Thursday, January 31, 2008

Russian Duma Considers Legislation to Curb Nationalist Hate Speech

Last week, the Russian Duma heard a first reading of proposed legislation that would increase government monitoring and control over the Internet. The new law is in "...response to the rising number of cyber crimes and, in particular, to curb increasing nationalist hate speech that is resounding across the Russian internet."

Of course, any control over one type of speech has the potential to be used in other areas:
"However, as some critics have pointed out, the text of the law seems to be wider than this: the center is charged with regulating the "development and use of the internet [sic]."

Anton Nosik, a Russian internet expert, argues that this law raises dozens of questions. First, he thinks the creation of a watchdog might lead to the Chinese approach to internet use, in which users' access to certain sites is limited."

New Russian Internet Watchdog Proposed

Local Government Opposition Website Attacked in Russia

Reuters is reporting an alleged attack against an opposition website in the southern Russian region of Ingushetia. Opposition leaders accuse local political leaders of attacking the website (no details on how, just that it was "hacked") after the website carried information promoting protests against the local government and details of alleged kidnappings and murders.

"The Web site promoted and helped organize a protest on Saturday in which demonstrators armed with petrol bombs clashed with police and burnt a pro-government newspaper office.

On Thursday the Web site was closed, founder Magomed Evloev said, accusing authorities of hacking into the site to try and silence opposition."

Founder says Russian authorities hack critical Web site

Wednesday, January 30, 2008

Tampa Bay Website Supporting al-Qaida Taken Down

A Tampa Bay ISP has removed a website supporting al-Qaida and other jihadists.

"The company, Noc4Hosts, took the action Monday after it was informed about the site by The Tampa Tribune. Noc4Hosts, at 400 N. Tampa St., is in an office building that also rents space to the Tampa district of the U.S. attorney's office.

The Web site includes a graphic interface program that is of special interest to those who monitor jihadi activity. Known as "Mujahideen Secrets 2," it allows for encryption of messages and files."

Local Firm Removes Jihadi Web Site

Saudi Arabia Tightens Internet Use Laws

Saudi Arabia has passed a new law on the use of the Internet in the Kingdom. The law covers a wide range of activity including "terrorism, fraud, pornography, defamation, violating religious values and disregarding public etiquette".
"The new information technology law contains 16 articles, and provides a maximum penalty of 10 years and a SR5 million fine ($1.3 million) for persons found guilty of running web sites in support of terrorist organisations."

Saudi tightens grip on Internet use

U.S. Air Force to Include Cyber Warfare Training in Recruits

In a steady stream of news on the increase in U.S. cyber warfare capabilities, the Air Force announced that cyber warfare techniques will be taught in basic training:

"Every enlisted man and officer will be taught about cyberwarfare in basic training, the Air Force Academy or officer candidate school, [Air Force Brig. Gen. Mark] Schissler said. About 100 students per year will receive more advanced instruction at the Undergraduate Network Warfare Training course at Hurlburt Field in Florida. Graduates of the six-month program will be able to operate a computer like "a weapon system" and will be known as cyberwarriors or cyberoperators, Schissler said. The first class graduated last month.

"The Air Force wants to build offensive and defensive capabilities in cyberspace. A presentation from the Center for Cyberspace Research at the Air Force Institute of Technology states the goal plainly:

"The Air Force "can drop a 2,000-pound bomb anywhere we want. … We need to be able to do the same thing in cyberspace … while denying that ability to any adversary!"

Air Force trains warriors to defend cyberspace

Oxford Study Links Engineer's Mindset to that of Extremists

In an interesting study (sure to be controversial), Oxford researchers have published a paper analyzing the educational backgrounds of Islamist extremists and found that engineers are strongly over-represented among those involved in violent groups:
"We find that graduates from subjects such as science, engineering, and medicine are strongly overrepresented among Islamist movements in the Muslim world, though not among the extremist Islamic groups which have emerged in Western countries more recently. We also find that engineers alone are strongly over-represented among graduates in violent groups in both realms. This is all the more puzzling for engineers are virtually absent from left-wing violent extremists and only present rather than over-represented among right-wing extremists. We consider four hypotheses that could explain this pattern. Is the engineers’ prominence among violent Islamists an accident of history amplified through network links, or do their technical skills make them attractive recruits? Do engineers have a ‘mindset’ that makes them a particularly good match for Islamism, or is their vigorous radicalization explained by the social conditions they endured in Islamic countries? We argue that the interaction between the last two causes is the most plausible explanation of our findings, casting a new light on the sources of Islamic extremism and grounding macro theories of radicalization in a micro-level perspective."
The researchers hypothesize that part of the explanation for this phenomenon is a mindset common among engineers that makes them a particularly good match for Islamist extremism and, to a lesser extent, right-wing extremism.
"We failed to find engineers among left-wing extremists: with the exception of a handful among anarchists, there is hardly any trace of them...

"By contrast, among right-wing extremists, engineers if not over-represented seem at least present. Among 287 right-wing extremists and neo-Nazis in Germany and Austria involved in 33 groups, we found 29 individuals with known higher education 6 of whom were engineers. In the US extreme right, whose ideology often has a strong religious and millenarian underpinning ... and whose members are generally poorly educated, engineers have played a significant role as leaders of several groups: out of seven individuals for whom we were able to establish the degree, four were engineers...

"Still, despite some presence among extreme right-wing movements, regarding the strength of over-representation across different groups and countries, the case of the Islamic radical engineers stands out."

Engineers of Jihad

Tuesday, January 29, 2008

Presidential Directive Places U.S. Government Cyber Security under NSA

The Washington Post reported on the recent signing of a classified National Security Presidential Directive (number 54) that transfers responsibility to the NSA and other intelligence agencies for monitoring U.S. government networks. Previously, NIST performed this function.

The powers of other government agencies were also expanded, according to the report:

"Under the initiative, the NSA, CIA and the FBI's Cyber Division will investigate intrusions by monitoring Internet activity and, in some cases, capturing data for analysis, sources said.

The Pentagon can plan attacks on adversaries' networks if, for example, the NSA determines that a particular server in a foreign country needs to be taken down to disrupt an attack on an information system critical to the U.S. government. That could include responding to an attack against a private-sector network, such as the telecom industry's, sources said.

Also, as part of its attempt to defend government computer systems, the Department of Homeland Security will collect and monitor data on intrusions, deploy technologies for preventing attacks and encrypt data. It will also oversee the effort to reduce Internet portals across government to 50 from 2,000, to make it easier to detect attacks."

The motivation behind the change was:
"...aimed at securing the government's computer systems against attacks by foreign adversaries and other intruders. It will cost billions of dollars, which the White House is expected to request in its fiscal 2009 budget. "The president's directive represents a continuation of our efforts to secure government networks, protect against constant intrusion attempts, address vulnerabilities and anticipate future threats," said White House spokesman Scott Stanzel."
Critics on both sides found fault with the directive. Opponents fear the extended powers of intelligence agencies to monitor communications of U.S. citizens, while proponents believe the directive did not go far enough because it limits monitoring to U.S. government networks:
"Supporters of cyber-security measures say the initiative falls short because it doesn't include the private sector -- power plants, refineries, banks -- where analysts say 90 percent of the threat exists."

Bush Order Expands Network Monitoring

Thursday, January 24, 2008

Conviction in 2007 Estonia Cyber Attack

An Estonian court has convicted the first individual in the 2007 cyber attacks against Estonia.
"Dmitri Galushkevich used his home PC to launch a denial-of-service attack that knocked down the Web site for the political party of Estonia's prime minister for several days..."

He was fined 17,500 kroons (approx. US$ 1,642).

The motive for the attack was to protest the relocation by the Estonian government of a statue to Russian war veterans.

Student Convicted in Attack Against Estonian Web Site

Another article on the conviction is available at:

Estonia convicts first 'cyber-war' hacker: prosecutors

Tuesday, January 22, 2008

Panama's National Assembly Website Vandalised

Intruders vandalised the website of Panama's National Assembly, believed to be in protest for the election of the Assembly's leader who is wanted in the U.S. for allegedly killing a U.S. soldier. The website was replaced with an American flag.
"Officials at the [National] assembly, declining to be quoted by name, said the site has been down since January 9, when a U.S. flag briefly appeared there. One said the cyber attack almost certainly came from the United States."

Hackers bring down Panama assembly's Web site

Monday, January 21, 2008

CIA Analyst Confirms Attacks on US Critical Infrastructure

A CIA analyst has provided information on cyber attacks against U.S. infrastructure. Although the motive is probably financial rather than political, the case demonstrates the risk to critical infrastructure regardless of motive.
"On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge."

In evaluating this type of threat, it is important to recognize the likelihood (or requirement) of collusion with insiders. Security professionals need to understand and address this element when developing both preventive and investigative capabilities in a SCADA environment.

Developing controls to mitigate threats involving collusion requires more than the standard perimeter controls (both physical and logical) normally applied to IT systems. This type of threat requires additional processes that make collusion harder to carry out and easier to detect and investigate if it does occur: separation of duties, two-person approval for changes to control systems, and logging that the operators themselves cannot alter. Too often, organizations fail to apply layered controls of this kind beyond firewalls and other perimeter defenses.

CIA Confirms Cyber Attack Caused Multi-City Power Outage

Friday, January 18, 2008

U.K. Home Secretary Outlines Initiative to Target Online Extremism

The U.K. has announced an initiative to filter extremist information on the Internet.
"[Home Secretary] Jacqui Smith said she wanted to use technology to stop "vulnerable people" being "groomed for violent extremism".

"Because something is difficult, that is no reason not to have a go at it," she added. "The internet can't be a no-go area for government."

Few details were provided as to how this would be done.

Smith targets internet extremism

Details on Chinese Attacks against U.S. Systems

SCMagazine has provided some details on recent attacks of U.S. computer systems believed to have originated in China. While these attacks are often attributed to the Chinese government or the People's Liberation Army, very few details have emerged to support these claims as most data concerning the intrusions is classified.

"[SANS Institute Director of Research Allan] Paller said that empirical evidence analyzed by researchers leaves little doubt that the Chinese government has mounted a non-stop, well-financed attack to breach key national security and industry databases, adding that it is likely that this effort is making use of personnel provided by China's People's Liberation Army.

The “smoking guns” pointing to a government-directed effort are keystroke logs of the attacks, which have been devoid of errors usually found in amateur hack attacks, the use of spear phishing to gain entry into computer networks, and the massively repetitive nature of the assault, the SANS research director said.

“This is not amateur hacking. They are going back to the same places 100 times a day, every day. This kind of an effort requires a massive amount of money and resources,” Paller told"

China has penetrated key U.S. databases: SANS director

Jihadist Use of Online Social Networks

The Combating Terrorism Center at West Point (the U.S. Army military academy) has published an analysis of the use of online social networks by Jihadists and their effectiveness in recruiting.

The article provides an excellent summary of how use, rather than misuse, of the Internet appears to be more important to most extremists:

"In the same way that traditional terrorist training camps once served as beacons for would-be jihadists, online support forums such as Muntada al-Ansar and al-Ekhlaas now operate as black holes in cyberspace, drawing in and indoctrinating sympathetic recruits, teaching them basic military skills and providing a web of social contacts that bridges directly into the ranks of al-Qa`ida. Rather than simply using the web as a weapon to destroy the infrastructure of their enemies, al-Qa`ida is using it instead as a logistical tool to revolutionize the process of terrorist enlistment and training."

"This is the hidden dark side of online social-networking—as a virtual factory for the production of terrorists."

Al-Qa`ida’s “MySpace”: Terrorist Recruitment on the Internet

The same issue (January 2008) also contains an article discussing Al-Qaeda's extensive use of the Internet (see Al-Qaeda and the Internet)

Al-Qaeda and the Internet

The January issue of West Point's Combating Terrorism Center (CTC) Sentinel carries an analysis of Al-Qaeda and its use of the Internet. Of particular interest is the description of the similarities between Al-Qaeda's organization and that of the Internet:

"Al-Qa`ida is a decentralized network of networks with no structure, hierarchy or center of gravity. It is based on a global alliance of autonomous groups and organizations, in a loosely-knit international network. This composition is strikingly similar to the internet with its unstructured network, reliance on a decentralized web of nodes with no center and no hierarchy. The parallel between the two may not be so coincidental: al-Qa`ida adopted the internet and has become increasingly reliant on it for its operations and survival."

Al-Qa`ida’s Extensive Use of the Internet

The same issue also runs a story on the use of online social networking in recruitment (see Jihadist Use of Online Social Networks)

Wednesday, January 16, 2008

Relation between Terrorist Activity, Credit Card Theft and Computer Crime

Credit card fraud is an important tool for many criminal organizations - for both funding and operational support. The Counterterrorism Blog has published an article on the acquisition and use of stolen credit cards by terrorists and the relation to computer crimes.
"The internet not only serves as a learning tool for terrorists but also functions as a mechanism to steal credit card information through hacking, phishing and other means."
The article provides two case studies: Imam SAMUDRA, convicted for the Bali bombings, and Younes TSOULI (see Insight into Al-Qaeda Use of the Internet).
"[Imam] Samudra is technologically savvy and a computer expert. While in prison in 2004, he wrote a jailhouse manifesto. It was an autobiography of his jihadist life. The book contained a chapter, entitled “Hacking, Why Not.” In it, he urged fellow Muslim radicals to take holy war into cyberspace by attacking U.S. computers. Samudra described America’s computer network as being vulnerable to hacking, credit card fraud and money laundering. The chapter did not focus on specific techniques. It focused on how to find techniques on the internet and how to connect with people in chat rooms to perfect hacking and carding skills. It was a course of study for aspiring hackers and carders. Samudra discussed the process of scanning for websites vulnerable to hacking and then went on to discuss the basics of online credit card fraud and money laundering."

Credit Cards and Terrorists

Insight into Al-Qaeda Use of the Internet

The Times Online published an article on Younes TSOULI aka "Irhabi 007", convicted in a U.K. court for "incitement to commit an act of terrorism through the internet."

"What makes Irhabi 007’s case so chilling is the evolution from simply setting up websites to becoming involved in terrorism itself. Increasingly he pined to go to Iraq to fight, and increasingly he became involved with others who were planning attacks. Two men who chatted with Tsouli online travelled from Atlanta, Georgia, to Canada to meet a group of extremists whom they knew from Tsouli’s forums, and then to Washington, where they took what are alleged to be reconnaissance videos of targets such as Capitol Hill. These videos were later found on Tsouli’s computer."

The article also discusses how the use of technology can be a two-way street: it assists computer criminals but can also be used by investigators to track suspects and collect evidence:

"The power of the internet is its ability to put like-minded people in touch from every corner of the world. But the benefits for terrorists can also be an advantage for detectives when they catch a suspect, because they can quickly trace the people with whom the suspect was in contact.

“Once you get on to one guy who’s important in a network, because the structure of a network is flat . . . you get everyone he’s connected to,” Aaron Weisburd explains. “In the old days a terrorist organisation would have a much more hierarchical structure, you would have tight little cells and one guy would know maybe one person one step up and maybe one person one step down, but that’s it. In a network structure, if you get the right guy the whole thing goes down.”

Al-Qaeda’s 007

U.S. Looking At Large Scale Internet Surveillance

Wired magazine published a story concerning the U.S. National Security Agency's interest in monitoring Internet communications to prevent a cyber attack.

The story alleges that much of the data used to justify the need for large scale surveillance is either exaggerated or incorrect.
"The nation's top spy, Michael McConnell, thinks the threat of cyberarmageddon! is so great that the U.S. government should have unfettered and warrantless access to U.S. citizens' Google search histories, private e-mails and file transfers, in order to spot the cyberterrorists in our midst."

NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven, Top Spy Says

Tuesday, January 15, 2008

New Cyber Attacks Directed at Estonia

Reuters is reporting new cyber attacks against Estonia in response to the trial of Russian speakers for rioting last year.

"Estonian news providers said on Monday they had been victims of renewed "cyber-attacks."

Delfi news portal news chief editor Tonu Pedaru said the connection to servers abroad was cut on Friday. "From yesterday, Sunday afternoon, the connection has been restored," he told Reuters.

Estonia's computer emergency response team said the Friday attack was a denial of service attack from machines around the world. This involves repeated requests to a Web site, forcing it to crash or be paralyzed. This was the method used in April.

The Estonian events raised the profile of the concept of a cyber war, involving attacks on increasingly vital Internet infrastructure. Military alliance NATO also took up the issue."
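The two patterns described in this and the January 24 entry above, one home PC hammering a site and a flood of requests "from machines around the world", look different in a web server's access log, and a detector that only watches per-source request rates misses the second. The sliding-window rate check below is an added example written for this post; it is not code from the original page, from Estonia's CERT or from Reuters. It assumes Common Log Format lines in time order, the log lines are constructed inline, and the window and thresholds are illustrative values rather than anything the article reports.

```python
"""Rate-based (D)DoS detection over web-server access-log lines.

Added example for this post; not code from the original page, from
Estonia's CERT or from Reuters. Log lines are constructed below, the
Common Log Format is assumed, and the thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format (assumed), e.g.
# 10.0.0.5 - - [11/Jan/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a CLF line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window=timedelta(seconds=10),
                  per_source_limit=50, aggregate_limit=200):
    """Sliding-window rate check over time-ordered log lines.

    Returns (flooding_sources, aggregate_flood):
      flooding_sources - IPs that sent more than per_source_limit requests
                         inside any `window` (one noisy machine);
      aggregate_flood  - True if requests from all sources combined exceeded
                         aggregate_limit inside any `window` (a distributed
                         attack in which no single source stands out).
    """
    per_source = defaultdict(deque)
    everyone = deque()
    flooding_sources = set()
    aggregate_flood = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash the detector
        ip, ts = parsed
        q = per_source[ip]
        q.append(ts)
        while ts - q[0] > window:      # evict requests older than the window
            q.popleft()
        if len(q) > per_source_limit:
            flooding_sources.add(ip)
        everyone.append(ts)
        while ts - everyone[0] > window:
            everyone.popleft()
        if len(everyone) > aggregate_limit:
            aggregate_flood = True
    return flooding_sources, aggregate_flood


# --- constructed sample logs (not real traffic) -----------------------------
BASE = datetime(2008, 1, 11, 10, 0, 0, tzinfo=timezone.utc)


def _clf(ip, ts):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'


def _sorted_lines(entries):
    return [_clf(ip, ts) for ts, ip in sorted(entries)]


def single_source_flood_log():
    """Light legitimate traffic plus one PC sending 120 requests in six
    seconds: the single-machine pattern."""
    entries = []
    for n in range(1, 6):                       # five ordinary visitors
        for i in range(3):
            entries.append((BASE + timedelta(seconds=i), f"192.0.2.{n}"))
    for k in range(120):                        # 20 requests per second
        entries.append((BASE + timedelta(seconds=k // 20), "10.0.0.5"))
    return _sorted_lines(entries)


def distributed_flood_log():
    """300 distinct machines, one request each, inside five seconds.
    No single source is noisy; only the aggregate is."""
    entries = []
    for i in range(300):
        ip = f"10.1.{i // 250}.{i % 250 + 1}"
        entries.append((BASE + timedelta(seconds=i % 5), ip))
    return _sorted_lines(entries)


if __name__ == "__main__":
    for name, log in (("single source", single_source_flood_log()),
                      ("distributed", distributed_flood_log())):
        sources, aggregate = detect_floods(log)
        print(f"{name}: flooding sources={sorted(sources)} aggregate={aggregate}")
```

The per-source check is what catches the Galushkevich-style single PC; the aggregate check is what catches a botnet whose members each stay under the radar, and in practice its threshold has to come from the site's own measured baseline rather than a fixed number. Note also that this only sees completed HTTP requests: a TCP SYN flood of the kind the Register piece further down describes never produces an access-log line at all and has to be measured from kernel or netflow counters instead.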

Estonia puts four on trial over April riots

Friday, January 11, 2008

U.S. Cyber Command Will Have Both Offensive and Defensive Mission

The U.K. website Computing provides some more details on the new U.S. Air Force cyberspace command (referred to in the article as Afcyber), which will reportedly have a 30,000-strong staff.

"At this stage, plans for the Afcyber centre include three main elements:

- Assessment of US defence systems’ vulnerability to electronic attack, and improvements to their resilience.

- Co-ordination with the physical armed forces to attack enemies with a presence in cyberspace.

- $10m-worth (£5m) of annual funding for the largest ever research centre looking at software application weak points."

The article also mentions other military cyberwar centers:

"The US is not the only country establishing a military command centre for cyber warfare. Canada and Australia have similar programmes. But in the UK, the job is spread around civilian organisations.

The [U.K.] security services carry out intelligence operations in cyberspace. And the Centre for the Protection of National Infrastructure advises businesses."

US looks to military to take on cyber threats: Command centre to be offensive and defensive

Tuesday, January 08, 2008

Simple Technologies Preferred by Terror Organizations

In a reprint of a Washington Post article (the Washington Post requires registration to read), the Seattle Times is carrying an article on the preference of terror organizations for simpler (or no) technology.

Some examples from the article include:

"Overall, terrorist cells around the world have become noticeably more skilled at avoiding detection, European counterterrorism officials and analysts said in interviews. For instance, operatives now commonly use Skype and other Internet-telephone services, which are difficult to trace or bug.

At times, they have displayed a flair for creativity. Defendants convicted last April in a plot to blow up targets in London with fertilizer bombs communicated via chat rooms on Internet-pornography sites in an effort to throw investigators off their trail, according to testimony."

The preference for low-tech is primarily an issue of operational security. The greater the dependence on, and use of, complicated technologies, the greater the chance for detection or opportunity for disruption - a vulnerability is a vulnerability for victim and adversary alike.

In fighting terror, think low-tech

Increased Use of Botnets by Activists

Infoworld published an article discussing the increased use of botnets for politically motivated Denial-of-Service (DoS) attacks. These attacks appear to target political campaigns in Russia and Ukraine.

This article is related to an article in The Register last week but provides a little more information concerning the types of attacks:

"Now new evidence has been discovered that indicates the same sort of political activism believed to have driven the 2007 Estonian Web site attacks not only exists but is becoming more popular.

"We spent some time after the Estonia attacks looking into this part of the world, and we've found evidence of other politically motivated botnet DOS attacks," said Jose Nazario, senior software engineer at Arbor. "It's hard to tell who is responsible for these campaigns, but they definitely appear to be tied to some recent Russian and Ukrainian elections."

Botnets: The new political activism

Monday, January 07, 2008

Recommended Reading: The Dark Web of Cyber Terror

Sammy Elrom has completed his multi-part analysis of the "Jihadist's Dark Web". Part one was reviewed earlier (see Analysis of Jihadist's "Dark Web"). The three-part series explores the threat of terrorist organizations' use (and misuse) of technology and includes case studies and an analysis of both sides of the "cyber terror" debate.

Mr. Elrom's argument can be summed up as:
"What is the likelihood of such a catastrophic event [terrorist cyber attack] to ever unfold? Very high in my opinion, because we’ve seen the extreme changes in the way terrorists use the internet (detailed in Part One on this subject). It makes perfect sense that the almost total reliance on the internet by business, government, military, academia and society in general, only emphasized what a huge target it became for terrorists to hit. Imagine a simultaneous attack targeting a critical infrastructure site like a nuclear power plant and its supporting and connecting network; besides the physical damage and the psychological effect, the collapse of the communication network may send a shock wave of secondary crashes impacting connected, related and remote networks and locations, which like a delayed earthquake shock create an unstoppable ripple effect. And it is not rocket science to comprehend that from the terrorists’ point of view scores of casualties may be the ultimate goal PR wise, but financial havoc and business chaos can be more destructive, because it impacts the immediate lives of everybody."
Each part was published separately on the website:

Part I: The Dark Web Of Cyber Terror – An Inescapable Reality
Part II: The Dark Web Of Cyber Terror - The Threat That Got Lost in Traffic
Part III: Dark Web Terror

Friday, January 04, 2008

Russian Political 'Hackers' Growing Capabilities

The Register has an article with some details of last year's Estonia attack, showing that the attack, while not as organized or sophisticated as it could have been, was nonetheless effective. The article also discusses the growing threat and capabilities of politically motivated computer criminals in Russia:

"By Western standards, the attacks weren't all that sophisticated. They topped out at about 100MB per second, compared with as much as 40GB per second unleashed against some targets. They also employed protocols such as ICMP and TCP SYN, which have been used for so long that they are no longer effective against many hardened targets.

But more recent events may show that politically motivated attackers are growing more savvy. Over the past several months, Nazario has documented attacks on sites belonging to groups on both sides of the Russian establishment. Targets include the Party of Regions, a pro-Russian party led by Ukrainian Prime Minister Viktor Yanukovych; the site of Gary Kasparov, the Russian chess grandmaster turned critic of Russian President Vladimir Putin; and, another dissident site. All attacks have been carried out using botnets, Nazario says."
The article also discusses 'BlackEnergy', a newer and stealthier tool for carrying out distributed denial of service attacks.

'Ragtag' Russian army shows the new face of DDoS attacks

Tuesday, January 01, 2008

A Fine Line between Cybercrime and War? Not Really.

An article was published on the blurring line between criminal attacks and acts of war in cyberspace.

"In the computer age -- and 2008 is definitely in the computer age -- the difference between an act of war and crime is often a matter of interpretation as well as degree.

Attack a nation's highways and railroads, and you've attacked transportation infrastructure. You've also committed an obvious, recognized act of war.

An electronic attack doesn't leave craters or bleeding human casualties, at least not in the same overt sense of an assault with artillery and bombs. However, the economic costs can be much larger than a classic barrage or bombing campaign."

This article, like others, points out the problems and appears to want to label many attacks as acts of war or terrorism. The problem is real but answers are not simple. Cyber attacks are no different from physical attacks - what separates crime from terrorism or acts of war is not the medium or even the impact but the motivation, resources and organization behind the attack.

If a seventeen year old in China vandalizes a website because he disagrees with its content, it is a criminal act. If a nation state (whether directly or indirectly) orchestrates an online denial of service attack against another nation state, it's probably an act of war. The problem is the victim rarely knows who or why they have been attacked.

The difference in cyberspace is that it is very difficult to establish the adversary's motive. Corporations and other organizations rarely investigate the actual source of, or reason behind, an attack, and law enforcement and intelligence agencies are usually ill-equipped, underfunded, or understaffed.

These types of investigations are not impossible, but they are both costly and time consuming. Yet, as society's dependence on information infrastructures grows, so does the impact of attacks. Understanding the nature of the threat is vital to proper response. Simply labeling every attack as 'cyberwar' or 'cyber terrorism' is counter productive. Society - corporations, governments, academia and security vendors - need to invest in new and better methods and technologies to investigate cyber attacks.

Unfortunately, it will probably take a serious attack before this happens.

War -- or Crime -- in Cyberspace

Chinese 'Hackers' Accused in Dissident Website Attack

A website for the group Boxun was attacked with a Distributed Denial of Service attack which began on December 24th. The attack was so severe that the hosting ISP has refused to continue hosting the site.

Site administrators accuse Chinese 'hackers' of the attacks in retaliation for articles written by Chinese dissidents.

The article also reports unnamed sources predicting that China will organize more online attacks to silence critics in advance of the 2008 Olympics.
"Other observers have said recently that China is likely to embark on a coordinated effort to shut up and shut down critics of the Communist regime there in advance of the Olympics in 2008."

Hackers smash Chinese dissident Web site