
ASFWS 2012 - Cybercrime to Information Warfare & “Cyberwar”: a hacker’s perspective par Raoul...

Date post: 08-May-2015
Upload: application-security-forum-western-switzerland
Description:
This presentation will analyze Information Warfare scenarios and their technical and legal backgrounds, highlighting the importance of terminology and bringing the audience real-life examples and known incidents. The last part of the talk will focus on two theoretical case studies and on one, very special, theoretical case study.
Transcript
Page 1: ASFWS 2012 - Cybercrime to Information Warfare & “Cyberwar”: a hacker’s perspective par Raoul Chiesa et Ioan Landry

Raoul “Nobody” Chiesa Founder, President, The Security Brokers

Ioan Landry Information Operations Manager

Design & Concept: Jart Armin, Raoul Chiesa, Ioan Landry

* Disclaimer
* The Authors
* Introduction, Reasons for this talk
* Bye bye, Wargames…
* Evolution of Cyber Attacks
* Information Warfare
* Shared points between Cybercrime & InfoWar
* Countries at stake
* New concepts for a new era
* Digital Weapons comparison
* The real scenarios
* Case studies
* Contacts, Q&A

● The information contained within this presentation does not infringe on any intellectual property nor does it contain tools or recipes that could be in breach of known local laws.

● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.

● Quoted trademarks belong to their registered owners.

● The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group).

● Contents of this presentation may be quoted or reproduced, provided that the source of information is acknowledged.

● Ehm…the agenda is quite long - We’ll do our best to fit the timing!!

* On the IT underground scene since 1986
* Advisor @ UNICRI since 2004
* ENISA PSG (2010-2012, 2012-2015)
* Founder, @ Mediaservice.net – Independent Security Advisory Company.
* Founder, Board of Directors at: CLUSIT (Italian Information Security Association), ISECOM, OWASP Italian Chapter
* TSTF.net Associated Partner
* Member: ICANN, OPSI/AIP, EAST
* Supporting: Team Cymru, APWG, …

© Jart Armin & Raoul Chiesa, 2011

SLIDE NOT AVAILABLE IN THE PUBLIC RELEASE OF THIS TALK: YOU SHOULD HAVE ATTENDED APP SEC 2012!!

* In 1983, the movie “Wargames” came out.
* At least 2 generations of teenagers began “playing hacking” because of this movie.
* In the script, the lead character was nearly able to launch a “global thermo-nuclear” war.
* All of us used to laugh at that movie…
* Nevertheless, the IT attacks launched in the last 25 years still mainly rely on the hacking techniques shown in the movie.
* It’s just history, played in “repeat mode”.

Hacking with friends

Wardialling PSTN & Toll-Free / Port Scanning / X.25 scanning

…Getting access.


November 30th, 2010 © Jart Armin & Raoul Chiesa, 2010

Learn more reading the book!

and/or, watch this: http://www.youtube.com/watch?v=EcKxaq1FTac

….and this, from TED: http://www.youtube.com/watch?v=Gj8IA6xOpSk

(Cliffy, we just LOVE you, all of us! :)


* Speaking with a lot of friends, it looks like the “.mil” world developed a deep interest in these topics…
  * 2001/2002: First interest shown by the USA (after 9/11), focused on hackers’ resources in order to attack and/or infiltrate Al Qaeda;
  * 2003-2005: observed a huge escalation from USA and Israel Secret Services, asking for 0-days, seeking information resources among elite hackers, asking for Iran & Pakistan hacking;
  * 2005: China’s attacks on the USA go public, escalating during 2007-2010 (UK, Germany, France, Italy);
  * 2008/2010: USA & Canada leading (over the last 2/3 years) an increasing attention to National Critical Infrastructures, followed by UK, EU, Israel, India, Australia;
  * 2010: Italian Committee for the National Security of the Republic audited me (March/May);
  * 2009/2012: NATO Cyber Coalition running CyberDefense 2010 (+CyberShot 2009/2010) along with C4 Command (Rome);
  * TODAY - Intelligence Agencies hiring “leet hackers” in order to:
    * Buy/develop 0-days;
    * Launch attacks on terrorists and/or suspected ones;
    * Protect National Security;
    * Inform & train Local Governments.
* Thus, hackers are becoming a kind of “e-ambassadors”, “e-strategy consultants” towards .mil and .gov environments, or “e-mercenaries”, training “e-soldiers”…

* Just as, over the years, you’ve got used to words such as:
  * “Paranoia” (that’s in your DNA, hopefully!)
  * “Information Security” (198x)
  * “Firewall”, “DMZ” (1994/5)
  * “Pentesting” (1996/7)
  * “xIDS” (2001-2003)
  * “Web Application Security” (2006-2009)
  * “SCADA&NCIs” (2008-201x)
  * “PCI-DSS” (2009-201x)
  * Botnets (2008-2010)
  * “APTs” (2011-201x)
  * etc…
* …in the next (five to ten) years, you will hear non-stop talks about:
  * NGC – Next Generation Cybercrime
  * CyberWar
  * Information Warfare
  * NGW – Next Generation Warfare

First generation (70’s) was inspired by the need for knowledge.

Second generation (1980-1984) was driven by curiosity plus a hunger for knowledge: the only way to learn OSs was to hack them; later (1985-1990) hacking became a trend.

The Third one (90’s) was simply pushed by the anger for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, exchanging info with the underground community. Here we saw new concepts coming, such as hacker’s e-zines (Phrack, 2600 Magazine) along with BBS.

Fourth generation (2000-today) is driven by anger and money: often we can see subjects with very low know-how, thinking that it’s “cool & bragging” to be hackers, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets politics (cyber-hacktivism) or the criminal world (cybercrime).


2010/2012 -> 20xx

http://group-ib.com/images/media/Group-IB_Report_2011_ENG.pdf

“2011 Cybercrime financial turnover apparently scored up more than Drugs dealing, Human Trafficking and Weapons Trafficking turnovers”
Various sources (UN, USDOJ, INTERPOL, 2011)

Financial Turnover, estimation: 6-12 BLN USD$/year
Source: Group IB Report 2011

«Cybercrime ranks as one of the top four economic crimes»
PriceWaterhouseCoopers LLC Global Economic Crime Survey 2011


* No more “Wargames” (even if Wargames 2010 came out, and Bruce Willis got the support of a “hacker” in the latest Die Hard): the “romantic hackers” are gone, forever.
* Then Stuxnet appeared (May-June 2010), followed by DuQu, Flame, Gauss, etc…
* …and everything changed.
* WHY??
  * An unexpected attack.
  * An unexpected target (SCADA, Nuclear Plant).
  * The very first time something like this was happening.

* Very simply, we are speaking about so-called warfare, applied to cyberspace.
* Defending information and communication networks, acting as a deterrent against “information attacks”, while not allowing the enemy to do the same.
* So we are speaking about “Offensive Information Operations”, built against an adversary, up to the point of being able to dominate the information in a war context.

* It is an extremely new and dynamic war scenario, where the metrics and views used before it are now really obsolete.
* Typically, these operations are decentralized and anonymous.
* The “entry fee” cost is extremely low, while it supplies a huge power.
* …and after all, there’s always the possibility of denying what has happened…
* Think about Estonia, Georgia, Stuxnet, Arab Spring, North Africa, Libya, Syria, Iran… what will be next??

* PC Zombies (botnets) -> they take advantage of the “standard user”, in both corporate and home (broadband, SOHO) scenarios.
* “0-days”: until today, all of them were on MS Windows + ad-hoc exploiting.
* (attacker’s perspective) Nothing changes that much. There are more chances to hack 1.000.000 broadband users than 10.000 PCs from a company’s network.
* It’s still the digital weapon they need in order to launch attacks (DDoS, Keyloggers, 0-Days, etc).

OUT -> IN

* Single operational pic -> Situational awareness
* Autonomous ops -> Self-synchronizing ops
* Broadcast information push -> Information pull
* Individual -> Collaboration
* Stovepipes -> Communities of Interest
* Task, process, exploit, disseminate -> Task, post, process, use
* Multiple data calls, duplication -> Only handle information once
* Private data -> Shared data
* Perimeter, one-time security -> Persistent, continuous IA
* Bandwidth limitations -> Bandwidth on demand
* Circuit-based transport -> IP-based transport
* Single points of failure -> Diverse routing
* Separate infrastructures -> Enterprise services
* Customized, platform-centric IT -> COTS based, net-centric capabilities
* (IN only) Scouting elite hacker parties?

● USA
● UK, Canada, France, Germany, Switzerland, Italy
● Brazil
● Israel, Palestinian National Authority
● Zimbabwe
● Middle East: “friendly” countries (UAE, Saudi Arabia…)
● North Africa / Africa generally speaking (WW Soccer Games 2010)
● China
● India
● Pakistan
● North Korea (DPRK)
● South Korea
● Iran
● Kyrgyzstan
● Myanmar
● Russia, Estonia, Georgia
● Rwanda

Legend: “Low Risk”, “High Risk”, “Average Risk”

Nations with Cyber Warfare (Offensive) Capabilities - Survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN.

Columns: Cyber warfare Doctrine/Strategy | CW training/Trained Units | CW exercises/simulations | Collaboration w/ IT Industry and/or Technical Universities | Not official Sources

Australia,, X X

Belarus X X

China21 X X X X ,

North Korea21 X X ,,

France21,29 X X X X

India21, 31 X X X X 33

Iran21,,, X X 34, 35

Israel21, X X X X

Pakistan21,, X 36

Russia21 X X X 37, 38

USA21, 30, 39 40,41 X X X

Nations with Cyber Warfare (Defense) Capabilities - Survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN.

Columns: Cyber warfare Doctrine/Strategy | CW training/Trained Units | CW exercises/simulations | Collaboration w/ IT Industry and/or Technical Universities

Albania21,30 X X X

Argentina21 X X

Austria21,24 X X X

Brazil21 X X X

Bulgaria21 X X

Canada 5,30 X

Cyprus21,42 X X X X

South Korea 21 X

Denmark21,30 X X

Estonia21,30 X X X

Philippines21 X X X

Finland12 X X

Ghana21 X

Germany21,30 X X X

Japan21 X

Jordan21 X X


Italy21,30 X X X

Kenya21 X

Latvia21 X X X

Lithuania21 X X

Malaysia21 X X

New Zealand21 X X

Norway21,30 X X

Netherlands21,8,43 X X X

Poland21,30 X X

Czech Republic21,8 X X X

Slovak Republic21,8 X X

Spain8 X

Sweden21,,42 X

Switzerland21,42 X X

Turkey21,29 X X X

Hungary21 X X X X

United Kingdom21,8 X X X

* “North Korea will soon attack many countries using IT attacks, since they have the best hackers of the whole world.”
* Uh?!? Seriously??
* That’s weird, when speaking about a country which is totally isolated from the Internet, where the “cellular network” is more reminiscent of a DECT infrastructure… (no BTSs outside of Pyongyang).
* See Mike Kemp’s slides from CONFidence 2010 @ Krakow.

“In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces.”

Former Duma speaker Nikolai Kuryanovich, 2007

Cyber War

* „dummy list“ of „ID-10T“ for phishing
* background info on organisation (orgchart etc.)
* Primer for sector-specific social-engineering
* proxy servers
* banking arrangements
* purchase attack-kits
* rent botnets
* find (trade!) good C&C server
* purchase 0-days / certificates
* purchase skill-set
* bespoke payload / search terms
* Purchase L2/L3 system data
* equipment to mimic target network
* dummy run on similar network
* sandbox zerodays

Alexander Klimburg 2012

* Botnet & drone armies
* DDoS
* Trojans & Worms
* Malware
* Server hacking
* Encryption
* Extortion & Ransom
* Man in the Middle


* Russia

* USA

* France

* Israel

* UK

* China

* India

* Pakistan

* Ukraine

* Malware Factories

* Cyber crime tools

* Communications Intelligence

* National knowhow defence

* Transition from Industrial tools

* Hired Cyber mercenaries

* Industrial espionage

* Counter cyber attacks

* Cyber army

* Botnet armies

* Contract developers (x 4 worldwide)

* UN Member States = 197

* Vulnerable?

* 197 !!!!

* Hacking

* DDoS

* Botnets

* Defacement

* Web site Hijacking & Redirection

* DNS & BGP hijacking

* BlackEnergy

* Darkness

* Stuxnet

* DuQu?


* Cluster Bomb
* Cruise Missile

Multiple targets, loud and noisy

* Massive DDoS
* Loss of digital communication
* Cloning of state communications
* Create confusion

Laser Guided, precision, and stealth

* Compromise infrastructure
* Industrial Sabotage
* Loss of confidence in systems
* Create confusion

* 30 bots overwhelm an average web site

* 1,000 bots - large web site

* 5,000 bots - even when using anti-ddos, blocks, and other preventive measures

* 15,000 bots can theoretically bring down vkontakte.ru (Russian Facebook)

* Example: the Conficker worm reached 10.5 million bots

Non-state proxies and “inadvertent Cyberwar”

Scenario: „During a time of international crisis, a [presumed non-state CNE] proxy network of country A is used to wage a „serious (malicious destruction) cyber-attack“ against country B.“

How does country B know if:

a) The attack is conducted with consent of Country A (Cyberwar)

b) The attack is conducted by the proxy network itself without consent of Country A (Cyberterrorism)

c) The attack is conducted by a Country C who has hijacked the proxy network? (False Flag Cyberwar)

© Alexander Klimburg 2012

Raoul Chiesa, Ioan Landry, Jart Armin 2010-2012

[Diagram labels: “Cyberpower”, “Information Operations”, CNO, CNA/CNE, OPSEC, PSYOPS, MilDec, EW, CND, “Military cyber ops”, Internet Governance, Cyberespionage and CI, “Strategic cyber ops”, Strategic Communication, CyberDiplomacy, “Information Warfare”]

Source: Alexander Klimburg 2012

In March 2012, the U.S.-China Economic and Security Review Commission tasked Northrop Grumman with writing up a “feasibility study” of Chinese information operations in peace and wartime.

The paper weighs in at 137 pages and I highly recommend reading it.

The paper goes into a “CNO Targeting Case Study” at some point, with Chinese actors specifically targeting a small but crucial component, the U.S. Transportation Command (USTRANSCOM).

“The mission of USTRANSCOM is to provide air, land and sea transportation for the Department of Defense, both in time of peace and time of war”.

More pertinently: responsible for air refueling missions, of critical importance given U.S. reliance on air power in projecting influence across the globe (and in this scenario, chiefly in Asia-Pacific, i.e. Taiwan).

USTRANSCOM, like many agencies, relies on a number of civilian contractors to supplement its own men and women in uniform.

More people spread among multiple organizations with access to critical web applications and databases = an exponential increase in the attack surface.


I’m sure you all see where this is going…

Napoleon’s famous maxim, “an army marches on its stomach”.

A complete paralysis of the Armed Forces’ supply chain is perhaps the second worst-case scenario, after the crippling of communications/C3 capabilities.

(I can probably talk more about supply chain problems in a non-mil environment, like backdoored routers ending up in a .gov or telco datacenter)


In August 2004, a backdoor was placed in a crucial junction of Greece's telecommunication backbone, namely four Ericsson AXE switches in Athens. The backdoor provided unknown perpetrators with full voice and SMS traffic of over 100 targeted mobile phones belonging to:

Prime Minister Kostas Karamanlis and members of his family,

the Mayor of Athens, Dora Bakoyannis,

most phones of the top officers at the Ministry of Defense,

the Ministry of Foreign Affairs,

the Ministry for Public Order,

members of the ruling party, and ranking members of the opposition (PASOK),

the Hellenic Navy General Staff,

the previous Minister of Defense,

others such as a Greek-American based in the American embassy and many Arab businessmen.


Who did it? Who ordered it?

Hard-to-find and niche skills

Budget, perceived ROI, HUMINT assets…

More importantly, what would I do?

No cyber Pearl Harbour, no exploding power grids…

Let us visit the soft underbelly of telecommunications…


Connection-oriented WAN technology.

Protocol suite defined in 1976 in your backyard.

Private entities and nations ran their own X.25 networks until the 'net swept them all away…

Well, almost...

Largely forgotten today. That’s a good thing.

Today’s Snapple facts:

Speeds of 56 Kbps to 2.048 Mbps…

“Utility model” – vendor/operator maintained infrastructure and data routing; user/client billed only for traffic used.

Different networks have different topologies and capabilities, known as facilities, e.g.: reverse charging, closed user groups, sub-addressing and mnemonics, hunt groups, etc…

“C’mon, first and last I heard of X.25 was in CVE-2011-2910…”

X.25 isn’t just for ham radio nerds, though…

It is a whole “new” world, often deployed in parallel to the one you interact with… whether you know it or not.

A whole world without IDS, without WAF…

X.25 gives you the opportunity to visit exotic lands, meet interesting systems…

… and then root them.

… and so much more!

Once you’ve dropped shell on a mainframe, you can’t go back…

The topology at its simplest:

DTE - Data Terminal Equipment - think: end-user equipment

DCE - Data Circuit Terminating Equipment - think: modems, switches, gateways

PSE - Packet Switching Exchange - think: backbone

Source: Cisco Documentation Wiki, retrieved 03/11/12


Once you hop onto an X.25 network, legitimately or otherwise, you’re assigned an NUA (Network User Address). Think of this as something between an IP address and a phone number.

Their make-up is at the discretion of the network operator…

Example: BT PSS (UK) “employed a numbering system using a 3-digit area code (which conformed with the area code of the telephone network) plus a 5-digit subscriber number, and another 2 digits were available for the sub-address.”

Example: DATAPAC (Canada) NUAs are 8 digits long, the first four referring to the province and city while the following 4 specify the actual host.

Instead of “country codes” we have DNICs, which are managed by the ITU in Geneva. 3020 is DATAPAC, 4251 is ISRANET, 6026 is EGYPTNET, etc…

Note: Yes, there are still a lot of active X.25 networks…


So, integrators have been pushing for a total deprecation of X.25 for a while but vendors keep the love coming: In fact, it is supported in all versions of Cisco IOS!


Not just Cisco…

Rolled out in more recent Huawei devices! Let us ignore the possibility that Huawei basically did a svn checkout on the IOS source tree…


From the horse’s mouth:

“Telco databases are usually linked to SCPs by X.25 links.” – Cisco

“We accessed [an operator’s] systems through their x25 network which they never knew was running because the network vendor never disclosed it…” – Philippe Langlois, October 12 2012


I’m a masochist and did a (mostly) complete scan of DATAPAC in 2011-12. I’d rather not publicly discuss other networks.

Verdict: X.25 is still very busy, but I'll be honest - lots of planned deprecation and migrations between 2000-2010.

We lost a few good X.25 networks...

SWIFT migration to IP-based SWIFTNET allegedly complete in 2005... But I'll bet you 1 BTC that there's still something...

Besides, a great deal of EFT transactions are still done over X.25…

Canada's Interac migration from X.25 will be done in 2015.

SITA is also deploying dual-layered solutions (X.25 and IP side by side; XOT), with no publicly-declared deprecation date for X.25, but it is coming.

Still used for/in…

* Telco management (NMC, NE, billing)
* Telco operations - SMSc/MMSCs
* Transport sector: global transport hubs – airlines – SITA
* Finance sector: a lot of PoS and EFT activity
* Finance sector: Credit Card Processing Centers (hacks already happened: not public, though)
* Stock Exchanges (!)
* Government: regional and national
* Meteorological organizations
* Fortune 500 and heavy industry
* And yes, there are PLCs that speak X.25… SCADA’s & National Critical Infrastructures nightmares here as well

Verdict: a forgotten X.25 link drops you right in the middle of the very weird stuff!
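
An added example (not from the original slides): a Python audit that walks a router configuration export and reports X.25 exposure an operator may have forgotten, splitting any configured address into DNIC and NUA using the DATAPAC layout described earlier. The Cisco IOS keywords it matches (`encapsulation x25`, `x25 address`, `x25 routing`, `x25 route ... xot`, `service pad`) are not quoted on the slides, and the sample configuration is constructed for illustration.

```python
import re

# DNICs named on the slide; any other prefix is reported as "unknown".
DNIC_NAMES = {"3020": "DATAPAC", "4251": "ISRANET", "6026": "EGYPTNET"}

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service pad
!
x25 routing
!
interface Serial0/0
 description legacy billing link
 encapsulation x25 dce
 x25 address 302012345678
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
x25 route ^3020 xot 192.0.2.50
!
end
"""


def split_x121(addr):
    """Split an X.121 address into its 4-digit DNIC and the national part.

    X.121 allows at most 14 digits. For DATAPAC (DNIC 3020) the slide's
    layout is applied: 4 digits province/city, 4 digits host, and any
    remaining digits are treated as a sub-address.
    """
    if not re.fullmatch(r"\d{5,14}", addr):
        raise ValueError("not an X.121 address: %r" % addr)
    dnic, national = addr[:4], addr[4:]
    parsed = {
        "dnic": dnic,
        "network": DNIC_NAMES.get(dnic, "unknown"),
        "national": national,
    }
    if dnic == "3020" and len(national) >= 8:
        parsed["area"] = national[:4]
        parsed["host"] = national[4:8]
        parsed["subaddress"] = national[8:]
    return parsed


def audit_ios_config(text):
    """Return (scope, finding, detail) tuples for X.25-related settings.

    scope is the interface name for interface-level lines, else "global".
    Lines starting with "no " are explicit disables and are skipped.
    """
    findings = []
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A non-indented line ends the previous interface block.
            m = re.match(r"interface (\S+)", raw)
            iface = m.group(1) if m else None
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        if line == "service pad":
            findings.append(("global", "pad-service", line))
        elif line == "x25 routing":
            findings.append(("global", "x25-switching", line))
        elif line.startswith("x25 route ") and " xot " in line:
            # X.25 carried over TCP/IP to another host (XOT).
            findings.append(("global", "xot-route", line))
        elif iface and line.startswith("encapsulation x25"):
            findings.append((iface, "x25-encapsulation", line))
        elif iface:
            m = re.match(r"x25 address (\d+)$", line)
            if m:
                findings.append((iface, "x25-address", split_x121(m.group(1))))
    return findings


if __name__ == "__main__":
    for scope, finding, detail in audit_ios_config(SAMPLE_CONFIG):
        print(scope, finding, detail)
```

Run it over every exported configuration in the estate; any finding on a device nobody expected to speak X.25 is a link to inventory, monitor or decommission.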


"The MTSO contains the switching equipment or Mobile Switching Center (MSC) for routing mobile phone calls. It also contains the equipment for controlling the cell sites that are connected to the MSC... All cellular systems have at least one MTSO which will contain at least one MSC. The MSC is responsible for switching calls to mobile units as well as to the local telephone system, recording billing data and processing data from the cell site controllers."


Who is this guy and what’s he getting at? Where are the exploding power plants? Are cyberterrorists really gonna start hacking X.25 networks?

Probably not, but think back on the two initial case studies:

* Crippling of “dual use” logistical or communication networks in war time,
* Traditional espionage in peace time.

We certainly live in interesting times... A world where I foresee more Ericsson AXE rootkits and more Stuxnet.

Just don’t drink the kool aid!

Recommended Reading/Viewing

Philippe Langlois & Emmanuel Gadaix – 6000 Ways And More - A 15 Year Perspective on Why Telcos Keep Getting Hacked - HITB KL 2012

Johnathan Stuart – A brief introduction to telephone switching security and internals – ReCON 2010

Dave Aitel – Amateur Hour on the Internet – Countermeasure 2012

Key quote: “Infrastructures don’t age well”

Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking, by Raoul Chiesa, Stefania Ducci and Silvio Ciappi (CRC Press/Taylor&Francis Group)

Telco manuals.


Everything is just about the frog.

…in the cloud.


*Ioan Landry: [email protected]

*Raoul Chiesa: [email protected]

The opinions hereby expressed are those of the Authors and do not necessarily represent the ideas and opinions of the United Nations, the UN agency “UNICRI”, ENISA, ENISA PSG, nor others.