
October 30, 2009

Study concludes cyber-terror not yet a threat; other study concludes cyber-terror a threat

I was glancing at the news the other day and noticed a recent study released by the Center for Strategic and International Studies that says cyber-terrorism is just not a threat right now. Specifically, the study said, terrorists just don’t have the capabilities to cause any significant damage in cyberspace. Great news, I thought to myself; I can finally stop worrying about the huge security risk of terrorists hacking into my computer and monitoring my significant web use, consisting mostly of YouTube videos and www.cracked.com list-based comedy articles.

So I kept looking at the news, and I came to an upsetting story. AFCOM, the world’s largest data-center association, recently conducted a study saying that cyber-terrorism was not being focused on enough. Specifically, data that should be protected was left unprotected, and in general terrorists could hack major systems at any time because we’re leaving everything too vulnerable.

Here are links to both stories, released in the same week:

http://www.reuters.com/article/pressRelease/idUS143546+27-Oct-2009+BW20091027

http://threatpost.com/en_us/blogs/cyberterror-not-credible-threat-102309

So at this point I was pretty confused.

But then I actually read through some of the studies a little bit and the confusion was at least somewhat beaten back. The first study was focusing more on DDoS attacks, attacks that require significant computing power, and yes, it’s true that terrorists do not appear to have this ability just yet. The study’s author claims 3-8 years until they become a serious threat in this way. However, in my humble opinion, the study’s wording is such that it can make a broader sweeping claim about cyber-terrorism in general, which obviously makes the study seem more important but also makes it more confusing to the general public and media. The second study covered any kind of cyber-terrorism, from single hackers to social engineering to literally just stealing CDs and such. Measured that way, organizations apparently are not doing enough to safeguard against it.

Conclusion: cyber-terrorism is a threat right now, just not in the form of attacks that require significant computing power (such as control of large botnets).

Iranian Hacker Group Claims Ties to the Government: Who?

I love this story. I think it’s really interesting and very compelling, so I went ahead and did some primary-source research on Ashiyane by looking at their forums.

They claim their forum to be “Iran’s first security forum.” Looking at it a bit closer, though, you see that it’s really more a step-by-step collection of how to be a script kiddie. It has everything from where to download and how to use Trojan-horse backdoors (like Back Orifice), password sniffers, port-scanning tools (nmap), and password-cracking software (John the Ripper), to conducting DDoS and DoS attacks, and much more. Most places at least vaguely try to hide that they’re giving this information out for illegal purposes, saying things like “conduct your own DDoS attack on your own network only!” or something like that, but they don’t even try. They must say the word hack (abbreviated to hk, and which they definitely take to mean illegal hacking, not just doing creative things with computers as some hackers use the term) a million times in the forum.

The forum has about 45,000 members, but the group itself is definitely fairly limited; the media claim 15 people, and it’s probably somewhere close to that if not exactly that. Here’s some of their work:

You’ll notice the Hamas picture on the right, showing their anti-Israeli stance.

Something else that makes me think they have actual ties to the government is their hacking style: it’s very political. However, from what I’ve seen of their forum (and I definitely haven’t seen a lot of it; there are some “private” areas for members only), the members themselves aren’t that politically charged. That makes me think someone is pushing them to do some politically charged hacking.

Here’s their Facebook page. It’s in Persian, so use Google Translate to read their description; you’ll note no political messages:

http://www.facebook.com/search/?q=ashiyane&init=quick#/group.php?gid=39484951932&v=info&ref=search

Oh, in case you’re curious, this is a picture of Behrooz Kamalian I found on Facebook.

And here’s the link to their forum (also in Persian). A word of caution before checking out the forum: if you thought “1337speak” (1337sp34k) was painful in English, wait until it’s combined with a poor translation from Persian, poor grammar to begin with (most likely), and the word hack abbreviated to hk about 10 million times in rapid fire:

http://www.ashiyane.org/forums/

Iranian Hacker Group Claims Ties to the Government: Why?

This all comes from a short article on the news website IRNA, plus my personal analysis of primary sources.

So the story is that a guy named Behrooz Kamalian is the head of a 15-member hacker group called Ashiyane. I’m not sure exactly where they got that number; I see 11 admins on their forum and 45 people in their Facebook group, though that 45 definitely doesn’t mean they’re all part of the group. Anyway, Behrooz Kamalian released a statement claiming ties to the Iranian government and military. He said that they hacked over 1,500 Israeli websites during the Israeli attack on Gaza in January and on international al-Quds Day. He also claims they hacked 100 Danish websites that insulted the Prophet Muhammad.

So is this guy just crazy? On some sort of power trip? Is he like the hacker version of Frank Dux, claiming to work for the government but really just a little bit nuts?

I don’t think so. State-sponsored hacking is a big deal right now in the international community. I think if a hacker group falsely claimed ties to the government, it could face serious consequences from its own government. Not necessarily would, but could, and I think that would make Ashiyane think twice before doing so. Therefore, I think this is likely the real deal and that the announcement was either orchestrated or at the very least okayed by the government/military.

In general, state-sponsored hacking occurs in the shadows; all parties deny that it occurred, or at least keep mum, until it all blows over. That way there is at least some doubt: everyone is left wondering, are these countries hiring criminals to do their dirty work? Well, yes, they most likely are, but they usually don’t admit it, and there’s always that tiny little bit of doubt left in some people’s heads. So, assuming I’m right that this was purposefully released by the government, why are they doing it?

I am of the opinion that they did it to flex their cyber-muscles. Not that anyone would be scared of a 15-person hacker group (that quite honestly looks like a bunch of script kiddies), but it’s more what the hacker group having ties to the government represents. It basically says to the world, “yeah, we’re using these borderline criminal hackers, we are willing to do this, and we currently ARE doing this.” Sort of like an F you to other countries that either might not have the means to do this or are simply opposed to hiring criminals to attack other countries. For example, I don’t think the US could hire a criminal hacker group to attack other countries; the politician who okayed that would probably be put in jail, or at least chewed out by somebody.

I’m going to go out on a limb here and say that more countries are going to follow Iran’s example. I think it could even cause an escalation in cyber-warfare as countries race to have the biggest cyber-muscles to cyber-flex all over the cyber-world to show that they can cyber-disrupt other countries. Watch for this within the next couple of months and either:

1) Laugh at me as I’m horribly wrong
2) Cheer and shower me with praise
3) Completely ignore this entry

October 20, 2009

Who's beefing up cyber-security?

I’ve talked a decent amount already about some of the different threats that are out there (Russia). But some people might say, “Why so negative? How about some happy news?” Here is some happy news that might seem kind of obvious: countries have definitely recognized that cyber-threats are growing, and they’re trying to fight back. Here are some different things that other countries are doing to make themselves more secure.

The UK

In October the UK launched the £30 million Centre for Secure Information Technologies (CSIT). The Centre will bring various private and public organizations together to create “systems to be deployed at the core of next generation computer and telecoms networks to provide much higher levels of protection than is possible with the Internet security tools installed on today’s PCs,” according to Gov Monitor news.

This is definitely technical-sounding enough to be impressive, but really it just means “make UK cyber-security way awesomer.”

Actually looking at some of their projects, though, it seems like they’re really concentrating on getting serious processing power, plus some crime and behavioral specialists working alongside software producers, to bring many disciplines to bear on stopping cyber-crime.

South Korea

Just this past Sunday, South Korea announced that it is training 3,000 cyber-security experts to work on Internet security. The measures were decided by the presidential office, government agencies, and the National Intelligence Service. Something I find extremely interesting is that, unlike the DHS’s plan to hire 1,000 new cyber-security experts, South Korea actually has a plan for where these 3,000 experts will come from. The government will have universities set up new departments that offer Internet security courses and create new research centers where these students may subsequently work. They’ve also divided the roles of the different Korean agencies: the Korea Communications Commission will handle all of the policies that affect the private sector, the Ministry of Defense will expand its troops to protect against new cyber-attacks, and the National Intelligence Service is in charge of dealing with cyber-terror. They seem very organized and motivated to make it work; look for South Korea to become a major cyber player in the coming years.

New Zealand

Recently the New Zealand Police opened a cyber-security center. It has 5 members, but dammit, they’re trying.

The US

The 2009 National Intelligence Strategy, sort of between the lines, claims the US should be doing more to steal secrets from unfriendly countries, like China. DNI Blair confirmed that this was, in fact, the strategy being taken when he said:

“We do have to be very aggressive in the areas that you cited in cyber, both protecting our own secrets and stealing those of others, because not only in the developed countries but through the world information is moving to networks.”

I for one am all for this new aggressive stance we’re taking here. I’m also a fan of not dancing around it; he says very clearly, you’re taking our secrets, yes, we’re taking your secrets, and yes, we’re going to try harder to take more. That lets them know what they already suspected and, in my opinion, makes the US look stronger.

All of these show that some major players are beefing up their cyber-security.

October 13, 2009

Russians attempt cyber-attack on Poland, Fail

A cyber-attack detected by Poland last week is suspected to have originated from Russia.

The attack was a big “screw you” to Poland after it proposed a resolution asking “people of good will” in Russia to condemn Stalinist crimes such as the Katyn massacre of 1940, in which the Soviets killed about 22,000 Polish military officers, police, intellectuals, and civilian prisoners of war. The resolution has been very controversial, with the Russian government flatly refusing to reopen investigations into the Katyn massacre.

The attack came on the 70th anniversary of the Soviet invasion of Poland. It targeted approximately 50 government servers in an attempt to severely cripple government infrastructure and the ability to disseminate information. However, Polish “cyberpatrols” noticed the suspicious traffic and were able to stop any significant damage from occurring. It has not been released exactly which servers were hit.

It’s also not entirely clear whether this was done by organized cyber-crime alone, by coordinated hacker groups, or by a state-sponsored mix of the two. I’m going to go out on a limb and say I think it was state-sponsored. The Russian government has so far not been appreciative of being forced to revisit its Soviet past, and it has seemed to have no problem resorting to direct cyber-attacks to try to get its way; for example, the cyber-attack on Estonia following a dispute over the relocation of Soviet-era war memorials and graves. The attempted cyber-attack on Poland looks awfully similar to this, and it’s unlikely that organized crime acting alone really cares very much about resolutions by Poland asking Russians to basically apologize for past wrongs. The government, however, does have a reason not to want to revisit this past, and therefore I conclude that this was state-sponsored hacking, yet again.

So we have a problem. Russia has no problem with committing cyber-attacks. Though it’s unlikely they’ll try to bully us, it’s clear they have no problem doing it to other, smaller countries. Props to Poland for stopping the attack in time, showing them they can’t just attack any other country and get away with it (like with Georgia or Estonia).

But this is unlikely to deter the Russian government from continuing such attacks, especially when they have the easy cover of “hey, it was just those organized cyber-crime gangs…they should really stop that, we’ll give them a stern talking to if we see them around.”

October 06, 2009

Organized Cyber-crime- Russia, Eastern Europe, and the Mafia

As seen in previous posts, organized cyber-crime has played an important part in state-sponsored hacking. However, organized cyber-crime has changed since 2008; in particular, it’s gotten worse. Here’s some more info that might shed some light on what’s going on in the computer underground.

It should come as no surprise that Russian cyber-crime is still extremely organized, which is why the Russian government sponsored them to help with military operations against Georgia. Of particular note is the now supposedly defunct Russian Business Network (RBN), known for selling its services, releasing malware, and stealing many, many identities. The recent Heartland Payment Systems heist had some similarities to tactics used by the RBN, which makes me think they’re probably not completely gone.

Smaller Eastern European nations are also major players in the organized cyber-crime world. Recently these groups have grown very large and received significant attention due to their focus on stealing from the many small and mid-sized US businesses that might be vulnerable. These groups often have programmers, false fronts as legitimate ISPs, and hackers talented in creating malware. I expect that we’ll see more and more crime coming out of Eastern Europe, and these smaller states could use these groups effectively against countries they may be in conflict with.

The Mafia has recently begun recruiting people to commit cyber-crimes. This is a smart move, as various studies have shown that one of the Mafia’s favorite activities, selling drugs, even on a large scale, is often less profitable and more risky than organized computer crime. I expect this to become a bigger problem in the US as significant profit is made. However, I don’t see the US using them as state-sponsored hackers. They’re not that advanced yet, fortunately, and if they were used here, whoever made that decision would die a horrible, horrible political death, so I just don’t see it happening.

These are just a few examples of organized cyber-crime. There’s a lot more, and as I come across them, I’ll post them.