Message-ID: <Pine.LNX.4.62.0808121602320.13744@linuxbox.org>
Date: Tue, 12 Aug 2008 16:06:09 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: bugtraq@...urityfocus.com
Cc: funsec@...uxbox.org, full-disclosure@...ts.grok.org.uk
Subject: Re: Internet attacks against Georgian web sites

This is an update of my previous post on the subject.

To be honest here, no one truly knows what's going on in Georgia's Internet 
except for what can be glimpsed from outside, and what has been written by 
the Georgians on their blog 
(http://georgiamfa.blogspot.com/2008/08/cyber-attacks-disable-georgian-websites.html 
outside their country). They are probably a bit busy avoiding kinetic 
bombing.

As mentioned in the previous post, Renesys has been following the Georgian 
links, which seem to be there, but occasionally drop, possibly due to power 
failures. Renesys URL here: 
http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml

Shadowserver and others have been following the botnets attacking the 
Georgian web sites, and that is confirmed as happening. Shadowserver was 
quoted here: 
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112399&intsrc=hm_list

According to Dancho Danchev, there have also been some defacements, which 
he describes here, along with other conclusions I don't necessarily agree 
with: http://blogs.zdnet.com/security/?p=1670

So--it is clear their web sites are under attack, and that Internet 
visibility-wise, the impact is real for the Georgians. And yet, it is 
simply too early and there is not enough information to call this an 
Internet war. It is too early to establish motive or who the perpetrator 
is, however much we may want to point fingers.

Following every and any political or ethnic tension, world-wide, an online 
aftermath comes, in the form of attacks, defacements, and enthusiast 
hackers swearing at the other side (which soon does the same, back).

While Georgia's suffering is real, such attacks are nothing but routine 
here in Israel. When I ran the defense for the Israeli government Internet 
operation and then the Israeli government CERT, such attacks would occur 
daily. Hackers on the other side would band together, talk, coordinate a 
date, exchange tools, and attack.

While I apologize for the analogy, post-9/11 Israelis were shocked. We 
were sympathizing and crying for the victims. What we did not understand 
was why people were still shocked ten minutes past, as this was a normal 
every-day life happening for us over here. The same applies for 
cyber-space, the Internet--we are used to this.

The difference in this attack was that the Georgian authorities were not 
prepared to face and fend off such an attack, as numerous others around the 
world still are not.

In my article "Fighting Botnets and Online Mobs" for the Georgetown 
Journal of International Affairs covering the Internet war in Estonia, I 
state how our opponents will no longer be just countries, or even 
organizations as Martin van Creveld once predicted ahead of his time, but 
that on the Internet playing field any individual or loosely affiliated 
group can be a player, affecting countries and yes, corporations as well. 
My article can be found here: 
http://www.ciaonet.org/journals/gjia/v9i1/0000699.pdf

The best article describing the events so far is by John Markoff at the 
New York Times: 
http://www.nytimes.com/2008/08/13/technology/13cyber.html?em

Gadi Evron.



On Mon, 11 Aug 2008, Gadi Evron wrote:

> In the last days news and government web sites in Georgia suffered DDoS 
> attacks. While these attacks seem to affect the Georgian Internet, it is 
> still there.
>
> Facts:
> 1. There are botnet attacks against .ge websites.
> 2. These attacks affect the .ge Internet infrastructure, but it's reachable.
> 3. It doesn't seem Internet infrastructure is directly attacked.
> 4. Every other political tension in the past 10 years, from a comic of the 
> Prophet Muhammad to the war in Iraq, was followed by online supporters 
> attacking targets which seem affiliated with the opposing side, and 
> vice versa.
>
> Up to the Estonian war, such attacks would be called "hacker enthusiast 
> attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack with a 
> political nature seems to get the "information warfare" tag. When 300 
> Lithuanian web sites were defaced last month, "cyber war" was the buzzword.
>
> When I was running security for the Israeli government Internet operation 
> and later the Israeli government CERT, such attacks were routine, and just 
> by speaking on them in the local news outlets I started bigger so-called 
> "wars" when enthusiasts responded in the story comments and then attacked 
> the "other side".
>
> Not every fight is warfare. While Georgia is obviously under DDoS 
> attacks and it is political in nature, it doesn't so far seem different than 
> any other online aftermath by fans. Political tensions are always followed 
> by online attacks by sympathizers.
>
> Could this somehow be indirect Russian action? Yes, but considering Russia is 
> past playing nice and uses real bombs, they could have attacked more 
> strategic targets or eliminated the infrastructure kinetically.
>
> Coulda, shoulda… the nature of what's going on isn't clear, but until we 
> are certain anything state-sponsored is happening on the Internet it is my 
> official opinion this is not warfare, but just some unaffiliated attacks by 
> Russian hackers and/or some rioting by enthusiastic Russian supporters.
>
> It is too early to say for sure what this is and who is behind it.
>
> The RBN blog (following the Russian Business Network) is of a different 
> opinion:
> http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare.html
> and:
> http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-2-sat-16-00.html
>
> Also, Renesys has been following the situation and provides some data:
> http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml
>
> (Thanks to Paul Ferguson for the URLs)
>
> DDoS attacks harm the Internet itself rather than just this or that web site, 
> so soon this may require some of us in the Internet security operations 
> community getting involved in mitigating the attacks, if they don't just drop 
> on their own.
>
> Gadi Evron.
>
> --
> "You don't need your firewalls! Gadi is Israel's firewall."
>    -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General,
>       Israel's Ministry of Finance, at the government's CIO conference, 2005.
>
>    (after two very funny self-deprecation quotes, time to even things up!)
>
> My profile and resume:
> http://www.linkedin.com/in/gadievron