Month: September 2011

The Quest For Cyber Peace

UPDATE 2011-12-18: also see Countering cyber war (.pdf, NATO Review, Winter 2001/2002).

In January 2011, ITU published The Quest For Cyber Peace (website). Here is its foreword:

“In the world of 2011, we enjoy the benefits of a boundless global information society, but with these benefits comes the threat of cyber attacks. They can arise anywhere, at anytime, and cause immense damage in the blink of an eye. This potential damage is increased exponentially by the linking of information and communication technologies (ICTs) with vital national infrastructures.

We must act now to stem this growing threat.

At the World Summit on the Information Society (WSIS), world leaders and governments entrusted the International Telecommunication Union (ITU) with the task of coordinating a mechanism for building confidence and security in the use of ICTs. Since that time, Secretary General Touré has launched the Global Cybersecurity Agenda (GCA), and ITU has actively pursued fulfillment of this mandate through a number of initiatives. Above all else, ITU remains deeply concerned about cyberthreats among its Member States.

The World Federation of Scientists (WFS) promotes international collaboration in science and technology between scientists and researchers from all parts of the world. It strives to advance the free exchange of information so that everyone can benefit from the progress of science. In 2009, the WFS’s Permanent Monitoring Panel (PMP) on Information Security drafted the Erice Declaration on Principles of Cyber Stability and Cyber Peace, which calls for concerted, international action to ensure that information networks and systems remain stable, reliable, available, and trusted. The Declaration was adopted by the Plenary of the WFS on the occasion of the 42nd Session of the International Seminars on Planetary Emergencies in Erice (Sicily) on 20 August 2009 and has been distributed to every Member State of the ITU.

To achieve the mutual goal of ensuring Cyber Peace, collaboration between ITU and members of the science and technology community is critical. We cannot effectively confront the threat of cyberwar without the involvement of those with expert knowledge and insight of the technologies that are changing the global landscape.

This volume gives voice to that community. It represents a necessary step in the process of building international cooperation to address these challenges. We are grateful for the opportunity to present all our views on this critical issue.”

Direct link to .pdf: here.

Also, be reminded of these great resources:

Anomaly in DigiNotar Cert Revocations In June/July 2010

Inspired by Swa Frantzen’s DigiNotar breach – the story so far post at the ISC Diary, I looked at the CRL for DigiNotar Public 2025 Root CA (.crl) and found a spike in the number of certificate revocations during June/July 2010: 3282 out of 4880 revocations (67%) dated between December 2007 (the oldest entry in the CRL) and August 2011 (the most recent) fall in June and July 2010. See the list counting those revocations.
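The per-month count behind that 67% figure is easy to reproduce. The script below is an added example, not code from this post: it takes the text that OpenSSL prints for a CRL (`openssl crl -inform DER -in file.crl -noout -text`), buckets every "Revocation Date" by month, fills in the empty months so gaps stay visible, and flags months that exceed a multiple of the median. The sample it runs on is constructed (two revocations a month during 2010 with a burst in June and July); it is not DigiNotar or Defensiepas data, and the spike factor of 5 is an arbitrary threshold, not something the post defines.

```python
"""Bucket the revocation dates in a CRL by month and flag spikes.

Input is the text that OpenSSL prints for a CRL:

    openssl crl -inform DER -in DigiNotarPublic2025.crl -noout -text

(use -inform PEM for a PEM-encoded CRL). Only the "Revocation Date:" lines
are used, so the same functions work on any CA's CRL.
"""
import re
from collections import Counter
from datetime import datetime
from statistics import median

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# OpenSSL prints e.g. "Revocation Date: Jul  2 08:00:00 2010 GMT";
# single-digit days are space-padded, hence \s+ between the fields.
REVOCATION_RE = re.compile(
    r"Revocation Date:\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+(\d{4})\s+GMT")


def revocation_dates(crl_text):
    """Yield one datetime per revoked entry found in the OpenSSL text dump."""
    for mon, day, hms, year in REVOCATION_RE.findall(crl_text):
        yield datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")


def revocations_per_month(crl_text):
    """Return {'YYYY-MM': count} for every month from the oldest to the newest
    revocation, including months with zero revocations so gaps stay visible."""
    counts = Counter(d.strftime("%Y-%m") for d in revocation_dates(crl_text))
    if not counts:
        return {}
    year, month = map(int, min(counts).split("-"))
    last_year, last_month = map(int, max(counts).split("-"))
    per_month = {}
    while (year, month) <= (last_year, last_month):
        key = f"{year:04d}-{month:02d}"
        per_month[key] = counts.get(key, 0)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return per_month


def spikes(per_month, factor=5):
    """Months whose count exceeds `factor` times the median of the months that
    have at least one revocation. The factor is an arbitrary threshold."""
    nonzero = [c for c in per_month.values() if c]
    if len(nonzero) < 3:
        return {}
    threshold = factor * median(nonzero)
    return {k: v for k, v in per_month.items() if v > threshold}


def share(per_month, months):
    """Fraction of all revocations that fall in the given months."""
    total = sum(per_month.values())
    return sum(per_month[m] for m in months) / total if total else 0.0


def constructed_sample():
    """Constructed stand-in for an OpenSSL CRL dump (not real DigiNotar data):
    two revocations per month during 2010, except 40 each in June and July."""
    header = ("Certificate Revocation List (CRL):\n"
              "        Version 2 (0x1)\n"
              "    Signature Algorithm: sha1WithRSAEncryption\n"
              "        Issuer: /C=XX/O=Example/CN=Example Root CA\n"
              "        Last Update: Aug 30 12:00:00 2011 GMT\n"
              "        Next Update: Sep 29 12:00:00 2011 GMT\n"
              "Revoked Certificates:\n")
    entries, serial = [], 0x1000
    for month in range(1, 13):
        for i in range(40 if month in (6, 7) else 2):
            serial += 1
            entries.append(f"    Serial Number: {serial:X}\n"
                           f"        Revocation Date: {MONTHS[month - 1]} "
                           f"{1 + i % 28:2d} 10:00:00 2010 GMT\n")
    return header + "".join(entries)


if __name__ == "__main__":
    per_month = revocations_per_month(constructed_sample())
    for key, count in per_month.items():
        print(key, count)
    hot = spikes(per_month)
    print("spike months:", hot)
    print("their share of all revocations: %.0f%%" % (100 * share(per_month, hot)))
```

To run it on a real CRL, dump it with the openssl command in the docstring and pass the output to `revocations_per_month`; comparing the result for two CRLs (say, the Public 2025 one and the Defensiepas one) is then a matter of calling `spikes` on each.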

Is there a business-as-usual explanation? I know that as of January 1st 2011, new PKIoverheid certs MUST be issued under the new SHA-256 based root, “PKIoverheid G2”. The CRL of the Dutch DoD smartcard “Defensiepas” (.crl) shows a big spike in September 2010: 32176 out of 71835 revocations (45%) between April 2009 and September 2011 occurred in September 2010. For that spike I settle for the migrate-to-G2 explanation: after all, the trust path for Defensiepas certificates involves PKIoverheid. But the trust path for DigiNotar Public 2025 certificates doesn’t. It is orthogonal to PKIoverheid*. Perhaps some DigiNotar customer(s) went broke and dropped certs, or decided to migrate existing Public 2025 certs to PKIoverheid G2 certs? I have no idea. I contacted DigiNotar and am awaiting a response.

If you can confirm 3000+ certs were revoked for business-as-usual reasons: please comment on this blog, or contact me via e-mail at koot=> (“@” instead of “=>”) or via Twitter at @mrkoot.

(*) Yes, the compromise of DigiNotar Public 2025 Root CA resulted in Dutch govt no longer trusting DigiNotar PKIoverheid G2 CA, but that is unrelated to this narrative AFAIK.

Dutch Police Investigation & Tor Spike: Correlation Or Also Causation?

UPDATE 2012-01-21: let me emphasize that the Dutch investigation and the spike are probably only correlated; there is no evidence for any causal relation.

UPDATE 2011-09-12: new spike in bridge connections occurring as we speak. For better information than my speculative thoughts, see the tor-talk mailinglist. I know hidden services and bridge connections are orthogonal; I’m considering the scenario where the Dutch govt and Fox-IT are attempting some Tor-level attack — I don’t know whether the expected benefit of a successful attack would justify its cost though. Also see this and this response to my question on tor-talk — the latter mentions simpler / more likely explanations for the spike. I don’t oppose Ockham’s razor 🙂

On September 3rd 2011, Cryptome published Massive Automated Tor Bridge Requests: Why? from the Tor-talk mailinglist. Some believe (credits to @ly_gs for enlightening me) that the August 2011 spike in Tor users via bridges may be related to the Dutch police investigation on Tor hidden services hosting child pornography, which also took place during that month. Wire Update News has an English-language article here, but I decided to translate the full August 31st press release from the Dutch Public Prosecutor myself (see below). Any ‘unnatural’ use of the English language is due to me translating as literally as possible, avoiding (mis)interpretation. Hyperlinks and parts between […] are mine.

Child porn on anonymous, deeply hidden websites
August 31st, 2011, National Office of the Dutch Public Prosecutor

During an investigation on the internet, the Dutch National Crime Squad stumbled upon large amounts of child pornography on anonymous meeting places and deeply hidden websites.

The reason for the investigation is the Amsterdam child porn case in which Robert [Mikelsons] is a prime suspect [Al Jazeera, CBS]. The National Crime Squad of the Dutch National Police (KLPD) started a multidisciplinary investigation team to map [Mikelsons]’s (international) network.

During the investigation, it was found that [Mikelsons] used hidden places, so called ‘hidden services’, on internet. He used the Tor-network, a worldwide network that enables anonymous surfing on the internet.

The investigated ‘hidden services’ comprised websites, forums and other hidden meeting places where child pornography images are exchanged. Visitors also communicate in chat channels about the abuse of children and the production and distribution of child porn.

Under responsibility of the National Office (“Landelijk Parket”) of the Dutch Public Prosecutor and with permission of the examining judge of the Rotterdam Court the investigators entered twelve ‘hidden services’ by breaking their security.

Images erased
The investigative team was able to gain administrative privileges to four websites. The two servers hosting the websites turned out to be located in the United States. The National Office of the US Department of Justice was consulted about the investigation in advance. All images, userlists and chats containing personal data that were found on the child porn sites have been handed over to the FBI. It involves tens of thousands of images of abused children. After securing [a copy of] the images [as evidence and/or for further investigation], the servers were completely erased.

On the other eight entered ‘hidden services’ the investigators were not able to gain administrative privileges. They were, however, able to erase the images, after copies were downloaded and secured for further investigation. One of these sites, “Violent Desires”, contained besides child pornography also a discussion forum, where visitors chatted about the kidnapping, abusing and killing of children. On all erased websites, the Dutch police team informed visitors about the investigation.

The police have not gained access to all hidden child pornography websites. On 11 websites the investigators registered themselves as visitors and left behind warnings containing the Dutch police logo. It remains unclear from which countries these ‘hidden services’ were hosted. In total, more than 220,000 child pornographic images and videos were found throughout the investigation.

A first comparison of the photos and videos to material confiscated by police earlier showed that the findings partially contain new and unknown child pornography. It involves recent photos and videos that are no more than five years old. The images will be made available internationally to police services if necessary. On the websites in the United States, investigators found two images that are already known from the Amsterdam case. The involved parents have been informed.

The most important aim in combating child porn is tracing and ending the abuse of children and arresting producers of child pornography. In this investigation the police also want to make clear that neither anonymity inside the Tor-network nor national borders stand in the way of the investigation of child porn.

The investigative team was made up of digital experts of the National Crime Squad, the Specialist Investigation Applications Service (DSRT), police Amsterdam-Amstelland, vice experts of IPOL Service and investigators of other KLPD services. Internet security company Fox-IT provided the team with technical advice, infrastructure and support.

Freedom of expression
The police investigation, which took place during the whole month of August, did not target the Tor-network itself, but the ‘hidden services’ hosting child porn within this anonymous, underground part of the internet. The Tor-network makes internet users anonymous by sending their IP address [sic] via various servers. Originally, Tor was a project of the US Navy.

The network primarily consists of private persons who enable Tor to function with their computers and internet connection. The use of the Tor-network is not by definition criminal. In countries without freedom of expression, for example, Tor is used by journalists and opponents of the ruling regime.

Both the Dutch investigation and the spike in the number of Tor users connecting via bridges happened in August 2011. Correlation, or also causation? [Update: Probably just correlation.] I don’t know what activities were performed during the investigation, but exploring de-anonymization attacks against Tor may fit the Dutch investigators’ aim of identifying those involved in child porn. The press release does not state that Tor hidden services (.onion sites) were the only lead from the Amsterdam case. Failure of Tor-level attacks may be irrelevant to mention in the press release, or preferred not to be disclosed because that would strengthen offenders’ confidence in relying on Tor for criminal purposes. Success might deliberately not be disclosed for the sake of ongoing investigations, or out of fear that criminals will then move to I2P or other systems perhaps less well-studied in digital forensics than Tor. This is all very speculative, of course.

I will update this post to reflect advancing insight, e.g. state “ONLY CORRELATION” if that turns out to be the case. Comment below, or contact me by e-mail (koot=>) or Twitter (@mrkoot).