Archive for the ‘Government’ Category
As with any conflict of the 21st century, a parallel conflict is usually raging online as well. Whether conducted by individuals or groups, with or without the help of government agencies or other interest groups, acts of cyberwarfare are becoming more and more common. The conflict in the Gaza Strip offers a new opportunity to explore this kind of activity. This time, reports of website defacements are numerous and ongoing, some reporting that malware is being spread from hacked websites, and even an Israeli botnet is starting to grow in order to attack the servers of Hamas supporters.
Reports are now growing of hundreds of defacements of Western websites by Palestinian supporters [1]. Various Palestinian groups and supporters have been vandalizing Israeli and other Western commercial websites, posting propaganda, redirecting visitors to jihadist forums and/or uploading malware to the hacked web servers. Hackers mentioned in the article are Team Evil, DNS Team, Tw!$3r, KaSPeRs HaCKeR CreW, PaLiSeNiaN HaCK and MoRoCcAn HaCkErZ.
Recently, sites of the U.S. Army and NATO have also been targeted by the vandals [2]. Archived versions of the hacked NATO webpage can be found here and here for the hacked version of the U.S. Army website. For now, only defacements have been reported and no real attack has occurred. Web defacement is a very easy attack to carry out against web servers with weak passwords. Most of the time, the attackers are script kiddies using software such as AccessDiver with a list of proxies and wordlists to conduct dictionary attacks on servers. Using AccessDiver is fairly simple and many tutorials can be found on YouTube. Other ways include, of course, exploits and SQL injection attacks. Surprisingly, no DDoS attacks have been reported yet, but a group of Israeli students launched the “Help Israel Win” initiative [3]. At the time of writing, the website was only available through Google’s cache. Another website (http://help-israel-win.tk/) has been suspended. The goal was to develop a voluntary botnet dubbed “Patriot” to attack Hamas-related websites:
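The dictionary attacks described above leave a characteristic trace in the web server’s access log: bursts of failed POSTs to the login page, either from a single source or, when the attacker rotates through a proxy list, spread thinly across many sources. The following Python script is an added example (not code from the original post or from any tool it names) showing how a defender can flag both patterns with sliding-window counts. The log lines are constructed sample data; the login paths, the failure status codes and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed login endpoints of the monitored site and the statuses it returns
# on a failed login attempt (both are assumptions made for this example).
LOGIN_PATHS = {"/admin/login", "/wp-login.php"}
FAILED_STATUSES = {401, 403}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def _prune(timestamps, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while timestamps and now - timestamps[0] > window:
        timestamps.popleft()


def detect_dictionary_attacks(lines, window=timedelta(minutes=5),
                              per_ip_threshold=5, distributed_threshold=15,
                              min_sources=10):
    """Scan log lines in time order and return a list of (kind, ip, count) alerts.

    per_ip_bruteforce        - one source exceeded per_ip_threshold failures
    distributed_bruteforce   - many sources (a proxy list) together exceeded
                               distributed_threshold failures in the window
    success_after_bruteforce - a flagged source then got a non-failure
                               response from the login page (likely compromise)
    """
    per_ip = defaultdict(deque)   # failed-login timestamps per source IP
    all_failures = deque()        # failed-login timestamps from every source
    flagged = set()
    distributed_seen = False
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        now, ip = ev["ts"], ev["ip"]
        if ev["status"] in FAILED_STATUSES:
            q = per_ip[ip]
            q.append(now)
            _prune(q, now, window)
            if len(q) >= per_ip_threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("per_ip_bruteforce", ip, len(q)))
            all_failures.append(now)
            _prune(all_failures, now, window)
            # Proxy rotation keeps every source under the per-IP threshold,
            # so also count distinct sources that were active inside the window.
            active = {src for src, dq in per_ip.items()
                      if dq and now - dq[-1] <= window}
            if (not distributed_seen and len(all_failures) >= distributed_threshold
                    and len(active) >= min_sources):
                distributed_seen = True
                alerts.append(("distributed_bruteforce", "multiple", len(active)))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, ev["status"]))
    return alerts


def _line(ip, minute, second, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [08/Jan/2009:10:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/4.0"')


# Constructed sample: one benign request, a single-source burst followed by a
# successful login, then a slow distributed run from twenty proxy addresses.
SAMPLE_LOG = [_line("192.0.2.10", 0, 0, "GET", "/", 200)]
SAMPLE_LOG += [_line("198.51.100.7", 1, 10 * i, "POST", "/admin/login", 401)
               for i in range(6)]
SAMPLE_LOG.append(_line("198.51.100.7", 2, 0, "POST", "/admin/login", 302))
SAMPLE_LOG += [_line(f"203.0.113.{i}", 3, i - 1, "POST", "/wp-login.php", 401)
               for i in range(1, 21)]

if __name__ == "__main__":
    for alert in detect_dictionary_attacks(SAMPLE_LOG):
        print(alert)
```

The per-IP rule catches the naive single-host attacker; the distributed rule is what matters against a proxy list, because each proxy may only ever produce one or two failures. The third alert, a success from a source that was already flagged, is the one worth paging on, since it marks the point where a weak password was actually found.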
We have launched a new project that unites the computer capabilities of many computers around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel. [4]
The website offered a small executable to download. This bot would receive commands just as a normal criminal bot would. Hamas-friendly sites such as qudsnews.net and palestine-info.info were targeted by the IRC botnet. Still according to the article, the botnet has come under attack by unknown assailants [5]. No definitive number is given as to how many machines the botnet controls; estimates range from 1,000 to 8,000 machines [6]. Very little detail is given on how the bot actually works.
There was a very similar attempt to create a “conscript” botnet, known as the e-Jihad botnet, which failed to realize its objective last year, as the tool was unsophisticated and rather crude [7]. The e-Jihad tool had the same objective as the Patriot botnet: to launch DDoS attacks against various targets.
Nevertheless, this kind of parallel attack is bound to become a popular civilian option for attacking servers. The only thing needed is a solid botnet, built by taking some of the most sophisticated criminal botnets and transforming them into voluntary “cyber-armies”. There is one problem though… how can we make sure it’s legitimate? Making such programs open source? But then you reveal your command and control servers and information that could let the enemy hijack our own botnet. It all comes down to a question of trust… and, of course, a clear and easy way to remove the bot at any time.
See also:
“Army Mil and NATO Parliament hacked by Turks”, Roberto Preatoni, Zone-H, http://www.zone-h.org/content/view/15003/30/ (accessed on January 10, 2009)
[1] “Battle for Gaza Fought on the Web, Too”, Jart Armin, Internet Evolution, January 5, 2009, http://www.internetevolution.com/author.asp?section_id=717&doc_id=169872& (accessed on January 10, 2009)
[2] “Pro-Palestine vandals deface Army, NATO sites”, Dan Goodin, The Register, January 10, 2009, http://www.theregister.co.uk/2009/01/10/army_nato_sites_defaced/ (accessed on January 10, 2009)
[3] “Wage Cyberwar Against Hamas, Surrender Your PC”, Noah Shachtman, Danger Room, Wired, January 8, 2009, http://blog.wired.com/defense/2009/01/israel-dns-hack.html (accessed on January 10, 2009)
[4] Copied from Google’s cache of help-israel-win.org
[6] “Hacktivist tool targets Hamas”, John Leyden, The Register, January 9, 2008, http://www.theregister.co.uk/2009/01/09/gaza_conflict_patriot_cyberwars/ (accessed on January 10, 2009)
[7] “E-Jihad vs. Storm”, Peter Coogan, Symantec, September 11, 2007, https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/170#M170 (accessed on January 10, 2009)
As the transition period leading to the new presidency is almost at an end, everyone will probably have multiple requests for the president, and one of those is to increase cyber defence. With this in mind, a new report created by the “CSIS Commission on Cybersecurity for the 44th Presidency” has released its recommendations on how to secure cyberspace. They consist of:
- Create a Comprehensive National Security Strategy for Cyberspace
- Organizing for Cybersecurity
- Rebuilding Partnership with the Private Sector
- Regulate for Cybersecurity
- Identity Management for Cybersecurity
- Modernize Authorities
- Build for the Future
This report comes 5 years after the “National Strategy to Secure Cyberspace” document released in 2003 by the National Advisory Board, whose goal was to “engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact”. The CSIS document doesn’t mention the previous efforts by the National Advisory Board but declares the previous efforts of the Bush administration as “good but not sufficient”.
As usual, it remains difficult to see how much of this report is based on real facts and how much is just a way to secure funds from the new president by linking potential damage to the cyberspace infrastructure to the economy. It states that “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009”. It uses the cyber attack that occurred on various American networks in 2007 as an example.
While there may be some fear-mongering in this report, we should not completely dismiss the threats it mentions. As cyber warfare is mostly waged without much fanfare, in the shadows, it is hard to really determine what’s going on. Since there is no open war between modern countries, we won’t see any cyber warfare for the time being. For the moment, cyberspace will mostly be used for spying, and this is what the document mostly addresses.
“The unclassified e-mail of the secretary of defense was hacked … A senior official at the Department of State told us the department had lost “terabytes” of information,” declares the report, also: “Senior representatives from the intelligence community told us that they had conclusive evidence, covertly obtained from foreign sources, that U.S. companies have lost billions in intellectual properties.”
Unfortunately, “senior representatives”, “conclusive evidence” and “foreign sources” are so vague that it’s impossible to validate the scope of the problem… or even to believe it. Another document, though, referenced in the present report, gives some examples of terrorists’ uses of cyberspace. It mentions, among others, the “Muslim Hackers Club” website and the information posted to it, and the use of stolen credit cards and bank account information to finance the Bali attack in 2002.
The authors put a lot of emphasis on treating cybersecurity as a priority on the same level as WMD and any other subject that requires national attention, therefore requiring that the federal government take charge of national cybersecurity instead of IT departments. The report proposes that:
1) Standards for computer security be enforced on industry, such as manufacturing plants and power plants.
2) Cyberspace security be overseen by a cybersecurity chief, and that security agencies such as the National Cyber Security Center (NCSC) and the Joint Inter-Agency Cyber Task Force (JIACTF) be merged into one.
A central office in charge of enforcing computer security standards will have to be formed sooner or later. Fortunately this will be sooner. Information Technology departments should not only have a national reference on the standards to achieve, but also have the opportunity to know how to implement those standards by having government-accredited security companies implement those standards on the networks of various industries. I also believe this new agency should periodically test the security of those networks, as, I presume, should already be done. The report proposes that instead of a new agency, the White House be in charge of national cybersecurity, with an assistant to the president.
The difficulty in this resides in the fact that a single weak link is sufficient to attack the entire system. Therefore, it is necessary to screen the entire critical infrastructure in order to secure it effectively. And since the systems of large industries are often connected internationally, this implies an international consensus.
One thing is for sure: all the existing computer-security-related efforts need to be consolidated in order to focus on a common goal, the protection of cyberspace. As the report states, they also need to work hand in hand with the private sector in order to react quickly to emergencies. Unfortunately this is only another report amongst others. Maybe a more tech-savvy president such as Barack Obama will catch on quicker to this threat. Until then, the battle still rages on in the shadows of the Internet…
“Obama urged to create White House cybersecurity chief”, Dan Goodin, The Register, December 8, 2008, http://www.theregister.co.uk/2008/12/08/cyber_security_report/ (accessed on December 10, 2008)
“Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/ (accessed on December 10, 2008)
“The National Strategy to Secure Cyberspace”, National Advisory Board, February 2003, p. VII
“Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, p. 15
Ibid. p. 11
“Pentagon shuts down systems after cyberattack”, Robert McMillan, InfoWorld, June 21, 2007, http://www.infoworld.com/article/07/06/21/Pentagon-shuts-down-systems-after-cyberattack_1.html (accessed on December 10, 2008)
“Threats Posed by the Internet”, CSIS Commission on Cybersecurity for the 44th Presidency, October 2, 2008, http://www.csis.org/component/option,com_csis_pubs/task,view/id,5146/type,1/ (accessed on December 10, 2008)
“Bali death toll set at 202”, BBC News, February 19, 2002, http://news.bbc.co.uk/2/hi/asia-pacific/2778923.stm (accessed on December 10, 2008)
San Antonio will be hosting the new data center of the National Security Agency, reports the San Antonio Current. An old Sony factory on West Military Drive, near San Antonio’s Loop 410 freeway, will be transformed to accommodate enormous amounts of data, mainly electronic communications such as phone conversations and emails, according to author James Bamford:
“No longer able to store all the intercepted phone calls and e-mail in its secret city, the agency has now built a new data warehouse in San Antonio, Texas.”
This city was chosen for its cheap electricity, provided on an independent power grid, since Texas has its own grid, unconnected to the other states’, which makes it more reliable.
Another factor was the location of a similarly sized Microsoft data center a few miles away. This center will be the third largest data center in San Antonio.
As for the Sony plant, it is made up of two connected buildings, offering offices and research areas, and totals around 470,000 square feet. It is expected that 1,500 employees will work there initially, and it may employ up to 4,000 personnel.
“The panopticon economy”, Greg M. Schwartz, San Antonio Current, December 3, 2008, http://www.sacurrent.com/news/story.asp?id=69607 (accessed on December 8, 2008)
“NSA Plans San Antonio Data Center”, Rich Miller, Data Center Knowledge, April 19, 2007, http://www.datacenterknowledge.com/archives/2007/04/19/nsa-plans-san-antonio-data-center/ (accessed on December 8, 2008)
Details are now starting to emerge from the deadly attacks by terrorists on the city of Mumbai, formerly known as Bombay. News outlets are starting to report the technologies used by the attackers to communicate and coordinate their attacks, which killed an estimated 172 people from various nations.
Among the commercial technologies used by the terrorists were GPS and satellite phones. The attackers, apparently trained in marine assault, entered the city aboard the MV Kuber, a hijacked fishing boat used as a mother ship, navigated by an experienced sailor using GPS maps: “A trained sailor, [Abu] Ismail used the GPS to reach Mumbai coast on November 26.” According to the Times of India, the GPS also contained an escape route for once the operation was deemed complete.
[Photo: Satellite phone used by the terrorists]
The satellite phone could be used to track conversations between the individuals before their landing in the city. According to an article published by ABC News, Indian intelligence also intercepted a satellite phone call:
“Nov. 18, Indian intelligence also intercepted a satellite phone call to a number in Pakistan known to be used by a leader of the terror group, Lashkar e Taiba, believed responsible for the weekend attack, Indian intelligence officials say.”
Officials from RAW, the Indian intelligence agency, said that they got hold of SIM cards found with the satellite phone, possibly bought in the U.S. Those are providing leads to Lashkar e Taiba, a Kashmir separatist group, according to the same ABC article.
Also, many of the articles report that BlackBerry phones were used by the attackers to communicate with each other and to follow the media’s reports about the attacks. Damien McElroy of The Telegraph claims that the terrorists used them to monitor the situation through British media.
More to come as the investigation continues, now that the siege has ended…
“India clears last Mumbai siege site”, Ravi Nessman, Associated Press, December 1, 2008, http://www.google.com/hostednews/ap/article/ALeqM5hz0C0SXcxgP0NxzlqGA_EI57FBkQD94PMPC00 (accessed on December 1, 2008)
“‘No regrets’: Captured terrorist’s account of Mumbai massacre reveals plan was to kill 5,000”, Daily Mail, December 1, 2008, http://www.dailymail.co.uk/news/article-1090546/No-regrets-Captured-terrorists-account-Mumbai-massacre-reveals-plan-kill-5-000.html (accessed on December 1, 2008)
“Is technology a toy in the hands of terrorists?”, CyberNews Media, November 28, 2008, http://www.ciol.com/News/News-Reports/Is-technology-a-toy-in-the-hands-of-terrorists/281108113190/0/ (accessed on December 1, 2008)
“Arrested terrorist says gang hoped to get away”, Times of India, November 29, 2008, http://timesofindia.indiatimes.com/India/Arrested_terrorist_says_gang_hoped_to_get_away/rssarticleshow/3771598.cms (accessed on December 1, 2008)
“U.S. Warned India in October of Potential Terror Attack”, Richard Esposito, Brian Ross, Pierre Thomas, ABC News, December 1, 2008, http://www.abcnews.go.com/Blotter/story?id=6368013&page=1 (accessed on December 1, 2008)
“Mumbai attack: Satellite phone vital clue to solve mystery”, Yogesh Naik, The Times of India, November 28, 2008, http://timesofindia.indiatimes.com/Mumbai_attack_Satellite_phone_vital_clue_to_solve_mystery/rssarticleshow/3770611.cms (accessed on December 1, 2008)
“U.S. Warned India in October of Potential Terror Attack”, Richard Esposito, Brian Ross, Pierre Thomas, ABC News, December 1, 2008, http://www.abcnews.go.com/Blotter/story?id=6368013&page=1 (accessed on December 1, 2008)
“Mumbai attacks: Terrorists monitored British websites using BlackBerry phones”, Damien McElroy, The Telegraph, December 1, 2008, http://www.telegraph.co.uk/news/worldnews/asia/india/3534599/Mumbai-attacks-Terrorists-monitored-coverage-on-UK-websites-using-BlackBerry-phones-bombay-india.html?mobile=basic (accessed on December 1, 2008)
“How Gadgets Helped Mumbai Attackers”, Noah Shachtman, Danger Room – Wired, December 1, 2008, http://blog.wired.com/defense/2008/12/the-gagdets-of.html (accessed on December 1, 2008)
ArsTechnica had some bits of information on how the triggerfish has been used to retrieve information from cell phones, such as the electronic serial number (ESN), phone numbers and other data, without the users’ knowledge and without the help of the telephone providers. It was used back in the 90s by the FBI to track legendary hacker Kevin Mitnick.
When cell phones are on, they automatically look for cell sites around them in order to connect to the telephone company’s network. A phone then connects to the site with the strongest signal, as that gives the best connection. The triggerfish antenna is a high-powered cell site simulator to which any cell phone near enough will connect, as it considers it a normal cell site. Once the mobile registers with the triggerfish and the user wants to make or receive a call, the mobile sends the mobile identification number (MIN), which is actually the phone number, the ESN, and cell site data, which contains the channel used and the sub-geographical location, along with all the incoming and outgoing data of the caller. It will also contain the outgoing or incoming MIN. According to the documents released by the ACLU, the triggerfish is able to display the following:
“If the cellular telephone is used to make or receive a call, the screen of the digital analyzer/cell site/simulator/triggerfish would include the cellular telephone number (MIN), the call’s incoming or outgoing status, the telephone number dialled, the cellular telephone’s ESN, the date, time and duration of the call, and the cell site number/sector (location of the cellular telephone when the call was connected)”
The same document also states that this device may be able to intercept the contents of the communication if the option is enabled. It’s important to note that the cell phone must be used to receive or send a call (SMS or web too) in order for the triggerfish to work, as data about the location of the phone will be sent in every data packet sent and received by the user. This is how organizations can track people using cell phones. Since mobiles always need to find new cell sites as the user moves around, the network needs to exchange geographical information with the phone in order to locate the cell sites nearest to the mobile.
As explained above, the antenna needs to be stronger than the local cell site in order to pick up the registration of the mobiles. Therefore it needs a lot of power and a high-gain antenna. It also needs equipment such as a digital analyzer in order to make sense of the data intercepted by the triggerfish. And for tracking, it needs to be mounted on a truck to follow the signal, of course.
There is a way for anyone to build something almost similar to the triggerfish by using an IMSI catcher. An IMSI catcher can be used to intercept GSM phone calls and uses the same tactic as the triggerfish: simulating a cell site. It then relays data to a genuine cell site in the area. To do that, the IMSI catcher needs a SIM card and then appears to the genuine cell site as a mobile phone. In other words, the IMSI catcher acts as a man-in-the-middle between the mobile phone and the genuine cell site.
Even if it works in the same way as a triggerfish, the IMSI catcher has some serious drawbacks, among others:
- “It must be ensured, that the mobile phone of the observed person is in standby mode and the correct network operator is found out. Otherwise, for the Mobile Station, there is no need to log into the simulated Base Station.
- All mobile phones in the catchment area have no access to the network. Incoming and outgoing calls cannot be patched through for these subscribers.
- […] Since the network access is handled with the SIM/USIM of the IMSI Catcher, the receiver cannot see the number of the calling party. Of course, this also implicates that the tapped calls are not listed in the itemized bill.
- The assignment near the Base Station can be difficult, due to the high signal level of the original Base Station.”
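The mechanism this post relies on, the phone camping on whichever cell site it receives most strongly, and two of the drawbacks just listed (phones captured by a simulator lose real network access; close to the genuine base station the simulator struggles to win) can be made concrete with a small simulation. The following Python model is an added example, not code from the original post or from the cited documents. It uses a simplified log-distance path-loss model and constructed cell IDs, positions and power levels (all assumptions), and applies the simplest defensive check an operator or a handset-side tool can make: flagging registrations to a cell ID that is not in the operator’s known inventory.

```python
import math
from dataclasses import dataclass

# Path-loss exponent of the log-distance model; 3.5 is a typical urban
# assumption, chosen for this example only.
PATH_LOSS_EXPONENT = 3.5


@dataclass(frozen=True)
class CellSite:
    cell_id: str
    tx_power_dbm: float
    x: float          # metres
    y: float          # metres


def rssi_dbm(site, px, py):
    """Received signal strength at (px, py) under the log-distance model."""
    d = max(math.hypot(site.x - px, site.y - py), 1.0)   # avoid log10(0)
    return site.tx_power_dbm - 10 * PATH_LOSS_EXPONENT * math.log10(d)


def select_cell(sites, px, py):
    """An idle phone camps on the site it receives most strongly."""
    return max(sites, key=lambda s: rssi_dbm(s, px, py))


def simulate_attachments(sites, phones):
    """Map each phone name to the cell_id it would register with."""
    return {name: select_cell(sites, px, py).cell_id
            for name, (px, py) in phones.items()}


def phones_without_real_service(attachments, known_cell_ids):
    """Phones camped on a cell the operator does not know about.

    A simulator that does not relay traffic leaves these subscribers
    unreachable (the 'no access to the network' drawback), and the same
    observation is the defender's simplest detection signal: a cell ID
    absent from the operator's inventory should never appear in a registration.
    """
    return sorted(name for name, cid in attachments.items()
                  if cid not in known_cell_ids)


# Constructed scenario (every value below is an assumption).
LEGIT_SITES = [
    CellSite("OP-CELL-0042", 43.0, 0.0, 0.0),
    CellSite("OP-CELL-0043", 43.0, 1600.0, 0.0),
]
KNOWN_CELL_IDS = {s.cell_id for s in LEGIT_SITES}
# Lower-power simulator parked between the two genuine sites.
SIMULATOR = CellSite("UNKNOWN-9999", 40.0, 800.0, 0.0)

PHONES = {
    "A": (850.0, 0.0),   # right next to the simulator
    "B": (60.0, 0.0),    # right next to a genuine site: simulator cannot win
    "C": (400.0, 0.0),   # equidistant: the genuine site still wins on power
    "D": (1000.0, 0.0),  # simulator side of the midpoint
}


def run_scenario():
    """Return (attachments, captured) for the constructed scenario."""
    attachments = simulate_attachments(LEGIT_SITES + [SIMULATOR], PHONES)
    captured = phones_without_real_service(attachments, KNOWN_CELL_IDS)
    return attachments, captured


if __name__ == "__main__":
    attachments, captured = run_scenario()
    for name, cid in attachments.items():
        print(f"phone {name}: camped on {cid}")
    print("captured (no real service, unknown cell id):", captured)
```

Phones A and D end up on the simulator and, unless it relays their traffic, silently lose service; phone B sits too close to the genuine site for a simulator of this power to capture it, which is exactly the last drawback in the list above. On the detection side, an operator correlating registrations against its own cell inventory, or a handset tool with a list of expected cell IDs for the area, sees the unknown ID as soon as the first phone attaches to it.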
“Electronic Surveillance Manual”, U.S. Department of Justice, June 2005
“IMSI Catcher”, Daehyun Strobel, Chair for Communication Security, Ruhr-Universität Bochum, July 13, 2007
“FOIA docs show feds can lojack mobiles without telco help”, Julian Sanchez, ArsTechnica, November 16, 2008, http://arstechnica.com/news.ars/post/20081116-foia-docs-show-feds-can-lojack-mobiles-without-telco-help.html (accessed on November 18, 2008)
“Computer hacker Kevin Mitnick”, Michael Cooke, Essortment.com, 2002, http://www.essortment.com/all/kevinmitnickco_rmap.htm (accessed on November 18, 2008)
“Electronic Surveillance Book: XIV Cell Site Simulators/Digital Analyzer/Triggerfish”, Electronic Surveillance Unit, Department of Justice, June 2005, p. 40
“IMSI Catcher”, Daehyun Strobel, Chair for Communication Security, Ruhr-Universität Bochum, July 13, 2007, p. 14
Ibid. p. 16
A man and a woman, Steve Lee and Rong Yang, were sentenced last week to eight months in prison for helping two Chinese men cheat on their immigration exams, according to a news report from the Metropolitan Police Service. The duo was monitoring the examination from a vehicle outside the building with laptops, transmitters and other equipment.
“Lee and Yang were clearly involved in a sophisticated operation using some of the best surveillance technology available worth thousands of pounds. When we first arrived at the scene it was very confusing as to what exactly was going on.”
It’s hard to tell what the “best surveillance technology available worth thousands of pounds” was, since no detailed equipment list was given, but we might expect this to be largely exaggerated. The report states that Zhuang, the examinee, was given “tiny buttonhole cameras sewn in, a microphone and a small ear piece”. With this equipment, the information was transmitted back to Lee and Yang, who told Zhuang the answers to the questions.
I decided to look up the equipment needed to conduct such an operation. The following items can be found without looking very hard on the net:
· Wireless Button Camera – £226.37
· Wireless Microphone – £133.13
· Wireless Earpiece – £134
· Laptop – £429
· Wireless Router – £51
Unless I’m forgetting something worth more than £1000, this is far from being “thousands of pounds”. And I’m quite sure you can get these items cheaper if you look on eBay.
Anyway, the cheaters were caught after a member of the public reported seeing Lee and Yang sitting in a silver BMW with wires running from under the hood into the car.
Sergeant Dominic Washington, who first responded to the call from the public, said:
“However, working with colleagues from across the borough and the Met we believe that we have uncovered an established criminal enterprise that may be in operation in other parts of the country.”
No, I don’t think so… but this might give ideas to the others. And why were there wires under the car?
“Two convicted for immigration test scam”, Metropolitan Police Service, November 14, 2008, http://cms.met.police.uk/news/convictions/two_convicted_for_immigration_test_scam (accessed on November 17, 2008)