Military Aviation A forum for the professionals who fly military hardware. Also for the backroom boys and girls who support the flying and maintain the equipment, and without whom nothing would ever leave the ground. All armies, navies and air forces of the world equally welcome here.

Cyberwar

Old 16th Sep 2016, 04:14
  #1 (permalink)  
Ecce Homo! Loquitur...
Thread Starter
 
Join Date: Jul 2000
Location: Peripatetic
Posts: 17,461
Received 1,622 Likes on 740 Posts
Cyberwar

An unknown state is working out how to destroy the internet -CapX

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China and Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it's overwhelmed. These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.

I am unable to give details, because these companies spoke with me under condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex."

There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes—and especially their persistence—points to state actors. It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the U.S.'s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

What can we do about this? Nothing, really. We don't know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it's possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the U.S. decides to make an international incident over this, we won't see any attribution.

But this is happening. And people should know.
ORAC is offline  
Old 16th Sep 2016, 04:52
  #2 (permalink)  
 
Join Date: Oct 2007
Location: A better place.
Posts: 2,319
Received 24 Likes on 16 Posts
The new frontline is being held by the NSA, GCHQ, ASD, GCSB and CSE.
The Five Eyes are already at war.
Every hour of every day.
tartare is offline  
Old 16th Sep 2016, 06:02
  #3 (permalink)  
I don't own this space under my name. I should have leased it while I still could
 
Join Date: Dec 2002
Location: Lincolnshire
Age: 81
Posts: 16,777
Received 5 Likes on 5 Posts
At least the biggest companies like Microsoft will be safe.

Pontius Navigator is offline  
Old 16th Sep 2016, 07:18
  #4 (permalink)  
 
Join Date: May 2006
Location: Dublin
Posts: 841
Likes: 0
Received 3 Likes on 2 Posts
This isn't a new phenomenon.

Twenty years ago such activities were well documented and understood within the ICT industry.

What's changed is twofold;
a) the general media/public awareness of incidents and
b) the increased sophistication of tools available to both conduct and then detect and respond to such attacks.

JAS
Just a spotter is offline  
Old 16th Sep 2016, 07:24
  #5 (permalink)  
I don't own this space under my name. I should have leased it while I still could
 
Join Date: Dec 2002
Location: Lincolnshire
Age: 81
Posts: 16,777
Received 5 Likes on 5 Posts
JAS, and the increased reliance on Networked Enabled warfare, and of course everything else.

You don't need to crack traffic security to 'read' the data, simply breaking the link can be devastating. DSA was even applied during WW 2. Cut a phone cable, enforce radio traffic.
Pontius Navigator is offline  
Old 16th Sep 2016, 07:26
  #6 (permalink)  
 
Join Date: Mar 2000
Location: UK
Posts: 1,447
Received 0 Likes on 0 Posts
Definitely not new....

Solar Sunrise
Megaton is offline  
Old 17th Sep 2016, 15:01
  #7 (permalink)  
 
Join Date: Jun 2009
Location: Lincolnshire
Age: 82
Posts: 165
Likes: 0
Received 0 Likes on 0 Posts
While not exactly Cyberwars, I came across my first internet attack back in 1984 (32 years ago) while working at a Technical Operations Centre in Hampshire. While using the IBM network. It was coming up for Christmas when I received an e-mail from the South African top hardware specialist with an electronic Christmas card as an attachment.
It seemed strange as even though we were on very good terms, we didn't send Christmas cards to each other! I went & saw my Boss & explained my suspicions, when his 'phone rang with an urgent call from Johannesburg with a very panicky Specialist warning me not to open the attachment as they just found out that it was infected!!
VIProds is offline  
Old 17th Sep 2016, 20:38
  #8 (permalink)  
 
Join Date: Jul 2006
Location: bristol
Age: 56
Posts: 1,051
Likes: 0
Received 0 Likes on 0 Posts
As has already been said, these attacks aren't new. What should be a cause for concern is the lack of security at most large or country level organisations. The issue for me is the poor security rather than the sophistication of attacks.

I know of national institutions or international companies that have had data (including very sensitive data) stolen multiple times but each time with the same method used.
There was an advert on TV earlier tonight for a 'household name' company. They have had all their customers' address and banking details stolen three times. It would take around a morning's work to prevent that attack from happening again but the company won't spend a penny on extra security.
barnstormer1968 is offline  
Old 18th Sep 2016, 20:05
  #9 (permalink)  
 
Join Date: Feb 2008
Location: UK
Age: 42
Posts: 191
Received 10 Likes on 5 Posts
VIProds, thanks for sharing that. When I was studying Computer Science, I wrote a brief history of threats to network security. It was widely believed at the time that the 'Christmas Card' incident was the first documented case of a virus "in the wild".
Stu666 is offline  
Old 19th Sep 2016, 10:40
  #10 (permalink)  
 
Join Date: Jun 2009
Location: Lincolnshire
Age: 82
Posts: 165
Likes: 0
Received 0 Likes on 0 Posts
Stu666, yes, this is the first time that we had come against anything like this. In the 60s & 70s industrial espionage was rife, so we were always aware of people & companies trying to gain access to information, but the "Christmas card" was destructive.
I used to carry around with me a floppy disk with some simple software on it, so if anyone left their work station logged on & left it to get a coffee or go to lunch, I would load the software so when they came back, a message would come up on the screen saying that it was deleting all their files & would show them disappearing one by one. Nothing was happening in reality, but it was enough to make them think twice about leaving their work station logged on while unattended!!
VIProds is offline  
Old 19th Sep 2016, 16:15
  #11 (permalink)  
 
Join Date: Jun 2009
Location: France
Age: 80
Posts: 6,379
Likes: 0
Received 1 Like on 1 Post
Sir, what's a "floppy disk?"


Stupid boy, go and sit on the naughty step
Wander00 is offline  
Old 19th Sep 2016, 16:30
  #12 (permalink)  
I don't own this space under my name. I should have leased it while I still could
 
Join Date: Dec 2002
Location: Lincolnshire
Age: 81
Posts: 16,777
Received 5 Likes on 5 Posts
Wander, we were instructed is a method of inserting a virus or sniffer program.

You label a floppy: Management salary scales or some such then accidentally drop it somewhere in or near the target. Human nature being what it is, people will be tempted to sneak a peek.
Pontius Navigator is offline  
Old 19th Sep 2016, 17:01
  #13 (permalink)  
 
Join Date: Jun 2009
Location: France
Age: 80
Posts: 6,379
Likes: 0
Received 1 Like on 1 Post
I can imagine, I was just trawling back the memory to those firstly 7" disks that really were floppy, then the later 3 and a bit inch ones. In today's terms held bugger all too
Wander00 is offline  
Old 19th Sep 2016, 17:09
  #14 (permalink)  
 
Join Date: Jun 2012
Location: Amersham
Age: 66
Posts: 41
Received 0 Likes on 0 Posts
Ah, Proper removable storage ....

IIRC, floppy disks (agh, US spelling!) went
8"
5 1/4"
3 1/2"

and now optical drives are becoming passe.
Strumble Head is offline  
Old 19th Sep 2016, 17:14
  #15 (permalink)  
 
Join Date: Jun 2009
Location: Lincolnshire
Age: 82
Posts: 165
Likes: 0
Received 0 Likes on 0 Posts
Wander, sorry about that. 1st & 2nd generation computers used a small disc that was fitted in a square 6"x6" cardboard envelope to load programmes or diagnostics into the computer. It flopped about, thus the name. They eventually got the size down to about 2"x2" & the disk was held in a stiff plastic envelope, but it was still "a floppy disk" If my memory serves me right, the maximum storage that it could hold was 1 Megabyte (1Mb).
VIProds is offline  
Old 19th Sep 2016, 17:25
  #16 (permalink)  
 
Join Date: Jun 2009
Location: France
Age: 80
Posts: 6,379
Likes: 0
Received 1 Like on 1 Post
Heck, hope it does not get more complicated than memory sticks!
Wander00 is offline  
Old 19th Sep 2016, 19:19
  #17 (permalink)  

Avoid imitations
 
Join Date: Nov 2000
Location: Wandering the FIR and cyberspace often at highly unsociable times
Posts: 14,576
Received 433 Likes on 228 Posts
If my memory serves me right, the maximum storage that it could hold was 1 Megabyte (1Mb).
1.44 Mb. The earlier ones were 720Kb.

I read not too long ago that NASA needed to access files on obsolete 720K disks. Unfortunately, they had disposed of all their associated disk drives.

I would have been all set to help but I'd thrown my own redundant 720K drive in the skip only a couple of weeks before; it had been in my sideboard for about 15 years.

I still have some 1.44 floppies in my drawer alongside some LS-120 (Laser Servo) 120MB discs. These were the same size as the IDD floppies and looked similar but had the capacity of over 80 of them. I don't think the LS-120 drive really caught on in UK; I used them in a computer I built during an overseas contract.
ShyTorque is offline  
Old 19th Sep 2016, 19:24
  #18 (permalink)  
 
Join Date: Nov 2015
Location: Here
Posts: 318
Likes: 0
Received 0 Likes on 0 Posts
No one's mentioned storage on an audio cassette recorder!
yellowtriumph is offline  
Old 19th Sep 2016, 19:30
  #19 (permalink)  
I don't own this space under my name. I should have leased it while I still could
 
Join Date: Dec 2002
Location: Lincolnshire
Age: 81
Posts: 16,777
Received 5 Likes on 5 Posts
There were also double capacity 3.5s at 2.88 Mb.

My first HDD was 40 Mb and using some nifty software I had 80 Mb useable. There was also a very clever programmer who could take an Exe file and compress it to fit on one floppy. Frances Bellard with LZEXE.
Pontius Navigator is offline  
Old 19th Sep 2016, 19:34
  #20 (permalink)  
Ecce Homo! Loquitur...
Thread Starter
 
Join Date: Jul 2000
Location: Peripatetic
Posts: 17,461
Received 1,622 Likes on 740 Posts
The geeks amongst us had Zip drives...
ORAC is offline  

