Adam Vincent

Adam is a member of the Layer 7 Technologies Advisory Board – Public Sector for Layer 7 Technology and considered a trusted subject matter expert to the Department of Defense (DoD) and Intelligence Community (IC) in their goal of secure net-centric enablement and provided guidance in the government’s goal of sharing information more seamlessly.

January 15th, 2010

Iranian Cyber Army Strikes Again

Written by
Category Uncategorized
 

At the end of my post in December titled "Iranian Cyber Army Hacks Twitter", I asked "what's next for the Iranian Cyber Army". I appears that although trumped for media coverage this week with the Chinese attack on Google and Others, the Iranian Cyber Army has struck again, this time they have successfully defaced Baidu, a search engine based in China. Interestingly enough Baidu is the only competitor to Google in China, and stands to benefit should Google decide to close operations in China. For more information on the recent Google attack you can read my blog post on the topic (Cyber Attack on Google and Others).

It appears that Baidu was compromised similarly to Twitter on Tuesday, January 12th in that their DNS records were changed to point to a server hosted by the ISP ThePlanet.com in Houston, TX which displayed an Iranian Flag and message stating that the site was hacked by the Iranian Cyber Army to any user whom tried to use the Baidu website www.baidu.com. Baidu corrected the issue approximately 2 hours later according to sources on the internet.

As with Twitter, this appears to only have been a successful defacing attack, however the attacker could have just as easily created a fake baidu page, and pharmed or phished information from users.

It is startling the frequency at which these attacks are happening as of late and shows the dire need we have for a global cyber-coalition.

January 15th, 2010

Cyber Attack on Google and Others

On Tuesday, Google reported in their official blog that in mid-December they detected a "highly sophisticated and targeted" attack on their corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. Additionally, Google stated in this blog that 20 other large companies were similarly targeted. Google went on to state that they have evidence to suggest that a primary goal of the attackers was to access the Gmail accounts of Chinese human rights activists. This incident, as well as the limitation on free speech imposed on Google by the Chinese government, is forcing Google to review the feasibility of their business operations in China.

In follow-up, a number of security firms who are supporting the investigation have concluded that the number of attacked companies is not 20 but between 30 and 34. Most of the attacked were large Fortune 500 companies. The attack code named "Aurora" by the attackers was made up of dozens of pieces of malware, and several levels of encryption to hide itself in the targeted company networks and to obscure activity.

The U.S. Government has been under this type of attack for many years. This is the first time that a highly organized and sophisticated attack was launched on private industry. Who knows what the impact of this will be on the global economy? The mind can only fathom what would happen if each of the companies attacked lost some intellectual property which resulted in them being "second to market" for a product that they have been planning for and building for months or even years.

What we know about Aurora

There is some debate currently on whether Aurora leveraged a vulnerability in Internet Explorer and Adobe's Reader and Acrobat applications or whether the attack only leveraged Internet Explorer. Either way, Aurora installation began on the targeted system by viewing a malicious website or potentially through opening a PDF document sent in an email but as I mentioned this has not been substantiated by Adobe. Once executed in the browser an encrypted shell script would run. The shell script downloaded the binary from an external machine which once executed would open a backdoor to the attackers Command and Control servers. These servers were purportedly running in hosted facilities in the US. This allowed the attacker some level of access into the users machine and the network to which the machine is connected.

Microsoft Versions Affected:

According to Microsoft, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

Let's review the time line of events in this event. The following dates/times were derived from various sources on the internet.

Mid-December - Google detects a "highly sophisticated and targeted" cyber attack

January 2nd - Adobe becomes aware of "sophisticated, and coordinated" cyber attack

January 4th - Attack seems to have stopped as Command & Control Servers are shut down

January 12th/3pm - Google announces the Cyber Attack via blog

January 12th/3:16pm - Adobe announces the Cyber Attack via blog

January 12th/Evening - U.S. Government asks China for an Explanation

January 14th - Microsoft issues a security advisory


When looking at the time line the scary thing is that the attack seems to have been commencing from mid-December (let's say the 15th). If Google detected it at its start, which may not be the case, and it was not shut down till January 4th, the attackers had 21 days of access. It's scary to think how much information could have been stolen and potentially how much damage the attackers could have done in 21 days should this have been their goal.

As stated in the U.S. Government Cyberspace policy review, information and communication networks are largely owned and operated by the private sector, both nationally and internationally. The report goes on to state that Cyber security requires a public-private partnership as well as international cooperation. Unfortunately, we are sorely lacking in the ability to ensure a coordinated response and recovery to a significant incident should one occur. This time line only proves this point. It appears as though private/public communication did not effectively start till January 12th, during this time companies were infiltrated, but yet may not have known. Even if Google had notified all the companies it derived were under attack from the information they had available, there is nothing to say that another attack was not going on simultaneously by the same attackers but disconnected from the one affiliated with Google.

With worldwide cyber attacks becoming more focused, we must accelerate our ability to deal with them more rapidly in a coordinated fashion. This particular instance seems to have been about stealing information, monetary gain, or political issues. We need to remember that it could just have easily been about disrupting critical national infrastructure for pursuit of national disorganization and loss of life.

January 5th, 2010

Identity and Access Management in Cloud Computing #1

The new United States Federal Chief Information Officer (CIO) Vivek Kundra is serious about embracing cloud computing as a vehicle for rationalizing government IT assets, costs, and budgets. Aneesh Chopra, the Federal CTO follows suite, and has gone on the record to say that the federal government should be exploring greater use of cloud computing where appropriate. Cloud-based and Cloud application providing government storefronts like Apps.gov are being stood up in support of this goal. As stated by Vivek Kundra the major challenge they face in making cloud computing a reality is around Security and Privacy.

With this and an influx of government customers approaching Layer 7 for advice to deal with their cloud computing security and privacy challenges, I have been reading any cloud computing literature I can get my hands on. Although there is some good information coming out of the Cloud Security Alliance, NIST, and from industry sources, there is still a lack of sufficient detail on the topic of security and privacy to allow government customers to move forward smartly with cloud computing.

The fundamental shift from traditional IT to Cloud based IT is that enterprises are moving away from a model where they control all aspects of application delivery to a model where a large portion of the governance associated with the applications deployment and run-time characteristics of a service is controlled by the cloud provider. This is a significant move for the government which traditionally kept its IT close and its data even closer. One of the biggest questions is "How do I do Identity and Access Control and Management in the cloud" and that is a very good question.

There are a number of challenges associated with cloud computing and identity, access control and management, none of which have simple solutions. Challenges in provisioning identities for the cloud, storing identities so that the cloud has access, and enforcing fine-grained or even course grained access control in the cloud are all issues that have been resolved in the enterprise but require a new way of thinking in addressing them in cloud computing.

In the coming weeks, I will write a series of blog posts to flush out the concept of identity and access management in cloud computing, beginning next week with a description of cloud computing integration patterns.
December 18th, 2009

Iranian Cyber Army Hacks Twitter

Last night Twitter.com was hacked by a group purportedly titled the Iranian Cyber Army, at least that is what they want people to think. This group advertised they were responsible by displaying a redirected Web page with an Iranian flag and text that takes credit, saying "This website has been hacked by the Iranian Cyber Army". This morning another Web site (mawjcamp.org), which appears to be a Iranian Reformist website based outside of Iran, was also found to have been hacked.

This event comes at a time when the United States Government is saying that cyberspace is the next frontier for "organized" military/terrorist organizations to attack US critical infrastructure. Most probably don't think that Twitter is critical, however this does represent a formidable day in the cyber war. Although there have been other organized attacks to date, this is one of the most high profile instance of a politically motivated group attacking a website. Whether it is the so-called "Iranian Cyber Army" or a random group of mischiefs, this illustrates how vulnerable sites are to attack.

According to Twitter, the attack was accomplished by temporarily compromising the Twitter DNS records via DNS hijacking, to redirect incoming www.twitter.com to another webpage which was likely hosted on a free web hosting server, which hasn't been identified as of yet. DNS hijacking or DNS redirection is the proactive act of redirecting the resolution of Domain Name System (DNS) names to IP addresses from legitimate DNS servers to rogue DNS servers. This is done particularly for the practice of injecting malware into unsuspecting computers, pharming, phising or defacing.

This appears to only have been a successful defacing attack, the attacker could have just as easily created a fake twitter page, and pharmed or phished information from users. Those users would have unknowingly divulged their username and password to the attackers, and potentially their private tweets.

The question is: What is next from the Iranian Cyber Army?