ASFWS 2012 - Cybercrime to Information Warfare & “Cyberwar”: a hacker’s perspective, by Raoul Chiesa and Ioan Landry





This presentation will analyze the Information Warfare scenarios, technical and legal backgrounds, highlighting as well the importance of the terminologies and bringing to the audience real-life examples and known incidents. The last part of the talk will focus on two theoretical case studies and on one, very special, theoretical case study.




Presentation Transcript

  • Raoul “Nobody” Chiesa, Founder, President, The Security Brokers. Ioan Landry, Information Operations Manager. Design & Concept: Jart Armin, Raoul Chiesa, Ioan Landry
  • Agenda:
    * Disclaimer
    * The Authors
    * Introduction, Reasons for this talk
    * Bye bye, Wargames…
    * Evolution of Cyber Attacks
    * Information Warfare
    * Shared points between Cybercrime & InfoWar
    * Countries at stake
    * New concepts for a new era
    * Digital Weapons comparison
    * The real scenarios
    * Case studies
    * Contacts, Q&A
  • Disclaimer:
    * The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known local laws.
    * The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.
    * Quoted trademarks belong to their registered owners.
    * The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the views of ENISA and its PSG (Permanent Stakeholders Group).
    * Contents of this presentation may be quoted or reproduced, provided that the source of information is acknowledged.
    * Ehm… the agenda is quite long. We’ll do our best to fit the timing!!
  • Raoul Chiesa:
    * On the IT underground scene since 1986
    * Advisor @ UNICRI since 2004
    * ENISA PSG (2010-2012, 2012-2015)
    * Founder, @ – Independent Security Advisory Company
    * Founder, Board of Directors at: CLUSIT (Italian Information Security Association), ISECOM, OWASP Italian Chapter
    * Associated Partner
    * Member: ICANN, OPSI/AIP, EAST
    * Supporting: Team Cymru, APWG, …
    © Jart Armin & Raoul Chiesa, 2011
  • In 1983, the movie “Wargames” came out.
    * At least 2 generations of teenagers began “playing hacking” because of this movie.
    * In the script, the lead character was nearly able to launch a “global thermo-nuclear” war.
    * All of us used to laugh at that movie…
    * Nevertheless, the IT attacks launched in the last 25 years still mainly rely on the hacking techniques shown in the movie.
    * It’s just history, played in “repeat mode”.
  • Hacking with friends: Wardialling PSTN & Toll-Free / Port Scanning / X.25 scanning … Getting access.
  • © Jart Armin & Raoul Chiesa, 2010 (November 30th, 2010)
  • Learn more by reading the book! And/or, watch this: v=EcKxaq1FTac … and this, from TED: v=Gj8IA6xOpSk (Cliffy, we just LOVE you, all of us! :)
  • Speaking along with a lot of friends, it looks like the “.mil” world developed a deep interest towards these topics…
    * 2001/2002: First interest shown back from the USA (after 9/11), focused on hackers’ resources in order to attack and/or infiltrate Al Qaeda;
    * 2003-2005: observed a huge escalation of USA and Israel Secret Services, asking for 0-days, seeking information resources among elite hackers, asking for Iran & Pakistan hacking;
    * 2005: China’s attacks on the USA go public, escalating during 2007-2010 (UK, Germany, France, Italy);
    * 2008/2010: USA & Canada leading (since the last 2/3 years) an increasing attention related to National Critical Infrastructures, followed by UK, EU, Israel, India, Australia;
    * 2010: Italian Committee for the National Security of the Republic audited myself (March/May);
    * 2009/2012: NATO Cyber Coalition running CyberDefense 2010 (+CyberShot 2009/2010) along with C4 Command (Rome);
    * TODAY - Intelligence Agencies hiring “leet hackers” in order to: buy/develop 0-days; launch attacks on terrorists and/or suspected ones; protect National Security; inform & train Local Governments.
    * Thus, hackers are becoming a kind of “e-ambassadors”, “e-strategy consultants” towards .mil and .gov environments, or “e-mercenaries”, training “e-soldiers”…
  • Just like along the years you’ve got used to words such as:
    * “Paranoia” (that’s in your DNA, hopefully!)
    * “Information Security” (198x)
    * “Firewall”, “DMZ” (1994/5)
    * “Pentesting” (1996/7)
    * “xIDS” (2001-2003)
    * “Web Application Security” (2006-2009)
    * “SCADA&NCIs” (2008-201x)
    * “PCI-DSS” (2009-201x)
    * Botnets (2008-2010)
    * “APTs” (2011-201x)
    * etc…
    …in the next (five to ten) years, you will hear non-stop talks about:
    * NGC – Next Generation Cybercrime
    * CyberWar
    * Information Warfare
    * NGW – Next Generation Warfare
  • First generation (70’s) was inspired by the need for knowledge. Second generation (1980-1984) was driven by curiosity plus the hunger for knowledge: the only way to learn OSs was to hack them; later (1985-1990) hacking became a trend. The third one (90’s) was simply pushed by the anger for hacking, meaning a mix of addiction, curiosity, learning new stuff, hacking IT systems and networks, exchanging info with the underground community. Here we saw new concepts coming, such as hackers’ e-zines (Phrack, 2600 Magazine) along with BBSs. Fourth generation (2000-today) is driven by anger and money: often we can see subjects with a very low know-how, thinking that it’s “cool & bragging” being hackers, while they are not interested in hacking & phreaking history, culture and ethics. Here hacking meets politics (cyber-hacktivism) or the criminal world (cybercrime: €, $).
  • 2010/2012 -> 20xx
  • “2011 Cybercrime financial turnover apparently scored up more than Drugs dealing, Human Trafficking and Weapons Trafficking” (various sources: UN, USDOJ, INTERPOL, 2011). Financial turnover, estimation: 6-12 BLN USD$/year (Source: Group IB Report 2011, http://group- …IB_Report_2011_ENG.pdf). “Cybercrime turnover ranks as one of the top four economic crimes” (PriceWaterhouseCoopers LLC Global Economic Survey 2011)
  • No more “Wargames”
    * (even if Wargames 2010 came out, and Bruce Willis got the support of a “hacker” in the latest Die Hard): the “romantic hackers” are gone, forever
    * Then Stuxnet appeared (May-June 2010), then DuQu, Flame, Gauss, etc…
    * …and everything changed.
    * WHY??
    * An unexpected attack.
    * An unexpected target (SCADA, Nuclear Plant).
    * The very first time something like this was happening.
  • Very simply, we are speaking about the so-called Warfare, applied to cyberspace.
    * Defending information and communication networks, acting as a deterrent towards “information attacks”, while not allowing the enemy to do the same.
    * So we are speaking about “Offensive Information Operations”, built against an adversary, until being able to dominate the information during a war context.
  • It is an extremely new and dynamic war scenario, where the metrics and views used before it are now really obsolete.
    * Typically, these operations are decentralized and anonymous.
    * The “entry fee” cost is extremely low, while it supplies a huge power.
    * …and after all, there’s always the possibility of denying what has happened…
    * Think about Estonia, Georgia, Stuxnet, the Arab Spring, North Africa, Libya, Syria, Iran… what will be next??
  • PC Zombies (botnets) -> they take advantage of the “standard user”, both in a Corporate or home (broadband, SOHO) scenario.
    * “0-days”: until today, all of them were on MS Windows + ad-hoc exploiting.
    * (attacker’s perspective) Nothing changes that much. There are more chances to hack 1,000,000 broadband users instead of 10,000 PCs from a company’s network.
    * It’s still the digital weapon they need in order to launch attacks (DDoS, Keyloggers, 0-Days, etc).
  • OUT -> IN:
    * Single operational pic -> Situational awareness
    * Autonomous ops -> Self-synchronizing ops
    * Broadcast information push -> Information pull
    * Individual -> Collaboration
    * Stovepipes -> Communities of Interest
    * Task, process, exploit, disseminate -> Task, post, process, use
    * Multiple data calls, duplication -> Only handle information once
    * Private data -> Shared data
    * Perimeter, one-time security -> Persistent, continuous IA
    * Bandwidth limitations -> Bandwidth on demand
    * Circuit-based transport -> IP-based transport
    * Single points of failure -> Diverse routing
    * Separate infrastructures -> Enterprise services
    * Customized, platform-centric IT -> COTS based, net-centric capabilities
    Scouting elite hacker parties?
  • USA (“Low Risk”)
    * UK, Canada, France, Germany, Switzerland, Italy
    * Brazil
    * Israel, Palestinian National Authority (“Average Risk”)
    * Zimbabwe
    * Middle East: “friendly” countries (UAE, Saudi Arabia…)
    * North Africa / Africa generally speaking (WW Soccer Games 2010)
    * China
    * India
    * Pakistan
    * North Korea (DPRK)
    * South Korea (“High Risk”)
    * Iran
    * Kyrgyzstan
    * Myanmar
    * Russia, Estonia, Georgia
    * Rwanda
  • Nations with Cyber Warfare (Offensive) Capabilities - Survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN. Columns: Cyber warfare Doctrine/Strategy; Trained Units; CW training/simulations; CW exercises/Technical; Collaboration w/ IT Industry and/or Universities; Not official Sources. Countries listed: Australia, Belarus, China, North Korea, France, India, Iran, Israel, Pakistan, Russia, USA.
  • Nations with Cyber Warfare (Defense) Capabilities - Survey from WG «Cyber World», Italian Ministry of Defense, CASD/OSN. Columns: Cyber warfare Doctrine/Strategy; Trained Units; CW training/simulations; CW exercises/Technical; Collaboration w/ IT Industry and/or Universities. Countries listed: Albania, Argentina, Austria, Brazil, Bulgaria, Canada, Cyprus, South Korea, Denmark, Estonia, Philippines, Finland, Ghana, Germany, Japan, Jordan, Italy, Kenya, Latvia, Lithuania, Malaysia, New Zealand, Norway, Netherlands, Poland, Czech Republic, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Hungary, United Kingdom.
  • “North Korea will soon attack many countries using IT attacks, since they have the best hackers of the whole world.”
    * Uh?!? Seriously??
    * That’s weird, when speaking about a country which is totally isolated from the Internet, where its “cellular network” resembles more a DECT infrastructure… (no BTSs outside Pyongyang).
    * See Mike Kemp’s slides from CONFidence 2010 @ Krakow.
  • "In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces." Former Duma speaker Nikolai Kuryanovich, 2007
  • Cyber War
  • „dummy list“ of „ID-10T“ for phishing
    * equipment to mimic target network
    * background info on organisation (orgchart etc.)
    * dummy run on similar network
    * Primer for sector-specific social-engineering
    * sandbox zerodays
    * proxy servers
    * banking arrangements
    * purchase attack-kits
    * rent botnets
    * find (trade!) good C&C server
    * purchase 0-days / certificates
    * purchase skill-set
    * bespoke payload / search terms
    * Purchase L2/L3 system data
    Source: Alexander Klimburg 2012
  • Botnet & drone armies; Server hacking; DDoS; Encryption; Trojans & Worms; Extortion & Ransom; Malware; Man in the Middle
  • Russia: Cyber crime tools
    * USA: Communications Intelligence
    * France: National knowhow defence
    * Israel: Transition from Industrial tools
    * UK: Hired Cyber mercenaries
    * China: Industrial espionage
    * India: Counter cyber attacks
    * Pakistan: Cyber army
    * Ukraine: Botnet armies
    * Malware Factories: Contract developers (x 4 worldwide)
  • UN Member States = 197. Vulnerable? 197 !!!!
    * Hacking
    * DDoS
    * Botnets
    * Defacement
    * Web site Hijacking & Redirection
    * DNS & BGP hijacking
    * BlackEnergy
    * Darkness
    * Stuxnet
    * DuQu?
  • Cluster Bomb vs Cruise Missile
    * Cluster Bomb: multiple targets, loud and noisy; Massive DDoS; Loss of digital communication; Cloning of state systems; Create confusion
    * Cruise Missile: laser guided, precision, and stealth; Compromise infrastructure; Industrial Sabotage; Loss of confidence in communications; Create confusion
  • 30 bots overwhelm an average web site; 1,000 bots - a large web site; 5,000 bots - even when using anti-DDoS, blocks, and other preventive measures; 15,000 bots can theoretically bring down (Russian Facebook); example: the Conficker worm reached 10.5 million bots
  • Non-state proxies and “inadvertent Cyberwar” Scenario: „During a time of international crisis, a [presumed non-state CNE] proxy network of country A is used to wage a „serious (malicious destruction) cyber-attack“ against country B.“ How does country B know if:
    * a) the attack is conducted with consent of Country A (Cyberwar)
    * b) the attack is conducted by the proxy network itself without consent of Country A (Cyberterrorism)
    * c) the attack is conducted by a Country C who has hijacked the proxy network? (False Flag Cyberwar)
    © Alexander Klimburg 2012
  • Strategic Communication, “Military cyber ops”, “Information Warfare”, “Cyberpower”, “Strategic cyber ops”, CNO, Cyberespionage and CI, CNA/CNE, CND, OPSEC, PSYOPS, EW, CyberDiplomacy, Internet Governance, MilDec, “Information Operations”. Source: Alexander Klimburg 2012; Raoul Chiesa, Ioan Landry, Jart Armin 2010-2012
  • In March 2012, the U.S.-China Economic and Security Review Commission tasked Northrop Grumman with writing up a “feasibility study” of Chinese information operations in peace and wartime. The paper weighs in at 137 pages and I highly recommend reading it. At some point the paper goes into a “CNO Targeting Case Study”, with Chinese actors specifically targeting a small but crucial component, the U.S. Transportation Command (USTRANSCOM). “The mission of USTRANSCOM is to provide air, land and sea transportation for the Department of Defense, both in time of peace and time of war”. More pertinently: it is responsible for air refueling missions, of critical importance given U.S. reliance on air power in projecting influence across the globe (and in this scenario, chiefly in Asia-Pacific, i.e. Taiwan). USTRANSCOM, like many agencies, relies on a number of civilian contractors to supplement its own men and women in uniform. More people spread among multiple organizations with access to critical web applications and databases = an exponential increase in the attack surface.
  • I’m sure you all see where this is going… Napoleon’s famous maxim: “an army marches on its stomach”. A complete paralysis of the Armed Forces’ supply chain is perhaps the second worst-case scenario, after the crippling of communications/C3 capabilities. (I can probably talk more about supply chain problems in a non-mil environment, like backdoored routers ending up in a .gov or telco datacenter.)
  • In August 2004, a backdoor was placed in a crucial junction of Greece’s telecommunication backbone, namely four Ericsson AXE switches in Athens. The backdoor provided unknown perpetrators with full voice and SMS traffic of over 100 targeted mobile phones belonging to:
    * Prime Minister Kostas Karamanlis and members of his family,
    * the Mayor of Athens, Dora Bakoyannis,
    * most phones of the top officers at the Ministry of Defense,
    * the Ministry of Foreign Affairs,
    * the Ministry for Public Order,
    * members of the ruling party, and ranking members of the opposition (PASOK),
    * the Hellenic Navy General Staff,
    * the previous Minister of Defense,
    * others, such as a Greek-American based in the American embassy and many Arab businessmen.
  • Who did it? Who ordered it?
    * Hard-to-find and niche skills
    * Budget, perceived ROI, HUMINT assets…
    * More importantly, what would I do?
    * No cyber Pearl Harbour, no exploding power grids…
    * Let us visit the soft underbelly of telecommunications…
  • X.25: connection-oriented WAN technology. Protocol suite defined in 1976 in your backyard. Private entities and nations ran their own X.25 networks until the net swept them all away… Well, almost... Largely forgotten today. That’s a good thing.
    * Today’s Snapple facts:
    * Speeds of 56 Kbps to 2.048 Mbps…
    * “Utility model” – vendor/operator maintained infrastructure and data routing; user/client billed only for traffic used.
    * Different networks have different topologies and capabilities, known as facilities, e.g.: reverse charging, closed user groups, sub-addressing and mnemonics, hunt groups, etc…
  • “C’mon, first and last I heard of X.25 was in CVE-2011-2910…” X.25 isn’t just for ham radio nerds, though… It is a whole “new” world, often deployed in parallel to the one you interact with… whether you know it or not. A whole world without IDS, without WAF…
  • X.25 gives you the opportunity to visit exotic lands, meet interesting systems… … and then root them. … and so much more! Once you’ve dropped shell on a mainframe, you can’t go back…
  • The topology at its simplest:
    * DTE - Data Terminal Equipment - think: end-user equipment
    * DCE - Data Circuit Terminating Equipment - think: modems, switches, gateways
    * PSE - Packet Switching Exchange - think: backbone
    Source: Cisco Documentation Wiki, retrieved 03/11/12
  • Once you hop onto an X.25 network, legitimately or otherwise, you’re assigned an NUA (Network User Address).
    * Think of this as something between an IP address and a phone number.
    * Their make-up is at the discretion of the network operator…
    * Example: BT PSS (UK) “employed a numbering system using a 3-digit area code (which conformed with the area code of the telephone network) plus a 5-digit subscriber number, and another 2 digits were available for the sub-address.”
    * Example: DATAPAC (Canada) NUAs are 8 digits long, the first four referring to the province and city, the following 4 specifying the actual host.
    * Instead of “country codes” we have DNICs, which are managed by the ITU in Geneva. 3020 is DATAPAC, 4251 is ISRANET, 6026 is EGYPTNET, etc…
    Note: Yes, there are still a lot of active X.25 networks…
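As an added example (not code from the presentation), the NUA structures above turned into a small Python parser and inventory helper: it splits an international X.121 address into DNIC and network-local NUA, decomposes DATAPAC and BT PSS NUAs into the fields the slide describes, and groups addresses by network and region so an asset owner can see where forgotten X.25 endpoints cluster. Assumptions: the international form is the 4-digit DNIC followed by the local NUA, the DNIC table holds only the three networks named on the slide, and every sample address is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# DNICs named on the slide. In X.121 the first three digits are the
# data country code (302 Canada, 425 Israel, 602 Egypt) and the fourth
# identifies the network within that country.
DNIC_NAMES = {"3020": "DATAPAC", "4251": "ISRANET", "6026": "EGYPTNET"}


@dataclass(frozen=True)
class NUA:
    network: str
    region: str               # province/city (DATAPAC) or area code (PSS)
    host: str                 # host (DATAPAC) or subscriber (PSS) number
    subaddress: Optional[str] = None
    dnic: Optional[str] = None


def split_x121(addr: str) -> tuple:
    """Split an international X.121 address into (DNIC, local NUA).

    Assumption: the address is the 4-digit DNIC followed by the
    network-local NUA; X.121 allows at most 14 digits in total.
    """
    digits = addr.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 5 <= len(digits) <= 14:
        raise ValueError(f"not a valid X.121 address: {addr!r}")
    return digits[:4], digits[4:]


def decompose(network: str, local: str, dnic: Optional[str] = None) -> NUA:
    """Break a network-local NUA into the fields the slide describes."""
    if network == "DATAPAC":      # 4 digits province/city + 4 digits host
        if len(local) != 8:
            raise ValueError(f"DATAPAC NUA must be 8 digits: {local!r}")
        return NUA(network, local[:4], local[4:], None, dnic)
    if network == "PSS":          # 3-digit area + 5-digit subscriber (+2 sub-address)
        if len(local) not in (8, 10):
            raise ValueError(f"PSS NUA must be 8 or 10 digits: {local!r}")
        return NUA(network, local[:3], local[3:8], local[8:] or None, dnic)
    # Structure not described on the slide: keep the whole local part as host.
    return NUA(network, "", local, None, dnic)


def parse_nua(addr: str) -> NUA:
    """Parse an international address; the DNIC selects the network."""
    dnic, local = split_x121(addr)
    return decompose(DNIC_NAMES.get(dnic, "DNIC-" + dnic), local, dnic)


def inventory(addrs):
    """Group addresses by (network, region) so a defender can see where
    forgotten X.25 endpoints cluster. Returns {(network, region): [hosts]}."""
    groups = defaultdict(list)
    for addr in addrs:
        n = parse_nua(addr)
        groups[(n.network, n.region)].append(n.host)
    return dict(groups)


# Constructed sample addresses (not real endpoints): two DATAPAC hosts in
# the same region, one ISRANET address.
SAMPLE = ["3020 1234 5678", "302012340001", "4251 987654"]

if __name__ == "__main__":
    for key, hosts in inventory(SAMPLE).items():
        print(key, hosts)
    print(decompose("PSS", "0201234567"))   # PSS NUA with sub-address
```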
  • So, integrators have been pushing for a total deprecation of X.25 for a while, but vendors keep the love coming: in fact, it is supported in all versions of Cisco IOS!
  • Not just Cisco… Rolled out in more recent Huawei devices! Let us ignore the possibility that Huawei basically did a svn checkout on the IOS source tree…
  • From the horse’s mouth: “Telco databases are usually linked to SCPs by X.25 links.” – Cisco. “We accessed [an operator’s] systems through their x25 network which they never knew was running because the network vendor never disclosed it…” – Philippe Langlois, October 12 2012
  • I’m a masochist and did a (mostly) complete scan of DATAPAC in 2011-12. I’d rather not publicly discuss other networks.
    * Verdict: X.25 is still very busy, but I’ll be honest - lots of planned deprecation and migrations between 2000-2010.
    * We lost a few good X.25 networks... SWIFT migration to IP-based SWIFTNET allegedly complete in 2005...
    * But I’ll bet you 1 BTC that there’s still something...
    * Besides, a great deal of EFT transactions are still done over X.25… Canada’s Interac migration from X.25 will be done in 2015. SITA is also deploying dual-layered solutions (X.25 and IP side by side; XOT), with no publicly-declared deprecation date for X.25, but it is coming.
  • Still used for/in…
    * Telco management (NMC, NE, billing)
    * Telco operations - SMSCs/MMSCs
    * Transport sector: global transport hubs – airlines – SITA
    * Finance sector: a lot of PoS and EFT activity
    * Finance sector: Credit Card Processing Centers (hacks already happened: not public, though)
    * Stock Exchanges (!)
    * Government: regional and national
    * Meteorological organizations
    * Fortune 500 and heavy industry
    * And yes, there are PLCs that speak X.25… SCADA & National Critical Infrastructures nightmares here as well
    * Verdict: a forgotten X.25 link drops you right in the middle of the very weird stuff!
  • "The MTSO contains the switching equipment or Mobile Switching Center (MSC) for routing mobile phone calls. It also contains the equipment for controlling the cell sites that are connected to the MSC... All cellular systems have at least one MTSO which will contain at least one MSC. The MSC is responsible for switching calls to mobile units as well as to the local telephone system, recording billing data and processing data from the cell site controllers."
  • Who is this guy and what’s he getting at? Where are the exploding power plants? Are cyberterrorists really gonna start hacking X.25 networks? Probably not, but think back on the two initial case studies:
    * Crippling of “dual use” logistical or communication networks in war time,
    * Traditional espionage in peace time.
    We certainly live in interesting times... A world where I foresee more Ericsson AXE rootkits and more Stuxnet. Just don’t drink the Kool-Aid!
  • Recommended Reading/Viewing:
    * Philippe Langlois & Emmanuel Gadaix – 6000 Ways And More - A 15 Year Perspective on Why Telcos Keep Getting Hacked - HITB KL 2012
    * Johnathan Stuart – A brief introduction to telephone switching security and internals – ReCON 2010
    * Dave Aitel – Amateur Hour on the Internet – Countermeasure 2012. Key quote: “Infrastructures don’t age well”
    * Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking, by Raoul Chiesa, Stefania Ducci and Silvio Ciappi (CRC Press/Taylor&Francis Group)
    * Telco manuals.
  • Everything is just about the frog. …in the cloud.
  • Contacts: Ioan Landry; Raoul Chiesa: rc@security-brokers.com. The opinions hereby expressed are those of the Authors and do not necessarily represent the ideas and opinions of the United Nations, the UN agency “UNICRI”, ENISA, ENISA PSG, nor others.