Wednesday, October 29, 2008

Motivation for Cyber Attacks against al-Qaida Websites

In a classic example of how little is known about the motives of (potential) politically motivated cyber attacks, The Guardian newspaper reports on recent cyber attacks against al-Qaida websites and provides a string of speculation on potential motives including:

  • "...governments are targeting them in a shadowy new front in the "war on terror"

  • "...the websites have fallen victim to Shia groups engaged in tit-for-tat sectarian cyber warfare with Sunnis"

  • "technical problems"

  • "...al-Qaida sympathisers closed the forums themselves because they were too good a source of intelligence for their enemies"

  • "[I]nternet vigilantes"

Cyber-attack theory as al-Qaida websites close

Terrorist Twitters

The Federation of American Scientists has posted a draft report produced by a U.S. Army intelligence unit that looks at several uses of technology by al-Qaida and other terrorist organizations for communications, including the use of the quick messaging system twitter.com.

The short section titled "Potential for Terrorist Use of Twitter: A Red Teaming Perspective" provides background on twitter and discusses its use by activists protesting at the U.S. Republican Convention:
"...extremist and terrorist use of Twitter could evolve over time to reflect tactics that are already evolving in use by hacktivists and activists for surveillance. This could theoretically be combined with targeting. Twitter was recently used as a counter-surveillance, command and control, and movement tool by activists at the Republican National Convention (RNC). The activists would Tweet each other and their Twitter pages to add information on what was happening with Law Enforcement near realtime."

The article concludes with three simple scenarios of terrorist use of Twitter.

The full report can be found at:

Sample Overview: alQaida-Like Mobile Discussions & Potential Creative Uses

Monday, October 20, 2008

Georgian Government Releases Report on Cyber Attacks

The Government of Georgia has released a report concerning the cyber attacks on Georgia originating in Russia. The report provides details of attacks and makes allegations against individuals in Russia responsible for organizing the attacks.

The report directly blames the Russian government for the attacks:
"To help to make a final judgment regarding the cyberwar against Georgia these two declarations from Russian officials can help us to evaluate how Moscow thinks in regard to online warfare. The Russian State Duma deputy and member of the Security Committee Deputy Nikolai Kuryanovich stated in 2006 within a formal Russian parliamentary letter of appreciation to hackers who had taken down several Israeli web sites:
  • "In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."
"Should we interpret this declaration as a statement of intent, or merely a prediction? A few days ago, the Editor of the Russian Online journal cybersecurity.ru, made a similar statement that provides insight into the Russian war aims:
  • “Cyber-attacks are part of the information war, making your enemy shut up is a potent weapon of modern warfare.”


Russian Invasion of Georgia: Russian Cyberwar on Georgia

Friday, October 17, 2008

Recommended Reading: Analysis of Russian Cyber Attacks

Project Grey Goose has released a detailed study of the capabilities and methods used in cyber attacks believed to have originated in Russia. The report gives four high-level findings:

  1. "We assess with high confidence that the Russian government will likely continue its practice of distancing itself from the Russian nationalistic hacker community thus gaining deniability while passively supporting and enjoying the strategic benefits of their actions."

  2. "We assess with high confidence that nationalistic Russian hackers are likely adaptive adversaries engaged in aggressively finding more efficient ways to disable networks."

  3. "We judge with moderate confidence that a journeyman-apprentice relationship will continue to be the training model used by nationalistic Russian hackers."

  4. "We estimate with moderate confidence that hacker forums engaged in training Russian cyber warriors will continue to evolve their feedback loop which effectively becomes their Cyber Kill Chain."

In reading this report, it is striking how similar the techniques used today are to those of historical cyber attacks and espionage. While the software tools used by modern cyber criminals have increased their efficiency by orders of magnitude, the basics are still the same.

Of particular interest is finding 3 concerning the "journeyman-apprentice relationship". This is not a new phenomenon and was seen in the earliest days of network intrusions, especially those with political motivation. For example, during the 1987-88 investigations of the cyber espionage case in which West German nationals were working for the Soviet Union, it was discovered that the five West German principals had set up a network of "apprentice hackers" to assist in network mapping and initial intrusions.

Unfortunately, very little information has been published in open sources concerning the investigation of these early intrusions. Clifford Stoll's 1989 book "The Cuckoo's Egg" documented a small portion of the overall activity and investigation. Some very generalized information concerning the techniques and methods used by the West Germans (and other cases) is provided in: International Intrusions: Motives and Patterns.

The full Grey Goose report is available at:

Russia/Georgia Cyber War – Findings and Analysis

A good summary article is also available from the Washington Post:

Report: Russian Hacker Forums Fueled Georgia Cyber Attacks

Wednesday, October 15, 2008

Computer Intrusions Rise to the Attention of South Korea's Prime Minister

The Prime Minister of South Korea has issued a warning to his cabinet on the growing threat of network intrusions from North Korea and China targeting government information:
"The National Intelligence Service (NIS), Seoul's main spy agency, said it had told [South Korean Prime Minister Han Seung-Soo] that about 130,000 items of government information had been hacked over the past four years."
and:
"The documents largely focused on foreign policy and national security, he [an NIS spokesman] added without elaborating."


SKorean PM warns of hacking threat by NKorea, China (AFP)

Friday, October 10, 2008

Increase in High-Tech Terrorists in India

Indian police are reporting an increase in the recruiting of high-tech individuals to assist in terrorist attacks. Most recent was the arrest of three IT professionals who used computer intrusions to send e-mails just before and after bombings in India:
"Evidence is mounting that recruiters for Islamist terror groups have targeted the information technology and engineering sectors, in a successful effort to give India’s jihadist movement a quantum jump in skills and ideological focus.

"Most of the 15 men arrested in Mumbai on Monday, on charges of participating in the hit-teams which planted explosives in Ahmedabad and Surat, are criminals linked to Pakistan-based ganglord Amir Raza Khan.

"But three men in the group were, till their arrest, believed to be model citizens. Key among them is Mohammed Mansoor Asghar Peerbhoy, who worked as a software engineer at multinational Yahoo India."

India - White-collar jihadists, a cause for growing concern

Saudi Owned Television News Website Attacked

The defacement of Al Arabiya's website, a Dubai-based, Saudi-owned television station, was in apparent retaliation for recent attacks on Shiite websites.

The number of web site defacements continues to escalate between opposing Sunni and Shiite groups:
"Last month, prominent Sunni religious commentator Sheikh Yusuf al-Qaradawi charged that Shiites are "invading" Sunni societies. Also, a tit-for-tat cyber war disabled 900 websites, belonging to both sects, as Shiite and Sunni hackers infiltrated religious websites and uploaded their own messages."

More information on these attacks is available at: Sunni-Shiite hacking war disables 900 websites


Al Arabiya hit by Sunni-Shiite hacking war

Wednesday, October 08, 2008

US Considering Automated Cyber Retaliation

The U.S. Department of Homeland Security is considering the development of an automated system to retaliate against cyber attacks:
"Homeland Security Secretary Michael Chertoff on Friday said he'd like to see a government computer infrastructure that could look for early indications of computer skullduggery and stop it before it happens.

"The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0.""

"Einstein" is the name of the U.S. government's current intrusion detection system.

Homeland Security seeks cyber counterattack system

Sunday, October 05, 2008

More Details on Skype Surveillance in China

As a follow-up to an earlier report, The New York Times published an article with further details of the surveillance of Skype communications in China. Interesting details include how the interceptions were detected:

"The researchers stumbled upon the surveillance system when Nart Villeneuve, a senior research fellow at Citizen Lab, began using an analysis tool to monitor data that was generated by the Tom-Skype software, which is meant to permit voice and text conversations from a personal computer. By observing the data generated by the program, he determined that each time he typed a particular swear word into the text messaging program an encrypted message was sent to an unidentified Internet address.

"To his surprise, the coded messages were being stored on Tom Online computers. When he examined the machines over the Internet, he discovered that they had been misconfigured and that the computer directories were readable with a simple Web browser.

"One directory on each machine contained a series of files in which the messages, in encrypted form, were being deposited. Hunting further, Mr. Villeneuve soon found a file that contained the numerical key that permitted him to decode the encrypted log files.

"What he uncovered were hundreds of files, each containing thousands of records of messages that had been captured and then stored by the filtering software. The records revealed Internet addresses and user names as well as message content. Also stored on the computers were calling records for Skype voice conversations containing names and in some cases phone numbers of the calling parties."
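The detection approach the quote describes, correlating what a user types with outbound connections the client would not normally make, as an added Python example that is not code from the Times article or the Citizen Lab report. The chat log, the connection log, the expected peer 203.0.113.20 and the collection address 198.51.100.7 are all constructed for illustration.

```python
"""Find chat words whose every use is followed by an unexpected outbound
connection, the pattern that exposed the TOM-Skype keyword uploads."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed local chat log: (timestamp, text typed by the user).
CHAT_LOG = [
    ("2008-10-01T09:00:00", "hi, are you free for lunch"),
    ("2008-10-01T09:00:30", "did you read about the taiwan vote"),
    ("2008-10-01T09:01:10", "the meeting moved to 3pm"),
    ("2008-10-01T09:02:00", "taiwan news is everywhere today"),
    ("2008-10-01T09:03:00", "ok see you later"),
    ("2008-10-01T09:04:00", "my cousin flew to taiwan last week"),
]

# Constructed outbound-connection log from a host sniffer: (timestamp, dst, bytes).
# 203.0.113.20 stands in for the peer the client legitimately talks to;
# 198.51.100.7 stands in for the unidentified collection server.
NET_LOG = [
    ("2008-10-01T09:00:01", "203.0.113.20", 412),
    ("2008-10-01T09:00:31", "203.0.113.20", 398),
    ("2008-10-01T09:00:32", "198.51.100.7", 96),
    ("2008-10-01T09:01:11", "203.0.113.20", 401),
    ("2008-10-01T09:02:01", "203.0.113.20", 405),
    ("2008-10-01T09:02:02", "198.51.100.7", 96),
    ("2008-10-01T09:03:01", "203.0.113.20", 389),
    ("2008-10-01T09:04:01", "203.0.113.20", 411),
    ("2008-10-01T09:04:02", "198.51.100.7", 96),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def beacons_after(message_time, net_log, expected_peers,
                  window=timedelta(seconds=5)):
    """Destinations contacted within `window` after a message that are not
    among the peers the client is expected to talk to."""
    return {dst for t, dst, _ in net_log
            if message_time <= parse_ts(t) <= message_time + window
            and dst not in expected_peers}

def trigger_words(chat_log, net_log, expected_peers, min_hits=2):
    """Words that were followed by an unexpected connection on every
    occurrence (seen at least `min_hits` times), with those destinations.
    Ordinary words fail the test because they also occur in messages that
    produced no beacon."""
    seen = defaultdict(int)    # word -> occurrences
    hit = defaultdict(int)     # word -> occurrences followed by a beacon
    dests = defaultdict(set)   # word -> unexpected destinations observed
    for t, text in chat_log:
        extra = beacons_after(parse_ts(t), net_log, expected_peers)
        for word in set(text.lower().split()):
            seen[word] += 1
            if extra:
                hit[word] += 1
                dests[word] |= extra
    return {w: sorted(dests[w]) for w in seen
            if seen[w] >= min_hits and hit[w] == seen[w]}

if __name__ == "__main__":
    # Expected: {'taiwan': ['198.51.100.7']}
    print(trigger_words(CHAT_LOG, NET_LOG, {"203.0.113.20"}))
```

In practice the connection log would come from a packet capture on the monitored host and the chat log from the user's own transcript, so the correlation can be run without any access to the remote server.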

The original report from Citizen Lab can be found at: BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform


Surveillance of Skype Messages Found in China

Friday, October 03, 2008

Study of Terrorist Recruitment in Europe and Use of the Internet

King’s College London has published an in-depth study of jihadist recruitment and mobilization for the European Commission. The paper provides an extensive background and history of terrorist recruitment that started in local mosques and moved to prisons and the Internet. It also discusses the psychological processes and rationalizations involved in recruitment.

The basic structure of online terrorist communications is described:
"Despite the impression of anarchy, the ‘architecture’ of the Islamist militant Internet presence is relatively straightforward. First, there are the official web sites, representing clerics, strategists, or Islamist militant organisations. They are very unstable, but they are often well run and may contain downloadable videos, communiqués, discussion papers and religious rulings, and frequently also provide opportunities for interaction with leading personalities. Second, there are the web forums which are mostly administered and populated by grassroots supporters. The web forums are the soap boxes of the Islamist militant movement, where key debates about the latest news take place, networks are formed, and a real sense of community emerges. Often password-protected, they are also used to exchange videos, training material, and links to other web sites. The third element of the Islamist militant Internet architecture are so-called distributor sites, which include ‘jihadist’ web directories, ‘tribute’ sites, and the web pages of so-called ‘media groups’. These sites sustain the infrastructure of the Islamist militant web presence, as they distribute ‘jihadist’ material and provide updated links on where to locate official sites and web forums. Web forums can also perform the function of distributor site."

The researchers describe two elements of terrorist activity on the Internet:
  1. Internet supported recruitment; and,
  2. Virtual self-recruitment.
These elements can be summarized as follows:
"The Internet has come to play an increasingly important role. The main function is to support ‘real-world’ recruitment (by reinforcing religious and political themes; by facilitating networking; and by creating a climate of exaggeration). In recent years, however, new forms of Islamist militant online activism have emerged, which rely less on human contact and can be described as ‘virtual self-recruitment’."

The paper makes clear that the Internet has not replaced the human element in the recruiting process:
"Realworld social relationships continue to be pivotal in recruitment, therefore, but that does not exclude some role for the Internet altogether. On the contrary, whilst pointing out that the Internet is not the one dominant factor, nearly all our interviewees emphasised that it was important in supporting the process of recruitment."

The study provides several recommendations to combat terrorist recruitment. For online activity they recommend:
"More attention needs to be paid to extremist activities on the Internet. Governments need to become as Internet savvy as the extremists they are meant to counter, which requires investment in staff and technical capacity. Initiatives aimed at monitoring extremist activities on the net are important and welcome, but governments should not shy away from taking disruptive action where necessary. It has become a cliché to say that no extremist site can be taken down for long, but de-stabilising the extremist Internet ‘architecture’ – in particular distributor sites and large web forums – may produce valuable short-term gains. Also, the Internet may be difficult to regulate, but the successes in curbing the distribution of other ‘undesirable’ materials, such as child pornography, may hold valuable lessons for the fight against ‘jihadism online’."

Recruitment and Mobilisation for the Islamist Militant Movement in Europe

Thursday, October 02, 2008

Syria Increases Internet Censorship

The National newspaper in the UAE has an article discussing recent increases in Syrian censorship on the Internet. The article provides a good background on Internet use within Syria and the types of information that are censored:
"And in a sign that the censors are becoming more technologically advanced, a series of software gaps that existed in online controls a few months ago have been closed. It used to be a relatively simple matter for internet surfers to get around the censors using freely available programmes. Now accessing prohibited pages is much more difficult, and requires specialised knowledge."

Syria tightens control over internet

Skype Communications Monitored and Censored in China

Citizen Lab, an Internet and politics research lab at the University of Toronto, has just released a detailed analysis of the interception, blocking and logging of text communications using TOM-Skype (the Chinese subsidiary of Skype).

More importantly, the analysis was made possible by poor security on the servers used to store intercepted and blocked communications and brings into question the complicity of western companies in aiding government surveillance and censorship:
"These findings should serve as a warning for groups engaging in political activism or promoting the use of censorship circumvention technology accessed through services provided by companies that have compromised on human rights. Private and politically sensitive messages sent through new communications technologies are only as secure as the robustness of the security of the technology companies themselves. In this case we were able to access volumes of sensitive data without the cooperation of the company involved due to lax security. There is no reason why an inquisitive government could not do the same.

"Trust in a well-known brand such as Skype is an insufficient guarantee when it comes to censorship and surveillance. This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision."
The report listed the following key findings:

  • The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
  • These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
  • The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
  • Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform

Wednesday, October 01, 2008

Myanmar's Cyber Warfare Capabilities

The Asia Times Online has an extensive article on Myanmar's cyber war capabilities and alleges that it has received training and assistance from China, Russia and Singapore. It also provides some details on the types of assistance and the history of Myanmar's cyber capabilities.

The article also alleges that Myanmar's government is using cyber warfare techniques to disrupt dissident groups around the world:
"...the junta's cyber-warfare specialists appear to have wider designs than just censoring an uncomfortable anniversary and they are receiving plenty of foreign assistance in upgrading their political dissent quashing capabilities."


Myanmar on the cyber-offensive

South Korean Missile Manufacturer Compromised with Malicious Code

This article provides very little information about an alleged breach of computer systems at South Korean guided missile manufacturer, LIGNex1 Hyundai Heavy Industries.

The report states that malicious code was planted "through which they stolen [sic] information."
"A spokesperson said: “The research institute suspects the culprits are Chinese or North Korean hackers but doesn't know specifically what information they stole. In the worst case, the blueprints of missiles and Aegis ship could have been stolen."


South Korean defence suppliers uncover malicious code

Information Security Is "on Vacation" in the U.S.

An interesting commentary on the state of cyber war capabilities and vulnerabilities was recently published by Claremont College stating "[t]he security of America’s information infrastructure is on vacation". The article discusses recent cyber attacks, data losses and the nature of distributed denial-of-service (DDoS) attacks and concludes:
"This type of information espionage and Internet vandalism has the potential to be a serious form of asymmetrical warfare, allowing state actors deniability and providing them with a powerful new tool in intelligence-gathering. International recognition of current U.S. military dominance has driven other nations to find alternative methods of strengthening their strategic position.

"While our dependency on the Internet grows both economically and politically, we need to provide stronger security regulation of government agencies and key industries..."


The State of Computer Security

GAO Report: US CERT's "Baseline Understanding" Inadequate

Last month, the U.S. Government Accountability Office (GAO) released yet another report condemning the Department of Homeland Security's cyber analysis and warning capability.

As previously observed, there is a deficiency in the most basic capabilities to understand (let alone protect) the national information infrastructure. The GAO report concluded:
"In seeking to counter the growing cyber threats to the nation’s critical infrastructures, DHS has established a range of cyber analysis and warning capabilities, such as monitoring federal Internet traffic and the issuance of routine warnings to federal and nonfederal customers. However, while DHS has actions under way aimed at helping US-CERT better fulfill attributes identified as critical to demonstrating a capability, US-CERT still does not exhibit aspects of the attributes essential to having a truly national capability. It lacks a comprehensive baseline understanding of the nation’s critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance [emphasis added]."


This lack of a "comprehensive baseline understanding" is not confined to the U.S. Government; it is also rampant in the private sector where risk and threat assessments are too often a simple compliance check-off with little regard to the quality of analysis. In both the public and private sectors, engineers and other technicians tasked with managing information security are not trained as security professionals who can analyze risks and threats across a single organization let alone across entire information infrastructures and global networks.

This lack of professional competence in the information security industry is one of the key factors driving the continued increase in vulnerabilities, attacks and data and monetary losses despite record investment and spending.

The full GAO report is available online:

CYBER ANALYSIS AND WARNING: DHS Faces Challenges in Establishing a Comprehensive National Capability