Thursday, March 3, 2011

Cyberwar in Estonia and the Middle East

Did a member of your family help kick off a cyber assault that brought an entire nation to its knees? No, seriously, don't laugh. In April 2007, communications in the Baltic state of Estonia were crippled by a coordinated attack that relied on the computers of millions of innocent users around the world, just like you and your kin. The attack was instrumental in demonstrating how cyber war had moved from idea to reality. And it all started with the movements of a single soldier.

The Bronze Soldier is a two-meter statue which formerly stood in a small square in Tallinn, the Estonian capital, above the burial site of Soviet soldiers lost in the Second World War. The memorial has long divided the people of the country, with native Estonians considering it a symbol of Soviet (and formerly Nazi) occupation and a large minority population (around 25% of the total) of ethnic Russian immigrants viewing it as a symbol of Soviet victory over the Nazis and of Russian claims over Estonia. When the country's newly appointed Ansip government initiated plans to relocate the statue and the remains as part of a 2007 electoral mandate, the move sparked the worst riots the country had ever seen - and, conceivably, a cyber attack from Russia.


On April 27, as two days of rioting shook the country and the Estonian embassy in Moscow found itself under siege, a massive distributed denial-of-service (DDoS) attack overwhelmed most of Estonia's internet infrastructure, bringing online activity practically to a standstill. The targets were not military websites but civilian sites belonging to organizations such as banks, newspapers, internet service providers (ISPs), and even home users. Much of the onslaught came from hackers using IP addresses in Russia, but the most devastating element in the attack was a botnet which co-opted millions of previously virus-infected computers around the globe to pummel the Estonian infrastructure.

Anatomy of a Cyber Attack

The botnet fooled Estonian network routers into continuously resending useless packets of data to one another, rapidly flooding the infrastructure used to conduct all online business in the country. The attack centered mainly on small websites which were easy to knock out, but was nevertheless devastatingly effective. Bank websites became unreachable, paralyzing most of Estonia's financial activity. Press sites also came under attack, in an attempt to disable news sources. And ISPs were overwhelmed, blacking out internet access for large portions of the population.

While the Estonian government was expecting there to be an online backlash to its decision to move the statue, it was completely unprepared for the scale of the cyber attack. Estonia's defense minister went on record to call the attack "a national security situation", adding "it can effectively be compared to when your ports are shut to the sea."(1)

Once it became clear that most of the country's online business infrastructure was being affected, the Computer Emergency Response Team for Estonia (CERT-EE) issued a plea for help from IT security specialists worldwide and an ad-hoc digital recovery team was assembled, which included people from my own firm, Beyond Security. It took us a few days to get to the bottom of the threat and begin setting up frontline defenses, which mainly involved implementing BCP 38 network ingress filtering techniques on affected routers to prevent source address spoofing of internet traffic. The attack waned quickly once we started taking defensive measures. But in the days it took to fight off the attack, it is likely that the country lost billions of Euros in reduced productivity and business downtime.

Cyber War in the Middle East

The Estonian incident will go down in history as the first major (and hopefully biggest ever) example of full-blown cyber warfare. However, there is one place on earth where cyber war has become part of the day-to-day online landscape - and it is still ongoing.

In the Middle East, the Arab-Israeli conflict has a significant online element, with thousands of attacks and counter-attacks a year. This has been the situation since the collapse of peace talks in the region and was preceded by a spontaneous wide-scale cyber war between Arab and Israeli hackers in 1999 and 2000. Arab sympathizers from many nations are involved. A group of Moroccan hackers have been defacing Israeli web sites for the last six years or so, and recently Israel's military radio station was infiltrated by an Iraqi hacker.

Unlike the blitzkrieg-like attack in Estonia, this protracted warfare is not intended to paralyze key enemy functions but more to sap morale, drain resources and hamper the economy. The targets are typically low-hanging fruit in internet terms: small transactional, informational and even homespun web sites whose security can easily be compromised. Taking over and defacing these sites is a way of intimidating the opposition - creating a feeling of 'if they are here, where else might they be?' - and leads to significant loss of data, revenue and trust for the site owners.

Cyber War Spreads

If the Estonia and Middle East examples were our only experiences of cyber warfare then it might be tempting to put them down to local factors and therefore not of concern to the wider security community. Sadly, however, these instances are simply part of a much larger trend towards causing disruption on digital communications platforms. In January this year, for example, two of Kyrgyzstan's four ISPs were knocked out by a major DDoS hit whose authors remain unknown.(2) Although details are sketchy, the attack is said to have disabled as much as 80% of all internet traffic between the former Soviet republic and the west.

The attack appeared to have originated from Russian networks which are believed to have had links to criminal activity in the past, and probably the only thing preventing greater disruption in this instance was the fact that Kyrgyzstan's online services, unlike those in Estonia, are poor at the best of times. It was apparently not the first such attack in the country, either.(3) It is claimed there was a politically-motivated DDoS in the country's 2005 presidential elections, reportedly attributed to a Kyrgyz journalist sympathizing with the opposition party.

China has also engaged in cyber warfare in recent years, albeit on a smaller scale. Hackers from within the country are said to have penetrated the laptop of the US defense secretary, sensitive French networks, US and German government computers, New Zealand networks and Taiwan's police, defense, election and central bank computer systems.

In a similar fashion, in 2003 cyber pests hacked into the UK Labour Party's official website and posted up a picture of US President George Bush carrying his dog - with the head of Tony Blair, the Prime Minister of the UK at the time, superimposed on it.(4) The incident drew attention to government sites' lax approach to security, although in this particular case it was reported that hackers had exploited the fact that monitoring equipment used by the site hosting company had not been working properly. And as long ago as 2001, animal rights activists were resorting to hacking as a way of protesting against the fur trade, defacing luxury brand Chanel's website with images of slaughtered animals.(5)

The Case for the Defense

What do all these incidents mean for policy makers worldwide? Both the Estonian and Middle Eastern experiences show clearly that cyber war is a reality and the former, in particular, demonstrates its devastating potential. In fairness, Estonia was in some ways the perfect target for a cyber strike. Emerging from Russian sovereignty in the early 1990s with little legacy communications infrastructure, the nation was able to leapfrog the developments of western European countries and build an economy firmly based on online services, such as banking, business and e-government. At the same time, the small size of the country - it is one of the least populous in the European Union - meant that most of its web sites were similarly small and could easily be overwhelmed in the event of an attack. Last but not least, at the time of the Estonian incident, nothing on a similar scale had been experienced before.

It is safe to say that other nations will now not be caught out so easily. In fact, if anything, what happened in Estonia will have demonstrated to the rest of the world that cyber weapons can be very effective, and so should be considered a priority for military and defense planning.

What might make cyber warfare the tactic of choice for a belligerent state? There are at least five good reasons. The first is that it is 'clean'. It can knock out a target nation's entire economy without damaging any of the underlying infrastructure.

The second is that it is an almost completely painless form of engagement for the aggressor: an attack can be launched at the press of a button without the need to commit a single soldier.

The third reason is cost-effectiveness. A 21,000-machine botnet can be acquired for 'just a few thousand dollars', a fraction of the cost of a conventional weapon, and yet can cause damage and disruption easily worth hundreds of times that.(6)

The fourth is that it is particularly difficult for national administrations to police and secure their online borders. A DDoS attack may be prevented simply by installing better firewalls around a web site (for example), but no nation currently has the power to tell its ISPs, telecommunications companies and other online businesses that they should do this, which leaves the country wide open to cyber strikes.

The last but by no means least reason is plausible deniability. In none of the cyber war attacks seen so far has it been possible to link the attack with a government authority, and in fact it would be practically impossible to do so. In the case of the Chinese hack attacks, for instance, the authorities have provided a defense which amounts to saying: 'There are probably a billion hackers on our soil and if it was us we would have to be stupid to do it from a Chinese IP address.'

A similar logic potentially provides absolution to the Russian administration in the case of Estonia: if it is so cheap and easy to get a botnet to mount a DDoS attack, why would the Russians bother mounting hack attacks from their own ISPs? And in the Kyrgyz attack, although the source of the DDoS clearly points to a Russian hand, the motives for Russia's involvement remain hazy, leading to a suggestion that it may have been caused by Kyrgyzstan's own incumbent party, acting with hired cyber criminals from Russia.

Tactics For Protection

With all these advantages, it is unlikely that any military power worth its salt is by this stage still ignoring the potential of cyber warfare. In fact, since the Estonia incident it is even possible that the incidence of cyber warfare has increased, and we are simply not aware of the fact because the defensive capabilities of the sparring nations have increased. After all, another important lesson from Estonia is that it is possible to mount a defense against cyber attacks. There is no single solution, no silver bullet, but a range of measures can be taken to deal with the kinds of DDoS issues faced by Estonia and the kinds of hacker attacks still going on in the Middle East.

For DDoS attack avoidance, there are four types of defense:
o Blocking SYN floods, which are caused when the attacker (for example) spoofs the return address of a client machine so that a server receiving a connection request from it is left hanging when it attempts to acknowledge receipt.
o Implementing BCP 38 network ingress filtering techniques to guard against forged data packets, as employed successfully in Estonia.
o Zombie Zappers, free, open source tools that can tell a machine (or 'zombie') which is flooding a system to stop doing so.
o Low-bandwidth web sites, which prevent primitive DDoS attacks simply by not having enough capacity to help propagate the flood.
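The two defenses this article leans on most, BCP 38 ingress filtering (mentioned in the account of the Estonian recovery effort above and again in the list) and SYN-flood detection, are easiest to understand as decision rules over individual packets. The following is an added illustration written for this page, not code from the original article, from Beyond Security or from CERT-EE. It simulates a hypothetical edge router: the interface table, the address prefixes, the packet records and the connection events are all constructed for the example, and the SYN counter is a simplified half-open tracker rather than any real router's implementation.

```python
import ipaddress
from collections import defaultdict

# Constructed interface table for a hypothetical edge router: the source
# prefixes that may legitimately arrive on each customer-facing interface.
# Any interface not listed here is treated as the upstream (transit) side.
INGRESS_PREFIXES = {
    "customer-a": [ipaddress.ip_network("192.0.2.0/24")],
    "customer-b": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed list of the address space this network itself announces.
OWN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def bcp38_allows(interface, src_ip):
    """BCP 38 ingress rule: a packet is accepted only if its source address
    is plausible for the interface it arrived on.

    - On a customer interface, the source must lie inside that customer's
      assigned prefixes; anything else is a forged (spoofed) source.
    - On the upstream side, a packet claiming to come from our own address
      space is spoofed by definition, since our addresses live inside.
    """
    src = ipaddress.ip_address(src_ip)
    if interface in INGRESS_PREFIXES:
        return any(src in net for net in INGRESS_PREFIXES[interface])
    return not any(src in net for net in OWN_PREFIXES)


def filter_packets(packets):
    """Split packet records into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        target = accepted if bcp38_allows(pkt["iface"], pkt["src"]) else dropped
        target.append(pkt)
    return accepted, dropped


def syn_flood_report(events, threshold=3):
    """Simplified half-open connection tracker.

    events: (src_ip, flag) pairs in arrival order, where 'SYN' opens a
    half-open connection and 'ACK' completes the handshake for that source.
    Returns the sources whose outstanding half-open count reaches the
    threshold; a spoofed source never sends the final ACK, so its count
    only ever grows.
    """
    half_open = defaultdict(int)
    for src, flag in events:
        if flag == "SYN":
            half_open[src] += 1
        elif flag == "ACK" and half_open[src] > 0:
            half_open[src] -= 1
    return {src: n for src, n in half_open.items() if n >= threshold}


# Constructed packet records: two legitimate, three with forged sources.
SAMPLE_PACKETS = [
    {"iface": "customer-a", "src": "192.0.2.10"},     # inside customer-a's prefix
    {"iface": "customer-a", "src": "203.0.113.5"},    # foreign source on customer port
    {"iface": "customer-b", "src": "198.51.100.200"}, # outside customer-b's /25
    {"iface": "upstream",   "src": "203.0.113.7"},    # ordinary internet source
    {"iface": "upstream",   "src": "192.0.2.99"},     # claims our own space from outside
]

# Constructed connection events: one source opens four connections and
# completes only one; the other behaves normally.
SAMPLE_SYN_EVENTS = [
    ("203.0.113.9", "SYN"), ("203.0.113.9", "SYN"), ("203.0.113.9", "SYN"),
    ("203.0.113.9", "SYN"), ("203.0.113.9", "ACK"),
    ("192.0.2.10", "SYN"), ("192.0.2.10", "ACK"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", [p["src"] for p in ok])
    print("dropped: ", [p["src"] for p in bad])
    print("half-open offenders:", syn_flood_report(SAMPLE_SYN_EVENTS))
```

The point of the ingress rule is that it is applied by the network closest to the sender, where the set of legitimate source prefixes is small and known; a router in the victim's network cannot tell a forged source from a real one, which is why the Estonian recovery relied on pushing the filtering out to the affected routers rather than onto the flooded web sites.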

For hacker attacks such as those seen in the Middle East, meanwhile, there are three main types of defense:
o Scanning for known vulnerabilities in the system.
o Checking for web application holes.
o Testing the entire network to detect the weakest link and plug any potential entry points.

A Doomsday Scenario?

All the above are useful defensive tactics, but what about strategic actions? First and foremost, the Estonian experience showed that it is important for the local CERT to have priority in the event of an attack, in order to ensure that things can return to normal as soon as possible.

Authorities can also, as far as possible, check national infrastructures for DoS and DDoS weaknesses, and finally, national CERTs can scan all the networks they are responsible for - something the Belgian CERT has already started doing. Given the openness of the internet and the differing challenges and interests of those operating on it, these measures will of course only provide partial protection. But it is hoped they would be enough to prevent another Estonia incident. Or would they?

There is, unfortunately, another type of cyber war attack which we have yet to see and which could be many times more devastating than what happened in Estonia. Rather than trying to hack into web sites just to deface them - a time-consuming endeavor with relatively little payback - this tactic would involve placing 'time bombs' in the web systems concerned. These could be set to lie dormant until triggered by a specific time and date or a particular event, such as a given headline in the national news feed. They would then kick off and shut down their host web site, whether using an internal DoS or some other mechanism.

The code bombs could lie dormant for long enough for a malicious party to crack and infect most or all of the major web sites of a country. And in today's networked world, this is no longer about simply causing inconvenience. Think of the whole range of essential services, from telephone networks to healthcare systems, which now rely on internet platforms. Knocking all these out in one go could have a truly dramatic impact on a nation's defensive capabilities, without the need for an aggressor to send a single soldier into combat.

The means to create such an attack surely exist. So do the means to defeat it. What has happened in Estonia and the Middle East shows we now need to reconsider cyber warfare as a very real threat. What could happen if we fail to guard against it really does not bear thinking about.

1. Mark Landler and John Markoff: 'Digital fears emerge after data siege in Estonia'. New York Times, 29 May 2007.
2. Danny Bradbury: 'The fog of cyberwar'. The Guardian, 5 February 2009.
3. Ibid.
4. 'Labour website hacked'. BBC News, 16 June 2003.
5. 'The fur flies'. Wired, 23 January 2001.
6. Spencer Kelly: 'Buying a botnet'. BBC World News, 12 March 2009.
