News

Commentary: Cyber-spies should make IT Pros pause for thought

Patrick Gray

We all know it's happening, and now the Financial Times has apparently confirmed it. The cyber war games have begun.

The Chinese military has successfully hacked unclassified US government computers serving defence chief Robert Gates after months of effort, the newspaper claims.

The newspaper did not say what led its anonymous Pentagon sources to lay blame on the Chinese People's Liberation Army, but recent reports in Germany suggest the detection of Chinese-made Trojan software on government systems is a shared experience.

The Chinese government is, of course, denying the claims, describing them as "absurd".

For its part, the German government has been discussing developing its very own Trojan for use in anti-terror investigations. It's a noble aim, but it's also a sad statement on operating system security.

We should live in a world where OS security is sufficient to render the development of software that can stealthily install itself on a target machine futile. In the USA, the FBI and Drug Enforcement Administration (DEA) have already acknowledged using such Trojans with court approval.

Now it's gone political.

While it's easy to point the finger at China and condemn the country for its alleged modern-day border incursions, it would be naive in the extreme to assume Western nations are not engaged in identical behaviour.

You can bet your bottom dollar the IP address of Iranian President Mahmoud Ahmadinejad's computer network is pinned to a wall with a little red "x" over it deep inside a windowless US government building.

This story sounds like it's only of relevance to policymakers in Canberra. It's not. Politicians are not frontline soldiers in this war, you are.

We've known for some time that 0day vulnerabilities are a reality. With governments now involved, we can safely say that various nation states have researched and catalogued scores of them.

That makes defence in depth - and the detection of successful network penetration and exploitation - extremely important.

Whether you're running a network of classified systems or a civilian SCADA process control system, the game just got more interesting. Without solid detection capabilities and an appropriately segmented network, your systems could be the first casualties in this new breed of military strike.

Host-based detection, in particular, will play a crucial role in the defence of sensitive networks in both the public and private sector.

The problem is host-based detection is currently quite unreliable. Last year Joanna Rutkowska, a malware researcher at Singapore-based IT security firm COSEINC, demonstrated her "Blue Pill" concept - malware that installs itself as a hypervisor; a lightweight virtualisation layer that completely subverts the operating system and any chance of detecting it.

Microsoft even developed its own Blue Pill, the SubVirt Trojan, in conjunction with University of Michigan researchers in March, 2006. (Click here for the paper [PDF].)

It's like VMWare, but... pure evil.

Technologies like Intel's vPro, which will allow virtualised security software to run parallel to an operating system instead of on top of it, show some promise, but they are untested and some say conceptually flawed.

So back to defence in depth it is. Be paranoid, lock everything down, think in layers. As it turns out, your data centre could be a new battleground.