Why Mozilla should join the CryptoParty
by Glyn Moody
Invoking the spectre of "cyberwarfare" is one of the standard ploys adopted by politicians anxious to push through bad internet legislation without too much scrutiny. But even if it's an exaggeration to claim such "cyberwarfare" is being waged – although a truly daft proposal from the Dutch government seems likely to spark it – it's certainly true that attacks across the internet are becoming disturbingly common.
Some of those are little more than an updated form of breaking into a company and stealing its money and/or secrets. Any CIO worth his or her salt should be securing the company's network against such break-ins as a matter of course. More problematic are attacks on individuals who don't have big IT departments to support them. Here's one recent example of what's going on:
A malware campaign targeting activists at pro-Tibet organisations could be the work of the same Chinese group behind a major attack on the chemical industry last year, researchers from AlienVault have suggested.
The new attack uses a malicious Word attachment sent by email to organisations including the Central Tibet Administration and International Campaign for Tibet using English-language subject lines promoting a Tibetan religious festival.
This attachment attempts to exploit a relatively old Microsoft vulnerability (CVE-2010-3333), to launch GhostNet’s Gh0st RAT Trojan, normally designed to steal data or even record sound files via a PC’s microphone. It is also capable of performing realtime surveillance on an infected machine.
In that case, it's not clear what harm has been caused by the infection, but given China's record in Tibet, you have to worry that people will have been put at serious risk. In the following case, we do know what some of the consequences were:
On a Monday in July, Ahmed Mansoor sat in his study in Dubai and made the mistake of clicking on a Microsoft Word attachment that arrived in an email, labelled “very important” in Arabic, from a sender he thought he recognised.
With that click, the pro-democracy activist unwittingly downloaded spyware that seized on a flaw in the Microsoft Corp. (MSFT) program to take over his computer and record every keystroke. The hackers infiltrated his digital life so deeply they still accessed his personal email even after he changed his password.
Since then, Mansoor, 42, an electrical engineer and father of four, says he has suffered two beatings by thugs in September during his campaign for citizens’ civil rights in the Persian Gulf federation of the United Arab Emirates.
It will not have escaped your attention that both attacks were made possible thanks to two elements: the carelessness of users who clicked on items of dubious provenance, and the vulnerabilities in Microsoft products. There's not much that can be done about the former – such is human nature – but moving to a GNU/Linux system could greatly reduce a user's vulnerability. That's not to say there are no exploitable holes in open source, simply that there are fewer of them that people have been able to exploit.
One reason for that is because the code is open for inspection by all. Again, that doesn't guarantee that it will be inspected, or that vulnerabilities will be found, but at least it makes both more likely. Over a decade ago, Bruce Schneier put it like this:
As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice.
Next: Open source and protecting privacy