Update December 26: 2011 is nearly gone and hence, here it is One Year Of Lulz (Part II)
This month I am a little late for the December Cyber Attacks Timeline. In the meantime, I decided to collect on a single table the main Cyber Attacks for this unforgettable year.
In this post I cover the first half (more or less), ranging from January to July 2011. This period has seen the infamous RSA Breach, the huge Sony and Epsilon breaches, the rise and fall of the LulzSec Group and the beginning of the hot summer of Anonymous agsainst the Law Enforcement Agencies and Cyber Contractors. Korea was also affected by a huge breach. The total cost of all the breaches occurred inthis period (computed with Ponemon Institute’s estimates according to which the cost of a single record is around 214$) is more than 25 billion USD.
As usual after the page break you find all the references.
The month of March will go into the annals of Information security. First the breach of RSA, then the issue of fake Comodo Certificates (with the subsequent claim by the Iranian Comodo Hacker) have gradually brought down the (few) certainties the Strong Authentication technologies relied on.
While commenting the beginning of this new era made of very few certainties for our digital identity, I could not help thinking about the (apparently) downward trend to which I was getting used with regards to the strong authentication mechanism adopted for my home banking (be quiet I do not currently have any RSA SecurID tokens, fortunately). Hindsight it could be interpreted as a strange omen (I would suggest RSA to follow the same path).
My first E-Banking contract dates back to 2005, and it was signed with a Regional Italian Bank. In that year, for perfoming operations such as money transfer, I was given a digital certificate stored in a floppy disk (in 2005 sigh!) for electronically signing every transaction. At that time I was firmly convinced that Digital Certificates were the most secure method to strong authenticate transactions, but I never used that certificate since, back in far 2005, a floppy disk was already a thing of the past.
A couple of years later the same bank made a Copernican (r)evolution and decided to dismiss all the certificates in exchange of OTP tokens (not manufactured by RSA but from competitor). Despite some scattered small issues due to a poor IT governance (in a couple of circumstances there was no way to make the PIN to be recognized and I also was victim of a data loss related to the electronic transactions of the previous four months (of course rigorously without backup, even if the operations had effectively been made), I was quite satisfied with the tokens (but not with the bank). Of course needless to say that these kinds of incidents always happened when I desperately needed to complete the transaction.
Five months ago I changed my bank (looking for better conditions) and decided to open a brand new completely on-line account. Well! Guess what kind of device I was given to authenticate the transactions? After a digital certificate and a token, I would have expected at least a PKCS#11 OTP USB Key… Not at all, I was given instead an efficient (but not very elegant or technological) card with a numerical grid composed by 24 triplets. Nowadays for each operation I am asked to insert three numbers each of them belonging to a different triplet randomically chosen between the 24 printed in one face of the card.
Of course even the most fervid imagination could not imagine that the parable of the strong authentication methods for my bank accounts during these years, could be interpreted as a premonition. Actually banks always know more than the devil, especially when it comes to other people’s money, but I must confess, that, although my initial disappointment for the progressive weakening of the authenticated mechanism necessary to sign transactions, in the last month I changed my mind and now I feel more comfortable with a card having impressed a kind of Caesar Cipher (yes I know that is just not the same thing but the comparison is appealing: back to the future!) than with an OTP Token or a certificate.
I was almost thinking of trying the strong authentication via SMS, but just today I realized that it is not particularly advisable, most of all on the iPhone, where the 2FA (Two Factor Authentication) mechanism has just been compromised. Ok I have an Android terminal but maybe is better not to use any mobile terminals, the threats like Zitmo (Zeus in The Mobile), are always around the corner.
I spent some time in reading the declarations of Comodo Hacker, the alleged author of the fake Certificates issued by mean of the compromising of a couple of (sigh!) Italian Comodo Partners, and I found some very interesting points far beyond the single event.
Actually, it had been clear from the beginning that the attack had been performed from an Iranian ISP, feeding the hypothesis of an Iranian Cyber Army action aimed to intercept emails from dissidents in a quite troubled moment from the Middle East after the winds of change blowing from the Maghreb.
Anyway Comodo Hacker was anxious to quickly put the record straight, declaring he was the only author of the attack, and, if one just wanted to involve an army on the event, had to consider that he was the only army, being able to rely on his own experience of 1000 programmers, 1000 project managers, 1000 hackers:
Now, even if the political connotation of the message still makes me think that behind this act there might be a real cyber army (but this is my personal opinion), this is not the real point. The real point is that this attack occurred as a kind of revenge against Stuxnet, and more in general the fact, supported by Comodo Hacker, that the U.S. and Israel where behind it.
Fight fire with fire, fight code with code…
The attack to Comodo Certificates has left a wide impact in the INFOSEC world and probably things will not be the same anymore since in few days all the strongholds, the identity security model relied on, have been miserably compromised (I took the liberty to add the RSA affaire to this event even if there is no evidence so far of a political matrix behind it). But there is another interesting point, and it is the third law of motion (you will not probably know I was a physic in my previous life) which, with not too much imagination, could be applied to infosec as well, if one considers the events that are happening: “the mutual forces of action and reaction between two bodies are equal, opposite and collinear”, which, in few and simple words should sound as: “to every cber-action corresponds an equal and opposite cyber-reaction”. If this is true, this means to me, as an infosec professional, that we will have to get used to similar cyber actions. Also from this point of view things will not be the same anymore…
Armed with this awareness, my mind runs inevitably among the dunes of the Libyan desert, where a civil war is being fought, now sadly familiar to all. Let me fly (but not too much) with my imagination and think that the Civil War will end up with the exile of Mr. Muammar Gaddafi. In this case it is likely to expect that he will find his revenge, not only with real terrorists act, but also with (cyber)terrorist acts, in the wake of the Comodo affaire, which, even if related to Iran, is the first known example of a cyber-terrorist act strictly related not only to the Stuxnet attack, but also to the movements flooding from Maghreb to Middle East, what I called the Mobile Warfare due to the primary role played by the mobile technologies inside these events.
We don’t have privacy in internet, we don’t have security in digital world, just wait and see… These lines can be considered as a kind of Declaration of Cyber-war against everything…
Targets of Cyberwar
Nowadays everything has a stream of bit inside and as a matter of fact is vulnerable to malware. What is happening in Libya (and the consequences on our energy bills), together with the risk of nuclear meltdown in Fukushima is pushing the so called Western world to reconsider its energy policy and accelerate the development of Smart Grids in order to promote a better, wiser use of energy. In these circumstances compromising an energy facility would have a huge practical and symbolic impact (do you remember the Night Dragon APT, tailored specifically for Oil Facilities?), that is the reason why, in my opinion, the first targets of this Cyber-terrorism reaction will be energy utilities. Few weeks ago I wrote an article (in Italian) concerning vulnerabilities and security of Smart Grids, which can be considered the “world of unknown” from a security perspective since they adopt an Internet open model to interconnect old legacy SCADA systems and, to make matters worse, the structures that govern the IT world and the SCADA world have a silo-ed approach being often mutually suspicious against each other. As a dark omen, few days later, a list of 34 0-day SCADA vulnerabilities was released by Luigi Auriemma, an Italian Researcher.
Think about it: compromising a smart grid with a SCADA malware could have potentially devastating consequences and should sound as a kind of dark revenge: imagine an Iranian SCADA malware sabotaging the energy facilities of U.S., and more in general the facilities the Western World is building to cut the umbilical cord that ties him strictly to the Middle East countries (that often are also the hottest as far as the political temperature is concerned).
Moreover, the development of electric vehicles will further complicate the scenario since they will be able to interconnect Directly to Home Area Networks (the borderline of Smart Grids), offering an unexpected (and probably not so complicated) ingress point for Cyber-Terrorists to Smart Grids, if it is true that nowadays a small car owns 30-50 ECU (Electronic Control Units) interconnected by a bidirectional Synchronous bus and governed by something like 100 millions of lines of codes. My dear friend and colleague, ICT Security expert and Aviation Guru, David Cenciotti will be glad to know that an F-22 Raptor owns about one tenth of lines of codes (“only” 1.7 millions), the F-35 Joint Strike Fighter about 5.7 millions and Boeing 787 Dreamliner about 6.5 millions used to manage avionics and on-board systems. Of course one may not exclude a priori that these systems may be target as well of specific tailored malware (do you remember the intrepid Jeff Goldbum injecting on the mother ship of Aliens on Independence Day?)
Prepare ourselves for a Smart Grid Stuxnet? I think there is enough to be worried about for the next years…