Fabio Ghioni Asymmetric Warfare and Interception revealed


Published on

Fabio Ghioni Asymmetric Warfare and Interception revealed

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Fabio Ghioni Asymmetric Warfare and Interception revealed

  1. 1. Asymmetric warfare and interception revealed www.zone-h.org the Internet thermometer
  2. 2. THE LECTURERS Fabio Ghioni Roberto Preatoni www.zone-h.org the Internet thermometer
  3. 3. Why Zone-H ? SQL Database HTTP Firewall request YOU! (cleartext or SSL) Web Web app Serv Web DB Web er app Web Client app DB Web •Apache app •IIS HTTP reply •Netscape (HTML, Javascript, Plugins: Database •Perl connection: VBscript, Mail •C/C++ •ADO, etc) Serv •JSP, etc •ODBC, etc. er www.zone-h.org the Internet thermometer
  4. 4. D i g i t a l a t t a c k s a m o u n t s i n c e 2 0 0 2 30000 25273 25000 20000 16393 16724 16924 17329 15638 14575 15000 12739 9884 10000 5279 5000 3652 3907 3468 4175 1 6 0 0 1811 2341 D i g i t a l a t t a c k s a m o u n t 0 2002- 2002- 2002- 2002- 2002- 2002- 2002- 2002- 2002- 2002- 2002- 2002- 2003- 2003- 2003- 2003- 2003- 01 02 03 04 05 06 07 08 09 10 11 12 01 02 03 04 05 D a t e In 2004 35.000+ / months www.zone-h.org the Internet thermometer
  5. 5. Internet today INTERNET TODAY 40 millions of servers MOBILE CELLPHONES TODAY APPROAX 1 BILLION www.zone-.org the Internet thermometer
  6. 6. Internet today MOBILE CELLPHONES + INTERNET TODAY CONVERTED INTO 3G / 4G = EXTREME PAIN www.zone-.org the Internet thermometer
  7. 7. 3g exploitable points - Protocol - Telco network component - OS - User application level - SIM / USIM toolkit application level www.zone-.org the Internet thermometer
  8. 8. About terrorism TERRORISM ? www.zone-.org the Internet thermometer
  9. 9. Asymmetric warfare WHAT IS IT? “threats outside the range of conventional warfare and difficult to respond to in kind “ U.S. Dictionary of Military Terms WHEN IS IT USED? “If the enemy is superior in strenght, evade him. If his forces are united, separate them. Attack him where he is unprepared; appear where you are not expected.” Sun Tzu www.zone-h.org the Internet thermometer
  10. 10. Asymmetric warfare and infowar Asymmetric Warfare (AW) “Battlefield” where small groups of individuals can produce massive damage with minimum effort and risk from virtually anywhere in the world. Information Operations (IO) Hit the adversary’s information and IT systems and simultaneously defend one’s own information and IT systems. Information Warfare (IW) Information Operations conducted in moments of crisis or conflict, aimed at reaching or promoting given objectives towards given adversaries. www.zone-h.org the Internet thermometer
  11. 11. ICT WARFARE “It’s the best strategy for an asymmetric conflict” •Distributed attacks, high anonimity •Possibility to use the same enemy’s infrastructures •Low cost of technology implementation and R&D •Wide range of critical infrastructures to be attacked •Possibility to carry out unconventional activities •Direct contact with the enemy’s command and www.zone-h.org control center at the highest ranks the Internet thermometer
  12. 12. Future conflicts dimensions Dirty war Systemic war The heritage: mechanical war PeaceWar ICT War www.zone-.org the Internet thermometer
  13. 13. Future conflicts dimensions low Technology high Forte Dirty war Systemic war Power Mechanical war War and ICT War Peace www.zone-.org Debole the Internet thermometer
  14. 14. About terrorism Usage of different conflict unconventional tipologies to defy an enemy with a superior warfare capability -“Traditional terrorism” - Use of chemical/nuclear/biological weapons - Attack to the ICT infrastructures critical to the economy and national security ICT war targets against e-nations -Economy -Public service infrastructures -Military and civil defense Multiplier of the above www.zone-.org the Internet thermometer
  15. 15. Sensored networks and critical infrastructure protection - National security - Asymmetric warfare and infowar - Defence and uses in state of war www.zone-h.org the Internet thermometer
  16. 16. National security Protection of public & private critical ICT infrastructures Reporting e support for analysts Support Defense Intelligence Offensive & employee infiltration capabilities State of alert & automatic activation of defense systems conceived for the protection of strategic national & economic infrastructures Enemy analysis, counterattack, elaboration & implementation of offensive strategies Counterespionage www.zone-h.org the Internet thermometer
  17. 17. National Security & Critical Infrastructure Protection COMPUTER National Critical Infrastructure TELECOMMUNICATIONS Public Health and Safety ELECTRIC POWER Emergency Services Water Supply and Sewage Transports Other Government Operations Military Command and Control Systems Mass media Energy, Oil and Gas Control Banking and Financing Activities Industrial Production www.zone-h.org the Internet thermometer
  18. 18. The beginning of data interception used to solve terrorism cases www.zone-h.org the Internet thermometer
  19. 19. Parametric interception Probe radius Listening #1 Pop ISP #1 Radius Listening #2 Probe #1 Backbone ISP Listening #3 Pop ISP #2 Listening #4 Probe #2 Mediation server Parametric www.zone-h.org (storage and forwarding) rules the Internet thermometer configurator
  20. 20. Parametric interception - Uses and abuses - Technology involved - Reliability - Usability in investigative procedure - Legal uses in court cases and judicial use - Basic architecture in asymmetric and symmetric deployment (same nation state standpoint) - Real cases www.zone-h.org the Internet thermometer
  21. 21. Digimetric interception Digimetric vs. Parametric - What it is - Uses and abuses - Distributed use on asymmetric and symmetric sensored networks Return-path: <fabio@xxxxxxxxx.com> Received: from mail.boot.it (unverified []) by boot.it (Rockliffe SMTPRA 6.1.16) with ESMTP id <B0002856784@localhost> for <roberto@boot.it>; Fri, 17 Sep 2004 10:43:28 +0200 Date: Fri, 17 Sep 2004 10:42:58 +0200 From: Fabio xxxxxxxxx <fabio@xxxxxxxx.com> MIME-Version: 1.0 To: roberto preatoni <roberto@boot.it> Subject: [Fwd: R: R: report] Mailer: Mozilla 4.75 [en] (Win95; U) Content-Type: multipart/mixed; www.zone-h.org the Internet thermometer
  22. 22. The process of updating investigative procedure based on interception from voice to data: technological aspects and examples of judicial aspects www.zone-h.org the Internet thermometer
  23. 23. Injected interception -Parametric & direct interception are passive instruments that have limits & don’t allow for the analysis of encrypted communications.  Instruments that guarantee privacy protection and/or anonimity are widely available & easy to use eg. Instant Messaging on SSL; VoIP solutions protected by AeS (eg. SKYPE); there are also systems that allow anonymous file exchange (MUTE) o messaging (Freenet or Entropy).  - Basic technology - When to use it - Usability in investigative procedure - Can it be detected? - Real cases www.zone-h.org the Internet thermometer
  24. 24. Injected interception revealed Intervene on the source What are the advantages?  The possibility of having direct access to all the data that the target computer accesses, independent of the means of data transport (physical of telematic).  The possibility of tracing the target’s IP address directly or by reverse connection techniques. What type of data can be accessed?  Complete access to all protected data sent on network channels  All data that DON’T normally transit on the network (USB keys, CDRoms, etc.).  Access to crypto instruments and keys that allow to decipher the relevant data  Direct access to encrypted physical disks or logical volumes  Audio/Video interception, if a microphone and/or webcam are present on the pc  Ie. SUB7 trojan www.zone-h.org the Internet thermometer
  25. 25. When to Use Injected Interception  When the subject is able to protect its communications  When a constant & punctual monitoring of a subject’s activity is necessary  When it isn’t physically possible to do environmental interception with traditional methods  When the subject has an elevated mobility (e.g. notebook)  When it’s not physically possible to access the target’s resources www.zone-h.org the Internet thermometer
  26. 26. Usability in Investigative Procedures Forensics know that guaranteeing that all confiscated media & data remain unmodified at the time of analysis, is of paramount importance. Controversy: - inserting an external injected agent, modifies the media both physically & logically with its Install function - who inputs the surveillance SW has the same privileges as the monitored subject www.zone-h.org the Internet thermometer
  27. 27. Privacy vs. Security Formal procedures for requesting the interception; Univocal agents, guaranteed by digital signatures & encrypted time stamping; Non repudiable auditing of the operations that are managed manually or automatically by the agent; Possibility of recreating the agent’s assembly process from the source code to the generation of the univocal executable. www.zone-h.org the Internet thermometer
  28. 28. Can the Agent be Uncovered? It depends on the motivation & the know-how used in the attack and the defence. In general, an agent can be discovered if the network to which the target pc connected is correctly monitored Therefore, the greatest effort must be funneled into reaching an extremely high technical complexity in the functions of:  Hiding  Camouflage  Autodestruct  Non-reverse trace back www.zone-h.org the Internet thermometer
  29. 29. Virus Technology at the Service of Justice: an Overview How do you inject an agent into the interested party’s computer? The means are many but the ways to be considered are principally: Technology Social Engineering Separately or in tandem www.zone-h.org the Internet thermometer
  30. 30. Trojans - Usability in investigative procedures - Potentiality in sensored networks - Trojan planning and development - Real cases - Usability of Trojans in Investigative Procedures www.zone-h.org the Internet thermometer
  31. 31. Potentiality in Sensored Networks • Integration with parametric interception infrastructure • Anonymity of Agent Communication through destination IP spoofing (e.g. Mailing of a letter to a nonexistent address. If we control the central post office exchange, we will be able to intercept and retrieve the letter and any other mail sent to the fictitious address.) www.zone-h.org the Internet thermometer
  32. 32. Trojan planning and development • A lot of trojans are available on the net • Many trojan coders privately sell releases of their trojans that are not detectable by antivirus programs for less than 100-200 USD • Trojans available on the Internet are not a good choice because: • They are undetectable by antivirus programs but are detectable by humans • Made by script kiddies (no design, bad source code) • Not so paranoid • No encrypted communication • No polymorphic self-encryption • No self-destruction capabilities • Not written for usage in formal investigative procedures • Trojans used for intelligence must be written, tested and approved with a formal development approach. • Real cases www.zone-h.org the Internet thermometer
  33. 33. Cyber attacks : an abstract built on Zone-H's experience www.zone-h.org the Internet thermometer
  34. 34. CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related www.zone-h.org the Internet thermometer
  35. 35. CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related www.zone-h.org the Internet thermometer
  36. 36. CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related www.zone-h.org the Internet thermometer
  37. 37. CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related www.zone-h.org the Internet thermometer
  38. 38. CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related www.zone-h.org the Internet thermometer
  39. 39. CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related www.zone-h.org the Internet thermometer
  40. 40. CYBER-ATTACKS ARE CONVENIENT BECAUSE: • Lack of IT laws • Lack of L.E. international cooperation • ISPs are non-transparent (privacy law) CYBER-ATTACKS ARE CONVENIENT BECAUSE: • General lack of security • No need to protest on streets • No direct confrontation with L.E. CYBER-ATTACKS WILL NEVER STOP BECAUSE: • Inherent slowness of the Institutions • The Internet is getting more complicated • Software producers are facing a market challenge www.zone-h.org the Internet thermometer
  42. 42. www.zone-h.org the Internet thermometer