‘SYSTEMIC ELECTRONIC ATTACK THE FUTURE IS NOW’. An Information & Communications Technology view...
-
Upload
isis-mudgett -
Category
Documents
-
view
215 -
download
2
Transcript of ‘SYSTEMIC ELECTRONIC ATTACK THE FUTURE IS NOW’. An Information & Communications Technology view...
‘SYSTEMIC ELECTRONIC ATTACK
THE FUTURE IS NOW’
An Information & Communications Technology view of Information Operations
Jurgen Opfer MIEEE, MAIPIO
What is being attacked?
Who is doing the attacks?
How are they attacking?
What are the defences?
Extent of the problem
Severity of Consequences
Area of most growth
Our Defense networks are constantly under attack. They are probed thousands of times per DAY and scanned millions of times per DAY.And the frequency and sophistication of attacks are increasing exponentially.”
“Attackers range from teenage hackers to more than 100 foreign intelligence agencies”
US Deputy Defense Secretary William Lynn October 2009
Many of the world’s conflicts are not wars at all.There is a fading of the borderline between “defence” and “security” as non-state actors adopt weapons and tactics, and act across borders, and nation-states hire cyber criminals to perform espionage and potentially sabotage as well
Defense Technology International January 2010
“I fear that the western world’s defence and security forces are now so focused on counter-terrorism, that we’ve lost sight of the real, and lingering problems of espionage”
.....Private conversation with senior Australian Intelligence Officer
Malware General term to describe Malicious code Virus Infection of program files, propagate when the program is executed Worm Similar to virus, but propagates without execution Trojan An apparently useful program which conceals malware Spam Unsolicited e-mail, usually unwanted advertising Phising Spam or pop-ups which deceive users into revealing passwords, credit card numbers
etc. Pharming Redirection of URLs to fake websites Spoofing Fake websites which mimic legitimate websites, or use a fake senders email
addresses Spyware Code which tracks users, and transmits information to a third party DOS Denial Of Service, an attack which overloads a web site, or other network resource DDOS Distributed DOS, in which many computers are used in the attack Botnet Networks of compromised computers remotely controlled to attack target systems,
can be used to distribute malware, and used in DDOS. Cracking Breaking passwords or encryption to gain unauthorised access Wardriving Driving around with a portable computer to detect unprotected WiFi networks
Selected Terms
Hierarchy of attacks
Strategic
Tactical
Operational
Some recent AttacksUS Navy EP-3 forced down by China 2001 followed by cyber exchange
Israel cyber attack before bombing Nuclear facilities in Syria 2007
Russian Mafiya vs Europe’s most wired country ‘Estonia’ 2007
Russia vs Georgia’s military & infrastructure 2008
Israel /Hamas Dec 08-Jan 2009
China /USA 2009
Hackers vs Australian Federal Police 2009
Anonymous group hacks federal parliament Feb 2010
Computer Trojan Helped Expose Secret Syrian Nuclear reactor
“The Trojan was planted on a laptop of a Syrian official while he was staying in London”
Operation Orchard
Erich Follath & Holger Stark Der Spiegel
General Peter Pace USMC (Retired) addressing USCCU about Russia cyber attacking Georgia
“Their ‘cyber special operations forces’ isolated the president by disabling all his cyber connectivity, then their ‘cyber air force’ carpet bombed the entire national network, and finally their ‘cyber Delta force’ infiltrated and rewrote code that kept their network from working correctly even after it was brought back up. It was a highly sophisticated attack”
US Army District of Washington web site was hacked from TurkeyAfter Israel “Operation Cast Lead” started in Gaza Dec 2008
Google Likely Saying Goodbye To China In mid- December, Google said in a blog posting yesterday, the company discovered "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit significant one--was something quite different."
First, Google said, it found out that the attack on it apparently was part of a coordinated attack against at least 20 other large companies, many of which seem to be US- based. According to the Washington Post, it was more like 34 companies. Second, Google says it has evidence suggesting that "a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists." Google also said that it didn't believe that more than two GMail accounts were successfully accessed, however. Third, Google did find that dozens of accounts of "US- , China- and Europe- based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties" apparently through persistent phishing and other malware attacks. As a result, this and other problems with its operations in China has led Google "to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China." Needless to say, Google's announcement has set off a firestorm that more than one newspaper has said may impact US- China relations.
Google probing possible inside help on attack Mon Jan 18, 8:55 am ET SHANGHAI (Reuters) – Google is investigating whether one or more employees may have helped facilitate a cyber- attack that the U.S. search giant said it was a victim of in mid - December, two sources told Reuters on Monday. Google, the world's most popular search engine, said last week it may pull out of the world's biggest Internet market by users after reporting it had been hit by a "sophisticated" cyber- attack on its network that resulted in theft of its intellectual property. The sources, who are familiar with the situation, told Reuters that the attack, which targeted people who have access to specific parts of Google networks, may have been facilitated by people working in Google China's office.
Professor: “...what interesting problems she had found in her work.”
Major X: “the press had concluded that these attacks were coming from Nth Korea. North Korea has expanded its ‘cyber combat’ unit in charge of intelligence gathering through the internet claimed a source in Asia.” “The General Staff of the Nth Korean Peoples Army has for years been running what it calls the ‘technology reconnaissance team’ which consists of about 100 hackers, mostly graduates of a leading military academy in Pyongyang.”
Professor: “Do you think this is coming from Korea?”
Major X: “No, I don’t think they’re that good”
Professor: “Where are they from?”
Major X: “A lot of things that we see are coming from a single IP address in China. They are making no effort to disguise the origin”
Professor: “So either they’re being brazen, or someone is doing a good job of making you believe they’re being brazen”
Professor Alan Grier speaking with a Major after she attended DEF CON IEEE Computer Dec 09
“...depicting China as a threat to space & cyber security is perhaps hasty when one contrast NASA’s budget of $17B with China’s stated $500M space budget. Its recent supercomputer, the 17th most powerful in the world, made headlines but China still has leaps and bounds before ..... matching the US in computer power....China possesses a mere 16 supercomputers in comparison to America’s 291”
Captain Timothy Hsia, US Army December 09 US Naval Institute Proceedings
Some Attack ToolsPing target
Tracert destination
Pathping target
Netsh diag (switches)
NmapSupersharkMegapanzerBlackIcePwdumpSatan (Saint)SuperscanSkypetrojan
Patches & updates
Insiders
USB Ports
Next Generation Jammer
Select Target
Scan (ping)
Enumeration
Gain Access
Escalate Privilege
Pilfering
Covering Tracks
Select Target
Scan
Enumeration
Gain Access
Elevate Privileges
Pilfering
Covering Tracks
Creating Back Doors
Denial Of Service
Research
Ping, Nmap
DumpACL, sid2user
tcpDump, LOphtcrack
John, LOphtcrack
Rhosts, Registry
Zap, event logs
Cron, netcat
Synk4, supernuke, pingofdeath
IP Packet
Some defence Tools
Netstat (switches)
Ipconfig (switches)
Check Router StatusAirSnareHoneypotsP0fSuperglue
What is p0f v2? P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on: - machines that connect to your box (SYN mode), - machines you connect to (SYN+ACK mode), - machine you cannot connect to (RST+ mode), - machines whose communications you can observe. P0f can also do many other tricks, and can detect or measure the following: - firewall presence, NAT use (useful for policy enforcement), - existence of a load balancer setup, - the distance to the remote system and its uptime, - other guy's network hoockup (DSL, OC3, avian carriers) and his ISP. All this even when the device in question is behind an overzealous packet firewall, when our favourite active scanner can't do much. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing.
Show me! 194.236.50.173:2502 - Linux 2.2 (1) [Bonet Sweden] (up: 9 hrs) - > 217.8.32.51:80 (distance 5, link: ethernet/modem) >> Masquerade at 206.157.248.34/ns1.mosaicsoftware.com: indicators at 43%. >> Masquerade at 213.158.197.100/ptcnat.era.pl: indicators at 60%. >> Masquerade at 216.88.158.142/crawlers.looksmart.com: indicators at 52%. >> Masquerade at 193.110.121.3/evil.tpi.pl: indicators at 86%.
Why? P0f is quite useful for gathering all kinds of profiling information about your users, customers or attackers (IDS, honeypot, firewall), tech espionage (laugh...), active or passive policy enforcement (restricting access for certain systems or otherwise handling them differently; or detecting guys with illegal network hookups using masquerade detection), content optimization, pen -testing (especially with SYN+ACK and RST+ACK modes), thru -firewall fingerprinting... plus all the tasks active fingerprinting is suitable for. P0f v2 is lightweight, secure and fast enough to be run almost anywhere, hands -free for an extended period of time.
A Few Words about Web 2.0