
Beza belayneh information_warfare_brief


Mr. Beza Belayneh – Centre for Information Security – Information Warfare – Clear and Present Danger to the Corporate World

Opening

Thank you for the questions; I am pleased to provide detailed answers below. As you may know, issues of information security are changing with death-defying speed: what was a solution yesterday may no longer be valid, and what was a threat yesterday has today become a full-blown attack.

I will take cognisance of current information security threats and trends in my responses, remarks and overall presentation. This will help the audience to see the very current picture of the issue at hand.

A crucial fact that is oftentimes ignored is that the ultimate objective of any information security measure is to protect human safety. Networks are under relentless attack, secure systems are breached, information is stolen, and information is bought and sold.

Just 5 days ago, researchers at the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute, revealed that medical devices, MRI machines, had been infected with the Conficker worm.

This clearly brought the issue of information warfare attack to the level of a direct threat to human life. This is in addition to the recently reported security breach of the US power grid.

The battle for information dominance is raging. Hackers attempt to break secured networks every 36 seconds. 250 new viruses are created every month. Over a trillion Rand has been lost as a result of various attacks and breaches that amount to information warfare. Many skeptics are starting to believe that we are at war. I am presenting not as a prophet of doom, but to set out clearly the high risks presented by information warfare attacks. Today, the world where the name of the game is deception is a world that businesses and managers ignore at their peril.

Let me start by asking: why should businesses be interested in information warfare? The reason is simple: because information warfare is interested in business. The presentation will clearly show a series of current trends, weapons and experiences of numerous organisations that lost so much business and money.

Simply put, information warfare consists of those actions intended to protect, exploit, corrupt, deny, or destroy information or information resources in order to achieve a significant advantage, objective, or victory over a competitor.

Before the responses, I would list a few highly publicized and notable cases where information warfare attacks had taken place and critical systems were compromised in the past 12 months. To date, the best practices for information security in the private sector have focused on defence. Tremendous efforts have gone into developing and marketing defensive network tools – so much so that the market space is cluttered with an array of “solutions” which become difficult to distinguish. Capabilities for active countermeasures have, for the most part, been considered outside of the appropriate scope of response for commercial enterprises. For a complete defense, offense must be considered. The concept of warfare comes in.

Warfare in Business

After all, numerous business books are cluttered with concepts like flanking strategy, first-strike advantage, price wars, competitors’ intelligence, guerrilla marketing, killer application and so on. The similarity between military and business is growing each day. Both involve adversaries with various assets, motives and competing goals. It is for this reason that information warfare has become a serious issue in the corporate world and is regarded as an emerging threat by numerous authorities in the information security field, including the Georgia Tech Information Security Centre. Georgia Tech declared information warfare (cyber warfare) one of the emerging threats for 2009 in its annual Emerging Cyber Threats Report for 2009.

www.bezaspeaks.com Beza Belayneh 2


Background

Serious and Notable information warfare related attacks and breaches

• Conficker worm hits hospital devices

April 30th, 2009 By Elise Ackerman

A computer worm that has alarmed security experts around the world has crawled into hundreds of medical devices at dozens of hospitals in the United States and other countries, according to technologists monitoring the threat.

The worm, known as "Conficker," has not harmed any patients, they say, but it poses a potential threat to hospital operations. "A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker," said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute… (http://www.physorg.com/news160331005.html)

• Chinese Hacktivists Waging People's Information Warfare Against CNN

"We continue to import their junk with the lead paint on them and the poisoned pet food and export, you know, jobs to places where you can pay workers a dollar a month to turn out the stuff that we're buying from Wal-Mart."

Speaking about the U.S. trade deficit with China on “The Situation Room”, Cafferty did not realize that his statement would provoke what amounted to an unprecedented information warfare attack on the CNN website by Chinese hackers.

• Information warfare attack on Israeli Businesses

When Israeli tanks roll into Gaza, Pro-Palestinian hackers shut down approximately 700 Israeli web domains. A range of different Web sites were targeted by the group, including Web sites of banks, medical centers, car manufacturers and pension funds. Well-known companies and organizations, including Bank Hapoalim, the Rambam Medical Center, Bank Otsar Ha-Hayal, BMW Israel, Subaru Israel and Citroen Israel, real estate company Tarbut-Hadiur and the Jump fashion Web site all found their Web sites shut down and replaced by the message: Hacked by Team-Evil Arab hackers u KILL Palestine people we KILL Israel servers.


• Major corporations’ websites in New Zealand were attacked

Turkish hackers broke into the New Zealand based registrar Domainz.net (which belongs to MelbourneIT) and redirected some of their customers' high profile web sites to a third party server with a defaced page. Companies which had their New Zealand web sites defaced include Microsoft, HSBC, Coca-Cola, F-secure, Bitdefender, Sony and Xerox. Mirror sites are at http://www.zone-h.org/news/id/4708

• Information warfare attacks on Danish sites

Danish artist Kurt Westergaard never anticipated that his drawings would cause an unprecedented information warfare attack on numerous Danish websites.

Internet hackers have attacked a website run by Denmark's Free Press Society selling prints of a controversial cartoon of the Prophet Mohammed, the group's director

• Information Warfare Monitor uncovered cyber espionage network

Researchers (Univ. of Toronto & SecDev Group) uncovered a suspected cyber espionage network of over 1,295 infected hosts in 103 countries. The researchers say the system — called GhostNet — sent e-mails that introduced malware into host computers, which in turn fed information back to servers located on the Chinese mainland. "The GhostNet system directs infected computers to download a Trojan (horse) known as gh0st RAT that allows attackers to gain complete, real-time control."

• Verizon: Organized Crime Caused Spike in Data Breaches

Apr 16, 2009 3:18 pm

A new study from Verizon Business claims that organized crime is responsible for a large increase in the number of breached corporate electronic records, which totaled roughly 285 million last year.

According to the study, which Verizon Business compiled using data from the 90 confirmed corporate network breaches it recorded last year, roughly 93% of all records breached came from the financial sector. The company also says that nine out of every 10 of these breaches involved "groups identified by law enforcement as engaged in organized crime."


• Report: Spies hacked into U.S. electricity grid

Spies from other countries have hacked into the United States' electricity grid, leaving traces of their activity and raising concerns over the security of the U.S. energy infrastructure to cyberattacks.

The Wall Street Journal on Wednesday published a report saying that spies sought ways to navigate and control the power grid as well as the water and sewage infrastructure. It's part of a rising number of intrusions, the article said, quoting former and current national security officials.

• Greece arrests man suspected of selling Dassault data

Fri Jan 25, 2008 10:59am EST ATHENS (Reuters) - Greek police said on Friday they had arrested a man suspected of selling corporate secrets from France's Dassault Group, including data on weapons systems.

"This 58-year-old mathematician is responsible for causing damages in excess of $361 million to the company and he has sold this corporate data, including information on weapons systems, to about 250 buyers through the Internet," the official said.

Police suspect the man of selling the data to buyers in Germany, Italy, France, South Africa, Brazil, as well as countries in Asia and the Balkans.

"He is one of the world's best hackers, using the nickname ASTRA..," the official said.

Dassault Group and its subsidiaries are a major player in civil aviation and the military sector.

• Trojan.SilentBanker compromises online banking accounts

April 24, 2009 - 5:30pm Trojan captures specific screen images, records keystrokes, steals all your confidential financial information and then sends it to a remote attacker. Recently certain computer security experts began paying attention to a Trojan that targets online bank accounts. This Trojan can cause extreme harm to customers’ finances, computer and their life.

This Trojan is called Trojan.SilentBanker. Its computer attacks are executed in a very clever manner. It hides and waits on a hard drive without a user’s knowledge. Trojan.SilentBanker activates itself as soon as a user logs into his/her online banking account.


It steals usernames and passwords and uses them to change account details, then takes steps that cause the user’s money to be transferred to the bank account of the malware mastermind.

It is important for all internet banking users to minimize many of the risks involved by working in their online bank accounts from their own computer. It is also extremely important to be aware that any e-mail that customers receive asking them to update their banking details is probably false, even if it looks like the original. These warnings are not only about Trojan.SilentBanker, which is just one of many Trojans designed to steal your information and money.

• Computer Spies Breach Fighter-Jet Project

Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks.

Similar incidents have also breached the Air Force's air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.

The latest intrusions provide new evidence that a battle is heating up between the U.S. and potential adversaries over the data networks that tie the world together. The revelations follow a recent Wall Street Journal report that computers used to control the U.S. electrical-distribution system, as well as other infrastructure, have also been infiltrated by spies abroad.


1. Beza’s Presentation

Based on the above facts, the presentation will cover the following issues.

Clearly explain to the audience that all these things happening around the world can happen to any organisation, and what they must do to protect themselves.

• What information warfare is and is not
• Definition of information warfare from commerce point of view
• Importance of information warfare awareness
• Indications and examples of information warfare’s expansion to the commercial domain from military issue
• Means of waging information warfare
• Availability of current information warfare and attack tools freely online
  o Http bombers
  o Website defacing tools
  o Malware development kit
• Highlight the need for corporate leaders to know about information warfare
• The need for information security managers to develop a strategy that is offensive and defensive. Defensive may include how to develop a framework for an information attack.
• How to develop an Information Warfare Risk Analysis Model – a system to be used by business organizations to help them protect against current and future risks.

The presentation will highlight in detail why organizations must take information warfare threats seriously.

Information warfare is almost the antithesis of security. One is offensive, the other defensive. One tends to be proactive, the other reactive. In any organisation, the two are entwined but require totally different approaches.

Organisations wish to keep their own information advantage, and to deprive their competitors of theirs. The use and abuse of information will be a critical factor in most organisations’ performance today and in the coming years. Information is not only a target but also a weapon. The presentation is all about this fact.


2. Why is it important?

In today's electronic age, the threat of cyber attacks is real and enormous. For any organisation with information-based assets, the deadliest weapons can come in the form of a keyboard, mouse, or personal computer. With hacking attacks and computer-based crimes increasing both in frequency and degree of seriousness, it's clear that information warfare is real and companies must protect themselves in order to survive.

But how do you not get caught in the crossfire of these attacks and how do you prepare when the electronic future is uncertain? How would you prepare when you do not know the enemy and where the attack is coming from? How would you prepare when your organisation’s IT managers reaffirm that they are well protected?

Future corporate information security strategy will be profoundly affected by the ongoing, rapid evolution of cyberspace — the global information infrastructure — and in particular by the growing dependence of the corporate world on potentially vulnerable elements of this information infrastructure.

Understanding and knowing the trends that reveal the spreading of information warfare into the civilian and commercial arena helps organisations and security practitioners to develop strategies for effective information security management. This presentation will give vivid evidence of the clear and present danger companies are exposed to and how best they can protect their information assets.

The following key areas that will demonstrate the importance of the presentation will be covered:

1. Targets of information warfare or similar cyber conflicts are business establishments.

   a. Many politically motivated attacks made business and commercial sites the prime targets.

      i. For Gaza attacks, many Israeli businesses were attacked.

   b. Many information warfare attacks are no longer carried out by hobbyists for not-for-profit purposes or by advanced hackers, but by inexperienced individuals, assisted by predefined and freely available attack tools, for profit purposes.

2. As revealed in the GhostNet computer breaches, the potential for attackers to disrupt vital networks and systems in critical infrastructure areas such as banking and power is growing daily. This calls for increased awareness of the dangers to business.

3. The presentation is also important as it reveals how organisations can use information as a weapon in addition to defending it as a target. The traditional defense tactic is no longer valid in today’s world. Organisations must have a strategic offensive plan with effective deployment of information warfare tools.

4. The above examples show that most of the information warfare attacks were committed with tools that are freely available online. This will help organisations to acquire these tools and test whether their systems can withstand imminent breaches.


5. The presentation will clearly illustrate acts that constitute information warfare by offering a clear definition.

6. The presentation will clearly illustrate how the concept of information warfare is becoming a societal issue that has expanded to non-military areas. Much of the available literature is more concerned with the military aspect of warfare than with the corporate world. The presentation will highlight key trends that signal the expansion of information warfare (use and abuse of information) into the commercial space.

7. As the metaphor “warfare” gives this subject a military bias, the presentation will illustrate its implication to the corporate world with various business examples. This shift into the commercial world presents a growing threat to information managers who are responsible for protecting organisational information assets.

The presentation will also demonstrate that the target of politically motivated computer crime is not limited to government networks: commercial interests are equally attractive targets. Moreover, most corporate executives are not aware of the threat posed to their organisations by individuals and groups with political agendas. Here are a few questions that executives should consider:

• Is your organisation a potential target of online protest? How do you determine if you are a target?
• What would you do if online protesters disrupted your website for a day? For a week?
• What would you do if protesters attacked your customers or investors?
• How would you react to negative media reports?
• What if there was no disruption, but the attackers made press statements to the contrary?
• How should you protect your network? Do you understand the threats and impacts in order to balance costs and risks?
• Who would you contact? Law enforcement? Would you contact law enforcement if your network is attacked?


3. What are the trends and challenges around information warfare?

Trends of information warfare.

• Information warfare is fast moving in terms of technical possibilities.
• As seen in the above cases and real-life examples, the prime targets of information attacks are becoming civilian targets and the private sector.
• Computer-related security incidents are widespread.
• Numerous attacks and breaches are becoming state sponsored or at least state supported. The example of GhostNet in China shows that the government distanced itself from the espionage attack.
• It is difficult to know where attacks are coming from. Though many researchers suspect China, there is no conclusive evidence that other countries like USA or Russia are not part of the network.
• Evidence shows that many countries have already built information warfare capabilities and units to defend their commercial interests, which differs from traditional warfare, where protection is mainly provided to military targets. Research shows countries with information warfare capabilities have increased from 20 in 2006 to more than 140 in 2008.
• Many information warfare attack tools are becoming freely and easily available. For example, the Mpack and IcePack exploit packages are designed for non-technical users. They group exploits together into one easy install package and, using this package, non-technical users can run exploits on the browsers of unsuspecting visitors. Ultimately this grants non-technical attackers the ability to infect visitors to their sites without having to know how exactly it happens.
• Information warfare is used by organisations and countries as a strategy against competitors to deny access to data, destroy or disrupt data, steal data and manipulate data.
• Information warfare of some sort is used against individuals and small businesses, which are considered the first level of cyberspace.
• "Rogue" states and criminal organisations have stepped up their capabilities to launch crippling online attacks, e.g. the Russian Business Network (RBN), though offline these days, is considered the creator of the most effective and popular DOS (Denial of Service) attack tool, Mpack.


Challenges

a. A significant challenge associated with information warfare is that its governing legal principles are unclear. Where does it legally fit into the international and domestic environments, internal and external relations, state, corporate and business governance?

Analysts and strategists gathered at the Cyber Warfare 2009 conference in London last January were grappling with some thorny problems associated with the cyber-aggression threat. One that proved particularly vexing was the matter of exactly what constitutes cyberwarfare under international law. There's no global agreement on the definitions of cyberwarfare or information warfare, so how does a nation conform to the rule of law if it's compelled to respond to a cyberattack?

b. Everybody in the world owns information warfare weapons. The need to establish global norms about what is acceptable behavior in cyberspace is complicated by the fact that the weapons are not just in the hands of nation-states. They're essentially in everybody's hands. This makes it very hard and sometimes impossible to know the attacker and the driving motivation.

c. Laws of war do not apply to information warfare. Laws of war would forbid targeting purely civilian infrastructure, but most attackers don't limit themselves by the Geneva Conventions, as the above examples show.

d. A challenge is posed by information warfare targets due to the fact that it's nearly impossible to identify all of the potential targets and the sophisticated tools they acquire freely online.

e. Mindset. Many IT and security managers do not think there is a threat of attack from competitors. Many IT organizations will tell you either that the threats are too far-fetched or that they're adequately protected. This kind of complacency is a major challenge. In one assignment, we were able to secure a critical password from a system that is regarded as exceptionally secure. As illustrated in the above example, hackers penetrated a crucial website in New Zealand using a commonly known vulnerability – SQL injection. Pentagon and other highly secured systems were recently compromised.

• Organisations are stuck with the old culture of securing the physical perimeter. For example, North American businesses spent more than $17.5 billion on security alarms for their buildings, but only $6.2 billion on information security measures.


d. The balance between developing and producing commercially viable software and secure software. A huge number of software solutions deployed to improve productivity, process and defend critical information assets are infested with vulnerabilities. This presents a challenge to security experts and system administrators.

e. A lack of information sharing among nations means some countries have become a safe haven for cyber criminals. The sophistication of some attacks shows that the attackers had sufficient time and technology. In some cases, efforts to convince some countries (Ukraine, Russia, China) to follow up and close certain servers led to a “dead-end”.

F-Secure, the Finland-based antivirus developer, recently pointed the finger at Ukrainian hackers as the creators of the Conficker worm. Research showed that the attacking system made an effort to avoid infecting systems in a Ukrainian domain or using a Ukrainian keyboard layout. This suggests that the creators of the malware may live in that part of the world and may be exempting their home country to avoid attracting attention from local authorities.

f. Unlike the early internet days of show-off hackers and amateur vandals, today’s virus writers are all about making money. Typically, today’s malware attempts to sniff out personal details that could provide its author with access to the victim’s bank account or online auction account – or simply holds an individual’s or company’s data to ransom.

g. More than 250 new viruses released monthly

h. Growing insider threat. It was once said, “We have been watching the front door while the thieves were coming in the employee entrance.” This illustrates the growing insider threat. 37% of employees surveyed at this year’s Infosecurity Europe event said that they are keeping their options open to be insiders if given the right

The surveyed employees had access to the following company assets:

• 83% had access to customer databases
• 72% had access to business plans
• 53% had access to accounting systems
• 51% had access to HR databases
• 31% had access to IT admin passwords


The incentives that they required in order to hand over sensitive data:

• 63% required at least 1 million pounds to convert to insiders
• 10% would become insiders if their mortgage was paid off
• 5% are willing to participate in exchange for a holiday
• Another 5% would do it if they are offered a new job
• 4% would participate if their credit card debt is covered

i. Occasionally, a vulnerability is publicised before a patch is available. In some cases vulnerabilities received more publicity than the already available patches.


And what are the current technologies being used around information warfare?

The types of attacks and methods of attack (technologies) will be described.

1. The main types of attacks

• Vandalism
• Financial Fraud
• Denial of service
• Theft of transaction information

DECEPTION applies to all these attacks

Methods, Techniques, Technologies (From Attackers’ point of view)

Note: some of the attack tools may have current versions, but the older versions are still usable in most instances. The malware and malicious scripts in circulation today are mostly based on techniques and example code from tutorials which were published nearly a decade ago. These get adapted incrementally as Microsoft or other vendors release their system security patches.

A great many technologies and tools used to attack computers and networks could fall into these categories:

• Malicious Codes
• Network Scanning Tools
• Password Cracking Tools
• Denial of Service Tools
• Cryptography Tools

Note: For further analysis, an information warfare technologies and weapons matrix is presented below.

Attack Methods | Technologies | Description

Password cracking: Cain & Abel, http://www.oxid.it/cain.html

Brute Passfinder Crack. There are companies available that offer password cracking services (we used some): www.password-crackers.com/crack.html, http://www.passwordportal.net

1. delete or change data relating to orders, pricing or product description

2. copy data for use by competitor for fraudulent purposes

IP Spoofing "Spoofing" is a process by which the IP address of your machine is made to appear different from what it really is

Spoofing attacks / Web spoofing (phishing): forge the From address so the message appears to have originated from a trusted source

http bomber http bomber With its very simple user interface, Bomber appears to allow a user to target specific web sites either by its URL or IP address. The attack tool claims to generate numerous HTTP GET and POST requests.

Ping attack AtTacK PiNG 1.0

Sending large amounts of pings of large sizes at an IP address.

Sql Injectors sqlninja People’s information warfare

Massive SQL injection attacks

Distributed denial of service attack (DDoS)

Ping of Death: machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)

Malware attack Mpack IcePack

Spyware Surveillance : Keyloggers

Keylogger Lite Free Keylogger

Record all activities of keyboard without the knowledge of the victim

Viruses, bomb, Trojan, malware generating tools (scary!!!)

Virus creation tools & kit http://vx.netlux.org/lib/static/vdat/creatrs1.htm http://vx.netlux.org/vx.php?id=tidx (195)

Worms, e.g. Nugache worm, Conficker, Storm

sophisticated botnets, or networks of hacked computers

Hackers' support sites: numerous websites

Espionage software: Netstumbler

Kismet is a passive sniffer for seeking out radio networks

WLAN monitor program (scanner, Sniffer) for Windows

Automated defacement tools

Denial of service attacks, IP Spoofing

Tribal Flood Network: it can spoof the source IP for the agents, and can generate multiple types of attack (including UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast). TFN2K is a more sophisticated version of the original TFN.

Electronic Civil Disobedience (ECD): combination of hacking and activism

Denial-of-service attacks.

Social Engineering http://sectools.org/ so many tools 100 Examples- Illustrations on some of the tools.
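A defensive check for the Ping of Death condition described in the matrix above, as an added example that is not part of the original brief: it flags any IPv4 fragment whose offset plus length would push the reassembled datagram past 65535 octets. The function names and the sample headers (documentation addresses 192.0.2.x) are constructed for illustration.

```python
import struct

MAX_IP_DATAGRAM = 65535  # maximum legal IPv4 datagram length, in octets


def parse_ipv4_fragment(header: bytes):
    """Return (ihl_bytes, total_length, more_fragments, offset_bytes)."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header lengths")
    more = bool(flags_frag & 0x2000)          # MF flag
    offset = (flags_frag & 0x1FFF) * 8        # offset field counts 8-octet units
    return ihl, total_len, more, offset


def reassembled_end(header: bytes) -> int:
    """Octet position where this fragment ends in the reassembled datagram.

    Assumes the reassembled header is as long as this fragment's header.
    """
    ihl, total_len, _more, offset = parse_ipv4_fragment(header)
    return ihl + offset + (total_len - ihl)


def is_oversized(header: bytes) -> bool:
    """True if accepting this fragment would exceed the 65535-octet limit."""
    return reassembled_end(header) > MAX_IP_DATAGRAM


def build_header(total_len: int, offset_units: int, more: bool) -> bytes:
    """Constructed sample ICMP/IPv4 header (checksum left at 0, not verified)."""
    flags_frag = (0x2000 if more else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


if __name__ == "__main__":
    samples = {  # constructed test traffic, not captured packets
        "ordinary echo request": build_header(84, 0, False),
        "last fragment of a legal 65535-octet datagram": build_header(415, 8140, False),
        "fragment ending past 65535": build_header(1500, 8189, False),
    }
    for name, hdr in samples.items():
        print(f"{name}: end={reassembled_end(hdr)} oversized={is_oversized(hdr)}")
```

A filter or reassembly routine should apply this check to every fragment before copying its payload into the reassembly buffer and drop the whole datagram when it fails.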


Information Warfare Technologies (Weapons) Matrix

Each threat has specific tools available online in various forms. Some are free and some are for sale. Some only require entering an IP address and clicking; the attack is carried out by a third party.

Tunneling

Scavenging


Source: Technolytics.com

Beza Belayneh is a well-known, qualified and experienced information security and cyber security expert. He has carried out extensive research on cyber warfare and presented his papers around the world…. He is Chief Information Security Officer at the Centre for Information Security and South African Centre for Information Security. Visit www.bezaspeaks.com for customized research and presentation.