Tag Archives: cyberwarfare

The community to the rescue again

I’ve had some hard time coming up with this post. I had the great opportunity to travel quite a bit lately – specifically to Berlin where basically EVERYBODY in security was at ph-neutral (have I thanked FX yet? I think so, but anyway – great con/party!).

It all started in Berlin when I realized what an amazing community we have. People from all over the world coming over for 3 days of sharing, networking and listening to talks (oh, and partying). I also have the great honor of calling a few of these guys friends. Friends that I know that I would be honored to help if they needed anything, and friends that I know I can “drop on” if I happen to get into a snag in their hometown. Friends that I only see in-person 2-4 times a year, but still consider them one of my closest.

I saw borders dissolve in an instant as politics, geography and history dropped in sight of a beer or a cool PoC demo on someone’s PC, and I had great conversations with people I just got to know and am sure will run into again in the future.

And then I got back home. I don’t need to mention the unfortunate events that took place a couple of days ago, and I’m not going to point fingers at anyone. Everyone had their agenda, some sides were more optimistic, some had better planning, some had better intent, but the end result is what it was. Sometimes as we say it’s better to be smart than to be right…

That was just a day before I flew over to Athens to talk at Athcon. People around me started freaking out, having the entire area feel like a barrel of gunpowder, and the media adding in some FUD to top it off. And then I recalled ph-neutral. A couple of hours later, a friendly cabbie and what looks to be a really cool con, everything is left behind. The community wins again, while politicians keep meddling with their agendas.

I just hope that more people could find such communities where borders are bridged, and religion/ethnicity/gender become irrelevant in light of a common cause/interest. I’m truly happy that I had a chance to debunk myths that I’ve had in my mind, and other people had in theirs, and really hope that this focus on a common interest could work elsewhere.
Now off to polish off my presentation for tomorrow. Stay safe out there!

Quick update [6/7/2010]: Athcon was fantastic! I’ve had a great time in Athens, had a chance to finally meet some really brilliant minds that I’ve been following for some time online, and was fortunate enough to experience the famous greek hospitality. I am reassured with my previous assumptions that all these politics are just the attempt of politicians to prove that they are worth their salaries (hint -they don’t). We just want to live our lives quietly – the only reason for some kind of army/politicians is to fend off anyone who wants to disturb this (terrorists).

Back to work now, as I need to start prepping for Miami next week…

Cyber[Crime|War] – connecting the dots – BlackHat EU 2010

Hola from Barcelona!

It’s been a very productive couple of days here. Quite a lineup for this version of the BlackHat briefings out here. I had the great fortune of speaking right after a fantastic opening by Jeff Moss (BlackHat founder and director) and Max Kelly (Facebook’s CSO) that just set me up perfectly – both discussed elements of attribution, deniability when talking about proxied attacks through certain countries, and how money is the driving force for all Cybercrime.

The talk went fairly well, and the responses I got afterward was favorable all around (if you were too shy to put me on the spot or complain feel free to do so here or on my email… all feedback will be highly appreciated). For your viewing pleasure, I am including the most up-to-date slides that I used for the talk here: CyberCrimeWar-BHEU2010.pdf

Cyber[FUD]Fare – repost from fudsec.com

As promised – here is the “official” cross-post from my guest appearance on fudsec.com. Enjoy!

I’ve been intravenously fed with FUD for as long as I’ve been in the business.

The main strategy for understanding that you are facing FUD is to realize that there is a financial motivation behind the FUD-spreading entity. This has served me well over the years and managed to keep me out of trouble (i.e. buying/selling/liking any “you gotta have this!!!” technology).

I have to admit that when I started seeing what the media is doing to the term CyberWar, I was a bit baffled. What’s the motivation? It’s not like we can run to the local RadioShack and buy an Anti-CyberWar overpriced box of solutions for just $39.99 (not including annual license renewal of $99.99).

Nevertheless, as someone who likes security (yeah, I know… sorry…) and actually spends most of his time playing around with computers (my semi-formal job definition), I had to dig into this.
I decided to start off with my prior knowledge of CyberCrime (again – definitions aside, some say eCrime, some CyberCrime, some tomato…) to cover the more “traditional” attack vectors and risk surfaces. Armed with these, I wore my thinking hat and ventured back in history to re-inspect some of the cyberwar incidents of our past. The main incidents that brought the most media attention were the Estonia and the Georgia ones.
Estonia being dubbed the “first true cyberwar” in some publications (and by some “professionals”) turned out to be mostly civilian  – meaning that there didn’t seem to be a Kremlin general high on Vodka that marched his army of hackers into cyberspace to crush the Estonia internet!!! On the other hand, reality seemed much more familiar that expected – a couple of defacements from skiddies on the hacktivism side, and a fairly traditional DDoS using a botnet that – behold – is attributed to CyberCrime. Almost like someone was trying to push me back to my “place”.
To be completely honest, there was a bit more to it. For anyone who is familiar with the RBN, you probably are aware of the close ties it has with Russian authorities that allow it to operate almost uninterrupted. The timing of the attacks, and the scale of it indicate that either some hacktivists got a huge favor from a highly commercially inclined organization, or that some kind of quid-pro-quo between RBN and a Kremlin rep was in place to put a little pressure on the Estonia neighbors.
But from some greased hands that allow RBN to keep running aloof to “the first true cyberwar” is a long haul…

The second example was the Georgia-Russia front. While getting somewhat less attention in the media, this was more closely a “CyberWar”, or an act of cyberwarfare, as it has been closely coordinated with kinetic actions taken on the ground by the Russian forces. Nevertheless, the same deniability factor plays well here – use of botnets operated mainly by CyberCriminal groups was the main attack surface.

Interestingly enough – true cyberwar acts failed to truly make a media hit (look for the alleged bombing of the alleged nuclear plant in Syria by alleged Israeli F-16s… These allegedly did not show up on any radar screen. Not in Turkey, nor in Syria or Lebanon. Go figure 🙂 ).

But the real cherry on top has been APT! When I first heard that there was an APT and it was very malicious and scary I thought that there goes my favorite Linux distribution… Yeah – I’m such a sucker for the media 🙁
Too bad that the latest APT (and that’s the last time you’ll see this acronym here) is just another FUD-happy name for – wait for it – TROJANS!!! Trojans, and rootkits, and keyloggers and viruses!!! run for your lives…
Seriously now. Whether state sponsored (possible…) or just another highly targeted criminal attack on select organizations (seen it before, handling some on a daily basis, not calling it funny names…), we go back again to the FUD motivation.
According to the latest one (FUD that is), CyberWar is full of APT (broke my promise. deal with it), and it can only be protected by – you guessed it – AntiVirus! (or whatever new fancy names our beloved vendors find for the same software they have been pushing us in the last 20 years).

So cheer up!  The sky is not falling. It’s just a little cloudy, and the usual bad people are still around doing their thing. The only difference is that you need to realize that ANYONE can hire these bad guys. Yes – even your government (or whatever shell company used to disguise it). Just like we are used to do with more conventional arms dealing.

Hope this was some food for thought. For more on the topic you can check out my past coverage of Cybercrime (BlackHat, DefCon, HackerHalted, Excaliburcon, etc.) and the up-and-coming coverage of Cyber[Crime|War] connections in BlackHat EU and the FIRST conference.

New post on fudsec.com – CyberFUDfare

Just a quick FYI – a new post by yours truly has been published over at fudsec.com. One of my favorite blogs with some really cool contents (still wondering how I ended up publishing there 🙂 )

Have fun reading: http://fudsec.com/cyberfudfare

It’s all about the money

In my recent coverage of CyberCrime and CyberWar, I have neglected my old “friends” at the criminal world and gave them a little less attention (at least on their consumer business). It’s time to take a look back and see what are they up to.

Well – it might seem as non-news for readers of this blog (or people who were in my presentations at BlackHat, DefCon, HackerHalted, ExcaliburCon, BlueHat, or in other venues), but a couple of interesting sound-bytes may catch your eye:

1. ZeuS (good ol’e friend, how I missed debugging thou) has implemented licensing schema. The schema enforces that the licensed software be only used on licensed machines. News? yes, kind’a. Remember Neosploit (another personal pet-peeves)? Then you must remember the licensing scheme there as well. Pretty close to what ZeuS just introduced. And they say that the world has stopped sharing. pffff. And you can quote me on that. As anyone who ever took more than a brief look at how these things operate, the only takeaway possible is simple: It’s all about the money (hence – license enforcement is key. Ask Microsoft 🙂 )

2. Staying with ZeuS, there has been quite a lot of effort in the past few months to take down one of the main autonomous systems providing upstream for some of the biggest C&C’s hosting ZeuS. You can read more about it here, and here. Notable effort indeed, as TORYAK-AS has been on the hit list for ZeuS tracking researchers for a long time. Only thing is – there’s money here again. Which means that even taking down the entire AS won’t really take down the botnet as it relies on bulletproof hosting which means that there will ALWAYS be alternate routes leading to it. That’s how things work. Just like trying to fight trafficking and drug trade. As long as there is demand, there will be supply. You dry out one supplier, the economy will just pop out another one. It’s all about the money.

So, I’ll finish up with a couple of reassuring words. We are not done yet. We like fighting the technical battle (I’ll admit that I had my fun doing so, and still have fun when called to duty), but the real battle won’t be won in that playing field. Remember Al (Capone) – it didn’t take the DEA or FBI to take him down. It was the IRS…