Cyberwarfare Magazine

Warfare in the Information Age

Archive for the ‘Government’ Category

The Palestine-Israeli Conflict on the Web

with 14 comments

As any conflict that happened in the 21st century, there is usually a parallel conflict raging online as well. Either commanded by individuals or groups, which can be helped or not by either government agencies or other interest groups, acts of cyberwarfare are getting more and more common. The conflict in the Gaza strip offers a new opportunity to explore this kind of activity. This time, reports of websites defacement are numerous and ongoing, some reporting that malware is spreaded from hacked websites and even an Israeli botnet is starting to grow in order to attack Hamas supporters servers.

Reports are now growing over hundreds of websites defacements of Western websites by Palestinians supporters1. Various Palestinian groups and supporters have been vandalizing Israeli and other western nation commercial websites by putting propaganda and redirecting to jihadist forums and/or uploading malware on the hacked web servers. Hackers mentioned in the article are Team Evil, DNS Team, Tw!$3r, KaSPeRs HaCKeR CreW, PaLiSeNiaN HaCK, MoRoCcAn HaCkErZ.

Palestinian Propaghanda insert into Defaced Websites

Palestinian Propaganda insert into Defaced Websites

Recently, sites from the U.S Army and NATO have also been targeted by the vandals2. Archived versions of the hacked NATO webpage can be found here and here for the hacked version of the U.S Army website. For now, only defacements have been reported and no real attack has occured. Web defacement is a very easy attack to do on web servers with weak passwords. Most of the time, the attackers are script kiddies using software such as AccessDiver with a list of proxies and wordlists to conduct dictionaries attacks on servers. Using AccessDiver is fairly simple and many tutorials can be found on YouTube. Other ways include of course exploits and SQL injections attacks. Surprisingly, no DDoS attacks have been reported yet, but a group of Israeli students launch the “Help Israel Win” initiative3. At the time of writing, the website was online available through Google’s cache. Anoher website (http://help-israel-win.tk/) has been suspended. The goal was to develop a voluntary botnet dubbed “Patriot” to attack Hamas-related websites:

We have launched a new project that unites the computer capabilities of many computers around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel4.

The website offered a small executable to download. This bot would receive commands as a normal criminal bot would. Hamas-friendly sites like qudsnews.net and palestine-info.info were targeted by the IRC botnet. Still according to the article, the botnet has come under attack by unknown assaillants5. No definitive number is given as to how many machines the botnet is controlling, it might range from anything from 1000 to 8000 machines6. Very few detail is given on how the bot actually works.

There was a very similar attempt to create a “conscript” botnet known as the e-Jihad botnet that failed to realized its objective last year, as the tool was unsophisticated and rather crude7. The e-Jihad tool had the same objective as the Patriot botnet, which was to launch DDoS attacks against various targets.

e-Jihad 3.0 Screen

e-Jihad 3.0 Screen

Nevertheless, this kind of parallel attack is due to become a popular civilian option to attack servers. The only thing needed is to create a solid botnet, by using some of the most sophisticated criminal botnets and transform them into voluntary “cyber-armies”. There is one problem thought…how can we make sure it’s legitimate ? Making such programs open source ? But then you reveal your command and control servers and information that could make the enemy hijack our own botnet. It then all comes down to a question of trust…and of course, a clear and easy way to remove the bot anytime.

See also :

“Army Mil and NATO Paliarment hacked by Turks”, Roberto Preatoni,  Zone-H, http://www.zone-h.org/content/view/15003/30/ (accessed on January 10, 2009)



1“Battle for Gaza Fought on the Web, Too”, Jart Armin, Internet Evolution, January 5, 2009, http://www.internetevolution.com/author.asp?section_id=717&doc_id=169872& (accessed on January 10, 2009)

2“Pro-Palestine vandals deface Army, NATO sites”, Dan Goodin, The Register, January 10, 2009, http://www.theregister.co.uk/2009/01/10/army_nato_sites_defaced/ (accessed on January 10, 2009)

3“Wage Cyberwar Against Hamas, Surrender Your PC”, Noah Shachtman, Danger Room, Wired, January 8, 2009, http://blog.wired.com/defense/2009/01/israel-dns-hack.html, (accessed on January 10, 2009)

4Copied from Google’s cache of help-israel-win.org

5Ibid.

6Hacktivist tool targets Hamas”, John Leyden, The Register, January 9, 2008, http://www.theregister.co.uk/2009/01/09/gaza_conflict_patriot_cyberwars/ (accessed on January 10, 2009)

7“E-Jihad vs. Storm”, Peter Coogan, Symantec, September 11, 2007, https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/170#M170 (accessed on January 10, 2009)

Advertisements

To the New President: Secure Cyberspace

leave a comment »

As the transition period leading to the new presidency is almost coming to an end, everyone will probably have multiple requests to the president, and of those is to increase cyber defence. In this optic, a new report created by the “CSIS Commission on Cybersecurity for the 44th Presidency[1]” has release its recommendations on how to secure cyberspace. They consist of:

  • Create a Comprehensive National Security Strategy for Cyberspace
  • Organizing for Cybersecurity
  • Rebuilding Partnership with the Private Sector
  • Regulate for Cybersecurity
  • Identity Management for Cybersecurity
  • Modernize Authorities
  • Build for the Future

This report comes 5 years after the “National Strategy to Secure Cyberspace” document released in 2003 by the National Advisory board which goal was to “engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact[2]“. The CSIS’ document doesn’t mention the previous efforts by the National Advisory Board but declares the previous efforts of the Bush administration as “good but not sufficient[3]“.

As usual, it remains difficult to see how much of this report is based on real facts or just a way to secure funds from the new president by linking potential damage to the cyberspace infrastructure to the economy . It states that “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009[4]“. It uses the cyber attack that occurred on various American networks in 2007 as an example[5].

While they may be some part of fear mongering in this report, we should not completely put aside threats mentioned in this report. As cyber warfare is mostly a war happening without much fanfare and therefore happens in the shadows, it is hard to really determine what’s going on. Since there is no open war between modern countries, we won’t see any cyber warfare for the time being. For the moment, cyberspace will be used for spying mostly and this is what this document mostly addresses.

The unclassified e-mail of the secretary of defense was hacked … A senior official at the Department of State told us the department had lost “terabytes” of information,” declares the report, also: “Senior representatives from the intelligence community told us that they had conclusive evidence, covertly obtained from foreign sources, that U.S. companies have lost  billions in intellectual properties.

Unfortunately, “senior representatives“, “conclusive evidence” and “foreign sources” are so vague that it’s impossible to validate the scope of the problem…or even believe it. Another document though[6], mentioned in the present reading give some examples of the uses of terrorists for cyberspace. It mentions among others the “Muslim Hackers Club” website and the information posted to it, and the use of stolen credit cards and bank account information to finance the Bali attack in 2002[7].

The authors are putting a lot of emphasis on treating cybersecurity as a priority on the same levels as WMD and any other subject that requires national attention therefore requiring that the federal government take charge of the national cybersecurity instead of IT departments. It proposes that:

1)      Standards for computer security be enforce for to the industry such as manufacturing plants and power plants.

2)      Cyberspace security be overlook by a cybersecurity chief and that security agencies such as the National Cyber Security Center (NCSC) and the Joint Inter-Agency Cyber Task Force (JIACTF) be merged into one.

A central office in charge of enforcing computer security standards will have to be formed later or sooner. Fortunately this will be sooner. Information Technology departments should not only have a national reference on the standards to achieve, but also have the opportunity to know how to implements those standards by having government-accredited security companies implementing those standards to networks of various industries. I also believe this new agency should periodically test the security of those networks, as I presume, should already be done. The reports propose that instead of a new agency, the Whitehouse be in charge of the national cybersecurity with an assistant to the president.

The difficulty in this resides in the fact that only one weak link is sufficient to be able to attack the entire system. Therefore, it is necessary to screen the entire critical infrastructure in order to be efficiently secured. And since this implies that systems are often connected internationally for large industries, it means an international consensus.

One thing is for sure, is that all the existing computer-security related need to be consolidated in order to focus on a common goal, and that is the protection of cyberspace. As the report states, it also need to be working hand-to-hand with the private sector in order to have a quick reaction to emergencies. Unfortunately this is only another report amongst other. Maybe a more tech-savvy president such as Barack Obama will catch on quicker to this threat. Until then, the battle still rages on in the shadows of the Internet…

See also

“Obama urged to create White House cybersecurity chief “, Dan Goodin, The Register, December 8, 2008, http://www.theregister.co.uk/2008/12/08/cyber_security_report/ (accessed on December 10, 2008)

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl


[1] “Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/ (accessed on December 10, 2008)

[2] “The National Strategy to Secure Cyberspace”, National Advisory Board, February 2003, p. VII

[3] “Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, p.15

[4] Ibid. p.11

[5] “Pentagon shuts down systems after cyberattack’, Robert McMillan, InfoWorld, June 21, 2007, http://www.infoworld.com/article/07/06/21/Pentagon-shuts-down-systems-after-cyberattack_1.html(accessed on December 10, 2008)

[6] “Threats Posed by the Internet”, CSIS Commission on Cybersecurity for the 44th Presidency, October 2, 2008, http://www.csis.org/component/option,com_csis_pubs/task,view/id,5146/type,1/ (accessed on December 10, 2008)

[7] “Bali death toll set at 202”, BBC News, February 19, 2002, http://news.bbc.co.uk/2/hi/asia-pacific/2778923.stm (accessed on December 10, 2008)

NSA’s new data center in San Antonio

with 4 comments

San Antonio will be hosting the new data center of the National Security Agency reports the San Antonio Current[1]. An old Sony factory on the West Military Drive, near San Antonio’s Loop 410 freeway, will be transformed to accommodate enormous size of data, which will mainly be electronic communications such as phone conversations and emails according to author James Bamford:

“No longer able to store all the intercepted phone calls and e-mail in its secret city, the agency has now built a new data warehouse in San Antonio, Texas.”

This city have been chosen for it’s cheap electricity, provided on an independent power grid since Texas as its own, unconnected to the other states’ grid, making it more reliable.

NSA's Datacenter in San Antonio

NSA's Datacenter in San Antonio

Another factor that played was the location of a similar size Microsoft datacenter a few miles away. This center will be the third largest data center of San Antonio.

As for the Sony plant, it’s made out of two connected buildings, offering offices and research areas and totals around 470 000 square feet[2]. It is expected that 1500 employees will work there initially and may employ up to 4000 personnel.


[1] “The panopticon economy”, Greg M. Schwartz, San Antonio Current, December 3, 2008, http://www.sacurrent.com/news/story.asp?id=69607 (accessed on December 8, 2008)

[2] “NSA Plans San Antonio Data Center”, Rich Miller, Data Center Knowledge, April 19, 2007,  http://www.datacenterknowledge.com/archives/2007/04/19/nsa-plans-san-antonio-data-center/ (accessed on December 8, 2008)

Written by Jonathan Racicot

December 9, 2008 at 7:16 pm

Technology in the Mumbai Attacks – A Quick Overview

with one comment

Details are now starting to emerge from the deadly attacks by terrorists on the city of Mumbai, formerly known as Bombay. News outlets are starting to report technologies used by the attackers to communicate and coordinate their attacks that killed an estimated 172 people from various nations[1]

Among all the commercial technologies used by the terrorists are GPS and satellite phones. The attackers, apparently trained in marine assault[2], entered the city by the MV Kuber[3], a hijacked fishing boat used as mother ship, and navigated by an experienced sailor using GPS maps[4]: “A trained sailor, [Abu] Ismail used the GPS to reach Mumbai coast on November 26.[5]” According to the Times of India, the GPS contained an escape route once the operation would be deemed completed[6].

Among the other objects found in the boat a satellite phone, a Thuraya model[7], was discovered which could be the key to find more information about the terrorists.

Satellite phone used by the terrorists

Satellite phone used by the terrorists[8]

The satellite phone could be used to track conversations between the individuals before their landing on the city. According to an article published by ABC News, Indian Intelligence also intercepted a satellite phone call:

“Nov. 18, Indian intelligence also intercepted a satellite phone call to a number in Pakistan known to be used by a leader of the terror group, Lashkar e Taiba, believed responsible for the weekend attack, Indian intelligence officials say.[9]

Officials from the RAW, the Indian Intelligence agency, said that they got hold of SIM cards found with the satellite phone, possibly bought in the U.S. Those are providing leads to Lashkar e Taiba, a Kashmir separatist group, according to the same ABC article.

Also, many of the articles reports that BlackBerries phones were used by the attackers to communicate between each other and to attest the medias’ reports about the attacks. Damien McElory from The Telegraph claims that the terrorists used them to monitor the situation using British medias[10].

Finally, it appears the terrorists proclaimed their identity by sending various forged emails to news outlets by using a remailer[11].

More to come as the investigation continues, now that the siege has ended…

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl


[1] “India clears last Mumbai siege site”, Ravi Nessman, Associated Press, December 1, 2008, http://www.google.com/hostednews/ap/article/ALeqM5hz0C0SXcxgP0NxzlqGA_EI57FBkQD94PMPC00 (accessed on December 1, 2008)

[2] “‘No regrets’: Captured terrorist’s account of Mumbai massacre reveals plan was to kill 5,000”, Daily Mail, December 1, 2008, http://www.dailymail.co.uk/news/article-1090546/No-regrets-Captured-terrorists-account-Mumbai-massacre-reveals-plan-kill-5-000.html (accessed on December 1, 2008)

[3] “MV Kuber opens can of worms”,  Ninad Siddhaye, DNA, December 1, 2008,  http://www.dnaindia.com/report.asp?newsid=1210640 (accessed on December 1, 2008)

[4] “Is technology a toy in the hands of terrorists?”, CyberNews Media, November 28, 2008, http://www.ciol.com/News/News-Reports/Is-technology-a-toy-in-the-hands-of-terrorists/281108113190/0/ (accessed on December 1, 2008)

[5] “Arrested terrorist says gang hoped to get away”, Times of India, November 29, 2008, http://timesofindia.indiatimes.com/India/Arrested_terrorist_says_gang_hoped_to_get_away/rssarticleshow/3771598.cms (accessed on December 1, 2008)

[6] Ibid.

[7] “U.S. Warned India in October of Potential Terror Attack”, Richard Esposito, Brian Ross, Pierre Thomas, ABC News, December 1, 2008,  http://www.abcnews.go.com/Blotter/story?id=6368013&page=1 (accessed on December 1, 2008)

[8] “Mumbai attack: Satellite phone vital clue to solve mystery”, Yogesh Naik, The Times of India, November 28, 2008,  http://timesofindia.indiatimes.com/Mumbai_attack_Satellite_phone_vital_clue_to_solve_mystery/rssarticleshow/3770611.cms (accessed on December 1, 2008)

[9] “U.S. Warned India in October of Potential Terror Attack”, Richard Esposito, Brian Ross, Pierre Thomas, ABC News, December 1, 2008,  http://www.abcnews.go.com/Blotter/story?id=6368013&page=1 (accessed on December 1, 2008)

[10] “Mumbai attacks: Terrorists monitored British websites using BlackBerry phones”, Damien McElroy, The Telegraph, December 1, 2008, http://www.telegraph.co.uk/news/worldnews/asia/india/3534599/Mumbai-attacks-Terrorists-monitored-coverage-on-UK-websites-using-BlackBerry-phones-bombay-india.html?mobile=basic (accessed on December 1, 2008)

[11] “How Gadgets Helped Mumbai Attackers”, Noah Shachtman, Danger Room – Wired, December 1, 2008, http://blog.wired.com/defense/2008/12/the-gagdets-of.html (accessed on December 1, 2008)

Use of Cyber Warfare Will Limit U.S Freedom of Action says Intelligence

leave a comment »

Not entirely cyber warfare related but still a very interesting read, but according to the Global Trends 2025 report by the National Intelligence Council, irregular warfare, which cyber warfare is part of, will play a determinant part into the future of the United States:

“… expanded adoption of irregular warfare tactics by both state and nonstate actors, proliferation of long-range precision weapons, and growing use of cyber warfare attacks increasingly will constrict US freedom of action.[1]

Unfortunately this is the only mention of cyber warfare in the report, which fails to go into further details. This shouldn’t come to a surprise to anyone though. We all know how reliant on technology everything is nowadays and the interconnection between every part of the modern society. Not only does the United States recognized that cyber warfare will be an important part of the upcoming conflicts, but also does China and Russia, which are stated to become heavyweights on the world stage:

“Few countries are poised to have more impact on the world over the next 15-20 years than China. If current trends persist, by 2025 China will have the world’s second largest economy and will be a leading military power.[2]

Right now, even with her very large armed forces of 2 million active personnel[3], China is trying to modernize its military to be more mobile and efficient. In order to accomplish that modernization, it has explored many new avenues that western societies are still trying to grasp. In 1999, two Chinese Air Forces colonels discussed new ways to conduct war in a guide titled “Unrestricted Warfare”, where they describe the use of computers as new weapons for future warfare:

“With technological developments being in the process of striving to increase the types of weapons, a breakthrough in our thinking can open up the domain of the weapons kingdom at one stroke. As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.[4]

Experts seem to agree that this kind of “new weapon” could do far more damage than one can imagine:

“If someone is able to attack information that is needed by decision makers, or that is crucial to organizing logistics and supply lines of an army on the ground, that means they can induce chaos in a nation[5] said Sami Saydjari, who worked as a Pentagon cyber expert for 13 years and now runs a private company, Cyber Defence Agency.

. If current trends persist, by 2025 China will have the world’s second largest economy and will be a leading military power

... by 2025 China will have the world’s second largest economy and will be a leading military power

We don’t know how much of the concepts explained in this book as been accepted by the People’s Liberation Army (PLA), but events from the last decade can gave us clues as how much China has developed cyber warfare capacities based on the text of the two colonels. . Concretes realizations of these ideas may have happened as soon as four years after the publication of the guide during Operation Titan Rain in 2003. With a computer network of more than 3.5 million computers spread across 65 countries, the Pentagon faces many challenges against a strong and sophisticated attack and Operation Titan Rain proved this. According to an article on ZDNet[6], 20 hackers, based or using proxies based in China, successfully attacked American networks in a coordinated attack:

 

  • At 10:23 p.m. PST, the Titan Rain hackers exploited vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Ariz.

  • At 1:19 a.m., they exploited the same hole in computers at the Defense Information Systems Agency in Arlington, Va.

  • At 3:25 a.m., they hit the Naval Ocean Systems Center, a Defense Department installation in San Diego, Calif.

  • At 4:46 a.m., they struck the U.S. Army Space and Strategic Defense installation in Huntsville, Ala.

The results from this operation were the theft of several classified information:

“From the Redstone Arsenal, home to the Army Aviation and Missile Command, the attackers grabbed specs for the aviation mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force,” according to Alan Paller, the director of the SANS Institute[7].

Many other attacks have been suspected to originate from China afterwards. Attacks against most of the G7 countries such as France[8], UK and Germany[9], New Zealand[10] and India[11] have been reported by many medias.

Cyber War

Attacks against most of the G7 countries such as France, UK and Germany, New Zealand and India have been reported

Although evidence gathered shows that China is aggressively pursuing irregular warfare, Russia is also gaining a strong cyber warfare reputation on the world scene. Its attack against Estonia has won world coverage and succeeding attacks on Georgia gave the country experience in that domain. It is again unclear though if attacks from Russia are actually coming from government agencies or from criminal behaviour.

The first incident concerning Russia goes back to 1999, before the Chinese cyber attacks. American networks went under siege in what is now called Operation Moonlight Maze. Back then, FBI officials were investigating a breach into the DOD satellite control systems. Again, while the first accusations for the source of this attack were Russian authorities, it was soon shown that they were not implied in this attack[12]. The only certitude about this operation was that the attack went through a Russian proxy.

Nevertheless, Russia cyber warfare was displayed on Estonia in 2007. Once against, it was unclear if the government was involved or if Russian patriotism over the removal of the war memorial[13] caused Russian script kiddies and botnets to answer with a massive DDoS attack. Moscow always denied any involvement in that case. It is also well known that major botnets that are lurking on the net are often controlled by Russian cyber-criminal gangs such as the Russian Business Network. It’s quite possible that those cyber-gangs ordered their botnets to retaliate against Estonia, especially since the attack consisted mostly of a denial-of-service attack, and wasn’t not as sophisticated as a coordinated hacking attack on networks. Another plausible option would be that Russia’s cyber army is a mercenary force.

A repetition of the Estonia cyber attack then took place against Georgia during the Russia-Georgian conflict. The same kind of attack occurred and took down various governmental and commercial websites: HTTP floods were send to www.parliament.ge and president.gov.ge. Some other sites were hi-jacked and displayed fake information. The Georgian government had to put up a temporary website on Blogspot. This time, the Russian Business Network was openly suspected by many analysts to be behind the attacks[14].

HTTP floods were send to www.parliament.ge and president.gov.ge.

HTTP floods were send to http://www.parliament.ge and president.gov.ge.

McAfee claims that 120 countries around the world are now developing cyber warfare strategies[15]. It is inevitable that countries without cyber warfare capacities will be at great disadvantage in any arising conflict, as disruption of communications will be the first objective of any belligerent. It’s crucial that a strong offensive and defensive cyber war force be developed in order to not only defend against cyber threats, but also wage war in cyberspace.

See also:

“Inside the Chinese Hack Attack”, “Nathan Thornburgh”, Time, August 25, 2005, http://www.time.com/time/nation/article/0,8599,1098371,00.html (accessed on November 21, 2008)

“Coordinated Russia vs. Georgia cyber attack in progress”, Dancho Danchev, August 11, 2008, http://blogs.zdnet.com/security/?p=1670 (accessed on November 21, 2008)


[1] “Global Trends 2025: A Transformed World”, National Intelligence, U.S Government, November 2008, p. XI

[2] Ibid. p. 29

[3] The Asian Conventional Military Balance in 2006: Overview of major Asian Powers”, Anthony H. Cordesman, Martin Kleiber, CSIS, June 26, 2006, p.24

[4] Translation from “Unrestricted Warfare”, Qiao Liang, Wang Xiangsui, PLA Literature and Arts Publishing House, February 1999. p. 25

[5] “China flexes muscles of its ‘informationised’ army”, Ed Pilkington, Bobbie Johnson, The Guardian, September 5, 2007, http://www.guardian.co.uk/technology/2007/sep/05/hacking.internet (accessed on November 21, 2008)

[6] “Security experts lift lid on Chinese hack attacks”, “Tom Espiner”, ZDNet, November 23, 2005, http://news.zdnet.com/2100-1009_22-145763.html (accessed on November 21, 2008)

[7] Ibid.

[8] “French government falls prey to cyber-attacks ‘involving China'”, Agence France-Presse, September 9, 2007, http://www.france24.com/france24Public/en/news/france/20070909-Internet-piracy-france-secuirty-china-hacker.php (accessed on November 21, 2008)

[9] “Chinese government at the center of five cyber attack claims”, Jeremy Reimer, September 14, 2007, http://arstechnica.com/news.ars/post/20070914-chinese-government-at-the-center-of-five-cyber-attack-claims.html (accessed on November 21, 2008)

[10] “New Zealand hit by foreign computer hacking”, Agence France-Presse, The Age, September 11, 2007, http://www.theage.com.au/news/Technology/New-Zealand-hit-by-foreign-computer-hacking/2007/09/11/1189276701773.html (accessed on November 21, 2008)

[11] “China mounts cyber attacks on Indian sites”, Indrani Bagchi, The Times of India, May 5, 2008, http://timesofindia.indiatimes.com/China_mounts_cyber_attacks_on_Indian_sites/articleshow/3010288.cms (accessed on November 21, 2008)

[12] “Russia hacking stories refuted”, Federal Computer Weekly, September 27, 1999, http://www.fcw.com/print/5_188/news/68553-1.html?page=1 (accessed on November 21, 2008)

[13] “Estonia hit by ‘Moscow cyber war'”, BBC News, May 17, 2007,  http://news.bbc.co.uk/2/hi/europe/6665145.stm (accessed on November 21, 2008)

[14] “Georgia: Russia ‘conducting cyber war'”, Jon Swaine, The Telegraph, August 11, 2008, http://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html (accessed on November 21, 2008)

[15] “China Disputes Cyber Crime Report”, Jordan Robertson, Washington Post, November 29, 2007, http://www.washingtonpost.com/wp-dyn/content/article/2007/11/29/AR2007112901588.html (accessed on November 21, 2008)

Cyber Espionage : The Triggerfish

with 8 comments

ArsTechnica had some bits of information how the triggerfish has been used to retrieve information from cell phones such as the electronic serial number (ESN), phone numbers and other information without the users’ knowledge and without the help of the telephone providers[1]. It was used back in the 90s by the FBI to track legendary hacker Kevin Mitnick[2].

When cell phones are on, they automatically look for cell sites around them in order to connect to the telephone company network. It will then connect to the one having the strongest signal, as it means a better signal. The triggerfish antenna is a high-powered cell site simulator to which any cell phone near enough will connect, as they will consider it as a normal cell site. Once the mobile registers to the triggerfish and the user wants to make or receive a call, the mobile will send the mobile identification number (MIN), which is actually the phone number, the ESN, cell site data, which contains the channel used and sub-geographical location all the incoming and outgoing data of the caller. It will also contain the outgoing or incoming MIN.  According to the documents released by the ACLU, the triggerfish is able to display the following:

“If the cellular telephone is used to make or receive a call, the screen of the digital analyzer/cell site/simulator/triggerfish would include the cellular telephone number (MIN), the call’s incoming or outgoing status, the telephone number dialled, the cellular telephone’s ESN, the date, time and duration of the call, and the cell site number/sector (location of the cellular telephone when the call was connected)[3]

The same document also writes that this device may be able to intercept the contents of the communication if the option is enabled. It’s important to note that the cell phone must be used to receive or send a call (SMS or web also) in other to for the triggerfish to work, as data about the location of the phone will be send in every data packet send and received by the user. This is how organization can track people using cell phones. Since mobiles always need to find new cell sites as the user moves around, it needs to exchange geographical information with the phone in order to locate the cell sites nearest to the mobile.

As told above, the antenna needs to be stronger than the local cell site in order to pickup the registration of the mobiles. Therefore it needs a lot of power and a high-gain. It also needs equipment such as a digital analyzer in order to make sense of the data intercepted by the triggerfish. And for tracking, it needs to be mounted on a truck to follow the signal of course.

There is a way for everyone to build something almost similar as the triggerfish by using an IMSI catcher. An IMSI catcher can be used to intercept GSM phone calls and use the same tactics as the triggerfish: by simulating a cell site. It will then relay data to a genuine cell site in the area. To do that, the IMSI catcher will need a SIM card and will then appear to the genuine cell site as a mobile phone. In other words, the IMSI catcher acts as a man-in-the-middle between the mobile phone and the genuine cell site.

representing the man-in-the-middle attack using an ISMI catcher

Diagram representing the man-in-the-middle attack using an ISMI catcher(4)

Even if it works in the same way as a triggerfish, the IMSI catcher has some serious drawbacks, among others[5]:

  • “It must be ensured, that the mobile phone of the observed person is in standby mode and the correct network operator is found out. Otherwise, for the Mobile Station, there is no need to log into the simulated Base Station.

  • All mobile phones in the catchment area have no access to the network. Incoming and outgoing calls cannot be patched through for these subscribers.

  • […] Since the network access is handled with the SIM/USIM of the IMSI Catcher, the receiver cannot see the number of the calling party. Of course, this also implicates that the tapped calls are not listed in the itemized bill.

  • The assignment near the Base Station can be difficult, due to the high signal level of the original Base Station.”

IMSI Catchers can be found online. They are sold by Rohde & Schwarz. You could buy the GC128 GSM Communication Unit R&S and apply the firmware to transform it into an ISMI catcher.

See also:

Electronic Surveillance Manual“, U.S Department of Justice, June 2005

IMSI Catcher“, Daehyun Strobel, Chair for Communication Security, Ruhr-Universität Bochum, July 13, 2007


[1] “FOIA docs show feds can lojack mobiles without telco help”, Julian Sanchez, ArsTechnica, November 16, 2008, http://arstechnica.com/news.ars/post/20081116-foia-docs-show-feds-can-lojack-mobiles-without-telco-help.html (accessed on November 18, 2008)

[2] “Computer hacker Kevin Mitnick”, Michael Cooke, Essortment.com, 2002, http://www.essortment.com/all/kevinmitnickco_rmap.htm (accessed on November 18, 2008)

[3] “Electronic Surveillance Book : XIV Cell Site Simulators/Digital Analyzer/Triggerfish”, Electronic Surveillance Unit, Department of Justice, June 2005, p.40

[4] “IMSI Catcher”, Daehyun Strobel, Chair for Communication Security, Ruhr-Universität Bochum, July 13. 2007, p.14

[5] Ibid. p.16

High-tech Cheating

leave a comment »

One man and a woman, Steve Lee and Rong Yang, were convicted last week to eight months of prison after helping two Chinese men cheat their immigration exams, according to a news report from the Metropolitan Police Service[1].  The duo was monitoring the examination from a vehicle outside the building with laptops, transmitters and other equipment.

“Lee and Yang were clearly involved in a sophisticated operation using some of the best surveillance technology available worth thousands of pounds. When we first arrived at the scene it was very confusing as to what exactly was going on.”

It’s hard to tell what was the “best surveillance technology available worth thousands of pounds” since no detailed equipment list was given, but we might expect this to be largely exaggerated. The report states that Zhuang, the examinee, was given “tiny buttonhole cameras sewn in, a microphone and a small ear piece”. With this equipment, the information was transmitted back to Lee and Yang, who told Zhuang the answers to the questions.

“Best surveillance equipment” found into the car

“Best surveillance equipment” found into the car

I decided to look the equipment needed to conduct such an operation. The following material can be found without looking very hard on the net:

· Wireless Button Camera – £226.37

· Wireless Microphone – £133.13

· Wireless Earpiece – £134

· Laptop – £429

· Wireless Router – £51

Total: £973.5

Unless I’m forgetting something worth more than £1000, this is far from being “thousands of pounds”. And I’m quite sure you can get these items cheaper if you look on eBay.

Anyway, the cheaters were caught after a member of the public reported seeing them sitting Lee and Yang in a silver BMW with wires running from under the hood to the inside the car.

According to Sergeant Dominic Washington who first responded to the call from the public, said:

“However, working with colleagues from across the borough and the Met we believe that we have uncovered an established criminal enterprise that may be in operation in other parts of the country.”

No, I don’t think so… but this might give ideas to the others. And why were there wires under the car?


[1] “Two convicted for immigration test scam”, Metropolitan Police Service, November 14, 2008, http://cms.met.police.uk/news/convictions/two_convicted_for_immigration_test_scam (accessed on November 17, 2008)