RE: Russian cyberwar against Estonia?
On 22 May 2007 14:51, Trei, Peter wrote: In fairness, its worth noting that the issue is also mixed up in Estonian electoral politics: http://news.bbc.co.uk/1/hi/world/europe/6645789.stm The timing of the electronic attacks, and the messages left by vandals, leave little doubt that the 'Bronze Soldier' affair is the motivating factor. Whether Russian Government agents were involved in the attacks is not proven, but certainly seems possible. Patriotic script-kiddies have been taking it upon themselves to contribute botnet-driven DDoSen to pretty much every international incident going over the past few years, from the US-vs-China hacker wars back in Code Red days, to the Arab-Israeli conflict, to ... well, everything really. The fact that there's a real diplomatic incident going on may well be their motivation, but it's not evidence that they are in any meaningful sense 'state actors'. Occam's razor suggests that since the script kiddies will do this /regardless/, i.e. spontaneously and unprovoked, there's no need to posit additional sources of DDoS deliberately organized by the government (though of course it doesn't exclude the possibility). Why get your hands dirty when some unpaid volunteer will provide you plausible (because truthful) deniability? Perhaps I should coin the phrase Useful Skiddiots! cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Russian cyberwar against Estonia?
Bill Stewart wrote: - Some teenage hacker who got annoyed at some other teenage hacker because they got into an argument on WoW or Myspace and decided to DDOS him Some years back, I was on the receiving end of this type of scenario bringing down connectivity for a small European country, and it was a larger one than Estonia. Out of curiosity, does anyone have information on how fat Estonia's external pipes are? -- Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Russian cyberwar against Estonia?
Bill Stewart wrote: At 01:04 PM 5/18/2007, Trei, Peter wrote: If the Russians aren't behind this, who else should be suspected? It isn't like Estonia has a wide selection of enemies. :-) There are three likely suspects - the actual Russian government (or some faction thereof) - Russian Mafia for whatever reasons (might not be distinct from a faction of the government, and usually if the Mafia's involved they're polite enough to send a note demanding money or something.) - Some teenage hacker who got annoyed at some other teenage hacker because they got into an argument on WoW or Myspace and decided to DDOS him (usually attacks like that don't take down much more than a small ISP or a university, but like D00d, you're so 0wn3d, I can take down ur whole *country* :-) The latter isn't as far-fetched as it sounds (well, ok a bit...) This threatens to get off-topic. To drag it back, I'll note that NATO has sent electronic warfare experts to observe and advise, and there is much speculation as to how countries should respond to such cyber attacks - at what point do they become an act of war, and how much certainty of the source must there be to merit a response? I guess its possible this was a random hacker, but the timing seems implausible. Aside from the DDOS attacks, many Estonian websites have been vandalized, and the vandals made it clear the moving of the monument was their motivation. Check out: http://www.economist.com/world/europe/displaystory.cfm?story_id=9163598 In addition, Estonia's embassy in Moscow has been blockaded, Russia has cut off oil and coal shipments, and closed some road and rail links. Putin has described the move as a 'desecration'. This is a major diplomatic feud. In fairness, its worth noting that the issue is also mixed up in Estonian electoral politics: http://news.bbc.co.uk/1/hi/world/europe/6645789.stm The timing of the electronic attacks, and the messages left by vandals, leave little doubt that the 'Bronze Soldier' affair is the motivating factor. Whether Russian Government agents were involved in the attacks is not proven, but certainly seems possible. Peter Trei Disclaimer: My own opinions; not my employers. Full disclosure: My ancestry is half Estonian. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Russian cyberwar against Estonia?
Alex Alten [EMAIL PROTECTED] writes: This may be a bit off the crypto topic, but it is interesting nonetheless. Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/print/0,,329864981-103610,00.html Estonia accuses Russia of 'cyberattack' http://www.csmonitor.com/2007/0517/p99s01-duts.html Given that there are large numbers of disaffected re-settled Russians living in Estonia, combined with the usual collection of hooligans who'll jump at any opportunity for a fight, why would Russia need to get involved? It makes for some nice posturing, but why would the Russian government bother when they can just sit back and let the local script kiddies cause havoc? (I was in the centre of Tallinn when the reported riots over this were happening and didn't even notice a disturbance. This whole thing seems more an excuse for media hype and political posturing than anything else. Ignore it and it'll go away. Something else will be along presently). Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
At 6:34 PM + 5/20/07, John Levine wrote: I've heard nothing formal, but my strong understanding is a lot of US government machines, at least if we're talking workstations on non-classified nets, are in fact 0wn3d at this point. Well, here's an anecdote: at last year's CEAS conference, Rob Thomas of Team Cymru gave the keynote on the underground economy, with a most horrifying set of both live demos and selected snapshots of the online bazaars where online warez are traded, everything from zombie farms to spamware to stolen credit cards. One of the more amusing was a guy who offered a zombie in some part of the government that you'd hope would be moderately secure, NASA or someplace like that, at a higher than normal price. The immediate response was ridicule, bots on government nets are a dime a dozen, and aren't worth any more than any other bot. Oh, goodie. I get to the same source to show the opposite. At Rob's talk at the AOTA summit, he talked about someone offering some botted machines in a particular US government subnet at a normal prices and someone quickly over-bid by a suspiciously high amount. The assumption is that it was for the possible data on those machines. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
A while ago, I did a rough calculation that made me state that 15-30% of all machines are no longer under the sole control of their owner. In the intervening months, I got some hate mail on this, but in those same intervening months Vint Cerf said 40%, Microsoft said 2/3rds, and IDC said 3/4ths. Whatever it is, it is 0. And, of course, definitions matter. I don't think that 0wned is a binary variable any more; there are degrees of 0wned-ness with a wide range between the optimist (I replaced` the only program that was trojaned) to the pessimist (Any compromise of any sub-component makes the entire edifice untrustable). --dan - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Russian cyberwar against Estonia?
At 01:04 PM 5/18/2007, Trei, Peter wrote: If the Russians aren't behind this, who else should be suspected? It isn't like Estonia has a wide selection of enemies. :-) There are three likely suspects - the actual Russian government (or some faction thereof) - Russian Mafia for whatever reasons (might not be distinct from a faction of the government, and usually if the Mafia's involved they're polite enough to send a note demanding money or something.) - Some teenage hacker who got annoyed at some other teenage hacker because they got into an argument on WoW or Myspace and decided to DDOS him (usually attacks like that don't take down much more than a small ISP or a university, but like D00d, you're so 0wn3d, I can take down ur whole *country* :-) The latter isn't as far-fetched as it sounds (well, ok a bit...) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
Ivan Krstić wrote: I think it's anything but surprising. There's only so much you can do to significantly improve systems security if you're unwilling to break backwards compatibility -- many of the fundamental premises of desktop security are fatally flawed, chief among them the idea that all programs execute with the full privileges of the executing user. part of this is that many of the basic platforms providing internet connectivity evolved from disconnected/unconnected desk/table top environment ... with lots of applications assuming that they had full free access to all resources. attempting to leverage the same platforms for connectivity to extremely hostility and anarchy of the internet creates diametrically opposing requirements. one countermeasure from the 60s is to use a dynamically created (padded cell) virtual machine for internet connectivity ... with limited scope and accesses. then when the session completes ... the environment is collapsed and everything is discarded. while the native system operation may have little or no defenses against the hostile internet ... the padded cell virtual machine environment is used to bound the scope of any penetration ... somewhat analogous to air gapping. recent post: http://www.garlic.com/~lynn/2007k.html#48 somewhat older reference: http://www.nsa.gov/selinux/list-archive/0409/8362.cfm - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
I've heard nothing formal, but my strong understanding is a lot of US government machines, at least if we're talking workstations on non-classified nets, are in fact 0wn3d at this point. Well, here's an anecdote: at last year's CEAS conference, Rob Thomas of Team Cymru gave the keynote on the underground economy, with a most horrifying set of both live demos and selected snapshots of the online bazaars where online warez are traded, everything from zombie farms to spamware to stolen credit cards. One of the more amusing was a guy who offered a zombie in some part of the government that you'd hope would be moderately secure, NASA or someplace like that, at a higher than normal price. The immediate response was ridicule, bots on government nets are a dime a dozen, and aren't worth any more than any other bot. R's, John - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Russian cyberwar against Estonia?
Dave Korn wrote: On 18 May 2007 05:44, Alex Alten wrote: This may be a bit off the crypto topic, You betcha! but it is interesting nonetheless. Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/print/0,,329864981-103610,00.html Estonia accuses Russia of 'cyberattack' http://www.csmonitor.com/2007/0517/p99s01-duts.html shrugs Any IP address you find in a packet of a DDoS coming towards you is pretty likely not to be the source of the attack. So far there's no evidence to show anything other than that the russian .gov is just as liable to have virused and botted machines on its internal nets as the US .gov. 1. Do you have any particular evidence that any significant number of US .gov machines are bots? They may well be, just I haven't heard this. 2. If you read the articles, you'll find that there is a lot of circumstancial evidence to support the notion that the attacks are from Russia or Russia-sympathizers. The government recently moved a Soviet war memorial from the center of town out to a military cemetary in the suburbs, an action that Putin condemned as 'desecration', and which led to a fatal riot by ethnic Russians in Tallinn, as well as attacks on the Estonian embassy in Moscow. If the Russians aren't behind this, who else should be suspected? It isn't like Estonia has a wide selection of enemies. :-) Peter Trei - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
0wned .gov machines (was Re: Russian cyberwar against Estonia?)
Trei, Peter [EMAIL PROTECTED] writes: 1. Do you have any particular evidence that any significant number of US .gov machines are bots? They may well be, just I haven't heard this. I've heard nothing formal, but my strong understanding is a lot of US government machines, at least if we're talking workstations on non-classified nets, are in fact 0wn3d at this point. This should not be entirely surprising as I have heard informally that a considerable fraction of the machines at Microsoft have been suborned as well, and if Microsoft can't keep the bots off of their Windows machines, who can? What is interesting to me is that, even though things have nearly gotten as bad as they could possibly get, we still have seen very little real effort made to improve systems security (at least in comparison with what is necessary to make a big dent). Perry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
On Sat, May 19, 2007 at 05:01:03PM -0400, Perry E. Metzger wrote: | | Trei, Peter [EMAIL PROTECTED] writes: | 1. Do you have any particular evidence that any significant | number of US .gov machines are bots? They may well be, just | I haven't heard this. | | I've heard nothing formal, but my strong understanding is a lot of US | government machines, at least if we're talking workstations on | non-classified nets, are in fact 0wn3d at this point. This should http://blog.support-intelligence.com/2007/04/doa-week-14-2007.html claims to measure bot activity. Now, it may be that US .gov hosts are worth more, and so don't get used in random DOS attacks, but I think this is some of the more interesting evidence out there. I've asked some questions about it in http://www.emergentchaos.com/archives/2007/04/month_of_owned_corporatio.html Speaking for me only, Adam - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)
Perry E. Metzger wrote: What is interesting to me is that, even though things have nearly gotten as bad as they could possibly get, we still have seen very little real effort made to improve systems security (at least in comparison with what is necessary to make a big dent). I think it's anything but surprising. There's only so much you can do to significantly improve systems security if you're unwilling to break backwards compatibility -- many of the fundamental premises of desktop security are fatally flawed, chief among them the idea that all programs execute with the full privileges of the executing user. One Laptop per Child is breaking application backwards compatibility for a number of reasons, one of which is security. As a result, I'm earnestly hoping that our systems security platform, Bitfrost[0], will be an improvement on the scale you're talking about. But time will tell. (Sidenote: I'm giving a keynote at AusCERT tomorrow about exactly this, titled 'Everything you know about desktop security is wrong, or: How I Learned to Stop Worrying and Love the Virtual Machine'. Any list members who are at the conference should mail me if they want to play with an OLPC laptop and commiserate about desktop security over beer.) [0] Summary at http://wiki.laptop.org/go/Bitfrost with full spec at http://wiki.laptop.org/go/OLPC_Bitfrost -- Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Russian cyberwar against Estonia?
This may be a bit off the crypto topic, but it is interesting nonetheless. Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/print/0,,329864981-103610,00.html Estonia accuses Russia of 'cyberattack' http://www.csmonitor.com/2007/0517/p99s01-duts.html - Alex -- Alex Alten [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Russian cyberwar against Estonia?
On 18 May 2007 05:44, Alex Alten wrote: This may be a bit off the crypto topic, You betcha! but it is interesting nonetheless. Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/print/0,,329864981-103610,00.html Estonia accuses Russia of 'cyberattack' http://www.csmonitor.com/2007/0517/p99s01-duts.html shrugs Any IP address you find in a packet of a DDoS coming towards you is pretty likely not to be the source of the attack. So far there's no evidence to show anything other than that the russian .gov is just as liable to have virused and botted machines on its internal nets as the US .gov. cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]