Thursday, May 29, 2008

Belgian Woman Convicted for Islamist Website

A Belgian woman has been convicted in Switzerland for maintaining a website supporting Islamist groups including al-Qa'eda. Malika El Aroud (who's husband Abdessatar Dahmane killed the anti-Taliban resistance leader Ahmed Shah Massoud in Afghanistan two days before September 11th) is quoted in the article:

"I have a weapon. It's to write. It's to speak out. That's my jihad. You can do many things with words. Writing is also a bomb."

"I write in a legal way. I know what I'm doing. I'm Belgian. I know the system."

"...ask your mothers, your wives to order your coffins Vietnam is nothing compared to what awaits you on our lands [sic]".


Female al-Qa'eda supporter uses internet as 'bomb' to recruit others to wage jihad on West

Spanish Police Arrest Online Protest Group

This was originally posted several weeks ago in Gary Warner's CyberCrime & Doing Time blog.

Spanish police announced on May 17, 2008 the arrest of at least four members of a Spanish speaking group called D.O.M. This group is alleged to be one of the more prolific web defacement groups in the world. Spanish police estimate they were responsible for as many as 21,000 attacks on websites - most as political protests:
"Some of the more high-profile attacks credited to the group, at least from an American perspective, would include having hit the US government's National Cancer Institute with an SQL injection attack back in July of 2007, ( archived from Zone-H). In February, an0de defaced an MIT server with an anti-American, anti-Bush message, archive from Zone-H ."

Spanish Arrest D.O.M. Team

Wednesday, May 28, 2008

Russian Radiation Level Website Knocked Offline

RIA Novosti, the Russian News Agency, is reporting a denial-of-service attack against a public website used to inform citizens about radiation levels associated with nuclear power plants. It appears the attacks coincided with the release of false reports of a radiation leak.
"This was a planned action by hackers, which has brought down almost all sites providing access to the Automatic Radiation Environment Control System (ASKRO), including the Leningrad NPP site, the rosatom.ru site, and others. For several hours users were unable to reach the sites and obtain reliable information on the situation at the plant."


Russian nuclear power websites attacked amid accident rumors

Monday, May 19, 2008

Hate Speech on the Internet

The Anti-Defamation League (ADL) has published a speech by Christopher Wolf, Chair, ADL Internet Task Force and Chair, International Network Against Cyber-Hate (INACH) to the Commission on Security and Cooperation in Europe. The speech discusses the use of the Internet to facilitate hate speech:
"The Internet allows haters to communicate, collaborate and plot in ways simply not possible in the off-line world. The Internet inspires and facilitates real-world violence.And the misuse of the Internet to propagate hate victimizes those vulnerable to hurtful words and images, especially minorities, and it serves to mislead and even recruit young people to become the next generation of hate-mongers."


Hate in the Information Age

North America Hosts Terrorist Web Sites

Israel 21c posted an article discussing the use of North American ISPs to host terrorist supporting websites:
"Prof. Niv Ahituv, academic director of the Netvision Institute for Internet Studies (NIIS) at Tel Aviv University (TAU), said that some of the world's most dangerous organizations, including Hezbollah and al-Qaeda, host their web sites on servers owned by popular American and Canadian ISPs used by most North Americans."
This issue has been documented since 2000 when the first serious cyber conflicts occurred between Israeli and Palestinian supporters during the second Intifada. Since both sides targeted systems hosted by North American ISPs, the attacks affected many U.S. companies not directly involved with the conflict - a form of electronic collateral damage (See: Hacktivism and Politically Motivated Computer Crime).

The article discusses a presentation on this topic that Professor Ahituv made at a NATO conference earlier this year. The article also addresses the debate on shutting down this type of activity and the U.S. First Amendment issues involved:
"Unfortunately, in the wired world, the base location is a technical matter. Geography is not a limiting factor. "A half an hour after a website is shut down in the US, it is registered in Malaysia, Saudi Arabia, or Iran. The FBI has shut down a few websites, but it is like chasing the wind," warns Ahituv."


Israeli study shows US a digital haven for terrorists

Cyber Attacks Against Palestinian Bloggers

Picked up a short blog posting concerning the high volume of attacks against bloggers who post articles concerning issues in Palestine. The article doesn't specify any technical details nor speculate on the source or motive...
"It's funny how every time I write about Palestine, I get a slew of hack attempts ranging from the most primitive to the most complicated scary ones. I won't get into much details, but I've been noticing a huge amount of unnatural activity."


H-a-c-k-e-r Friendly

Friday, May 16, 2008

Recommended Reading: Carpet Bombing in Cyberspace

The title is a misnomer - this article is a well written and thought provoking discussion on how the U.S. might build an offensive military cyber capability and what the ramifications would be of its use.

Col. Charles W. Williamson III wrote the feature article in Armed Forces Journal and begins with a discussion of the changing aspect of cyberspace in national defense. It gives several very good comparisons of the currently situation with previous challenges in military history - from Troy to WWII:
"Today, every Army outpost in America traces its roots to the walls, guards and gates of Troy. But none of today’s forts relies for boundary defense on anything more substantial than a chain-link fence, even though the base may contain billions of dollars in military equipment and the things most important to the soldiers — their families. The U.S. intends for defense of its “forts” to occur thousands of miles away. We intend to take the fight to the enemy before the enemy has a chance to come here. So, if the fortress ultimately failed, does history provide a different model?"
Col. Williamson reports on suggestions for creating a military botnet using existing Air Force systems to provide an U.S. offensive cyber capability and discusses defensive requirements.

However, probably the most interesting part of the article is the discussion of the pros and cons of developing and using this type of offensive capability:

"Lawyers have been known to trot out a “parade of horribles” to demonstrate weaknesses in an idea. These issues are difficult but not insurmountable. But before addressing them, it is important to note what the botnet is not.

"The af.mil botnet is not a replacement for law enforcement action or diplomacy. If the harm coming to U.S. systems is low enough that a military response is not required, the U.S. must default to traditional responses that respect the sovereignty of other nations, just as we expect them to respect our sovereignty and the primacy of our responsibility to stop harm coming to them from the U.S. With that understanding, what challenges remain?"


The article goes on to discuss several of the key concerns with offensive cyber warfare and attempts to address them. The most critical of these is The Difficulty in Identifying Source and Motive of Politically Motivated Computer Crimes. Col. Williamson writes:

"The truly difficult problems come in defending against attack from devices adversaries have captured from U.S. or allies’ civilians. Generally, the U.S. military is not going to attack a U.S. private computer. Harm coming from one of those machines will first be treated as a crime, and military forces should stay out of the situation in accordance with the Posse Comitatus Act. However, Title 10 of the United States Code, Section 333, allows the president to order use of the military in the U.S. under tightly controlled conditions when civil authorities are overborne.

"More challenging is the problem of an attack coming from an ally’s civilian computers. Obviously, the U.S. would seek allies’ cooperation if at all possible, but we could be in a position of launching an attack on a nation whom we have sworn to protect in a mutual defense pact. Together, the U.S. and its allies can reduce this risk by cooperating to maximize computer security. If we attack them as a matter of proportionate response, it would only be because computers in their territory are attacking us.

"The biggest challenge will be political. How does the U.S. explain to its best friends that we had to shut down their computers? The best remedy for this is prevention. The U.S. and its allies need to engage in a robust joint endeavor to improve net defense and intelligence to minimize this risk."


Regardless of whether you agree or disagree with the author, it is refreshing to see a well thought-out and nicely argued discussion on the topic of cyber warfare.

Thanks to Gareth Gange for the the pointer to this article.

Carpet bombing in cyberspace

Political Cyber Attacks As a Form of Censorship

Forbes magazine published an article discussing the censorship motive behind online political attacks against Estonia and Radio Free Europe.

The 2007 Estonia cyber attacks are some of the most widely reported and studied cyber attacks. Yet to date, no definitive conclusion can be made concerning the motive or exactly who sponsored the attacks. The article quotes various authorities who have widely varying theories of the motives behind the Estonia attacks. This is an excellent example of the difficulty in determining motive - or conversely, the ease in mis-identifying an attacker's motive.
"The difference between government-sponsored attacks and grassroots cyber terrorism is growing increasingly fuzzy, even as researchers try to sift through who did what on Estonia's Web. And the difficulty of tracing responsibility for even massive cyber attacks suggests that such maneuvers may become an effective tool not just for indiscriminate vandalism, but also for stealthy cyber censorship."


When Cyber Terrorism Becomes State Censorship

Attacks Target Specific Chinese Dialects

The Dark Visitor, a blog that tracks Chinese hacker activity, provides some technical details on attacks that selectively target systems based on the Chinese dialect used by web browsers. Although these types of attacks have been seen before, this is a good example of the trend toward selective targeting.

The post also provides a sample protest message sent in SQL-injection attacks:
"This is a mass invasion. Safeguard the motherland’s dignity!
F*** FRANCE! F*** CNN! I WILL ATTACK you ALWAYS !
I love my motherland!"


More Patriotic Hacking

Wednesday, May 14, 2008

NATO Announces Cyber Defence Centre in Estonia

NATO has announced it will open a Cooperative Cyber Defence (CCD) Centre of Excellence (COE) in Tallin, Estonia. This is in response to last year's cyber attacks against Estonia.
"The centre will conduct research and training on cyber warfare and include a staff of 30 persons, half of them specialists from the sponsoring countries, Estonia, Germany, Italy, Latvia, Lithuania, Slovakia and Spain."


NATO opens new centre of excellence on cyber defence

US Senate Report on Use of the Internet by Islamist Groups

The U.S. Senate Committee on Homeland Security and Governmental Affairs has released a report titled: "Violent Islamist Extremism, The Internet, and the Homegrown Terrorist Threat".

The following quotes [reformatted for readability] give an overview of the report's contents:

"This staff report concerns ... – how violent Islamist terrorist groups like al-Qaeda are using the Internet to enlist followers into the global violent Islamist terrorist movement and to increase support for the movement, ranging from ideological support, to fundraising, and ultimately to planning and executing terrorist attacks.

"In the second section of this report, we examine the increasing number of homegrown incidents and the judgments of the intelligence and law enforcement communities that there will likely be additional homegrown threats in the future.

"The third section explores the four-step radicalization process through which an individual can be enticed to adopt a violent Islamist extremist mindset and act on the ideology’s call to violence.

"Section four identifies the disturbingly broad array of materials available on the Internet that promote the violent Islamist extremist ideology. The availability of these resources is not haphazard, but is part of a comprehensive, tightly controlled messaging campaign by al-Qaeda and like-minded extremists designed to spread their violent message.

"The fifth section of the report examines how these materials facilitate and encourage the radicalization process.

"Finally, the report assesses the federal government’s response to the spread of the violent Islamist message on the Internet and concludes that there is no cohesive and comprehensive outreach and communications strategy in place to confront this threat."


Violent Islamist Extremism, The Internet, and the Homegrown Terrorist Threat

Zimbabwe State Newspaper Attacked in Protest of 1980s Killings

The BBC is reporting on an attack against the website of Zimbabwe's state-owned Herald newspaper. The report provides no technical details but links the attack to allegations that the government carried out mass killings in the 1980s:

"Headlines on the site were replaced by the word Gukurahundi.

"The word refers to a campaign of mass slaughter that the government has been accused of carrying out after independence."


Hackers shut Zimbabwe website

Friday, May 09, 2008

The Difficulty in Identifying Source and Motive of Politically Motivated Computer Crimes

In a textbook example of the difficulties in determining the true source and motive behind online attacks, there are several reports coming from Korea concerning the arrest of Chinese and Korean nationals involved in online identify thefts. In this case, the original attacks were attributed to Chinese 'hackers' attacking Korean systems for political reasons. This was because the attacks appeared to originate in China and the software used in the attack had an anti-Korean title.

However, in this case, it appears that Korean criminals involved in online identity thefts were using Chinese 'hackers' to gather the information for fraud:
"...Chinese hackers who claim there is something of a black market for Korean personal information in China. They say Koreans hire Chinese hackers to break into sites to get information, which is then handed over and sold in Korea."

"...the vice head of PR for “Auction” [eBay's Korean subsidiary] said on CBS radio last month that the hacking program employed in the attack was named “Fuck KR,” leading at the time to speculation that the attack was anti-Korean in nature."

This case demonstrated three important issues in analyzing politically motivated computer crimes (or any other computer crime):

1. Most attackers use a chain of connections between themselves and their target. Inexperienced investigators are often misled when they attribute the attack to the most immediate link. (This is not a new phenomena and has been employed for over 20 years by 'hackers'. See "International Intrusions: Patterns and Motives" specifically section 3 Intrusion Patterns and Dynamics for a discussion on how this technique was used in the 1980's and 1990's.)

2. 'Hackers' can be manipulated by more criminal elements thus disguising the actual motive behind the attack.

3. Motive is very difficult to determine in online attacks. There are many cases of politically motived computer crimes disguised as fraud or other types of attacks and also attacks (such as this example) where the motive is disguised as political. Another good example of this is the 'WANK' worm released in 1989:
"...in the internal network of Digital Equipment Corporation and later in the NASA / SPAN networks. This was jokingly named by the Australian authors as “Worms against Nuclear Killers” and has been misreported in several publications as an example of political hacking [See: Denning, Dorothy E., “Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy”].

"However, the authors had no political motive in these attacks and were playing on the British meaning of the word 'wank' [Source: "Hacktivism & Politically Motivated Computer Crime"]."

Too often the source and motives behind attacks are attributed with little information or based on assumptions. This is inadequate when discussing cyberwar and when governments and corporations are considering online retaliation. Investigators and security professionals need better skills in determining actual sources and motives behind computer crimes - political or otherwise.

Also see Analyzing Goggle Attacks - Plenty of Room for Error


Auction Identity Thieves Nabbed

‘Auction’ Hacker Arrested in China?

NPR Report Discusses Online Attacks on Activists and Journalists

National Public Radio broadcast a report on attacks involving Chinese systems. The program discusses attacks targeting both Chinese opponents and attacks against pro-Chinese websites:

"Recently, Tibetan advocacy groups and China-based foreign journalists have been hit by a wave of sophisticated computer attacks that steal data, cripple Web sites and even monitor what computer users type on their computers.

"The attacks often come in the form of viruses attached to e-mails skillfully made to look like correspondence from people the recipient knows and trusts."


Cyber Attacks in China Target Activists, Journalists

Thursday, May 08, 2008

Cyberattacks against Belgium Attributed to China

Belgium has become the latest government to accuse China of attacks on their information infrastructures. As with other reports, there are no details or facts to allow proper analysis.

"Justice minister Jo Vandeurzen is reported to have claimed that the Federal Government had been targeted by Chinese hackers, backing up a separate statement by Belgium's foreign affairs minister, Karel De Grucht that his ministry had been hit by espionage in recent weeks.

"In both cases, the Belgians appear certain that the culprits were Chinese and that the Beijing authorities must know something about events, although no evidence has been offered to back up these allegations. The precise nature of the attacks has not been explained either."


Belgium accuses China of cyberattacks

EU Considers the Future of the European Network and Information Security Agency

EU lawmakers are considering extending funding for the European Network and Information Security Agency (ENISA) in response to cyber attacks on Estonia. However, the organization currently does not have the funding, remit or capability to act as an incident response organization:

"Euro-MPs believe Internet infrastructure security must be protected more effectively as the EU economy depends increasingly on a trouble-free Web.

"A lot of staff are simply pushing papers, making reports and not doing what we need them to do. It's something you might see in the Soviet Union. There is an increase in network security problems," said Reino Paasilinna, a Finnish socialist."

[Editor's Note: After this article was published, I received a clarification on the staffing issues at ENISA from Ulf Bergström, Press and Communications Officer at ENSIA:

‘This year ADM has 17 staff in total, of which 13 are TAs (stable since 2006) to service 66 planned staff members (TAs and contract agents, SNEs and stagiaires).

There’s nothing imbalanced at ENISA. ENISA is even better as some agencies with regard to this ratio. The minimum number of admin staff (that we have) sounds much larger when the overall size of the agency is low.

About his ratio there's nothing what we could more improve, as the financial regulation and the whole set of administrative rules sets a minimum number in order to guarantee sound financial management ("checks and balances").']


Euro-MPs back longer term for EU Web security body

Monday, May 05, 2008

Indian Government Systems Are Being Mapped and Probed from China

The Times of India is reporting on cyber attacks they believe originate from China. While technical detail is limited, the attacks appear to follow the same pattern as reported in the U.S. and Europe:
"The sustained assault almost coincides with the history of the present political disquiet between the two countries.

"According to senior government officials, these attacks are not isolated incidents of something so generic or basic as "hacking" — they are far more sophisticated and complete — and there is a method behind the madness.

"Publicly, senior government officials, when questioned, take refuge under the argument that "hacking" is a routine activity and happens from many areas around the world. But privately, they acknowledge that the cyber warfare threat from China is more real than from other countries.

"The core of the assault is that the Chinese are constantly scanning and mapping India’s official networks. This gives them a very good idea of not only the content but also of how to disable the networks or distract them during a conflict."

China mounts cyber attacks on Indian sites

Saturday, May 03, 2008

Increase in Hacktivism?

Online protest and hacktivist attacks are gaining more publicity but does this reflect a sudden increase in activity or just more press coverage? A recent blog posting concluding a sudden increase in activity has gained some media attention:

"While incidents of Hacktivism are not new, they are beginning to become a lot more frequent — perhaps due to the availability of tools to conduct hacktivist mischief, but also perhaps due to the ubiquitous social networking mechanisms which can now be used as to build consensus when times of cultural or political unrest present the opportunity.

In any event, Hacktivism is becoming a disturbing trend, and one which can have serious ripple effects that interfere with Internet operational continuity — sometimes in ways which we may have not even thought of yet."

While the availability of social networks and 'hacktivist' tools do contribute to both increasing number of attacks and their effectiveness, most professionals that closely follow politically motivated computer crimes and hacktivism believe there has been a steady increase in activity for several years, with ups and downs following political events in the real world (such as Olympic protests, Israeli-Palestinian conflicts, etc.). What has become more frequent is press coverage of attacks which creates a cycle of more activity followed by more press (see Hacktivism & Politically Motivated Computer Crime for a detailed analysis of the relationship between hacktivism and media coverage).


‘Hacktivism’ Incidents Escalate, Become More Frequent

Activists Swarm French Olympic Boycott Voting

The website of French magazine 'Capital', conducting an online poll concerning boycotting the 2008 Chinese Olympics, was flooded with votes, apparently from China.

"On the first day, we had about 300 responses, which was normal for this type of poll, and they were 80 percent in favour of a boycott. The next day there were 20,000 responses, with 80 percent opposing a boycott," he [Jean-Joel Gurviez, publisher of the website for Capital magazine] said.

"Almost all of the responses arrived via Chinese servers, Gurviez said, leading technicians to initially think the influx was driven by Chinese sites directing patriotic fans to vote.

"But a few days later we had hackers operating off servers in China try to change our content, and there were 2.5 million attempts to access protected files. We had to shut down the site temporarily," he said."


Hackers hit French magazine website over China poll