About these ads

Archive

Archive for March, 2011

PsyOps Tweets

March 30, 2011 3 comments

Only a couple of days after the post dealing with the impact of Internet Connectivity and Social Networks for propaganda (and more in general for PsyOps Operation) my dear friend and Colleague David Cenciotti reported to me an interesting article dealing with the use of  Twitter for psyops campaign (after the tweets of war for aleged military operations I already talked about)… Only a few hours and it happened exactly what I had theorized (even if in a quite sophisticated manner).

As a matter of fact, as reported in the above quoted article, it looks like a patriot hacker, named The Jester (th3j35t3r) used Twitter to send specific messages to erode the morale of the loyalist enemy troops. For sure no one ever before today had never thought of taking so literally the well-known twetter motto “Follow me”, which sounds much better as “Follow My Thoughts”.

This occurrence confirms the need of keeping the internet connections up and running during military operations. Next prophecy? Will we soon see wi-fi drones in the Unified Protector Operation? And Maybe Loyalist hackers performing wardriving against them?

About these ads

Mobile Warfare… Certified…

March 30, 2011 3 comments

In this post I explained that, what I called the mobile warfare (that is social protest driven by mobile technologies and social networks), is rapidly spreading all over the Middle East, apparently with a systematic time scale (so far events in Tunisia, Egypt and Libya have been separated by approximately a month).

Many observers claim that, in the shorter term, Syria and Bahrain could be the next targets of internal protests (last week 150 people were killed in Syria and today the government led by PM Naji Otri has resigned, apparently a quantum shift).

But the wave coming from Maghreb, led by the mobile warfare, seems unstoppable and in the longer term, also Iran and Iraq, the main barriers of fundamentalism, could be affected as well.

Of course, one of the most exciting things of Infosec, is the fact that the reality is always one step ahead of the imagination. As a matter of fact I tried to imagine different ways in which bad guys from totalitarian regimes could prevent mobile technologies and social networks from achieving their scope to encourage citizens to join the protests, including DDoS, Internet connectivity disruption and so on… I could not imagine, however, that one could think to issue rogue certificates for some high profile websites used for email and chat in order, maybe, to intercept cumbersome and subversive communications.

That is exactly what happened with the Comodo Affaire in which some fraudulent certificates were issued by the Comodo Certificate Authority, exploiting a vulnerability of a couple of Italian affiliates (sigh!) globaltrust.it and instantssl.it allowing to issue a legitimate signed certificate on behalf of any requesting entity. This vulnerability was used in order to issue rogue Certificate Signing Request (CSR), that is false request to obtain legitimate SSL certificates for the following web sites:

  • login.live.com
  • mail.google.com
  • http://www.google.com
  • login.yahoo.com
  • login.skype.com
  • addons.mozilla.org

For those of you, who are not too much practical with Public Key infrastructure and Cryptography, this means that, in simple words, once obtained a rogue certificate one may build a false web site (for instance a false mail.google.com website) to capture precious information normally “traveling” on the web encrypted, for instance username and password of private email. This is called a man-in-the-middle attack.

Since it was discovered that the rogue Certificate Signing Request originated from an ISP located in Iran, an alleged political origin for the attack was proposed, motivating it with the attempt of the Iranian government (enforced by a Cyber Army), to intercept communications and more in general emails and chats belonging to political leaders not “too close” to the positions of Mr. Mahmoud Ahmadinejad (mmhh.. at least for the alleged purpose, to me it reminds Operation Aurora, doesn’t it?)

Now, it looks like that a lonely ranger Iranian hacker, not belonging to any army, claimed the to be the only author of hack (at this link the complete history and a detailed analysis of the event). Probably a real Iranian involvement will not ever been confirmed, but to me, the doubt that this action was planned to stop the mobile warfare remains intact. Otherwise I would not be able to understand why only certificates related to secure communication methods were affected, often used by dissidents to organize protests and share news with the world.

Corps of (Network and Security) Engineers

March 29, 2011 7 comments

A couple of posts ago, in the article “Tweets Of War”, I discussed about the possibility to use consumer mobile devices and Internet connectivity as a kind of weapons, for instance to tweet the positions of enemy troops in order to address allied bombs as did, for instance by some rebels in Libya (simply go to twitter.com and issue a search for the tweets by #LibyanDictator.

Of course this fact raises the question of the importance of internet connectivity during military actions, and, as a consequence, also of the importance of information security, which may not be limited to “simple” message encryption: as an example, referring to the above mentioned example, we cannot authenticate tweets so we may not exclude a priori that they are spoofed tweets in order to drive the allied bombs towards the wrong target (we might always think to authenticate them with a Comodo Certificate!).

As a matter of fact, maintaining the internet connectivity has become a primary priority, that is the reason why U.S. army, for instance, is thinking to implement appropriate technologies and countermeasures in order to maintain or restore Internet connectivity during military actions. Times change and I would almost say that what was once considered the corps of engineers, today, in a mobile warfare, should be called  Corps of (network and security) Engineers. What the Corps of Engineers do in the real battlefield (build connections and bridges), the Corps of (network and security) Engineers do in the Cyber-battlefield (build internet connections and connectivity bridges).

Strictly speaking, why maintaining the Internet Connectivity is so important? Of course, the main reason is for the purpose of propaganda in terms of “evangelism to the cause”, gathering of the faithful, and why not, foreign public involvement.  We have seen  so far, how much has been important (and keeps to be important) for the winds of change blowing in the Maghreb, the role of mobile technologies and social networks, at the beginning for spreading the movements (also beyond the boundaries) and then to bear witness to the World of what was really happening, in all the cases playing a crucial role for the advent of the Odissey Dawn operation (while I am writing, you only need to go to Twitter for being spectator of the dramatics occurrences in Libya: from the reporting of events to requests for help, doctors, etc.). This role is much more important during the military operations where, typical case, both parties claim real or alleged success in combat operations, or provide each other the responsibility for civilian casualties.

But a closer look shows an even more important factor, apparently secondary, but probably potentially decisive in a situation similar to the one occurring in Libya where you are fighting a civil war between rebels and loyalists. In a similar context the Internet may play a primary role for conveying PsyOps messages, not only to encourage citizens to join the protests, as it is happening in Syria, where Facebook is being used to gather followers to revolt; but also for opposite purposes convincing rebels to disarm and return back to their families without further bloodshed. This does not sounds new since such a similar operation had been attempted from the Egyptian Government (actually with a tragicomic outcome) by overtaking the main mobile operators and flooding their mobile subscribers with propagandistic messages which were supposed to encourage the younger people to support the falling government and abandon the protests (a complete report at this link in Italian). One might say that this is not a new concept (read for instance the following article issued in 2001), the difference is that, in 2011, both the transmission technologies and, most of all, the reception technologies (read mobile devices) are much more sophisticated and spread making this kind of operation really effective if compared to how it could be ten years go.

Of course there is a further dramatic question to be addressed for psyops messages propagated through the Internet, and it is the one pertaining to information security, some aspect of which I have already addressed in this post. On one hand, whatever message is transmitted through the Internet may be suitable to man-in-the middle attacks and hence hacked if not properly secured throughout the propagation process: hacking in this case would correspond, for instance, to alter, if not invert, the content. What if the above mentioned tweets were spoofed providing false coordinates? Maybe am I flying with the fantasy if I say that the authors could have negotiated a priori with the recipients some predefined semantics with which to transmit the messages.

On the other hand, it is likely that the Corps of (Network and Security) Engineers will not have to worry about only to establish and maintain the internet connectivity in military operations, but also to face, in a cyber-battlefiedl, enemy malware weapons and/or jamming of Denial-Of-Service tools specifically conceived to attack psyops sources at the root (it is appropriate to say!) in order to make them unusable. In any case, they will not have to underestimate in any way  the impact of hacking from a psyops perspective (in favor or against, (just think of echo raised from the recent  Libyan TV hacking).

Mobile Warfare in Syria

March 27, 2011 8 comments

Sources report that last week 150 people were killed during the protests against president Bashar al-Assad in Syria. Also in this circumstance, as already happened in Tunisia, Egypt and Libya, the world is witnessing to the protests thanks to the hundreds of citizen reporters equipped with their mobile devices and Internet connections.

The mobile warfare is acting in these countries too: as a matter of fact the tweets allow to follow the protests in real time, by mean of continuously up-to-date short messages, while Facebook allows the spread of the movements throughout the Nation (and not only): the blue social networks calls to join the revolution, by mean of continuously increasing groups, the largest of which The Syrian Revolution 2011, currently counts more than 90.000 supporters. In the same time, more and more videos shot by mobile devices are flooding YouTube.

In a certain sense it looks like the Middle East is playing a global Risk board game, whose troops are represented by mobile devices, whose effects on the social landscape effects on the social landscape have no geographical boundaries, especially for those governments that restrict the civil liberties of their citizens. This global Risk match is far from the end, since the invasion of the Mobile Warfare (and its effects for the governments)  is also happening in Yemen and Bahrain, which are suffering similar outbreaks of protests. It is interesting to notice that all the peaks of the revolutions were spaced, in a time scale, by approximately one month:

  • Tunisia, Jan 14th 2011: president Ben Ali ousted;
  • Egypt, Feb 11th 2011: president Mubarak stepped down;
  • Libya, March 19th 2011: after two weeks of fight Operation Odissey Dawn begins

If we perform a kind of extrapolation, does this mean that peaks of the protest in Syria and Jordan will reach the maximum at the half of April?

Mobile Warfare spreading into Middle East

Speculation aside, as far as Syria is concerned, what is happening is following the same pattern advised in Maghreb area with the only difference that, so far, Syria did not decide to disrupt the internet connection in order to stop the stream of information towards foreign countries.

From a political and social perspective, all the involved countries have too many aspects in common: long-living governments (in Syria the al-Assad Dynasty governed continuously for 40 years, which become 42 in case of the monarchy of Bahrain), younger generations with no dream and trust on future, eager for more freedom. Most of all, younger generations which have access to internet connections and social networks (I was in Syria for work three years ago and can confirm that, even then, the penetration of internet, mobile technologies and social network was well established), through which they may observe, study (and compare), the (apparently) better conditions of their occidental peers.

I think the process is irreversible, and indeed is likely to increase (Saudi Arabia, Iran and Iraq will probably be suffering other outbreaks in the middle term). Meanwhile will be interesting to notice if the involved governments will apply preventive measures, on large scale, for instance the disruption of the Internet connections, or targeted specifically on mobile devices or preventing to reach the social networks for sharing tweets, groups or videos…

Android Virtual Machine on RIM Tablet, A Security Concern?

The rumors were confirmed and at the end it looks like that the forthcoming RIM Tablet, named Playbook, will be able to run Android Applications. This will be possible thanks to an optional “app player” that will provide an application run-time environment for Android v2.3 code (no mention so far for Honeycomb), allowing users to download Android applications directly from BlackBerry App World and run them on their (future) BlackBerry PlayBook.

This does not sound new to me (at this link an article in Italian in which I discussed about the rumors of an Android Virtual Machine for the Playbook), but in my opinion the point of interest does not rely on the fact that the announced “app player” builds a bridge between the Android and RIM worlds (as a matter of fact the RIM Tablet will offer also a second “app player” for the Blackberry Java applications), but it is really interesting to point out the information security perspective since it looks like that the paradigm Write (Malware Once), Use Many, will undoubtedly come true.

We know that, from the beginning of the 2011, the poor Android is suffering of multiple infections, and this peak of malware is not only due to the fact that the Google platform captured #1 ranking in the mobile platforms but, most of all, to the fact that the number of users which leverage the Android capabilities for professional use is growing day by day. Of course, the effort for developing malware is commensurate  with the value of the target, hence this evidence (together with the fact that Android is an Open Platform and the android market policies are not as strict as the ones from Cupertino) explains why the Android is a little too much sick in this period (and also because, in my opinion, security issues are the main reasons at the base of Mountain View’s decision to hold Honeycomb tight, not making its source code publicly available (at least so far).

Now, the perspective to use the Android as a “malware bridge” to other platforms might sound very appealing to cyber crooks, so this improbable openness from the RIM side could become a little bit embarrassing for Google from an Infosec perspective, further encouraging other malware writers to address their efforts towards the Android. Android Virtual Machine spreading for sure makes life easier for developers but, undoubtedly ends up making it harder (from a security perspective) for users and IT Manager.

And what about the future? It looks like the scenario could become even more complicated since the Android Virtual Machine (the notorious Dalvik, in the middle of a lawsuit against Larry Ellison’s Oracle) could soon land on other devices. As a matter of fact, Myriad, a member of the Open Handset Alliance, which collaborates with Google to develop Android is working for an Alien Android (that is a Dalvik compatible Virtual Machine, called Alien Dalvik) capable to run Native Android application on alien platform, furthermore at the same speed of the Original Android (so, not bad, the malware infections will propagate at the same speed then the original platform). Of course this could sound even more appealing for malware writers.

Definitively the Android is no longer satisfied to be reference platform for the market, rather seems to be pointing to became the reference platform also for malware. Who knows if one day we will ever see an Apple infected by an Android?

Tweets Of War

March 24, 2011 4 comments

In a recent post, I discussed the influence and the role of (consumer) mobile technologies and social networks (“Mobile Warfare”) in the events that are changing the political landscape in the Mediterranean Africa, coming to conclusion that they are setting new scenarios which will have to be taken seriously into consideration by all those governments which still put in place severe limitations to human rights.

To me, “to be taken into consideration” means that all those governments will have to deploy “extreme measures” (hopefully less extreme than completely unplugging the Internet connection as already done by Egypt and Libya) in order to prevent mobile technologies from acting as catalyzers for the protests and also from turning common citizens into real time reporter for the most powerful magazine ever issued: the social network). More realistically these measures might include threats specifically targeted for mobile equipment involving hacking techniques commonly known in the infosec arena, such as Distributed Denial Of Service, or also malware aimed to alter the normal functioning of the devices.

On the opposite Site is also clear that modern army will also deploy “unconventional weapons” targeted to maintain Internet connectivity during military operations, mainly for PSYOPS purposes (or at least I was supposed to believe so). As a matter of fact the tweets, pictures, and videos shot from mobile devices during the dramatic days in Tunisia, Egypt and Libya had a dramatic impact on the foreign public opinion. In Tunisia and Egypt the dramatic images shot  from mobile devices contributed to create the international pressure which led to the fall of their respective governments; in Libya, they acted as an accelerator for the definition of “No Fly Zone” and the consequent “Odissey Dawn” operation.

But there is also another point which makes more and more important to maintain Internet connectivity during military operations and is not simply related to PSYOPS, rather than to real military operations. A simple screenshot of twitter may give a dramatic evidence of this, simply searching the #LibyanDictator term.

It looks like twitter was used by rebels to provide NATO with coordinates of the enemy forces.

More in general, think to have a Mobile device with a GPS, and an Internet Connection, and you may “simply” pass the coordinates of the enemy troops to allied forces…

On the opposite front: think to make mobile devices unusable or, worst case, to alter their GPS with a malware and you may avoid to pass precious information to enemy, or worst, provide him with false coordinates (and watch him bombing his allies in few minutes)…

Probably I am going too much far with my imagination, anyway is clear that war strategists will have to become more and more familiar with virtual (that is made of bit and bytes) mobile (and social networks) battlefields.

Relazione Tavola Rotonda Mobile Security

Ho pubblicato su Slideshare la relazione da me redatta della Tavola Rotonda “Mobile Security: Rischi, Tecnologie, Mercato” tenutasi il 14 marzo a Milano all’interno del Security Summit 2011.

La relazione, che ho inserito all’interno di un thread del gruppo Linkedin Italian Security Professional, è visibile al link sottostante. Ancora un grazie al gruppo che ha ospitato questo interessantissimo appuntamento!

Follow

Get every new post delivered to your Inbox.

Join 3,174 other followers