About these ads

Archive

Archive for February, 2012

Middle East Cyberwar Update (Part VI)

February 28, 2012 2 comments

Looks like Israel has approached a “wait and see” strategy, as these last days of cyber war have seen almost exclusively actions against that country without any appreciable response. In a certain sense, most of all at the Israeli site, the cyber conflict seems to have fallen into a rest, even if new actors have entered the scene, as is the case of the Mauritania Hacker Team, who opened with the leak of 2500 Israeli emails and claimed to have hacked the Central Bank of Israel. Despite these events the number and intensity of the attacks is no longer that of the early days.

The frequency of the attacks has drastically fallen, even because the early cyber fighters seem to have disappeared, apart from the AlienZ who, every now and then reappear with some dumps against arab sites (and not only).

In the meantime, Iran is suffering several sparse attacks from the Anonymous, targeting that country in the name of #OpIran, and in contemporary attacks its Azerbaijani neighbors considered close to Israel.

Interesting to notice I also found evidence of internal attacks in Iran against reformist websites considered close to former President Mohammad Khatami. The storyboard follows the same line both in real and virtual world.

Apparently Israel seems not to respond to attacks. A temporary truce or a real turnaround?

(At this link you can find the complete Middle East Cyber War Update and follows @paulsparrows for the latest updates.)

Read more…

About these ads

Exclusive Infographic: All Cyber Attacks on Military Aviation and Aerospace Industry

February 22, 2012 2 comments

Cross Posted from TheAviationist.

2011 has been an annus horribilis for information security, and aviation has not been an exception to this rule: not only in 2011 the corporate networks of several aviation and aerospace industries have been targeted by digital storms (not a surprise in the so-called hackmageddon) but, above all, last year will be probably remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because in the RQ-170 Sentinel downed in Iran episode, several doubts surround the theory according to which GPS hacking could have been the real cause of the crash landing).

But, if Information Security professionals are quite familiar with the idea that military contractors could be primary and preferred targets of the current Cyberwar, as the infographic on the left shows, realizing that malware can be used to target a drone is still considered an isolated episode, and even worse, the idea of a malware targeting, for instance, the multirole Joint Strike Fighter is still something hard to accept.

However, things are about change dramatically. And quickly.

The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communcation equipment and armament.

For instance an F-22 Raptor owns about 1.7 millions od line of codes , an F-35 Joint Strike Fighter about 5.7 millions and a Boeing 787 Dreamliner about 6.5 millions. Everything with some built in code may be exploited, therefore, with plenty of code and much current and future vulnerabilities, one may not rule out a priori that these systems will be targeted with specific tailored or generic malware for Cyberwar, Cybercrime, or even hacktivism purposes.

Unfortunately it looks like the latter hypothesis is closer to reality since too often these systems are managed by standard Windows operating systems, and as a matter of fact a generic malware has proven to be capable to infect the most important U.S. robots flying in Afghanistan, Pakistan, Libya, and Indian Ocean: Predator and Reaper Drones.

As a consequence, it should not be surprising, nor it is a coincidence, that McAfee, Sophos and Trend Micro, three leading players for Endpoint Security, consider the embedded systems as one of the main security concerns for 2012.

Making networks more secure (and personnel more educated) to prevent the leak of mission critical documents and costly project plans (as happened in at least a couple of circumstances) will not be aviation and aerospace industry’s information security challenge; the real challenge will be to embrace the security-by-design paradigm and make secure and malware-proof products ab initio.

While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks occurred since the very first hack targeting the F-35 Lightning II in 2009.

Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow @pausparrows on Twitter for the latest updates.

As usual the references are after the jump…

Read more…

Middle East Cyber War Timeline (Part 5)

February 19, 2012 1 comment

Click here for the Middle East Cyber War Master Index with the Complete Timeline.

This week of Cyber War on the Middle East front, has shown a slight change on the Cyber Conflict trend. For the first time since January, psyops have deserved a primary role, maybe on the wake of the video released by the Anonymous against Israel one week ago. Not only the Jerusalem Post calls the video into question, but also argues that it may have been forged by Iran, identifying a state sponsored impersonation behind the entry of Anonymous in this cyber war.

But this has not been the only psyops event as an alleged message from Mossad to the Anonymous has appeared on pastebin, whose beginning sounds like a dark warning: If you want to be a hero start with saving your own lives. Although there are many doubts on its truthfulness, it deserves a particular attention since outlines a new age on psyops, what I call “pastebin psyops”.

But a war is not made only of psyops, so this week has also seen more hostile actions, among which the most remarkable one has been the leak of 300,000 accounts from Israeli Ministry of Construction and Housing. This action had been preannounced by a wave of attacks on primary Israeli sites (which targeted also the PM site), and most of all, has been carried on by 0xOmar, the absolute initiator of this cyber conflict.

Palestine has been targeted as well, and it is really interesting to read under this perspective a statement by Ammar al-Ikir, the head of Paltel, the Palestinian telecommunications provider according to whom cyber attacks on Palestinian websites and internet servers have escalated since Palestine joined UNESCO.

On the Iranian front chronicle report of a failed cyber attacks againstPress TV, Iran’s English-language 24-hour news channel and most of all of a controversial statement by Gholam Reza Jalali, a senior Iranian military official in charge of head of the Iranian Cyber Intelligence, according to whom the country’s nuclear facilities have finally been made immune to cyber attacks. And it is not a coincidence that in this week Iran has kicked off the first national conference on Cyber Defense. A matter that deserves a special attention by Tehran because of the growing number of attacks on Iran’s cyber space by US and Israel. On the other hand, Israel did a similar move one month ago, at very early stage of the cyber conflict.

Read more…

February 2012 Cyber Attacks Timeline (Part I)

February 16, 2012 1 comment

February 2012 brings a new domain for my blog (it’s just a hackmaggedon) and confirms the trend of January with a constant and unprecedented increase in number and complexity of the events. Driven by the echo of the ACTA movement, the Anonymous have performed a massive wave of attacks, resuming the old habits of targeting Law Enforcement agencies. From this point of view, this month has registered several remarkable events among which the hacking of a conf call between the FBI and Scotland Yard and the takedown of the Homeland Security and the CIA Web sites.

The Hacktivism front has been very hot as well, with attacks in Europe and Syria (with the presidential e-mail hacked) and even against United Nations (once again) and NASDAQ Stock Exchange.

Scroll down the list and enjoy to discover the (too) many illustrious victims including Intel, Microsoft, Foxconn and Philips. After the jump you find all the references and do not forget to follow @paulsparrows for the latest updates. Also have a look to the Middle East Cyberwar Timeline, and the master indexes for 2011 and 2012 Cyber Attacks.

Addendum: of course it is impossible to keep count of the huge amount of sites attacked or defaced as an aftermath of the Anti ACTA movements. In any case I suggest you a couple of links that mat be really helpful:

Read more…

Categories: Cyber Attacks Timeline, Cyberwar, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Middle East Cyber War Timeline (Part IV)

February 11, 2012 3 comments
Another week, another wave of attacks between the two cyber contenders (here: Part I, Part II, Part III).

After some mutual attacks in terms of DDoS and defacements (with a new entry from Morocco and a resounding defacement against the Tel Aviv University Security Studies Program website, the head of the National Cyber Defense Authority), this week has seen the revamping of Credit Cards leaks “thanks” to Zcompany Hacker crew, who dumped more than 200 Credit Cards belonging to Israel And United States.

Even considering this latter event, however, the timeline seems to have confirmed the descending trend, with the early actors of both parties apparently quiet inside their virtual shelters (maybe to elaborate new strategies). But in this apparently calm sky a new thunderstorm threatens the horizon: it is the Anonymous which posted a message promising a reign of terror for Israel…

If you have a look to the Middle East nations involved in the cyber conflict which made attacks or suffered attacks (depicted in the map below that does not include U.S. victim of the latest Credit Card leak and France whose Council of Jewish Institutions was hacked earlier in June), you may easily notice that the virtual geopolitics reflect nearly exactly the real ones (the dotted arrow from Iran indicates the uncertainty of the nationality of OxOmar) with the new entry of Pakistani ZHC.

Read more…

DDoS: When Size Matters… Or Not?

February 9, 2012 4 comments

Arbor Networks and Radware, probably the two leading vendors focused on DDoS prevention and mitigation, have just published nearly in contemporary (probably not a coincidence) their 2011 reports which analyze, with similar methodologies applied to different stakeholders, one year of DDoS Phenomena occurred during the last year.

These reports are particularly meaningful since they come in a moment in which the waves of DDoS attacks unleashed by the OpMegaUploadas are not completely gone. To all the (too) many information security professionals whose sleep is disturbed by the booms of the Low Orbit Ion Cannons, I suggest to give a look to both documents:

As a matter of fact both reports provide a really interesting overview of this kind of attack which has become the flagship of the hacktivism movements.

From a methodological perspective both reports provide the results of a survey: the one conducted by Arbor Networks consisted of 132 free-form and multiple choice questions, covering a 12-month period from October 2010 through September 2011, whilst the one conducted by Radware consisted of 23 questions concerning the DDoS faced in 2011.

The participants of the Arbor Networks survey included 114 self-classified Tier 1, Tier 2 and other IP network operators from the U.S. and Canada, Latin/South America, EMEA, Africa and Asia, whilst the participants from the Radware survey included 135 organizations with large, medium and small size;ì,

Although the targets of the survey were not completely heterogeneous, and also the analyzed time windows were not exactly the same, I spent some time in comparing the results. In both cases, the message is clear: the DDoS attacks are becoming more and more complex, but the two vendors came to the same conclusion with a substantial difference. Does really size matter?

Hacktvism on the top

In both cases hacktivism ranks at number one among the attack motivations. The 35% of the Arbor Networks participants reported political or ideological attack motivations as the most common, immediately followed by Nihilism/Vandalism (31%). Analogously, the 22% of the Radware participants indicated a political/hacktivism motivation behind the attacks, immediately followed by “Angry Users” (12%). Curiously the 50% of the Radware participants indicated an unknown motivation, against the 19% of the Arbor Networks participants. Although hacktivism ranks undoubtedly at number one, the difference are not surprising: albeit the questions aimed to obtain the same information, they were slightly different: in one case (Arbor Networks) participants were asked to indicate Attack motivations considered common or very common, in the other case (Radware) participants were asked to indicate which motivations from a defined list, they considered behind the DoS /DDoS attacks experienced. Moreover also the different sample of participants may offer a further explanation. Arbor Networks participants are mainly operator, which have more sophisticated equipment to detect and counter attacks, Radware participants are heterogeneous organizations of different sizes, so their response may be “tainted” by emotive considerations or also by a smaller technological culture.

DDoS Attacks are becoming more and more complex assuming the nature of APTs

I was particularly impressed by a statement found in the Radware Report: “The nature of DoS / DDoS attacks has become more of an Advanced Persistent Threat (APT) and, therefore, much more serious.” The report is also more explicit and suggests that, for instance, during a DDoS Attack perpetrated by the Anonymous there is an external ring formed by the volunteers self-made hackers that use LOIC or similar tools (too often without any precautions), and an inner circle formed by skilled hackers who have access to more sophisticated attack methods and tools. The Arbor Networks report substantially agrees with this statement using the term Multi Vector DDoS, emphasizing a shift to Application Layer (Layer 7) DDoS Attacks. In both cases HTTP is the preferred protocol to convey Application Layer DDoS.

Size matters! Or not?

It is interesting to notice the opposite position of the two vendors with regard to the importance of the size for DDoS Attacks. Radware does not consider the size of the attack as the primary factor: the first myth to be debunked is the fact that not necessarily average organizations might experience intense attacks (according to Radware, in the observed period 32% of attacks were less than 10Mbps, while 76% were less than 1Gbps), the second myth to be debunked is the fact that the proper way to measure attacks is by their bytes-per-second (BPS) and packets per-second (PPS) properties. A smaller HTTP connection-based attack can cause more damage with much less traffic than a “traditional” UDP attack.

Arbor Networks has quite a different opinion: his respondents reported a significant increase in the prevalence of flood-based DDoS attacks in the 10 Gbps range. This represents the “mainstreaming” of large flood-based DDoS attacks, and indicates that network operators must be prepared to withstand and mitigate large flood attacks on a routine basis. Moreover, the highest-bandwidth attack observed by respondents during the survey period was a 60 Gbps DNS reflection/amplification attack, which however represents a 40 percent decrease from the previous year in terms of sustained attack size for a single attack.

At the end…

There are few doubts about the fact that DDoS attacks are becoming multi-layered and more and more complex, and even that they are mainly motivated by hacktivism. There are also few doubts about the fact that technology is enough mature to provide a crucial support to mitigate them. In any case, there is a further element to take into consideration that is the human factor: as usual technology is useless if the IT Staff is not prepared to face such a similar attacks, gaining an adequate awareness in terms of procedures and (I would say) culture. As Radware stated “the very public attacks last year raised awareness of DoS / DDoS and made organizations acquire better and more capable mitigation solutions” but maybe is not enough…

Middle East Cyber War Timeline Part III

February 4, 2012 4 comments

Jan 22: Middle East Cyber War Timeline Part I

Jan 29: Middle East Cyber War Timeline Part II

Feb 12: Middle East Cyber War Timeline Part IV

The more  I look inside the Middle East Cyber War between Israel and the Arab Hackers, the more I realize that it follows exactly the same shape than the real conflict.

In particular this last week has seen a strong reduction of the cyber events between the involved parties, although it is not clear if this was due to stronger cyber defenses enforced, or it was rather a kind of “calm before the storm”.

Among the reported events I considered particularly meaningful the attack of InLightPress, a Palestinian news website, of whom I did not find any other report except the one quoted in the Infographic which comes from a Pro-Israeli Website (this is the reason why this event must be considered with the necessary caution). Maybe it is not directly related to the Middle East Cyber War, anyway it looks like this attack was not originated by Israeli hackers, but had rather been “commissioned” by the Palestinian Authority. In the real world political parties or movement have different wings (typically hawks and doves), it looks like this is true for the cyber world as well. On the other hand, some believe that also the attack carried on last week against the Israeli newspaper Haaretz, considered close to Pro-Palestinian movements, has an internal origin, that maybe explains the subsequent excuses by the alleged authors of the attack (BTW at the above link there is an interesting list of the hack published in pastebin by the Israeli Hackers).

Do you believe the descending trend of the cyber events will be confirmed in the next period, or it is rather a temporary cyber truce before the digital storm?

Read more…

Crime As A Self Service

February 3, 2012 2 comments

One of the most visionary information security predictions for 2012, was the one issued by Fortinet which defined the term Crime As A Service: “Crime as a Service (CaaS), [...] is just like Software as a Service (SaaS), but instead of offering legal and helpful services though the Internet, criminal syndicates are offering illegal and detrimental services, such as infecting large quantities of computers, sending spam and even launching direct denial of service (DDoS) attacks“. At first glance I marked this prediction as exaggerated but then I could not imagine that I should have witnessed a huge demonstration only few days after. Of course I am referring to the #OpMegaUpload when, immediately after the FBI takedown, the Anonymous redirected users towards a website when they could DDoS a large group of targets with a simple web click and most of all, without the need to install the Infamous LOIC.

Even if this has been, so far, the most noticeable example, is not the only one of a malicious tool used as a service for criminal (in this case one shot) campaigns. More in general, using very familiar terms (borrowed and adapted from Cloud Terminology) I believe the CaaS is assuming three shapes:

  • Software As a (Crime) Service or Saa(C)S, in which the criminals offer malicious software (and the needed support) as a service. An example? The latest Zeus Variant dubbed Citadel, recently spotted by Brian Kerbs, which provides the purchaser with help desk and even a dedicated Social Network;

 

  • Infrastructure As (Crime) Service or Iaa(C)S, in which the criminals offer malicious services (or infrastructures) to attack specified targets, services may include complex “traditional” infrastructures such as botnets, but also “innovative” large scale fashioned services such as DDoS or also sharper services such as password cracking. Try to surf the web and you will discover how easy it is to purchase such a criminal kind of services.

 

  • Platform As a (Crime) Service or Paa(C)S: in which the criminals offer malicious platforms that users may adapt to fit their needs. An example? The brand new HOIC (High Orbit Ion Cannon) the new DDoS tool, evoluti0n of the infamous LOIC, that may be assimilated to a real malicious service platform that users may tailor to fits their needs thanks to the booster scripts. I believe we are not so far from criminal organizations selling customized booster scripts for every kind of need and, why not, offering support services as well.

Last but not least this services are self provisioned, and this is the reason why I used the term “Crime as a Self Service”: in every scenario, be the malicious service a Saa(C)S, Iaa(C)S or Paa(C)S, the user selects directly the target (or the victim), and that’s it!

January 2012 Cyber Attacks Timeline (Part 2)

February 2, 2012 1 comment

Click here for part 1.

The second half of January is gone, and it is undoubtely clear that this month has been characterized by hacktivism and will be remembered for the Mega Upload shutdown. Its direct and indirect aftermaths led to an unprecedented wave of cyber attacks in terms of LOIC-Based DDoS (with a brand new self service approach we will need to get used to), defacements and more hacking initiatives against several Governments and the EU Parliament, all perpetrated under the common umbrella of the opposition to SOPA, PIPA and ACTA. These attacks overshadowed another important Cyber Event: the Middle East Cyberwar (which for the sake of clarity deserved a dedicated series of posts, here Part I and Part II) and several other major breaches (above all Dreamhost and New York State Electric & Gas and Rochester Gas & Electric).

Chronicles also reports a cyber attack to railways, several cyber attacks to universities, a preferred target, and also of a bank robbery in South Africa which allowed the attackers to steal $6.7 million.

Do you think that cyber attacks in this month crossed the line and the Cyber Chessboard will not be the same anymore? It may be, meanwhile do not forget to follow @paulsparrows to get the latest timelines and feel free to support and improve my work with suggeastions and other meaningful events I eventually forgot to mention.

Read more…

Categories: Cyber Attacks Timeline, Cyberwar, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Follow

Get every new post delivered to your Inbox.

Join 2,898 other followers