GhostNet & Creating a Culture of User Security
April 08, 2009

Quick update: OpenOffice now ships with macro security set to 'High', so that "Only signed macros from trusted sources are allowed to run. Unsigned macros are disabled". By going to Tools -> Options -> -> Security -> Macro Security you can also set the security level to 'Very High', so that "Only Macros from trusted file locations are allowed to run. All other macros, regardless whether signed or not, are disabled." So if you are concerned by these articles, use OpenOffice.

Listening to CBC's Search Engine podcast (which, sadly, was removed by CBC), I was reminded again of how much our perceptions of security have changed and how much organizations and activists need to do to be mindful of the people they are working to support. For those who missed the news on this item, the office of the Dalai Lama brought in the Munk Centre for International Studies' Citizen Lab to investigate some issues they were having with their computers. It turns out that a Microsoft Word document contained a Trojan horse that allowed the attacker to list and access any documents available to the computer (including on its networks), to record any keystrokes made on that computer, and even to turn on the victim's webcam and see/hear their conversations. This large-scale cyber spying operation was given the name GhostNet. Now, this has been possible for a long time; in fact, the code for the Trojan horse that was used can be downloaded from the Internet and adapted by hackers for all kinds of purposes. What's new is that the folks from the Citizen Lab were able to backtrack and access the control server that was directing these attacks. They were also able to identify that the attackers seemed to have a political target, as this Trojan horse was distributed through crafted emails and attachments concerning Tibet. Given that the control server was hosted in China, that its interface was written in Chinese and that China has a strong interest in monitoring activists concerned about its occupation of Tibet, it is most likely that Chinese intelligence is behind this. This is a concern, but not my main one.

Call for NGO Awareness

My main concern is that mission-based organizations need to be aware that these threats are out there and take measures to address security issues more seriously. It's one thing to have a teenager hack your computer to gain access to your credit card number or force your computer to take part in a DoS attack against Yahoo. Heck, even organized crime writing software in order to go phishing and extract data from individuals' computers is something we can think of as bad luck. It's a much different thing to have a government begin spying, using these tools, on individuals and organizations who are outspoken against it. We are entering an age of information warfare, and this case is the biggest publicized example of it. There are technical examples of how these targeted attacks work, both for Word docs and even for HTML email. Now, most of us don't have information on our computers that identifies the location of political dissidents who are targeted by hostile regimes. However, there are non-profits out there that do have confidential names and contact information for activists whose lives could be on the line in the name of promoting human rights, free speech, or democracy in different parts of the world. It is in the interests of many countries around the world, be it Iran, Burma or Zimbabwe, to track down as much information as they can about their opponents using whatever means necessary. I don't think that there is any country in the world with binding legislation that prevents it from using these types of attacks to extract information about areas of political or economic interest. There are already examples of where cyber snooping has had real-world impacts.

It's Not About Money

So, particularly in these times, most non-profits can't afford to spend a lot of time and money on improving their staff's understanding and use of security. It takes time and money to secure computer systems, yet of the 1000+ infected computers that were identified, close to 30% were high-value targets such as foreign affairs offices, embassies, intergovernmental agencies, news organizations and NATO. What the attacker was able to gain from the millions of files that they would have had access to is hard to know, and those documents will probably remain a source of information for the attacker for years. One would expect that all of these government-backed agencies would be aware of security issues, have staff to address them and be able to purchase software to protect their systems. The problem, though, isn't really with the technology but with the culture surrounding it. This attack infiltrated government computers in the United States, Britain, France, Germany, South Korea and Taiwan. It's ironic that France was one of the governments whose computers were affected - a security audit of office suites done by the French Ministry of Defense back in 2006 gave OpenOffice a much lower security rating than Microsoft Office - yet if their computers had been running OpenOffice they would not have been compromised in this attack. I am sure that most of these offices had some form of virus protection installed on their networks and desktops. These anti-virus efforts are not 100% effective; I was quite surprised at how many infected files got through in this report, and these tests would have included up-to-date definitions. With the prevalence of USB keys and laptops it is that much harder to lock down systems and protect our computers from malware. The report on the GhostNet attack is available online.

The Macro Virus Problem

The default behavior for OpenOffice (and I think MS Word) is to ask before running any kind of macro, thus preventing the commands from executing automatically. Both are sticking with the need for macros as a core part of office optimization, which they might be, but most folks won't ever take advantage of them. It is because MS Office has the lion's share of the office suite market that it is more vulnerable than OpenOffice. People using OpenOffice will not be exposed to MS Word macro attacks (which are the majority), just as GNU/Linux and Mac users gain some protection from not being both the biggest and easiest targets for attack. I am disappointed that there isn't a secured version of OpenOffice that provides additional security enhancements, but heck, this is open source and if there's enough interest it can and will be done. The security stance from both OpenOffice and Microsoft is that users should never accept files from unknown sources. Frankly, though, this assumes that you can know who sent you the email, which you can't. In the case of the GhostNet attack that I've been discussing here, the email came from what looks like it could be a legitimate address - - from the domain used, it certainly looks like Free Tibet is a legitimate organization. Unfortunately, any techie can tell you how easy it is to send out an email and have it appear to be coming from an email address like that, or for that matter from Most email systems do not even verify that the sender's address exists before accepting it. However, it is quite likely that this email address does exist and in fact may have been a trusted address used by staff of this Tibet independence website. So simply having had prior communications with isn't enough to know that the document they are sending you does not contain a virus or Trojan.
The main problem is that people have gotten used to the idea of sending and receiving Word documents like "Translation of Freedom Movement ID Book for Tibetans in Exile.doc" as a normal part of their daily business practice. Because it is simple and easy to just attach the file we are working on and pass it around via email, people do. People assume that everyone can just open up their .doc file and read it, and in many cases they can. Although OpenOffice is pretty good at reading MS Word documents, older versions of MS Word can only do so if you've taken the time to save the file in an older format (say, Word '97). Office files can also contain historical revisions that you want to be able to access while you are editing a document, but that can be very damning if they are made available to whoever receives it. The culture of assuming that everyone can just open up the .doc file is largely responsible for people not exporting final documents in a presentation format like PDF, which everyone can read and which does not carry these risks.
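As an added example (my own code, not from the post and not an OpenOffice feature), here is a small Python triage check that a mail gateway or helpdesk could run over attachments like the .doc files described above: it recognises legacy Word/Excel compound files by their signature and looks for the storage names ("Macros", "VBA", "_VBA_PROJECT_CUR") in which those formats keep a VBA project, so a macro-bearing document is flagged before anyone is asked to click through a warning. The sample file is constructed inside the block, and the directory scan is a heuristic that does not walk the file's FAT.

```python
"""Added example: flag legacy OLE2 (.doc) attachments that carry a VBA macro project."""
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # compound-file signature
MACRO_STORAGES = {"Macros", "VBA", "_VBA_PROJECT_CUR"}  # storages Word/Excel use for VBA

def is_ole2(data: bytes) -> bool:
    return data[:8] == OLE2_MAGIC

def directory_names(data: bytes):
    """Yield names of plausible 128-byte directory entries without walking the FAT.
    Directory sectors are sector-aligned, so each entry sits at a multiple of 128
    past the 512-byte header; junk records fail the entry's own sanity rules."""
    for off in range(512, len(data) - 127, 128):
        rec = data[off:off + 128]
        name_len = struct.unpack_from("<H", rec, 64)[0]   # bytes incl. UTF-16 NUL
        if (not 2 <= name_len <= 64 or name_len % 2 or rec[66] not in (1, 2, 5)  # type: storage/stream/root
                or rec[name_len - 2:name_len] != b"\x00\x00"):
            continue
        try:
            yield rec[:name_len - 2].decode("utf-16-le")
        except UnicodeDecodeError:
            continue

def macro_storages(data: bytes) -> set:
    """Macro-related storage names in an OLE2 file (empty if none, or not OLE2 at all)."""
    return {n for n in directory_names(data) if n in MACRO_STORAGES} if is_ole2(data) else set()

def triage(data: bytes) -> str:
    """Verdict from file content, not from the extension the sender chose."""
    if data[:5] == b"%PDF-":
        return "pdf"
    found = macro_storages(data)
    if found:
        return "ole2 with macros: " + ",".join(sorted(found))
    return "ole2 without macros" if is_ole2(data) else "unknown format"

def _entry(name: str, obj_type: int) -> bytes:
    raw = (name + "\x00").encode("utf-16-le")
    rec = bytearray(128)
    rec[:len(raw)] = raw
    struct.pack_into("<H", rec, 64, len(raw))
    rec[66] = obj_type
    return bytes(rec)

def sample_doc(with_macros: bool) -> bytes:
    """Constructed stand-in for a .doc: header sector plus one directory sector."""
    names = [("Root Entry", 5), ("WordDocument", 2)] + ([("Macros", 1), ("VBA", 1)] if with_macros else [])
    directory = b"".join(_entry(n, t) for n, t in names)
    return OLE2_MAGIC + bytes(504) + directory + bytes((-len(directory)) % 512)
```

A real deployment would feed `triage()` the decoded attachment bytes and quarantine anything reported as "ole2 with macros" regardless of who appears to have sent it.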

A Simple Change

PDF is an open format established by Adobe Systems, but one that is available on every operating system and from suppliers other than Adobe. OpenOffice has some very nice tools that allow you to easily export to PDF. I don't think that Microsoft has adopted this yet, as it is in their business model to sell more of their products and third-party products like Adobe Acrobat (which does have some security vulnerabilities) and anti-virus tools. Making it easier for people to create PDFs will make it more likely that people will share them. Educating people about the risks associated with sending/receiving .doc files is something that needs to be ongoing. People working on issues of human rights and development in particular should be leading the way on this, as lives depend on it there more than anywhere (perhaps). Making the switch to OpenOffice will provide some initial security protection, as will switching to Ubuntu or Apple, because there are still far fewer tools, examples, and infected systems than there are in a Microsoft environment. Simply being part of a minority will help change the culture of users (who are ultimately responsible for either disabling the macro warning or being so numbed to popup notices that they just approve them without understanding the potential risk, and then move on). OpenOffice is free, supported and will import most of your existing documents without difficulty. Hopefully we'll also be able to see a hardened version of OpenOffice, or an extension that can be applied, to require administrator approval before a user can trust a document with a macro included.
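As an added example (not from the original post), this is how the 'Very High' setting mentioned in the update at the top, together with the administrator-controlled trust this paragraph asks for, can be pushed to every user of an OpenOffice installation instead of being left to each person's Options dialog. The path org.openoffice.Office.Common/Security/Scripting and the oor:finalized lock are OpenOffice.org's configuration registry format; which directory the file goes in (the installation's shared registry) varies by version and is an assumption to check against your own install.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: site-wide macro policy for OpenOffice.org.
     MacroSecurityLevel: 0 = Low, 1 = Medium, 2 = High (signed only),
     3 = Very High (only macros from trusted file locations run).
     oor:finalized="true" locks each value so Tools -> Options cannot lower it. -->
<oor:component-data oor:name="Common" oor:package="org.openoffice.Office"
    xmlns:oor="http://openoffice.org/2001/registry"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <node oor:name="Security">
    <node oor:name="Scripting">
      <!-- 'Very High': everything not in a trusted location is disabled, signed or not -->
      <prop oor:name="MacroSecurityLevel" oor:type="xs:int" oor:finalized="true">
        <value>3</value>
      </prop>
      <!-- Trusted locations list, kept empty and locked: with level 3 this means no
           document macros run at all until an administrator adds a path here -->
      <prop oor:name="SecureURL" oor:type="oor:string-list" oor:finalized="true">
        <value/>
      </prop>
    </node>
  </node>
</oor:component-data>
```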

About The Author

Mike Gifford is the founder of OpenConcept Consulting Inc, which he started in 1999. Since then, he has been particularly active in developing and extending open source content management systems to allow people to get closer to their content. Before starting OpenConcept, Mike had worked for a number of national NGOs including Oxfam Canada and Friends of the Earth.