Friday, February 27, 2009

Political Motivation Still Top Motive for Web Defacement

Breach Security, Inc has released its annual report analyzing web page defacement. The study found that although financial motivation for web attacks is increasing, political and ideological motivations are still the primary drivers:
"On the other end of the spectrum, the ideologists use the Internet to convey their message using Web hacking. Their main vehicle is defacing web sites."
"When further analyzing defacement incidents, we found that the majority were of a political nature, targeting political parties, candidates and government departments, often with a very specific message related to a campaign. Others have a cultural aspect, mainly Islamic hackers defacing western web sites."

The report also looks at who is targeted most often for web defacements:
"Government is a prime target due to ideological reasons, while universities are more open than other organizations. These statistics, however, are biased, to a degree, as the public disclosure requirements of government and other public organizations are much broader than those of commercial organizations..."

"On the commercial side, Internet-related organizations top the list. This group includes retail shops, comprising mostly e-commerce sites, media companies and pure internet services such as search engines and service providers."


Wednesday, February 25, 2009

A New Military Branch for Cyber Warfare?

IANewsletter has published an article (starting on page 14) looking at the need for a separate cyber branch of the U.S. military on par with the Army, Navy, Marines and Air Force.

The authors review the historical context of the existing branches and the unique nature of cyber warfare:
"...occasionally, a new technology is so significant that it creates a discontinuity in the conduct of war that necessitates creation of an entirely new military service. This situation occurred in the United States, resulting in the formation of the Air Force in 1947. The advent of air power fundamentally altered the conduct of warfighting and drove the transformation of the Army Air Corps into the United States Air Force.

"The revolution in cyberwarfare places today’s militaries at a similar cusp in history and necessitates the formation of a cyberwarfare branch of the military, on equal footing with the Army, Navy, and Air Force."
"Cyberwarfare is fundamentally different from traditional kinetic warfare. National boundaries in cyberspace are difficult, if not impossible, to define. Lawyers and pundits are still debating the formal definition of an “act of war.” Asymmetries abound and defenders must block all possible avenues of cyber attack. An attacker need only exploit a single vulnerability to be successful."
The article then discusses why it would be better to have a separate military branch rather than trying to integrate cyber capabilities into each existing branch:
"The cultures of today’s military services are fundamentally incompatible with the culture required to conduct cyberwarfare. This assertion in no way denigrates either culture. Today’s militaries excel at their respective missions of fighting and winning in ground, sea, and air conflict; however, the core skills each institution values are intrinsically different from those skills required to engage in cyberwarfare. Cyber requires a deep understanding of software, hardware, operating systems, and networks at both the technical and policy levels."

Army, Navy, Air Force, and Cyber—Is it Time for a Cyberwarfare Branch of Military?

Monday, February 23, 2009

Russian Consulate Website Attacked to Protest Sinking of Ship

Several sites are carrying information concerning an attack on the website of the Russian Consulate in Shanghai to protest the Russian Navy's sinking of a Chinese ship as it tried to escape after being impounded for alleged smuggling.

The website was defaced with a protest message:
“Russia invaded our territory to kill people from the People’s Republic. Hack done for the Chinese crew of controversy! Russia must be punished! ! ! Hacked BY: Yu”
Yu is described in the article as "a network security enthusiast that has been defacing Chinese, Japanese, Korean, Taiwanese and U.S. sites for a while, but had to give up his activities due to college studies."

Chinese hackers deface the Russian Consulate in Shanghai (ZDNet)

Chinese hackers take down Russian Consulate website (Dark Visitor)

Azerbaijan Cellular Website Attacked from Iran

From a very short article describing an attack on the website of Catel, Azerbaijan’s first CDMA operator:
"Iranian hackers, who describe themselves as “Balck [sic] Hats”, changed the appearance of the index page by posting a banner which reads that they will destroy the websites of companies with a US and Israeli stake."

Hackers attack Azerbaijan’s first CDMA operator’s website

Tuesday, February 17, 2009

New Arrest in Indymedia Investigation in the U.K.

The investigation of the online activist site Indymedia, discussed here several weeks ago, continues in the U.K. with the arrest of an individual hosting a server for the group. Police are investigating the publication of personal information belonging to a judge in an animal rights trial.

This case is an excellent study of the conflicting issues related to free speech and political dissent, the need to investigate crimes, international and cultural differences concerning privacy, and how laws passed to give investigative powers in one area (terrorism) are quickly applied in unrelated areas (invasion of privacy).

Indymedia's view of the situation and events is provided below:

"This Monday, Kent Police arrested a man in Sheffield under the Serious Crime Act 2007 in relation to the recent Indymedia server seizure. His home was raided, all computer equipment and related papers taken. He was released after eight hours. The person had neither technical, administrative nor editorial access to the Indymedia UK website. He was only associated with the project by hosting its server.

"The arrest took place under Sections 44-46 of the Serious Crime Act, which was passed into law on 1st October 2008 to combat serious international crime like drug trafficking, prostitution, money laundering and armed robbery. Sections 44-46 refer to “encouraging or assisting offences”.

"Kent police claim that they are after the IP address of the poster of two anonymous comments to a report about a recent animal liberation court case, which included personal details of the Judge. The IP address of the poster is not stored as Indymedia does not log IP addresses. This was acknowledged by British Transport Police in 2005, after the Bristol IMC server seizure.

"For the police to arrest the person who happened to sign the contract for server hosting, is sheer intimidation, in light of Indymedia’s openly stated policy of no IP logging.

"With the implementation of the EU Data Retention Directive in March 2009, the UK government attempts to turn every internet service provider in the country into part of the law enforcement apparatus. This legislation will provide a legal basis to track, intimidate, harass, and arrest people who are doing valuable and necessary work for social change, for example as peace activists, campaigners for economic and social justice or against police brutality."

Also of interest are the comments to this post discussing activists' perceptions of this situation and similar issues encountered by other political activists around the world.

Friday, February 13, 2009

DNI: Cyber Security a Top U.S. National Security Issue

The U.S. Director of National Intelligence, Dennis Blair, has provided his annual threat assessment to Congress. His Statement for the Record has been published and cyber security issues are defined as a major threat to the United States. Mr. Blair's statement includes the following summary of the threat (emphasis has been added):

"A growing array of state and non-state adversaries are increasingly targeting—for exploitation and potentially disruption or destruction—our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious. The Intelligence Community expects these trends to continue in the coming year.

"We assess that a number of nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection. Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector. Terrorist groups, including al-Qa’ida, HAMAS, and Hizballah, have expressed the desire to use cyber means to target the United States. Criminal elements continue to show growing sophistication in technical capability and targeting and today operate a pervasive, mature on-line service economy in illicit cyber capabilities and services available to anyone willing to pay. Each of these actors has different levels of skill and different intentions; therefore, we must develop flexible capabilities to counter each. We must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.

"We expect disruptive cyber activities to be the norm in future political or military conflicts. The Distributed Denial of Service (DDoS) attacks and Web defacements that targeted Georgia in 2008 and Estonia in 2007 disrupted government, media, and banking Web sites. DDoS attacks and Web defacements targeted Georgian government Web sites, including that of Georgian President Saakishvili, intermittently disrupting online access to the official Georgian perspective of the conflict and some Georgian Government functions but did not affect military action. Such attacks have been a common outlet for hackers during political disputes over the past decade, including Israel’s military conflicts with Hizballah and HAMAS in 2006 and 2008, the aftermath of the terrorist attacks in Mumbai last year, the publication of cartoons caricaturing the Prophet Mohammed in 2005, and the Chinese downing of a US Navy aircraft in 2001."
The report also discusses online activity by organized crime.

Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence

Recommended: Detailed Report on the State of Network and Information Security in Europe

For anyone who deals with cyber security issues in Europe, it is always a challenge to keep up with each member country's initiatives, institutions and regulations. A new report looks to be a valuable resource in navigating the complex European environment.

The European Network and Information Security Agency (ENISA) has published an extensive (over 600 pages) report on network and information security in its 30 member countries (the 27 EU member countries plus 3 members of the European Economic Community). This report is an excellent who's who of cyber security in Europe.

The report is structured by country and provides details of cyber security activities including:
  • General country information including statistics on IT use;
  • The major governmental and private stakeholders that set and implement cyber security policies and their relationships;
  • An overview and detailed look at current initiatives, focus points and activities of each entity;
  • Cyber security events taking place in each country;
  • Cyber security trends including information on security breaches.
An excellent reference on the state of cyber security in Europe. Let's hope they plan to keep it updated.

ENISA Country Reports

Chinese Cyber Attacks Back in the News

Attacks from China have resurfaced in the news, although it's difficult to determine from the coverage if these are new attacks. In a recent interview, Rep. Bennie Thompson, Chairman of the House Homeland Security Committee, provided a few details concerning attack targets:

"Currency trading is among the financial networks targeted by hackers, Thompson said. An attack would be particularly damaging in light of the financial system’s troubled state, he said.

"He said electric utilities’ networks also have several points of weakness.

“We were provided alarming data on the vulnerability of our electrical grid in this country,” he said."

China strongly denies the allegations:

“Allegations that the Chinese government is behind cyber attacks against the U.S. computer networks are totally unwarranted and misleading for the America public,” Wang [Baodong, a spokesman for the Chinese Embassy in the U.S.] said in an e-mailed statement.

Wang said the Chinese government is “cracking down” on computer hacking and other cyber crimes.

Chinese Hackers Attack U.S. Computers, Thompson Says

Tuesday, February 10, 2009

More 'Political Hacking' in India

CyberMedia India Online (CIOL) looks at politically motivated computer crime in an article with the subtitle "Imagine if computer hackers, the daredevils of the networked world, turn into principled political activists".

The article mostly reviews incidents around the world, not all with political motivation. However, it does discuss some recent activity in India related to attacks that are alleged to have originated in Pakistan or are in support of Islamic causes:
"In a virtual act of mocking the cyber crime department of the police, the official website of the Andhra Pradesh Crime Investigation Department (CID) was hacked and defaced recently. Though no one has publicly claimed responsibility for the act, the abusive message posted on the website points to some Islamic fundamentalist group.

"The group had hacked nearly five Indian sites, including that of the ONGC, in a 'retaliatory' action against the hacking of the site of Pakistan's OGRA (Oil and Gas Regulatory Authority).

"Amidst reports from all over the world regarding hacking celebrity sites and other websites, the community site of the former President of India, Dr. APJ Kalam, in Orkut World, was recently targeted by Pakistani hackers."

Is hacking a war tool?

"Cyber War" to Protect Sharia Law?

In an article titled "Protection of Sharia (Islamic Law) and social reforms in AIMPLB [All India Muslim Personal Law Board]" the India-based ShahilOnline website is reporting on recent speeches given by Islamic scholars to more than 25,000 people.

During one of these speeches, the issue of cyberwar and technology came up:
"Moulana Salam Nadvi in his address said that the younger generation of the community should obtain higher education particularly they have to gain proficiency in the field of 'Information Technology' not for the purpose of accumulating wealth by getting employment in American companies in Bangalore, but to fight against the cyber-war being waged by anti-Islamic lobby particularly by western media [sic]."

Protection of Sharia (Islamic Law) and social reforms in AIMPLB

Monday, February 09, 2009

Why Are There No Internet Terrorist Attacks?

Strategy Page posted an analysis of the fact that we have not seen a significant Internet based terrorist attack:
"The Internet Jihad (struggle) has been mostly smoke, and very little fire.

"Attempts by terrorists to recruit hackers have had very poor results. There are a growing number of programmers and Internet specialists in the Moslem world, but most of them have legitimate jobs in software firms, or maintaining software and Internet services for companies."

The article also rightly points out that what little activity we have seen has been ineffective and isolated:

"At most, there have been some defacing of web pages, often by hackers driven more by nationalism than religion."

The post goes on to explain categorically why:

"Counter-terrorism organizations know why there have not been more of these attacks by al Qaeda, or any other self-proclaimed Islamic warriors. The fact is that the Islamic terrorists are not nearly as well organized or skilled as the mass media would lead you to believe."
The premise that we are not seeing major cyber terrorist attacks is correct, but I disagree with the conclusion. The potential of the Internet lies in the fact that it does not take a lot of organization to exploit its strengths (positively or negatively). This is why an individual or small (unorganized) group can have a presence and voice on the world stage. As the article points out, "there are Cyber War tools available that even the poorly educated terrorist computer user could operate."

If a group has the organization to recruit a suicide bomber, they have at least the potential to launch a cyber attack. Furthermore, if the almost chaotic organization of various hacktivist protesters can launch (mostly ineffective) cyber attacks, then most terrorist organizations could do at least the same; and that's the key - the effectiveness of these types of attacks.

A more likely explanation is that they choose not to use them for the same reason that they choose not to carry out low-level physical attacks - only a large, physical attack causes the damage groups such as al-Qaeda believe furthers their cause - creating fear and inspiring their followers. Even the best DDoS attack would only cause temporary outages. It might gain some headlines (which the hacktivist is happy to have) but would hardly inspire uneducated Jihadists in the slums of Middle East cities to rise up.

Terrorist groups do see the power of the Internet for communication, intelligence gathering and propaganda and will continue to use it for these purposes. Only if they truly believe a cyber attack will further their cause will they be motivated to carry one out. Even then, it won't have the same impact as a physical attack - inconvenience does not translate to fear.

What Happened To The Internet Jihad?

Indian Summary of Davos Discussions

The Hindu Newspaper's Business Line reports on the discussions of cyber crime at the World Economic Forum in Davos and provides an Indian perspective:

"We, in India, have often seen reports of many Government of India Web sites being defaced, possibly from attacks originating from Pakistan.

"Fortunately these have been isolated instances, not amounting to a major cyber war. There is, however, no room for complacence. The government may not be able to share with us all that it has done to protect systems in India. We will have to rest content with the belief that we remain in a perpetual state of alertness to meet a severe challenge from neighbouring countries."

Don’t let down guard

Thursday, February 05, 2009

Guessing at the Source of Cyber Attacks

Yet another example of how difficult it is to determine both motive and source of cyber attacks. As with most "cyber war" attacks, it is pure speculation as to who is behind the latest activity against Kyrgyzstan and arguments can be made for any number of sources.

The New York Times has an article discussing two different possibilities for the most recent Kyrgyzstan attacks:
  1. Russian "cyber-militias" are attacking to intimidate the Kyrgyzstan government for any number of reasons; or,
  2. Kyrgyzstan hired Russian "hackers" to attack itself in order to "crackdown on an opposition party in Kyrgyzstan that uses the Internet to organize".
This is the danger: Without better intelligence and investigative capabilities, it will be next to impossible to determine exact source and motive. This leads to an inability to respond properly to a cyber attack or, potentially worse, responding inappropriately.

I have been involved in numerous complex, international cyber investigations where the source and motive were determined. However, it is almost never simple and requires extensive intelligence gathering and analysis (beyond basic Internet traffic analysis). This requires time and expenses beyond what most organizations are willing to invest in. Yet doing anything less leaves only guesswork.

Also see Analyzing Goggle Attacks - Plenty of Room for Error

Are ‘Cyber-Militias’ Attacking Kyrgyzstan?

NATO Officers Targeted by Trojan Code

This BBC article looks at several aspects of NATO cyber defenses including Trojan code that is specifically designed and targeted to NATO officers for espionage purposes:

"Mr Anil reveals that there has been more than one incidence of Nato officials being socially profiled, and then subjected to "targeted trojans".

"He explains how their unseen adversaries gather as much information as possible about the individual then send them an email purporting to come from a friend or a relative."

Nato's cyber defence warriors

Convergence of Electronic and Network Warfare

The Fort Leavenworth Lamp discusses the convergence of traditional electronic warfare (EW) with computer network operations (CNO):
"In the operational environment, the lines between CNO and EW are blurred," [Lt. Col. John] Bircher said. "We can use EW to disable our enemies' cellular phone device or we can use CNO to deny the device's access to its network."

"Do we use CNO or EW to deny our adversary, and does it matter to the tactical commander?" Bircher continued, "and in our conceptual research we found that it didn't matter. What's important is controlling the data, the bandwidth and the electromagnetic spectrum."

Electronic Warfare Proponent: Changes by adversaries, advances in technology drive EW's operational importance

Thailand Struggles with Internet Content

The Bangkok Post ran a lengthy article discussing the issue of freedom of speech and control of inappropriate content. Much of the article is concerned with controlling disparaging comments made online about the Thai Monarchy.

The article provides an excellent example of how each culture is struggling to deal with these issues and the difficulty in enforcing any regulations that are passed:
"Blocking content on over 2,000 web sites just prevents Thai residents accessing them while others worldwide still can. This method therefore cannot truly protect the honour of the monarchy," added Chiranuch Premchaiporn, director of Prachathai, an online news web site.

"The ICT [Information and Communication Technology] Ministry's combative stance on cyberspace is viewed as another draconian measure, in addition to the Computer Crime Act 2007 that deals with cyber-dissidents or online criminals. But the group at the seminars fears that such extreme measures will do more harm than good.

"We support the law and the policy to handle such crimes as hacking, deception, child pornography, pirate video clips, and theft of personal information, but the measure that allows state agents to block and close web sites can also lead to a violation of freedom of speech and limits public access to information," said Supinya Klangnarong, CPMR [the Campaign for Popular Media Reform]."


Wednesday, February 04, 2009

Social Networks Limit Undercover Work

Yet another "security" issue with social networks - intelligence agency recruitment:

"Herein lies the problem: if you're planning on having a second identity for undercover work, it doesn't help if your photos, friends and real name are splattered all over various social networking sites. Try finding a student at a university who hasn't done just that.

"The UK's intelligence agencies are worried. From schoolchildren on Bebo, through Facebook-obsessed young professionals, to well-networked CEOs on LinkedIn, having an online presence is a must in this day and age. But with the explosion of social networking sites, it has become virtually impossible to find recruits who don't have some sort of an online trail."

I would expect this to be a similar problem for law enforcement...

Social networking websites make recruiting spies difficult

Cyber Security Is a National Security Problem for the United States

Vice Adm. Carl Mauney, deputy commander for the U.S. Strategic Command, told the 2009 Network Centric Warfare conference that "cyber security is a national security problem".

During his presentation he told the audience some of the problems the DoD is facing and that cyber defense required better coordination of effort:
"Also complicating cyber sleuths’ lives is the world’s billions of eye-blink-fast interconnected computers. But keeping up is vital. “Cyberspace has become a warfighting domain like land, sea, air, space,” Mauney told attendees. “And in light of growingly astute cyber enemies, it’s in our interest to maintain freedom of action,” he said.

"However, he cautioned, “It can’t be done in isolation.” There’s a “compelling need to integrate all elements of cyberspace operation and to [move] at net speed.” This is because the DOD on a daily basis faces millions of denial-of-service attacks, hacking, malware, bot-nets, viruses and other ruinous intrusions, some of which are associated with nations and nation-states, he said."
More importantly, Admiral Mauney stressed the need for individual accountability:
"What is needed is “a focus on accountability, from leadership to the user level. Our mindset needs to reflect the way we treat other military systems,” he said. “We don’t accept substandard performance in maritime, air and ground ops — and this is no different.” [emphasis added]

Hear, hear!

Greater cooperation needed to defeat cyber enemies

Europe Needs More Work on Cyber Defense

Trend News in Azerbaijan is reporting on a German DPA interview with Estonia's Minister of Defense concerning European readiness to defend against cyber attacks:

"For the time being, Europe's capability to defend itself from cyber-attacks is on the level of some of the capabilities of member states. Little value-added on the European level has been developed: we need to do more," he [Estonian Defence Minister Jaak Aaviksoo] said.

"In particular, the 27-member bloc must work harder to coordinate the efforts of various national defence and law-enforcement agencies and push for better cooperation with third countries which can serve as a safe haven for web-based attackers, he said."

Minister: Europe has not yet done enough on cyber-defence

Monday, February 02, 2009

Indymedia Server Seized - A Lesson in Network Resilience

Indymedia - one of the largest international clearinghouses of news and information for social activism - was recently raided by police in the UK. The raid was apparently the result of an investigation into the publication of personal information belonging to a trial judge in a comment to an article on an animal rights trial.

Indymedia had already removed the offending article per their own policies; however, police seized a server containing a large quantity of information:
"...seizing this server they [the police] are not only getting information on Indymedia but also on wholly unrelated groups."
However, the seizure of the server did not interrupt Indymedia operations. Indymedia's network is highly distributed and redundant with extensive mirroring of data:
"As with previous cases, Indymedia UK stayed online this time. This was possible due to a system of "mirrors", which was set up to protect the technical infrastructure of the alternative media project. Despite the resource intensive interruptions caused by server seizures, the DIY-media activists continue to provide a platform for "news straight from the streets"."
Although it appears the police were not attempting to censor the information, this case shows the flexibility, power and dynamic nature of online communication. However, this resilience cuts both ways: activists and other politically motivated sites are difficult to censor or disrupt, but likewise, when commercial or government sites are the target of online protests by hacktivists, those attacks often have limited or no operational impact on their targets for the same reason.

Other case studies of this phenomenon are documented in Hacktivism and Politically Motivated Computer Crime.

Police Seize UK Indymedia Server (Again)

Turkish "Hacker" Spied for PKK

The Turkish news site Today's Zaman is reporting that a "hacker" originally arrested for theft is now accused of supporting the Kurdistan Workers' Party (PKK).

Analysis of his system and recovered media revealed classified information which he is alleged to have transferred to the PKK in Northern Iraq.

The article discusses an interesting method of obtaining the information:
"[The suspect] said during police interrogation that the contact between him and the PKK's Karayılan was established through a terrorist friend of his who resides in France. He also stated that he acquired confidential information belonging to the General Staff, MİT [the Turkish National Intelligence Organization] and other institutions through computer virus programs he placed on pornographic Web sites visited by army members."

PKK hacker faces up to 10 years in prison

Sunday, February 01, 2009

World Economic Forum Short on Answers to Cyber Warfare and Computer Crime

The World Economic Forum in Davos held a panel discussion on cyber threats and named cyber warfare as one of the top three (crime and the basic design of the web were the other two).

Most of the discussion of cyber warfare centered on Russian attacks against its neighbors, but the panel also discussed the difficulty of control on the Internet:

"...the internet[sic] is a global network, it doesn't obey traditional boundaries, and traditional ways of policing don't work," one expert said."
The panel also discussed what should be done about the problem and it appears from news reports that there were no new ideas. In fact, some panelists seemed to think just letting things work themselves out was the best answer:

"But several panellists worried about the heavy hand of government. The internet's strength was its open nature. Centralising it would be a huge threat to innovation, evolution and growth of the web.

"The amount of control required [to exclude all risk] is quite totalitarian," one of them warned.

"Instead they suggested to foster the civic spirit of the web, similar to the open source software movement and the team that had sorted the YouTube problem."

While no one wants "totalitarian" control of the Internet, it is dangerously naive to think that fostering "civic spirit" would even begin to make a dent in computer crime. In fact, one could argue that civic spirit is a major motivator for politically motivated cyber attacks.

Cybercrime threat rising sharply

Looking at the Pattern of Cyber Attacks from Russia

Terming cyberattacks against Russia's neighbors "cyber bullying", Strategy Page provides a synopsis of previous attacks originating from Russia and discusses their escalation to the present attack against Kyrgyzstan. The article also discusses NATO's reaction, including the creation of the Cyber Defense Center in Estonia last year:
"The Center will study Cyber War techniques and incidents, and attempt to coordinate efforts by other NATO members to create Cyber War defenses, and offensive weapons."