Cybercrime, Cyberwars, Cyberterrorism and Hacktivism – Part 2 - The internet

Content Copyright © 2010 Bloor. All Rights Reserved.

The internet is a fantastic tool for organising attacks. Back in 2005 a web forum for Muslim extremists called on its members to organise an Islamist hackers’ army to carry out internet attacks against the U.S. government. The site posted hints and tips, software and links to other resources to help potential hacktivists. 

Called al-Farooq, the forum “represents a how-to manual for the disruption and/or destruction of enemy electronic resources, including e-mail, web sites and computer hardware,” according to The Jamestown Foundation [1], a US-based research group. One member of the forum called for the creation of an Islamist organisation, which he dubbed “Jaish al-Hacker al-Islami,” or the Islamic Hacker’s Army.

Reportedly, there was a set of tools maintained in a “hackers library” on the al-Farooq site, offering a range of malware designed to steal passwords, anonymise web surfing and otherwise interfere with a targeted computer system. There is no doubt that the internet is an important tool for various political groups wishing to spread their propaganda, share new ideas, recruit new members and develop tools and techniques for attacking targets.

Common mainstream social media and file-sharing sites such as YouTube and Facebook are used to demonstrate terrorist acts or to spread propaganda to an audience that would otherwise be out of reach, simply because of the massive adoption of these sites by so many people. Facebook now has over 500 million users, presenting a rich hunting ground for all types of hacktivist groups, who can sidestep conventional countermeasures against their propaganda (such as website takedowns) and go direct to a ready-made and often receptive user base. After all, the use of these sites by corporations as part of their outbound marketing mix gives credence to the effectiveness of this approach!

Open Source Intelligence Gathering (OSINT)
One significant use of the internet has to be the gathering of information and intelligence in preparation for criminal activities—terrorist or otherwise. The current culture of information sharing, most notably by those who are not quite middle-aged, provides a wealth of data that can be harvested by criminals and terrorists.

Quite frankly, everything and anything about some people’s lives is now published for all and sundry to see. In fact I would suggest that it is harder to find someone that doesn’t have a profile rather than one that does… Open source intelligence has now become a specialist art (or science), assisted in the main by many people’s stupidity.

The Please Rob Me website [2] extracted users’ profile and location information and highlighted when they were not at home—mostly because they had “Tweeted” that they were elsewhere. This level of open source intelligence gathering has been extended by others into a mapping service [3]: when users Tweet from a phone whose GPS logs their position, that position is sent to a mapping site and their location is displayed for all to see. There are reports of experiments to track the precise location of users in the United States who happen to work at Fort Meade, Maryland.

This is the home of the NSA, the National Security Agency, which is the cryptographic intelligence agency for the US Department of Defense. Yes, NSA employees were revealing where they were at any moment in time enabling those with ulterior motives to track them down and target them.

The UK’s Ministry of Defence has had similar problems [4]. Most would accept that you can watch employees coming and going from these locations but why make it any easier for potential attackers? Such information is reportedly being used in targeted phishing attacks where specific executives of companies working in sensitive areas, such as military suppliers, are being singled out using these techniques.

The huge number of webcams available across the internet enables target reconnaissance to be carried out from the comfort of home. Admittedly a lot of official “traffic cams” have built-in delays of a few minutes, undoubtedly to reduce their real time usefulness to criminals and enable the authorities to cut the feed if needed, but there is a vast number of other webcams available for viewing. Many of these are intentionally webcasting for marketing purposes in hotels, restaurants and tourist areas but others are local security cameras that have not been secured and can be used by anyone. Of course, if these existing cameras fail to provide appropriate target coverage it is trivial for many groups to set up their own facilities for target reconnaissance or even in support of an action.

Mobile phones are also being increasingly targeted by criminals and terrorists as there are a number of ways in which mobile phone voice data can be intercepted.

Spyware can be loaded onto a phone that, in turn, can activate the phone as a bugging device with full remote control available to an eavesdropper. Advanced spyware has a number of features, including voice-activated microphones to save on battery life and the ability to auto-forward SMS messages and the contact list on a phone. GSM encryption can be hacked, and a number of attacks have been demonstrated which, in theory and given suitable resources, show that mobile phone encryption could be compromised. This is a passive attack and is undetectable, as the signals are received using a specialised radio which is both portable and easy to hide.

Finally, we must not forget the inside threat. Threats to information security systems often emanate from inside an organisation and these can take the form of knowledgeable insiders being bribed or bullied into supplying relevant cell phone data and can even be an employee planted by a security agency. In June 2010, a technician who worked in a Lebanese mobile phone operator [5] was arrested for being an Israeli spy and giving access to phone calls for 14 years. Because of the man’s role on the technical side of the cell phone network’s operations, it was assumed that the entire national network had been compromised.

More advanced attacks involve mobile phone “capture”. This is an interesting hack as it exploits a couple of design weaknesses found within GSM mobile phones.

The first is that, whilst a mobile phone needs to authenticate itself to a network, the network itself is not authenticated by the mobile phone. Coupled with the design requirement for mobile phones to connect to the nearest base station, based on signal strength, this means a fake base station can be set up and all local call traffic captured. As mobile phone calls are only encrypted from the phone to the base station, a fake base station will be able to process calls “in the clear”. This is called an active attack and, whilst it may appear complicated, a number of commercial products are available to authorised agencies and government departments.

In early 2010, active attacks were demonstrated using hardware and software that can be purchased for around £1000, less than 1% of the cost of commercially available solutions. 3G phones utilise mutual authentication between the phone and the network, so aspects of these attacks will no longer be valid when networks are exclusively 3G and above. Until then, the sharing of GSM and 3G systems in support of broader network coverage can still see 3G phones subject to compromise using this approach.
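The two preceding paragraphs hinge on one protocol detail: in GSM only the phone is challenged, so any station that transmits a RAND gets an answer, whereas 3G adds a token (AUTN) that the phone verifies before it responds. The following Python model, added here as an illustration and not code from the original article, makes the difference concrete. It is a deliberate simplification: the HMAC-SHA256 functions stand in for the real A3/A8 and UMTS f1 algorithms, the AUTN layout is reduced to a sequence number plus a MAC, and a station created without the subscriber key represents a base station that is not the subscriber's home network. All names and the key value are constructed for the example.

```python
"""Toy model of one-way (GSM-style) versus mutual (3G/UMTS-style) authentication.

Constructed example: HMAC-SHA256 stands in for the real A3/A8 and f1 functions,
and the AUTN token is simplified to SQN (6 bytes) || MAC (8 bytes). Only the
*direction* of authentication is modelled, not the real cryptography.
"""
import hashlib
import hmac
import os

# Constructed subscriber key (Ki in GSM, K in UMTS); shared by phone and home network.
SUBSCRIBER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def response(key: bytes, rand: bytes) -> bytes:
    """Phone's answer to a challenge (stand-in for A3 producing SRES/RES)."""
    return hmac.new(key, b"RES" + rand, hashlib.sha256).digest()[:4]


def network_mac(key: bytes, rand: bytes, sqn: bytes) -> bytes:
    """Network's proof that it knows the key (stand-in for UMTS f1 producing MAC-A)."""
    return hmac.new(key, b"MAC" + rand + sqn, hashlib.sha256).digest()[:8]


class Phone:
    def __init__(self, key: bytes):
        self.key = key
        self.last_sqn = -1  # highest sequence number accepted so far (replay check)

    def gsm_attach(self, rand: bytes) -> bytes:
        # GSM: the phone never checks who sent RAND; it always answers.
        return response(self.key, rand)

    def umts_attach(self, rand: bytes, autn: bytes):
        # UMTS: verify the network's MAC over (RAND, SQN) before answering at all.
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, network_mac(self.key, rand, sqn)):
            return None  # network failed to prove knowledge of K: refuse to attach
        sqn_value = int.from_bytes(sqn, "big")
        if sqn_value <= self.last_sqn:
            return None  # token replayed from an earlier exchange: refuse
        self.last_sqn = sqn_value
        return response(self.key, rand)


class BaseStation:
    def __init__(self, key=None):
        self.key = key  # None models a station that does not hold the subscriber key
        self.sqn = 0

    def gsm_session(self, phone: Phone) -> bool:
        """Return True if the phone attaches (answers the challenge)."""
        rand = os.urandom(16)
        sres = phone.gsm_attach(rand)
        if self.key is not None:
            return hmac.compare_digest(sres, response(self.key, rand))
        # A station without the key has nothing to compare against; in GSM the
        # phone has already answered, which is all that is needed to hold the call.
        return sres is not None

    def umts_session(self, phone: Phone) -> bool:
        """Return True only if both sides accept each other."""
        rand = os.urandom(16)
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        # Without the key the MAC can only be guessed (2^-64 chance of success).
        mac = network_mac(self.key, rand, sqn) if self.key is not None else os.urandom(8)
        res = phone.umts_attach(rand, sqn + mac)
        if res is None:
            return False  # phone rejected the network
        if self.key is not None:
            return hmac.compare_digest(res, response(self.key, rand))
        return True


def compare_protocols() -> dict:
    """Run one GSM and one UMTS attach against a keyed and an unkeyed station."""
    results = {}
    for label, station in (("home_network", BaseStation(SUBSCRIBER_KEY)),
                           ("unknown_station", BaseStation(None))):
        results[label] = {
            "gsm": station.gsm_session(Phone(SUBSCRIBER_KEY)),
            "umts": station.umts_session(Phone(SUBSCRIBER_KEY)),
        }
    return results


if __name__ == "__main__":
    for station, outcome in compare_protocols().items():
        print(station, outcome)
```

Running it shows the home network accepted under both schemes, while the station without the key is accepted by the GSM logic and rejected by the UMTS logic. The sequence-number check is included because mutual authentication alone is not enough: a station that replays a previously captured genuine (RAND, AUTN) pair would otherwise pass the MAC check, which is why the real protocol tracks SQN as well.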

The next article in this series will cover specific computer attacks including DDoS and Stuxnet.

References

[1] The Jamestown Foundation website. http://www.jamestown.org/ Last accessed 9th December 2010
[2] Please Rob Me website. http://pleaserobme.com/ Last accessed 9th December 2010
[3] Twittermap website. http://twittermap.tv/ Last accessed 9th December 2010
[4] BBC News 25th June 2008. “MoD ‘Facebook generation’ warning”. Available at http://news.bbc.co.uk/1/hi/uk_politics/7473818.stm Last accessed 9th December 2010
[5] BBC News 29th June 2010. “Lebanon arrests ‘Israeli spy’ from mobile phone company” Available at http://www.bbc.co.uk/news/10444459 Last accessed 9th December 2010