It’s China! It’s Israel! It’s…

Pick your favorite bogeyman. The latest outsider attack is probably their fault…

My presentation at BSidesSF this year tried to make the argument that attribution is harder than ever online. Attackers make extensive use of proxies and remote control, so it can be very difficult to trace all the points back to an actual person…and even if you do, they may only be one of a thousand mules following instructions. It was gratifying to hear General Alexander at the RSA keynote on February 17th after my presentation admit to his audience “We don’t have situational awareness”.

I could go into the complicated philosophy of why attribution is a double-edged sword (e.g. users on the Internet do not want to sacrifice their privacy) or go into the long history of technical issues with attribution (e.g. smurfing), but instead I just want to point out the two most recent spectacular attribution failures.

First, WordPress suffered a denial of service attack that came from systems in China. I asked my audience at BSidesSF “how many people in the audience use products made in China” and the entire room raised their hand. Granted, there were only three people in the room (jk), but my point is that “it came from China” should be immediately discounted as a strong attribution link. If a weapon found after an attack has “from China” stamped on it, investigators should not jump to the conclusion that the attacker therefore must also be from China. Even worse is to super-impose Chinese state motives onto a suspected Chinese attacker, all because the weapon is “from China”.

WordPress said last week the attacks might have been politically motivated and aimed at an unnamed Chinese-language blog, but it no longer has that view.

“Don’t think it’s politically motivated anymore,” WordPress Founder Matt Mullenweg said in an e-mail to IDG News Service. “However the attacks did originate in China.”

Mullenweg did not elaborate on the change in view or offer details on the source of the attacks.

I had tried to warn against this in my Operation Sloppy Night Dragon post.

Second, I have a lot of respect for Ralph Langner who has been credited with exposing the details of the Stuxnet attack. When I listened to his recent interview he made points like Stuxnet was very basic because it did not need to be complex and Stuxnet was directed at Natanz, never at Busheir. Why did he say at first it was probably directed at Busheir? In the interview he said it was because he assumed that would be a target of Mossad…in other words, his bias on international politics overshadowed his analysis of the facts. He recently reiterated it was the Mossad.

“My opinion is that the Mossad is involved,” Ralph Langner said while discussing his in-depth Stuxnet analysis at a prestigious TED conference in the Southern California city of Long Beach.

We should not lose sight of the fact that he already has admitted he made one serious mistake because he believed Mossad was to blame before his investigation started. The Mossad certainly has a lot of people spooked, but every suspicious bird and rock is not necessarily their handiwork.

Every piece of dog poop you see, on the other hand, should in fact be attributed to the CIA.

I appreciate Langner’s honest, clear and open style; yet it seems when he switches to geopolitical analysis he overlooks important data points like the significance of Pakistan and German intelligence operations.

Note the recent mass exodus of US special forces and operatives from Pakistan after the arrest of Davis. The US denies he was anything more than a diplomat, but let’s face the fact that a fight with Afghans and Iranians makes Pakistan a really good proxy. The British certainly made this point when they told the CIA under Tenet that Iran was stealing nuclear secrets from Pakistan. Without the Davis incident (he killed two motorcyclists that probably were trying to assassinate him) we would have far less data on how Pakistani operations might be attributed back to American objectives. Instead an exodus of US operatives now is suggested by some to be related to the drop in US drone attacks in Afghanistan (e.g. disruption of intelligence channels); it probably also is impacting other Pakistan-originated operations that could affect Iran (e.g. Stuxnet).

While there is a case to be made that Pakistan has been a proxy to US and Israeli objectives, that is far from achieving attribution. Maybe Britain was acting on its own, with the support of Germany, on behalf of the US. Time will tell and probably reveal a more complicated picture than we might believe today; and that is just for the physical world. Take for example the overthrow of Iran’s Mossadegh in 1953. It served British objectives, but today we know it was an American-led operation masked to look like an insider revolt against nationalism, despite the fact that the prior year Iran’s nationalist movement fit American interests. Attribution of crowd events was hard. Attribution of Internet crowd events is even harder.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.