Date posted: 08-May-2015
Category: Technology
Uploaded to: application-security-forum-western-switzerland
Raoul “Nobody” Chiesa Founder, President, The Security Brokers
Ioan Landry Information Operations Manager
Design & Concept: Jart Armin, Raoul Chiesa, Ioan Landry
Agenda
* Disclaimer
* The Authors
* Introduction, reasons for this talk
* Bye bye, Wargames…
* Evolution of Cyber Attacks
* Information Warfare
* Shared points between Cybercrime & InfoWar
* Countries at stake
* New concepts for a new era
* Digital Weapons comparison
* The real scenarios
* Case studies
* Contacts, Q&A
Disclaimer
* The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known local laws.
* The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.
* Quoted trademarks belong to their registered owners.
* The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the views of ENISA and its PSG (Permanent Stakeholders Group).
* Contents of this presentation may be quoted or reproduced, provided that the source of information is acknowledged.
* Ehm… the agenda is quite long. We’ll do our best to fit the timing!!
The Authors – Raoul Chiesa
* On the IT underground scene since 1986
* Advisor @ UNICRI since 2004
* ENISA PSG (2010-2012, 2012-2015)
* Founder, @ Mediaservice.net – Independent Security Advisory Company
* Founder, Board of Directors at: CLUSIT (Italian Information Security Association), ISECOM, OWASP Italian Chapter
* TSTF.net Associated Partner
* Member: ICANN, OPSI/AIP, EAST
* Supporting: Team Cymru, APWG, …
© Jart Armin & Raoul Chiesa, 2011
[Slide not available in the public release of this talk: you should have attended AppSec 2012!!]
Bye bye, Wargames…
* In 1983, the movie “Wargames” came out.
* At least two generations of teenagers began “playing hacking” because of this movie.
* In the script, the lead character was nearly able to launch a “global thermonuclear war”.
* All of us used to laugh at that movie…
* Nevertheless, the IT attacks launched in the last 25 years still mainly rely on the hacking techniques shown in the movie.
* It’s just history, played in “repeat mode”.
Hacking with friends: wardialling (PSTN & toll-free) / port scanning / X.25 scanning… getting access.
November 30th, 2010 © Jart Armin & Raoul Chiesa, 2010
Learn more by reading the book! And/or watch this:
http://www.youtube.com/watch?v=EcKxaq1FTac
…and this, from TED:
http://www.youtube.com/watch?v=Gj8IA6xOpSk
(Cliffy, we just LOVE you, all of us! :)
Introduction, reasons for this talk
* Speaking with a lot of friends, it looks like the “.mil” world has developed a deep interest in these topics…
* 2001/2002: first interest shown by the USA (after 9/11), focused on hackers’ resources in order to attack and/or infiltrate Al Qaeda;
* 2003-2005: a huge escalation observed from US and Israeli secret services, asking for 0-days, seeking information resources among elite hackers, asking for hacking against Iran & Pakistan;
* 2005: China’s attacks on the USA go public, escalating during 2007-2010 (UK, Germany, France, Italy);
* 2008/2010: USA & Canada leading (over the last 2-3 years) an increasing attention to National Critical Infrastructures, followed by UK, EU, Israel, India, Australia;
* 2010: the Italian Committee for the National Security of the Republic audited me (March/May);
* 2009/2012: NATO Cyber Coalition running CyberDefense 2010 (+ CyberShot 2009/2010) along with C4 Command (Rome);
* TODAY: intelligence agencies hiring “leet hackers” in order to:
  - buy/develop 0-days;
  - launch attacks on terrorists and/or suspected ones;
  - protect National Security;
  - inform & train local governments.
* Thus hackers are becoming a kind of “e-ambassadors” or “e-strategy consultants” towards .mil and .gov environments, or “e-mercenaries” training “e-soldiers”…
* Just as over the years you’ve got used to words such as:
  - “Paranoia” (that’s in your DNA, hopefully!)
  - “Information Security” (198x)
  - “Firewall”, “DMZ” (1994/5)
  - “Pentesting” (1996/7)
  - “xIDS” (2001-2003)
  - “Web Application Security” (2006-2009)
  - “SCADA & NCIs” (2008-201x)
  - “PCI-DSS” (2009-201x)
  - Botnets (2008-2010)
  - “APTs” (2011-201x)
  - etc…
* …in the next (five to ten) years, you will hear non-stop talks about:
  - NGC – Next Generation Cybercrime
  - CyberWar
  - Information Warfare
  - NGW – Next Generation Warfare
Evolution of Cyber Attacks: the hacker generations
The first generation (70’s) was inspired by the need for knowledge.
The second generation (1980-1984) was driven by curiosity plus a hunger for knowledge: the only way to learn OSs was to hack them; later (1985-1990) hacking became a trend.
The third one (90’s) was simply pushed by the hunger for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, and exchanging info with the underground community. Here we saw new concepts coming, such as hackers’ e-zines (Phrack, 2600 Magazine) along with BBSs.
The fourth generation (2000-today) is driven by anger and money (€, $): often we can see subjects with a very low know-how, thinking that being hackers is “cool & bragging”, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets politics (cyber-hacktivism) or the criminal world (cybercrime).
2010/2012 -> 20xx
http://group-ib.com/images/media/Group-IB_Report_2011_ENG.pdf
“2011 Cybercrime financial turnover apparently scored up more than Drugs dealing, Human Trafficking and Weapons Trafficking turnovers” – various sources (UN, USDOJ, INTERPOL, 2011)
Financial turnover, estimation: 6-12 BLN USD/year – Source: Group-IB Report 2011
«Cybercrime ranks as one of the top four economic crimes» – PriceWaterhouseCoopers LLC Global Economic Crime Survey 2011
* No more “Wargames” (even if Wargames 2010 came out, and Bruce Willis got the support of a “hacker” in the latest Die Hard): the “romantic hackers” are gone, forever.
* Then Stuxnet appeared (May-June 2010), followed by DuQu, Flame, Gauss, etc…
* …and everything changed.
* WHY??
* An unexpected attack.
* An unexpected target (SCADA, a nuclear plant).
* The very first time something like this had happened.
Information Warfare
* Very simply, we are speaking about so-called Warfare applied to cyberspace.
* Defending information and communication networks, acting as a deterrent towards “information attacks”, while not allowing the enemy to do the same.
* So we are speaking about “Offensive Information Operations”, built against an adversary, until being able to dominate the information during a war context.
22
** It is an extremely new and dynamic war scenario, where those
metrics and views used before it are now really obsolete.
* Typically, these operations are decentralized while anonymous.
* The “entry fee” cost is extremely low, while it supplies a huge
power.
*…and after all, there’s always the possibility of denying what has
happened..
* Think about Estonia, Georgia, Stuxnet, Arab Springs, North Africa,
Lybia, Syria, Iran… what will be next??
Shared points between Cybercrime & InfoWar
* PC zombies (botnets) -> they take advantage of the “standard user”, both in a corporate or a home (broadband, SOHO) scenario.
* “0-days”: until today, all of them were on MS Windows + ad-hoc exploiting.
* (attacker’s perspective) Nothing changes that much: there are more chances to hack 1,000,000 broadband users than 10,000 PCs on a company’s network.
* It’s still the digital weapon they need in order to launch attacks (DDoS, keyloggers, 0-days, etc.).
New concepts for a new era (net-centric shift, OUT -> IN):

OUT                                    -> IN
Single operational picture             -> Situational awareness
Autonomous ops                         -> Self-synchronizing ops
Broadcast information push             -> Information pull
Individual                             -> Collaboration
Stovepipes                             -> Communities of Interest
Task, process, exploit, disseminate    -> Task, post, process, use
Multiple data calls, duplication       -> Only handle information once
Private data                           -> Shared data
Perimeter, one-time security           -> Persistent, continuous IA
Bandwidth limitations                  -> Bandwidth on demand
Circuit-based transport                -> IP-based transport
Single points of failure               -> Diverse routing
Separate infrastructures               -> Enterprise services
Customized, platform-centric IT        -> COTS based, net-centric capabilities

Scouting elite hacker parties?
Countries at stake (grouped on the slide as “Low Risk”, “Average Risk” and “High Risk”):
* USA
* UK, Canada, France, Germany, Switzerland, Italy
* Brazil
* Israel, Palestinian National Authority
* Zimbabwe
* Middle East: “friendly” countries (UAE, Saudi Arabia…)
* North Africa / Africa generally speaking (World Cup 2010)
* China
* India
* Pakistan
* North Korea (DPRK)
* South Korea
* Iran
* Kyrgyzstan
* Myanmar
* Russia, Estonia, Georgia
* Rwanda
Nations with Cyber Warfare (Offensive) Capabilities – survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN.
Capability columns on the slide: cyber warfare doctrine/strategy; CW training/trained units; CW exercises/simulations; collaboration with IT industry and/or technical universities. Each X marks one of these capabilities (the column position of each X is not preserved in this text version); the last column lists non-official sources.

Country (refs)             | Capabilities marked | Non-official sources
Australia                  | X X                 |
Belarus                    | X X                 |
China (21)                 | X X X X             |
North Korea (21)           | X X                 |
France (21, 29)            | X X X X             |
India (21, 31)             | X X X X             | 33
Iran (21)                  | X X                 | 34, 35
Israel (21)                | X X X X             |
Pakistan (21)              | X                   | 36
Russia (21)                | X X X               | 37, 38
USA (21, 30, 39, 40, 41)   | X X X               |
Nations with Cyber Warfare (Defense) Capabilities – survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN.
Capability columns on the slide: cyber warfare doctrine/strategy; CW training/trained units; CW exercises/simulations; collaboration with IT industry and/or technical universities. Each X marks one of these capabilities (the column position of each X is not preserved in this text version).

Country (refs)             | Capabilities marked
Albania (21, 30)           | X X X
Argentina (21)             | X X
Austria (21, 24)           | X X X
Brazil (21)                | X X X
Bulgaria (21)              | X X
Canada (5, 30)             | X
Cyprus (21, 42)            | X X X X
South Korea (21)           | X
Denmark (21, 30)           | X X
Estonia (21, 30)           | X X X
Philippines (21)           | X X X
Finland (12)               | X X
Ghana (21)                 | X
Germany (21, 30)           | X X X
Japan (21)                 | X
Jordan (21)                | X X
Italy (21, 30)             | X X X
Kenya (21)                 | X
Latvia (21)                | X X X
Lithuania (21)             | X X
Malaysia (21)              | X X
New Zealand (21)           | X X
Norway (21, 30)            | X X
Netherlands (21, 8, 43)    | X X X
Poland (21, 30)            | X X
Czech Republic (21, 8)     | X X X
Slovak Republic (21, 8)    | X X
Spain (8)                  | X
Sweden (21, 42)            | X
Switzerland (21, 42)       | X X
Turkey (21, 29)            | X X X
Hungary (21)               | X X X X
United Kingdom (21, 8)     | X X X
* “North Korea will soon attack many countries using IT attacks, since they have the best hackers of the whole world.”
* Uh?!? Seriously??
* That’s weird, when speaking about a country which is totally isolated from the Internet, where its “cellular network” resembles a DECT infrastructure more than anything else (no BTSs outside Pyongyang).
* See Mike Kemp’s slides from CONFidence 2010 @ Krakow.
“In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces.”
Former Duma speaker Nikolai Kuryanovich, 2007

Cyber War
The attacker’s shopping list (Alexander Klimburg 2012):
* “dummy list” of “ID-10T” for phishing
* background info on organisation (org chart etc.)
* primer for sector-specific social engineering
* proxy servers
* banking arrangements
* purchase attack kits
* rent botnets
* find (trade!) good C&C server
* purchase 0-days / certificates
* purchase skill-set
* bespoke payload / search terms
* purchase L2/L3 system data
* equipment to mimic target network
* dummy run on similar network
* sandbox zero-days
* Botnet & drone armies
* DDoS
* Trojans & worms
* Malware
* Server hacking
* Encryption
* Extortion & ransom
* Man in the Middle

* Russia
* USA
* France
* Israel
* UK
* China
* India
* Pakistan
* Ukraine

* Malware factories
* Cyber crime tools
* Communications intelligence
* National know-how defence
* Transition from industrial tools
* Hired cyber mercenaries
* Industrial espionage
* Counter cyber attacks
* Cyber army
* Botnet armies
* Contract developers (x 4 worldwide)
* UN Member States = 197
* Vulnerable? 197 !!!!
* Hacking
* DDoS
* Botnets
* Defacement
* Web site hijacking & redirection
* DNS & BGP hijacking
* BlackEnergy
* Darkness
* Stuxnet
* DuQu?
Digital Weapons comparison

Cluster Bomb – multiple targets, loud and noisy:
* Massive DDoS
* Loss of digital communication
* Cloning of state communications
* Create confusion

Cruise Missile – laser guided, precision, and stealth:
* Compromise infrastructure
* Industrial sabotage
* Loss of confidence in systems
* Create confusion
* 30 bots overwhelm an average web site
* 1,000 bots – a large web site
* 5,000 bots – even when using anti-DDoS, blocks, and other preventive measures
* 15,000 bots can theoretically bring down vkontakte.ru (the Russian Facebook)
* Example: the Conficker worm reached 10.5 million bots
Non-state proxies and the “inadvertent cyberwar” scenario: “During a time of international crisis, a [presumed non-state CNE] proxy network of country A is used to wage a ‘serious (malicious destruction) cyber-attack’ against country B.”
How does country B know if:
a) the attack is conducted with the consent of Country A (cyberwar);
b) the attack is conducted by the proxy network itself without the consent of Country A (cyberterrorism);
c) the attack is conducted by a Country C which has hijacked the proxy network (false-flag cyberwar)?
© Alexander Klimburg 2012
Raoul Chiesa, Ioan Landry, Jart Armin 2010-2012
Klimburg’s “Cyberpower” map (source: Alexander Klimburg 2012) groups the following terms:
* “Information Operations”: CNO (CNA/CNE, CND), OPSEC, PSYOPS, MilDec, EW
* “Military cyber ops”
* Internet Governance
* Cyberespionage and CI
* “Strategic cyber ops”
* Strategic Communication
* CyberDiplomacy
* “Information Warfare”
In March 2012, the U.S.-China Economic and Security Review Commission tasked Northrop Grumman with writing up a “feasibility study” of Chinese information operations in peace and wartime.
The paper weighs in at 137 pages and I highly recommend reading it.
At some point the paper goes into a “CNO Targeting Case Study”, with Chinese actors specifically targeting a small but crucial component, the U.S. Transportation Command (USTRANSCOM).
“The mission of USTRANSCOM is to provide air, land and sea transportation for the Department of Defense, both in time of peace and time of war”.
More pertinently: it is responsible for air refueling missions, of critical importance given U.S. reliance on air power in projecting influence across the globe (and in this scenario, chiefly in Asia-Pacific, i.e. Taiwan).
USTRANSCOM, like many agencies, relies on a number of civilian contractors to supplement its own men and women in uniform.
More people spread among multiple organizations with access to critical web applications and databases = an exponential increase in the attack surface.
I’m sure you all see where this is going…
Napoleon’s famous maxim: “an army marches on its stomach”.
A complete paralysis of the Armed Forces’ supply chain is perhaps the second worst-case scenario, after the crippling of communications/C3 capabilities.
(I can probably talk more about supply chain problems in a non-mil environment, like backdoored routers ending up in a .gov or telco datacenter.)
In August 2004, a backdoor was placed in a crucial junction of Greece’s telecommunication backbone, namely four Ericsson AXE switches in Athens. The backdoor provided unknown perpetrators with the full voice and SMS traffic of over 100 targeted mobile phones belonging to:
* Prime Minister Kostas Karamanlis and members of his family,
* the Mayor of Athens, Dora Bakoyannis,
* most of the top officers at the Ministry of Defense,
* the Ministry of Foreign Affairs,
* the Ministry for Public Order,
* members of the ruling party, and ranking members of the opposition (PASOK),
* the Hellenic Navy General Staff,
* the previous Minister of Defense,
* others, such as a Greek-American based in the American embassy and many Arab businessmen.
Who did it? Who ordered it?
Hard-to-find and niche skills.
Budget, perceived ROI, HUMINT assets…
More importantly, what would I do?
No cyber Pearl Harbour, no exploding power grids…
Let us visit the soft underbelly of telecommunications…
X.25
* Connection-oriented WAN technology.
* Protocol suite defined in 1976 in your backyard.
* Private entities and nations ran their own X.25 networks until the ’net swept them all away… Well, almost...
* Largely forgotten today. That’s a good thing.
Today’s Snapple facts:
* Speeds of 56 Kbps to 2.048 Mbps…
* “Utility model” – vendor/operator maintained infrastructure and data routing; user/client billed only for traffic used.
* Different networks have different topologies and capabilities, known as facilities, e.g. reverse charging, closed user groups, sub-addressing and mnemonics, hunt groups, etc…
“C’mon, the first and last I heard of X.25 was in CVE-2011-2910…”
X.25 isn’t just for ham radio nerds, though…
It is a whole “new” world, often deployed in parallel to the one you interact with… whether you know it or not.
A whole world without IDS, without WAF…
X.25 gives you the opportunity to visit exotic lands, meet interesting systems…
… and then root them.
… and so much more!
Once you’ve dropped shell on a mainframe, you can’t go back…
The topology at its simplest:
* DTE – Data Terminal Equipment – think: end-user equipment
* DCE – Data Circuit-terminating Equipment – think: modems, switches, gateways
* PSE – Packet Switching Exchange – think: backbone
Source: Cisco Documentation Wiki, retrieved 03/11/12
Once you hop onto an X.25 network, legitimately or otherwise, you’re assigned an NUA (Network User Address). Think of this as something between an IP address and a phone number.
Their make-up is at the discretion of the network operator…
Example: BT PSS (UK) “employed a numbering system using a 3-digit area code (which conformed with the area code of the telephone network) plus a 5-digit subscriber number, and another 2 digits were available for the sub-address.”
Example: DATAPAC (Canada) NUAs are 8 digits long, the first four referring to the province and city, the following 4 specifying the actual host.
Instead of “country codes” we have DNICs, which are managed by the ITU in Geneva. 3020 is DATAPAC, 4251 is ISRANET, 6026 is EGYPTNET, etc…
Note: yes, there are still a lot of active X.25 networks…
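To make the addressing scheme above concrete, here is an added example (not code from the talk or its authors) that normalises X.25 addresses the way a defender would when reviewing a legacy interface inventory for forgotten X.25 reachability: it splits an international address into DNIC and NTN, classifies it against the three DNICs named on the slide, and applies the DATAPAC (4 + 4 digits) and BT PSS (3 + 5 + optional 2 digits) national layouts quoted above. Assumptions, labelled in the code: the DNIC is 4 digits and the NTN at most 10, per ITU-T X.121; the DNIC table is a constructed three-entry lookup, not the ITU allocation list; the `network_hint` parameter and all sample addresses are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# DNIC -> network name. Constructed lookup holding only the three networks
# named on the slide; it is not the ITU-T X.121 allocation list.
KNOWN_DNICS = {"3020": "DATAPAC", "4251": "ISRANET", "6026": "EGYPTNET"}

# National number layouts quoted on the slide:
#   DATAPAC: 4-digit province/city code + 4-digit host
#   BT PSS : 3-digit area code + 5-digit subscriber + optional 2-digit sub-address
LAYOUTS = {
    "DATAPAC": re.compile(r"^(?P<area>\d{4})(?P<host>\d{4})$"),
    "BT PSS": re.compile(r"^(?P<area>\d{3})(?P<host>\d{5})(?P<sub>\d{2})?$"),
}


@dataclass
class NUA:
    raw: str
    dnic: Optional[str]          # None for a national (in-network) address
    network: Optional[str]       # name from KNOWN_DNICS or the hint, or None
    ntn: str                     # national terminal number
    area: Optional[str] = None
    host: Optional[str] = None
    subaddress: Optional[str] = None


def parse_nua(address: str, network_hint: Optional[str] = None) -> NUA:
    """Normalise and split one X.25 address.

    Without a hint, a leading 4-digit DNIC found in KNOWN_DNICS marks an
    international address (DNIC + NTN). With a hint (assumed parameter) the
    whole string is treated as a national NTN on that network, which avoids
    mis-reading a national number that happens to start with a known DNIC.
    Assumption: NTN length is 1..10 digits (X.121's 14-digit maximum minus
    the 4-digit DNIC).
    """
    digits = re.sub(r"[\s\-.]", "", address)
    if not digits.isdigit():
        raise ValueError(f"not a numeric X.25 address: {address!r}")
    dnic, network, ntn = None, network_hint, digits
    if network_hint is None and len(digits) > 4 and digits[:4] in KNOWN_DNICS:
        dnic, ntn = digits[:4], digits[4:]
        network = KNOWN_DNICS[dnic]
    if not 1 <= len(ntn) <= 10:
        raise ValueError(f"NTN length {len(ntn)} outside X.121 limits: {address!r}")
    nua = NUA(raw=address, dnic=dnic, network=network, ntn=ntn)
    layout = LAYOUTS.get(network or "")
    if layout is not None:
        m = layout.match(ntn)
        if m is None:
            raise ValueError(f"{ntn} does not fit the {network} layout")
        nua.area, nua.host = m["area"], m["host"]
        nua.subaddress = m.groupdict().get("sub")
    return nua


def inventory_by_network(addresses, network_hint=None):
    """Group addresses (e.g. copied from legacy router or PAD configs) by
    network so that forgotten X.25 reachability can be reviewed. Entries
    that do not parse are kept under 'invalid' rather than dropped."""
    groups = {}
    for addr in addresses:
        try:
            nua = parse_nua(addr, network_hint)
            groups.setdefault(nua.network or "unknown", []).append(nua)
        except ValueError:
            groups.setdefault("invalid", []).append(addr)
    return groups


if __name__ == "__main__":
    # Constructed sample addresses; they do not refer to real hosts.
    sample = ["3020 1234 5678", "4251-9876543", "6026000001",
              "12345678", "3020 12", "n/a"]
    for net, items in inventory_by_network(sample).items():
        print(net, [getattr(i, "ntn", i) for i in items])
```

Keeping unparseable entries under `invalid` instead of discarding them matters in an inventory review: a malformed address in a router configuration is exactly the kind of leftover that points at an interface nobody remembers.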
So, integrators have been pushing for a total deprecation of X.25 for a while, but vendors keep the love coming: in fact, it is supported in all versions of Cisco IOS!
Not just Cisco…
Rolled out in more recent Huawei devices! Let us ignore the possibility that Huawei basically did an svn checkout of the IOS source tree…
From the horse’s mouth:
“Telco databases are usually linked to SCPs by X.25 links.” – Cisco
“We accessed [an operator’s] systems through their x25 network which they never knew was running because the network vendor never disclosed it…” – Philippe Langlois, October 12 2012
I’m a masochist and did a (mostly) complete scan of DATAPAC in 2011-12. I’d rather not publicly discuss other networks.
Verdict: X.25 is still very busy, but I’ll be honest: lots of planned deprecations and migrations between 2000-2010.
We lost a few good X.25 networks...
SWIFT’s migration to IP-based SWIFTNet was allegedly complete in 2005... but I’ll bet you 1 BTC that there’s still something...
Besides, a great deal of EFT transactions are still done over X.25…
Canada’s Interac migration from X.25 will be done in 2015.
SITA is also deploying dual-layered solutions (X.25 and IP side by side; XOT), with no publicly declared deprecation date for X.25, but it is coming.
Still used for/in…
* Telco management (NMC, NE, billing)
* Telco operations – SMSCs/MMSCs
* Transport sector: global transport hubs – airlines – SITA
* Finance sector: a lot of PoS and EFT activity
* Finance sector: credit card processing centers (hacks already happened: not public, though)
* Stock exchanges (!)
* Government: regional and national
* Meteorological organizations
* Fortune 500 and heavy industry
* And yes, there are PLCs that speak X.25… SCADA & National Critical Infrastructure nightmares here as well
Verdict: a forgotten X.25 link drops you right in the middle of the very weird stuff!
[Slide not available in the public release of this talk: you should have attended AppSec 2012!!]
“The MTSO contains the switching equipment or Mobile Switching Center (MSC) for routing mobile phone calls. It also contains the equipment for controlling the cell sites that are connected to the MSC... All cellular systems have at least one MTSO which will contain at least one MSC. The MSC is responsible for switching calls to mobile units as well as to the local telephone system, recording billing data and processing data from the cell site controllers.”
[Slides 62-66 not available in the public release of this talk: you should have attended AppSec 2012!!]
Who is this guy and what’s he getting at? Where are the exploding power plants? Are cyberterrorists really going to start hacking X.25 networks?
Probably not, but think back on the two initial case studies:
* crippling of “dual use” logistical or communication networks in war time,
* traditional espionage in peace time.
We certainly live in interesting times... a world where I foresee more Ericsson AXE rootkits and more Stuxnet.
Just don’t drink the Kool-Aid!
Recommended Reading/Viewing
* Philippe Langlois & Emmanuel Gadaix – 6000 Ways And More: A 15 Year Perspective on Why Telcos Keep Getting Hacked – HITB KL 2012
* Johnathan Stuart – A brief introduction to telephone switching security and internals – ReCON 2010
* Dave Aitel – Amateur Hour on the Internet – Countermeasure 2012. Key quote: “Infrastructures don’t age well”
* Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking, by Raoul Chiesa, Stefania Ducci and Silvio Ciappi (CRC Press/Taylor & Francis Group)
* Telco manuals.
Everything is just about the frog… in the cloud.
Contacts:
* Ioan Landry: [email protected]
* Raoul Chiesa: [email protected]
The opinions hereby expressed are those of the Authors and do not necessarily represent the ideas and opinions of the United Nations, the UN agency “UNICRI”, ENISA, ENISA PSG, nor others.