General Information About Cybersecurity
If your experience is at all like mine, you will find that you need to both educate and convince people — from the "on-the-front-lines" users to management. Here's some help. Tell them about telecommunications outages, big-money losses, cyberwar, COMSEC, and more.
In the following list:
AWST = Aviation Week and Space Technology
WSJ = Wall Street Journal
DOD = U.S. Department of Defense
Any estimate of total losses will always be very approximate, and significantly under-reported. Some losses aren't noticed, or the victim realizes that something happened but doesn't see the full extent. Also, since it is embarrassing to admit a loss, individuals and organizations report a smaller loss, or no loss at all.
Andersen Consulting estimated in 1997 that computer security breaches cost businesses 10 billion US$, and that 59% of businesses selling over the Internet reported security breaches.
In early 2018, Symantec reported that 978 million people in just 20 countries were affected by cybercrime in 2017, and consumer losses there were 172 billion US$.
Undersea Cable Losses
These happen far more frequently than most people realize. See the interactive Submarine Cable Map for fascinating details about cables, and the Submarine Telecoms Forum for reports on cable faults. Also see the list of international submarine cables for links to Wikipedia articles on many cables.
1929 — An earthquake in Newfoundland broke twelve trans-Atlantic cables by triggering a massive undersea avalanche.
2005 — A portion of the SEA-ME-WE 3 submarine cable (running from Germany, down the Atlantic coast and across the Mediterranean and Red Sea, to Arabia, Pakistan, India and Sri Lanka, then through Southeast and East Asia and to Australia) broke 35 kilometers south of Karachi. This disrupted almost all of Pakistan's communications with the rest of the world.
2006 — The SEA-ME-WE 3 submarine cable was severed 26 December by a magnitude 7.1 earthquake off the coast of Taiwan, causing a major disruption in Internet service to East Asia.
2007 — Pirates stole an 11 kilometer section of the T-V-H (Thailand - Vietnam - Hong Kong) cable in hopes of selling the 100 tons of cable as scrap. LIRNEasia has a story about this.
2008 — A cluster of cuts in the Mediterranean and the Persian Gulf. For a description of these outages, see the Wikipedia article.
- 23 January — The FALCON cable was cut, disrupting service between Persian Gulf states and India.
- 30 January — The SEA-ME-WE 4 and FLAG telecom cables were almost simultaneously damaged several kilometers apart in the Mediterranean Sea near Alexandria, Egypt. There has been speculation that both were damaged by a ship dragging its anchor, but port video footage shows no ship passing through the area where the damage occurred.
- 1 February — The FALCON cable was cut between Muscat, Oman and Dubai, UAE.
- 3 February — A cable called DOHA-HALOUL, connecting Qatar to the UAE, was damaged between the Qatari island of Haloul and the UAE island of Das.
- 4 February — SEA-ME-WE 4 was cut at another location, near Penang, Malaysia.
- 19 December — The FLAG telecom, SEA-ME-WE 3, and SEA-ME-WE 4 cables were cut in the Mediterranean, disconnecting Sicily, Malta, and Alexandria, Egypt, and disrupting 75% of data and voice communication between the Middle East and Asia and the rest of the world. The GO-1 cable linking Sicily to Malta was also cut. The cause was unclear; France Telecom issued a press release saying they had been cut by either bad weather conditions or a ship's anchor.
2009 — In late July, the SAT-3 cable was damaged, causing Internet connectivity problems or complete outages in multiple west African countries including Benin, Togo, Niger, and Nigeria. Togo and Niger were completely offline, while Benin maintained some connectivity only by rerouting traffic through neighboring countries. All three used alternative satellite links to maintain some connectivity. Nigeria had a 70% bandwidth loss, causing problems in banking, government, and mobile networks (and probably slowing down all those offers allegedly from the Widow Abacha of $12 MILLION US DOLLAR to random e-mail recipients).
2010 — The SEA-ME-WE 4 system crossing the Mediterranean, Red Sea, and landing at several points along the northern Indian Ocean, was cut in three places off Palermo, Italy.
2011 — The Tōhoku earthquake in March 2011 damaged several undersea cables, including APCN-2 (a ring joining Japan, the Republic of Korea, China, Hong Kong, Taiwan, Malaysia, Singapore, and the Philippines), Pacific Crossing West and Pacific Crossing North, segments of the East Asia Crossing network, a segment of the Japan-U.S. Cable Network, and the PC-1 cable joining two points in Japan with two points on the U.S. west coast.
2012 — The TEAMS (The East African Marine System) cable was cut in February by the anchor of a ship waiting to enter Mombasa; see the BBC story. Three cables in the Red Sea had been cut ten days before that, per the WSJ of 28 February: EASSy (the Eastern Africa Submarine Cable System), the Europe India Gateway (EIG), and South East Asia Middle East Western Europe-3 (SMW-3). Renesys has an article describing these cuts and the impact on connectivity. TEAMS was cut again just 35 days after being repaired. Then in June, SMW-4 was cut near Singapore, largely disconnecting Bangladesh and severely degrading some providers' customers in Singapore, Pakistan, Kuwait and the UAE.
- Three Egyptian knuckleheads were arrested for trying to cut an undersea Internet cable in March. "According to Egyptian military spokesman Colonel Ahmed Mohammed Ali, three men were discovered attempting to sabotage an undersea Internet cable from a fishing boat located approximately 820 yards from Alexandria. As a result, Internet users in Egypt have suffered reduced speeds [....]" This was the SEA-ME-WE 4 fibre joining France, Algeria, Tunisia, Italy, Egypt, Sudan, Saudi Arabia, United Arab Emirates, Pakistan, India, Sri Lanka, Bangladesh, Thailand, Malaysia and Singapore. It's the main Internet backbone link joining Europe, the Middle East, the Indian subcontinent and South East Asia.
- TELE Greenland's submarine cables were cut twice by a fishing trawler in May.
- In March there were cuts in the Fiber Optic Gulf (FOG) cable in the Persian Gulf, the Middle Eastern and Indian FLAG-FALCON cable, the East Asian APCN-2 cable, and the East African EASSy cable. See an overview here.
- The Asia-America Gateway was broken between Vietnam and Hong Kong in July and again in September; see stories here and here.
- The SEA-ME-WE 3 cable was broken between Jakarta and Singapore in December, 2014. It had suffered an earlier outage in July, causing an eight-week degradation of service.
2015 — Cuts throughout the year:
- The West Lake Macquarie area of Australia was without phone and Internet for three weeks in January after a boat's anchor cut a major Telstra submarine cable.
- Bangladesh had degraded service for a week after damage to the 480 Gbps SEA-ME-WE 4 cable between Mumbai and Chennai.
- Multiple undersea cable faults connecting to the Mumbai landing point were blamed for Internet problems throughout India on 20 February. The cuts were in the I-ME-WE cable and the TGN-Intra Asia Cable System, about 110 km from Mumbai.
- A submarine fibre cable was supposedly sabotaged in April, cutting the country of Gabon off the Internet.
- The Southern Cross Cable network joining New Zealand, Australia, and Fiji to the U.S. lost a segment for 8 hours on 21 May when an excavator cut a buried fibre near Klamath Falls, Oregon. The same link had been cut in February when a boring machine cut through buried fibre line near Sacramento, California.
- The Asia America Gateway cable was broken repeatedly: 5–22 January, for several weeks starting in January (a related break near the Philippines was announced in early February), from 13 April to 12 May, and again on 26 May. It was then taken down for repairs 5–12 June between its landing point in Vung Tau, Vietnam and the other landing points in Malaysia, Singapore, Thailand, Brunei, Hong Kong, the Philippines, Guam, Hawaii, and California.
- An undersea cable cut on 25 June degraded communication between Pakistan and the outside world.
- The only undersea cable joining the Commonwealth of the Northern Mariana Islands via Guam to the rest of the world was cut on 9 July, cutting off telephone, Internet, banking, and other communications.
- The Australia Japan Cable failed in 7,000 to 8,000 meters of water between Maruyama, Japan and Tumon Bay, Guam on 24 August, forcing the rerouting of over 400 gigabits per second of traffic.
- Libya's landline phone system went down in most of the country after the submarine cable landing point at Sirte was damaged on 26 August. The area was held by ISIS, who were likely behind the damage.
- The I-ME-WE cable was cut on 9 October near Marseilles, cutting off 3.84 terabits per second to and from its landing points to the east in Catania, Italy; Tripoli, Lebanon; Alexandria and Suez, Egypt; Jeddah, Saudi Arabia; Karachi, Pakistan; and Mumbai, India.
- The SEA-ME-WE 3 cable suffered another break in September, degrading service to Australia and Brunei. It was thought to be repaired in October, but was again down between Singapore and Perth in early November.
- The SEA-ME-WE 4 cable between Annaba, Algeria and Marseilles, France, was cut on 22 October, taking out 80% of Algerie Telecom's international bandwidth. The cable was restored a week later.
- On 21 December the Basslink cable connecting Tasmania to the Australian mainland failed, cutting off electricity as well as telecommunications. Repairs were expected to take two and a half months. Basslink is an HVDC power cable, operating at 400 kV DC and carrying 500 MW of electrical power. It includes a fibre link, the first non-Telstra fibre crossing the Bass Strait.
2016 — More of the same:
- Multiple submarine cable cuts near Egypt on 23 January reduced traffic to the UAE telecoms service provider du. The cuts to the EIG, FEA, and Falcon cables took longer to repair than first anticipated.
- The PPC-1 cable joining Cromer, Australia, with Piti, Guam, with 1.92 terabits per second capacity, was broken about 4,590 kilometers from its Guam landing on 7 February, and was expected to be out for at least a month.
- A lightning strike on 19 February at the U.S. landing point of the Maya-1 cable system in Hollywood, Florida, cut off that cable, which runs to Cancun, Mexico and continues to the Cayman Islands; Puerto Cortes, Honduras; Puerto Limon, Costa Rica; Maria Chiquita, Panama; and Tolu, Colombia. Customers of one Cayman Islands telco could not reach emergency numbers during the outage.
- Cyclone Vardah damaged submarine cables to eastern India in early December 2016, repairs lasted until January.
- A ship's anchor cut three cables in the English Channel in November 2016, they were repaired on 8 January 2017.
- The Asia America Gateway cable to Vietnam broke on 8 January 2017.
- The Globacom-1 (GLO-1) submarine cable was cut on 16 February 2017. It runs from Britain to landing points in Lisbon and Nigeria.
- The Asia America Gateway cable to Vietnam broke a second time on 18 February 2017. In late March they were still waiting on repairs.
- The Intra Asia cable to Vietnam broke on 4 March 2017. It was fixed around 25 March.
- The Asia Pacific Gateway broke between Vietnam and Hong Kong on 6 June 2017.
- Congo-Brazzaville experienced a 15-day Internet outage after a submarine cable cut by a fishing vessel on 9 June.
- The SAT3 cable broke in mid-June about 53 kilometers from the Melkbosstrand landing station in South Africa.
- Seabed movement cut the MainOne cable on 18 June 2017, 3,000 kilometers south of Portugal, in 3,400 meters of water off Senegal. It was repaired on 2 July.
- The EASSy cable along Africa's east coast was damaged about 4 kilometers offshore from Mogadishu on 23 June. The outage was estimated to cost Somalia US$ 10 million per day, despite only 1.6% of the population having been online in 2014. 3G service had also been switched off in southern Somalia since 2014 in response to a threat from al-Shabab militants. EASSy was repaired on 14 August.
- The SEA-ME-WE 4 cable was cut, in early July, degrading Pakistan's Internet service.
- The India – Middle East – Western Europe (IMEWE) cable went down on 5 August. It was still causing problems including cancelled domestic and international flights out of Islamabad at the end of that month.
31 August 2017 was a busy day.
- The SEA-ME-WE 3 submarine cable between Perth and Singapore was broken on 31 August, with repairs expected to take until mid October.
- The Asia America Gateway (AAG) was broken at two points about 66 and 85 kilometers from its Hong Kong endpoint.
- The Intra Asia (IA) cable was broken about 54 kilometers from its Hong Kong endpoint.
- The AAG was broken for the 5th time in 2017 on 7 November.
- The SEA-ME-WE 3 submarine cable linking Australia to Southeast Asia was cut for the 3rd time in 2017 on 3 December. It was initially expected to be fixed within a week, but repairs were pushed back to the 26th. Then later, to early January.
- The operators of the Basslink cable carrying electrical power and data to Tasmania damaged it by overloading the power capacity, according to a report on 20 December 2017 describing a study of the December 2015 outage.
- The Europe-India Gateway submarine cable suffered a fault 15 km off Alexandria, Egypt on 25 December. It impacted Internet traffic into the Middle East and India and was expected to take 3-4 weeks to repair.
- The Asia-Pacific Gateway submarine cable between Vietnam and Singapore failed on 27 December.
See these comments from a former CIA analyst on the vulnerability of civilian satellites.
Also see this 2002 GAO report on commercial satellite vulnerability.
1995 — Intelsat 511 was disabled for a few hours by an electrostatic discharge event, taking out some Australia-USA links. The event fired a thruster and turned the satellite out of alignment for the links to Earth.
1997 — A $200,000,000 Telstar satellite (and thus all its comm links) was taken out by an unexpected solar flare on 11 January. I was teaching a course that week, and many students complained the next day that the pay-per-view movies no longer worked in their hotel rooms.... Science, 31 January 1997, pg 623, and Science News, 1 February 1997, pg 68.
1998 — Galaxy VII failed 13 June and dropped several hours of several cable TV networks. Another satellite failed 4 July 1998, dropping several hours of DirecTV. In both cases a control processor failed, but they were eventually able to switch to a backup processor. WSJ, 9 Jul 1998, Reuters.
1998 — Galaxy IV failed in May and took out over 80% of North American pagers for several days. See the reports here, here, here, here and here. Wire news services including Reuters were affected. CBS and NPR had to use backup transmission links. The primary control processor had failed due to tin whisker growth.
2004 — Intelsat Americas-7 (formerly Telstar 7, later Galaxy 27) experienced a several-day power failure on 29 November 2004. See the reports here and here.
2006 — The Optus B1 satellite lost contact 30 March and among other things cut off some television service to New Zealand. Also see these reports.
2007 — XM Satellite Radio was off the air for a day in May, see the Washington Post article for details. "The company blamed a software glitch for the interruption."
2007 — Dish Network was out 19 and 22 August for two hours and a half hour respectively.
2007 — Alaskan public television was out on 20 August due to some satellite problems.
Outages Caused by Routing Blunders
2004 — TTNet in Turkey (AS9121) accidentally pretended to be the entire Internet on the morning of Christmas Eve (U.S. time), leaving large chunks of the Internet unreachable for a few hours.
2008 — In February 2008, the Pakistani government was worried that a video disrespectful toward Muhammed had been uploaded to YouTube. Government leaders directed Pakistan Telecom to either force YouTube to remove the video or else shut down YouTube. Informed that neither of those was possible, the government settled for making it so no one using Pakistan Telecom could view anything on YouTube.
You don't do that by filtering rules, as the edge routers can't keep up. You do it by black-holing the route(s) to the corresponding IP block(s).
The problem was that they then propagated those black-hole routes over BGP to PCCW, an ISP in Hong Kong, which in turn propagated those extremely attractive routes across the Internet. It made it look as though some corner of Pakistan was, by far, the most attractive route to YouTube. Almost everyone's attempted connection got routed that way.
The result for most of the world was that you lost access to YouTube for a few hours. Somehow society survived that episode. The result within Pakistan was that all telecommunications were disrupted for several days, maybe a week. Mobile phones couldn't connect to the network, wired phones had no dial tone. Also see the Ars Technica report.
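The mechanics described above, as an added example that is not from the original page: a small route-selection simulation showing why the more-specific /24 attracted the world's YouTube traffic, why YouTube's own /24 announcement pulled it back, and how RPKI route-origin validation (RFC 6811, which did not exist in 2008) would have discarded the leaked route. The prefixes and AS numbers (YouTube AS36561 and 208.65.152.0/22, Pakistan Telecom AS17557 announcing 208.65.153.0/24 through PCCW AS3491) are the ones reported at the time; the ROA is hypothetical, and BGP's full tie-break sequence is reduced to prefix length followed by AS-path length.

```python
"""Added example (not from the page): longest-prefix matching explains the
2008 YouTube hijack, and RFC 6811 route-origin validation would have
rejected it. Prefixes and AS numbers are the widely reported ones; the RIB
and the selection rule are simplified for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # leftmost = neighbour we heard it from, rightmost = origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


def best_route(rib, dst):
    """Longest prefix wins; ties go to the shortest AS path. Real BGP has more
    tie-breakers (local preference, MED, ...) but all of them come *after*
    prefix length, which is exactly why a leaked more-specific wins everywhere."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def rov_state(route, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def drop_invalid(rib, roas):
    """What a router with a 'reject RPKI-invalid' policy keeps."""
    return [r for r in rib if rov_state(r, roas) != "invalid"]


NET = ipaddress.ip_network
YOUTUBE_22 = Route(NET("208.65.152.0/22"), (36561,))        # YouTube's covering prefix
HIJACK_24 = Route(NET("208.65.153.0/24"), (3491, 17557))     # Pakistan Telecom, via PCCW
YOUTUBE_24 = Route(NET("208.65.153.0/24"), (36561,))         # YouTube's counter-announcement
ROAS = [Roa(NET("208.65.152.0/22"), 24, 36561)]              # hypothetical ROA (no RPKI in 2008)


def demo(dst="208.65.153.238"):
    """Origin AS chosen for `dst`: before the leak, during it, after YouTube's
    own /24 (tie on length, shorter path wins), and with ROV filtering."""
    before = best_route([YOUTUBE_22], dst).origin_as
    hijacked = best_route([YOUTUBE_22, HIJACK_24], dst).origin_as
    countered = best_route([YOUTUBE_22, HIJACK_24, YOUTUBE_24], dst).origin_as
    with_rov = best_route(drop_invalid([YOUTUBE_22, HIJACK_24], ROAS), dst).origin_as
    return before, hijacked, countered, with_rov


if __name__ == "__main__":
    print(demo())
```

demo() returns the origin AS selected in each of the four situations. The same validation, fed real ROAs from an RPKI validator, is also what catches the intentional hijacks listed further down this page; note that the /25 case in the test shows maxLength doing its job, since a too-long prefix is invalid even from the legitimate origin.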
2010 — Renesys reported that something like 15% of the Internet's backbone traffic was re-routed through China for 18 minutes in April.
2014 — China suffered a country-wide Internet outage for 45 minutes on 22 January 2014. Chinese government spokesmen blamed the outage on the DNS root servers. But outsiders said that the Chinese government's attempt to control their citizens' Internet access involved a DNS poisoning operation that spun out of control.
They wanted to block access to 65.49.2.178, belonging to Dynamic Internet Technology, which provides the FreeGate censorship-circumvention tool and also hosts a Falun Gong news portal mirror. They instead poisoned the DNS records by mapping all domain names in the world to that single IP address. This was a massive distributed denial of service attack against that company, as China is estimated to have more Internet users than any other country (other than India) has people. But none of those masses could see anything until the DNS caches got straightened out.
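An added example, not part of the original page, of how to spot that failure mode in your own resolver logs: the symptom is one answer address suddenly "owning" many unrelated domains. The log format, domain names and addresses below are constructed (RFC 2606 names and RFC 5737 documentation addresses); a real deployment would read resolver query logs or passive-DNS data, and would have to baseline CDN and shared-hosting addresses, which legitimately serve many names.

```python
"""Added example (not from the page): flag answer IPs that resolve many
unrelated domains, the signature of a sinkhole or a poisoned resolver.
Log format and sample records are constructed."""
import re
from collections import defaultdict

# Constructed log format: "<ts> query=<name> type=A answer=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) query=(?P<qname>\S+) type=A answer=(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$"
)


def registrable_domain(qname: str) -> str:
    """Collapse hosts to their registrable domain. Simplification: the last
    two labels; a production tool would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("qname"), m.group("ip")


def domains_by_answer(lines):
    """Map each answer IP to the distinct registrable domains it was returned for."""
    seen = defaultdict(set)
    for _, qname, ip in parse_log(lines):
        seen[ip].add(registrable_domain(qname))
    return seen


def suspicious_answers(lines, min_domains=5, known_shared_hosts=frozenset()):
    """Return {ip: [domains]} for answer IPs serving at least `min_domains`
    unrelated domains. `known_shared_hosts` is your baseline of CDN / shared
    hosting addresses; `min_domains` is a starting point to tune, not a constant."""
    flagged = {}
    for ip, domains in domains_by_answer(lines).items():
        if ip in known_shared_hosts or len(domains) < min_domains:
            continue
        flagged[ip] = sorted(domains)
    return flagged


# Constructed sample: six unrelated domains suddenly resolve to 203.0.113.7,
# while a shared host (198.51.100.20) legitimately serves two sites.
SAMPLE_LOG = """
2014-01-21T15:20:01Z query=www.alpha.example type=A answer=203.0.113.7
2014-01-21T15:20:02Z query=mail.bravo.example type=A answer=203.0.113.7
2014-01-21T15:20:02Z query=shop.charlie.example type=A answer=203.0.113.7
2014-01-21T15:20:03Z query=cdn.delta.example type=A answer=203.0.113.7
2014-01-21T15:20:03Z query=api.echo.example type=A answer=203.0.113.7
2014-01-21T15:20:04Z query=news.foxtrot.example type=A answer=203.0.113.7
2014-01-21T15:20:05Z query=blog.sitea.example type=A answer=198.51.100.20
2014-01-21T15:20:05Z query=www.siteb.example type=A answer=198.51.100.20
2014-01-21T15:20:06Z query=login.bank.example. type=A answer=192.0.2.10
""".strip().splitlines()


if __name__ == "__main__":
    for ip, domains in suspicious_answers(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(domains))
```

With the defaults, only 203.0.113.7 is reported; lowering min_domains to 2 also catches the shared host, which is the false positive the baseline list exists to suppress.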
2014 — Domestic Russian traffic between Moscow and Yaroslavl was routed through Stockholm and a China Telecom router in Frankfurt, Germany; see Ars Technica coverage here and an analysis by Dyn Research (formerly Renesys) here. It says that a network sharing agreement and BGP peering relationship between Russian mobile provider Vimpelcom and China Telecom led to one party leaking the routes received from the other "over a dozen times in the past year between these two providers." The same author wrote about China's accidental 18-minute hijacking of backbone routes in 2010.
Authoritarian regimes in Africa, the Middle East, and Asia sometimes disconnect or otherwise disrupt national Internet access around elections or other times of anticipated unrest, or even during school testing times.
According to research by Oracle + Dyn, this started with Egypt disconnecting itself in January 2011. It was followed by intentional disruptions in Bahrain, Libya, and Syria.
- The Migration of Political Internet Shutdowns (Oracle Dyn Global Business Unit)
- The Global Economic Damage of Internet Blackouts
Egypt started this trend in January 2011:
- Egypt Cuts Off Most Internet and Cell Service (The New York Times)
- Egypt Leaves the Internet
Iraq blocked Internet access in June 2014 in areas where ISIS had a physical presence:
- Iraqi Government Takes Its Fight With ISIS Online
Then in May, August, and October 2015, Iraq blocked Internet access to prevent 6th-grade school children from cheating on tests:
- Iraq Shut Down Its Internet to Prevent Sixth-Graders From Cheating (The Atlantic)
- Iraq Hit by Major Internet Outage (Daily Beast)
- Iraqi Government Shut Down Internet To... Prevent Exam Cheating? (Ars Technica)
- How Iraq Turned Off the Internet (Wired)
- Iraq shuts down internet to prevent students from cheating on exams
Uzbekistan had already done this, in August 2014:
- Before a High-Stakes Standardized Test, Uzbekistan Shut the Whole Country's Internet Down (The Atlantic)
- Uzbekistan Blocks Mobile Internet, SMS During Exams (Radio Free Europe / Radio Liberty)
The National Intelligence Agency of the Democratic Republic of Congo ordered that the Internet be blocked in Kinshasa until further notice. This was after bloody clashes between opponents of President Joseph Kabila and police:
- DR Congo authorities block Internet in Kinshasa — operators
In February 2016, Gujarat State in India blocked mobile Internet access to stop exam cheating:
- To beat exam cheats, Gujarat to block mobile internet today (The Times of India)
In June 2016 Algeria blocked Internet access to stop exam cheating:
- Algeria blocks Facebook, Twitter to stop exam cheats: state media
In July and August 2016 Syria repeatedly shut down the Internet for 4 hours per day to prevent cheating on national high school exams:
- Syria goes to extremes to foil cheaters
Gabon shut down its Internet connection in September 2016 after announcing election results.
Cameroon blocked Internet access in English-speaking areas of the country in January 2017 after a series of protests:
- Cameroon goes offline after Anglophone revolt (CNN)
- Cameroon's Internet Has Been Cut For Four Weeks With No End in Sight
An article in March 2017 reported on the seven-year series of intentional interruptions to communications in the Democratic Republic of Congo:
- The Evolution of Internet Shutdowns in DR Congo
Togo cut Internet access through the fall of 2017 in response to protests:
- Why are people protesting in Togo? (Al Jazeera)
- WhatsApp's role as a government protest tool is in the spotlight again as Togo blocks it
In December 2017 Equatorial Guinea held an election. Internet access had been restricted for years (access to opposition websites had been blocked for 4 years), was restricted further once the electoral campaign started in late October, and was cut off entirely around the day of voting:
- Deutsche Welle
- Reporters Without Borders
- News24
In January 2018 the Democratic Republic of Congo blocked the Internet and set up physical barriers on roads.
Intentional BGP Hijacking
2013 — Renesys reported that over a period of several months attacks hijacked BGP routes from about 1,500 IP blocks for periods lasting from minutes to days, re-routing traffic through Belarus, Russia, and Iceland. Victims included large banks, foreign ministries of several countries, a large US VoIP provider, and several ISPs. At one point traffic between two networks in Denver, Colorado, was redirected via the US east coast and Iceland. Also see the Renesys report The New Threat: Targeted Internet Traffic Misdirection.
September 2014 — Why Is It Taking So Long to Secure Internet Routing?
July 2015 — Ars Technica on Hacking Team orchestrated brazen BGP hack to hijack IPs it didn't own
July 2015 — Hacking Team and a case of BGP hijacking
April 2017 — Network traffic to and from MasterCard, Visa, and over two dozen other financial institutions was misrouted through Rostelecom, a telco controlled by the Russian government. See the BGPmon analysis and the Ars Technica article.
December 2017 — Network traffic to and from Google, Facebook, Apple, Microsoft, Mail.ru, Vkontakte, and other prominent sites was misrouted through AS39523, an obscure Russian network. See the analysis by BGPmon, the analysis by Qrator, and the Ars Technica article.
The 2012 NTP Outage
On November 19, 2012, the two stratum 1 NTP servers tick.usno.navy.mil and tock.usno.navy.mil went back in time by about 12 years. This caused outages in a wide range of PBXs, routers, and Active Directory servers. See NTP Issues Today at the NANOG mailing list, and Did Your Active Directory Domain Time Just Jump To The Year 2000? and Has your Windows Server 2003 Domain Controller time gone back to year 2000 (like Y2K)? at Microsoft's Technet.
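As an added example, not from the page or from any NTP implementation, here is what a time client needs in order not to follow a server that has jumped by years. Two things matter: decoding the 64-bit NTP timestamp with era disambiguation (the raw field alone cannot tell 1900+x from 2036+x), and a clock-selection step that agrees on a median offset, discards servers that disagree with it (ntpd's "falsetickers"), requires a majority, and refuses to step the clock beyond a panic limit. 1000 seconds is ntpd's default panic limit (which is why people who set tinker panic 0 got burned); Windows Time has the analogous MaxPosPhaseCorrection and MaxNegPhaseCorrection settings. The selection algorithm is a simplification of RFC 5905's, and the sample times are constructed.

```python
"""Added example (not from the page): NTP timestamp era handling plus a
simplified majority/panic-limit clock selection. Sample times constructed."""
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
ERA_SECONDS = 2 ** 32          # one NTP era (~136 years); era 0 ends 7 February 2036
PANIC_THRESHOLD = 1000.0       # seconds; ntpd's default panic limit


def encode_timestamp(dt: datetime) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 (modulo the era) + 32-bit fraction."""
    total = (dt - NTP_EPOCH).total_seconds()
    secs = int(total) % ERA_SECONDS
    frac = int((total - int(total)) * ERA_SECONDS)
    return struct.pack("!II", secs, frac)


def decode_timestamp(raw: bytes, local_now: datetime) -> datetime:
    """Decode, choosing the era whose result lies closest to the local clock
    (RFC 5905 era disambiguation)."""
    secs, frac = struct.unpack("!II", raw)
    base = NTP_EPOCH + timedelta(seconds=secs + frac / ERA_SECONDS)
    guess = int((local_now - NTP_EPOCH).total_seconds() // ERA_SECONDS)
    candidates = [
        base + timedelta(seconds=era * ERA_SECONDS)
        for era in (guess - 1, guess, guess + 1) if era >= 0
    ]
    return min(candidates, key=lambda t: abs((t - local_now).total_seconds()))


def select_offset(local_now, server_times, panic=PANIC_THRESHOLD, max_spread=1.0):
    """Return the correction to apply, or raise ValueError when it is unsafe:
    no majority of servers agrees, or the agreed offset exceeds the panic limit."""
    offsets = sorted((t - local_now).total_seconds() for t in server_times)
    median = offsets[len(offsets) // 2]
    truechimers = [o for o in offsets if abs(o - median) <= max_spread]
    if 2 * len(truechimers) <= len(offsets):
        raise ValueError("no majority of servers agree; leaving the clock alone")
    offset = sum(truechimers) / len(truechimers)
    if abs(offset) > panic:
        raise ValueError(f"offset {offset:.0f} s exceeds the panic limit; refusing to step")
    return offset


def roundtrip_ok(year: int) -> bool:
    """Encode and decode a whole-second instant in `year`; exercises the era logic past 2036."""
    t = datetime(year, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    return decode_timestamp(encode_timestamp(t), t) == t


def demo():
    """Constructed scenario: two healthy servers and one that went back ~12 years.
    Returns (agreed offset with three servers, whether a lone bad server was refused)."""
    local = datetime(2012, 11, 19, 15, 0, 0, tzinfo=timezone.utc)
    good_a = local + timedelta(seconds=0.02)
    good_b = local - timedelta(seconds=0.01)
    stale = decode_timestamp(encode_timestamp(local - timedelta(days=12 * 365)), local)
    agreed = select_offset(local, [good_a, good_b, stale])
    try:
        select_offset(local, [stale])   # only one source, and it is 12 years off
        refused = False
    except ValueError:
        refused = True
    return agreed, refused


if __name__ == "__main__":
    print(demo())
```

With three sources the stale server is simply outvoted; with a single source there is nothing to vote against, and only the panic limit stands between you and a domain controller in the year 2000. That is the argument for at least three, preferably four, independent upstream servers.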
Reports of GPS spoofing by Russia became common in 2017; see The Truth About Cars, 30 Jan 2017. Also see the academic paper "Hostile Control of Ships via False GPS Signals: Demonstration and Detection", Jahshan Bhatti and Todd E. Humphreys, Navigation, doi:10.1002/navi.183.
Major Breaches
Also see the list of major password breaches.
BitCoin and similar blockchain currency systems have a poor track record. Not the blockchain itself, but the storage. The Blockchain Graveyard lists over 40 incidents in which cryptocurrency institutions have suffered intrusions. Most of them closed down afterward. Almost all could have been prevented, as they happened through social engineering, credential reuse, the takeover of the cloud hosting account, or vulnerable applications.
Read about what's stored on a credit card:
- Deconstructing a Credit Card's Data
- How Crooks Get the CVV
Sloppy Cloud Storage
Cloud storage platforms like Google Cloud and AWS or Amazon Web Services make it very easy to deploy and use high-capacity storage.
The problem may be that it's too easy. People who probably shouldn't be doing this, because they aren't careful enough and very likely don't know how to be properly careful, can now deploy storage in the public cloud and upload data.
Digital Shadows found over 12 petabytes of publicly accessible data belonging to organizations around the world, containing personal and financial information on customers, employees, and other data subjects. It was spread across over 1.5 billion files stored on AWS S3 storage buckets, rsync and SMB servers, FTP servers, NAS or Network Attached Storage devices, and misconfigured websites. You can read their April 2018 detailed report with registration, or read the overview in The Register.
- Digital Shadows report
- The Register story
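As an added example, not from the page, from Digital Shadows, or from AWS, here is the check that would have prevented a good share of the S3 findings above: an offline audit of the two bucket settings that most often leak data, a bucket policy with a wildcard principal and an ACL granting the AllUsers or AuthenticatedUsers group. The JSON shapes match what boto3's get_bucket_policy() and get_bucket_acl() return, so the output of those calls can be fed straight in; the bucket name, policy and ACL here are constructed.

```python
"""Added example (not from the page or AWS): offline detection of public S3
bucket policies and ACLs. Inputs are constructed; the JSON shapes match
boto3's get_bucket_policy()['Policy'] and get_bucket_acl()."""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    # Anyone can create an AWS account, so this group is public in practice too.
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def principal_is_public(principal) -> bool:
    """Policy principals "*" and {"AWS": "*"} (or a list containing "*") mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws == "*" or "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json: str):
    """Allow statements usable by any principal. A Condition may narrow one to a
    source IP or VPC, so those are kept but marked for a human to check rather
    than silently trusted."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for s in statements:
        if s.get("Effect") != "Allow" or not principal_is_public(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        findings.append({
            "Sid": s.get("Sid", ""),
            "Action": [actions] if isinstance(actions, str) else list(actions),
            "Resource": s.get("Resource"),
            "Conditional": "Condition" in s,
        })
    return findings


def public_acl_grants(acl: dict):
    """ACL grants to the global groups, e.g. the classic READ for AllUsers that
    lets anyone list the bucket and fetch every object."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            out.append((g.get("Permission"), PUBLIC_GROUP_URIS[grantee["URI"]]))
    return out


def audit_bucket(name: str, policy_json, acl: dict) -> dict:
    """Combine both checks. Pass policy_json=None for a bucket with no policy
    (boto3 raises NoSuchBucketPolicy in that case)."""
    policy_findings = public_policy_statements(policy_json) if policy_json else []
    acl_findings = public_acl_grants(acl)
    return {
        "bucket": name,
        "public": bool(policy_findings or acl_findings),
        "policy": policy_findings,
        "acl": acl_findings,
    }


# Constructed inputs: a world-readable policy (one statement IP-restricted) and a public ACL.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-backups",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "Admin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-backups", SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

Object-level ACLs and the account-wide Block Public Access setting are the other two places to look; this script covers the bucket-level pair because that is where the bulk data exposures in reports like the one above come from.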
The Panama Papers, Mossack Fonseca, May 2016
Panama law firm Mossack Fonseca specialized in helping its clients shield their money from taxes. In May 2016, it became public that 11.5 million documents, some 2.6 terabytes, some dating back to the 1970s, had been leaked to investigative journalists. The team of journalists uncovered illegal activities involving prominent political and business figures around the world. The collection was called the Panama Papers.
The leak was the largest to date by a wide margin — Wikileaks Cablegate was 1.7 GB, Ashley Madison 30 GB, and Sony Pictures about 230 GB. The Panama Papers breach was over ten times the size of the largest previous breach.
The Paradise Papers, November 2017
Then the Paradise Papers started to become public in November 2017. That was 13.4 million confidential electronic documents relating to offshore investments. It was 1.4 TB in size, so there were more documents but a smaller total data size than the Panama Papers.
Many large companies, national leaders, and prominent individuals were involved. Apple, Avianca, Nike, African politicians with lavish overseas homes, the British royal family, a rock star who owns a Lithuanian shopping center, and on and on.
Equifax, 2017
Hackers gained access to personal and financial data of over 145 million U.S. consumers. Equifax is a credit bureau, so the data is pretty much everything you would need for identity theft.
Anthem Health Insurance, 2015
Hackers gained access to 80 million Anthem Health Insurance records including Social Security numbers, birthdays, addresses, income data, and email and employment details.
Target / Neiman Marcus, 2013
Major U.S. discount retailer Target suffered a security breach between 27 November and 15 December 2013. Up to 40 million consumer credit and debit cards may have been compromised, including customer names, card numbers, expiration dates, and CVV codes, making this the second-largest retail cyber attack to that point (after the 2007 TJX Companies compromise affecting 90 million). Debit card PIN data was also stolen, although it was encrypted with Triple-DES (nice use of 1998 technology...), and the names, mailing addresses, phone numbers and email addresses of up to 70 million additional people were also stolen.
The malware involved is called BlackPOS and Картоха. The second of those is spelled in the Cyrillic alphabet, maybe looking a little different in Italic, Картоха, and pronounced car-toe-kha and not cap-tock-sa.
News and details include:
- Brian Krebs' initial announcement 18 Dec 2013.
- Target's initial press release 19 Dec 2013.
- CNN Money story 27 Dec 2013.
- Brian Krebs wrote an initial report on how the memory-scraping malware works, with links to a Reuters story and an analysis by US-CERT.
- iSIGHT Partners released a report on Картоха/BlackPOS. 16 Jan 2014
- Wired ran a story on the iSIGHT Картоха/BlackPOS report. 16 Jan 2014
- Wired ran a story pointing out that Target and others were victims of a large hack in 2005. 17 Jan 2014
- Time magazine reported that Sergey Tarasov, a 17-year-old Russian, wrote it; he denied it, and then Rinat Shabayev claimed credit for Картоха/BlackPOS. 20-27 Jan 2014
- FBI says Картоха/BlackPOS was connected to twenty breaches. 24 Jan 2014
- Target announced that the intruder stole and used a vendor's credentials. 30 Jan 2014
- Brian Krebs announced that the intrusion was via an HVAC or heating, ventilation and air-conditioning subcontractor that worked at Target and other top retailers including Whole Foods and Trader Joe's. Fazio Mechanical Services of Sharpsburg PA had remote access to Target networks for electronic billing, contract submission, and project management (not, as initially thought, to monitor energy consumption and temperatures in stores as often done by HVAC contractors). Target's network infrastructure did not separate the HVAC systems from the POS or point-of-sale terminals, allowing the compromised HVAC account to push malware onto the POS terminals. The first malicious access was on 15 Nov; from then through 28 Nov the attackers uploaded data-stealing malware to a small number of POS terminals and tested that it worked as designed. Just two days later, by the 30th, the malware had been installed on a majority of Target's POS terminals and was actively collecting consumer card data. The data was staged on compromised "drop" systems and eventually exfiltrated to Russia and Eastern Europe, where it immediately went on the black market. 14 Feb 2014
- Krebs elaborated that the breach seems to have started with malware delivered through email phishing to employees of the HVAC contractor. Sources close to the investigation say that the Citadel password-stealing malware was used. They also report that Fazio was relying on the free version of Malwarebytes Anti-Malware. The free version is on-demand only, it does not do real-time protection (that's in the pro version), and its license explicitly prohibits corporate use. 14 Feb 2014
- Brian Krebs presented a detailed description of how Картоха/BlackPOS and similar memory-scraping POS malware works. 14 Feb 2014
- Businessweek article alleging that the FireEye security service notified Target's security team about the breach, but they did not act in time to prevent the theft, 13 March 2014.
Luxury retailer Neiman Marcus revealed a breach based on the same malware, running 16 July through 30 October 2013. See a Reuters story of 12 Jan 2014 and an initial Dark Reading report of 13 Jan 2014; then a Neiman Marcus announcement updated 21 Feb 2014 and Ars Technica (24 Jan) and Dark Reading (23 Jan) analyses of a theft of 1.1 million customers' debit and credit cards. Also see the New York Times story of 23 Jan 2014.
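Memory-scraping POS malware like Картоха/BlackPOS works because a magnetic-stripe read sits in the terminal's RAM in plain text, in the fixed Track 1 / Track 2 layout, for as long as it takes to authorize the transaction; the malware scans process memory for that layout and keeps only the hits that pass the Luhn check. The following is an added example, not from the page and not the BlackPOS code, that uses the same pattern the other way round: given a process dump, it finds Luhn-valid track records so you can prove a terminal or back-end server is holding card data it should not (which is also how the "what's stored on a credit card" links earlier on this page play out in practice). The memory image is constructed; 4111111111111111 is the standard Luhn-valid test PAN, not a real card.

```python
"""Added example (not from the page, not BlackPOS): find magnetic-stripe
track data in a memory image. The 'dump' and card number are constructed."""
import random
import re

# Track 1 (ISO/IEC 7813 format B) and Track 2 as they sit in a terminal's RAM.
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[0-9=]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check: double every second digit from the right. The scraper uses
    it to discard random digit runs, and so does the detector."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the BIN and last four; a finding report must never carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(image: bytes):
    """Yield (offset, track, masked PAN, YYMM expiry) for each Luhn-valid track record."""
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(image):
            pan = m.group("pan").decode()
            if luhn_ok(pan):
                yield m.start(), track, mask(pan), m.group("exp").decode()


def _noise(n: int, seed: int) -> bytes:
    """Deterministic filler standing in for the rest of a process image."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def build_sample_image() -> bytes:
    """Constructed 'process dump': filler, two real-looking track records, and a
    decoy whose PAN fails the Luhn check (the scraper would skip it too)."""
    track1 = b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    track2 = b";4111111111111111=25121011234567890?"
    decoy = b";4111111111111112=25121011234567890?"
    return (_noise(256, 1) + track1 + _noise(64, 2) + decoy
            + _noise(32, 3) + track2 + _noise(128, 4))


def findings(image: bytes = None):
    """Sorted list of hits for `image` (defaults to the constructed sample)."""
    return sorted(scan_memory(build_sample_image() if image is None else image))


if __name__ == "__main__":
    for offset, track, pan, exp in findings():
        print(f"offset {offset:6d}  {track}  {pan}  exp {exp}")
```

Point it at a real dump (for example the output of a memory acquisition tool, read as bytes) and every hit is evidence of card data in memory; a clean terminal after the authorization window closes should produce none. The same regexes are what a network-egress DLP rule keys on, which is the other place Target's exfiltration could have been caught.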
Heartland Payment Systems, 2008
A 2008 breach at Heartland Payment Systems compromised tens of millions of credit and debit card transactions.
Other Major Breach News
A London banking organization allegedly paid millions of pounds to stop a two-year series of attacks mixing logic bombs with electromagnetic pulse weapons: London Sunday Times, 2 June 1996, pg 1; 9 June 1996, pg 1. Note that this story is now widely thought to be overly hyped and possibly a complete fabrication, especially the part about the electromagnetic pulse weapons. Some self-proclaimed "infowar specialists" carry on endlessly about HERF guns and EMP devices. Caveat lector!
Chinese and Bulgarian factories, in concert with companies in countries that are close allies and trading partners of the U.S., steal software and pirate it as fast as the CD-ROM presses will run. Some of the markets:
- Take bus #92 out to the big market at Kadaka Torg.
- Sankt Peterburg, Russia: the big bootleg market is diagonal from the rear corner of the Gostinniy Dvor shopping arcade along
- Go to the weekend flea market on University Square, just outside the entrance to the Grand Bazaar.
All offer CD-ROM's intended as master disks for OEM's. Bulgaria has made a few "show raids" on companies like Unison, with little real effect.
Digital watermarking, related to steganography (hiding messages in data), has been around a long time:
- It was used by Demaratus, a Greek, to send a message to the Spartans in the war between the Greeks and the Persians in 480 B.C. [see "The Histories" by Herodotus, "The Code Book" by Simon Singh, and "The Codebreakers" by David Kahn]
- Much later than that (in 1500!), it was described by the Benedictine monk Johannes Trithemius in Steganographia. He described a method of hiding text in a prayer book.
- Playboy has used it to watermark imagery sold in electronic form since 1997. See the Digimarc press release or Secure Computing, Aug 1997, pg 15.
It's been discussed in non-specialist publications since the mid-1990s:
- Nature, 12 Dec 1996, pg 514
- AWST, 20 Oct 1997, pg 13, and 3 Nov 1997, pg 17
- Business Week, 1 Sep 97, pg 35
- New York Times, 17 Feb 1999.
- The U.S. Air Force Research Lab wants to transfer their work on the technology to the civilian sector.
For huge losses most people willingly ignore, see Scientific American, July 1997, pp 82-89, for a great article, "Taking Computers to Task" by W. W. Gibbs. For example, Sun Microsystems prohibited fancy presentations, as they found that people can quickly assemble quality technical information but they will waste lots of time trying to make slides look pretty.
COMSEC — attacking satellite communications
1986 — An operations engineer at a satellite uplink station over-rode the HBO signal through Galaxy 1, broadcasting a 4.5-minute protest of HBO's rates for satellite dish owners.
2014 — IOActive published a paper describing how they reverse-engineered the firmware of several commercial satellite terminals from various vendors. They found a number of security risks including what appear to be backdoors, hardcoded credentials, undocumented and insecure protocols, and the use of weak encryption algorithms. Only one vendor, Iridium, responded. Especially interesting weaknesses include:
- Harris RF-7800-VU024 and RF-7800-DU024 military land mobile and land portable BGAN terminals. Those units are used with software-defined radios such as the FALCON III AN/PRC-117G SDR. Malware running on an infected laptop connected to the terminal could inject malicious code, obtaining the GPS coordinates of the system and then possibly cutting off communication.
- Hughes BGAN M2M terminal. This was found to be susceptible to a remote exploit. If the attacker knows the Mobile Subscriber Integrated Services Digital Network-Number (MSISDN) and the International Mobile Equipment Identity (IMEI), he can send an SMS incorporating the backdoor "admin code" and install malicious firmware.
- Cobham BGAN terminal. The attack scenario is that a military unit member could be browsing the Internet during personal time and be lured onto the wrong website, to be hit with a client-side attack that would install malicious firmware which leaks the device's GPS-derived location.
2015 — A researcher from Synack announced at Black Hat that he could monitor and modify data flowing through a Globalstar satellite network. This was reported by Wired, Reuters, CNN, and others.
Other documents and articles:
- Infosec Institute: "Hacking Satellites ... Look Up to the Sky"
- SpaceNews: "Eutelsat To Field Test New Anti-jamming Capability"
- Wired: "Russian Spy Gang Hijacks Satellite Links to Steal Data"
- Vice Motherboard: "This $1,000 Device Lets Hackers Hijack Satellite Communications"
COMSEC — attacking cellular/mobile & GSM telephony
To intercept both directions of a cellular telephony conversation, the eavesdropper will need to listen somewhere near the handset.
Digital AMPS (a GSM competitor once popular in North America, although now end-of-life) uses CAVE (Cellular Authentication, Voice Privacy and Encryption) and CMEA (Cellular Message Encryption Algorithm). These perform three main functions:
- Authenticate to the network that the unit requesting service is a legal subscriber.
- Generate codes to protect control channel data, including all digits dialed on the keypad (dialed numbers, plus later PIN's etc). Control channel data is encrypted with CMEA (Cellular Message Encryption Algorithm).
- Generate two keys to "mask" the digitized forward and reverse voice channels.
The voice "masking" was known to be cryptographically weak in 1992. On 20 March 1997, Bruce Schneier (author of Applied Cryptography) and David Wagner (UC Berkeley grad student) announced breaking CMEA. The response of the Cellular Telephone Industry Association (CTIA) was to lobby for laws to make it illegal to break their breakable system, so they can continue to advertise it to an unwary public as "unbreakable".... See Monitoring Times, June 1997, pp 28-29, and Bruce Schneier's Crypto-Gram for more details.
Targeted eavesdroppers can use a cell site emulator, which could be something like the CCS Digital Data Interpreter. These emulators use the non-voice data streams to track frequency changes, cell hand-offs, etc., and capture all the call information and content while tracking location. These are expensive, but they really do the job! The OKI 900 controlled by the right software running on a laptop is a lower-budget cellular intercept platform that's still pretty capable.
Much more capable and still under US$ 500 for the whole system, build your own GSM base transceiver system using a Raspberry Pi and a bladeRF x40 software-defined radio.
Better yet, use what the FBI and local law enforcement use to intercept and track mobile phones. A Harris Corporation StingRay spoofs a legitimate cell tower, tricking all nearby mobile phones and other wireless communication devices including air cards for GSM Internet connectivity on laptops. The devices all connect to the StingRay instead of the legitimate carrier tower. By moving the StingRay around, authorities can pinpoint the device location down to a specific apartment in a building.
Cruder forms of this technology have been used by law enforcement for at least 20 years. An FBI agent in a case in Utah in 2009 described using a cell site emulator more than 300 times over a decade, and indicated that they were used daily by U.S. Marshals, U.S. Secret Service and "other federal agencies".
Harris' cell site emulator product in the mid 1990s was the Triggerfish. By 2013 Harris' current model of full-sized cell site emulator had been the StingRay for some years. The KingFish is a hand-held unit easily carried up and down hallways of apartment buildings and hotels.
Harris's mobile phone surveillance products are named after fish and related terms — StingRay, Kingfish (a hand-held StingRay), Triggerfish, Amberjack, Gossamer, Harpoon — "StingRay" is the one the media has fixated on.
Other companies including Verint, View Systems, Altron, NeoSoft, Cobham Surveillance (formerly MMI Research Products), Ability and Meganet make systems similar to the Harris StingRay, intercepting and tracking GSM/UMTS-based communications. But the Harris StingRay and KingFish can also track CDMA2000 and iDEN, and can support three different communications modes simultaneously. The StingRay II supports four communications modes simultaneously. When the City of Miami was shopping for Harris wireless surveillance products in September 2008 and published the Harris price list on their web site, a StingRay II cost $148,000 plus $22,000 per supported mode. A KingFish was $27,800 for just UMTS plus $18,000 each for GSM, CDMA and iDEN modes. The Israeli company Rayzone makes an interceptor named Piranha that claims to work against CDMA and GSM 2G, 3G, and 4G systems.
IMSI catchers collect identification and location information for nearby phones, and in some situations can capture voice conversations, text messages, and web history. IMSI or International Mobile Subscriber Identity is the unique serial number the cellular system uses to identify your phone. See this background on IMSI catchers and Stingray.
The U.S. Government has been very secretive about the use of IMSI catchers and similar systems by law enforcement and other agencies. The FBI has made local law enforcement sign non-disclosure agreements, and has instructed law enforcement agencies to lie about the use of the technology. Meanwhile the Baltimore police used Stingray over 25,000 times. See descriptions in Newsweek, in Wired here and here, in STL Today, in Ars Technica, in Vice, and from the ACLU.
Unexplained IMSI catchers have been detected across the U.S. according to stories in the Washington Post, Wired, Gizmodo, and VentureBeat.
You can build your own or just buy one on line, and many SMS spammers use them in China.
For more details on GSM hacking, see the announcement of GSM cloning and how security-through-obscurity isn't security at all.
Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy is a 2014 paper by Stephanie Pell of the Stanford Law School Center for Internet and Society and Christopher Soghoian of the Yale University Information Society Project. They describe how the law enforcement and national government monopoly on cellular interception has vanished, and now criminals, the tabloid press, and anyone with a little motivation and money can eavesdrop. The Associated Press reported on 12 June 2014 that "The Obama administration has been quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods. [...] Citing security reasons, the U.S. has intervened in routine state public records cases and criminal trials regarding use of the technology. This has resulted in police departments withholding materials or heavily censoring documents in rare instances when they disclose any about the purchase and use of such powerful surveillance equipment."
Also see Privacy International and their study of the $5 billion per year global surveillance industry.
Late 1999 saw announcements of GSM cracking (which, for the U.S.A., affects "Digital PCS" as well). Summarizing from Bruce Schneier's Crypto-Gram newsletter, 15 December 1999, the relevant algorithms at the time were:
- A3 is the authentication algorithm to prevent phone cloning.
- A5/1 is the stronger of the two voice-encryption algorithms.
- A5/2 is the weaker of the two voice-encryption algorithms.
- A5/3 has been added more recently for 3G communications.
- A8 is the voice-privacy key-generation algorithm.
Schneier says, "These algorithms were developed in secret, and were never published. Marc Briceno (with the Smartcard Developer Association) reverse-engineered the algorithms, and then Ian Goldberg and David Wagner at U.C. Berkeley cryptanalyzed them. Most GSM providers use an algorithm called COMP128 for both A3 and A8. This algorithm is cryptographically weak, and it is not difficult to break the algorithm and clone GSM digital phones. The attack takes just 2^19 queries to the GSM smart-card chip, which takes roughly 8 hours over the air. This attack can be performed on as many simultaneous phones in radio range as your rogue base station has channels." Summarizing now, the breaks and the publishing dates are:
- A3 and A8 — Can always be broken in 8 hours over the air (as above). All A8 implementations tested did not use COMP128, they used a weakened form! (April 1998)
- A5/2 — Can be broken in real-time without any trouble. (August 1999) Read Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication by three researchers at Technion - Israel Institute of Technology.
- A5/1 — Given the first two minutes of the conversation, one PC with 128 MB of RAM and two 73 GB hard drives can find the A5/1 key in about one second. (May 1999) See:
  - Real Time Cryptanalysis of A5/1 on a PC
  - Software-Hardware Trade-offs: application to A5/1 Cryptanalysis
  - Cryptanalysis of the A5/1 GSM Stream Cipher
  - On Hardware-Assisted Cryptanalysis of A5/1
Then in Feb 2008 Schneier again commented on A5/1 cryptanalysis. There had been quite a bit of coverage of announcements of further A5/1 cryptanalysis and practical systems to break GSM keys. This 2008 attack is completely passive, requires about US$ 1000 in hardware, and breaks the key in about 30 minutes:
- "Research May Hasten Death of Mobile Privacy Standard", Washington Post, Feb 2008
- Forbes magazine, 21 Feb 2008
- Government Computer News, 20 Feb 2008
- Information Week, 20 Feb 2008
A5/3 or Kasumi is used for confidentiality and integrity in 3G telephony. It is stronger than A5/1, but it is also vulnerable! A 2010 paper reports "The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity."
The industry (predictably) claimed this was all impossible, as it required unavailable hardware. Yeah, right. Well under US$ 10,000 should provide a high-quality intercept station. For details of the analysis see the Smartcard Developer Association and the references here.
See this project to design and build a relatively inexpensive (US$ 700) GSM receiver and crack A5/1.
Further GSM security and insecurity references include GSM Security FAQ: Have the A5 algorithms been broken? and GSM Security Algorithms.
August 2009 saw further reports on making A5/1 cracking more practical and less academic. See Subverting the security base of GSM by Karsten Nohl and Sascha Krissler, presented at the Hacking At Random conference in Aug 2009. The DarkReading mailing list discussed the work.
December 2009 brought even further A5/1 cracking results. An article from late December 2009 reported that a complete GSM intercept station could now be built for about $4000, and it can handle the random channel hopping. A 2TB Rainbow Table is used to rapidly find the encryption key. A low-end intercept station could be built around a PC with a medium-end graphics card, at least 2TB of disk storage, and two GNURadio USRP2 computer-controlled receivers. A few minutes of conversation will be required to gather enough information. More elaborate and expensive systems using FPGA devices could break the encryption "almost instantaneously".
In 2012, researchers at Ruhr University Bochum broke the A5-GMR-1 and A5-GMR-2 algorithms used on satellite phones. They report a ciphertext-only attack on A5-GMR-1 with average complexity 2^32 steps, and a known-plaintext attack on A5-GMR-2 for which "the encryption key for one session, i.e., one phone call, can be recovered with approximately 50–65 bytes of key stream and a moderate computational complexity."
This 2017 paper reported a real-time attack on the GMR-2 cipher, needing only 15 bytes (or one frame) of keystream and 0.020 seconds of computation. Their description is that GMR-1 is "a proprietary variant of GSM A5/2" while GMR-2 is "an entirely newly designed stream cipher."
Also see these attacks on the SNOW 3G and SNOW 2.0 crypto primitives intended as replacements for KASUMI, and on the ZUC stream cipher used in 3GPP.
The good news is that this 2016 paper found that the AKA protocol looks much safer. AKA uses a set of AES-based algorithms called MILENAGE, and the TUAK algorithms which are based on a modification of Keccak.
If you want voice COMSEC on the cheap, check out PGPfone. You use your computer's audio interface and PGP software to encrypt and decrypt a pair of audio streams.
Mobile networks have been hacked by attacking the insecure GPRS backbone links used by most mobile phone providers. This was announced and demonstrated at the Chaos Communication Camp 2001.
GPRS encryption has been broken, see articles in ComputerWorld, in The Register, and MIT Technology Review.
To build your own GSM femtocell, see the Vodafone - THC Wiki.
GSM Jamming and other DoS
From an article about the common use of cell phones by prisoners despite its illegality, in Urgent Communications, a trade magazine for public-service and emergency radio communications ("Arresting Developments", August 2010, pp 42-47): South Carolina's prison system found 3,024 cell phones among its population of 24,000 inmates, a 1:8 ratio, in the 2009 fiscal year. A Texas correctional facility was found to have 239 cell phones in use in one 400-inmate wing.
CellAntenna makes cellular systems: in-building repeaters, signal boosters, antennas, etc. CJam Cellular Jamming Technology seems to be CellAntenna under another name, and they openly market cell phone jamming systems.
Security Intelligence Technologies builds and sells GSM jammers.
Bomb Jammer builds and sells GSM jammers, including their "VIP 200 Bomb Jammer". Many of these companies market their products as jammers just for the control links for improvised explosive devices (IEDs).
Netline Communications Technologies of Israel sells a system called CellTrack. It has multiple covert devices that can detect a variety of GSM/cellular standards simultaneously, tied into a central computer doing the overall analysis.
Armed Forces International provides information on vendors of a range of military-related products.
DNS (Domain Name System) Security Issues
DNS should work as follows:
1. The human user types www.cromwell-intl.com into a browser. The browser recognizes that this is not an IP address, and it makes a library call to the resolver. That creates a DNS query packet asking for an A record for the fully-qualified domain name (FQDN). This is a relatively simple UDP datagram.
2. That DNS query is sent to the client's nameserver. If you are reading this at home, that means the DNS server specified by your ISP when your system used DHCP to get its IP configuration. If you are at work, then it would be your corporate DNS server. Either way, the DNS server is willing to do some work on behalf of the client and answer its questions because it's a client.
3. That nameserver (labeled "ISP nameserver" below) doesn't know and it doesn't know who to ask. So it asks a server authoritative for the entire .com domain, "Where is the nameserver for the cromwell-intl.com domain?", asking for an NS record. The root servers are authoritative for .com and so its IP address is coded into the DNS server software.
4. The .com server answers the direct question and also passes along the answer to the obvious next question, "What are their IP addresses?". As it turns out, there are four. One question was asked, there were four answers and four additional pieces of useful information.
5. Your nameserver now picks one of those servers and asks the original question, "What is the IP address for www.cromwell-intl.com?"
6. That nameserver responds that www.cromwell-intl.com is really an alias. The canonical name is cromwell-intl.com and its IP address is 126.96.36.199. This information should be good for a while, feel free to cache it for 3,600 seconds.
7. Your ISP returns that information to your client, which receives it and passes the information along to the browser application. It makes a connection to TCP port 80 on that IP address, and this page loads.
8. Meanwhile your nameserver is caching that information in case some client asks the question within the Time To Live value.
Below you see those numbered steps as ASCII art:

[1,2] client -------> ISP nameserver
      DNS query: www.cromwell-intl.com A record

[3]   ISP nameserver ------------> .com name server
      DNS query: cromwell-intl.com NS

[4]   ISP nameserver <------------ .com name server
      ;; ANSWER SECTION:
      cromwell-intl.com.        18418 IN NS   ns-cloud-c2.googledomains.com.
      cromwell-intl.com.        18418 IN NS   ns-cloud-c4.googledomains.com.
      cromwell-intl.com.        18418 IN NS   ns-cloud-c1.googledomains.com.
      cromwell-intl.com.        18418 IN NS   ns-cloud-c3.googledomains.com.
      ;; ADDITIONAL SECTION:
      ns-cloud-c1.googledomains.com. 18418 IN AAAA 2001:4860:4802:32::6c
      ns-cloud-c2.googledomains.com. 18418 IN AAAA 2001:4860:4802:34::6c
      ns-cloud-c3.googledomains.com. 18418 IN AAAA 2001:4860:4802:36::6c
      ns-cloud-c4.googledomains.com. 18418 IN AAAA 2001:4860:4802:38::6c
      ns-cloud-c1.googledomains.com. 18418 IN A    188.8.131.52
      ns-cloud-c2.googledomains.com. 18418 IN A    184.108.40.206
      ns-cloud-c3.googledomains.com. 18418 IN A    220.127.116.11
      ns-cloud-c4.googledomains.com. 18418 IN A    18.104.22.168

[5]   ISP nameserver ------------------------> ns-cloud-c1.googledomains.com
      DNS query: www.cromwell-intl.com A

[6]   ISP nameserver <------------------------ ns-cloud-c1.googledomains.com
      ;; ANSWER SECTION:
      www.cromwell-intl.com.    3600 IN CNAME cromwell-intl.com.
      cromwell-intl.com.        3600 IN A     22.214.171.124

[7,8] client <------- ISP nameserver <---> cache
      DNS answer: www.cromwell-intl.com CNAME = cromwell-intl.com
      Additional resource record: cromwell-intl.com A = 126.96.36.199
      TTL = 3600 seconds
What the attacker wants to do:
The attacker wants to fool many people into looking at the wrong web site. They build a bogus web site on some server. It looks like something people would trust, for example, a clone of the citibank.com web site. Of course, it is just going to steal information if anyone visits it and believes it's really Citibank! They will then try to fool as many DNS servers as possible into believing that the IP address for citibank.com is whatever IP address they have for their bogus site.
So how do the bad guys fool the world-wide DNS infrastructure?
Problem #1 — Stateless DNS
Early versions of the BIND DNS server did not keep track of which questions they had asked. If they got an answer, they assumed it was relevant and put it in the cache. So the bad guy does this:
Someone should run the reverse service, providing PTR (or "pointer") records saying, for example, that 188.8.131.52 corresponds to cromwell-intl.com. Really this is done as a DNS PTR record:
  184.108.40.206.in-addr.arpa IN PTR cromwell-intl.com
The bad guy takes responsibility for providing this service for his small block of IP addresses. Let's say he's at 220.127.116.11. That IP address belongs to a Romanian ISP from which I see a bunch of probes. Our theorized hacker has a DNS server responsible for at least this part of the reverse space under
  18.104.22.168.in-addr.arpa IN PTR hackerpc.romtelecom.ro
or something like that....
The bad guy does some surveillance to find name servers running old and vulnerable software:
- Find the IP addresses for a bunch of Internet Service Providers.
- For each of those IP addresses, run this:
  $ dig @IP version.bind chaos txt
  That should just fail, but sloppily configured servers will answer. Some of those will report old versions, effectively announcing, "I am vulnerable!"
- For each vulnerable DNS server, each one of which represents an entire domain or organization about to be misled, the bad guy intentionally attempts a connection that will fail. A good example would be to connect to TCP port 23, the TELNET service, on the nameserver itself.
- That target nameserver may try to resolve the attacker's IP address back to a hostname, meaning that it will send a DNS query for the PTR record to the nameserver under the bad guy's control.
- That nameserver responds with the requested answer:
  22.214.171.124.in-addr.arpa IN PTR hackerpc.romtelecom.ro TTL=3600
  However, it also sends some additional resource records in that DNS reply packet. These are unsolicited responses, answers to questions that were not asked:
  www.citibank.com IN A 126.96.36.199 TTL=31536000
  citibank.com IN A 188.8.131.52 TTL=31536000
  www.bankofamerica.com IN A 184.108.40.206 TTL=31536000
  bankofamerica.com IN A 220.127.116.11 TTL=31536000
  and so on, trying to inject bogus information about the IP addresses of banking sites with a time to live of one year.
- Now when any client of that vulnerable nameserver resolves any of those hostnames to an IP address, they are given the bogus answer corresponding to the hacker's hostile site.
This was the technology behind the September 1997 "CIA web page hack" and many more attacks. This is called a cache poisoning attack.
Problem #2 — The Kaminsky DNS Vulnerability
Dan Kaminsky discovered a very serious problem in DNS and publicized it in the summer of 2008. Left out of the above explanation was the detail that DNS packets contain a field called the Query ID. This allows a DNS server to match answers to questions, and it allows newer DNS implementations with some sense of state to tell if a given answer corresponds to a question that they had asked.
The problem is that the Query ID is reasonably easy to guess in many DNS server implementations. The bad guy now:
- Builds a DNS server claiming to be authoritative for a sensitive domain like citibank.com. However, it will always give the bad guy's IP address as the answer to any address queries!
- Surveils Internet DNS servers to find ones probably vulnerable to this attack.
- For each one, makes some legitimate queries to estimate the state of the Query ID field.
- Asks a question that will require the target server to send a query to the citibank.com nameserver: the IP address of a hostname known not to exist ("What is the IP address of" some name that does not exist). Since the nameserver very likely will not answer questions for clients not within its domain, the bad guy simply forges the source IP address on the DNS query datagram. It will get to the server just fine as long as the bad guy's ISP does not do sanity checking, and the bad guy will have selected an ISP that does not do sanity checking in order to support this and many other attacks.
- Using a network of compromised PCs under his control, the bad guy launches a blizzard of bogus DNS responses with various Query ID values. His hope is that one of them will be correct. Depending on the predictability of the Query ID field and the number of compromised hosts under his control, this may be very likely indeed.
- Each of those packets uses Authority records to delegate further questions about the citibank.com domain to the bad guy's bogus server: "I don't know the answer, but you can find the answer by asking the nameserver ns1.citibank.com and its IP address is 18.104.22.168." However, that is the bad guy's hostile DNS server. Now every question about the citibank.com domain will be sent to the bad guy's DNS server — he effectively owns the citibank.com domain as far as that victim nameserver's domain is concerned.
This is also a cache poisoning attack, but it is far more powerful.
So, how do you avoid being a victim?
- Update your DNS server. Make sure your server is running up-to-date DNS server software! Patched DNS server software will randomize both the UDP port used for its queries and the Query ID field itself. Unfortunately, six or so months after Kaminsky's discovery was announced to great fanfare, mention in newspapers and so on, over 25% of the DNS servers on the Internet were found to still be running out of date and vulnerable software!
- Configure your DNS server correctly. Use the Team Cymru Secure BIND Template.
- Open DNS Resolver Project. You can query CIDR blocks of IP addresses to see if you have any open DNS resolvers.
- The Measurement Factory. It's similar to the Open DNS Resolver Project.
- This is another web-based tool for testing DNS servers.
The djbdns DNS server by Daniel J Bernstein has correctly randomized both the source UDP port and Query ID since the beginning. Many people find his djbdns easier to configure than the much more commonly used BIND software from ISC.
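The resolution walkthrough above, the two poisoning problems, and the "randomize the Query ID and the source port" fix can all be exercised offline with a small model of the DNS wire format. The following Python is an added example written for this page, not code from the page's author or from any DNS implementation. It encodes and parses DNS messages, builds a constructed reply modelled on the Problem #1 scenario (the page's PTR record for hackerpc.romtelecom.ro with the unsolicited citibank.com A records riding in the additional section), and then applies the two checks a modern resolver makes before caching anything: the reply must carry the Query ID and the question the resolver actually sent, and records outside the zone being queried (out of bailiwick) are discarded. The /24 reverse zone 214.171.124.in-addr.arpa used as the bailiwick and all function names are assumptions of the example.

```python
import random
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_PTR, CLASS_IN = 1, 2, 5, 12, 1

def encode_name(name):
    """Dotted name -> DNS labels (length byte + label), terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Read a name at `off`, following compression pointers; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def build_query(qname, qtype, txid):
    """Recursive query (RD flag set) carrying one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)

def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(txid, qname, qtype, answers, additional):
    """Response echoing the question, with answer and additional sections."""
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    body += b"".join(build_rr(*rr) for rr in answers + additional)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional)) + body

def parse_message(msg):
    """Parse header, question and every resource record; names come back with a trailing dot."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            start, off = off + 10, off + 10 + rdlen
            if rtype == TYPE_A:
                value = ".".join(str(b) for b in msg[start:off])
            elif rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR):
                value = decode_name(msg, start)[0]
            else:
                value = msg[start:off].hex()
            records.append((section, name, rtype, ttl, value))
    return {"id": txid, "flags": flags, "questions": questions, "records": records}

def in_bailiwick(rr_name, zone):
    rr_name, zone = rr_name.lower().rstrip("."), zone.lower().rstrip(".")
    return rr_name == zone or rr_name.endswith("." + zone)

def accept_response(query, response, bailiwick):
    """Resolver-side checks: the reply must carry our Query ID and our question (Problem #2),
    and only records inside the zone we were talking to may enter the cache (Problem #1)."""
    q, r = parse_message(query), parse_message(response)
    if q["id"] != r["id"]:
        raise ValueError("Query ID mismatch: not a reply to a question we asked")
    if q["questions"] != r["questions"]:
        raise ValueError("question section does not match our query")
    return [rr for rr in r["records"] if in_bailiwick(rr[1], bailiwick)]

def spoof_success_probability(forged_replies, entropy_bits):
    """Chance that at least one of N forged replies matches the resolver's random values:
    16 bits with only a random Query ID, about 32 when the UDP source port is random too."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** forged_replies

def poisoned_ptr_reply(txid):
    """Constructed reply modelled on Problem #1: the requested PTR record, plus unsolicited
    A records for banking names smuggled into the additional section."""
    qname = "22.214.171.124.in-addr.arpa"
    answers = [(qname, TYPE_PTR, 3600, encode_name("hackerpc.romtelecom.ro"))]
    additional = [("www.citibank.com", TYPE_A, 31536000, bytes([126, 96, 36, 199])),
                  ("citibank.com", TYPE_A, 31536000, bytes([188, 8, 131, 52]))]
    return build_response(txid, qname, TYPE_PTR, answers, additional)

def demo(bailiwick="214.171.124.in-addr.arpa"):   # assumed /24 reverse zone for the walkthrough
    txid = random.getrandbits(16)                  # patched resolvers randomise this (and the port)
    query = build_query("22.214.171.124.in-addr.arpa", TYPE_PTR, txid)
    reply = poisoned_ptr_reply(txid)
    cached = accept_response(query, reply, bailiwick)
    try:                                           # a guessed reply carrying the wrong Query ID
        accept_response(query, poisoned_ptr_reply((txid + 1) & 0xFFFF), bailiwick)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"cached": cached,
            "unsolicited_dropped": len(parse_message(reply)["records"]) - len(cached),
            "forged_rejected": forged_rejected}
```

Running demo() shows the PTR answer being kept while both citibank.com records are dropped for being out of bailiwick, and a reply with a guessed Query ID being refused outright. spoof_success_probability puts a number on the Kaminsky fix: 65,536 forged replies against a 16-bit Query ID alone succeed with probability about 0.63, while the same flood against a random ID plus a random 16-bit source port succeeds with probability around 1.5e-5. The bailiwick filter is what defeats the 1997-era attack even on a server that does track its questions, because there the poisoned records arrive inside an otherwise legitimate reply.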
Incidents and Anecdotes
"Security through obscurity"
"Security through obscurity" has been known to be ineffectual for well over a century. Auguste Kerckhoffs (1835-1903) stated that the security of a cryptosystem must not depend on keeping its algorithm secret. See his article "La cryptographie militaire", in Journal des sciences militaires, vol IX, pp 5-38, Jan 1883. See an overview and the original paper (PDF).
U.S. Government fear-mongering about electrical power grid hacking:
The U.S. Department of Homeland Security released a very contrived video in September 2007 showing catastrophic failure of an electrical power generator. This got notoriety as the "Aurora Generator Test", conducted in March 2007. But it was largely interpreted as little more than an intentional scare story by DHS.
Then "CIA senior analyst Tom Donahue" seems to have gone on a one-man fright crusade:
- "A CIA analyst told attendees at a SANS Institute conference that hackers infiltrated an overseas power grid to knock out power. Senior analyst Tom Donahue did not say which cities were affected, or for how long power was cut. The warning came in the wake of a U.S. Department of Homeland Security video demonstrating a hacker taking over a power grid." SC Magazine, March 2008, pg 14
- "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," Donahue said at the SCADA 2008 Control System Security Summit in New Orleans [16 Jan 2008]. "We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge," he said. "We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet." See a description in Government Executive, 18 Jan 2008.
June 2008 — "Last month the National Journal cited two computer security professionals, who in turn cited unnamed U.S. intelligence officials, in reporting that China's People's Liberation Army may have cracked the computers controlling the U.S. power grid to trigger the cascading blackout that cut off electricity to 50 million people in eight states and a Canadian province [in August, 2003]" But cyber security consultant Paul Kurtz, who worked at the White House at the time of the blackout, said there's no truth to the claim, and many others have backed him up.
April 2009 — This same story appeared, again, in the Wall Street Journal this time (4 April 2009, article by Siobhan Gorman). The article is based on anonymous sources and "former national-security officials". It goes on to re-hash "CIA senior analyst Tom Donahue", making this just yet another cycle of the same old scare story.
April 15, 2009 — Time magazine observes that there have been no instances of cyberattacks taking down national power grids.
It has been observed in a Wired article that these scary stories are suspiciously correlated with US Government announcements of the need for increased surveillance.
A more prominent threat is physical attacks. Some have taken place, see stories at the Los Angeles Times, Reuters, and the Wall Street Journal for reports on an April 2013 attack on the PG&E Metcalf substation near San Jose, California, when rifle shots damaged 17 transformers.
See the following section about attacks on infrastructure for things that really did happen.
Russian Business Network (RBN) cyber-crime organization
A 13 Oct 2007 Washington Post article "Shadowy Russian Firm Seen as Conduit for Cybercrime" reported, "An Internet business based in Saint Petersburg has become a world hub for Web sites devoted to child pornography, spamming and identity theft, according to computer security experts. They say Russian authorities have provided little help in efforts to shut down the company. The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of 'phishing.'" VeriSign said that the Rock Group phishers used RBN to steal about US$ 150 million over the preceding year. Symantec said that RBN was "responsible for hosting Web sites that carry out a major portion of the world's cybercrime and profiteering." RBN does not have its own web site; you must contact its operators via instant messaging or obscure Russian-language online forums. You must also prove that you are not a law enforcement investigator by demonstrating active involvement in the theft of consumers' financial and personal data.
Russky Newsweek described "the world of Russian hackers" in December 2009. It mentions the apparent connections between the Internet conflicts between Russia and Estonia and between Russia and Georgia, attacks against Citigroup, and massive identity theft and spamming. But it's still uncertain whether RBN was really one vast criminal organization or a host to multiple Internet-based gangs. Interesting anecdotes in that article include:
- "Aleksandr Gostev, director of Kaspersky Labs, a global research and threat analysis center, believes that RBN's servers are located in Panama."
- "According to one study, the network comprised 406 addresses and 2090 domain names by the end of 2007."
- "The original RBN was behind the cyberattack on Estonia, Paget says, and, according to a study by the U.S. Cyber Consequences Unit (US-CCU), one of its successors was behind the virtual assault on Georgia."
- "One of RBN's most prosperous businesses is Internet pharmacies, with the international organization Spamhaus naming Canadian Pharmacy as the main propagator of criminal cyberschemes." The bootleg medications are produced in India, and several dozen virtual pharmacies make sales mostly to the U.S.
- "According to Dmitry Golubov, who describes himself as the leader of the Internet Party of Ukraine, a group of 20 to 25 people account for 70 percent of the world's spam. 'A database of active e-mails costs money,' says Golubov. 'For example, a million addresses of purchasers of access to porn resources costs $25,000 to $30,000.'"
U.S. military use of commercial telecommunication links:
Early 1990s — "About 20% of satcom support for Operation Desert Storm came from commercial [satellite] fleets." AWST 19 Nov 2007 pp 52-53.
1995-1996 — 95% of military communication at least touches the public switched networks. DOD is primarily reactive with no uniform policy for assessing risks, protecting systems, responding to incidents, or assessing damage. Military and Aerospace Electronics, January 1997, pg 17; AWST, 13 Jul 1998, pp 67-70 (quoting Maj. Gen. John Casciano, USAF director of intelligence); Lt Gen Kenneth A Minihan, "Intelligence and Information System Security", Defense Intelligence Journal, vol 5 n 1 (Spring 1996), pg 20.
2007 — "Now about 80% of all satellite communications in Iraq and Afghanistan come from commercial spacecraft, which may in some cases simultaneously provide services to friendly forces, as well as adversaries." AWST 19 Nov 2007 pp 52-53.
2008 — "Roughly 85% of [U.S.] military satellite communications are processed by commercial entities, but those services are purchased in an ad hoc fashion." AWST Oct 13, 2008, pg 34.
A 19 Nov 2007 AWST article (pp 52-53) described the USAF 16th Space Control Squadron (SPCS), dedicated to "defensive counterspace" and to detecting and locating jamming of satellite links. The 16th SPCS, based at Peterson AFB in Colorado, operates the new Rapid Attack Identification Reporting System (Raidrs), which alerts its operators to interference with satellite communications links at UHF and in the microwave C, Ku and X bands. Raidrs is designed and manufactured by Integral Systems of Lanham, Maryland. Each Raidrs site includes up to six 2.4-meter dish antennas to monitor signals, and a 3.7-meter antenna connected to a Blackbird system, said to operate like a spectrum analyzer. Two more 4.5-meter antennas are said to locate the distant ground-based jamming or interference source. The article made it sound as if the location is done by precise measurement of the uplink signal as relayed by the intended satellite and by another satellite in a nearby orbit — an impressive achievement if correct.
USB storage devices and issues for the military
"Colombia's struggling guerrilla movement appears to have suffered yet another defeat because of technology. The names of more than 9,000 rebels have fallen into government hands. Two government officials said this week [26 Sep 2008] that soldiers raiding a rebel camp in February found a memory stick that held the names, aliases and identity numbers of 9,387 rebels — and even included the photos of some of them." The group was FARC, the Revolutionary Armed Forces of Colombia. New York Times 26 Sep 2008, pg A8.
USB storage devices have been stolen from U.S. military bases in Afghanistan by local cleaning staff and sold in the local bazaars through the 2000s. Stories were carried by the BBC and the Los Angeles Times.
Attacks against infrastructure, many mentioned in the article found here. Meanwhile, do not be frightened by the weak claims of hacker attacks on the U.S. power network, debunked elsewhere on this page.
And pipelines and sewers and ...
The classic story is Agent Farewell and the Siberian Pipeline Explosion, in which an explosion around the end of October 1982 in the middle of Siberia "vaporized a large segment of the newly-built trans-Siberian pipeline". Thomas Reed's At the Abyss: An Insider's History of the Cold War describes the U.S. CIA working with a Canadian supplier to compromise the system's SCADA software with a logic bomb. The resulting explosion is enthusiastically described as "visible from space" and "1/7 the magnitudes of the nuclear weapons dropped on Japan during WWII". (combined? each?) See the National Security Archive report for a fairly calm description, and also see the CIA's Center for the Study of Intelligence report. Despite the American enthusiasm for the supposed cataclysm, there were no known casualties, and the event seems to have gone unknown to the Soviet public. The account rests almost entirely on Reed's book, and it has been disputed.
1999 — Malicious hackers took control of a Gazprom gas pipeline in Russia for around 24 hours.
2000 — A disgruntled former employee of the contractor that installed the system accessed the industrial control systems of the sewage treatment system in Maroochy Shire, Queensland, Australia, and released at least a million liters of raw sewage into waterways and onto the grounds of a hotel.
"Located in a tourist area on the east coast, the sewage system has 142 pumping stations connected by radio to monitoring computers.
The troubles began when the installation company, Hunter Watertech, finished installing the control system in December 1999 and the site supervisor for HWT, Vitek Boden, resigned 'under circumstances that are not exactly explained'. He applied to MSC for a position, but was rejected.
The following month, January 2000, strange things started to happen. Pumps were not running when needed, alarms were not being reported to the control centre, and there was a loss of communications between the control centre and the pumping stations.
The evidence began to point to outside agents interfering with the system. With data logging this became more apparent when engineers noticed a spoofed pump station ID. The system was receiving signals from a pumping station ID that wasn't where it should have been — and it wasn't sending the right sort of signals. After inspecting one particular pump station site and re-coding its ID, it became clear that they were receiving signals coming in from a station that didn't exist. Radio monitoring was also starting to detect these transmissions. After nearly two months of baffling problems, on 16 March they began to get some hard evidence of what was going on. They spotted radio transmissions controlling various pump stations from the fake ID.
By this time, in the middle of March, a lot of faults were occurring and it was obvious that the hacker wasn't just playing around with the control system. There were sewage leaks, caused by overflowing tanks when pumps were turned off. The golf course next to the Hyatt Hotel was flooded with a million litres of sewage. A major overflow into a residential area and tidal canal polluted an estuary; in the surrounding area on Australia's Sunshine Coast, creeks turned black and cost the government Au$100,000 to set up an environmental monitoring programme."
Also see "Malicious Control System Cyber Security Attack Case Study — Maroochy Water Services, Australia".
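The sequence of checks the Maroochy engineers describe above (a station ID that is not in the inventory, a station heard where it should not be, a station sending the wrong sort of signals), followed by the message authentication the radio protocol evidently lacked, as an added example in Python. This is not code from the original page, nor from Maroochy Water Services or Hunter Watertech; the station IDs, receivers, keys, message format and log entries are constructed for illustration, and the real protocol is not described on the page.

```python
import hmac
import hashlib

# --- Constructed inventory of stations (hypothetical IDs and radio receivers) ---
# Each pump station reports through one fixed receiver and only sends "status"
# frames; "control" frames are only ever sent by the control centre ("CC").
KNOWN_STATIONS = {
    "PS001": "rx-north",
    "PS002": "rx-north",
    "PS003": "rx-south",
    "CC":    "rx-centre",   # control centre
}

# Constructed, unauthenticated telemetry log, oldest first:
# (time_s, station_id, receiver_heard_on, frame_kind, payload)
SAMPLE_LOG = [
    (0,  "PS001", "rx-north",  "status",  "level=40"),
    (5,  "PS002", "rx-north",  "status",  "level=55"),
    (9,  "CC",    "rx-centre", "control", "PS002 pump=on"),
    (14, "PS142", "rx-south",  "status",  "level=10"),        # ID not in the inventory
    (20, "PS003", "rx-north",  "status",  "level=70"),        # heard on the wrong receiver
    (26, "PS001", "rx-north",  "control", "PS001 pump=off"),  # a field station issuing commands
    (30, "PS001", "rx-north",  "status",  "level=41"),
]


def find_spoofed_frames(log, inventory):
    """Return (time, station, reason) for every frame that contradicts the inventory.

    This is the after-the-fact detection that is possible on a legacy link with
    no authentication: compare each frame against what the station *should* do."""
    findings = []
    for t, sid, rx, kind, payload in log:
        if sid not in inventory:
            findings.append((t, sid, "unknown station id"))
        elif rx != inventory[sid]:
            findings.append((t, sid, f"heard on {rx}, expected {inventory[sid]}"))
        elif kind == "control" and sid != "CC":
            findings.append((t, sid, "field station sent a control frame"))
    return findings


# --- Hardened form: per-station key, HMAC over (station, seq, payload), monotonic seq ---
# Keys are derived from a constant here only so the example is self-contained;
# in a real deployment each RTU holds its own randomly generated key.
STATION_KEYS = {
    sid: hashlib.sha256(b"demo-key-" + sid.encode()).digest() for sid in KNOWN_STATIONS
}


def _frame_bytes(sid, seq, payload):
    # Fields are assumed not to contain '|'; a length-prefixed encoding would remove that assumption.
    return f"{sid}|{seq}|{payload}".encode()


def sign_frame(key, sid, seq, payload):
    tag = hmac.new(key, _frame_bytes(sid, seq, payload), hashlib.sha256).hexdigest()
    return (sid, seq, payload, tag)


def verify_frame(frame, keys, last_seq):
    """Accept only a frame from a known station, with a valid tag and a fresh sequence number.

    last_seq is updated in place with the highest accepted seq per station, which
    is what defeats replay of a captured legitimate frame."""
    sid, seq, payload, tag = frame
    key = keys.get(sid)
    if key is None:
        return False, "unknown station"
    expected = hmac.new(key, _frame_bytes(sid, seq, payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    if seq <= last_seq.get(sid, -1):
        return False, "replayed or stale sequence number"
    last_seq[sid] = seq
    return True, "ok"


def demo_hardened():
    """Four frames: a genuine command, its replay, a forgery, and an impostor station."""
    last_seq = {}
    results = []
    good = sign_frame(STATION_KEYS["CC"], "CC", 1, "PS002 pump=on")
    results.append(verify_frame(good, STATION_KEYS, last_seq))            # accepted
    results.append(verify_frame(good, STATION_KEYS, last_seq))            # replay rejected
    forged = ("CC", 2, "PS002 pump=off", "00" * 32)                        # attacker lacks the key
    results.append(verify_frame(forged, STATION_KEYS, last_seq))
    impostor = sign_frame(STATION_KEYS["PS001"], "PS142", 1, "level=10")   # ID with no key on file
    results.append(verify_frame(impostor, STATION_KEYS, last_seq))
    return results


if __name__ == "__main__":
    for finding in find_spoofed_frames(SAMPLE_LOG, KNOWN_STATIONS):
        print("spoof indicator:", finding)
    for ok, reason in demo_hardened():
        print("accepted" if ok else "rejected", "-", reason)
```

The first half only notices the attack, and only once someone thinks to compare traffic against the station inventory, which is roughly the two months of confusion the quote describes. The second half prevents it, provided the per-station keys never reach the former contractor: a forged command fails the tag check, a captured command cannot be replayed because its sequence number is stale, and a made-up station ID has no key at all.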
2003 — The "Slammer" worm disabled a safety monitoring system at the Davis-Besse nuclear power plant in Ohio, USA (the plant was offline at the time). The worm was indiscriminate; the plant was not a target, it was simply reachable.
2007 — A former employee for a federally-owned canal system in California was charged with installing software that damaged a computer used to divert water out of a local river, as described in The Register. The Tehama Colusa Canal Authority operates two canals that move water out of the Sacramento River for use in irrigation and agriculture in Northern California. The perpetrator worked for the TCCA for more than 17 years before being fired on August 15, the date he is alleged to have installed the unauthorized software.
2007 — Lonnie Charles Denison was an SAIC contractor working as a UNIX systems administrator at the California Independent System Operator's data center controlling California's power grid. He had a dispute with his boss at SAIC and learned on 15 April that he had lost his computer access privileges. Minutes later he broke a glass cover and hit the emergency power "off" button, shutting down the facility. This cut California off from the wholesale electricity market (although it did not cut off power to the state!). Allegedly he e-mailed a bomb threat the next day to a California ISO employee. In December he pled guilty, and faced up to five years in prison and $250,000 in fines. Note that revoking his logins did nothing about his physical access to the building. [The Register, 20 Apr 2007; Computerworld, 1 Jan 2008, pg 6; PC World and several other sources]
2010 — The Stuxnet worm was detected in June 2010. This led to many more discoveries of related malicious software, eventually attributed to the U.S.; see the cyberwar page for the details.
Read this good article from The Atlantic Monthly about "The Great Firewall of China", the national firewall of the People's Republic of China.
In May 1998 an internal review of DOE facilities found serious security problems (classified info on open systems, anonymous ftp write permission, readable password files, etc) on 1,400 of 64,000 systems. Los Alamos had detected 15 security breaches in the preceding 6 months. Brock Meeks, MSNBC, 29 May 1998, Stark Abstracting.
Hardware cryptographic attacks — The Electronic Frontier Foundation designed and built a dedicated machine in 1998 for under US$ 250,000 that recovers a DES key from a known plaintext in about 72 hours, an order of magnitude faster than the best distributed network attack at the time. Much of the cost was design and development; the next one with the same performance would cost $50,000 or less. Time to break DES on this architecture scales inversely with the dollars spent on hardware: twice the search chips, half the time. So forget all the U.S. government claims about hardware solutions being impossible. Also remember that this is the cost for 1998 hardware, and cost per unit of performance falls fast over time. Click here for the EFF article.
Threats are under-reported, and that's no recent development:
- DISA estimates only 0.2% of attacks are reported. AWST, 27 Apr 1998, pg 27.
- Only one of 150 attacks against DOD computer systems is detected. AWST, 20 January 1997, pp 60-61.
ARPA/NSA/DISA/DSS Memorandum of Agreement for coordinating Infosec research programs
For current research and development, see Purdue's CERIAS group.
The classic Unix security paper is Grampp and Morris, "UNIX Operating System Security", AT&T Bell Labs Technical Journal, October 1984.
See the Trusted Product Evaluation Program frequently-asked-question list on computer security.
Disaster recovery is a whole field in itself. Check out the Disaster Recovery Journal. For a light introduction, see IEEE Spectrum, December 1996, pg 49.
A very scholarly treatment of Internet congestion models is in Science, vol 277, 25 July 1997, pp 477, 535-537.
Keep looking — here are some more web sites to check out.