University of Pennsylvania physicist who has conducted similar studies, said in an e-mail interview. “Thus no practical scenarios of an attack on the real power grid can be derived from such work.”

Read the rest of the story at: Academic Paper in China Sets Off Alarms in U.S. (NY Times)
