Writing

Information Warfare Monitor. (2010). Shadows in the Cloud: An investigation into cyber espionage 2.0. (mirror)

The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries.

The investigation recovered a large quantity of stolen documents – including sensitive and classified materials – belonging to government, business, academic, and other computer network systems, as well as other politically sensitive targets. These include documents from agencies of the Indian national security establishment and from the Offices of the Dalai Lama. The stolen data included information voluntarily provided to Indian embassies and consulates by third-party nationals, including Canadian visa applications, as well as those belonging to citizens of other countries. Additionally, sensitive personal, financial, and business information belonging to Indian officials was systematically harvested and exfiltrated by the attackers.

The report analyzes the malware ecosystem employed by the Shadows’ attackers. The system leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report provides evidence that the attackers operated or staged their operations from Chengdu, PRC.

Villeneuve N. (2010). The “Kneber” Botnet, Spear Phishing Attacks and Crimeware. SecDev.cyber/Information Warfare Monitor Report.

This investigation examined a spear phishing campaign linked with the Kneber botnet, focusing on a case in which the attackers took portions of blog posts by authors Brian Krebs and Jeff Carr (two prominent members of the security community) and used them as the content of their malicious emails. Numerous individuals with .gov and .mil email addresses were sent these spoofed emails, which prompted them to download a security fix for Microsoft Windows. This investigation revealed that Zeus was being used to infect targets within the government and military sectors with a second instance of malware designed to exfiltrate data from the compromised computers.

Instead of simply stealing banking, credit card and social networking credentials, the Zeus malware downloaded an additional piece of malware onto the compromised machines which focused on exfiltrating sensitive documents. We found at least 81 compromised computers that had uploaded a total of 1533 documents to the drop zone. We found sensitive contracts between defense contractors and the U.S. Military, and documents relating to, among other issues, computer network operations, electronic warfare and defense against biological and chemical terrorism. We found the security plan for an airport in the United States, as well as documents from a foreign embassy and from a large UN-related international organization. In addition, the personal computers of employees with security clearances who work for a variety of companies and government agencies were compromised.

Information Warfare Monitor. (2009). Tracking GhostNet: Investigating a Cyber Espionage Network. (mirror)

This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation and the ease with which cyberspace can be used as a vector for a new do-it-yourself form of signals intelligence. It ends with a warning to policy makers that information security requires serious attention.

Villeneuve, N. (2008). Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform. JR01-2008. (mirror)

This report reveals troubling security and privacy breaches affecting TOM-Skype—the Chinese version of the popular voice and text chat software Skype. It also raises troubling questions regarding how these practices are related to the Government of China’s censorship and surveillance policies.

Book Chapters

Villeneuve, N. (2010). Barriers to cooperation: An analysis of the origins of international efforts to protect children online. In Access Controlled: The Shaping of Power, Rights and Rule in Cyberspace. Eds. R. Deibert, J. Palfrey, R. Rohozinski, J. Zittrain. Cambridge, MA: MIT Press.

In this chapter, I present an analysis of the widespread adoption of filtering as the primary solution to combating the proliferation of child pornography on the Internet. While international agreements concerning the protection of children played a role in spurring state action, the emphasis on domestic implementation over dynamic cooperation facilitated the preference for filtering as the solution to the problem of Internet child pornography. Internet filtering is a solution that states can implement domestically irrespective of international agreements, and it does not require sustained cooperation. The goal of filtering is to block domestic access to Internet content located in another country. Dynamic cooperation—in contrast to blocking domestic access to foreign-hosted child pornography—refers to the continual cooperation necessary to have foreign-hosted content removed at its source.

Faris, R. and Villeneuve, N. (2008). Measuring Global Internet Filtering. In Access Denied: The Practice and Policy of Global Internet Filtering. Eds. R. Deibert, J. Palfrey, R. Rohozinski, J. Zittrain. Cambridge, MA: MIT Press.

Many countries around the world block or filter Internet content, denying access to information – often about politics, but also relating to sexuality, culture, or religion – that they deem too sensitive for ordinary citizens. Access Denied documents and analyzes Internet filtering practices in over three dozen countries, offering the first rigorously conducted study of an accelerating trend.

Deibert, R. and Villeneuve, N. (2005). Firewalls and Power: An Overview of Global State Censorship of the Internet. In Human Rights in the Digital Age. Eds. Mathias Klang and Andrew Murray. Portland, OR: GlassHouse.

The practice of individual states restricting access to information and freedom of speech and communications goes beyond national sovereignty concerns to affect the well-being of individuals worldwide. In this respect, state censorship of the Internet must be considered a truly global issue for consideration by citizens of every country.

Papers

Villeneuve, N. (2008). Search Monitor Project: Toward a Measure of Transparency. Citizen Lab Occasional Paper #1. (mirror)

This report interrogates and compares the censorship practices of the search engines provided by Google, Microsoft and Yahoo! for the Chinese market, along with the domestic Chinese search engine Baidu. This report finds that, although Internet users in China are able to access more information due to the presence of foreign search engines, the web sites that are censored are often the only sources of alternative information available for politically sensitive topics. This report finds that search engine companies maintain an overall low level of transparency regarding their censorship practices and concludes that independent monitoring is required to evaluate their compliance with public pledges regarding commitments to transparency and human rights.

Villeneuve, N. (2007). Evasion tactics: Global online censorship is growing, but so are the means to challenge it and protect privacy. Index on Censorship, 36(4), 71–85. (mirror)

There is a growing resistance to Internet censorship and surveillance, although it is often characterised as a struggle confined to dissidents in a few select authoritarian regimes. Battles are being fought all over the globe, and the development and use of technologies that protect privacy and make it possible to circumvent censorship are rapidly increasing. The same tools helping dissidents to evade censorship in repressive countries are also being used by citizens in democratic countries to protect themselves from unwarranted Internet surveillance.

Villeneuve, N. (2006). The filtering matrix: Integrated mechanisms of information control and the demarcation of borders in cyberspace. First Monday, 11(1). (mirror)

The implementation of national filtering is most often conducted in secrecy and lacks openness, transparency, and accountability. States are increasingly using Internet filtering to control the environment of political speech in fundamental opposition to civil liberties, freedom of speech, and free expression. The consequences of political filtering directly impact democratic practices and can be considered a violation of human rights.

Guides

Citizen Lab. (2007). Everyone’s Guide to Bypassing Internet Censorship. Citizen Lab.

This guide walks users through the process of assessing their needs and capabilities and lists clusters of circumvention technology options for users to choose from.

Villeneuve, N. (2005). Choosing Circumvention: Technical Ways To Get Around Censorship. Handbook for Bloggers and Cyber-dissidents. Reporters Without Borders.

In response to state-directed Internet filtering and monitoring regimes, many forms of circumvention technology have emerged to allow users to bypass filtering restrictions. This chapter guides users through the process of selecting a circumvention technology that meets the user's specific needs.

Testimony before the U.S. Congress on Internet censorship.

  • Testimony of Nart Villeneuve (local copy)
    Villeneuve, N. (2006). “Testimony of Nart Villeneuve”, Congressional Human Rights Caucus Member’s Briefing on Human Rights and the Internet – Wednesday, February 1, 2006.
  • Statement of Nart Villeneuve
    Villeneuve, N. (2005). “Statement of Nart Villeneuve”, in Hearing on China’s State Control Mechanisms and Methods, U.S.-China Economic and Security Review Commission (U.S. Government Printing Office).