TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE
Rule 11 - Definition of Use of Force. A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.
Rule 30 - Definition of Cyber Attack. A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.
Rule 2 - Jurisdiction. Without prejudice to applicable international obligations, a State may exercise its jurisdiction:
(a) over persons engaged in cyber activities on its territory;
(b) over cyber infrastructure located on its territory; and
(c) extraterritorially, in accordance with international law.
Rule 21 - Geographical Limitations. Cyber operations are subject to geographical limitations imposed by the relevant provisions of international law applicable during an armed conflict.
Parts of Computrace
Persistent Module installed in BIOS / Firmware
Agent status (from OS): MISSING -> Reinstalled
Agent communicates with the Absolute Monitoring Centre at regular intervals
(Non-removable part of BIOS) Self-healing capability repairs the Persistent Module in case the BIOS is flashed!!
This is how the actual recovery process works:
Once the agent is installed on the computer and the computer is stolen, the owner contacts Absolute Software.
Absolute Software coordinates with a Law Enforcement Agency to recover the stolen laptop.
The location of the stolen laptop is identified (IP address, region).
The Absolute Theft Recovery Team remotely communicates with the stolen laptop once it is online.
Computrace partners
Computrace partnered with the firms mentioned to embed the Computrace agent module in the firmware of their machines.
Some facts about Computrace
Hardware backdoors are lethal, because:
• They can be injected at manufacturing time (without your knowledge)
• They are small and stealthy (requires less than 200kb of disk space and bandwidth)
• They can't be removed by any known means (formatting / OS reinstallation / AV / HDD replacement)
• They can circumvent other types of security (because of a trusted, small, stealthy and persistent module)
Hardware backdoors are no longer imaginary; they are practical
Schneier: possible backdoor in IPMI, iDRAC, IMM2, iLO
Captured Intel Drone – An American Intelligence Disaster?
“In the case of the stolen CIA drone, the hardware with the backdoor was most likely embedded within the telemetry system, which is the multi-function brain of the drone, in fact every system within the drone is routed through the telemetry system, every sensor, every control, everything”
“Once that hardware is triggered it is programmed to change all the other frequencies used to control the secret drone and allow the Iranians to take total and complete control.”
What if Computrace-like technology is misused?
• Can become a perfect backdoor
• Persistent
• Stealthy
• Portable (hardcoded in the motherboard)
• Remote access and remote update
• No platform dependency
• Non-detectable by AV
Consider the impact of a compromised device in a military environment, or in a massive distribution of widely diffused technological systems.
Realistic Attack Scenario
• What if someone hardcoded this type of backdoor in a motherboard and put it up for sale?
• Or what if a nation state / government made use of this technology to access your private information?
Cyber-conflicts through the ages
Year | Operation Name | Suspect | Victim | Type of Operation
1998 | Moonlight Maze | Russia | US | Surveillance
2003 | Titan Rain | China | US | Surveillance
2006 | Wikileaks | Julian Assange | Nation States | Hacktivism & Espionage
2007 | Tallinn Cemetery | Russia | Estonia | Website defacement & Denial of Service attack
2007 | Orchard | Israel | Syria | Physical destruction of nuclear fuel refining plant
2008 | South Ossetia War | Russia | Georgia | Website defacement & Denial of Service attack
2009 | Aurora | China | US | Industry espionage
2009 | Ghostnet | China | Tibetan government-in-exile, India | Espionage
2010 | Night Dragon | China | Oil & natural gas companies | Industrial espionage
2010 | Stuxnet & Duqu | US / Israel | Iran | Cyber weapon
2011 | Occupy Movement | Anonymous | Nation States | Hacktivism
2012 | Flame | US / Israel | Iran | Cyber weapon
2012 | Iran retaliates | Iran | US banks | Surveillance & Denial of Service
2013 | Shanghai Group (APT1) | China | US | Cyber intelligence
2013 | Unnamed (by NTRO) | China | India | Cyber intelligence
2013 | Hangover | India | Pakistan | Cyber intelligence
2013 | Nettraveler | China | India | Cyber intelligence
2013 | Prism | US | World | Cyber intelligence
Source: Ryan Mayer, http://www.youtube.com/watch?v=scNkLWV7jSw
• State sponsored
• Multi-disciplinary groups of workforce
• Knowledge of deep internals of PLCs
• Specific target
• Knowledge of the personnel behavior of the target
• Use of a score of zero-day vulnerabilities at one go
• Use of authentic (stolen) digital signatures
Stuxnet Geographical Distribution
Source: Symantec Security Response
Source: http://www.securelist.com/en/analysis/204792257/Kaspersky_Security_Bulletin_2012_Cyber_Weapons, 10 April 2013
Stuxnet & family
Operation Orchard, 6th September 2007
Israel's 2007 bombing of an alleged atomic reactor in Syria was preceded by a cyber attack which neutralized ground radars and anti-aircraft batteries.
[Map: distances of 255 km and 145 km]
Key Findings
• APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).
• APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
• APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.
• In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
• The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds, of human operators.
OPERATION HANGOVER
The name “Operation Hangover” was derived from the name of one of the most frequently used pieces of malware. The project debug path is often visible inside executable files belonging to this family.
Purpose & Objective
Highly-Targeted Social Engineering Tactics
• Decoy files/websites were used, specifically geared to the particular sensibilities of regional targets, including cultural and religious subject matter.
• The initial spear phishing mail contained two files as attachments:
– a document named “220113.doc”, and
– an executable file “few important operational documents.doc.exe”
Infrastructure Development
• Case expansion was through domain usage and registrations.
• Domains registered by the attackers are “privacy protected”: the registrant has paid the domain registrar to withhold identity information related to the registration.
Target data
• Hanove uploaders recursively scan folders looking for files such as:
• Hanove keyloggers set up keyboard hooks or polling to capture keypresses and log them to a text file.
• They also capture other data, such as clipboard content, screenshots, titles of open windows and the content of browser edit fields.
• The stolen data are uploaded to remote servers by FTP or HTTP.
Target Selection
Attribution
“continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin”
KimT on iOS
Top 10 Infected Countries
Recommendations
Proposed Structure for Cyberwar Management