Israel looks to have adopted a “wait and see” strategy: these last days of the cyber war have seen almost exclusively actions against that country, without any appreciable response. In a certain sense, most of all on the Israeli side, the cyber conflict seems to have come to a rest, even if new actors have entered the scene, as in the case of the Mauritania Hacker Team, who opened with the leak of 2500 Israeli emails and claimed to have hacked the Central Bank of Israel. Despite these events, the number and intensity of the attacks are no longer those of the early days.
The frequency of the attacks has fallen drastically, partly because the early cyber fighters seem to have disappeared, apart from the AlienZ, who every now and then reappear with some dumps against Arab sites (and not only).
In the meantime, Iran is suffering several sparse attacks from Anonymous, which is targeting that country in the name of #OpIran and, at the same time, attacking its Azerbaijani neighbors, considered close to Israel.
Interestingly, I also found evidence of internal attacks in Iran against reformist websites considered close to former President Mohammad Khatami. The storyline follows the same path in both the real and the virtual world.
Apparently Israel is not responding to the attacks. A temporary truce or a real turnaround?
Cross Posted from TheAviationist.
2011 has been an annus horribilis for information security, and aviation has not been an exception to this rule: not only were the corporate networks of several aviation and aerospace companies targeted by digital storms in 2011 (not a surprise in the so-called hackmageddon) but, above all, last year will probably be remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because, in the episode of the RQ-170 Sentinel downed in Iran, several doubts surround the theory according to which GPS spoofing could have been the real cause of the crash landing).
But, if information security professionals are quite familiar with the idea that military contractors could be primary and preferred targets of the current cyberwar, as the infographic on the left shows, the realization that malware can be used to target a drone is still considered an isolated episode and, even worse, the idea of malware targeting, for instance, the multirole Joint Strike Fighter is still something hard to accept.
However, things are about to change dramatically. And quickly.
The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight control surfaces, communication equipment and armament.
For instance an F-22 Raptor has about 1.7 million lines of code, an F-35 Joint Strike Fighter about 5.7 million and a Boeing 787 Dreamliner about 6.5 million. Anything with built-in code may be exploited; therefore, with so much code and so many current and future vulnerabilities, one cannot rule out a priori that these systems will be targeted with tailored or generic malware for cyberwar, cybercrime, or even hacktivism purposes.
Unfortunately this hypothesis looks closer to reality than one might think, since too often these systems are managed by standard Windows operating systems; as a matter of fact, a generic malware has already proven capable of infecting the ground control stations of the most important U.S. unmanned aircraft flying over Afghanistan, Pakistan, Libya and the Indian Ocean: the Predator and Reaper drones.
As a consequence, it should not be surprising, nor is it a coincidence, that McAfee, Sophos and Trend Micro, three leading players in endpoint security, consider embedded systems one of the main security concerns for 2012.
Making networks more secure (and personnel more educated) to prevent the leak of mission-critical documents and costly project plans (as happened in at least a couple of circumstances) will not be the aviation and aerospace industry’s only information security challenge; the real challenge will be to embrace the security-by-design paradigm and make products secure and malware-proof ab initio.
While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks that have occurred since the very first hack targeting the F-35 Lightning II in 2009.
Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want an idea of how fragile our data are in cyberspace, have a look at the timelines of the main cyber attacks in 2011 and 2012 (regularly updated) at hackmageddon.com, and follow @paulsparrows on Twitter for the latest updates.
As usual the references are after the jump…
February 2012 brings a new domain for my blog (it’s just a hackmageddon) and confirms the trend of January, with a constant and unprecedented increase in the number and complexity of events. Driven by the echo of the anti-ACTA movement, Anonymous has performed a massive wave of attacks, resuming its old habit of targeting law enforcement agencies. From this point of view, this month has registered several remarkable events, among which the hacking of a conference call between the FBI and Scotland Yard and the takedown of the Homeland Security and CIA websites.
The hacktivism front has been very hot as well, with attacks in Europe and Syria (where the presidential e-mail was hacked) and even against the United Nations (once again) and the NASDAQ stock exchange.
Scroll down the list and enjoy discovering the (too) many illustrious victims, including Intel, Microsoft, Foxconn and Philips. After the jump you will find all the references; do not forget to follow @paulsparrows for the latest updates. Also have a look at the Middle East Cyberwar Timeline and the master indexes for 2011 and 2012 Cyber Attacks.
Addendum: of course it is impossible to keep count of the huge number of sites attacked or defaced in the aftermath of the anti-ACTA movement. In any case I suggest a couple of links that may be really helpful:
- List of all vulnerable websites attacked by anonymous Part II (updated daily) (via cylaw.info)
- List of Websites Hacked, Defaced & Taken Down By Anonymous (via valuewalk.com)
Arbor Networks and Radware, probably the two leading vendors focused on DDoS prevention and mitigation, have just published, almost simultaneously (probably not a coincidence), their 2011 reports, which analyze one year of DDoS phenomena with similar methodologies applied to different stakeholders.
These reports are particularly meaningful since they come at a moment in which the waves of DDoS attacks unleashed by #OpMegaUpload are not completely over. To all the (too) many information security professionals whose sleep is disturbed by the booms of the Low Orbit Ion Cannons, I suggest having a look at both documents:
- 2011 Worldwide Infrastructure Security Report issued by Arbor Networks;
- 2011 Global Application & Network Security Report issued by Radware.
As a matter of fact both reports provide a really interesting overview of this kind of attack, which has become the flagship of the hacktivism movement.
From a methodological perspective both reports present the results of a survey: the one conducted by Arbor Networks consisted of 132 free-form and multiple-choice questions covering a 12-month period from October 2010 through September 2011, whilst the one conducted by Radware consisted of 23 questions concerning the DDoS attacks faced in 2011.
The participants in the Arbor Networks survey included 114 self-classified Tier 1, Tier 2 and other IP network operators from the U.S. and Canada, Latin/South America, EMEA, Africa and Asia, whilst the participants in the Radware survey included 135 organizations of large, medium and small size.
Although the two survey populations were not homogeneous, and the analyzed time windows were not exactly the same, I spent some time comparing the results. In both cases the message is clear: DDoS attacks are becoming more and more complex. The two vendors, however, reached the same conclusion with one substantial difference. Does size really matter?
Hacktivism on top
In both cases hacktivism ranks number one among attack motivations. 35% of the Arbor Networks participants reported political or ideological attack motivations as the most common, immediately followed by nihilism/vandalism (31%). Analogously, 22% of the Radware participants indicated a political/hacktivism motivation behind the attacks, immediately followed by “angry users” (12%). Curiously, 50% of the Radware participants indicated an unknown motivation, against 19% of the Arbor Networks participants. Although hacktivism undoubtedly ranks number one, the differences are not surprising: albeit aimed at obtaining the same information, the questions were slightly different. In one case (Arbor Networks) participants were asked to indicate the attack motivations they considered common or very common; in the other (Radware) participants were asked to indicate which motivations, from a defined list, they considered to be behind the DoS/DDoS attacks they had experienced. The different samples of participants may offer a further explanation: Arbor Networks participants are mainly operators, which have more sophisticated equipment to detect and counter attacks, whereas Radware participants are heterogeneous organizations of different sizes, so their responses may be “tainted” by emotive considerations or by a lower level of technical maturity.
DDoS Attacks are becoming more and more complex assuming the nature of APTs
I was particularly impressed by a statement found in the Radware report: “The nature of DoS / DDoS attacks has become more of an Advanced Persistent Threat (APT) and, therefore, much more serious.” The report is also more explicit and suggests that, for instance, during a DDoS attack perpetrated by Anonymous there is an outer ring formed by volunteer self-taught hackers who use LOIC or similar tools (too often without any precautions), and an inner circle formed by skilled hackers who have access to more sophisticated attack methods and tools. The Arbor Networks report substantially agrees with this statement, using the term multi-vector DDoS and emphasizing a shift to application-layer (Layer 7) DDoS attacks. In both cases HTTP is the preferred protocol for application-layer DDoS.
Size matters! Or not?
It is interesting to notice the opposite positions of the two vendors with regard to the importance of size in DDoS attacks. Radware does not consider the size of the attack the primary factor. The first myth to be debunked is that DDoS attacks are necessarily intense: according to Radware, in the observed period 32% of attacks were below 10 Mbps, while 76% were below 1 Gbps. The second myth to be debunked is that the proper way to measure attacks is by their bytes-per-second (BPS) and packets-per-second (PPS) properties: a smaller HTTP connection-based attack can cause more damage with much less traffic than a “traditional” UDP flood.
Arbor Networks has quite a different opinion: its respondents reported a significant increase in the prevalence of flood-based DDoS attacks in the 10 Gbps range. This represents the “mainstreaming” of large flood-based DDoS attacks and indicates that network operators must be prepared to withstand and mitigate large flood attacks on a routine basis. Moreover, the highest-bandwidth attack observed by respondents during the survey period was a 60 Gbps DNS reflection/amplification attack, which however represents a 40 percent decrease from the previous year in terms of sustained attack size for a single attack.
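To make the two vendors’ positions concrete, here is an added example (mine, not taken from either report) that scores per-source traffic both the “Arbor way” (bits and packets per second) and the “Radware way” (HTTP requests per second). The flow records, the source addresses, the thresholds and the DNS query/response sizes used for the amplification factor are all constructed for illustration; a real deployment would feed it NetFlow/sFlow records or web server logs and tune the thresholds to its own baseline.

```python
"""Volumetric vs application-layer DDoS measurement (constructed example).

Two ways to look at the same traffic:
  * bits/packets per second, the natural unit for a UDP/DNS reflection flood;
  * HTTP requests per second, the unit that exposes a low-bandwidth LOIC/HOIC
    style flood that a pure bps/pps threshold never notices.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Flow:
    src: str          # source address (constructed, documentation ranges)
    proto: str        # "udp" or "tcp"
    dst_port: int
    packets: int      # packets seen in the window
    bytes: int        # bytes seen in the window
    requests: int     # HTTP requests carried (0 for non-HTTP traffic)
    seconds: float    # length of the observation window


# Constructed sample: one DNS reflection source, one HTTP flood source,
# one ordinary browsing client.
SAMPLE_FLOWS: List[Flow] = [
    Flow("198.51.100.7", "udp", 53, 2_000_000, 6_000_000_000, 0, 10.0),
    Flow("203.0.113.9", "tcp", 80, 40_000, 4_000_000, 20_000, 10.0),
    Flow("192.0.2.20", "tcp", 80, 300, 150_000, 40, 10.0),
]


def rates(flow: Flow) -> Dict[str, Optional[float]]:
    """Per-second rates for one flow: bps, pps, requests/s, bytes per request."""
    return {
        "bps": flow.bytes * 8 / flow.seconds,
        "pps": flow.packets / flow.seconds,
        "rps": flow.requests / flow.seconds,
        "bytes_per_request": flow.bytes / flow.requests if flow.requests else None,
    }


def classify(flow: Flow, bps_threshold: float = 1e9, rps_threshold: float = 500.0) -> str:
    """Label a flow by the metric that actually catches it.

    A pure bps/pps rule (bps_threshold) catches the reflection flood but lets the
    HTTP flood through; adding a request-rate rule (rps_threshold) catches the
    small-but-expensive attack Radware warns about. Thresholds are assumptions.
    """
    r = rates(flow)
    if r["bps"] >= bps_threshold:
        return "volumetric"
    if r["rps"] >= rps_threshold:
        return "application-layer"
    return "benign"


def summarize(flows: List[Flow]) -> Dict[str, Dict[str, object]]:
    """Map each source to its classification and headline rates."""
    out: Dict[str, Dict[str, object]] = {}
    for f in flows:
        r = rates(f)
        out[f.src] = {"class": classify(f), "bps": r["bps"], "rps": r["rps"]}
    return out


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification of a reflection attack: response size over
    request size. With constructed sizes of a 64-byte query and a 3000-byte
    response the reflector roughly multiplies the attacker's bandwidth by 47."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_FLOWS).items():
        print(f"{src:15} {info['class']:18} {info['bps']/1e6:12.3f} Mbps {info['rps']:8.1f} req/s")
    print(f"DNS amplification (64 B query, 3000 B response): x{amplification_factor(64, 3000):.1f}")
```

Run stand-alone, the script shows the HTTP flood source at about 3.2 Mbps, roughly 1500 times smaller than the 4.8 Gbps reflection source, yet still flagged because it pushes 2,000 requests per second at 200 bytes each. Sorting only by bps would rank it just above the ordinary client.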
At the end…
There are few doubts that DDoS attacks are becoming multi-layered and more and more complex, and that they are mainly motivated by hacktivism. There are also few doubts that the technology is mature enough to provide crucial support in mitigating them. In any case, there is a further element to take into consideration, the human factor: as usual, technology is useless if the IT staff is not prepared to face such attacks, with adequate awareness in terms of procedures and (I would say) culture. As Radware stated, “the very public attacks last year raised awareness of DoS / DDoS and made organizations acquire better and more capable mitigation solutions”, but maybe it is not enough…
The more I look inside the Middle East cyber war between Israel and the Arab hackers, the more I realize that it follows exactly the same shape as the real conflict.
In particular this last week has seen a strong reduction of cyber events between the involved parties, although it is not clear whether this was due to stronger cyber defenses being put in place, or rather a kind of “calm before the storm”.
Among the reported events I considered particularly meaningful the attack on InLightPress, a Palestinian news website, of which I did not find any other report except the one quoted in the infographic, which comes from a pro-Israeli website (this is the reason why this event must be considered with the necessary caution). Maybe it is not directly related to the Middle East cyber war; anyway, it looks like this attack did not originate from Israeli hackers but had rather been “commissioned” by the Palestinian Authority. In the real world political parties or movements have different wings (typically hawks and doves); it looks like this is true for the cyber world as well. On the other hand, some believe that the attack carried out last week against the Israeli newspaper Haaretz, considered close to pro-Palestinian movements, also has an internal origin, which may explain the subsequent apologies by the alleged authors of the attack (BTW at the above link there is an interesting list of the hacks published on pastebin by the Israeli hackers).
Do you believe the descending trend of cyber events will be confirmed in the next period, or is it rather a temporary cyber truce before the digital storm?
One of the most visionary information security predictions for 2012 was the one issued by Fortinet, which coined the term Crime as a Service: “Crime as a Service (CaaS), [...] is just like Software as a Service (SaaS), but instead of offering legal and helpful services through the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching direct denial of service (DDoS) attacks“. At first glance I marked this prediction as exaggerated, but then I could not imagine that I would witness a huge demonstration of it only a few days later. Of course I am referring to #OpMegaUpload when, immediately after the FBI takedown, Anonymous redirected users towards a website where they could DDoS a large group of targets with a simple web click and, most of all, without the need to install the infamous LOIC.
Even if this has been, so far, the most noticeable example, it is not the only one of a malicious tool used as a service for criminal (in this case one-shot) campaigns. More in general, using very familiar terms (borrowed and adapted from cloud terminology), I believe CaaS is assuming three shapes:
- Software as a (Crime) Service or Saa(C)S, in which the criminals offer malicious software (and the needed support) as a service. An example? The latest Zeus variant, dubbed Citadel, recently spotted by Brian Krebs, which provides the purchaser with a help desk and even a dedicated social network;
- Infrastructure as a (Crime) Service or Iaa(C)S, in which the criminals offer malicious services (or infrastructures) to attack specified targets. Services may include complex “traditional” infrastructures such as botnets, but also “innovative” large-scale services such as DDoS, or sharper services such as password cracking. Surf the web and you will discover how easy it is to purchase such criminal services.
- Platform as a (Crime) Service or Paa(C)S, in which the criminals offer malicious platforms that users may adapt to fit their needs. An example? The brand new HOIC (High Orbit Ion Cannon), the new DDoS tool and evolution of the infamous LOIC, which can be regarded as a real malicious service platform that users may tailor to their needs thanks to booster scripts. I believe we are not so far from criminal organizations selling customized booster scripts for every kind of need and, why not, offering support services as well.
Last but not least, these services are self-provisioned, and this is the reason why I used the term “Crime as a Self Service”: in every scenario, be the malicious service a Saa(C)S, Iaa(C)S or Paa(C)S, the user directly selects the target (or the victim), and that’s it!