When Ego Gets In The Way Of Vulnerability Testing, Get Out.
Last Updated on Saturday, 18 April 2009 04:46 Written by admin Friday, 27 March 2009 08:45
UPDATE (4/17/09): After receiving several comments from people that I know and don’t know about how they aren’t seeing what set me off on my rant against the author of this post on the Frequency blog, I went back and reread it today (3 weeks later). I thought it would be a good test to see if I was misreading the author’s intent back then or if his post was still rant-worthy.
So having reread it, I can honestly say that I over-reacted and owe Gunter Ollmann an apology.
Gunter, I’m sorry for taking out my frustrations about SCADA network security on you. Your post didn’t deserve it. I was clearly just having a bad day when I wrote my original post back on March 27th. Fortunately for me, I don’t rant too often on this blog or I’d be posting a hell of a lot more of these apologies.
————-
I’ll start off by acknowledging that this post is a rant, rather than a detached assessment of a problem. Read this post by Gunter Ollmann on the Frequency blog (IBM Internet Security Systems) and see if it strikes you as badly as it did me.
This guy seriously needs an attitude adjustment. At the very least, he should be pulled off this job and re-assigned to something less critical.
I don’t want to hear from the people responsible for protecting critical infrastructure that there’s no way to keep a dedicated hacker from breaking in (even when that’s true).
I don’t want finger-pointing at other existing problems as a rationale to stop picking on network vulnerabilities.
I REALLY don’t want to hear security engineers say to critics ‘Just shut up and trust that I know what I’m doing’. Are you kidding me with that kind of bullshit attitude?
What I do want to hear is that in spite of the fact that there are many ways to cause havoc, we are aggressively anticipating future attack vectors and hardening our critical networks to withstand them; that in spite of the fact that 100% security is an illusion, we are not going to quit or make excuses by pointing a finger at other low-tech vulnerabilities that exist too.
Hey Gunter. Quit feeling sorry about yourself or your profession and get re-motivated about your work. Either that, or get the hell off the Smart Grid project and let someone else take over.
Why I believe that the Kyrgyzstan Government hired Russian hackers to launch a DDOS attack against itself.
Last Updated on Wednesday, 4 February 2009 07:30 Written by admin Friday, 30 January 2009 11:32
The Kyrgyzstan cyber attacks of Jan 18 – ? have been getting a lot of press after my initial post about it on Jan 23, particularly since Don Jackson of SecureWorks blogged about it on January 28 and added his analysis. Don referenced my earlier post as well as the Grey Goose report (thanks Don), but I disagree with some of his findings. Here’s why.
1. This is not about denying U.S. forces access to the Manas air base in Kyrgyzstan. President Bakiyev is an ally of the Russian Federation. If Putin wanted to squeeze him into complying, he has many more effective options than a DDoS attack; the biggest stick right now being economic.
2. The most direct way to discover the motive behind the attacks is to look at what’s happening simultaneously WITH the attacks. I created a list here. All but one are related to the formation of the United Popular Movement (UPM), who are calling for the ouster of Bakiyev because of cronyism and his lack of democratic reforms, as well as his inability to fix the ailing economy of the country. Denying the UPM Internet access, along with arresting their leaders, is a classic one-two punch.
3. Almost this exact scenario happened in 2005 when Bakiyev, then an opposition leader, successfully led a regime change against then President Akayev. Cyber attacks occurred then as well, effectively blocking access to opposition Web sites.
4. Finally, the Kyrgyz government has the ability to combat this threat, and the office responsible has done nothing about it. The Kyrgyzstan Interior Ministry’s Ninth main directorate has been recently set up (in part) to counter cyber threats. Training is provided by Russian law enforcement agencies according to Taalay Kadyrkulov, deputy head of the Ninth Directorate (source: Bishkek AKIpress Online 12 Jan 09).
This is not a sophisticated attack, and it’s being routed through Russian servers. If Kadyrkulov or anyone else in the Kyrgyz government wanted it stopped, it would be a relatively easy matter for them to do so. The Russian government monitors and has full control over its servers at Golden Telecom Moscow and JSC Moscow, which represent a majority of the servers involved in this attack.
So in this case of competing hypotheses, I choose to believe the one with the fewest complexities and assumptions: that this is a simple case of an existing regime trying to retain power by silencing its opposition in every way possible, including hiring Russian hackers to launch DDoS attacks on its own Internet Service Providers.
UPDATE (2/4/09): Jose at Arbor Networks has an excellent post on this topic, and his point – that the attacks don’t appear via any of the usual channels – is another reason why I don’t believe that the Russian government is behind the DDoS attacks of January 18. It didn’t fit the profile of the past cyber attacks that have been attributed to Moscow.
The Kyrgyzstan DDoS Attacks of January, 2009: Assessment and Analysis
Last Updated on Monday, 13 April 2009 12:13 Written by admin Wednesday, 28 January 2009 01:35
Note: This post is a joint effort by myself, Jart Armin of HostExploit.com, and Greg Walton of InforWarMonitor.net. Further analysis may be forthcoming by individual contributors at their respective Web sites.
On January 18, 2009, a large scale DDoS attack began against Kyrgyzstan Internet service providers (ISPs). Key national Web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have only been available intermittently from Jan 18th 09.
Russian-based servers primarily known for cybercrime activity have been identified through IP analysis as participating in the attacks on Kyrgyzstan.
Figure 1 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.
Figure 2 provides a BGP (Border Gateway Protocol) Internet traffic routing view for the period of the 15th to the 25th of January 2009, with primary focus on highlighting the DDoS traffic against AS8511 Asiainfo Kyrgyzstan.
Timeline of Political Events
January 17: Prominent opposition leader detained in Kyrgyzstan
January 17: Political confrontation intensifies. Opposition activists form new coalition UPM (United People’s Movement)
January 19: Two opposition leaders detained and charged
January 19: Russia presses Kyrgyzstan to close US base
January 20: Kyrgyzstan Opposition denied use of Parliament Press Center
January 21: Kyrgyzstan government targets opposition
January 22: Journalists ordered to file personal information
January 22: Kyrgyz Opposition Party denied registration
Analysis
The Kyrgyz cyber attacks during the week of January 18th fall right in line with an escalating series of repressive political actions by the Bakiev government against this latest attempt to form an opposition political party, the United People’s Movement (UPM). Bakiev should know, since it was the Tulip Revolution in 2005 (and the last time that DDoS attacks were utilized in Kyrgyzstan) which brought him to power.
Opposition leader Omurbek Tekebaev has pointed out the similarities between 2005 and 2009: “Both then and now, you could see people mistrusted those in power, who lacked moral authority. Both then and now, public opinion was completely controlled by the authorities, and there was persecution of journalists and dissidents, criminal persecution of political opponents,” he said.
This appears to be a cyber operation for hire by the Bakiev government to control information access against its political opposition. The likely culprits are Russian hackers with moderate skill levels who regularly engage in cyber crime.
There is no evidence that the Russian government is directly involved; however, Moscow has complete control over the servers owned by JSC and Golden Telecom. To date, no action has been taken by the RF to deny Russian hackers access to these servers.
Related Links:
Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections (2005)
The Kyrgyzstan Cyber Attack That No One Is Talking About