[SecurityRatty] tag: cyberattacks

The DDoS Attack Against Bobbear.co.uk

Wed, 19 Nov 2008 05:35:01 +0000

When you get the "privilage" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated countersurveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

Expert to Obama: Time to Reboot Cyber Security

Tue, 18 Nov 2008 02:45:00 +0000

With everything from businesses to the military dependent on computer networks, the Obama White House needs a coherent strategy for coping with cyberattacks. The third installment of the Danger Room Debriefs series on security issues facing the new administration features John Arquilla, professor of defense strategies at the U.S. Naval Postgraduate School.

Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

Mon, 20 Oct 2008 05:58:59 +0000

The original real-time OSINT analysis of the Russian cyberattacks against Georgia conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also, once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it would scale faster and attract more participants. What the Russian government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist socienty's cyber militia to organize, is a "call for action" which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

The results from 56 days of Project Grey Goose in action got published last week, a project I discussed back in August, point out to the bottom of the food chain in the entire campaign - stopgeorgia.ru :

"Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"

So what's the bottom line? Nothing that I haven't already pointed out back in August : "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks" :

"But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

Some more comments :

"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

It wouldn't make sense if this was the first time Russian hacktivists are maintaining the same rhythm as real-life events - which of course isn't.

Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign, remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House speaking for their dependability on Russian ISPs.

As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research into their "negative public comments section". To sum up - the "DoS battle stations operational in the name of the "Please, input your cause" mentality is always going to be there.

Georgian cyberattacks suggest Russian involvement, say researchers

Fri, 17 Oct 2008 00:00:00 +0000

The hackers who launched cyberattacks against the one-time Soviet republic of Georgia in August probably had links to the Russian government, though evidence remains scarce, according to a report on the attacks.

Experts: Georgian cyberattacks suggest Russian involvement

Thu, 16 Oct 2008 20:00:00 +0000

The hackers who launched cyberattacks against the former Soviet republic of Georgia two months ago probably had links to the Russian government, even though no hard evidence has been uncovered of official involvement, a report by an all-volunteer group of experts said Friday.

DDoS Attack Graphs from Russia vs Georgia's Cyberattacks

Wed, 15 Oct 2008 11:01:58 +0000

Part of Georgia's information warfare campaign aiming to minimize the bandwidth impact on its de-facto media platforms such as the web site of their Ministry of Foreign Affairs, I've just received a report part of Georgia's "Russian Invasion of Georgia" series entitled "Russian Cyberwar on Georgia", which is quoting me on page 4 in regard to the "too good to be courtesy of Russia's cyber militia" creative that appeared on the defaced Georgian President's web site. The report also includes DDoS attack graphs and related details worth going through :

"The last large cyberattack took place on 27 August. After that, there have been no serious attacks on Georgian cyberspace. By that is meant that minor attacks are still continuing but these are indistinguishable from regular traffic and can certainly be attributed to regular civilians. On 27 August, at approximately 16:18 (GMT +3) a DDoS attack against the Georgian websites was launched. The main target was the Georgian Ministry of Foreign Affairs. The attacks peaked at approx 0,5 million network packets per second, and up to 200–250 Mbits per second in bandwidth (see attached graphs). The graphs represent a 5-minute average: actual peaks were higher.

The attacks mainly consisted of HTTP queries to the http://mfa.gov.ge website. These were requests for the main page script with randomly generated parameters. These requests were generated to overload the web server in a way where every single request would need significant CPU time. The initial wave of the attack disrupted services for some Georgian websites. The services became slow and unresponsive. This was due to the load on the servers by these requests. As you see from the graphs above the attacks started to wind down after most of the attackers were successfully blocked. The latest attack may have been initiated as a response to the media coverage on the Russian cyber attacks."

In case you're interested in more factual evidence about what was happening at the particular moment in time, go through the following assessment - "Coordinated Russia vs Georgia cyber attack in progress", as well as through the following posts - "The Russia vs Georgia Cyber Attack"; "Who's Behind the Georgia Cyber Attacks?"; "Georgia President’s web site under DDoS attack from Russian hackers".

Information Assurance Education: A Work In Progress

Wed, 08 Oct 2008 00:42:06 +0000

The recognition that we need improved computer security education has increased over the past several years. Recent cyberattacks in Georgia and Estonia exemplify the new threats faced by economies that rely on the Internet. Thus, more people see the need to protect cyberspace—which translates into improving computer security in all aspects of computer use—as crucial for everyone, not merely for those who work with technology. In this column, we reflect on emerging opportunities and challenges in instruction as well as the need for increasing the partnerships among industry, government, and academia to foster mutual understanding of challenges and joint participation in solutions.

Two Europeans charged in U.S. over DDoS attacks

Thu, 02 Oct 2008 20:00:00 +0000

Two European men have been indicted for allegedly orchestrating cyberattacks against two Web sites, a continuation of the first successful U.S. investigation ever into distributed denial-of-service attacks, according to the U.S. Department of Justice.

Many computer users lack basic security precautions, survey says

Thu, 02 Oct 2008 00:00:00 +0000

Although businesses and government agencies are getting better at cybersecurity, many U.S. computer users still fail to take basic precautions to protect against cyberattacks, a survey says.

Survey: Many computer users lack basic security precautions

Wed, 01 Oct 2008 20:00:00 +0000

Cybersecurity efforts in the U.S. government and many businesses are improving, but many individual computer users still don't take basic precautions against cyberattacks, cybersecurity experts said Thursday.