- Michelle Blanc, M.Sc. in e-commerce. Internet marketing, consultant, speaker, author. 18 years of experience - https://www.michelleblanc.com -

Cyberespionage, security, identity theft, Web 2.0 and witch hunts


Today saw the release of SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0 [2], a joint report by the Information Warfare Monitor [3] and the Shadowserver Foundation [4]. This report brings to light espionage tactics in the Web 2.0 era. It is essential reading, and it clearly illustrates the need for education and for putting proper IT security policies in place. Its conclusion is also enlightening as to the need to establish clear and effective security policies and practices:

Finally, a major implication of the findings of Shadows in the Cloud relates to the evolution towards cloud computing, social networking and peer-to-peer networking technologies that characterize much of the global networked society today. These new modes of information storage and communication carry with them many conveniences and so now are fully integrated into personal life, business, government and social organization. But as shown in the Shadow investigation, these new platforms are also being used as vectors of malware propagation and command and control (Office of Privacy Commissioner of Canada 2010).

It is often said that dark clouds carry with them silver linings, but in this case the clouds contain within them a dark hidden core. As we document above, blog hosting sites, social networking forums and mail groups were turned into support structures and command and control systems for a malignant enterprise. The very same characteristics of those social networking and cloud platforms which make them so attractive to the legitimate user — reliability, distribution, redundancy and so forth — were what attracted our attackers to them in setting up their network. Clouds provide criminals and espionage networks with convenient cover, tiered defences, redundancy, cheap hosting and conveniently distributed command and control architectures. They also provide a stealthy and very powerful mode of infiltrating targets who have become accustomed to clicking on links and opening PDFs and other documents as naturally as opening an office door. What is required now is a much greater reflection on what it will take, in terms of personal computing, corporate responsibility and government policy, to acculturate a greater sensibility around cloud security.

On the Infowar Monitor site, one can read a comment that particularly speaks to me [5]:

Is the cyber threat overblown?

Am I the only person — well, besides Glenn Greenwald and Kevin Poulson — who thinks the “cyber-warfare” business may be overblown? It’s clear the U.S. national security establishment is paying a lot more attention to the issue, and colleagues of mine — including some pretty serious and level-headed people — are increasingly worried by the danger of some sort of “cyber-Katrina.” I don’t dismiss it entirely, but this sure looks to me like a classic opportunity for threat-inflation.

Mind you, I’m not saying that there aren’t a lot of shenanigans going on in cyber-space, or that various forms of cyber-warfare don’t have military potential. So I’m not arguing for complete head-in-the-sand complacency. But here’s what makes me worry that the threat is being overstated.

Every new technology becomes a possible entry point for cyberspies. The easiest door to use has always been, and will remain, the human one rather than the machine's. It is the users themselves who represent the greatest risk. That is as old as the world and will remain so for the foreseeable future. Having worked at Bell Canada, I am aware of the intrusion risks that modern telephone systems posed. Having also gone through officer training during my time at the Collège Militaire Royal de St-Jean, in our geostrategy and military history courses we discussed the concept of the sword and the shield. Roughly, this concept says that for every sword that is developed, a shield can be developed to counter it, and vice versa. This sword-versus-shield struggle has therefore been unceasing since the dawn of time and is very likely to continue. Understand clearly that the security debate is essential, but it also tends to degenerate easily and to create false fears which, precisely, serve to keep the security and paranoia industry alive, namely that of the ISIQ, which I have discussed here many times [6], and that of Web 2.0 bashing and the identity-theft bubble. The latest figures from PhoneBusters [7] speak of a steady decline in identity theft in Canada and, as I have repeated many times, identity theft is not a Web problem, since 70% of cases happen through your recycling, your garbage, over the telephone and in your mailbox [8].

A lot of nonsense has been said today about Twitter and the other Web 2.0 technologies cited in this report [2]. I would just like to repeat here what is written in black and white in that same report:

The attackers’ command and control infrastructure consists of three interrelated components. The first component consists of intermediaries that simply contain links, which can be updated, to command and control servers. During our investigation we found that such intermediaries included Twitter, Google Groups, Blogspot, Baidu Blogs, and blog.com. The attackers also used Yahoo! Mail accounts as a command and control component in order to send new malicious binaries to compromised computers. On at least one occasion the attackers also used Google Pages to host malware. To be clear, the attackers were misusing these systems, not exploiting any vulnerability in these platforms. In total, we found three Twitter accounts, five Yahoo! Mail accounts, twelve Google Groups, eight Blogspot blogs, nine Baidu blogs, one Google Sites and sixteen blogs on blog.com that were being used as part of the attacker’s infrastructure. The attackers simply created accounts on these services and used them as a mechanism to update compromised computers with new command and control server information. Even a vigilant network administrator looking for rogue connections exiting the network may overlook such connections as they are routine and generally considered to be safe web sites. The use of social networking platforms, blogs and other services offered by trusted companies allows the attackers to maintain control of compromised computers even if direct connections to the command and control servers are blocked at the firewall level. The compromised computers can simply be updated through these unblocked intermediaries to point to a new, as yet unknown, control server.
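As an added illustration (not part of the report or of this post), here is a small Python detection heuristic built around the pattern the report describes: a compromised machine pulls an updated pointer from a trusted blog or social platform and then, shortly afterwards, opens a connection to a destination the network has never seen. The proxy-log format, the ten-minute window and the sample lines are constructed assumptions for this example.

```python
"""Flag clients that contact a never-before-seen external destination shortly
after fetching content from a 'trusted intermediary' site of the kind the
report lists.  Added example; log format and thresholds are constructed."""
from datetime import datetime, timedelta

# Intermediary services named in the report; matched by exact host or suffix.
INTERMEDIARY_SUFFIXES = ("twitter.com", "groups.google.com", "blogspot.com",
                         "hi.baidu.com", "blog.com", "mail.yahoo.com",
                         "sites.google.com")
WINDOW = timedelta(minutes=10)  # assumed correlation window


def is_intermediary(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in INTERMEDIARY_SUFFIXES)


def parse_line(line):
    # Constructed proxy-log format: "<ISO timestamp> <client> <destination host>"
    ts, client, dest = line.split()
    return datetime.fromisoformat(ts), client, dest


def find_rotations(lines, known_destinations):
    """Return (client, intermediary, new_destination) tuples for each client
    that reached an unseen destination within WINDOW of an intermediary visit.
    The baseline grows as it runs, so each new destination fires only once."""
    known = set(known_destinations)
    last_intermediary = {}  # client -> (timestamp, intermediary host)
    alerts = []
    for line in lines:
        ts, client, dest = parse_line(line)
        if is_intermediary(dest):
            last_intermediary[client] = (ts, dest)
            continue
        if dest not in known:
            seen = last_intermediary.get(client)
            if seen and ts - seen[0] <= WINDOW:
                alerts.append((client, seen[1], dest))
            known.add(dest)
    return alerts


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2010-04-06T09:00:00 10.0.0.5 www.example.org",
    "2010-04-06T09:01:10 10.0.0.5 twitter.com",
    "2010-04-06T09:03:00 10.0.0.5 203.0.113.42",
    "2010-04-06T09:04:00 10.0.0.7 groups.google.com",
    "2010-04-06T09:30:00 10.0.0.7 198.51.100.9",
]
BASELINE = {"www.example.org"}  # destinations already known on this network

if __name__ == "__main__":
    for client, via, dest in find_rotations(SAMPLE_LOG, BASELINE):
        print(f"{client}: new destination {dest} shortly after visiting {via}")
```

The second client is not flagged because its new destination comes 26 minutes after the intermediary visit, which shows why the window must be tuned to the beaconing interval actually observed rather than fixed once.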