[Infowarrior] - 'Hacktivists' Update Their Mission

Richard Forno rforno at infowarrior.org
Wed Aug 27 01:28:42 UTC 2008


A New Breed of Hackers Tracks Online Acts of War
'Hacktivists' Update Their Mission

By Kim Hart
Washington Post Staff Writer
Wednesday, August 27, 2008; D01

http://www.washingtonpost.com/wp-dyn/content/article/2008/08/26/AR2008082603128_pf.html

TORONTO -- Here in the Citizen Lab at the University of Toronto, a new  
breed of hackers is conducting digital espionage.

They are among a growing number of investigators who spend their time  
monitoring how traffic is routed through various countries, where Web  
sites are blocked there and why it's all happening. Now they are  
turning their scrutiny to a new weapon of international warfare: cyber  
attacks.

Tracking wars isn't what many of the researchers, who call themselves  
"hacktivists," set out to do. Many began intending to help residents  
in countries that censor online content. But as the Internet has  
evolved, so has their mission.

Ronald J. Deibert, director of the Citizen Lab, calls the organization  
a "global civil society counterintelligence agency" and refers to the  
lab as the "NSA of operations."

Their efforts have ramped up in the past year as researchers gather  
evidence that Internet assaults are playing a larger role in military  
strategy and political struggles. Even before Georgia and Russia  
entered a ground war earlier this month, Citizen Lab's researchers  
noticed sporadic attacks aimed at several Georgian Web sites. Such  
attacks are especially threatening to countries that increasingly link  
critical activities such as banking and transportation to the Internet.

Once the fighting began, massive raids on Georgia's Internet  
infrastructure were deployed using techniques similar to those used by  
Russian criminal organizations. Then, attacks seemed to come from  
individuals who found online instructions for launching their own  
assaults, shutting down much of Georgia's communication system.

Now, two weeks later, the researchers are still trying to trace the  
origins of the attacks, but they are difficult to decipher. "These  
attacks in effect had the same effect that a military attack would  
have," said Rafal Rohozinski, who co-founded the Information Warfare  
Monitor, which tracks cyber attacks, with Citizen Lab in 2003. "That  
suddenly means that in cyberspace anyone can build an A-bomb."

The cyber attacks that disabled many Georgian and Russian Web sites  
earlier this month marked the first time such an assault coincided  
with physical fighting. And the digital battlefield will likely become  
a permanent front in modern warfare, Deibert said.

Seven years ago, Deibert opened the Citizen Lab using grant money from  
the Ford Foundation. Soon after, he and Rohozinski helped begin the  
OpenNet Initiative, a collaboration with Harvard's Law School, and  
Cambridge and Oxford universities, which tracks patterns of Internet  
censorship in countries that use filters, such as China. The project  
has received an additional $3 million in funding from the MacArthur  
Foundation. Deibert and Rohozinski also launched the Information  
Warfare Monitor to investigate how the Internet is used by state  
military and political operations. And Citizen Lab researchers have  
created a software tool called Psiphon that helps users bypass  
Internet filters.

The combined projects have about 100 researchers in more than 70  
countries mapping Web traffic and testing access to thousands of sites.

A number of companies specialize in cyber security, and several  
nonprofit organizations have formed cyber-surveillance projects to  
keep international vigil over the Web. Shadowserver.org, for example,  
is a group of 10 volunteer researchers who post their findings about  
cyber attacks online.

The small Toronto office of Citizen Lab serves as the technological  
backbone for the operations. World maps and newspaper clips cover the  
walls. Researchers move between multiple computer screens, studying  
lists of codes with results from field tests in Germany, Cambodia,  
Iran and Venezuela, to name a few.

"We rely on local experts to help us find out why a particular site is  
being blocked," Deibert said. It could be a problem with the Internet  
service provider, a temporary connection glitch or a downed server.  
"But what's more effective is blasting a site into oblivion when it is  
strategically important. It's becoming a real arms race."

He's referring to "denial of service" attacks, in which hundreds of  
computers in a network, or "botnets," simultaneously bombard a Web  
site with millions of requests, overwhelming and crashing the server.  
In Georgia, such attacks were strong enough to knock key sources of  
news and information offline for days.

And Georgian Internet service providers also limited access to Russian  
media outlets, cutting off the only remaining updates about the war.  
On the night of Aug. 12 -- the height of the fighting -- "there was  
panic in Tbilisi brought about by a vacuum of information," Rohozinski  
said.

Shadowserver saw the first denial of service attack against Georgia's  
presidential Web site on July 20. When the fighting began, Andre M. Di  
Mino, Shadowserver's founder, counted at least six botnets launching  
attacks, but it was "difficult to tell if it was a grass-roots effort  
or one commissioned by the government."

The organization detects between 30 and 50 denial of service attacks  
every day around the world, and Di Mino said they have become more  
sophisticated over the past two years.

"It really went from almost a kiddie type of thing to where it's an  
organized enterprise," he said. But he's hesitant to label this  
month's attacks as a form of cyberwar, although he expects networks to  
play an expanded role in political clashes.

Jose Nazario, a security researcher with Arbor Networks, said cyber  
attacks used to target a computer's operating system. But he's seen a  
"tremendous rise" in attacks on Web browsers, allowing attackers  
access to much more personal information, such as which sites a person  
visits frequently. An attacker then could learn which servers to  
target in order to disrupt communication.

It's unclear who is behind the attacks, however. In some cases, the  
locations of botnet controllers can be traced, but it's impossible to  
know if an attacker is working on the behalf of another organization  
or government. "It's going to take a year to figure this out," Nazario  
said.

The data trail often goes cold when it crosses borders because there  
is little legal framework for such investigations. And many countries  
are still weighing whether a cyber attack is an act of war.

"If a state brings down the Internet intentionally, another state  
could very well consider that a hostile act," said Jonathan Zittrain,  
co-founder of Harvard's Berkman Center for Internet & Society, and a  
principal investigator for the OpenNet Initiative.

There are also strategic reasons not to disrupt networks in order to  
monitor the enemy's conversations, or to spread misinformation.

"That's an amazing intelligence opportunity," he said.

Using the Internet to control information can be more important than  
disrupting the networks when it comes to military strategy, Rohozinski  
said. In Georgia, for example, the lack of access to both Georgian and  
Russian sources of information kept citizens in the dark while the  
fighting continued.

"Sometimes the objective is not to knock out the infrastructure but to  
undermine the will of the people you're fighting against," he said.  
"It's about the nuts and bolts, but it's also about how perceptions  
can be shaped through what's available and what's not."

