In this lesson, we'll look more in depth at two different cyber attacks.


Statue commemorating Soviet WWII soldiers that was moved by the Estonian government, sparking attacks.
(from wired.com article)

2007 Take-down of Estonia: DDoS at the level of a nation

In 2007, the nation of Estonia was victimized by coordinated DDoS attacks against many national institutions. The Wired article referenced below gives a really nice, dramatic account of the attacks. The scope of the attacks and the fact that it was really an attack against a nation, make this an interesting case study for us.

Estonia is a small Baltic country that used to be part of the Soviet Union. On April 27th, 2007, the Estonian government moved a Soviet-era memorial to the Soviet soldiers that fought in WWII from a prominent location in downtown Tallinn to a military cemetery in the suburbs. This was a very contentious issue between Estonia and Russia. In the days that followed, Estonian institutions, both governmental and non-governmental, were targeted by a wave of cyber-attacks — predominantly DDoS attacks. This was really an attack on the network infrastructure of the whole nation.

Some of the attacks were carried out by "script kiddies", meaning users who are not particularly knowledgeable about hacking but who blindly follow instructions on hacker websites to carry out attacks. For example, they might copy a script that sends thousands of ping requests a second to a host. If that host is providing service as a DNS or web server, it might stay so busy responding to pings that it can't provide its service. Chat rooms provided a means to encourage script kiddies to attack, to coordinate the attacks, and to give instructions on how to carry them out. For example, the Wired article below quotes this post from a Russian online forum: "You do not agree with the policy of eSStonia??? You may think you have no influence on the situation??? You CAN have it on the Internet!"

Another kind of DDoS attack was carried out on, for example, Postimees (www.postimees.ee), an Estonian newspaper/website. The website has message boards, and the attackers had scripts that posted spam to them. This kept legitimate users out, clogged the message boards with garbage, and ultimately brought down the site's servers. We can actually carry out this kind of attack on rona and the instructor message boards. It's quite illustrative. The instructions below tell you how to instantly post 100 new spam messages to the message board.

  1. Create an account on your instructor's message board and log in. (We're assuming here you're attacking instructor bilzor.)
  2. Copy the code below, paste it into the SI110 Batch Interpreter, and click "Run" to execute it.
  3. Now go look at the page, and you should see 100 new silly 30-word messages.

var i = 0;
while (i < 100)
{
	i = i + 1;

	// Make a silly random 30-word message
	var words = ["the","rain","in","Spain","falls","mainly","on","the","plain"];
	var msg = "";
	var j = 0;
	while (j < 30)
	{
		msg = msg + words[Math.floor(Math.random() * 9)] + " ";
		j = j + 1;
	}

	// Post the message to the message board without navigating to it
	try
	{
		var xmlhttp = new XMLHttpRequest();
		xmlhttp.open("GET", "http://rona.academy.usna.edu/~bilzor/msg/mb.cgi?msg=" + msg, true);
		xmlhttp.send(null);
	} catch (e)
	{
		xmlhttp = false;
	}
}
If you follow these instructions (which you should only do if and when your prof says it's OK!) then congratulations: you're a script kiddie! If you modified the above code to suit your own nefarious purposes, then congratulations: you're an evil hacker!

More serious than the script kiddies in the attacks on Estonia were the attacks from botnets: large collections of zombies, which are hosts that have been compromised by an attacker but function as usual until they receive the command to start whatever malicious activity their masters require. In this case, the botnets were used to perform DDoS attacks. The Wired article reports that in one day there were over 58 separate botnet attacks on Estonian targets. Estonia was being attacked by large numbers of hosts from Egypt, Vietnam and Peru ... not countries with a traditional interest in Estonian politics. These hosts were in fact simply zombies in a botnet.

In the face of something like this, what can be done? Since the attacks were coming from all over the world, the only thing that Estonia could do on its own was to sever its connections to the rest of the world. This is, obviously, a disaster. Addressing the problem in an acceptable way required the cooperation of many players outside of Estonia. The botnet IPs needed to be identified and packets from them filtered out, not at their target, Estonia, where the traffic was already overwhelming, but closer to their sources. ISPs around the world would have to agree to filter out traffic from the attacking IP addresses that fell within their corner of the Internet. The Wired article below has an interesting section describing how that happened.
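As an added example, not code from the lesson or from any of the articles it cites, here is a small Python flood detector that does in miniature what the defenders above had to do: identify which source addresses are flooding (the ping-flood and message-board-spam patterns described earlier) and hand that list to whoever sits closest to the sources for filtering. The access log, the addresses (RFC 5737 documentation ranges), the 10-second window and the threshold of 50 requests are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split '<ISO timestamp> <source IP> <method> <path>' into its fields."""
    ts, ip, method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, method, path


def build_sample_log():
    """Constructed access log: two ordinary visitors plus one host that posts
    100 messages to the message board inside two seconds (the script-kiddie
    pattern described in the lesson). Addresses are RFC 5737 documentation
    ranges, not real hosts."""
    t0 = datetime(2007, 4, 28, 10, 0, 0)
    lines = []
    for k in range(20):
        lines.append(f"{(t0 + timedelta(seconds=3 * k)).isoformat()} 203.0.113.5 GET /index.html")
        lines.append(f"{(t0 + timedelta(seconds=5 * k)).isoformat()} 192.0.2.9 GET /mb.cgi")
    for k in range(100):
        ts = t0 + timedelta(seconds=30, milliseconds=20 * k)
        lines.append(f"{ts.isoformat()} 198.51.100.7 GET /mb.cgi?msg=the+rain+in+Spain")
    lines.sort(key=lambda line: parse_line(line)[0])
    return lines


def find_flooders(lines, window_seconds=10, threshold=50):
    """Sliding-window request counter per source address.

    Returns {ip: peak_requests_in_window} for every source that exceeded the
    threshold in some window. Both parameters are assumptions for the example;
    real thresholds depend on the service's normal load."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        ts, ip, _method, _path = parse_line(line)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def drop_sources(lines, blocklist):
    """Apply a source-address filter to the request stream.

    The lesson's point is where this runs: dropping at the overloaded target is
    too late, so the block list goes to the ISPs nearest the attacking
    addresses, which filter the traffic before it crosses the Internet."""
    return [line for line in lines if parse_line(line)[1] not in blocklist]


if __name__ == "__main__":
    log = build_sample_log()
    flooders = find_flooders(log)
    print("sources to filter upstream:", flooders)
    print("requests left after filtering:", len(drop_sources(log, set(flooders))))
```

Run on the constructed log, the detector flags only 198.51.100.7 (100 requests inside one window) and leaves the two ordinary visitors alone; a per-source threshold like this is the simplest form of the "identify the attacking IPs" step, and the output is only useful if it reaches the networks near those sources.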

References

  1. Hackers Take Down the Most Wired Country in Europe, Wired, August 21, 2007.
  2. A look at Estonia's cyber attack in 2007, MSNBC, July 8, 2009.
  3. Estonia readies for the next cyberattack, Computerworld, April 7, 2010.
  4. The cyberattack that changed the world, The Daily Dot. Retrieved: 30 Nov 2016.

2011 Attack on Lockheed-Martin

In late May of 2011, Lockheed-Martin (a big defense contractor) was targeted by a cyber-attack. The way in which this attack was carried out makes it an interesting case study for us. Lockheed-Martin claimed that it discovered the attack early and reacted to it quickly, with the result that no real harm was done. We have no real way to know whether or not that's accurate. In any event, what it does speak to is the importance of defense in depth and vigilance in network defense.


SecurID Key Fob
The story of the Lockheed-Martin break-in starts with an idea we discussed in the Models and Tools section of the course: two-factor authentication. Recall that a "factor" in authentication can be something you know, something you are or something you have. A two-factor authentication system requires you to present instances of two of these three to authenticate with a system. Lockheed-Martin employed a two-factor authentication system that combined a password (thing you know) with SecurID, a system produced by RSA labs that provides a "thing-you-have" factor. The way SecurID works is as follows: You get a little key fob, like the one shown to the right, which displays a number that changes every 60 seconds. Each key fob has a unique number called its seed, which determines what number is shown on the fob at any given point in time. The server stores your username, password hash and the seed value for your key fob, and this allows it to determine what number is showing on your key fob. The server also stores the algorithm used to generate the number for a specific seed value, date, and time. When you authenticate, you enter your username and regular password, then you look at the key fob and enter the number shown there. The authentication server knows what number should be shown at that time on the key fob, since it has the algorithm, and so can verify that the key fob is indeed a thing you have. This is called a One Time Password (OTP) system.

This OTP two-factor authentication system is really just another instance of defense in depth. Stealing a person's password isn't enough; you've got to steal their key fob, which is a physical thing-you-have. Thus, even if a bad guy has a key logger on your computer, he can't really authenticate because, while he'll see your password and he'll see the number you typed in from your key fob, that number isn't valid when he tries to login with your stolen credentials. On the other hand ...


The email used in the RSA attack (from wired.com).

In March of 2011, someone attacked RSA with a relatively unsophisticated phishing attack. Would you open the attachment from the e-mail shown on the right? The attachment is an Excel file, and it has embedded code that exploited a zero-day vulnerability in Adobe Flash in order to set up a sophisticated backdoor — a way for the attackers to get into the computer. Because the vulnerability was a zero-day, the exploit would have succeeded even if RSA's software had been fully up to date. Furthermore, even the anti-virus software running on their systems did not stop the advanced remote access tool variant that was installed. The only thing that would have stopped this attack is educated and aware employees - employees who would know not to open the email attachment.

The backdoor gave the attackers low level access and they persisted on the network until they escalated their privileges. With root/administrator privileges, the attackers were able to ultimately steal from RSA the seed values of we're-not-sure-how-many SecurID key fobs. [Note: RSA has not, as far as we're aware, admitted that any seed values were stolen. However, there seems to be overwhelming evidence that they were.]

The algorithm used to generate the OTP was not considered a company secret since it was shared with the organizations that purchased the SecurID so that their servers could compute the OTPs. Thus, it is reasonable to assume the attackers could have already had the algorithm - perhaps they worked for an organization that purchased the SecurID system from RSA.

While RSA admitted that the attack took place at the time, they wouldn't specify what if anything had been compromised, and they claimed that the attack would not allow a "direct attack" on SecurID.

Presumably their rationale was that the seed values alone weren't enough to attack authentication, because you would have to be able to match the seed value with a particular account, i.e. you'd have to know the system it was used to log in to and the username on that system for the individual with the key fob. With the large number of organizations that had purchased the SecurID key fobs from RSA, they may have felt that the probability of the attackers being successful at matching the seed values to a specific user at a specific organization was extremely low.

If this was their logic, it was flawed, as we will see below. Either that or they were playing semantic games with the phrase "direct attack".

Advanced Persistent Threat - the process (Advanced Persistent Threats: How They Work, Symantec.com). Notice the overlap with many of the aspects of security we have addressed in this course.

Then, in late May of 2011, the action moved to Lockheed-Martin - something RSA had not considered. Attackers managed to get a key logger on a host belonging to someone who worked for the company. The host was a computer used by the employee to telecommute (VPN) into Lockheed-Martin's network. The key logger recorded the username, password and SecurID one-time-passwords (OTPs) used by the victim when he authenticated, along with the date/time of the login. This is just the kind of scenario two-factor authentication is designed to protect against. The attacker can't authenticate, because knowing the username, password and an old OTP isn't enough: the current OTP is required, thus the attacker needs to have the SecurID key fob.

However ... these attackers had the stolen seed values and probably also the algorithm that generated the OTP from a given seed value. Therefore, for a given seed value and date/time, they could simply calculate the OTP that a key fob with that seed value would display at that date/time. All they had to do was to write a program that would compute, for every stolen seed value, the number that would've been showing at the date/time their key logger recorded the victim's login. Once they found a match with the OTP the key logger recorded, they'd have matched a seed value with a username, at which point it was as if they actually had the key fob themselves. Whether this exact method was used or not, the bottom line is that attackers were able to authenticate on Lockheed-Martin's system with a valid username, password and SecurID OTP.
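As an added example, not code from the lesson and not RSA's SecurID algorithm, here is a toy time-based OTP scheme in Python that puts the SecurID description above and the seed-matching argument in this paragraph side by side: the fob-side code generator, the server-side two-factor check, and the check a leaked seed table makes possible. The generator is an HMAC-SHA1, TOTP-style stand-in (RFC 6238 shape) that changes every 60 seconds as the lesson says the fob does; the usernames, passwords, seeds and the timestamp are constructed, and the replay guard in the verifier is a defender-side addition beyond the lesson text.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the fob's number changes every 60 seconds (lesson text)
DIGITS = 6          # constructed choice for the example


def fob_code(seed: bytes, unix_time: int) -> str:
    """What the key fob shows at `unix_time` for this seed.

    Toy TOTP-style construction: HMAC-SHA1 over the time-step counter, then
    dynamic truncation to DIGITS digits. It is not SecurID's algorithm; the
    lesson's argument holds for any deterministic f(seed, time)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def password_hash(password: str) -> str:
    # Constructed stand-in; a real server uses a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


# Server-side table: username -> (password hash, fob seed). All values constructed.
USER_DB = {
    "alice": (password_hash("correct horse"), b"constructed-seed-0001"),
    "bob": (password_hash("battery staple"), b"constructed-seed-0002"),
    "carol": (password_hash("hunter2"), b"constructed-seed-0003"),
}

# Time steps already accepted per user, so a code cannot be replayed even
# inside its 60-second validity window (defender-side addition).
_used_steps = {}


def verify_login(username: str, password: str, code: str, unix_time: int,
                 skew_steps: int = 1) -> bool:
    """Two-factor check: password hash must match and `code` must equal the
    fob value for the current step or one step either side (clock skew)."""
    record = USER_DB.get(username)
    if record is None or not hmac.compare_digest(record[0], password_hash(password)):
        return False
    seed = record[1]
    current = unix_time // STEP_SECONDS
    for step in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(code, fob_code(seed, step * STEP_SECONDS)):
            used = _used_steps.setdefault(username, set())
            if step in used:
                return False    # same OTP presented twice: reject the replay
            used.add(step)
            return True
    return False


def seeds_matching_observation(seed_table: dict, code: str, unix_time: int) -> list:
    """The lesson's argument in code: given a seed table and one logged
    (OTP, time) pair, return the seeds that reproduce the code. With a large
    table a 6-digit code can match several seeds by chance; the defender's
    conclusion is that the seed table IS the "thing you have" and must be
    protected as such."""
    return [label for label, seed in seed_table.items()
            if fob_code(seed, unix_time) == code]


if __name__ == "__main__":
    t = 1306800000                              # constructed timestamp, late May 2011
    captured = fob_code(USER_DB["alice"][1], t) # what a key logger would record
    print("login with fresh code:", verify_login("alice", "correct horse", captured, t))
    print("same code replayed:  ", verify_login("alice", "correct horse", captured, t))
    print("code ten minutes later:", verify_login("alice", "correct horse", captured, t + 600))
    seeds = {user: rec[1] for user, rec in USER_DB.items()}
    print("seed matching the logged (code, time):", seeds_matching_observation(seeds, captured, t))
```

Running it shows the three properties the lesson relies on: a logged code verifies once at its own minute, the same code is rejected on replay and again ten minutes later (the protection two-factor authentication is supposed to give against a key logger), and with the seed table in hand the same logged (code, time) pair picks out the seed, which is why the seed database, not the fob, was the real secret.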

Lockheed-Martin claims to have recognized very quickly that their authentication was compromised and taken steps to secure their system. In particular they said that no important data was lost. Whether to believe that is up to you. The problem is that, as with RSA, companies do not like to confess that they've been hacked or that a breach is serious. At least two other companies were attacked this same way using the stolen RSA seed values. RSA was forced to admit that the seed values had indeed been stolen, and decided it would replace every one of the SecurID tokens (key fobs and other similar devices). All 40 million of them. There are some very interesting aspects of this attack that are worth thinking about.

References

  1. Lockheed Martin Suffers Massive Cyberattack, InformationWeek, May 31, 2011.
  2. How bad was the cyber attack on Lockheed Martin?, Christian Science Monitor, May 29, 2011.
  3. RSA Details SecurID Attack Mechanics, InformationWeek, April 04, 2011.
  4. RSA finally comes clean: SecurID is compromised, Ars Technica, June 2011.
  5. Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight, Wired, August 26, 2011.
  6. After the Cyber Attack on Lockheed Martin, What's the Future of RSA SecurID?, Popular Mechanics, June 3, 2011.
  7. Gauging The Long-Term Effects Of RSA's Breach, Dark Reading, Nov 14, 2011.
  8. China Hacked RSA, U.S. Official Says, Dark Reading, Mar 29, 2012.

And so on and so forth ...

Cyber-attacks are happening all the time. There is an endless supply of news articles. Here are a few recent news items ... not necessarily the most important, just what we happened to see.