This presentation will analyze Information Warfare scenarios and their technical and legal backgrounds, highlighting the importance of terminology and bringing real-life examples and known incidents to the audience. The last part of the talk will focus on two theoretical case studies and on one very special theoretical case study.
ASFWS 2012 - Cybercrime to Information Warfare & “Cyberwar”: a hacker’s perspective, by Raoul Chiesa and Ioan Landry
1. Raoul “Nobody” Chiesa
Founder, President, The Security Brokers
Ioan Landry
Information Operations Manager
Design & Concept: Jart Armin , Raoul Chiesa, Ioan Landry
2. * Disclaimer
* The Authors
* Introduction, Reasons for this talk
* Bye bye, Wargames…
* Evolution of Cyber Attacks
* Information Warfare
* Shared points between Cybercrime & InfoWar
* Countries at stake
* New concepts for a new era
* Digital Weapons comparison
* The real scenarios
* Case studies
* Contacts, Q&A
3. *
● The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known local laws.
● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.
● Quoted trademarks belong to their registered owners.
● The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group).
● Contents of this presentation may be quoted or reproduced, provided that the source of information is acknowledged.
● Ehm…the agenda is quite long - We’ll do our best to fit the timing!!
7. *
* In 1983, the movie “Wargames” came out.
* At least 2 generations of teenagers began “playing hacking” because of this movie.
* In the script, the lead character was nearly able to launch a “global thermonuclear war”.
* All of us used to laugh at that movie…
* Nevertheless, the IT attacks launched in the last 25 years still mainly rely on the hacking techniques shown in the movie.
* It’s just history, played in “repeat mode”.
8. Hacking with friends
Wardialling PSTN & Toll-Free / Port Scanning / X.25 scanning
…Getting access.
10. Learn more reading the book!
and/or, watch this:
http://www.youtube.com/watch?v=EcKxaq1FTac
….and this, from TED:
http://www.youtube.com/watch?v=Gj8IA6xOpSk
(Cliffy, we just LOVE you, all of us! :)
12. *
* Speaking with a lot of friends, it looks like the “.mil” world has developed a deep interest towards these topics…
2001/2002: First interest shown from the USA (after 9/11), focused on hackers’ resources in order to attack and/or infiltrate Al Qaeda;
2003-2005: observed a huge escalation of USA and Israel Secret Services, asking for 0-days, seeking information resources among elite hackers, asking for Iran & Pakistan hacking;
2005: China’s attacks on the USA go public, escalating during 2007-2010 (UK, Germany, France, Italy);
2008/2010: USA & Canada leading (since the last 2/3 years) an increasing attention to National Critical Infrastructures, followed by UK, EU, Israel, India, Australia;
2010: Italian Committee for the National Security of the Republic audited me (March/May);
2009/2012: NATO Cyber Coalition running CyberDefense 2010 (+CyberShot 2009/2010) along with C4 Command (Rome);
TODAY - Intelligence Agencies hiring “leet hackers” in order to:
Buy/develop 0-days;
Launch attacks on terrorists and/or suspected ones;
Protect National Security;
Inform & train Local Governments.
* Thus, hackers are becoming a kind of “e-ambassadors” or “e-strategy consultants” towards .mil and .gov environments, or “e-mercenaries” training “e-soldiers”…
13. *
* Just like along the years you’ve got used to words such as:
* “Paranoia” (that’s in your DNA, hopefully!)
* “Information Security” (198x)
* “Firewall”, “DMZ” (1994/5)
* “Pentesting” (1996/7)
* “xIDS” (2001-2003)
* “Web Application Security” (2006-2009)
* “SCADA&NCIs” (2008-201x)
* “PCI-DSS” (2009-201x)
* Botnets (2008-2010)
* “APTs” (2011-201x)
* etc…
* …in the next (five to ten) years, you will hear non-stop talks about:
* NGC – Next Generation Cybercrime
* CyberWar
* Information Warfare
* NGW – Next Generation Warfare
14. *
First generation (70’s) was inspired by the need for knowledge.
Second generation (1980-1984) was driven by curiosity plus a hunger for knowledge: the only way to learn OSs was to hack them; later (1985-1990) hacking became a trend.
The third one (90’s) was simply pushed by the hunger for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, exchanging info with the underground community. Here we saw new concepts coming, such as hackers’ e-zines (Phrack, 2600 Magazine) along with BBSs.
Fourth generation (2000-today) is driven by anger and money (€, $): often we can see subjects with a very low know-how, thinking that being hackers is “cool & bragging”, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets with politics (cyber-hacktivism) or with the criminal world (cybercrime).
16. *
“2011 Cybercrime financial turnover apparently scored up more than Drugs dealing, Human Trafficking and Weapons Trafficking” - Various sources (UN, USDOJ, INTERPOL, 2011)
Financial Turnover, estimation: 6-12 BLN USD$/year - Source: Group IB Report 2011, http://group-ib.com/images/media/Group-IB_Report_2011_ENG.pdf
«Cybercrime turnovers ranks as one of the top four economic crimes» - Source: PriceWaterhouseCoopers LLC Global Economic Crime Survey 2011
20. *
* No more “Wargames”
* (even if Wargames 2010 came out, and Bruce Willis got the support of a “hacker” in the latest Die Hard): the “romantic hackers” are gone, forever
* Then Stuxnet appeared (then DuQu, Flame, Gauss, etc…) (May-June 2010).
* …and everything changed.
* WHY??
* An unexpected attack.
* An unexpected target (SCADA, Nuclear Plant).
* The very first time something like this was happening.
21. *
* Very simply, we are speaking about so-called Warfare, applied to cyberspace.
* Defending information and communication networks, acting as a deterrent towards “information attacks”, while not allowing the enemy to do the same.
* So we are speaking about “Offensive Information Operations”, built against an adversary, until being able to dominate the information domain in a war context.
22. *
* It is an extremely new and dynamic war scenario, where the metrics and views used before it are now really obsolete.
* Typically, these operations are decentralized as well as anonymous.
* The “entry fee” cost is extremely low, while it supplies huge power.
* …and after all, there’s always the possibility of denying what has happened..
* Think about Estonia, Georgia, Stuxnet, the Arab Spring, North Africa, Libya, Syria, Iran… what will be next??
23. *
* PC Zombies (botnets) -> they take advantage of the “standard user”, both in a Corporate or home (broadband, SOHO) scenario.
* “0-days”: until today, all of them were on MS Windows + ad-hoc exploiting.
* (attacker’s perspective) Nothing changes that much. There are more chances to hack 1,000,000 broadband users than 10,000 PCs on a company’s network.
* It’s still the digital weapon they need in order to launch attacks (DDoS, Keyloggers, 0-Days, etc).
24. *
OUT -> IN
Single operational pic -> Situational awareness
Autonomous ops -> Self-synchronizing ops
Broadcast information push -> Information pull
Individual -> Collaboration
Stovepipes -> Communities of Interest
Task, process, exploit, disseminate -> Task, post, process, use
Multiple data calls, duplication -> Only handle information once
Private data -> Shared data
Perimeter, one-time security -> Persistent, continuous IA
Bandwidth limitations -> Bandwidth on demand
Circuit-based transport -> IP-based transport
Single points of failure -> Diverse routing
Separate infrastructures -> Enterprise services
Customized, platform-centric IT -> COTS based, net-centric capabilities
Scouting elite hacker parties?
25. *
● USA “Low Risk”
● UK, Canada, France, Germany, Switzerland, Italy
● Brazil
● Israel, Palestinian National Authority “Average Risk”
● Zimbabwe
● Middle East: “friendly” countries (UAE, Saudi Arabia…)
● North Africa / Africa generally speaking (WW Soccer Games 2010)
● China
● India
● Pakistan
● North Korea (DPRK)
● South Korea “High Risk”
● Iran
● Kyrgyzstan
● Myanmar
● Russia, Estonia, Georgia
● Rwanda
27. * Nations with Cyber Warfare (Offensive) Capabilities - Survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN.
Columns: Cyber warfare Doctrine/Strategy | CW training/Trained Units | CW exercises/simulations | Collaboration w/ IT Industry and/or Technical Universities | Not official Sources
(Numbers in brackets are the survey’s source references; the X marks are listed in row order, as the column each mark belongs to is not recoverable from this transcript.)
Australia: X X
Belarus: X X
China [21]: X X X X
North Korea [21]: X X
France [21, 29]: X X X X
India [21, 31]: X X X X (33)
Iran [21]: X X (34, 35)
Israel [21]: X X X X
Pakistan [21]: X (36)
Russia [21]: X X X (37, 38)
USA [21, 30, 39, 40, 41]: X X X
28. * Nations with Cyber Warfare (Defense) Capabilities - Survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN.
Columns: Cyber warfare Doctrine/Strategy | CW training/Trained Units | CW exercises/simulations | Collaboration w/ IT Industry and/or Technical Universities
(Numbers in brackets are the survey’s source references; the X marks are listed in row order, as the column each mark belongs to is not recoverable from this transcript.)
Albania [21, 30]: X X X
Argentina [21]: X X
Austria [21, 24]: X X X
Brazil [21]: X X X
Bulgaria [21]: X X
Canada [5, 30]: X
Cyprus [21, 42]: X X X X
South Korea [21]: X
Denmark [21, 30]: X X
Estonia [21, 30]: X X X
Philippines [21]: X X X
Finland [12]: X X
Ghana [21]: X
Germany [21, 30]: X X X
Japan [21]: X
Jordan [21]: X X
29. * Nations with Cyber Warfare (Defense) Capabilities - Survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN (continued).
Italy [21, 30]: X X X
Kenya [21]: X
Latvia [21]: X X X
Lithuania [21]: X X
Malaysia [21]: X X
New Zealand [21]: X X
Norway [21, 30]: X X
Netherlands [21, 8, 43]: X X X
Poland [21, 30]: X X
Czech Republic [21, 8]: X X X
Slovak Republic [21, 8]: X X
Spain [8]: X
Sweden [21, 42]: X
Switzerland [21, 42]: X X
Turkey [21, 29]: X X X
Hungary [21]: X X X X
United Kingdom [21, 8]: X X X
30. *
* “North Korea will soon attack many countries using IT attacks, since they have the best hackers of the whole world.”
* Uh?!? Seriously??
* That’s weird, when speaking about a country which is totally isolated from the Internet, where its “cellular network” recalls more a DECT infrastructure…(no BTSs outside Pyongyang).
* See Mike Kemp’s slides from CONFidence 2010 @ Krakow.
32. "In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."
Former Duma speaker Nikolai Kuryanovich, 2007
34. *
• „dummy list“ of „ID-10T“ for phishing
• equipment to mimic target network
• background info on organisation (orgchart etc.)
• dummy run on similar network
• Primer for sector-specific social-engineering
• sandbox zerodays
• proxy servers
• banking arrangements
• purchase attack-kits
• rent botnets
• find (trade!) good C&C server
• purchase 0-days / certificates
• purchase skill-set
• bespoke payload / search terms
• Purchase L2/L3 system data
Source: Alexander Klimburg 2012
35. *
* Botnet & drone armies
* DDoS
* Trojans & Worms
* Malware
* Server hacking
* Encryption
* Extortion & Ransom
* Man in the Middle
36. *
Actors:
* Russia
* USA
* France
* Israel
* UK
* China
* India
* Pakistan
* Ukraine
* Malware Factories
Aspects:
* Cyber crime tools
* Communications Intelligence
* National knowhow defence
* Transition from Industrial tools
* Hired Cyber mercenaries
* Industrial espionage
* Counter cyber attacks
* Cyber army
* Botnet armies
* Contract developers (x 4 worldwide)
37. * UN Member States = 197
* Vulnerable? 197 !!!!
* Hacking
* DDoS
* Botnets
* Defacement
* Web site Hijacking & Redirection
* DNS & BGP hijacking
* BlackEnergy
* Darkness
* Stuxnet
* DuQu?
40. *
Multiple targets, loud and noisy:
* Massive DDoS
* Loss of digital communication
* Loss of confidence in communications
* Create confusion
Laser Guided, precision, and stealth:
* Compromise infrastructure
* Industrial Sabotage
* Cloning of state systems
* Create confusion
41. *
* 30 bots overwhelm an average web site
* 1,000 bots - large web site
* 5,000 bots - even when using anti-DDoS, blocks, and other preventive measures
* 15,000 bots can theoretically bring down vkontakte.ru (Russian Facebook)
* Example: the Conficker worm reached 10.5 million bots
46. In March 2012, the U.S.-China Economic and Security Review Commission tasked Northrop Grumman with writing up a “feasibility study” of Chinese information operations in peace and wartime.
The paper weighs in at 137 pages and I highly recommend reading it.
At some point the paper goes into a “CNO Targeting Case Study”, with Chinese actors specifically targeting a small but crucial component, the U.S. Transportation Command (USTRANSCOM).
“The mission of USTRANSCOM is to provide air, land and sea transportation for the Department of Defense, both in time of peace and time of war”.
More pertinently: it is responsible for air refueling missions, of critical importance given U.S. reliance on air power in projecting influence across the globe (and in this scenario, chiefly in Asia-Pacific, i.e. Taiwan).
USTRANSCOM, like many agencies, relies on a number of civilian contractors to supplement its own men and women in uniform.
More people spread among multiple organizations with access to critical web applications and databases = an exponential increase in the attack surface.
47. I’m sure you all see where this is going…
Napoleon’s famous maxim, “an army marches on its stomach”.
A complete paralysis of the Armed Forces’ supply chain is perhaps
the second worst-case scenario, after the crippling of
communications/C3 capabilities.
(I can probably talk more about supply chain problems in a non-mil
environment, like backdoored routers ending up in a .gov or telco
datacenter)
48. In August 2004, a backdoor was placed in a crucial junction of Greece's telecommunication backbone, namely four Ericsson AXE switches in Athens. The backdoor provided unknown perpetrators with full voice and SMS traffic of over 100 targeted mobile phones belonging to:
- Prime Minister Kostas Karamanlis and members of his family,
- the Mayor of Athens, Dora Bakoyannis,
- most phones of the top officers at the Ministry of Defense,
- the Ministry of Foreign Affairs,
- the Ministry for Public Order,
- members of the ruling party, and ranking members of the opposition (PASOK),
- the Hellenic Navy General Staff,
- the previous Minister of Defense,
- others such as a Greek-American based in the American embassy and many Arab businessmen.
49. Who did it? Who ordered it?
Hard-to-find and niche skills
Budget, perceived ROI, HUMINT assets…
More importantly, what would I do?
No cyber pearl harbour, no exploding power grids…
Let us visit the soft underbelly of telecommunications…
50. Connection-oriented WAN technology.
Protocol suite defined in 1976 in your backyard.
Private entities and nations ran their own X.25 networks until the 'net swept them all away…
Well, almost...
Largely forgotten today. That’s a good thing.
Today’s Snapple facts:
Speeds of 56 Kbps to 2.048 Mbps…
“Utility model” – vendor/operator maintained infrastructure and data routing; user/client billed only for traffic used.
Different networks have different topologies and capabilities, known as facilities, e.g.: reverse charging, closed user groups, sub-addressing and mnemonics, hunt groups, etc…
51. “C’mon, first and last I heard of X.25 was in CVE-2011-2910…”
X.25 isn’t just for ham radio nerds, though…
It is a whole “new” world, often deployed in parallel to the one you interact
with… whether you know it or not.
A whole world without IDS, without WAF…
52. X.25 gives you the opportunity to visit exotic lands, meet interesting systems…
… and then root them.
… and so much more!
Once you’ve dropped shell on a mainframe, you can’t go back…
53. The topology at its simplest:
DTE - Data Terminal Equipment - think: end-user equipment
DCE - Data Circuit Terminating Equipment - think: modems, switches, gateways
PSE - Packet Switching Exchange - think: backbone
Source: Cisco Documentation Wiki, retrieved 03/11/12
54. Once you hop onto an X.25 network, legitimately or otherwise, you’re assigned an NUA (Network User Address).
Think of this as something between an IP address and a phone number.
Their make-up is at the discretion of the network operator…
Example: BT PSS (UK) “employed a numbering system using a 3-digit area code (which conformed with the area code of the telephone network) plus a 5-digit subscriber number, and another 2 digits were available for the sub-address.”
Example: DATAPAC (Canada) NUAs are 8 digits long, the first four referring to the province and city while the following 4 specify the actual host.
Instead of “country codes” we have DNICs, which are managed by the ITU in Geneva.
3020 is DATAPAC, 4251 is ISRANET, 6026 is EGYPTNET, etc…
Note: Yes, there are still a lot of active X.25 networks…
55. So, integrators have been pushing for a total deprecation of X.25
for a while but vendors keep the love coming:
In fact, it is supported in all versions of Cisco IOS!
56. Not just Cisco…
Rolled out in more recent Huawei devices!
Let us ignore the possibility that Huawei basically did a svn checkout on the IOS source
tree…
57. From the horse’s mouth:
“Telco databases are usually linked to SCPs by X.25 links.” – Cisco
“We accessed [an operator’s] systems through their x25 network which they never knew was running because the network vendor never disclosed it…” – Philippe Langlois, October 12 2012
58. I’m a masochist and did a (mostly) complete scan of DATAPAC in 2011-12.
I’d rather not publicly discuss other networks.
Verdict: X.25 is still very busy, but I'll be honest - lots of planned deprecation and migrations between 2000-2010.
We lost a few good X.25 networks...
SWIFT migration to IP-based SWIFTNET allegedly complete in 2005...
But I'll bet you 1 BTC that there's still something...
Besides, a great deal of EFT transactions are still done over X.25…
Canada's Interac migration from X.25 will be done in 2015.
SITA is also deploying dual-layered solutions (X.25 and IP side by side; XOT), with no publicly-declared deprecation date for X.25, but it is coming.
59. Still used for/in…
Telco management (NMC, NE, billing)
Telco operations - SMSCs/MMSCs
Transport sector: global transport hubs – airlines – SITA
Finance sector: a lot of PoS and EFT activity
Finance sector: Credit Card Processing Centers (hacks already happened: not public, though)
Stock Exchanges (!)
Government: regional and national
Meteorological organizations
Fortune 500 and heavy industry
And yes, there are PLCs that speak X.25… SCADA & National Critical Infrastructure nightmares here as well
Verdict: a forgotten X.25 link drops you right in the middle of the very weird stuff!
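The defensive counterpart to the “forgotten X.25 link” point, and to the NUA/DNIC structure described on slide 54, is simply knowing where such links still exist. As an added example (not from the talk or its authors), the Python below inventories X.25-encapsulated interfaces and XOT routes in an IOS-style router config and decodes their X.121 addresses using the DNIC values the slides cite; the config fragment and the DATAPAC area/host split are constructed for illustration.

```python
import re

# DNIC -> network name, taken from the values the slides cite (3020 DATAPAC,
# 4251 ISRANET, 6026 EGYPTNET); any other prefix is reported as unknown.
DNIC_NAMES = {
    "3020": "DATAPAC (Canada)",
    "4251": "ISRANET (Israel)",
    "6026": "EGYPTNET (Egypt)",
}

# Constructed IOS-style config fragment (not from any real device), written only
# to exercise the commands this inventory looks for.
SAMPLE_CONFIG = """\
!
x25 routing
!
interface Serial0/1
 description legacy billing link
 encapsulation x25 dte
 x25 address 302001230045
!
interface Serial0/2
 description branch office
 encapsulation frame-relay
!
interface Serial1/0
 encapsulation x25 dce
 x25 address 425100123456
!
x25 route ^3020 xot 10.0.0.9
!
"""


def split_x121(addr):
    """Split an X.121 address into its 4-digit DNIC and the network terminal number.
    For DATAPAC the slides describe an 8-digit NUA: 4 digits province/city + 4 digits host."""
    dnic, ntn = addr[:4], addr[4:]
    info = {"dnic": dnic, "network": DNIC_NAMES.get(dnic, "unknown DNIC"), "ntn": ntn}
    if dnic == "3020" and len(ntn) == 8:
        info["area"], info["host"] = ntn[:4], ntn[4:]
    return info


def inventory_x25(config):
    """Return (x25_interfaces, xot_routes) found in an IOS-style config text."""
    interfaces, xot_routes, current = [], [], None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = {"name": m.group(1), "encap": None, "address": None}
            interfaces.append(current)
            continue
        line = raw.strip()
        if line == "!":
            current = None  # section separator: back to global config
        elif current and line.startswith("encapsulation "):
            current["encap"] = line.split(None, 1)[1]
        elif current and line.startswith("x25 address "):
            current["address"] = split_x121(line.split()[2])
        elif line.startswith("x25 route ") and " xot " in line:
            parts = line.split()
            xot_routes.append({"pattern": parts[2], "peer": parts[parts.index("xot") + 1]})
    x25_ifaces = [i for i in interfaces if i["encap"] and i["encap"].startswith("x25")]
    return x25_ifaces, xot_routes


if __name__ == "__main__":
    ifaces, routes = inventory_x25(SAMPLE_CONFIG)
    for i in ifaces:
        print(i["name"], i["encap"], i["address"])
    for r in routes:
        print("XOT route", r["pattern"], "->", r["peer"])
```

Run it over real configs to list every serial interface still carrying X.25 and every XOT tunnel that bridges it onto the IP network, which is the inventory an operator needs before deciding what to decommission or monitor.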
60. SLIDE NOT AVAILABLE IN THE PUBLIC RELEASE OF THIS TALK: YOU SHOULD HAVE ATTENDED APP SEC 2012!!
61. "The MTSO contains the switching equipment or Mobile Switching Center (MSC) for routing mobile phone calls. It also contains the equipment for controlling the cell sites that are connected to the MSC... All cellular systems have at least one MTSO which will contain at least one MSC. The MSC is responsible for switching calls to mobile units as well as to the local telephone system, recording billing data and processing data from the cell site controllers."
67. Who is this guy and what’s he getting at? Where are the exploding power plants? Are cyberterrorists really gonna start hacking X.25 networks?
Probably not, but think back on the two initial case studies:
Crippling of “dual use” logistical or communication networks in war time,
Traditional espionage in peace time.
We certainly live in interesting times... A world where I foresee more Ericsson AXE rootkits and more Stuxnet.
Just don’t drink the Kool-Aid!
68. Recommended Reading/Viewing
Philippe Langlois & Emmanuel Gadaix – 6000 Ways And More - A 15 Year Perspective on Why Telcos Keep Getting Hacked - HITB KL 2012
Johnathan Stuart – A brief introduction to telephone switching security and internals – ReCON 2010
Dave Aitel – Amateur Hour on the Internet – Countermeasure 2012. Key quote: “Infrastructures don’t age well”
Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking, by Raoul Chiesa, Stefania Ducci and Silvio Ciappi (CRC Press/Taylor&Francis Group)
Telco manuals.
70. *
* Ioan Landry: io@chargen.ca
* Raoul Chiesa: rc@security-brokers.com
The opinions hereby expressed are those of the Authors and do not necessarily represent the ideas and opinions of the United Nations, the UN agency “UNICRI”, ENISA, ENISA PSG, nor others.