Tag Archives: DoS

Cyber Terrorism and the Election

Leon Panetta, Secretary of Defense, recently stated that the United States could be facing Pearl Harbor if it doesn’t revamp its security. This time the threat doesn’t come from physical fire fights with opponents overseas, instead it stems from the Internet. Panetta’s goal is to help pass the new Cyber Security bill, H.R. 3623 (“Cyber Intelligence Sharing and Protection Act”).

https://www.youtube.com/watch?v=QVzgPDXJisI

Summed up briefly, the new bill hopes to enable federal law enforcement with the ability to be able to access corporate computer systems in times of need. CISPA’s opposition claims that the resolution hurts individual privacy online. We’ll let you – the reader – decide on whether or not the pros outweigh the cons. To read the resolution in full please click here.

Many feel that Panetta’s comments are an over-exaggeration of a very real problem. As security expert Bruce Schneier stated on October 19th, “[t]here’s an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations. As long as cyber remains a prefix that scares, it’ll continue to be used as a bugaboo.” (Schneier on Security, 10/19/2012)

Similarly, I feel as Bruce Schneier does: although there’s a very real security threat (APTs), comparisons to Pearl Harbor or 9/11 serve only to incite fear. They aren’t based on any rational understanding of how actual computer networks work. That being said, I do believe industry control systems are at risk by forces from within as well as from without.

Over 2,000 lives were lost during the Japanese assault on Pearl Harbor. To compare a future cyber-assault to Pearl Harbor is a bit of a stretch. Despite the Secretary of Defense’s claims to the contrary, computer systems worldwide are NOT all integrated in a Terminator-style way. They may be in the distant future, but they aren’t now.

Can you DDoS systems on a network? Yes. The problem is that not all industry control systems are online or interconnected. And if they are, they must have something exploitable in order to be compromised. On top of that it is worth reminding readers that a DDoS isn’t “hacking into” anything, it is the flood of bogus traffic to an open and receptive server. Actually hacking “into” something requires systems-specific exploitation.

Panetta points to DDoS assaults such as the latest JP Morgan-Anonymous attack, but those attacks against a web server aren’t going to result in the inability for that bank to do business. E-commerce sites face greater risk from this form of attack.

Air traffic control and power grid monitoring systems are typically closed and separate from the internet. While these systems are sometimes networked on intranets or by secure other means, they aren’t actually accessible to us or an attacker. Panetta’s claims are lumping industry control systems in one big category when they should be understood on an individual basis (SCADA security is an excellent topic that well exceeds the scope of this post).

Do similar assaults pose a problem for corporate interests and cost companies revenue? Absolutely.

If the CISPA was designed to protect corporate interests alone, it would go a long way to easing the public’s opinions of the bill. The source of contention comes from CISPA giving the government power over corporate computers (in the mind’s of many citizens, anyway). Keep in mind companies like Google store your search queries in their database for a certain amount of time, identifying marks such as an IP address are removed eventually).

There probably are important systems that are connected to the Internet and need safeguarding. But to say the exploitation and disruption of such systems would cause an apocalyptic scenario is downright ludicrous. Such systems are the exception not the rule.

Proponents make mention of Stuxnet and yet rumors that Stuxnet was designed by a super power have been prevalent. Many point to the U.S. working in concert with the Israeli government to disrupt specific Siemens industrial equipment (after all, it clearly targets one ‘type’ of system). This is similar to one of the new incident Panetta mentions, a virus that targeted a very specific oil system. With Stuxnet, the rootkit is absolutely useless outside of the environment it was created to exploit: for more information see Operation Olympic Games.

You better believe the new CISPA bill is being pushed for political reasons. That doesn’t necessarily mean it’s bad either, it’s just unfortunate that the only time people “need protection” is during an election year. Positive future legislation will assist companies and stress importance of securing key infrastructure while, at the same time, ensuring that such systems aren’t accessible to the public.

Corporate espionage and enemy penetration from within a company’s own network is a very real danger but it’s beyond the scope of CISPA. Such issues are still not as prevalent as Secretary Panetta is making them out to be. Keep what Bruce Schneier says in mind when reading the news:

“But while scare stories are more movie-plot than actual threat, there are real risks. The government is continually poked and probed in cyberspace, from attackers ranging from kids playing politics to sophisticated national intelligence gathering operations. Hackers can do damage, although nothing like the cyber-terrorism rhetoric would lead you to believe.”

Schneier on Security, 10/19/2012

I’m not a politician and I don’t care how you vote. I only care about the facts. I don’t like when people are “scared” into action especially if they aren’t given all the facts. Cyber security and safety online is an issue which transcends political parties: stay informed is important and I urge everyone to read multiple news sources online for information.

Again, while cyber-threats are real, they’ve been portrayed in the news recently in a slightly over-dramatic way. With proper insight and understanding we can safeguard necessary systems without spreading unnecessary fear.

Sources

Video: BBC News. “Leon Panetta warns of cyber Pearl Harbour” (posted by BBC24News on YouTube), October 12, 2012.

Aitel, Dave. “The The Cybersecurity Act of 2012: Are We Smarter Than a Fifth Grader?.” Huffington Post, August 3, 2012.

Schneier, Bruce. “Stoking Cyber Fears.” Schneier on Security blog. October 19, 2012. Note: As always, Schneier has links to multiple sites/essays of interest concerning this matter.

H.R. 3523: Cyber Intelligence Sharing and Protection Act (CISPA)

Related Neuralhub Posts

LOIC DDoS & The Nature of Anonymous Attacks“, October 2, 2012.

Link – In the News: Chinese Attackers Hit White House“, October 2, 2012.

National Cybersecurity Awareness Month” @ Neuralhub, October 2, 2012.

Edit: A friend asked me for clarification a while after I wrote this. He asked if I was suggesting that Advanced Persistent Threats do not exist. I positively do not believe that. I was disagreeing with likening cyber attacks to Pearl Harbor (even as a metaphor for something extremely tragic). As technologies advance so too will the risks: this assessment can change with time. Advanced threats pose a very real problem to industry and national security and I personally agree with efforts to combat them.

LOIC DDoS & The Nature of Anonymous Attacks

One of the most impressive and dangerous Denial of Service tools is named, jokingly, as Low Orbit Ion Cannon (LOIC). The tool has gained public notice after being repeatedly used in successful attacks against high value web servers such as those belonging to the Church of Scientology during Project Chanology, the Recording Industry Association of America (RIAA), groups opposing MegaUpload and WikiLeaks as the mega-group’s enemies.

While I won’t get into the ideological arguments expressed by either Anonymous or their opposition, I’d like to take a moment to explain LOIC and provide some interesting links to sites containing more information.

As I always state:  I’m merely an individual interested in security for the sake of learning, if you have a vested interest in any of the ideologies either for or against the attacks check the links below for protections or ways to get more involved in the LOIC project.

Background

LOIC, originally written in C# by Praetox Technologies, has been since coded into an independent JavaScript program known as JS LOIC (hosted by HiveMind, linked below). As such there’s even a web version of the DoS tool!

When the project was first released I managed a DDoS (Distributed Denial of Service) attack against my own test box using a 5 PC networked LOIC attack triggered using UltraVNC (akin to a botnet), it worked extremely well. The method could even be used to trigger remotely using an iPad or any device running the appropriate RAS software. If a given server or network is susceptible to LOIC attacks, a DDoS against that server or network can be extremely potent.

Details and Protection

LOIC works by flooding a specified target server with TCP or UDP packets. The attack relies on the principles inherent to most forms of DoS attacks. As such it’s surprisingly easy to protect against. Many servers should have been well-protected against DoS attacks to begin but, as we know from real world IT, what’s best isn’t always what’s done.

Firewall rule-sets can be enacted which filter out the over abundance of packets coming from any one IP address long before something like this becomes a problem. To my knowledge ISPs on a larger scale can protect against DoS traffic by filtering out the appropriate UDP and ICMP packets before they reach their intended targets.

It should be common knowledge for server administrators to contact their ISPs to ensure measures are in place to protect them at that level. Then appropriate measures should be taken to draft appropriate network firewall rules.

But many of the attacks are difficult to trace…

The Nature of Anonymous Attacks

ARP Poisoning, as previously mentioned on fork(), can be used to make attacks appear to be launched from within your own network (or attacks against your network can be made by attackers who gain special accessing by spoofing their way into your network). Such attacks can be used to incite various man-in-the-middle (MITM) attacks and/or DoS/DDoS attacks. For more examples see this blog’s article on session hijacking.

A good intrusion detection system monitoring ARP tables can alert the network administrator of changes or additions and thus possibly thwarting spoofed MITM attacks before they occur. The article by Busschers cited below discusses spoofed/reflected attacks and how they can be conducted.

Sources

My blog isn’t funded by any corporations or governments and as such I’m fully willing to give all sides to an argument. So, I’ve constructed a list of  sources I used when writing this post as well as some sites that may interest those wanting to learn more:

If you’d like to contribute to the C# original LOIC project please check out the LOIC project page here: https://github.com/NewEraCracker/LOIC/

Additionally you can check the more frequently updated SourceForge page for JS LOIC designed by HiveMind: http://sourceforge.net/projects/loic/

The HiveMind web version is located here: https://code.google.com/p/lowc/

Server Fault (Stack Exchange) Topic in regards to preventing LOIC DDoS posed by a user in 2010: http://serverfault.com/questions/211135/how-to-prevent-a-loic-ddos-attack

“4 Best Practices for Mitigating DDoS Effects,” by ES Enterprise Systems, February 6, 2012. Article discusses DDoS damage mitigation here: http://esj.com/articles/2012/02/06/best-practices-mitigating-ddos.aspx

“Effectiveness of Defense Methods Against DDoS Attacks by Anonymous,” Busschers, Rik. University of Twente, NL. This is a great article detailing the Anonymous Chanology & Operation Payback attacks, those recent attacks against PayPal, MasterCard and more. Check it out here: http://referaat.cs.utwente.nl/TSConIT/download.php?id=1085 (It’s also an excellent article for learning more about the type of attacks used and how such things as SYN packet flooding work. If the article ever goes off-line I’ll re-upload it.)

Another great source detailing spoofed DDoS attacks: http://www.skullbox.net/spoofeddos.php

ARP Poisoning/Spoofing in detail can be further explored here: http://www.irongeek.com/i.php?page=security/arpspoof

Network Research Group (NRG)’s ARP Watch can be found here: http://www-nrg.ee.lbl.gov/