[iwar] [fc:Warning-&-Indicators---Cyber-Conflict]

From: Fred Cohen (fc@all.net)
Date: 2001-09-12 15:44:38


Message-Id: <200109122244.PAA05516@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Date: Wed, 12 Sep 2001 15:44:38 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Warning-&-Indicators---Cyber-Conflict]

The points below deal with the emerging cyber conflict tied to the 11
Sept.  2001 terrorist attacks.  At this point it is emerging only.  I'm
keeping my fingers crossed that this does not escalate further (the
physical component is more than enough to keep track of), but in case it
does, here is what to look for and some points for consideration. 

If you see any traffic you believe is related to this, I'm very interested.
...

What to Look For/How a Cyber Conflict Develops
1. Event Occurs
2. Email traffic among concerned individuals picks up.
3. Discussion boards and chat rooms light up.
4. Purpose-built lists and online communities formed to discuss the event.
5. Intelligence collection and targeting.
6. Organized groups formed to carry out attacks.
7. Known tools deployed or slightly modified.
8. Public and private attack tracks begin.
9. Purpose-built attack tools released.
10. Dedicated perception management campaign launched.
11. More sophisticated attacks that required preparation time launched.
12. Additional groups and supporters from around the world rally to the cause.
13. Behind-the-scenes infrastructure targets and other indirectly
connected organizations hit.
14. Continued evolution of attack tools and tactics.


Points for Consideration

 The potential cyber conflict has the ability to escalate without the
support of nation-state actors. 

 Never before have nations had to deal with patriotic populations that
have the ability to launch potentially damaging strikes against another
country on their own initiative.  This new development raises a
significant number of issues that will continue to complicate
international relations for the near future.  What if a targeted country
refuses to believe it's a 17-year-old kid and considers an attack an act
of state-sponsored Information Warfare? How do you stop patriotic
activists in your own country from launching attacks against a foreign
country to right a perceived wrong? How does a country under cyber siege
from another's citizens, not the government, respond? In the past, the
fact that not everyone had an ICBM sitting in their living room or a B-2
bomber parked in their driveway prevented individual citizens from
launching their own attacks.  These same barriers don't exist in the
cyber realm. 

 A certain portion of the attackers will believe passionately in their
cause while others will be involved just because it seems like a cool
thing to do. 

 Due to the context of these types of conflicts, some hackers and others
that consider themselves to be "ethical" find justification for crossing
lines they normally wouldn't, consequently enhancing the talent pool
available to both sides.  An individual might be unwilling to crack a
system for criminal profit but avenging the death of a fellow countryman
or launching a counterstrike falls into a different sphere. 

 During periods like this, NOT ALL activity originating from either
party and targeting the other necessarily has anything to do with the
current tensions. 

 The level of sophistication of the participants on both sides is likely
to run the gamut from extremely skilled to knowing how to do no more
than surf to a web page and click on a few buttons. 

 Participants will range from organized groups to lone actors. 

 Attackers with other motives (criminal profit, etc.) may try to launch
attacks designed to be lost in the background noise generated by current
tensions or direct suspicions to another party. 

 We are going to continue to see more of this type of cyber-based
protest/action/conflict in the future when tensions in the physical
realm rise. 


Developments So Far

 Shortly after the 11 Sept.  terrorist attacks, "US supporters" began
posting messages on bulletin boards calling for attacks and posting
target intelligence.  The targets so far are Arab networks and sites
specific to Muslim extremist groups. 


Lessons Learned from the Israeli-Palestinian Cyber Conflict

 There are two classes of targets.  Targets of opportunity can include
anything from non-profit organizations and mom-and-pop shops to
multinational corporations and government agencies.  If systems are
vulnerable and picked up in a scan, problems can be expected.  The
second class of targets is made up of those that are specifically
targeted, either because they are high-profile, because of the
attackers' perception of what they represent, or because of services
they provide to another organization. 

 Targets include web sites, DNS servers, chat rooms, bulletin boards,
FTP sites, ISP infrastructure, closed databases, e-commerce servers and
a wide range of others. 

 While web page defacements and some other actions are public by their
very nature, this does not mean that strikes are restricted to these
types of attacks only.  During the Israeli-Palestinian Cyber Conflict,
groups would launch very public denial of service campaigns and
defacements while behind the scenes working with skilled crackers to
gain root access to targeted systems.  It is important to understand the
public actions and how they relate to your operations and then raise
your vigilance to deal with the lone actor or silent group that is
likely to attempt the more sophisticated attack. 

- 

______________________
IntelCenter
Voice (703) 370-2962
Fax (703) 370-1571
Email - information@intelcenter.com
Web - http://www.intelcenter.com
PGP Public Key - available upon request

PO Box 22572
Alexandria, VA 22304-9257
USA


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:41 PDT