Has the U.S. government been caught with its virtual hands in the world's cookie jar? And might it lose control of the Internet as a consequence?

If you were among the forces on the planet wanting to wrest control of the Internet from the U.S.-friendly agencies that manage it, that's the story you'd surely want to tell. 

But things are rarely what they seem.  The barrage of Flame news – including word that Flame and Stuxnet appear to have common authorship -- should not be viewed in a vacuum.

---

A group of nations led by China, Russia and several Middle Eastern countries would love to see the end of U.S. dominance over the operational control of the Internet, and these nations think they have found their vehicle for accomplishing that: A U.N. body called the International Telecommunications Union.

 

The organization, which manages international telephony agreements, will meet in Dubai in December and attempt to extend its charter to take operational control of the Internet away from the U.S.-dominated nonprofit International Corporation for Assigned Names and Numbers, or ICANN. 

Even as news of Flame first hit, an ITU working group was meeting in Geneva to finalize the agenda for the Dubai meeting. At almost the same time, there was a hearing in an obscure congressional subcommittee where experts rang alarm bells about an ITU coup.

The argument that the U.S. should not be in a position of power as far as overseeing the Internet will be bolstered by a world set aflame by news that the U.S. may have exploited its technological advantage to attack sovereign nations with Flame and Stuxnet.

Some technology experts say the Dubai meeting could very well decide the direction of the world's most valuable resource - information - for the rest of the 21st century:   The future of Internet anonymity, free speech and perhaps freedom itself could be at stake.

"I think there is a political story that is being missed here," said Chris Bronk, a former State Department official who worked in that agency’s Office of eDiplomacy and is now a professor at Rice University. "There's much more to this. … Stuxnet was better than bombs in the short run, but this could hurt the U.S. down the road.”

Conspiracy theorists -- including several interviewed for this story who requested that their comments remain off the record -- point out that the world learned about Flame from a Moscow-based antivirus company (Kaspersky Labs), and the ITU chose Flame as the subject of its first-ever international cyber-warning, claiming for the first time an important role in cybersecurity affairs.  They see the grand publicity surrounding Flame as little more than a power grab by the ITU in advance of the Dubai meeting, dubbed the World Conference on International Telecommunications (WCIT).

“If you want to be cynical, this is definitely a play by an international group to try to gain control over arguably the world’s most valuable resource,” said Paul Rohmeyer, a Stevens Institute of Technology professor who specializes in cybersecurity and international issues, and one of the few members of the conspiracy camp willing to connect the dots publicly.

But you don't have to draw such a direct connection to see the relationship between Flame and ITU's desire to find and flex new power. Kaspersky Labs, the Russian firm that continues to publish the most informative details about Flame, has a solid reputation in the security research world, and there’s no reason to believe it is acting on behalf of Russian national interests. Still, it's impossible not to view Flame -- and recent revelations about Stuxnet -- without understanding the diplomatic backdrop.

“If I were advising Russia, I would be all over the place waving these stories around,” said Eneken Tikk, formerly the legal and policy advisor for NATOs Cooperative Cyber Defense Centre in Estonia.  “It seems like a great opportunity to increase pressure on talks around cyber threats to international peace and security and gather a coalition of potential victims to say, ‘We see the U.S. establishing itself on the Net in offensive way, we need an international umbrella to do something.’”

If the U.S. is guilty of escalating cyberwar by writing computer code that disabled critical Iranian computers, there is no question that forces around the globe will try to exploit the news to their own ends. While most analysts have focused on the potential that Flame invites other countries to counterattack the U.S. with similar cyber-bombs, the real threat might be the rationale it could provide for ending the free-flow of information around the Web.

“It's very concerning from a purely political standpoint. You can see why a group like ITU would be incentivized to release this news,” Rohmeyer said. “I’m guessing that's what they are trying to set up. They are building their case for internationalization. They have everything to gain and the established order, which is U.S.-based, has everything to lose.”

U.S. officials aren't blind to the threat; they've made very public warnings about it. In February, Federal Communications Commission member Robert McDowell wrote an op-ed piece in the Wall Street Journal where he criticized the ITU:

"The most lethal threat to Internet freedom may not come from a full frontal assault, but through insidious and seemingly innocuous expansions of intergovernmental powers," he wrote. "Scores of countries led by China, Russia, Iran, Saudi Arabia, and many others, have pushed for, as then-Russian Prime Minister Vladimir Putin said almost a year ago, 'international control of the Internet' through the ITU."

McDowell also testified before that congressional subcommittee on May 31, and warned that "pro-regulation" forces led by China and Russia are far more organized than U.S. allies.

"While precious time ticks away, the U.S. has not named a leader for the treaty negotiation," he said.

Some in Congress were even more blunt:

“If we're not vigilant, just might break the Internet," said Rep. Greg Walden, R-Ore.

The dire-sounding warnings aren't coming solely from U.S. government officials, either.  Even the so-called “father of the Internet,” Vint Cerf, expressed grave concern that day in Congress.

“(The Dubai meeting) holds profound—and I believe potentially hazardous— implications  for the future of the Internet and all of its users," he testified. "If all of us do not pay attention to what is going on, users worldwide will be at risk of losing the open and free Internet that has brought so much to so many.”

Nor is the alarm coming just from the U.S. Toomas Hendrik Ilves, president of Estonia, rang alarm bells on Friday during the International Conference on Cyber Conflict in Tallinn.

“The outcome of (the Dubai meeting), and related processes, will help determine the topography of the Web for the next two decades,” he said. “While this conference may fall into the domain of ministries of commerce and communications, make no mistake, there will be major cybersecurity ramifications. More ominously, we will face calls to limit free expression as we know it on the Web today.”

But as Western nations try to draw battle lines, the reality of Flame and Stuxnet muddies the argument considerably.  The U.S. risks losing moral high ground through stories about such cyberattacks.

"When we had plausible deniability for Stuxnet, we could make the argument more easily,” Bronk said. “This completely cuts at the knees the Internet freedom agenda.  How can the U.S. use clandestine cyberattack to go after a threatening regime, and then push the free agenda? "

As Rohmeyer sees it, the combination of U.S. cyberattacks and the Dubai meeting puts the Internet at “an age-old crossroads.”

What might change mean?
The ITU has its roots in an organization created during the 1860s to standardize cross-border telegraph traffic in Europe. It became a U.N. body after World War II, focused almost entirely on simplifying international telephony. Only recently has it tried to extend its charter to Internet traffic, most notably with the creation of an agency called The International Multilateral Partnership Against Cyber Threats, or IMPACT, based in Kuala Lumpur. Modeled after national computer emergency response teams, IMPACT’s stated mission is to share time-critical computer vulnerability and virus information around the globe. The U.S. has so far refused to join ITU’s IMPACT. Russia, China, Iran and about 140 other nations are members.  

IMPACT tried to take the lead in international dissemination of information about Flame, using the virus as cause for its first-ever warning.

How might ITU change the way the Internet works? No one knows, of course, but there are obvious reasons for concern.  Chinese officials have repeated stated they want an Internet where users must register by IP address, effectively ending anonymity and, perhaps, Internet-based uprisings. 

McDowell warns that Russia, Tajikistan and Uzbekistan asked the U.N. General Assembly to create an “International Code of Conduct for Information Security” to mandate “international norms and rules standardizing the behavior of countries concerning information and cyberspace.”  Even  ITU’s head of corporate strategy, Alexander Ntoko, raised eyebrows  earlier this year in Cancun when he predicted that anonymity online would end.

“Why countries are interested in the ITU varies. … China and Russia, their motivations are not very friendly to human rights or openness,” said Cynthia Wong, a lawyer for Center for Technology and Democracy. “Other places feel like they don't have a voice in the current process. “

One of the main criticisms of the process is a lack of transparency and the limitations on participation of non-governmental groups, according to complaints publicized but the Center for Technology and Democracy and human rights groups.  But it’s clear the ITU plans new ways to raise revenue, which might lead to some form of a per-click tax, according to witnesses who testified before Congress at that May 31 hearing.  wong also expects the ITU to push for mandatory standards for packet delivery – Net standards have been voluntary so far -- which could be a precursor for giving nations more control over incoming and outgoing Internet traffic at their borders.

One state, one vote
“Part of the problem with ITU process is that it's so opaque, so it is really hard to understand what might be at stake,” Wong said.  “But what we do know is Russia and some of the Arab states have put cybersecurity on the table.  There are proposals for greater regulation of traffic routing for security purposes.  Depending on how such regulations are implemented, it could be used to justify greater intrusions on privacy and fundamentally change how the Internet currently works technically.”

In other words, such proposals would make it easier for nations to control Internet traffic.

Practically speaking, it will be difficult for ITU to grab control over the central tool governing the Web – the domain name system – in Dubai. That system is currently operated by ICANN. But a sizable block of non-U.S. countries agreeing to mandatory routing standards could still wield considerable power. Treaty negotiations are one state, one vote. The U.S. government could make a reservation with something in the treaty, but if ITU standards become mandatory, all Internet users could be impacted. One potential outcome would see a “splitting” of the Internet, where traffic from nations following one standard is denied by a bloc of nations following another.

But Wong’s chief concern currently is that groups like hers aren’t welcome in the proceedings. On May 17, the Center for Democracy and Technology and 20 other non-governmental agencies from around the world sent a letter of protest to Secretary-General Dr. Hamadoun Touré, who is running the meeting, saying “there has been scant participation by civil society” in the run-up to Dubai.  But Wong thinks the influential Internet protests around SOPA demonstrate that no government agency will be able to pull a fast one on a recently empowered digital constituency.

“One of the lessons you can pull from SOPA is this: The time when governments can go behind closed doors and make important decisions about how we use the Internet is gone. That’s not acceptable anymore,” she said. “There is a community of users who are paying attention, and are really concerned about the future of the Internet. They are not going to find it acceptable anymore to use these old ways of creating laws. And it behooves governments involved in this to pay attention to that.” To that end, several groups have collaborated to create WCITLeaks.org, to encourage anonymous uploading of conference-related documents.

The experience of SOPA might make the Flame and Stuxnet sagas even more important. Could the potential for Internet users to rise up against U.N. control of the Net be blunted if the alternative seems to be continued control by the U.S., its image damaged by Flame and Stuxnet?  Rohmeyer thinks so: Like many technology experts, he’s skeptical of claims that Flame is the most powerful virus ever created. As others have pointed out, Flame is so large that it’s clearly not designed for stealth operation – whoever created it almost begged for it to be found. He thinks a big part of the publicity around Flame is a function of this battle for control of the Net.

“Is the U.S. releasing viruses so powerful that it needs to lose its control of the Internet?” he said. “I don't think by itself the release of Flame rises to threshold. I’m dubious of is effectiveness, and suspicious of those claims.” 

There are also open questions about ITU’s ability to take operational control over the Internet and cybersecurity.

'No country is an island on the Internet'
“The ITU has been kind of like one big group hug,” said Rohmeyer.  “Do U.N. groups have a track record of success with this kind of operation? The ITU was a standard-setting body for telephony. Once you move out of the connectivity realm into operational controls – wow! That gives them an enormous amount of power. ICANN seems to be functioning. When I woke up this morning, the Internet seemed to be working. I don’t think (ITU) has been in this business before.”

Not everyone in the U.S. is against giving ITU more control over cyberspace.  Jody Westby, who launched the Central Intelligence Agency’s famed In-Q-Tel technology investment arm and is now a highly sought-after U.S. cyberexpert, penned a column for Forbes last week strongly endorsing U.S. participation in IMPACT.

“No country is an island on the Internet, and the U.S. cannot expect to be able to adequately respond to cyberattacks or malware infiltrations without the input and involvement of others around the globe,” said Westby, who disclosed that IMPACT was previously a client of her consultancy firm. “The U.S.’s ‘our way or the highway’ attitude in the important area of cybersecurity appears petulant.”

She also said that, absent U.S. participation, other nations will look to Russia and China for leadership.

“The U.S. appears as the shirking nation state quietly standing on the sidelines while being accused of engaging in cyberwarfare tactics,” she said.

But Rohmeyer was was among those who wondered aloud what was in it for the U.S.

“There is no upside for the U.S. (in participation),” he said. “Is the Internet going to be managed better? Will it be more open?”

Many experts think the end result of Dubai will mean the already tense balance between bottom-up governance, where private firms dictate policy through collaboration, and top-down governance, where governments mandate Internet policies, will grow even more stressed. So will the tension between anonymity, free speech and U.S.-friendly control on one side, they say, vs. accountability, control, and Chinese/Russian/Arab interests on the other. McDowell, from the FCC, has repeatedly warned that even a positive outcome for the U.S. in Dubai offers little reason to celebrate. 

“Given the high profile, not to mention the dedicated efforts by some countries, I cannot imagine that this matter will disappear,” he testified before Congress. “Similarly, I urge skepticism for the ‘minor tweak’ or ‘light touch.’ As we all know, every regulatory action has consequences.”

Phillip Hallam-Baker, writing in the online magazine CircleID, compared the balancing act to the uneasy management of the Church of the Holy Sepulchre in Jerusalem, where power is shared awkwardly among various Christian groups and squabbles are common.

“Backing ICANN appears to be the only sensible course for the U.S. But the problem with this approach is that the U.S. cannot risk ICANN itself being captured by hostile powers, and that in turn means that the U.S. cannot ever release its de facto control of ICANN,” he wrote. “It is an inherently unstable situation that is only maintained through constant vigilance on all sides. “

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

What if two computer viruses got together on your computer and had a baby? 

It does happen, says security firm BitDefender, and the result is more mutant than mutt. The firm has taken to calling the third, new piece of malware produced by the odd couple — with apologies to Mary Shelley — "Frankenware." The spontaneous software offspring might be dangerously unpredictable, and it can be harder to defend against, BitDefender says.

There are so many computer viruses flying around out there that they can't help bumping into one other while wreaking havoc on our computers. In fact, virus writers account for this. In order to protect and defend a hard-won compromised computer, some virus writers actually install their own antivirus programs after they infect a PC. That way, another bad guy can't come along and hijack an already hijacked machine, said Catalin Cosoi, head of the Online Threats Lab at BitDefender, based in Romania.

---

But what happens when an already-infected machine is attacked by a virus that inserts code into every executable file it finds on a machine? What if a virus infects a virus?

In rare cases, says Cosoi, a third virus with unpredictable capabilities is created. But it's not that rare: His firm recently searched 10 million pieces of malicious software and found 40,000 distinct examples of this. 

"As with evolution, these things happen accidentally," he said. "The combination doesn't usually work, but sometimes it does."

It helps if the two pieces of malicious software have complementary features, he said — for example, if one is a keylogger while the other is designed with a wormlike ability to propagate quickly.

The good news is that, generally, such hybrid viruses can be easier to detect than their parents, because antivirus software that uses "signature" definitions — which identify malicious programs by looking for telltale lines of computer code — have "twice the chance" to detect the troublemaker. On the other hand, some other virus detection tools might overlook the Frankenware because the new file will be a different size from its parents, Cosoi said. 

John Harrison, a product manager with Symantec, said his firm had never found something like the Frankenware BitDefender is describing, but he did say most PCs that are successfully attacked by virus writers have multiple malicious programs on them. Generally, when a computer has a security vulnerability, the secret doesn't last long, and a hacker feeding frenzy follows.

"We've seen computers with 25 different pieces of malware on them, even more," he said. "They are often stealthy. ... By the time the user notices the PC has slowed down or there's a blue screen, it could be the 100th piece of malware." 

So the idea that two such programs could collide and accidentally create a hybrid isn't that far-fetched. But the real question is: Could such Frankenware pull a Frankenstein and wreak unexpected havoc on the real world?

Cosoi wasn't ringing any alarm bells. Virus writers do what they do for money, and this kind of random, destructive interaction wouldn't profit anyone. For that reason, he thought all the incentives in the computer underworld would probably be enough to limit such possibilities. In other words, virus writers will probably work to prevent such an occurrence because it would hurt their business.

And, most important, nothing of the sort has been discovered. The 40,000 Frankenware samples that BitDefender has found are no more dangerous than their "parents."

However, it's important to note that virus writers, even if they seem quite professional in their craft, hardly undertake rigorous product testing. Mistakes happen.

"If you throw a bunch of malware on a computer, that doesn't automatically mean it will create new malware and it rarely works," he said. "But when it does, it could be dangerous. I can see how a new kind of malware that spreads faster and is more viral than any of the two (parents) ... could turn into something more dangerous."

 Don't miss the next Red Tape:
*Get Red Tape headlines on your Facebook Wall
*Follow Bob on Twitter. 
*Get an e-mail newsletter with Red Tape stories (requires Newsvine registration).

The best way to protect yourself from an online financial scam is to diligently check your bank accounts. At least, until now.

Israeli-based Security firm Trusteer has found an elaborate new computer virus that not only helps fraudsters steal money from bank accounts -- it also covers its tracks.

---

Think of a crime plot involving a spy who plans to break into a high-security building and begins by swapping out security camera video so guards don't notice anything is amiss. Known as a surveillance camera hack, the technique has been used in dozens of movies.

A new version of the widely prevalent SpyEye Trojan horse works much the same way, only it swaps out banking Web pages rather than video, preventing account holders from noticing that their money is gone.

The Trojan horse employs a powerful two-step process to commit the electronic crime. First, the virus lies in wait until a customer with an infected computer visits an online banking site, steals their login credentials and tricks the victim into divulging additional personal information such as debit card information.  Then, after the stolen card number is used for a fraudulent purchase, the virus intercepts any further visits to the victim's banking site and scrubs transaction records clean of any fraud.  That prevents -- or at least delays -- consumers from discovering fraud and reporting it to the bank, buying the fraudster critical extra time to complete the crime.

Trusteer calls it a "post transaction" attack, because much of the virus' effectiveness is attributable to its ability to control what victims see after fraudulent transactions occur. Amit Klein, chief technology officer for Trusteer, said he believes criminals have used the technique for a few months, and it has infected real consumers. 

"I predict that the use of post transaction attack technology will significantly increase as it enables criminals to maximize the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms," Klein said.

The new SpyEye came to Trusteer's attention when a large retail bank in the United States spotted it and shared with the firm, he said.

'A very scary tactic'
The virus' evidence-covering techniques are elaborate. First, it keeps track of all fraud committed by the criminal, and makes sure to remove those line items from online transaction lists.  It also edits balance amounts to prevent consumers from getting suspicious.

"This is a very scary tactic," said Avivah Litan, a financial fraud analyst at consulting firm Gartner. "Everybody thinks all they have to do is check their transactions and their balances. That's not true anymore."

The new virus technique ups the ante in the cat-and-mouse game between security companies and the computer criminals who try to steal consumers' money.  Consumer reports of fraud are still a very important part of fraud-fighting techniques, Litan said. 

"Most banks 'let the first transaction through,' because if they stopped everything that was potentially fraud, consumers would get annoyed," she said.  In some cases, fraud-checking tools kick in only after initial reports, so this version of SpyEye could buy criminals important time as they try to turn stolen data into cash.

"Usually they only need one day more to get the money, to push the fraud through," she said. "They always want to keep the security guys running after them."

Such cover-your-tracks techniques have been used before by virus writers, Klein said. In a simpler version, criminals who raided online bank accounts and wired money out of them would try to hide the transaction from victims using the same Web page interception trick. But this new flavor has more potential for success, because it involves stolen debit card numbers used at third-party merchants, creating complex transactions involving multiple banks and multiple security systems. 

Victim account holders who check their balance at an ATM -- or even at a second uninfected computer -- would be able to spot the fraudulent transactions. The virus doesn’t impact bank systems, merely the characters that are displayed within the infected system's Web browser.  That means paper statements would reveal the fraud, too.

Of course, consumers who rely on paper statements could be a full 30 days behind when it comes to spotting fraudulent transactions.

While Klein is worried about the "post transaction" attack, he said consumers who have vulnerable Web browsers are bound to be victims of one fraudster or another.

"My take is that if your computer is infected with financial malware, it's game over anyway," he said. "My takeaway is you need to prevent getting infected with financial malware in the first place."

 Don't miss the next Red Tape:
*Get Red Tape headlines on your Facebook Wall
*Follow Bob on Twitter. 
*Get an e-mail newsletter with Red Tape stories (requires Newsvine registration).