The snooping dragon: social-malware surveillance of the Tibetan movement

History
• Chinese invasion in 1950
• Uprising in 1959: the Dalai Lama escaped
• OHHDL (Office of His Holiness the Dalai Lama)
• Diplomatic and foreign meetings, refugees
• IT: emails, web, forums, documents, database
• Secret contents

The attack
• Suspicion, and help from ONI-Asia
• Investigation found:
  • connections to the mail server from IPs in China and Hong Kong
  • suspicious file transfers
  • fraudulent emails with infected attachments

Assumed progression
• INFILTRATION: gathering social information (mail archives, forums)
• Social engineering: emails sent from monks to monks, with an attachment
• FULL ACCESS: installation of rootkits with support for file search, retrieve operations and keyloggers (HTTP-based transfers)

Social malware
• From social phishing
• Well-written email + well-designed malware
• Gathering social information
• Infiltration

Amateurs!!!
• 1st mistake: no operational security
  • no proxy, no anonymisers
  • direct connections from Xinjiang Province
• 2nd mistake: exposure

Analysis
• The attack was carried out by governmental entities, but possibly by a motivated individual
• Required skills: programming + social skills
• Today, good-quality malware is available on the Internet

Lamas or Llamas?
• Tibetan security model:
  • users trusted to work sensibly
  • sensitive files on the local filesystem
  • no separation of sensitive and risky activities
  • capable administrators

Countermeasures
• System of information classification
• Use of systems with solid MAC support (SELinux, Trusted Solaris, etc.)
• Operational security
• Red Team
• REALITY: expensive, with high administrative cost. Many companies will not adopt it.

Authors' predictions
• Firms will not change their security models
• Hackers adopting social malware will have lovely times in the next few years
• Social response to the threat will be slow
• Users will be advised to work sensitively, without exactly specifying how
• Avoiding redress: 'wicked' contract terms

Thank you for your attention
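The investigation described under "The attack" rested on three indicators: logins to the mail server from unexpected networks, unusual file transfers, and inbound mail carrying infected attachments. The following is an added example of how a defender can triage those three indicators from mail-server logs; it is not code from the paper or the slides. The log format, the "expected" address ranges (documentation networks), the attachment-type list and the transfer thresholds are all constructed for the illustration.

```python
"""Triage of mail-server logs for the three indicators named on the slides.
Added example; log format, networks and thresholds are constructed."""
import ipaddress
import os
import re
from collections import defaultdict

# Constructed: address ranges the organisation expects its users to log in from
# (RFC 5737 documentation networks stand in for the real office and VPN ranges).
EXPECTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),  # office
    ipaddress.ip_network("198.51.100.0/24"),  # VPN pool
]

# Constructed: attachment types with no business reason to arrive by mail.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".vbs", ".js"}

# Constructed log line shapes (one event per line).
LOGIN_RE = re.compile(r"^(?P<ts>\S+) imap login user=(?P<user>\S+) ip=(?P<ip>\S+)$")
XFER_RE = re.compile(
    r"^(?P<ts>\S+) webmail download user=(?P<user>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)$")
MAIL_RE = re.compile(
    r"^(?P<ts>\S+) smtp inbound to=(?P<user>\S+) from=(?P<sender>\S+) attachment=(?P<att>\S+)$")


def triage(lines, download_limit=5, bytes_limit=10_000_000):
    """Return (indicator, user, detail) findings for the given log lines.

    Login-source and attachment findings are emitted in log order; bulk-transfer
    findings are aggregated per user and emitted at the end.
    """
    findings = []
    downloads = defaultdict(lambda: [0, 0])  # user -> [file count, total bytes]
    for raw in lines:
        line = raw.strip()
        if (m := LOGIN_RE.match(line)):
            ip = ipaddress.ip_address(m["ip"])
            if not any(ip in net for net in EXPECTED_NETWORKS):
                findings.append(("unexpected-login-source", m["user"], m["ip"]))
        elif (m := XFER_RE.match(line)):
            entry = downloads[m["user"]]
            entry[0] += 1
            entry[1] += int(m["bytes"])
        elif (m := MAIL_RE.match(line)):
            ext = os.path.splitext(m["att"])[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(("risky-attachment", m["user"],
                                 f"{m['sender']} -> {m['att']}"))
    for user, (count, total) in downloads.items():
        if count > download_limit or total > bytes_limit:
            findings.append(("bulk-file-transfer", user, f"{count} files, {total} bytes"))
    return findings


# Constructed sample log: one normal login, one login from outside the expected
# ranges, six downloads by one user in a short window, and two inbound mails.
SAMPLE_LOG = [
    "2009-03-01T08:00:01 imap login user=tenzin ip=203.0.113.5",
    "2009-03-01T08:02:17 imap login user=tenzin ip=192.0.2.77",
    "2009-03-01T08:03:00 smtp inbound to=tenzin from=office@example.org attachment=agenda.pdf",
    "2009-03-01T08:03:40 smtp inbound to=tenzin from=friend@example.net attachment=invitation.exe",
] + [
    f"2009-03-01T08:05:{i:02d} webmail download user=tenzin file=doc{i}.doc bytes=1000"
    for i in range(6)
]


def sample_findings():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for indicator, user, detail in sample_findings():
        print(f"{indicator:24} {user:8} {detail}")
```

The rules are deliberately simple: a login source outside the expected ranges, a mail attachment whose type should never arrive, and a per-user download count or volume above a threshold. In a real deployment the thresholds would be tuned against a baseline, but the point is that each of the indicators the investigators relied on is cheap to check continuously rather than only after suspicion has been raised.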
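Two of the countermeasures above, a system of information classification and the use of systems with solid MAC support, address the weakness named under "Lamas or Llamas?": no separation of sensitive and risky activities. The following added example (not code from the paper or from SELinux or Trusted Solaris) models that separation with a small Bell-LaPadula style reference monitor: each process runs under a label, sensitive documents carry labels, and a read is allowed only when the subject's clearance dominates the object's label (no read up), while a write is allowed only when the object's label dominates the subject's (no write down). The levels, compartments, subjects and objects are constructed for the illustration.

```python
"""Classification labels with a no-read-up / no-write-down check.
Added example; levels, compartments and scenario are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if this label is at least as high and covers every compartment of other."""
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label


@dataclass(frozen=True)
class Obj:
    name: str
    label: Label


def decide(subject, op, obj):
    """Mediate a read or write; returns 'ALLOW' or 'DENY'."""
    if op == "read":
        allowed = subject.clearance.dominates(obj.label)   # no read up
    elif op == "write":
        allowed = obj.label.dominates(subject.clearance)   # no write down
    else:
        raise ValueError(f"unknown operation {op!r}")
    return "ALLOW" if allowed else "DENY"


# Constructed scenario. The risky activity (reading mail, opening attachments)
# runs as an INTERNAL-labelled session; sensitive work runs as a SECRET session
# with the OHHDL compartment; the network is an INTERNAL sink.
OHHDL = frozenset({"OHHDL"})
mail_session = Subject("mail-client", Label(Level.INTERNAL))
secret_session = Subject("document-editor", Label(Level.SECRET, OHHDL))
cleared_no_compartment = Subject("auditor", Label(Level.SECRET))

secret_doc = Obj("meeting-schedule.doc", Label(Level.SECRET, OHHDL))
network = Obj("http-out", Label(Level.INTERNAL))
public_note = Obj("press-release.txt", Label(Level.PUBLIC))


def run_scenario():
    """Return the decisions for the constructed requests."""
    requests = [
        (mail_session, "read", secret_doc),            # malware in the mail session reading the file
        (secret_session, "read", secret_doc),          # legitimate sensitive work
        (secret_session, "write", network),            # sensitive session pushing data to the network
        (mail_session, "write", network),              # mail session talking to the network
        (cleared_no_compartment, "read", secret_doc),  # right level, wrong compartment
        (secret_session, "read", public_note),         # reading down is fine
    ]
    return [(s.name, op, o.name, decide(s, op, o)) for s, op, o in requests]


if __name__ == "__main__":
    for subject, op, obj, verdict in run_scenario():
        print(f"{verdict:5} {subject} {op} {obj}")
```

The two denials that matter are the first and the third: a compromised mail session cannot read the sensitive document, and a process that has read sensitive material cannot write to the network sink. That is exactly the "separation of sensitive and risky activities" the slides say was missing, and it is enforced by the label check rather than by trusting users to work sensibly. The compartment denial shows why classification alone is not enough: clearance level and need-to-know are both part of the label. Real MAC systems such as SELinux express this with far richer policy, and the slide's "REALITY" point about administrative cost is about maintaining that policy.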