Hackers, Credit Cards, and the Media

Posted on January 19, 2012 by iamit

In the past couple of weeks there has been an interesting “hacking” trend going on in Israel. It started from the publication of a few thousand credit card records (out of an alleged 400,000). Continued with the publication of “SCADA” systems with default credentials, and a handful of gov.il email addresses and passwords, and more recently with the DDoS on the public site of the Tel-Aviv Stock Exchange, and ElAl Arilines.

We call these events “hacking” (quotes) on purpose. Following is a basic analysis of what has been done, some impact analysis on it, and an outlook for the continuation of such events and their escalation.

Analysis of past events

First things first – the credit card leak that started it all wasn’t real news. All the records pertain to older attacks on some poorly secured internet merchants (mostly coupon deals) which stored credit card records (illegal) in an insecure way (malpractice). The “news” about the leak was the aggregation of these records, and the publication in a media context of “Cyberwar against Israel”. What made this fairly insignificant event into newsworthy was… the news. The media attention thrown on it was unprecedented, and the number of “cyber consultants” (I’m not making this up) who provided content-less interviews gave the impression that the infosec industry in Israel is 10 times bigger than it really is.

For the person/s (0xOmar) who published the regurgitated information this was pure win – exactly what they were looking for. This would have ended with that unless two things happened:

Danny Ayalon – the vice-minister of foreign affairs has been quoted saying that this attack should be regarded as an act of terror
Several groups of script kiddies from Israel started working on a vengeance against Saudi credit card holders.

Both actions are regarded as knee-jerk responses, and there is no way to look at them in any productive means (strategic nor tactical). Nevertheless, the combination of said actions, and the continued excessive media coverage basically led the way to an escalation in the activities.

The next action, although not a real escalation yet, showed how 0xOmar turned essentially into a brand much like Anonymous, where information on alleged Israeli “SCADA” systems logins and gov.il email addresses was made public. This leak, now not directly associated with 0xOmar turned the attention of some Anonymous twitter accounts into supporting the newly tagged “#fuckIsrael” activities.

When looking at the “SCADA” leak, it is easy to see that none of the systems quoted are actually SCADA related, but mostly content management systems, some wireless routers installed at residential locations, and a car booking system. The email addresses and passwords (and hashes) are all from the STRATFOR leak which happened a couple of weeks beforehand (and even there it didn’t contain the hundreds of really interesting Israeli related information).

Nevertheless – media attention was at full force, and the attempts to “out” who 0xOmar only fueled the ego behind the alias more. Combined with the newfound attention from the Anonymous brand as well, additional groups started to join the party, and the last escalation in activities showed for the first time an actual activity against Israeli associated facilities – the DDoS on the stock exchange and ElAl’s websites. Again – the choice of targets is not coincidental: both sites are well known and are strongly associated with Israeli media around the world (financial, and the national airline). These are not strategic targets of a classic “cyberwar” but more of a “media-war”.

This latest attack, while inflicting minimal (if at all) damage to the targets, should raise a lot of hard questions for the relevant CISOs who failed to recognize the threat communities they are facing (especially in light of the media attention), and the defenses put in place to greet such communities. Additionally, mitigation tactics of such attacks has been out there for quite a while, and even a simple CDN solution would have easily coped with them.

Escalation and Triggers

The escalation has already started from the attacking side. We see more groups that were previously unassociated with 0xOmar join into the game – especially now when its has been expanded to include more media support from some anon factions. These groups widen the threat communities that are now part of the threat model which Israeli organizations have to deal with, along with their associated threat capabilities.

We expect that the attacks would continue – especially is media coverage of this will continue to be provided in prime-time. Additionally, groups that are currently in holding pattern on whether to join the action will be more keen to do so if a direct retaliation will be launched from the Israeli side. Such a retaliation could be additional attempts to “out” 0xOmar using diplomatic ties, attacks on hacker forums associated with the recent activities or anything that would be portrayed as a violation of rights in international eyes.

An escalation in the attacks would mean that additional groups, who also bring additional capabilities to the table, would be able to launch much more targeted attacks against more strategic targets. If the attacks so far focused on the media value, further attacks would escalate to (in order): financials, defense contractors, government, and finally high-value individuals.

We hope that this analysis sheds some light on the motivations and the actual impact of the recent events, and would prevent any escalation – both in the response from the local hacking groups, from the media as well as from the assorted groups that were ad-hoc strung together to form this chain of events.

About CyberWar, Deterrence, and Espionage

Posted on February 14, 2011 by iamit

It’s been a long time since my last post, but trust me for all the good reasons (i.e. work). This one is long due, and has been recently fueled after I had a chance to attend RAND’s Martin Libicki’s brief at the Tel-Aviv University.

Spy vs. Spy - copyright Kigs, devianart.

Martin is a great source for debate and thought exercises as he is fluent in many realms of the subject at hand, and has been trained as an economist which makes it much easier to broaden the debate into politics and diplomacy.

I’ll address a few key elements of the brief – at least the ones that speak to me the most in terms of research and ongoing work that we are engaged in on a national, international and local levels.

First – the ever provoking “there is no CyberWar” statement. Immediately followed by “this is the definition of CyberWar as I see it”… Obviously, with a definition that closely resembles war as defined in other domains (land, sea, air, space), it’s hard to see how one can state that CyberWar was ever engaged (or ever will be for that matter). But the key here is not to treat the Cyber domain as “another” domain and try to use the template of the traditional domains when defining it. Cyber is a game-changer, it’s not a domain like any other, it has its own rules, territorial issues are mute here, jurisdiction is a mess, and accessibility is even worst. It’s almost impossible to define what a conflict is in Cyber, what an engagement is in terms of forces colliding and how is aggression defined. Nevertheless, all the issues mentioned in the last sentence have risen many times over the last decade, and yet some refuse to realize that in several occasions it was indeed a state or form of warfare.

The second issue is deterrence. On this one I almost completely agree with Martin’s approach which speculates whether real deterrence can be subjected into the domain. Nevertheless, I do believe that sustained and proven threat over the opponent’s critical infrastructure, financial and base production facilities can be used as a deterrence factor. You do not need missile silo counts to prove deterrence in the Cyber domain, you need sustainable access to critical systems, and a prove that you can retain such access in light of some vulnerabilities and key access elements being taken off the table by the defensive strategy. For that – enter espionage… With a combination of cyber-domain capabilities, and a solid intelligence practice (i.e. both gathering as well as proactive), one side can create a situation where such access to critical elements in the other side’s Cyber domain are kept consistently under surveillance and accessible to modification/sabotage.

Which leads to the last issue, which has surprisingly raised a lot of eyebrows lately – even from people who I consider proficient in the “Art” of international relationships and diplomacy: the “legality” of espionage. Face it – espionage has been and will always be a fully acceptable part of a nation strategy. It is accepted at all level of diplomacy, and by every nation. Everyone knows that everyone else is engaged in it, and is putting a lot of resources to make sure that their efforts are successful while trying to minimize everyone else’ efforts in their own territory. The same applies for the Cyber domain. It’s no big surprise that the US finds itself dealing with a major espionage case (on the commercial level) almost every year, and just think about all the cases that are not made public in the government, and military sectors… But have no fear – the other side is being spied on just as well with skills that do not fall short (and usually surpass) of what the US is subjected to. It’s a fact of life, so stop whining about it (and excuse the burn notice cameo).

To conclude – I truly think that dealing with such a young and ever evolving domain is a great challenge – both technologically, as well as from the diplomacy / international relationship aspects of it. And until we’ll have some shape or form of formalized discourse on this domain (such as the efforts put in by NATO, the UN and a few of the world’s largest nations), it’s a free-for-all playground that is going to keep providing us with moral, technological and sociological challenges. BRING IT ON!

Information Security Intelligence Report for 2010 and Predictions for 2011

Posted on January 24, 2011 by iamit

Looking back at 2010 shows a widening gap between cybercrime and law enforcement capabilities, in conjunction to nations that have started the cyber-race to develop defensive and offensive capabilities. Most of the attacks analyzed in 2010 depict organizations that fall behind in their defensive strategies as attackers take advantage of a hybrid approach that merges technical merits alongside human weaknesses to cash-out on their attacks.

Cybercrime widens the gap between attack capability and defense mechanisms. Analyzing several of the major attacks of 2010, Security Art notes that organizations were attacked in two key ways. Firstly, through technical exploits such as Aurora, Mariposa, ZeuS, and SpyEye. Secondly, by attacks that bypassed traditional protection methods, and gained access to targets through human-weakness areas such as social media. While businesses focused on defending themselves using security mechanisms such as anti- virus software and perimeter defenses, attackers jumped over these defenses, and proceeded to flood the market with a high volume of malware that now poses a serious threat to security providers in terms of detection rates and response time. However, law enforcement agencies have focused mainly on menial cybercriminals, and have not successfully reduced the impact of online criminal activities. On a national level, we see nations have embarked upon the race to develop defensive and offensive cyber capabilities.

Cyberwar arms race sends nations to shopping frenzy. As CyberWar gained merit (and criticism) during 2010, with the movie-material Stuxnet incident being the poster-boy for news outlets that published every spin-off, speculation, and plain old gossip, the international scene had its own race for the latest and greatest defense mechanisms. The implications of Aurora and Stuxnet made most countries feel their lack of a critical infrastructure defense and the capability to deliver a similar cyber-blow, and many went shopping for weapons. Security Art witnessed the strategic build up of capabilities in some countries, and a more hurried shopping spree (that usually led to amassment of CyberCrime provided tools) in others. This, and the delayed response of organizations such as the UN, the EU, and NATO, left the scene looking more like the Wild West than Silicon Valley.

Expanding digital domain and improved understanding of security will reign in 2011. Our prediction for 2011, drawn from the criminal, political and diplomatic sides of cybercrime that dominated 2010, is that more focus is going to be given to approaching security from a strategic standpoint. Rather than buying “best of breed” products and ticking off compliance sheets, we predict that organizations and countries will apply a more sensible executive-level understanding of what information security means to them. In the expanding personal digital domain (smartphone, tablets, and suchlike), and the continued digitization of all organizational information (from scanned materials to VOIP telephony), security must be applied to more layers than ever before. Countries and organizations will have to adopt additional skill-sets and look for solutions in areas they have not dealt with before.

Please go to http://www.security-art.com/download-report to download the full report, or email [email protected] for additional information.

The power of collaboration (BlueHat post)

Posted on November 2, 2010 by iamit

Some additional BlueHat wrap-up - a collaborative post with a dear colleague of mine Fyodor Yarochkin has just been posted on the BlueHat blog.

The interesting thing about this is that my interaction with Fyodor have been as follows:

Email exchange prior to BlueHat, as we were speaking one after the other, and were referring to the same ecosystems but from different points of view.
Meeting in Seattle/Redmond at BlueHat, having some conversations (and drinks, yes, some drinks were involved too) about work, research, and such.
Speaking one after the other.
Working together on a post through online sharing tools where we basically played with throwing ideas around, putting in writing what we thought about them, exchanging some ideas and directions, and coming up with the aforementioned post.

To sum this up quickly, we didn’t really know each other (not virtually either) a few weeks ago, and based on our mutual interests, research and passion we were able to come up with a (somewhat) cohesive post that at least I can stand back and say “damn!, that’s pretty good” (and learn something from).

Only in InfoSec!

Stuxnet Analysis Report

Posted on October 29, 2010 by iamit

So, after quite some time of working behind the scenes, and making an effort to focus on essence rather than buzz, the CSFI have published their official report on Stuxnet.

I have had the opportunity to assist (just a bit… work has been taking its toll) in the report writing – mostly in CSFI Logo terms of countermeasures for a threat like this, and some basic analysis.

Feel free to download the report form here:CSFI_Stuxnet_Report_V1

As well as watch the demonstration video on the CSFI website: http://csfi.us/?page=stuxnet

Kudos to all the great contributions from the CSFI-CWD (Cyber Security Forum Initiative – Cyber Warfare Division) fellows!

I Am Security

Security news and research

Tag Archives: cyberwarfare