“Your Account May Have Been Targeted by State-Sponsored Actors”

Razer rayzer at riseup.net
Sun Jan 17 21:04:15 PST 2016


Just Security's editor:

This post is the latest installment of our “Monday Reflections” feature,
in which a different Just Security editor examines the big stories from
the previous week or looks ahead to key developments on the horizon.

The end of 2015 brought a flurry of announcements from tech companies,
including Facebook, Yahoo, and Microsoft, promising to notify their
users if the company believes that state-sponsored actors are targeting
the users’ accounts. These state-sponsored-attacker notifications share
features of other kinds of attributions. On the one hand, like the
Mandiant report and other reports by cybersecurity companies
highlighting state-sponsored cyberintrusions, private companies are
responsible for the attribution. On the other hand, like the limited
evidentiary disclosures made by the US government in attributing the
Sony Pictures hack to North Korea, the companies withhold the
evidentiary basis for the notifications in order to protect their
detection methods and avoid tipping off attackers.

The notifications contribute to evolving debates about the requisite
evidentiary basis for attribution of state-sponsored
cyberattacks—debates over types of evidence, amounts of evidence, and
levels of public disclosure that should be required for attribution in
different contexts. The notifications also show that while standards of
evidence for attribution are discussed in multilateral fora like the
United Nations, states are not the only parties whose practice matters.

Company Notifications

Google pioneered notifications to users about state-sponsored attacks in
2012. The company explained in a blog post at the time that in response
to “specific intelligence—either directly from users or from [its] own
monitoring efforts”—it would display a banner stating “Warning: We
believe state-sponsored attackers may be attempting to compromise your
account or computer.”

Facebook made a similar announcement in October 2015. In a blog post by
Chief Security Officer Alex Stamos, Facebook explained that it would
show users a warning if the company has “a strong suspicion that an
attack could be government-sponsored.” According to the New York Times,
in the wake of the Iranian nuclear deal and “[j]ust weeks into the new
[Facebook] alert system,” numerous State Department officials who work
on Iran and the Middle East received notifications that their accounts
had been targeted by a state-sponsored actor.

In mid-December, Twitter, which had not previously announced a policy on
state-sponsored attacks, notified some users that their accounts “may
have been targeted by state-sponsored actors,” who were “trying to
obtain information such as email addresses, IP addresses, and/or phone
numbers.” (A copy of a notification sent to another user is available here.)

On December 21, Yahoo Chief Information Security Officer Bob Lord
announced that “Yahoo will now notify you if we strongly suspect that
your account may have been targeted by a state-sponsored actor.”
Microsoft followed suit on December 30, announcing in a blog post by
Corporate Vice President for Trustworthy Computing Scott Charney that
Microsoft “will now notify you if we believe your account has been
targeted or compromised by an individual or group working on behalf of a
nation state.”

According to the companies, they issue notifications for state-sponsored
attackers in particular because, as Facebook explains, “these types of
attacks tend to be more advanced and dangerous than others.” The
notifications are intended to prompt users to better secure their
account with the notifying company and other online accounts by, for
example, enabling two-step verification, changing passwords, and
monitoring for unusual activity.

Similarities to and Differences From Other Attributions to Nation-States

The state-sponsored-attacker notifications share similarities with prior
attributions by both the private sector and the US government. On the
one hand, the notifications (and the attributions supporting them) are
done by private companies, like the reports on state-sponsored
intrusions issued by cybersecurity companies like Mandiant and
Crowdstrike that I discussed in an earlier post.

On the other hand, unlike the extensive technical details that often
accompany such reports (see, for example, the Mandiant APT1 report), the
state-sponsored-attacker notifications do not come with evidence to back
up the attribution. Google’s post on the notifications explains: “You
might ask how we know this activity is state-sponsored. We can’t go into
the details without giving away information that would be helpful to
these bad actors, but our detailed analysis—as well as victim
reports—strongly suggest the involvement of states or groups that are
state-sponsored.” Facebook’s post similarly states, “To protect the
integrity of our methods and processes, we often won’t be able to
explain how we attribute certain attacks to suspected attackers.” The
invocation of secrecy to protect “methods and processes” echoes similar
statements made by the FBI in announcing the attribution of the Sony
Pictures hack to North Korea. The FBI press release explained that the
“need to protect sensitive sources and methods” prevented the Bureau
from sharing details of its evidence against North Korea. The FBI
provided a general description of the evidence supporting the
attribution, including, for example, “significant overlap between the
infrastructure used in this attack and other malicious cyber activity
the U.S. government has previously linked directly to North Korea.” But
the lack of detailed information triggered significant skepticism within
the security community, prompting FBI Director James Comey to release
additional information several weeks later.

Unlike the other types of attribution, the state-sponsored-attacker
notifications do not name the state involved. They simply inform a user
that some “state-sponsored actor” has targeted the user’s account. Of
course, upon receipt of a notification, some users may have a pretty
good idea which state is targeting them, and the pattern of accounts
targeted may reveal the state’s identity to the company or to the public
if/when the notifications become public. That may be what happened with
the Facebook notifications to State Department employees discussed
above. Still, the notifications’ failure to name the particular state
involved renders them somewhat less accusatory than attributions that
name a specific state...

In full, with links:
https://www.justsecurity.org/28731/your-account-targeted-state-sponsored-actors-attribution-evidence-state-sponsored-cyberattacks/

-- 
RR
"You might want to ask an expert about that - I just fiddled around with
mine until it worked..."
