Anonymous Attacks On Tunisian Government
Published in: Technology, News & Politics
  1. Anonymous attacks on Tunisian Government. Haythem EL MIR, CISSP
  2. About the presenter: 10+ years of security experience; Technical Manager of the National Agency for Computer Security of Tunisia; Head of the Incident Response Team tunCERT; National cyberspace protection coordinator; setting up of incident response units; consultancy and training in Africa.
  3. Introduction. Computer Emergency Response Teams are one of the main tools available today to enhance cyber security. A CERT has to ensure: • Centralized coordination for IT security issues (trusted point of contact). • A centralized, specialized unit for incident response. • Technology and security watch. • Cyberspace monitoring. • The expertise to support and assist organizations in recovering quickly from security incidents. • Awareness of all categories of users.
  4. Who are Anonymous? Anonymous is a decentralized network of individuals focused on promoting access to information, free speech, and transparency. The group has made international headlines by exposing the Church of Scientology and by supporting anti-corruption movements in many emerging countries. Anonymous is considered a hacktivist group, trying to act anonymously to hack information systems belonging to those it regards as enemies of freedom.
  5. Anonymous' favorite targets
  6. Tunisian Anonymous. Since the Tunisian operation in January 2011, Anonymous has not stopped fascinating young Tunisian hackers and cyber activists. Small groups began to form, and many "anonymous" initiatives were run to gather all these groups under the same organization and adopt the same objectives: Tunisian Anonymous on Facebook (about 110k); {Elite Attack}; Anonymous TN on Facebook (about 20k); AnoNYmOus on Facebook (about 50k); AnonTunisia (Twitter).
  7. Tunisian Anonymous groups: main objectives. Internet freedom (anti-censorship). Guarding the objectives of the revolution: • Fighting the old regime • Investigating corruption • Leaking confidential information. Interfering with politics: • They have their own political ideas • They fight certain political parties.
  8. Biggest attacks and breaches
  9. Tunisian Anonymous groups: in the media
  10. The government position. The Minister of ICT announced on national TV that the National Information Security Agency and the Tunisian CERT would be fighting Anonymous: a declaration of war. Anonymous reacted by announcing a special operation against the security agency on 28 April 2012 and another operation against the government for 1 May.
  11. The main Anonymous attack: DDoS
  12. The main Anonymous attack: DDoS. Low Orbit Ion Cannon (LOIC), a web stress tool. It can be used in stand-alone mode or synchronized through an IRC server. This software needs to be installed on the participant's machine.
  13. HOIC: High Orbit Ion Cannon
  14. The main Anonymous attack: DDoS. With LOIC, Anonymous succeeded in causing a denial of service on many servers within a few minutes: a very strange behaviour that had to be analyzed. Analysis steps: • Log analysis of the DDoSed servers (surprising results) • LOIC traffic analysis • DoS simulation in the lab • DDoS simulation in the lab • Server analysis: the default configuration of the web servers is the problem • Developing a new tuning and hardening guide for Apache servers so they resist such attacks.
  15. The main Anonymous attack: DDoS. (1) TCP connection: three-way handshake. (2) Apache HTTP sessions: GET HTTP 1.0.
  16. The main Anonymous attack: DDoS
  17. The main Anonymous attack: DDoS. IRC server used as C&C.
  18. The main Anonymous attack: DDoS. Good news: it cannot be used through a proxy server.
  19. The online LOIC: JS LOIC
  20. IRC communications
      #optunisia - Channel Topic: Operation Tunisia | Target: | Discuss further actions | English only in channel | DO NOT USE HIVE | Anonymity | | | | | |
      <Greeny> Hey im new what should i do before ddosing ?
      <@Ismael> inside Tn --> get on the streets and portest
      <GZ3r0> SQL Injection Vulnerability Detection
      <GZ3r0>
      <medo> fire port 53 udp
      #optunisia - Channel Topic: OperationTunisia | TARGET: port 53 (UDP) | HIVE IS UP: #loic | KEEP FIRING UNTILL TOPIC SAYS OTHERWISE | Setup GUIDE: | Join #operationfreedom for more government ass-whooping | ENGLISH ONLY
  21. IRC communications
      <zargos> how can i do a fire with you
      <Mouwaten> please how to fire ?
      <VforTunisia> how can I help?
      <claude> 4anyone have a tutoriel how to ddos
      <lek> how can i join the attack ?
      <feh> i wonder how you can deface a website
      <mib_idlwgn> wait how do you do 64GB ping?
      <C0DeR> how can we enjoy the ddos attack ?
      <mib_yjp5ph> how can I change my MAC adress?
      <tunisianow> how to learn ddossing ?
      I was not only for Hacking
      <@Ismael> YOU have to RIOT on the STREETS
      <purpleleaves> people in tunisia get out on the streets and protest
      <op-Tunisia> pepolle in tunisia attacking in streets now
      <@Ismael> tunsians you have to get you asses on the street and end this
      <@Ismael> getb the f**k on the streets and RIOT!
      <@Ismael> Leave you computers the F**K alone and RIOT on the streets1
      <Merovingien>: Some say a DDOS is the same as a street protest
  22. IRC communications
      <zorro> ansi is not a !!!
      <zorro> Do not target ansi ; it is not a
      <zorro> ansi is a media web site
      <zorro> To All : be carefull about LOIC ; some versions are infected !!
      <zorro> Stock exchange is not Governmental !!
      <zorro> Do not target stock exchange
      <F_Youth> zorro => are u kidding?
      <zorro> But Indonesia would be a good target also LoL
      <zorro> No freedom in Indonesia !!
      <zorro> Tunisia is a very sunny country
      <zorro> DDoS in not efficient at all ; what a lot of energy spent in the wind !!
      <zorro> international pressure should go where really people suffer(palestine, afghanistan, iraq, ...)
      <@p2cv> zorro: then stop complaining and invite people to your cause
      <zorro> dont miss real causes : poverty, real oppression, lack of education,lack of health, child explotation
      <zorro> wikileaks does NOT provide food for african people
      <zorro> with DDoS, u r spending ur energy in the wind !!
      <@p2cv> !k zorro
      * zorro was kicked by Chuck (Requested (p2cv))
  23. The main Anonymous attack: DDoS. Number of attacking IPs by country (the countries shown on the slide; totals: 186 countries, 77272 IPs; 44 targets; attack types: DoS, DDoS, defacement).
      Country                 IP nb
      France                  15208
      United States            8891
      Algeria                  4762
      Germany                  3144
      Egypt                    3115
      Morocco                  3028
      Russia                   2874
      Saudi Arabia             2853
      Brazil                   2387
      Canada                   2346
      Italy                    2023
      Taiwan                   1917
      China                    1716
      United Kingdom           1431
      Belgium                  1223
      Romania                  1054
      Switzerland               934
      Libya                     794
      Japan                     738
      Spain                     717
      Argentina                 707
      India                     703
      Hungary                   693
      Poland                    677
      Ukraine                   647
      Netherlands               561
      United Arab Emirates      554
      Qatar                     486
      Bulgaria                  486
      Total countries: 186. Total IPs: 77272. Total number of targets: 44. Attacks: DoS, DDoS, Defacement.
  24. The defense strategy. The Tunisian CERT was the main coordinator in handling these attacks. Activation of the national reaction plan. Activation of crisis mode. Incident coordination: • With local ISPs, telcos and critical infrastructures. • With international partners. Actions taken: • Watching the hackers and studying their behaviour. • Anticipating attacks. • Analyzing millions of log lines and developing a blacklist. • Sharing the blacklist. • Neutralizing IRC servers. • Securing and hardening vulnerable servers.
  25. Role of the CERT: national coordination. Inform all stakeholders (ISPs, telcos, defense, national security, financial sector, energy sector, …). Monitor all critical web sites and inform companies about any abnormal behaviour. In case of attack, collect and analyse log files. Identify the list of IPs participating in the attack and develop a temporary blacklist. Continuously update the blacklist until the end of the attack.
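The log-analysis and blacklist steps from slides 14 and 25 (analyze the DDoSed servers' logs, identify the participating IPs, build a temporary blacklist and keep updating it) can be illustrated with the following script. It is an added example written for this page, not the CERT's own tooling: it parses Apache combined-format access log lines, tracks each source's peak request count in a sliding window, notes how many of its requests were HTTP/1.0 GETs (the session shape the slides attribute to LOIC), and maintains a blacklist with an expiry so entries drop out once a source goes quiet. The sample log lines, the TEST-NET addresses, the 10-second window, the 50-request threshold and the one-hour TTL are all constructed or assumed values, not figures from the presentation.

```python
"""Apache access-log triage for an HTTP flood: per-source rates, HTTP/1.0 share,
and a temporary blacklist that is refreshed as new log batches arrive."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; the regex only needs the fields used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze(lines, window=timedelta(seconds=10)):
    """Per-source stats: total requests, peak requests in any `window`, HTTP/1.0 count.
    Lines for one source are expected in time order, as they appear in a log file."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    stats = defaultdict(lambda: {"total": 0, "peak": 0, "http10": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # garbage or a non-combined line: skip, do not crash the triage
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        s = stats[ip]
        s["total"] += 1
        s["peak"] = max(s["peak"], len(q))
        if rec["proto"] == "HTTP/1.0":
            s["http10"] += 1
    return dict(stats)


def flood_sources(stats, threshold=50):
    """Sources whose peak in-window request count reached the (assumed) threshold."""
    return sorted(ip for ip, s in stats.items() if s["peak"] >= threshold)


def update_blacklist(current, flooders, now, ttl=timedelta(hours=1)):
    """Temporary blacklist as {ip: expiry}: drop expired entries, add or refresh flooders."""
    updated = {ip: exp for ip, exp in current.items() if exp > now}
    for ip in flooders:
        updated[ip] = now + ttl
    return updated


def blacklist_text(blacklist):
    """One address per line, the form in which a list of IPs to filter is shared."""
    return "\n".join(sorted(blacklist))


def sample_log():
    """Constructed sample: one source issuing 80 HTTP/1.0 GETs in 8 seconds,
    one ordinary client fetching a page every 7 seconds. Not real traffic."""
    base = datetime(2012, 4, 28, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(80):
        ts = (base + timedelta(seconds=i // 10)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET / HTTP/1.0" 200 612')
    for i in range(5):
        ts = (base + timedelta(seconds=i * 7)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /index.html HTTP/1.1" 200 4521')
    return lines


def demo():
    """Run the whole triage over the constructed sample; returns the intermediate results."""
    stats = analyze(sample_log())
    flooders = flood_sources(stats)
    now = datetime(2012, 4, 28, 10, 1, 0, tzinfo=timezone.utc)
    blacklist = update_blacklist({}, flooders, now)
    # A later batch with no flooders: the entry ages out after the TTL.
    expired = update_blacklist(blacklist, [], now + timedelta(hours=2))
    return stats, flooders, blacklist, expired


if __name__ == "__main__":
    stats, flooders, blacklist, expired = demo()
    for ip, s in stats.items():
        print(f"{ip:15} total={s['total']:4} peak/10s={s['peak']:4} http1.0={s['http10']:4}")
    print("blacklist:\n" + blacklist_text(blacklist))
    print("after expiry:", expired)
```

Run over a real log, `analyze()` is what the "surprising" log review on slide 14 amounts to in code: a handful of sources with a very high in-window peak and an HTTP/1.0 share near 100% stand out from normal clients. The expiry in `update_blacklist()` is what makes the list temporary, as slide 25 requires; re-running it on each new batch of logs both adds fresh flooders and lets quiet ones drop off, and `blacklist_text()` is the shareable form.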
  26. Role of the CERT: international coordination. LOIC was synchronized using 3 different IRC servers (1 in Russia, 2 in the USA), plus 7 IRC servers for communication (Canada, 3 in Germany, Netherlands, Austria). Taking down these servers would end the attack. Collaboration with the FIRST network and international partners to take down these servers. International assistance to mitigate the attack (exchanging lists of IPs to filter).
  27. Conclusion. Anonymous is not a common group of hackers: • They are not hackers but a huge number of activists. • They do not use very sophisticated hacking techniques. • They can be assisted by hacking groups (LulzSec, TeamPoison, …) and also by local groups. Facing an Anonymous attack can only be done through coordination. Anonymous will be one of the main threats in the coming period: • Their numbers are increasing. • They are starting to get organized. • They are starting to learn hacking and to recruit hackers.
  28. Thank you!