Digg this story   Add to del.icio.us  
Act Locally, Pwn Globally
Jeffrey Carr, 2009-03-27

On December 24, 2008, the Pakistani Whackerz Cr3w defaced a part of India's critical infrastructure, the Eastern Railway system Web site. The defacement appeared on a scroll feed which read: “Cyber war has been declared on Indian cyberspace by Whackerz- Pakistan (24 Dec-2008).”

When that message was clicked, according to an account in India's The Financial Express newspaper:

... the scroll opened into a new window which claimed that "Mianwalian of Whackerz" has hacked the site in response to the air violation of Pakistan. It also claimed that it will continue to hack more Indian military and government sites. The threat note also claimed that servers of Indian financial institutions will also be hacked with the help of the group's members working in computer departments of "foreign companies." Data belonging to "Indian nationals (only Hindus)" will be destroyed eventually, it added.

Another threat note asked the visitors of the website to watch the real Indian conspiracy in Mumbai attacks on the website-www.brasstacks.pk. Brasstacks claims to be "a unique Pakistani think tank devoted to the study of regional and global political events and their implications for Pakistan's security and interests." The note ended with the slogan "Long live Pakistan."

When I first read this story, I assumed that it was just another instance of Pakistani hackers attacking Indian Web sites. Yet, attacking a transportation hub elevated the importance of the attack, so I opened a Grey Goose investigation into it. Within a few hours, I had successfully identified the primary hacker involved as a Canadian citizen who was employed by a global telecommunications company. Another member of Whackerz turned out to be not Pakistani, but Egyptian, and was employed as a software engineer at a computer company based in the Middle East. A third member — the leader — graduated from medical school in Pakistan.

So we have a Canadian citizen launching an attack against a vital piece of India's infrastructure on behalf of a Pakistani hacker crew whose members were in countries other than Pakistan. The obvious question is how does Indian law enforcement prosecute that attack? In this case, its not a problem of attribution. We know exactly who's responsible. The larger problem is where are the international treaties that would allow prosecution for cyber attacks?

Another example that illustrates this problem in a more dramatic way was the use of a Russian forum, www.StopGeorgia.ru, as a base for launching attacks against Georgian Web sites. The forum was hosted by a small Russian company that had leased its server from a London shell company operating out of a mail drop. The company was actually owned by a Russian national residing in the Netherlands who had leased a server block from a major hosting and services company in Plano, Texas in the United States. Assuming that anyone wanted to prosecute the StopGeorgia.ru forum's owner, where would they start and where does the responsibility for those attacks ultimately lie?

These are not unique examples. Bad actors rely on mazes like these to perform acts of financial crime, espionage, terrorism, and network warfare without fear of reprisal or prosecution.

We need to change the game. We need an international effort to mandate verification of registration information for all Internet services and products. Even ICANN has been too lax in its verification procedures, according to a 2005 U.S. General Accountability Office study which found that eight percent of all domains had at least one instance of obviously false WHOIS information.

Moving up from ICANN, we need to hold large hosting companies responsible for criminal behavior on their leased sites. In other words, enforce their terms-of-service agreement. StopBadware.org lists the top ten infected network blocks responsible for the world's badware. SoftLayer Technologies comes in at number seven with 3,507 infected sites, followed by The Planet, another Plano, TX company, at number eight with 3,166 infected sites.

Finally, we need a commitment from governments to provide no safe harbors for cyber criminals and cooperate in international investigations. One way to start the process would be to form a world body solely for the purpose of building the cooperative networks needed to initiate and complete international network forensic investigations.

Unfortunately, in spite of the billions of dollars lost each year to cybercrime, and the onslaught of network intrusions against Western governments' secure and unsecured networks, there isn't universal agreement yet as to either how serious the problem is or what steps would be necessary to fix it.

I believe that's why a public discussion of possible cyber disaster scenarios such as this one may be instrumental in moving us forward to making the Internet a more civilized and trustworthy environment.

Jeffrey Carr, a principal consultant at GreyLogic, is a cyber intelligence expert who writes the IntelFusion blog and specializes in the investigation of cyber attacks against governments and infrastructures by state and nonstate hackers. His book, Inside Cyber Warfare, will be published by O'Reilly Media in late 2009.
    Digg this story   Add to del.icio.us  
Comments Mode:
Act Locally, Pwn Globally 2009-03-29
Act Locally, Pwn Globally 2009-04-06
Critical National Infrastructure? 2009-04-06
Anonymous (1 replies)
RE: Act Locally, Pwn Globally 2009-04-13


Privacy Statement
Copyright 2010, SecurityFocus