Wednesday, July 26, 2006

MySpace vs. the US Military

Recent events, seen in the light of the new global battlespace that information technology has created, show that the meaning of security, the hallmarks of asymmetric warfare and the resources we need to get by are all changing.

Two things:

  • The social networking hero, MySpace, was hit by a powerful worm about 10 days ago.
  • The US military saw it coming and didn't stop it.
Why?

They were busy with the annual Cyber Defence Exercise (CDX), a competition between students at the five U.S. Service Academies that has developed into an exercise where defensive technologies are implemented and tested.

Remember - these are the guys who use terms like 'Adversary Characterization and Scoring Systems', 'motivational counter-agent subtypes' and 'intrusion signature analysis'. They have great gadgets like the remote active operating system fingerprinting tool, Xprobe2_vb.

They propose that to make the internet safer – it should be attacked even more.

Case in point - the two similar events that have been publicized recently are the DEFCON 'Capture the Flag' (CTF) competition and the military Cyber Defence Exercise. These two competitions follow different paradigms.

The DEFCON event set all teams to be both attackers and defenders, while the Cyber Defence Exercise focuses the teams on defensive operations only. So why wouldn't they alert MySpace?

According to the Internet Storm Center and a recent announcement by Hitwise, MySpace has become the #1 most popular destination on the Web.

An unusual aspect of this worm was that it resided purely on MySpace pages, rather than installing itself on personal computers of its victims.

The essential component of the worm, which Symantec called ACTS.Spaceflash, was a Flash object embedded in the victims' profile pages on MySpace. The offending code resided in the redirect.swf file and looked like this:

// ActionScript inside redirect.swf: load, in the current window, the blog page whose scripting rewrites the viewer's profile
getURL("http://editprofile.myspace.com/index.cfm?fuseaction=blog.view&friendID=93634373&blogID=144877075", "_self");

The viewer of the Flash object was redirected to a page that, through clever scripting, modified the victim's profile. As a result, whenever someone viewed the victim's profile, the viewer's profile would also get infected.

Essentially, the weakness that these attacks exploited was the ability of users to embed active content, in the form of Flash objects, in MySpace pages. This - in a somewhat convoluted way - brings me to honeypots.

Honeypots are information system resources whose value lies in unauthorized or illicit use of those resources. The Honeypot Project has established a world-wide distributed sensor system of honeypots. All platforms send their logging data to a central database, enabling major data mining and correlation.

Why?

To see how the collected data can be used to learn more about cyber-attack patterns. In addition, they are trying to define the root causes of attacks and the specific tools or techniques used by attackers.

Why?

Here we go - almost all aspects of our life (internet, fixed or mobile phone, online banking) depend heavily on computer systems. Due to the growing pervasiveness of computers and the ubiquitous mobility of users and devices, this dependence is steadily increasing.

Nevertheless, there are more and more security threats in communication networks: we are flooded with unsolicited bulk e-mail (spam), we have huge problems with viruses, worms and other malware, Denial-of-Service (DoS) attacks and electronic fraud, and crackers are often able to break into systems - the downsides of the digital economy, social networking sites and, in general, Web 2.0.

One approach to learning more about attacks and attack patterns is based on the idea of electronic decoys, called honeypots. A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

Honeypots can also be combined into networks of honeypots (honeynets) to learn more about the diverse ways in which attackers proceed. Honeypots are cool, but there are also several projects that exist to observe malicious traffic on a large scale, up to the whole Internet.

They usually consist of monitoring very large ranges of unused IP address space for malicious activity. Network telescopes, blackholes, darknets and the Internet Motion Sensor (IMS) are the better-known ones.

All of these projects have the same approach: they use a large piece of globally announced IPv4 address space and passively monitor all incoming traffic.

For example, the network telescope run by the University of California (which several national militaries have access to) uses 2^24 IP addresses. This is 1/256th of all IPv4 addresses.

This means that one packet in 256 is 'read', stored and analyzed. That's a lot!

And here's the catch - the telescope contains almost no legitimate hosts, so inbound traffic to nonexistent machines is always anomalous in some way, i.e., the principle of honeynets is also used in this context. By analyzing all packets, they are able to infer information about attackers.

While remaining 'unseen'.
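The arithmetic behind that 1-in-256 figure, worked through over a constructed packet sample as an added example (not code from the original post). The 10.0.0.0/8 block stands in for the telescope's real announced prefix, and all other addresses are made up; the scan/backscatter split follows the observation above that nothing addressed into the telescope is legitimate.

```python
from collections import Counter

TELESCOPE_PREFIX = "10."                        # constructed stand-in for the announced /8
TELESCOPE_ADDRESSES = 2 ** 24                   # a /8 holds 2^24 addresses
SCALE = 2 ** 32 // TELESCOPE_ADDRESSES          # 256: the telescope sees 1 packet in 256

# Constructed inbound packets: (source, destination, TCP flags). Nothing legitimate
# lives behind the telescope, so every one of these is anomalous by construction.
SAMPLE_PACKETS = [
    ("198.51.100.7", "10.12.34.56", "S"),    # SYN: a scanner or worm probing the block
    ("198.51.100.7", "10.12.34.57", "S"),
    ("198.51.100.7", "10.12.34.58", "S"),
    ("192.0.2.44",   "10.77.0.9",   "S"),
    ("203.0.113.9",  "10.200.1.1",  "SA"),   # SYN-ACK: a victim answering a spoofed SYN
    ("203.0.113.9",  "10.3.3.3",    "SA"),
    ("203.0.113.9",  "10.9.9.9",    "RA"),   # RST-ACK: same victim, closed port
]

def classify(flags):
    """Scans arrive as bare SYNs; backscatter from a spoofed-source flood arrives
    as SYN-ACK or RST, since the victim replies to addresses that never sent anything."""
    if flags == "S":
        return "scan"
    if flags in ("SA", "R", "RA"):
        return "backscatter"
    return "other"

def in_telescope(dst):
    return dst.startswith(TELESCOPE_PREFIX)

def summarize(packets):
    """Packets per class, counting only traffic addressed into the telescope."""
    return Counter(classify(f) for _, dst, f in packets if in_telescope(dst))

def extrapolate(observed, scale=SCALE):
    """If destinations are chosen uniformly over IPv4 the telescope saw 1/256th
    of them, so the Internet-wide count is roughly observed * 256."""
    return observed * scale

def backscatter_victims(packets):
    """Backscatter sources are the flood's victims; the attacker itself stays unseen."""
    return sorted({src for src, dst, f in packets
                   if in_telescope(dst) and classify(f) == "backscatter"})

def scanners(packets):
    """SYN sources ranked by how many telescope addresses they touched."""
    return Counter(src for src, dst, f in packets
                   if in_telescope(dst) and classify(f) == "scan").most_common()
```

The extrapolation only holds for traffic whose destinations are spread uniformly, which is why the per-source ranking from scanners() matters: a worm sweeping one /16 is not seen 256 times over.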

So you see, the MySpace attack was perfect. Finally some of the boys and girls in black hats saw some real-time action.

Valuable? Definitely.

Fun? Oh yaaaaa!!

Moral? Well .....

Legal? Hmmm ......
