Wednesday, March 31, 2010

Chechen rebel leader claims responsibility for attacks

As we discussed in class, terrorist groups often use the Internet to distribute propaganda. A favorite type of propaganda for many of these groups is the video claiming responsibility for an attack.

As you all know, Russia has fallen victim to a series of suicide bombings this week, and according to the Washington Post "Doku Umarov, leader of a separatist insurgency in the North Caucasus, which seeks to establish a fundamentalist Caucasus Emirate in the region, claimed responsibility for the Moscow attacks in a video posted on the Web site. He said they were retaliation for a Russian attack on civilians in a village last month. He said the retribution would continue."

For those interested, the specific page on can be found here. Additionally, the video of Doku Umarov can be found here on YouTube.


Google announced last week that it was moving its search operations from mainland China to Hong Kong. Users in China would now be redirected to its uncensored search engine at You can read more about Google's decision to shut down its censored search service here and here.

Google also launched a new service that allows users to monitor its availability in Mainland China. This new service can be accessed here.

It's interesting to me that the PRC government has yet to block access to the uncensored Google served from but has blocked Google's more interactive services that allow one-to-many communication, such as Google Sites, YouTube, and Blogger. Only time will tell whether China will extend its Great Firewall to fully block all of Google's services.

Tuesday, March 30, 2010

How I’d Hack Your Weak Passwords

CEO of web company iFusion Labs and blogger John Pozadzides provides an entertaining read about password security on ...
If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let's see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I'll probably get into all of them.
  1. Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. "password"
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner's or your child's.
  7. "god"
  8. "letmein"
  9. "money"
  10. "love"
Statistically speaking that should probably cover about 20% of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do…
The rest of the article provides an in-depth explanation of the various tools and techniques hackers use to steal user passwords and, more importantly, Mr. Pozadzides' recommendations on how you can improve your password security. Read the rest of the article here.
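A defender's counterpart to that top-10 list, as an added example that is not from Pozadzides' article: a registration-time check that reports which of his ten guesses would have hit a candidate password. The profile fields (names, ssn_last4, places, birthdays) are an assumed schema, and item 1 is generalised to any one or two trailing digits rather than only 0 or 1.

```python
import re
from datetime import date

# Items 4 and 7-10 of the list: dictionary words used whole as a password.
COMMON_WORDS = {"password": 4, "god": 7, "letmein": 8, "money": 9, "love": 10}


def _date_forms(iso_day):
    """Digit spellings of a date: MMDDYYYY, MMDDYY, DDMMYYYY, YYYYMMDD, MDYY."""
    d = date.fromisoformat(iso_day)
    y, m, dd = d.year, d.month, d.day
    return {
        f"{m:02d}{dd:02d}{y}", f"{m:02d}{dd:02d}{y % 100:02d}",
        f"{dd:02d}{m:02d}{y}", f"{dd:02d}{m:02d}{y % 100:02d}",
        f"{y}{m:02d}{dd:02d}", f"{m}{dd}{y}", f"{m}{dd}{y % 100:02d}",
    }


def weak_password_reasons(password, profile):
    """Return the numbers of the top-10 guesses that would hit `password`.

    `profile` (hypothetical schema) holds what a guesser could learn about
    the user: names (partner/child/pet), ssn_last4, places (city, college,
    team), birthdays (ISO date strings). An empty list only means none of
    the ten guesses hit; the password may still be weak for other reasons.
    """
    pw = password.lower().strip()
    reasons = []
    # 1. A known name, optionally followed by one or two digits.
    m = re.fullmatch(r"([a-z]+)\d{0,2}", pw)
    if m and m.group(1) in {n.lower() for n in profile.get("names", ())}:
        reasons.append(1)
    # 2. Last four digits of the social security number.
    if profile.get("ssn_last4") and pw == profile["ssn_last4"]:
        reasons.append(2)
    # 3. "123", "1234", "123456": any ascending digit run starting at 1.
    if 3 <= len(pw) <= 9 and pw == "123456789"[: len(pw)]:
        reasons.append(3)
    # 4, 7-10. The bare dictionary words from the list.
    if pw in COMMON_WORDS:
        reasons.append(COMMON_WORDS[pw])
    # 5. City, college or football team name.
    if pw in {p.lower() for p in profile.get("places", ())}:
        reasons.append(5)
    # 6. A date of birth written as digits.
    if any(pw in _date_forms(b) for b in profile.get("birthdays", ())):
        reasons.append(6)
    return sorted(reasons)
```

Rejecting any password for which the list is non-empty removes the guesses the article says cover roughly a fifth of users; it is a floor, not a full strength policy.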

Sunday, March 28, 2010

Mafia Fail

From ABC News ...

One of Italy's 100 most-wanted criminals, a vicious mafia boss who had been on the run for months, was betrayed by his passion for social networking and flushed out thanks to Facebook.

Using the name "Scarface" from the gangster movie starring Al Pacino, Pasquale Manfredi, 33, a boss of the ferocious 'Ndrangheta mafia organization from the Calabria region in southern Italy, had logged on to his Facebook account so often that police were able to trace the signal from his Internet key and find his hideout.

If only all criminals were this stupid.

Because that's where the money is

Brian Krebs checks in with an excellent post comparing cyber crime to traditional crime. Krebs writes,
Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.
As we've discussed and Krebs points out,
Small wonder that the haul from cyber bank robberies has overtaken that of physical heists: Cyber thieves take far fewer risks to life, liberty and limb than do real-life bank robbers. In that same three month period last year, the FBI says bank robberies at bricks-and-mortar institutions caused five deaths — all of them perpetrators of the crime.

What’s more, the perpetrators of these incessant attacks against small businesses banking online for the most part reside in countries that are traditionally beyond the reach and influence of U.S. law enforcement. Sure, bank robbers occasionally kill people (more often themselves) while they’re stealing your money, instead of silently lifting it out of your bank account from afar like cyber thieves. That alone makes them a more emotional high-value target for the feds. But let’s face it: Traditional stick-up artists are a lot easier to collar. For one thing, by necessity they are all here in the United States.

In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.

I can’t help but notice one other important distinction between these two types of bank crimes: The federal government sure publishes a lot more information about physical bank robberies that it makes available about online stick-ups.

There are Bad Neighborhoods Online Too

From the good netizens at the Zeus Tracker ...
I always check the ZeuS Tracker statistics to get some information about the trend of the active ZeuS Command&Control servers. This morning I was really surprised what I saw on the ZeuS Tracker statistic page:
As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: There has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C servers is fact. I noticed that six of the worst ZeuS hosting ISPs suddenly disappeared from the ZeuS Tracker.

I verified the subnets of the affected ISPs and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. As a result, the following ISPs lost their internet connectivity, which finally resulted in a massive drop in the number of active ZeuS C&C servers.
In the physical world we're attuned to sense danger. We can all instinctively recognize a bad neighborhood. When we see dilapidated buildings, broken street lights, liquor stores on every block, prostitutes working street corners, and a lack of police presence, we all understand that we are not in a safe neighborhood.

However, we have not yet developed the same sensory perception for our digital lives online. The Internet is made up of a series of neighborhoods known as autonomous systems (AS). Internet Service Providers "rent" space from these autonomous systems and provide hosting services for customers. Some criminal or indifferent hosting providers will work with like-minded autonomous systems to serve criminals and terrorists. These bad service providers foster bad neighborhoods online that enable a good deal of the malicious activity we see today.

Internet making it easier to become a terrorist

From the LA Times ...
The abrupt transformation of Colleen R. LaRose from bored middle-aged matron to "JihadJane," her Internet alias, was unique in many ways, but a common thread ties the alleged Islamic militant to other recent cases of homegrown terrorism: the Internet.

From charismatic clerics who spout hate online, to thousands of extremist websites, chat rooms and social networking pages that raise money and spread radical propaganda, the Internet has become a crucial front in the ever-shifting war on terrorism.

"LaRose showed that you can become a terrorist in the comfort of your own bedroom," said Bruce Hoffman, professor of security studies at Georgetown University. "You couldn't do that 10 years ago."

"The new militancy is driven by the Web," agreed Fawaz A. Gerges, a terrorism expert at the London School of Economics. "The terror training camps in Afghanistan and Pakistan are being replaced by virtual camps on the Web."

From their side, law enforcement and intelligence agencies are scrambling to monitor the Internet and penetrate radical websites to track suspects, set up sting operations or unravel plots before they are carried out.

As we discussed last week in class, terrorist groups across the world have embraced the Internet as a vital tool in their information warfare arsenal. Time permitting, we will put our investigative hats on and explore the web in search of many of these digital hate safe havens in an effort to track those responsible for maintaining these sites.

Malware delivered by Yahoo, Fox, Google ads

From Elinor Mills at CNet ...
Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge, and this year on Drudge, TechCrunch and The practice has been dubbed "malvertising."

Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.
Mills continues,
Found in ads delivered from those networks was JavaScript code that Avast dubbed "JS:Prontexi," which Avast researcher Jiri Sejtko said is a Trojan in script form that targets the Windows operating system. It looks for vulnerabilities in Adobe Reader and Acrobat, Java, QuickTime, and Flash and launches fake antivirus warnings, Sejtko said.

Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, Avast said.

Since the malware started spreading in late December, Avast has registered more than 2.6 million instances of it on customer computers. Nearly 530,000 of those were from Yield Manager and more than 16,300 from DoubleClick, Sejtko said.

That's pretty scary. Most web surfers feel safe browsing popular, well-branded sites, but they do not realize that many of these sites rely on third-party advertising services to manage their banner ads. As a result, should these services fail to properly vet the sources of their ads, well-established websites can easily be duped into running malicious ads. As pointed out in the article, all the user has to do is view an infected ad and malware is silently installed behind the scenes. The user is none the wiser.

I've been following this attack for a while now, and if it is still running on Monday I plan on demonstrating it in class.

Saturday, March 27, 2010

Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies

From the Washington Post,
By early 2008, top U.S. military officials had become convinced that extremists planning attacks on American forces in Iraq were making use of a Web site set up by the Saudi government and the CIA to uncover terrorist plots in the kingdom.

"We knew we were going to be forced to shut this thing down," recalled one former civilian official, describing tense internal discussions in which military commanders argued that the site was putting Americans at risk. "CIA resented that," the former official said.

Elite U.S. military computer specialists, over the objections of the CIA, mounted a cyberattack that dismantled the online forum. Although some Saudi officials had been informed in advance about the Pentagon's plan, several key princes were "absolutely furious" at the loss of an intelligence-gathering tool, according to another former U.S. official.
This case study highlights one of the dilemmas we discussed in last week's class. Should we leave potentially dangerous websites online in order to exploit them for actionable intelligence, or should we shut them down and deny terrorists an online safe haven?

Read the whole article here ...

Monday, March 8, 2010

Drug War Goes Digital

By now most of us are aware that al-Qaeda and other jihadist groups use the Internet to distribute propaganda. Of late other non-state actors have also embraced the Internet to get their message out.

On March 3 a user claiming to represent the "Mexican Cyber Cartel", an alliance between the Cartel de Sinaloa, the Gulf Cartel and the Familia Michoacana, uploaded a video to YouTube. The video, entitled "The truth about what is happening in Tamaulipas and Nuevo Leon", appears to be an attempt by the Mexican Cyber Cartel to win public support in its ongoing war with "Los Zetas" - a criminal/mercenary army of ex-Mexican special forces soldiers.

Hat Tip to Georgetown Grad Ben Turner for pointing this video out.

Sunday, March 7, 2010

Fear, Uncertainty, and Doubt

Flipping through my Google Reader this morning I noticed this gem of a quote from Michael Chertoff, former head of the Department of Homeland Security. Chertoff was speaking on a panel at the RSA conference about the need to improve cyber attack attribution capabilities. According to a Computer World article, Chertoff noted that "the difficult task of identifying the true sources of cyber attacks remains one of the biggest challenges in the development of a national cybersecurity strategy." Further, Chertoff observed that "by comparison, physical attacks are relatively easy to track down and respond to." Specifically, Chertoff said, "In the Cold War we could attribute an attack. It was clear where it came from and we could respond."

Umm, correct me if I'm wrong, but the FBI closed the case on the 2001 Anthrax attacks in February 2010 after formally charging Bruce Ivins in 2008. I submit that assigning attribution in this attack was not relatively easy.

The problem with Chertoff's thinking, and that of many policy makers, is a Cold War mindset. In the post-Cold War/globalized/GWOT/whatever-you-want-to-call-it era, attacks can be carried out by anyone, anywhere, at any time. This makes attribution hard in any form of attack - physical or digital.