Chapter 11
Study findings.
60.4% of USAF personnel posting on MySpace have provided sufficient information to make themselves vulnerable to adversary targeting (Figure 6-2), including seven critical variables of information:
First name
Last name
Hometown
Home state
Duty location
Public account
Job type
25.4% were found to be fair targets, and only 14.2% were found to be poor targets (not vulnerable).
Figure 6-2. 60.4% of 500 participants were vulnerable to adversary targeting.
TwitterGate: A Real-World Example of a Social Engineering Attack with Dire Consequences.
On May 1, 2009, a French hacker going by the alias of Hacker Croll announced that he had penetrated Twitter's security and accessed its company records. (Twitter is a popular microblogging service.) Screenshots of a few of them were posted as proof on a forum at zataz.com, a French website.
This was the second time in 2009 that Twitter had a breach in its security (the first being in January by a hacker named GMZ), and also for the second time, Twitter CEO Evan Williams announced that a "thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data" would be done.
Williams also claimed, much to Croll's chagrin, that no important files were accessed, nor was anything taken.
Deciding to teach Twitter a lesson and provide a warning to corporations everywhere, Croll sent a zipped file of over 300 Twitter documents, including financial statements and executive memos and meeting notes, to TechCrunch, a popular and influential IT website owned by Silicon Valley entrepreneur Michael Arrington.
TechCrunch created a firestorm of controversy on July 16, 2009, when it published a number of the stolen documents on its website.
TechCrunch followed that up with a detailed accounting of exactly how Hacker Croll accomplished his break-in. He didn't use any hacking tools, Croll told reporter Robert McMillan for a May 1, 2009 article for IDG News: "One of the admins has a Yahoo! account, I've reset the password by answering to the secret question. Then, in the mailbox, I have found her [sic] twitter password," Hacker Croll said Wednesday in a posting (http://www.warezscene.org/hacking/699733-twitter-got-hacked-again-3.html#post1312899) to an online discussion forum. "I've used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection."
According to the information that Croll provided to TechCrunch, here is the rather simple process that he followed to crack Twitter's security and gain access to its files.
Using publicly available information, he built a profile of the company with emphasis on creating an employee list.
For every employee identified, he looked for email addresses, birth dates, names of pets, spouses, and children.
He began accessing popular web services that each employee may have had an account with (e.g., Gmail, Yahoo!, Hotmail, YouTube, MySpace, Facebook, etc.), and using the discovered email address as the username (which frequently is the case), he initiated steps to recover the password. Passwords are often answers to standard questions, such as "What is your mother's maiden name?", or the service may provide an option to email the forgotten password to a secondary email address. This is where Hacker Croll's patient discovery of personal data combined with flawed security design and sheer luck to enable a successful hack.
Croll tried to access a Twitter employee's Gmail account. He opted for emailing the forgotten password to a secondary email address. Gmail provides users with a clue as to which email address they had picked by obscuring the first part but revealing the service (e.g., ******@hotmail.com). Once he saw it was a Hotmail account, Croll went to Hotmail and attempted to log in with the same username. Here is where luck stepped in: Hotmail's response to Croll's login attempt was that the account was no longer active. Croll immediately re-registered the account with a password that he picked, then went back to Gmail and requested that the forgotten password be emailed to the secondary account, which Croll now owned. Gmail reset the password and sent out a new one to the Hotmail account, thus giving Croll full access to a Twitter employee's personal email.
His next task was to discover the original password and reset it so that the employee would never suspect that her email account had been hacked. Thanks to Gmail's default of storing every email ever received by its members, Croll eventually found a welcome letter from another online service that, for the member's benefit, fully disclosed her username and password. Recognizing that 99% of web users stick with the same password for everything, he reset the Gmail password to the one he just discovered, and then waited for the Twitter employee to access her Gmail account. Sure enough, the employee soon signed in, sent a few emails, and signed out, never suspecting a thing.
Now armed with a valid username and password, Croll dug further into the employee's Gmail archives until he discovered that Twitter used Google Apps for domains as their corporate email solution. Croll logged in with his stolen employee username and password and began searching through all of that employee's company emails, downloading attachments, and, in the process, discovered the usernames and passwords for at least three senior Twitter executives, including CEO and Founder Evan Williams and Co-founder Biz Stone, whose email accounts he promptly logged into as well.
Croll didn't stop there either. He continued to expand his exploitation of Twitter data by logging into the AT&T website for cell phone records and iTunes for credit card information. (According to the TechCrunch article, iTunes has a security flaw that allows users to see their credit card numbers in plain text.) The end result can be seen online, as TechCrunch published some of the stolen information, and the rest will probably find its way online eventually through other channels.
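The two design weaknesses the account-recovery chain above depends on (a hint that names the secondary mail provider, and a reset that mails a brand-new password to a secondary address whose ownership was never re-checked after it was registered) can be shown beside a hardened variant. The following is an added illustration written for this chapter, not code from the book or from any of the services named; the mailbox registry, the account, the addresses, and the 180-day re-verification and 30-minute link-expiry policies are all constructed assumptions.

```python
"""Account-recovery design: weak pattern beside a hardened one (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

STALE_AFTER = timedelta(days=180)   # assumed policy: secondary address must be re-verified after this
TOKEN_TTL = timedelta(minutes=30)   # assumed policy: reset links are short-lived


@dataclass
class Account:
    username: str
    password: str
    recovery_email: str
    recovery_verified_at: datetime


# Simulated mailbox providers: address -> current owner. Removing an entry models a
# lapsed webmail account, which anyone may then re-register.
mailboxes = {}
outbox = []     # (address, owner, message) the providers would deliver
pending = {}    # reset token -> (username, expiry)


def register(address, owner):
    if address in mailboxes:
        raise ValueError(f"{address} is taken")
    mailboxes[address] = owner


def release(address):
    mailboxes.pop(address, None)


def deliver(address, message):
    """Delivers to whoever currently controls the address; returns that owner (or None)."""
    owner = mailboxes.get(address)
    if owner is not None:
        outbox.append((address, owner, message))
    return owner


# --- weak design -------------------------------------------------------------
def weak_hint(acct):
    """Masks the local part but leaks the provider, telling a stranger where to look."""
    local, _, domain = acct.recovery_email.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def weak_reset(acct):
    """Replaces the password and mails it to the current holder of the secondary address."""
    acct.password = secrets.token_urlsafe(8)
    return deliver(acct.recovery_email, f"Your new password is {acct.password}")


# --- hardened design ---------------------------------------------------------
def hardened_hint(acct):
    """Reminds the legitimate user without naming the provider."""
    return acct.recovery_email[0] + "***@***"


def hardened_reset(acct, now):
    """Refuses a secondary address that has not been re-verified recently; otherwise
    mails a single-use, expiring link. The password is untouched until the link is used."""
    if now - acct.recovery_verified_at > STALE_AFTER:
        return "reverify_required", None
    token = secrets.token_urlsafe(16)
    pending[token] = (acct.username, now + TOKEN_TTL)
    deliver(acct.recovery_email, f"Reset link: https://example.test/reset/{token}")
    return "sent", token


def redeem(acct, token, new_password, now):
    """Single use and time-limited; possession of the link is the proof."""
    entry = pending.pop(token, None)
    if entry is None or entry[0] != acct.username or now > entry[1]:
        return False
    acct.password = new_password
    return True


def lapsed_scenario():
    """Re-enacts the lapsed-secondary-address case against both designs."""
    mailboxes.clear(); outbox.clear(); pending.clear()
    now = datetime(2009, 5, 1)
    register("old.addr@webmail.test", "employee")
    acct = Account("employee", "original-pw", "old.addr@webmail.test", now - timedelta(days=700))
    release("old.addr@webmail.test")                # the webmail account lapses ...
    register("old.addr@webmail.test", "attacker")   # ... and is re-registered by someone else
    recipient = weak_reset(acct)                    # weak flow mails the new password to "attacker"
    verdict, _ = hardened_reset(acct, now)          # hardened flow stops: address is stale
    return recipient, verdict


def fresh_scenario():
    """The legitimate path: recently verified address, single-use link, expiry enforced."""
    mailboxes.clear(); outbox.clear(); pending.clear()
    now = datetime(2009, 5, 1)
    register("fresh@webmail.test", "employee")
    acct = Account("employee", "pw", "fresh@webmail.test", now - timedelta(days=10))
    status, token = hardened_reset(acct, now)
    untouched = acct.password == "pw"               # nothing changes until the link is used
    first = redeem(acct, token, "new-pw", now + timedelta(minutes=5))
    second = redeem(acct, token, "again", now + timedelta(minutes=6))    # single use
    _, late_token = hardened_reset(acct, now)
    expired = redeem(acct, late_token, "late", now + timedelta(hours=1))  # past TOKEN_TTL
    return status, untouched, first, second, expired, acct.password


if __name__ == "__main__":
    print("lapsed address:", lapsed_scenario())
    print("fresh address:", fresh_scenario())
```

The staleness check is a proxy for what the service cannot observe directly: whether the secondary mailbox still belongs to the person who registered it. Mailing a link instead of a password also means a misdelivered message is worthless after thirty minutes and leaves the existing password intact.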
Although this real-life example of computer network exploitation (CNE) did not involve a government or military website, the essential process is the same. Had this been a successful SQL injection attack instead of a pure social engineering attack, all of the usernames and passwords would have been discovered in a matter of minutes and a full dump of the contents of the company's database would have occurred.
Twitter may soon become the world's largest SMS-based channel of communication. It is already being exploited by the intelligence services of numerous nations, thanks to the publicity that it has received during the Iran election protests and last year's Mumbai terror attacks.
Automating the Process.
The advent of social software and its rapid popularity has transformed the way that intelligence organizations around the world can collect information on their adversaries.
Both the United States and the Russian Federation armed forces have been struggling to find a way to prevent, reduce, or control the spontaneous writings of their troops on their personal web pages in a variety of social media, which often reveal far too much information on matters impacting OPSEC. If this information is scraped, filtered, and aggregated properly, it can easily provide an asymmetric advantage to one's enemy.
For an intelligence operative who is seeking to recruit and turn a person employed in a sensitive position, social software is a dream come true. No longer do case officers have to rely solely on arranging in-person meetings or one-to-one engagements to build relationships that may lead to turning a foreign service officer into an espionage asset, for example.
Today, almost the entire recruitment process can be done online, from finding likely candidates to building out a profile, to crafting an online presence with a backstory that will act as a suitable lure.
The new case officer might very well be a social network analyst familiar with the open source information retrieval library called Lucene, Hadoop for scaling thousands of nodes of information, and Nutch for data retrieval, parsing, and clustering, all fed by the APIs that each social software service has conveniently created to entice developers to build new, fun applications on top of their platforms.
Spook Finder 1.0, anyone?
Catching More Spies with Robots.
A more sophisticated alternative is the use of robots (bots) that, with the right programming, can appear online as a genuine person.
The following content was provided by a Russian technologist and member of the Project Grey Goose team at my request. It represents, at the time of this writing, a serious and emerging threat present on Russian social networks, but Project Grey Goose investigators expect to see these capabilities migrate over to Facebook and other social software sites in the very near future.
The automation and virtualization of social network entities.
Automation and simulation of artificially created activities performed inside Russian social networks (vKontakte.ru and Odnoklassniki.ru) are virtualizing communication to the degree that one cannot be certain of who he really is becoming friends with.
In a normal social network scenario, a user would create a profile, upload a couple of pictures, record his ties to universities and/or place of work in the profile, and, for the most part, then be ready to find and begin socializing with friends or colleagues. But how does one tell the real thing from a virtual mock-up?
That is what's happening right now in the Russian social networks VKontakte.ru and Odnoklassniki.ru. Virtual entities are pretending to be real people in a way that enables criminals to gather personal information from the unsuspecting.
If a social network relies on a system of "votes" or ratings to validate trust, collecting enough of them to raise the "trust" rating to an adequate level can already be automated.
If a site is vulnerable to a cross-site scripting attack, thousands of users can be affected within mere seconds, just by pushing a button on the operator's workstation.
If a group of people does not like a particular participant or the site itself, it takes only 10,000 rogue users connecting simultaneously to bring the server down and cause a denial of service.
If one needs a user's trust or password (which is very close to being the same thing in certain circumstances), there's nothing to prevent the operator from inviting unsuspecting users to a social honeypot, a virtual society created by the attacker to lead "the herd" to adversarial actions.
These mechanisms exist today in the Russian cyber underground and are available at a very affordable price.
Owning social network users for a small budget of $300 to $1,300.
The following scenario may be fully automated:
1. Find valid user account IDs.
2. Register thousands of new accounts with random data, organizing the newly created profiles in groups.
3. Create new groups with hot topics, generating traffic to these new artificial groups.
4. Invite new members, either through mass-sent or targeted-search messages, to participate in the artificial groups.
5. Hook some form of exploitation mechanism to the visitors.
The following applications are available for purchase using the anonymous payment system known as WebMoney:
ID grabber: Iterates through valid IDs, finding new user IDs that become active on the system through scenarios or custom search parameters. Price: 44 WebMoney dollars.
Automated registration: Automatically registers multiple accounts in the social network with custom profiles with granular detail capability, starts services, uploads random photos, fills out the "user's" interests, and connects them to random places of work and study. Price: 55 WebMoney dollars.
Automated searcher: Searches for specific accounts, inviting them to the automated, custom-created groups. Price: 50 WebMoney dollars.
Automated group creator: Creates groups by interest, by location, by age, and so on. Price: 44 WebMoney dollars.
Buying/integrating XSS exploit: Creates a cross-site scripting exploit for the social network and embeds it into the newly created pages. Price: 100 to 1,000 WebMoney dollars.
Once the user is trapped inside this virtual circle of automated "friends," it is very hard not to follow through and not to accept friendship from at least one of the zombies peacefully trying to make contact under the guise of someone you might have worked with years ago.
Bringing down a social network from the inside.
So aside from exploiting the users, stealing their private data, and trust and relationship mapping to other legitimate users, what else could be on the attacker's mind?
How about a reverse denial of service on the server itself?
If one account in Vkontakte.ru can have a maximum of 2,500 "friends" in his social network, and the attacker is able to create an unlimited number of accounts by utilizing proxies and linking them to other users or to each other, what would it take to create an automated script to initiate massive traffic among those zombied accounts without the use of any external entity or owning a powerful external botnet?
The answer is not much, really. Depending on what logic is being put behind the attack, only one remote login with the proper command initiation can trigger a chain reaction that can bring down the network from the inside.
The problem is not isolated to Russian social networking sites; it's just that the local underground is currently more interested in testing where things may go until the path is verified for making some form of guaranteed profit.
Also, it's much easier to converse in your own language and within your own culture, and use social engineering techniques for exploitation. However, all of that can be overcome if there is enough money to be made.
Chapter 7. Follow the Money.
Cyberspace as a domain for modern warfare creates a lot of complexities that don't exist in other types of conflicts. You cannot visually identify the enemy, nor be sure what his nationality is. The one thing that you can count on is that someone has to pay for the necessities of virtual combat. Therefore, one sound strategy in any cyber investigation is to follow the money trail created by the necessary logistics of organizing a cyber attack: domain registration, hosting services, acquisition of software, bandwidth, and so on.
False Identities.
One of the main reasons why malicious activities can prosper online is the lax verification of domain registration data, also known as WHOIS information. Starting with the Internet Corporation for Assigned Names and Numbers (ICANN) and continuing with hosting companies and accredited domain registrars of all sizes, verification is not universally enforced.
Fortunately, one of the forensic methods that can crack false identity data is the global trend toward social computing. In the digital world of the Internet, as in physical space, you leave evidence of where you've been.
If you're an ardent social computing fan who is active in Facebook, MySpace, LiveJournal, or Twitter, your virtual footprint will be very extensive. If you make your living on the Internet as a web service provider or forum administrator, your footprint will be even larger.
The IDC is an organization that studies how much data is generated by individuals and businesses each year (Figure 7-1). According to the IDC whitepaper "The Diverse and Exploding Digital Universe" (March 2008), "the digital universe contained 281,000,000,000 gigabytes, which works out to about 45 gigabytes per person on the planet." Of that, half is due to an individual's actions online. The other half is what the IDC refers to as your digital shadow, ambient content created by others about you (video on traffic cameras or at ATMs, credit card transactions, medical records, etc.).
Figure 7-1. The expanding digital universe
Now imagine that you want to create a forum to recruit, train, and launch cyber attacks against state networks or websites. You won't use your real name or known alias for fear of reprisals. Instead you'll create a fictitious name for your domain registration and/or server hosting plan that cannot be traced back to you.
This is not as easy as it sounds, because some domain registrars will attempt to verify the authenticity of the information that you provide. Your name and address may also have to match those attached to the credit card that you use to make the purchase. This poses a serious problem for those individuals who want to act surreptitiously.
Because of that, members of the cyber underground have identified which hosting providers and domain registrars have lax verification and payment policies, and patronize them exclusively. The Russian Business Network (RBN) is a prime example. Although the RBN went dark in November 2007 after an increasing amount of attention was being paid to its operations, some of the IP blocks associated with it are still active.
The genius of the RBN was that it built a bulletproof loop that guaranteed its online businesses uninterrupted service, regardless of how many complaints were filed against its various websites.
Like the RBN, the StopGeorgia.ru forum is part of a network that's been bulletproofed. The rest of this chapter walks you through the intricate relationships, aliases, and shell companies that were created to serve that purpose. Before getting to the specifics of the StopGeorgia.ru network, let's begin with an introduction to how bulletproofing works.
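The "follow the money" approach rests on one mechanical step: registration records that were filled in under different names still tend to reuse a contact e-mail, a phone number, or a hosting arrangement, and those shared identifiers let an investigator tie domains together. The block below is an added example of that pivot written for this chapter; it is not the book's own material or data from the StopGeorgia.ru investigation. The WHOIS excerpts, domains, and contacts are constructed placeholders. Registrant e-mail and phone are treated as strong links that merge domains into one cluster; shared name servers are reported separately because a large host serves many unrelated customers.

```python
"""Cluster domains by shared WHOIS identifiers (constructed example)."""
import re
from collections import defaultdict

# Constructed WHOIS excerpts with placeholder domains and contacts (not real records).
RECORDS = {
    "forum-a.example": {"email": "Admin@Mail.example", "phone": "+7 (495) 123-45-67",
                        "ns": ["ns1.host-x.example", "ns2.host-x.example"]},
    "forum-b.example": {"email": "other@mail.example", "phone": "+7 495 1234567",
                        "ns": ["ns1.host-y.example"]},
    "shop-c.example": {"email": "admin@mail.example", "phone": "+1 555 0100",
                       "ns": ["ns1.host-z.example"]},
    "unrelated.example": {"email": "nobody@elsewhere.example", "phone": "+44 20 7946 0000",
                          "ns": ["ns1.host-y.example"]},
    "lonely.example": {"email": "solo@solo.example", "phone": "",
                       "ns": ["ns9.solo.example"]},
}


def normalize_email(e):
    return e.strip().lower()


def normalize_phone(p):
    # Registrars store the same number with different punctuation; keep digits only.
    return re.sub(r"\D", "", p)


def strong_keys(rec):
    """The identifiers considered strong enough to merge two domains."""
    keys = []
    if rec.get("email"):
        keys.append(("email", normalize_email(rec["email"])))
    if rec.get("phone"):
        keys.append(("phone", normalize_phone(rec["phone"])))
    return keys


def cluster(records):
    """Union-find over domains: any shared strong key joins two domains."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}   # key -> first domain that carried it
    for domain, rec in records.items():
        for key in strong_keys(rec):
            if key in first_seen:
                union(first_seen[key], domain)
            else:
                first_seen[key] = domain
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    # Largest clusters first; ties broken by the first domain name.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def shared_identifiers(records, group):
    """Which normalized identifiers link more than one domain inside a cluster."""
    carriers = defaultdict(set)
    for d in group:
        for key in strong_keys(records[d]):
            carriers[key].add(d)
    return {k: sorted(v) for k, v in carriers.items() if len(v) > 1}


def hosting_overlap(records):
    """Name servers shared between domains: a weaker pivot, reported but not merged."""
    by_ns = defaultdict(set)
    for d, rec in records.items():
        for ns in rec.get("ns", []):
            by_ns[ns.lower()].add(d)
    return {ns: sorted(ds) for ns, ds in by_ns.items() if len(ds) > 1}


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(group, shared_identifiers(RECORDS, group))
    print("shared hosting:", hosting_overlap(RECORDS))
```

On the constructed records, forum-a and shop-c are linked by the same e-mail written in different case, forum-a and forum-b by the same phone number written with different punctuation, so all three land in one cluster even though no single identifier is common to all of them. The shared name server between forum-b and an unrelated domain is surfaced as a hosting note for the analyst to weigh rather than used to merge clusters.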
Components of a Bulletproof Network.
A bulletproof network refers to a series of business relationships that make it extremely difficult for authorities to shut down web enterprises engaged in criminal activities.