Forget Bombs and Guns … this is the new Battle Field

Introduction

As we have seen in Russia’s suspected cyber attack on Web sites in Estonia, and in the Arab Spring uprising, the Internet is playing an increasing part in conflicts around the World. Thus, as we move into an Information Age, the battlefield of the future is likely to be in Cyber Space, and it will also be the place where nation states struggle to control news outlets.

Over the centuries, information has often been controlled by traditional media outlets, where the viewpoint on whether organisations and individuals are seen as threats is defined by the government of the time. On the Internet, national boundaries have become blurred, and the control that any nation can have over dissemination on the Internet has been eroded, especially given the openness of platforms such as Twitter and Facebook, and also of news Web sites. This article outlines how the Syrian Electronic Army (SEA), a pro-Assad group of “hacktivists”, with its limited resources, managed to compromise one of the leading news agencies in the World, not by directly compromising its site but through an associated one. This expands the scope of compromises from the sites operated by organisations to those of their trusted partners.

Reuters Hack

Over the weekend (at 12 noon on Sunday 22 June 2014) this was highlighted by the SEA redirecting users to a page which stated:

Stop publishing fake reports and false articles about Syria! UK government is supporting the terrorists in Syria to destroy it. Stop spreading its propaganda.

The target, though, was not the Reuters site itself, but content it hosted, which is also used by many other media outlets. This has happened in other related hacks, such as with the New York Times, where the SEA went after the domain name servers of the New York Times and Twitter through the registry records of Melbourne IT. Thus when a user wanted to go to the New York Times site, they were redirected to a page generated by the SEA.

In the case over the weekend, the web advertising site Taboola was compromised, which could have serious consequences for its other clients, who include Yahoo!, the BBC and Fox News. With the increasing use of advertising material on sites, it will be a great worry to many sites that messages from hacktivists could be posted through them. Previously, in 2012, Reuters was hacked by the SEA (Syrian Electronic Army), who posted a false article on the death of Saudi Arabia’s foreign minister Saud al-Faisal.

In a previous hack on The Onion, the SEA used one of the most common methods of compromise: a phishing email. With this, a person in the company clicked on a malicious link for what seemed to be a lead story from the Washington Post. Unfortunately it redirected to another site, which then asked for Google Apps credentials. After that, the SEA gained access to the Web infrastructure and managed to post a story.

It is possible that this attack on Reuters is based on this type of compromise, as it is fairly easy to target key users and then trick them into entering their details. Often the phishing email can even replicate the local login to an intranet, but it is actually a spoofed version. In the case of The Onion, the SEA even gained access to their Twitter account.

In classic form, The Onion, on finding the compromise, posted an article leading with:

“Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Death At Hands of Rebels.”

While it took a while for The Onion to understand what had happened on their network, Reuters detected the compromise quickly, and within 20 minutes the content had been fixed.

A cause or a fight?

Organisations need to understand that there are new risks within the Information Age and new ways to distribute messages, especially from those who are skilful enough to disrupt traditional forms of dissemination. Thus Hacktivism can become a threat to any nation state and organisation (Figure 1).

Figure 1: Security is not just technical, it is also Political, Economic, and Social

The important thing to note about Hacktivism is that the viewpoint on the Hacktivist will often reflect the political landscape of the time, and that time itself can change this viewpoint. While Adolf Hitler and Benito Mussolini are still rightly seen as terror agents, Martin Luther King and Mahatma Gandhi are now seen as freedom fighters. Thus viewpoints often change, and for some the Hacktivist can have the image of a freedom fighter.

Figure 2: Hacktivism

Big v Little

The Internet supports a voice for all, and there are many cases of organisations and nation states upsetting groups around the World, where those groups have successfully rebelled against them. In 2012, Tunisian Government web sites were attacked because of Wikileaks censorship, and in 2011, the Sony Playstation Network was hacked after Sony said they would name and shame the person responsible for jailbreaking their consoles (Figure 3). Just because you are small on the Internet doesn’t mean you cannot have a massive impact. Sony ended up losing billions on their share price, and lost a great deal of customer confidence.

Figure 3: Hacktivism examples

HBGary Federal

The HBGary Federal example is the best one in terms of how organisations need to understand their threat landscape. Aaron Barr, the CEO of HBGary Federal, announced that they would unmask some of the key people involved in Anonymous, and contacted a host of agencies, including the NSA and Interpol. Anonymous bounced a message back saying that they shouldn’t do this, as they would go after them. As HBGary were a leading security organisation, they thought they could cope with this and went ahead with their threat.

Anonymous then searched around on the HBGary CMS system, and found that a simple PHP request of:

http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27

gave them access to the complete database of usernames and hashed passwords for their site. As the passwords were not salted, it was an easy task to reverse the hashes back to the original passwords. Their targets, though, were Aaron Barr and Ted Vera (COO), each of whom used weak passwords of six characters and two numbers, which are easily broken.
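The unsalted storage described above is what made the leaked table so damaging: every account that shares a password shares a digest, so one lookup against a table of common passwords unmasks all of them at once. The following Python is an added example, not code from the article or from HBGary, showing the difference between that scheme and salted, iterated hashing (PBKDF2-HMAC-SHA256 from the standard library). The user table and iteration count are constructed for the demonstration and are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Constructed sample accounts (not real HBGary data). Two of them share
# a short password of the "six letters plus two digits" shape the text
# describes, so the collision in the unsalted table is visible.
SAMPLE_USERS: Dict[str, str] = {
    "ceo": "summer22",
    "coo": "summer22",
    "dev": "correct-horse-battery-staple",
}

# Assumed work factor for the demo; production values should follow
# current NIST/OWASP guidance and be raised over time.
PBKDF2_ITERATIONS = 200_000


def hash_unsalted(password: str) -> str:
    """The weak scheme: a bare digest of the password.

    Identical passwords produce identical digests, so a single precomputed
    table of common passwords reveals every matching account in one pass.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hashing stored as a self-describing string:
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt per user defeats shared lookup tables,
    and the iteration count slows each guess against a single account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time, so timing does not leak partial matches."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_user_table(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Store each user's password with the chosen scheme."""
    return {name: (hash_salted(pw) if salted else hash_unsalted(pw))
            for name, pw in users.items()}


def shared_digest_accounts(table: Dict[str, str]) -> Set[str]:
    """Accounts whose stored digest is shared with at least one other
    account: a direct measure of how much a leak exposes at once."""
    owners: Dict[str, Set[str]] = {}
    for name, digest in table.items():
        owners.setdefault(digest, set()).add(name)
    return {n for group in owners.values() if len(group) > 1 for n in group}


if __name__ == "__main__":
    weak = build_user_table(SAMPLE_USERS, salted=False)
    strong = build_user_table(SAMPLE_USERS, salted=True)
    print("unsalted, accounts sharing a digest:", shared_digest_accounts(weak))
    print("salted,   accounts sharing a digest:", shared_digest_accounts(strong))
    print("login check:", verify_salted("summer22", strong["ceo"]))
```

The stored-format string carries its own salt and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a schema change.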

Now that they had their login details, Anonymous moved on to other targets. Surely they wouldn’t have used the same password for their other accounts? But when they tried, they could get access to a whole range of accounts using the same password (including Twitter and Gmail). This allowed Anonymous access to GBs of R&D information. Then they noticed that the System Administrator for the Gmail email account was Aaron, and they managed to gain access to the complete email system, which included the email system for the Dutch Police.

Figure 4: Access to email and a whole lot more.

Finally they went after the top security expert: Greg Hoglund, who owned HBGary. For this they sent him an email, from within the Gmail account, posing as a system administrator and asking for confirmation of a key system password, which Greg replied with. Anonymous then went on to compromise his accounts, which is a lesson for many organisations. While HBGary Federal has since been closed down, due to the adverse publicity around the hack, the partner company (HBGary) has gone from strength to strength, with Greg making visionary presentations on computer security around the World.

Figure 5: Greg’s compromise.

Conclusions

A likely focus of the intrusion is a spear phishing email, where users are tricked into entering their user details, which allows the intruder to gain access to privileged systems. The worry with this compromise is that the Reuters site integrates over 30 third-party/advertising network agencies into its content, and a breach of any of these could compromise its whole infrastructure.

I am a technologist and not a political analyst, so I couldn’t make any political judgments around Hacktivism, but HBGary shows us a few things:

  • Use strong passwords.
  • Never re-use passwords.
  • Patch systems.
  • Watch out for social engineering.
  • Beware of unchecked Web sites.
  • Get an SLA (Service Level Agreement) from your Cloud provider. Organisations need to react quickly to a data breach, especially for email, and an SLA should state how quickly the Cloud provider will react to requests for a lockdown of sensitive information, along with providing auditing information to trace the compromise.
  • Don’t store emails in the Cloud.
  • Test your Web software for scripting attacks.

As for the Internet providing mechanisms for those with a grievance to air their viewpoint, some would say that individuals have the right to give their viewpoints, while others will say that their viewpoints are a threat to society, so it’s important for us all to make up our own minds, and to assess each case on its merit.
