Federal Strategy Unit for IT FSUIT Federal Intelligence Service FIS

Reporting and Analysis Centre for Information Assurance MELANI www.melani.admin.ch

Information Assurance

Situation in Switzerland and Internationally

Semi-annual report 2010/II (July – December)

MELANI – Semi-annual report 2010/II

Information Assurance – Situation in Switzerland and Internationally

Contents

1 Focus Areas of Issue 2010/II ...... 3
2 Introduction ...... 4
3 Current National ICT Infrastructure Situation ...... 5
3.1 Distributed denial-of-service attacks against SP, CVP, FDP and SVP websites ...... 5
3.2 Attacks of Wikileaks sympathizers ...... 5
3.3 First Cyber Europe exercise ...... 6
3.4 "Stories from the internet" for more security in the information society ...... 7
3.5 Phishing of e-mail accounts ...... 8
3.6 Mobile Internet outage ...... 8
3.7 Radio outage in the Bern region ...... 9
3.8 "Black hat SEO" campaign also with .ch domains ...... 9
3.9 Fight against malicious websites ...... 11
3.10 27C3: we come in peace – and hack your website ...... 13
3.11 Anti-Botnet Initiative Switzerland evaluation study ...... 15
3.12 Cyber Defence Project Leader ...... 15
3.13 OpenX server ...... 15
4 Current International ICT Infrastructure Situation ...... 16
4.1 Stuxnet attack on industrial control systems ...... 16
4.2 Wikileaks ...... 17
4.3 SSL and two-factor authentication – security for customers ...... 19
4.4 Incidents related to trading in emissions rights ...... 19
4.5 NATO trains cyber defence and includes cyber threats in its strategic concept ...... 20
4.6 Trend toward USB worms ...... 21
4.7 "Here you have" computer worm – "Iraq Resistance" ...... 22
4.8 Dutch police separate large botnet from the Internet ...... 23
4.9 and SpyEye – merger of two of the largest e-banking trojans? ...... 23
4.10 "J1 Network" money laundering organization broken up ...... 24
4.11 Credit card money mule ...... 25
5 Trends / Outlook ...... 26
5.1 Stuxnet – the beginning of SCADA trojans ...... 26
5.2 DDoS – background and motivations ...... 27
5.3 Mobile (in)security ...... 29
5.4 Cloud computing – security measures ...... 31
5.5 Network monopoly – a security problem? ...... 32
6 Glossary ...... 34
7 Appendix ...... 39
7.1 DDoS – Analysis of an increasingly frequent phenomenon ...... 39


1 Focus Areas of Issue 2010/II

• Stuxnet - Attack against control systems
Using the example of the Stuxnet computer worm, the media widely discussed the problem of attacks on control systems (SCADA) during the reporting year – a problem that had been a concern of experts for quite some time. Stuxnet is, however, the first case that drew considerable attention worldwide. With sufficient motivation and resources, practically any system can be infiltrated and sabotaged sooner or later. It must be expected that similar attacks will occur again in future.
► Current topics internationally: Chapter 4.1
► Current topics internationally: Chapter 4.6
► Trends / Outlook: Chapter 5.1

• Distributed denial-of-service (DDoS) attacks
Attacks on the availability of websites, i.e. distributed denial-of-service (DDoS) attacks, are used for various purposes in the cyberworld. Initially, attacks occurred primarily as simple acts of vandalism. Meanwhile, however, the motivations have shifted. DDoS attacks are currently observed as tools of revenge, for instance, as a way to damage competitors or extort protection money, or as politically motivated attacks.
► Current topics in Switzerland: Chapter 3.1
► Current topics in Switzerland: Chapter 3.2
► Trends / Outlook: Chapter 5.2
► Appendix: Chapter 7.1

• Smartphone security
For a long time, it was assumed that the threat of viruses for smartphones was modest, since smartphones were not seen as a worthwhile target for the industry. Reasons included the large number of operating systems, the difficulties in spreading malware, and the lack of "computer crime business models". The increasing popularity of smartphones and mobile phones with PC-like functionality and the storage of sensitive data on these devices is making them increasingly attractive for criminals, however.
► Trends / Outlook: Chapter 5.3

• Website infections persist at high level
Website infections are currently the most widely used dissemination vector for malware. Central servers offering content to different websites play a key role in this regard. A single act of compromising especially online advertising, but also statistics services, can result in far-reaching consequences.
► Current topics in Switzerland: Chapter 3.9
► Current topics in Switzerland: Chapter 3.13

• Phishing against Internet services increases
Especially vulnerable are those services protected only by a username and password and if money can be made directly or indirectly by accessing them. In addition to emissions trading, this primarily concerns credit cards, online payment systems, auction platforms, e-mail providers, and social networks.
► Current topics in Switzerland: Chapter 3.5
► Current topics internationally: Chapter 4.3
► Current topics internationally: Chapter 4.4


2 Introduction

The twelfth semi-annual report (July – December 2010) of the Reporting and Analysis Centre for Information Assurance (MELANI) presents the most significant trends involving the threats and risks arising from information and communication technologies (ICT). It provides an overview of the events in Switzerland and abroad, illuminates the most important developments in the field of prevention, and summarizes the activities of public and private actors. Explanations of jargon and technical terms (in italics) can be found in a Glossary (Chapter 6) at the end of this report. Comments by MELANI are indicated by a shaded box.

Selected topics covered in this semi-annual report are outlined in Chapter 1.

Chapters 3 and 4 discuss breakdowns and failures, attacks, crime and terrorism connected with ICT infrastructures. Selected examples are used to illustrate important events of the second half of 2010.

Chapter 5 discusses trends and contains an outlook on expected developments.

Chapter 7 is an Appendix with expanded technical explanations and instructions on selected topics covered in the semi-annual report.


3 Current National ICT Infrastructure Situation

3.1 Distributed denial-of-service attacks against SP, CVP, FDP and SVP websites

The websites of the four largest Swiss political parties were attacked using distributed denial-of-service (DDoS) within a single week and were impaired or shut down for several hours. In the case of the SP, the attacks began on Monday, 8 November 2010, while the CVP registered an attack on the following Thursday. On Friday evening, it was the FDP's turn, and on Sunday the SVP's. According to the SP, up to 200 computers, especially from Germany, the Netherlands and the United States, accessed the website at the same time. Within four hours, this amounted to eight million hits. The CVP spoke of more than 120 computers that initiated access to their website at the same time. The attacks were probably carried out using a botnet.

Nothing is known about the motivation of these attacks, especially whether the attacks were related to the popular votes on 28 November 2010. The main issue on that day was the Expulsion Initiative. In addition to the known attacks, there was probably a substantial number of attacks (against smaller companies and websites) that were not made public.

Even someone without a lot of technical know-how can procure a DDoS attack on the black market relatively easily. The price is based on the capacity of the attacked website. Generally, such attacks can already be booked for just a few hundred dollars. Since the attacking computers are compromised systems belonging to unsuspecting users, it is very difficult to determine the origin of the attack by technical means. Depending on the type of attack, the sender IP address may also be falsified.

3.2 Attacks of Wikileaks sympathizers

On 5 December 2010, the financial service provider PostFinance blocked the donation account of Wikileaks founder Julian Assange due to incorrect information concerning his purported residence in Geneva. Consequently, the website of PostFinance was attacked by way of distributed denial-of-service (DDoS), presumably by Wikileaks supporters. The attacks impaired the website for about 22 hours, effectively slowing down or making access impossible for the 1.2 million e-banking clients of PostFinance. The attacks were apparently coordinated by an informal group called "Anon Operation", which has been carrying out electronic retaliation since December 2010 against alleged Wikileaks opponents. The group made a public appeal to download a programme from the Internet that could be used to send bogus queries on a large scale to any Internet address. The higher the number of Internet users employing this programme, the higher the probability that the selected Internet site would be overloaded from a given point in time and thus could no longer be accessed. In addition to PostFinance, the eBay subsidiary PayPal and the websites of MasterCard, Visa, Interpol, and the Swedish authorities were targeted by similar attacks.

Prosecutors made arrests in connection with these attacks in various countries. In the United States, the FBI searched 40 homes.¹ In the United Kingdom, the police arrested five

1 http://www.tagesanzeiger.ch/digital/internet/FBIAktion-gegen-/story/23000748 (as of 10 January 2011).


suspected computer .² The Dutch police arrested a 16-year-old who participated in this campaign.³ The authorities in Germany and France also began investigations of their own.⁴

Normally, botnets are used for such attacks. In this case, Wikileaks sympathizers could download a programme called "Low Orbit Ion Cannon" (LOIC) and then enter the attacked URL manually or voluntarily let their computer be remote-controlled. This appeal was made using social networks such as and . Because it is also possible to run LOIC in a browser, even persons with little IT know-how have been able to participate in the attack. Because most of the involved attackers had no IT knowledge, it was relatively easy for the police to identify the people behind this attack.

DDoS attacks are nothing new and are often used to blackmail or damage competitor businesses. But also politically motivated attacks such as the case above are becoming more frequent. In addition to demonstrations in the streets, protests are increasingly also carried out in virtual space.
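As an added example (not part of the MELANI report), the following Python script shows one way a site operator could recognise a flood such as those described in Chapters 3.1 and 3.2 in ordinary web server access logs: requests are bucketed into time windows, and each window is reported with its total rate, the number of distinct sources, and the sources exceeding a per-address limit. The log lines are constructed for the example and use IP addresses from the documentation ranges; the thresholds are illustrative assumptions.

```python
"""Rate-based flood detection over web server access logs (constructed sample)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def bucket(ts, window):
    """Align a timestamp to the start of its window (seconds since the epoch)."""
    epoch = int(ts.timestamp())
    return epoch - (epoch % window)


def analyse(lines, window=10, per_ip_limit=50, total_limit=500):
    """Summarise each window. A window is flagged as a flood when the total
    request count exceeds total_limit, regardless of how many sources share
    it: in a distributed attack every bot may stay below the per-IP limit,
    so the aggregate rate is the more reliable signal. Sources above the
    per-IP limit are listed separately as candidates for blocking."""
    per_window = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not treated as traffic
        per_window[bucket(rec["ts"], window)][rec["ip"]] += 1

    reports = []
    for start in sorted(per_window):
        ips = per_window[start]
        total = sum(ips.values())
        noisy = sorted(ip for ip, n in ips.items() if n > per_ip_limit)
        reports.append({
            "window_start": start,
            "requests": total,
            "distinct_ips": len(ips),
            "noisy_ips": noisy,
            "flood": total > total_limit,
        })
    return reports


def sample_lines():
    """Constructed log excerpt (not real traffic): five sources hammering the
    front page for ten seconds, then a few ordinary requests five minutes later."""
    lines = []
    for i in range(1, 6):
        for n in range(120):
            lines.append('198.51.100.%d - - [08/Nov/2010:09:00:%02d +0100] '
                         '"GET / HTTP/1.1" 200 5123' % (i, n % 10))
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        for n in range(2):
            lines.append('%s - - [08/Nov/2010:09:05:%02d +0100] '
                         '"GET /news HTTP/1.1" 200 8801' % (ip, n))
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    for r in analyse(sample_lines()):
        print(r)
```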

3.3 First Cyber Europe exercise

On 4 November 2010, the European Union carried out its first pan-European exercise to test the ability of EU and EFTA countries to respond to a potential cyber attack. The one-day exercise was organized by the European Network and Information Security Agency (ENISA). The following areas were tested: critical information infrastructure protection, cybercrime prosecution, GovCERTs, and regulators. A total of 22 EU and EFTA countries participated in the exercise, including Switzerland. Additionally, eight European countries attended as observers in the exercise control room in Athens. More than 150 experts from 70 public offices throughout Europe took part in the exercise. In Switzerland, these were the Reporting and Analysis Centre for Information Assurance (MELANI) with GovCERT.ch, the Federal Criminal Police, and the Federal Office of Communications. All participating countries were confronted with more than 320 incidents. The basis of the exercise was a scenario in which the Internet connections between the participating European countries gradually break down or are substantially curtailed. During the exercise, participating countries had to work together to prevent further breakdowns and to restore the connections. Both international cooperation and national cooperation among the individual offices responsible for combating cyber attacks were tested. The focus was primarily on testing channels of communication, communication points and processes within and between the individual countries. The goals also included gaining insight on incident management within Europe, in order to improve processes for mutual support in the event of incidents or massive cyber attacks.

The Cyber Europe 2010 exercise was a first important step to strengthen Europe's cyber-preparedness and is to be seen in connection with the strengthened engagement of the EU in the field of critical information infrastructure protection (CIIP). At the CIIP ministerial conference of the EU member states in Tallinn in spring 2009, the urgent need was

2 http://cms.met.police.uk/news/arrests_and_charges/five_arrested_under_computer_misuse_act (as of 10 January 2011).
3 http://www.n-tv.de/politik/Hacker-rufen-zum-Cyber-Krieg-article2110826.html (as of 10 January 2011).
4 http://www.spiegel.de/netzwelt/netzpolitik/0,1518,742298,00.html (as of 10 January 2011).


recognized to increase defensive capacities, security and stability relating to critical information infrastructure within the EU. This exercise was the first of its kind in Europe. Even just the fact that 22 European countries participated in the exercise can be considered a success. It is still too early for a detailed analysis. But it can already be said that communication especially among the national CERTs functioned smoothly. At the European but also at the worldwide level, there are already established contact lists and organizations such as the European Government CERTs – EGC, which are used every day. Private operators of critical information infrastructure were not included in this first exercise. Their involvement is planned for future exercises, however.

3.4 "Stories from the internet" for more security in the information society

Various offices of the federal government and the cantons have issued a joint publication called "Stories from the internet… that no one wants to experience". Using comics, the brochure illustrates dangerous situations on the Web and how to recognize them, react to them, or prevent them. The stories deal with the disclosure of personal data, criminal activity on the Internet, insufficient protection of children and young people, deceived consumers, unsecured computers, and unencrypted WLAN networks. Each story includes links to organizations offering more detailed information. The goal is to strengthen the security and confidence of the population when dealing with information and communication technologies (ICT). The comic stories are addressed to the entire population in German, French, Italian, Romansh, and English. They are available for download from the Internet or can be ordered as a printed brochure.⁵ Upon request, the stories may also be obtained in suitable file formats for publication (with indication of the source). The brochure is an implementation measure of the "Security and Confidence" concept, which was acknowledged by the Federal Council on 11 June 2010.⁶ This concept outlines measures intended to assist the population and SMEs with the safety-conscious and legally compliant use of information and communication technologies (ICT), also with the goal of strengthening confidence in ICT. The measures are implemented under the direction of OFCOM's Information Society Coordination Office, together with various professional organizations.

The Internet, computers and cell phones now belong to the daily life of people in Switzerland. The advantages of Internet use are always also associated with risks, however. Unlike on a walk through the streets, the dark corners of the Internet are not always immediately visible. This brochure helps to identify threats on the Internet and has met with a positive response by the population. It is being successfully used in schools, for parent education, awareness-raising in businesses and police offices, and for consumer information. The brochure was quickly out of stock and had to be reprinted.

5 http://www.geschichtenausdeminternet.ch/index_en.html (as of 10 January 2011).
6 http://www.bakom.admin.ch/themen/infosociety/01691/01710/index.html?lang=en (as of 10 January 2011).


3.5 Phishing of e-mail accounts

Since December 2010, an increase in phishing e-mails against e-mail providers has been observed, including Swisscom. Unlike earlier attacks, in which the victim was asked to enter the username and password directly into the e-mail and return them to an indicated e-mail address, the new attacks send a link which the victim is asked to click in order to reach a phishing page. This bogus website looks deceptively like the original and requests the victim to enter username and password as well as additional personal data. This approach is familiar from earlier attacks against financial service providers. This more laborious approach means two things: potential victims are no longer responding to crude e-mails (or at least not often enough), and e-mail login data continue to be much in demand on the black market, since they can be easily sold.

MELANI shares the assessment that access data to Internet services and especially credit card data are being targeted by cybercriminals. Phishing attempts against e-mail service providers such as Bluewin, Hotmail, etc., are increasing. More and more, login data are also stolen from website administrators, which are then used to place drive-by infections on websites. Examples of scams carried out with such login data are described in Chapter 3.3 of Semi-annual report 2009/1⁷ and Chapter 3.6 of Semi-annual report 2008/2⁸. Classical phishing against Swiss financial service providers is now being observed only sporadically. The reason is the introduction of various security elements in e-banking.

It should be noted that e-banking attacks (classical phishing and e-banking malware) with two-factor authentication and phishing against Internet services that are protected only by username and password are perpetrated by different criminal groups using different business models. Groups engaging in "simple" phishing are interested in login data, but not necessarily in the scams that can be committed with the help of these data. This reduces the criminal energy employed, since the data are "merely" sold, but are not used for the actual scam. In the case of e-banking attacks, it is no longer possible to separate the stealing of login data from the actual scam, since two-factor authentication necessitates a small time window in which the entire scam can be perpetrated. In addition to the greater complexity, the question especially arises how the scammed money can be obtained. The money must be laundered for that purpose, which requires a large infrastructure of financial agents. This in turn requires good organization and especially more criminal energy.

Many services on the Internet can be accessed simply by entering a username and password. If the client forgets his password, it can be reset using the "Reset password" link. The new password is then sent by e-mail. An attacker who succeeds in hacking the e-mail account can use this service to access various services of the victim and use them for the attacker's own purposes.

3.6 Mobile Internet outage

On 9 November 2010, a malfunction interfered with the mobile Internet of Swisscom. Practically all Swisscom Mobile customers were cut off from the Internet for several hours. According to Swisscom, a malfunction on the GPRS network occurred around 7:30 a.m. during maintenance work. To remedy the malfunction, the service had to be rebooted over

7 MELANI Semi-annual report 2009/1, Chapter 3.3: http://www.melani.admin.ch/dokumentation/00123/00124/01093/index.html?lang=en (as of 10 January 2011).
8 MELANI Semi-annual report 2008/2, Chapter 3.6: http://www.melani.admin.ch/dokumentation/00123/00124/01085/index.html?lang=en (as of 10 January 2011).


the course of the morning. The reboot caused problems, leading to the large-scale outage.⁹ Phoning on the mobile network was not affected, nor were the sending and receipt of text messages or fixed-line connections. As compensation, Swisscom reimbursed ten francs to each Internet customer. In addition to mobile phones, payment terminals for credit cards, the portable computers of SBB train conductors and other devices were affected by the malfunction.

More and more, the mobile Internet is part of everyday life: quickly checking the departure times of buses, buying a ticket, or downloading the latest news. When the mobile Internet breaks down, these services can no longer be used. That is certainly bearable.

But other "more important" services such as mobile credit card terminals also run increasingly frequently on the basis of the mobile Internet. The situation is different again for remotely operated control systems in industry and the utility infrastructure: should these no longer be controllable remotely, this can have serious consequences for parts of the population.

3.7 Radio outage in the Bern region

At 7:15 a.m. on 16 December 2010, a motorist slid off the icy road and hit an electricity pole of the BKW Bern Electricity Works. This was enough to cause a power outage throughout the region. In addition to the households that were without electricity that morning, the power supply to the nearby transmission tower on the Bantiger was interrupted. This interfered with the entire radio and television transmission in the Bern region. To prevent such incidents, the transmission tower can be powered using two mutually independent supplies. Unfortunately, the switch that is supposed to activate the alternate circuit in such cases also malfunctioned.

Radio is used for nationwide alarms in the event of a disaster or breakdown. For instance, the Nuclear Emergency Concept specifies that the cantons and the National Alarm Centre of the Swiss Federal Office for Civil Protection must provide instructions to the municipalities by radio in the event of a reactor accident.¹⁰ It is well known by Swiss citizens that the radio should be turned on if a siren alarm sounds. For this reason, it is particularly important to pay close attention to failure safety and stability in this area. Accordingly, large transmitters are assigned to a high availability class. This also applies to the Bantiger transmission tower. A key indicator in this regard is the maximum allowable outage time per outage. Availability encompasses the entire supply chain, i.e., not only the transmitter, but also the broadcasting programme feed, transmission control, etc. On the other hand, there are no requirements governing emergency power for the regular radio programme. This is unlike the information provided to the population in crisis situations (IBBK). Higher protection requirements apply here. A separate IBBK radio broadcast network is available for this purpose. Such an incident shows the importance of a regular review of emergency concepts.

3.8 "Black hat SEO" campaign also with .ch domains

Search engine optimization (SEO) encompasses measures intended to improve the search engine rankings of websites. Search engine optimization is a branch of search engine

9 http://www.swisscom.com/GHQ/content/Media/Medienmitteilungen/2010/20101109_MM_Stoerung_Mob_Internet_aufgehoben.htm (as of 10 January 2011).
10 http://www.ensi.ch/fileadmin/deutsch/files/nfs_2006d.pdf, page 8 (as of 10 January 2011).


marketing. Techniques such as cloaking, keyword stuffing and hidden text (or hypertext) are used to lift unknown sites to the top of search engine rankings and to ensure better visibility and thus higher traffic. Ethical search engine optimization is called "white hat" optimization. It does without unwelcome practices and follows the guidelines of the various search engines. In contrast, optimization using unwelcome methods is called "black hat" optimization.

Scammers wanting to spread malware as efficiently as possible on the Web will infect popular websites (see Chapter 5.5). Using a single website, tens of thousands of computers can be infected in that way. Usually, however, the most popular websites are the best protected (there are numerous exceptions on the Web that prove the rule). With the SEO technique, it suffices to compromise lesser known (and less well protected) websites with little traffic and then to catapult them to the top of search engine rankings.

In August 2010, a sustained "black hat SEO" campaign took place with the goal of spreading scareware. It also included various Swiss domains.¹¹ After a vulnerability was discovered on a Swiss web server, a forwarding address (self.location.href) was placed on every domain name on that server, referring the user to a website with the TLD "co.cc", which displayed the message "You're infected" and offered the user a programme purported to clean the computer (see figure). If the programme was downloaded and installed, however, the problems only just began. The technique used in this case to forward many hacked sites to a single target site is called a link farm. This technique also falls within the scope of "black hat SEO".

Figure 1: When surfing to compromised .ch websites, the user is redirected to a website claiming that the computer has been infected.

Even websites that do not appear very attractive to criminals should always be protected with the necessary care. Anyone using a content management system (CMS) such as WordPress, Joomla, Drupal, etc., should regularly update these applications and thereby prevent criminals from having free rein. Additionally, hosting providers should strive for enhanced security with respect to web servers.

11 Dancho Danchev, information assurance expert, analyzed the campaign in detail in his : http://ddanchev.blogspot.com/2010/08/dissecting-scareware-serving-black-hat.html (as of 10 January 2011).


3.9 Fight against malicious websites

Background

Increasingly, cybercriminals are hacking legitimate websites and placing malicious code on them. In this way, phishing websites can be set up (see Chapter 3.5) or website infections can be smuggled in (see Chapter 3.13). In the latter case, accessing a manipulated website may already suffice for one's computer to become infected with viruses or trojans.

All Internet-capable computers can become infected with malware. Linux and MacOS users have a false sense of security if they believe that viruses and trojans are only a problem for Windows. Additionally, smartphones are also targets of attacks – with an increasing trend (see Chapter 5.3).

Measures taken by MELANI and SWITCH

Since the end of November 2010, the Swiss domain name registrar SWITCH has acted more intensively against Swiss websites that spread malware and infect computers of Internet users with malware when surfing.¹² SWITCH now verifies reports of websites spreading malware and contacts affected owners and providers with the request to remedy the problem. If nothing is done within one business day, SWITCH blocks the Internet address for up to 5 business days, cancels allocation to the name server during this time, and informs MELANI. If the malicious code is not removed, MELANI may apply for an extension of these measures for 30 days.¹³

As already described in Chapter 3.5 of the last MELANI semi-annual report,¹⁴ these measures are primarily intended to protect Internet users and to notify providers of websites that they have been compromised. Blocking of domain names is available as a last resort if the provider does not clean the website and the danger can thus not be averted in any other way. Experience shows that most providers are grateful for the information and restore their websites within a useful time period. In this connection, MELANI has never had to apply to block a site and will continue to use this option only as a last resort and when a substantial circle of users is in fact at acute risk.

Measures taken by other organizations

Since the problem of compromised websites is increasing as a whole and not every registrar is intervening as actively as SWITCH, more and more Internet players are engaged in this field, taking measures and making products available to protect users. Browser manufacturers in particular have introduced mechanisms to warn users about visiting potentially malicious websites. For instance, when a user attempts to visit such an Internet address, a page is first displayed informing the user of the danger if the site is accessed. Google has recently started indicating potentially malicious websites already in its search results. Moreover, various anti-malware manufacturers offer products that mark search results as harmless or problematic and that warn of malicious websites before they are accessed.

12 http://www.switch.ch/about/news/2010/malware-nov2010.html (as of 10 January 2011).
13 http://www.admin.ch/ch/d/sr/784_104/a14bist.html (as of 10 January 2011).
14 MELANI Semi-annual report 2010/1, Chapter 3.5: http://www.melani.admin.ch/dokumentation/00123/00124/01119/index.html?lang=en (as of 10 January 2011).


In principle, all these initiatives and functions are welcome. Especially the protection measures included in browsers and activated as a default certainly help prevent infections in the case of less experienced Internet users. The recognition rate of malicious websites varies considerably, however, and relying solely on individual products may give users a false sense of security. As is the case with all defensive measures against malicious Internet content, no solution offers 100% protection, since the attackers' methods are constantly changing, in order to make detection of smuggled-in malicious code more difficult. In addition to the various "built-in" protection mechanisms offered by various suppliers in browsers, Internet pages or toolbars, installing an anti-malware programme (anti-virus scanner) continues to be indispensable, as is regularly updating the operating system and applications to minimize the risk of infection.

France's anti-phishing initiative

The same is true of phishing filters: In the case of phishing websites surfacing on short notice, rapid reaction is key. Typically, the first few hours after e-mails containing links to phishing websites are sent are the critical time period. Most browsers contain a reporting function that can be used to report phishing sites. There are also toolbars (supplied by anti-malware manufacturers and specialized providers) that warn of such sites. Here again, users have the option of reporting discovered phishing sites. The reports are then analyzed, and the product typically begins warning of the site shortly thereafter. At the beginning of 2011, Microsoft launched an initiative focused on French-language phishing in cooperation with PayPal and the French CERT-LEXSI. Reports can be made by the public on a specialized website.¹⁵

Since the reaction time of website and hosting providers differs greatly, every opportunity to protect Internet users must be taken advantage of. The faster the warnings are issued, the fewer potential victims there are. The large number of suppliers entails, however, that not all products warn of all dangerous websites, since not all suppliers gain knowledge of a specific website. It can therefore not be assumed that all phishing websites will be caught simply because an anti-phishing product is being used. It is more efficient to ignore all e-mails requesting the recipient to enter a password. As before, one should be critical in general if one is asked in an e-mail to enter personal data such as passwords or credit card information on a website or to "verify" such information.

An entry of one's own website in malware or phishing filters can be very unpleasant and may keep potential clients away. After restoring the website, the problem arises that the entries in these filter and warning lists must be removed again. This is difficult in that one does not know in how many and in which lists the address is included, and also because contacting suppliers efficiently often is only possible by using the relevant product. This means that after one's website has been compromised, considerable effort must be invested in following up on the incident. While suppliers regularly check that their filters are up to date, it may take quite some time to remove entries again.

To prevent one's own website from being compromised, it is indispensable to always keep one's web application updated. It is also recommended to monitor one's own website continuously, so that any abusive changes can be remedied immediately even before the Internet address has been entered in the filter and warning lists.

15 http://www.phishing-initiative.com (as of 10 January 2011).

3.10 27C3: we come in peace – and hack your website

From 27 to 30 December 2010 the 27th Chaos Communication Congress took place in Berlin under the motto "we come in peace".16 As part of this event hosted by the Chaos Computer Club (CCC), the participants checked various websites for vulnerabilities. They found such vulnerabilities on the website of the Grasshopper Club Zurich, for instance. The logo of the club was replaced by that of FC Zurich for a short while, and databases of the webshops and information on registered users were extracted and made available online.

This is what the GC website looked like in the night from 28 to 29 December:

Figure 2: Modified GC website.

After their action, the hackers sent an e-mail to all GC newsletter subscribers (whose addresses were stored in one of the databases), in which they drew attention to the insufficiently protected website.

16 http://events.ccc.de/congress/2010/wiki/Welcome (as of 10 January 2011).

Figure 3: E-mail from the hackers to all GC newsletter subscribers.

Since the affected database contained unencrypted passwords, MELANI recommends that the registered users change their passwords immediately.

MELANI recommends using different passwords for different web services in order to prevent one's entire online identity from being abused by hackers after such a data mishap. In particular, logins consisting of e-mail addresses and passwords should NEVER use the same password as the e-mail account itself. If attackers do not "come in peace" as in this case, the e-mail account will be the first target in which a login will be attempted using the stolen password; the second attempted target will be access to various social networks.

Other vulnerabilities were found on the websites of political parties, right-wing extremist groups, airports, media, government offices, and many others.17 The hackers pulled a special stunt with German broadcaster ARD, on whose website the following bogus report was displayed:

Figure 4: Compromised website of German broadcaster ARD with bogus report about an owl struck down by the wrath of God in the Cologne Cathedral.

17 http://events.ccc.de/congress/2010/wiki/Hacked (as of 10 January 2011).

3.11 Anti-Botnet Initiative Switzerland evaluation study

Botnets can be rented already for just a few US dollars a day; the final price depends on the capacity and duration of use of the desired botnet. It is therefore not astonishing that botnets are nowadays used for most of the criminal activities on the Internet.

A successful fight against botnets requires intensive collaboration between Internet providers, the state, and potentially also investigation authorities. For this reason, MELANI commissioned the Zurich University of Technology at the end of December 2010 to conduct an evaluation study. The goal of the study was to show the way in which such collaboration is possible, and to what extent initiatives existing abroad (e.g. botfrei.de18) might be adapted to Switzerland. The study should be completed by the end of June 2011.

3.12 Cyber Defence Project Leader

On 10 December 2010, the Federal Council held consultations on the threat to Switzerland by attacks from cyberspace and on potential countermeasures. The Federal Council decided to strengthen the protective measures against such attacks on Switzerland. For that purpose, it has appointed Kurt Nydegger, formerly Chief of the Armed Forces Command Support Organisation, as the temporary Cyber Defence Project Leader. The Project Leader will head an expert group tasked to develop a comprehensive federal strategy against cyber threats by the end of 2011.19

3.13 OpenX server

Last year, various website infections were registered that were traced to vulnerabilities in ad servers. For instance, the open source ad server software OpenX was affected by vulnerabilities for an entire year, allowing attackers to obtain administrator privileges20. Since the updates for closing such vulnerabilities are not automatically incorporated, web administrators must take special care in this regard. In June 2010, security experts increasingly warned of obsolete OpenX versions, since updates were in some cases incorporated only hesitantly.21

Also in Switzerland, OpenX vulnerabilities were the cause in summer 2010 of numerous infections, including on the website of a major Swiss newspaper. In this case, the advertising of the online edition was attacked with a website infection. Clearly, an infection on such a website has substantially more impact than on a private website (see also Chapter 5.5).

18 The German Anti-Botnet Advisory Centre is a service of eco, the Association of the German Internet Industry, with support from the Federal Office for Information Security (BSI). https://www.botfrei.de/ (as of 10 January 2011).
19 http://www.news.admin.ch/message/?lang=de&msg-id=36731 (as of 10 January 2011).
20 http://www.heise.de/security/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html (as of 10 January 2011).
21 http://news.softpedia.com/news/OpenX-Based-Malvertising-Attack-Discovered-145903.shtml (as of 10 January 2011).

Figure 5: Connection log of a web infection in the online edition of a Swiss newspaper.

As can be seen in the connection log, visitors accessing the newspaper's website were redirected to the server "dhfyjrud321.com", where various vulnerabilities in browsers and applications were then exploited. Additionally, a cookie was set so that the infection would be triggered only on the first visit to the site. This makes it more difficult for security experts to analyze the site, and also harder for the website's administrators to identify and remedy the fault.

Website infections are currently the most popular vectors for spreading malware. Central servers making content available to different websites play a key role in this regard. A single act of compromising especially online advertising, but also statistics services, can result in far-reaching consequences. In the case of providers of Internet advertising, but also other content, the proper usage of the software employed plays an important role. Here again, all programmes must always be kept updated. In the case of such services, a website is in the end only as secure as its weakest link. Often, these are offers by third parties that are included in the website and are thus difficult for website operators to control.
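To illustrate the kind of analysis described above, the following is an added example (not the report's own check tool) that scans a constructed connection log for redirects from the newspaper's own ad server to a foreign host and checks for the cookie-gated "show once" behaviour. The log format, the first-party domain example-newspaper.ch and every log line are constructed; only the hostname dhfyjrud321.com is taken from the report.

```python
"""Detect third-party redirects and cookie-gated infections in a connection log.

Added example; not the report's own check tool. The log format, the first-party
domain example-newspaper.ch and every log line are constructed. Only the
hostname dhfyjrud321.com is taken from the report.
"""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed first-party domains: any other host the visitor is sent to is foreign.
TRUSTED_DOMAINS = ("example-newspaper.ch",)

# Constructed log, tab separated:
# time  method  url  status  Location (or -)  Set-Cookie (or -)
SAMPLE_LOG = "\n".join([
    "12:00:01\tGET\thttp://www.example-newspaper.ch/\t200\t-\t-",
    "12:00:01\tGET\thttp://ads.example-newspaper.ch/www/delivery/ajs.php?zoneid=7\t200\t-\t-",
    "12:00:02\tGET\thttp://ads.example-newspaper.ch/www/delivery/lg.php\t302\thttp://dhfyjrud321.com/in.php?a=4\t-",
    "12:00:02\tGET\thttp://dhfyjrud321.com/in.php?a=4\t200\t-\tvisited=1; path=/",
    "12:00:03\tGET\thttp://dhfyjrud321.com/load.php\t200\t-\t-",
    "12:00:09\tGET\thttp://ads.example-newspaper.ch/www/delivery/lg.php\t200\t-\t-",
])


@dataclass
class Entry:
    time: str
    method: str
    url: str
    status: int
    location: str    # "-" when the response did not redirect
    set_cookie: str  # "-" when the response set no cookie

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


@dataclass
class Finding:
    source_url: str   # first-party URL (here the ad server) that redirected
    target_host: str  # foreign host the visitor was sent to
    sets_cookie: bool # the foreign host set a cookie on arrival
    shown_once: bool  # a later request to source_url did not redirect again


def parse_log(text: str) -> list[Entry]:
    """Parse the constructed tab-separated log into Entry records."""
    entries: list[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        time, method, url, status, location, cookie = fields
        entries.append(Entry(time, method, url, int(status), location, cookie))
    return entries


def is_first_party(host: str, trusted: tuple[str, ...] = TRUSTED_DOMAINS) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_third_party_redirects(entries: list[Entry],
                               trusted: tuple[str, ...] = TRUSTED_DOMAINS) -> list[Finding]:
    """Flag 3xx responses whose Location points outside the first-party domains.

    For each such redirect, also record whether the foreign host set a cookie
    and whether the same source URL later answered without redirecting; both
    together are the "infect only on first visit" pattern, which means that a
    re-test must be done with an empty cookie jar to reproduce the infection.
    """
    findings: list[Finding] = []
    for i, e in enumerate(entries):
        if not (300 <= e.status < 400) or e.location == "-":
            continue
        target = urlparse(e.location).hostname or ""
        if is_first_party(target, trusted):
            continue
        sets_cookie = any(x.host == target and x.set_cookie != "-" for x in entries)
        shown_once = any(x.url == e.url and x.location == "-" for x in entries[i + 1:])
        findings.append(Finding(e.url, target, sets_cookie, shown_once))
    return findings


if __name__ == "__main__":
    for f in find_third_party_redirects(parse_log(SAMPLE_LOG)):
        print(f"{f.source_url} -> {f.target_host} "
              f"(sets cookie: {f.sets_cookie}, shown only once: {f.shown_once})")
```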

4 Current International ICT Infrastructure Situation

4.1 Stuxnet attack on industrial control systems

In mid-June 2010, a new computer worm was discovered which was capable of infecting a fully patched Windows 7 system via a USB stick. This worked in part because two drivers with rootkit functions were integrated in the worm; they carried valid but probably stolen digital signatures of two different companies and could therefore be installed on the system without any warning. At the time, no one suspected that this would become the most-discussed malicious programme of the year.22 Analysts showed that the worm exploited not only vulnerabilities that were already known but also several other Windows vulnerabilities that had not yet been patched. The worm, named "Stuxnet", can travel via printer spoolers and network shares and also has a peer-to-peer component, which makes mutual updates of infected systems within the same network possible. In this way, Stuxnet can also update itself in networks that are not connected to the Internet as soon as a newer version has been introduced.

22 http://www.heise.de/thema/Stuxnet; http://www.spiegel.de/thema/stuxnet/; http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_malware/stuxnet/index.html; http://www.symantec.com/business/theme.jsp?themeid=stuxnet; http://www.langner.com/en/blog (all as of 10 January 2011).

In addition to these extraordinarily diverse infection vectors for Windows, Stuxnet also contains code for manipulating applications that serve to programme industrial control systems (i.e. programmable logic controllers, PLCs). These applications are also infected by Stuxnet and are used to spread it and to infect PLCs. Stuxnet is then close to its goal, which is to interfere with the functionality of certain PLCs. Only if a system meets specific criteria does Stuxnet manifest its planned effect, manipulating the running process. Stuxnet conceals its presence not only on Windows systems, but also in the other infected components. For instance, the original configuration of the PLC is stored, so that if the configuration is edited, the seemingly intact original is shown in the editing programme instead of the changed code. The data sent by the PLC to the monitoring systems during operation are likewise altered so that the manipulation of the affected industrial facility is not displayed.

The highly complicated functionality of this malware is considered unique to date. A further unusual feature of Stuxnet is that not as many systems as possible, but rather only systems with specific characteristics are infected – Stuxnet is very choosy. The programming is not intended to misuse hijacked computers for any sort of Internet crime or to cause damage to IT systems; instead, Stuxnet attempts to locate very specific systems via which precisely defined PLCs can be infected and manipulated. Stuxnet was used to carry out a very targeted attack.

4.2 Wikileaks

Not only since the second half of 2010 has the whistleblower platform Wikileaks caused a stir. Since 2007, Wikileaks has given people from all around the world the possibility of transmitting confidential, censored, or other non-public documents anonymously. According to its own information, Wikileaks then subjects these documents to a review guided by ethical and journalistic principles and, in addition to preparing them journalistically or providing a simple commentary, also makes the raw data available to the public. The idea behind this approach is relatively simple: by simultaneously publishing the article and the basic material, transparency is to be maximized. Accordingly, Wikileaks does not engage in any internal selection with respect to the information complexes provided, but rather publishes everything after an initial review. In this way, readers are to decide for themselves whether to believe the presented information or not. Readers are accordingly not to be exposed to the arbitrariness of a medium functioning according to classical principles, which undertakes a pre-selection of the materials and decides itself – whether on the basis of journalistic, ethical or commercial considerations – which of these stories should ultimately be published in what way.

The events over the past six months surrounding the ongoing publication of about 250,000 US State Department dispatches by Wikileaks gave rise to several independent clusters of problems. On the one hand, a debate concerning media ethics once again erupted, focusing primarily on the question of whether simply making classified documents available to the public according to a de facto principle of full disclosure can be justified. The question concerning the intentions and motives of Wikileaks (co-)founder Julian Assange played a role in this regard as well. An assessment of the focus of Wikileaks' activities on the person of Assange, the prioritization of information undertaken by Wikileaks – contrary to its proclaimed credo – as well as the selective choice of collaborating media outlets and those granted exclusive rights, and the associated inherent contradiction of the ideals underlying Wikileaks, is a purely media-ethical and media-philosophical discussion that goes beyond the scope of this report.


Two other aspects in this connection have a clear relationship with information assurance, however. First, the question of how 250,000 classified embassy documents could fall into the hands of Wikileaks in the first place. It is still unclear whether a single person or several sources provided these and other documents to Wikileaks. However, it does appear corroborated that cluster risks were taken into account by US government offices in the interest of better and more efficient networking. In this context, documents with very different classifications appear to have been stored on the same secured network with relatively broad access privileges for a large number of users. Should this be confirmed, the theft of these documents would be a classical example of a misguided information assurance strategy as has already been discussed on several occasions in the MELANI semi-annual reports23. The focus in this regard should be not only to ensure the security of information channels, storage media, and networks, but also to introduce more far-reaching security measures within the framework of an informed risk management process, in light of the specific value of the individual pieces of information. A purely technical "one size fits all" strategy without specific restrictions and access rights also in the physical and personnel domains, adjusted to the actual value of a specific piece of information, must necessarily lead to the total loss of such information.

A second incident in connection with Wikileaks was the mobilization by "Anonymous Operation" to – in their words – punish alleged Wikileaks opponents virtually. This incident is described in Chapter 3.2.

The incidents surrounding the publication of documents by Wikileaks exhibit the entire spectrum of problems in the field of information assurance. The disclosure of classified documents to third parties is a growing problem in the world of information and communication technologies. Often, too little is done to secure the information "in depth", since the focus is often limited to technical perimeters that are as sophisticated as possible. Unfortunately, this approach mainly creates a cluster risk and fails to take account of the problem of insiders as well as of the fact that not every piece of information has the same value, so that comprehensive protection must primarily focus on the information to be protected and not on the network on which it is stored.

The "retribution attacks" carried out in the wake of the Wikileaks affair also show once again how vulnerable institutions and private individuals are to attacks and how cyber attacks almost inherently entail the danger of collateral damage, as was also the case in earlier actions such as those against the sex-site operators in Switzerland24. Especially the clearly criminally relevant attacks on PostFinance have plainly shown that there is still a great lack of awareness and sense of justice among those involved. In this sense, intervention by prosecution authorities in individual countries against co-perpetrators is welcome.

23 MELANI Semi-annual report 2009/1, Chapter 5.1: http://www.melani.admin.ch/dokumentation/00123/00124/01093/index.html?lang=en (as of 10 January 2011) or MELANI Semi-annual report 2009/2, Chapter 5.1: http://www.melani.admin.ch/dokumentation/00123/00124/01109/index.html?lang=en (as of 10 January 2011).
24 MELANI Semi-annual report 2009/2, Chapter 3.3: http://www.melani.admin.ch/dokumentation/00123/00124/01109/index.html?lang=en (as of 10 January 2011).

4.3 SSL and two-factor authentication – security for customers

In October 2010, programmer Eric Butler published a rather interesting extension for the Firefox browser on his own website: Firesheep25. On the occasion of the Toorcon conference in San Diego, Butler analyzed26 the threat posed by providers of the Web 2.0 and especially Facebook. When accessing a website such as Facebook, the server creates a cookie containing the name and password of the user.

The connection between the user and the recipient is not encrypted if the user uses a public WLAN connection. For instance, if the user uses his own laptop in a public building (e.g. hotel, restaurant, airport, etc.) or at a conference providing a connection, the cookie can be stolen and used to masquerade as the rightful user. In technical jargon, this is called sidejacking. To protect against this kind of attack, an encrypted connection between the user and the recipient must be established. Google remedied the problem in its e-mail service Gmail in January 2010. But as of 2010, the largest website – Facebook – had not.

To demonstrate how easily sidejacking works, Butler published Firesheep. After installing the extension, it suffices to connect to an open WLAN, start the application, and wait until a user logs onto Facebook. Now it is possible to steal the generated cookie and log onto Facebook with the other person's account. Using other people's accounts in this way is in principle a criminal act, which is why we recommend against the use of Firesheep.

The described scenario represents a well-known problem. Until now, however, a certain level of knowledge was necessary to steal a cookie. With Firesheep, this becomes child's play. Users must make sure that they only use sites with SSL when connecting via an open WLAN. This precaution has been made available by the companies and cannot be introduced by users themselves. At the same time, MELANI points out that more and more attacks are committed against Internet service providers who only make a single factor available for authentication. This is true for instance of online auctions, e-mail accounts, and various payment systems. Also in such cases, it should be pointed out to companies that two-factor authentication reduces the risk of being compromised. With this measure, substantial losses to companies and customers can be prevented.
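As an added example (not code from the report or from Firesheep), the following Python audit shows the server-side counterpart of the advice above: a session cookie without the Secure attribute is attached by the browser to any plain http:// request and can therefore be read on an open WLAN, whereas a Secure cookie together with a Strict-Transport-Security header keeps the session on SSL/TLS. The response headers and the cookie name "session" are constructed.

```python
"""Audit Set-Cookie headers for session cookies exposed to sidejacking.

Added example, not code from the MELANI report or from Firesheep. The
response headers and the cookie name "session" are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, object]  # attribute name (lower case) -> value, or True for flags


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def sent_over_plain_http(cookie: Cookie) -> bool:
    """A browser attaches a cookie to http:// requests unless it carries the
    Secure attribute (RFC 6265, section 4.1.2.5). Without Secure, the session
    cookie crosses an open WLAN in the clear and can be replayed by a sniffer."""
    return "secure" not in cookie.attrs


def audit_response(headers: list[tuple[str, str]], session_cookies: set[str]) -> list[str]:
    """Return findings for session cookies that could be sidejacked.

    Two conditions are checked: the session cookie must be marked Secure, and
    the site should send Strict-Transport-Security so the browser never starts
    a session over plain HTTP in the first place.
    """
    findings: list[str] = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(val)
        if cookie.name not in session_cookies:
            continue
        if sent_over_plain_http(cookie):
            findings.append(f"{cookie.name}: missing Secure attribute; sent in clear text over http://")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header; browser may still start sessions over http://")
    return findings


# Constructed headers. WEAK_RESPONSE mirrors the situation described in the
# report (session cookie usable over plain HTTP); HARDENED_RESPONSE is the fix.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        issues = audit_response(headers, {"session"})
        print(label, "->", issues or ["no findings"])
```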

4.4 Incidents related to trading in emissions rights

Already at the beginning of 2010, phishing attacks took place against emissions trading registries in which emissions rights were unlawfully transferred.27 One of the companies suffering losses thereupon sued the Federal Republic of Germany for damages with the justification that the security standards of the responsible authority had been insufficient.28 On 16 November, the German Emissions Trading Authority (DEHSt) announced that it would introduce two-factor authentication using smsTAN for the emissions registry.29

25 http://codebutler.com/firesheep (as of 10 January 2011).
26 http://codebutler.github.com/firesheep/tc12/#1 (as of 10 January 2011).
27 See MELANI Semi-annual report 2010/1, Chapter 4.9: http://www.melani.admin.ch/dokumentation/00123/00124/01119/index.html?lang=en (as of 10 January 2011).
28 http://www.heise.de/security/meldung/Datenklau-bei-Emissionsrechten-kommt-vor-Gericht-1098072.html (as of 10 January 2011).
29 http://www.dehst.de/cln_153/nn_1662430/SharedDocs/Mailings/DE/2010/10-11-16__smsTAN.html (as of 10 January 2011).

On the same day, 1.6 million emissions certificates belonging to the Romanian subsidiary of a Swiss cement manufacturer were stolen from the Romanian national registry, after criminals had spied out the access data of the company using a trojan. The trojan used, "Nimkey", had previously been used primarily against clients of American banks. Its characteristics (including the theft of private key certificates, recording of keystrokes, copying of data from the clipboard) can also be used to obtain login information for other services – especially when only a username and password are required. The appearance of Nimkey in this connection led various European emissions trading registries to suspend trading, at least for a short period.

At the beginning of December, many companies then received an e-mail from the "European Climate Registry" asking the recipients to open up an account on a website or to validate the login data. The European Commission and the national registries distanced themselves from this enterprise: they said it was not an official registry, but rather a purely private Internet offering whose seriousness and utility could not be assessed – but the website continues to be online.30

The European Commission wants to increase the security standards for the emissions trading offices. In a later phase, trading is envisaged to be conducted via a single European registry.31 Until they are consolidated, the national registries must themselves provide sufficient protection and introduce more secure procedures. In some cases, this has already been done.

As already mentioned in previous semi-annual reports,32 a shift of cybercriminal attacks away from online banking toward less securely protected services and (trading) platforms has been observed. Especially those services are at risk that are protected only by a username and password and if money can be made directly or indirectly by gaining access. In addition to emissions trading, other online payment systems, auction platforms, e-mail providers and social networks are also affected.

4.5 NATO trains cyber defence and includes cyber threats in its strategic concept

From 16 to 18 November 2010, NATO conducted an exercise called "Cyber Coalition 2010".33 The exercise tested processes and coordination among the various actors who have to work together in the event of a cyber attack against NATO and its member states. This was the third exercise of this kind.

At the NATO summit in Lisbon, which took place from 19 to 20 November 2010, the heads of state and government of the member states adopted a new strategic concept of the North Atlantic Alliance according to which cyber attacks must be regarded as a serious threat. Accordingly, NATO will therefore further develop its own capacities and those of its member states in order to prevent and discover attacks on computer networks, defend against them, and recover from such attacks. The national capacities for combating computer crime are also to be strengthened and coordinated more effectively. Additionally, the capacity is to be further developed to contribute to energy security and thus also to the protection of critical energy infrastructures.

30 An e-mail to that effect was sent by the European Climate Registry already in the summer of 2009. The domain "europeanclimateregistry.eu" has been registered to a person in Brussels since December 2008.
31 Directive 2009/29/EC of 23.04.2009, point (38).
32 See, e.g.: MELANI Semi-annual report 2008/2, Chapter 3.6: http://www.melani.admin.ch/dokumentation/00123/00124/01085/index.html?lang=en (as of 10 January 2011).
33 http://www.nato.int/cps/en/SID-70CABE49-11886860/natolive/news_69805.htm

The question of whether or when attacks on computer networks should be qualified as armed attacks and accordingly can trigger a case of collective self-defence under article 5 of the North Atlantic Treaty was not clarified at the Lisbon summit. By June 2011, a detailed NATO cyber defence policy will be developed along with a plan of action for its implementation.

Interestingly, the terms "cyber-defence" and "cyberdéfense" used in the official NATO languages English and French were translated by the German permanent mission to NATO as "Schutz vor Computerkriminalität (protection from computer crime)" in the summit declaration and the strategic concept.34 This may be an indication that the alliance partners have not (yet) agreed whether a military or perhaps instead a civilian response to a cyber attack is appropriate. Only the fact is uncontested that also the military should be able to protect its infrastructures.

4.6 Trend toward USB worms

Increasingly frequently, USB data carriers are being used as a way to spread malware. Stuxnet35 and Conficker36 are only the most prominent representatives of this species. USB storage media are becoming cheaper and cheaper and are being used more and more frequently. Additionally, many computer systems are protected less effectively against USB malware than for instance against malware spread via networks or e-mail. According to the Spanish company Panda Security, 25% of the newly circulated worms in 2010 are claimed to be able to spread via USB37. This is indicated in a study conducted at 10,470 companies in Europe and North and South America. On many company computers, the file autorun.inf, which allows programmes to be launched automatically, has still not been deactivated. This function can be easily used to install malicious programmes, even already when a USB device is connected to the computer.

USB as an infection vector is therefore primarily used in combination with other infection vectors. The USB device primarily serves as a way to overcome the company's firewall. Once the malware has entered the company's network, the obstacles for dissemination are much smaller.

The consequences a private USB stick can have were shown by the malware smuggled into the Pentagon network in 2008. A soldier stuck a private USB stick infected with malware into a computer connected with the US military network in the Middle East. From there, the malware spread to and via numerous internal networks until it finally is said to have gained access to parts of the network classified as secret.38 Also the malware Conficker found its way into various corporate networks, including hospitals and military networks.

34 http://www.nato.diplo.de/Vertretung/nato/de/04/NATO__Gipfel__Lisboa__1911_Seite.html (as of 10 January 2011).
35 See Chapters 4.1 and 5.1 of the present report.
36 See http://www.melani.admin.ch/dokumentation/00123/00124/01093/index.html?lang=en, Chapter 4.2 (as of 10 January 2011).
37 http://press.pandasecurity.com/news/25-of-new-worms-in-2010-are-designed-specifically-to-spread-through-usb-devices/ (as of 10 January 2011).
38 http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain (as of 10 January 2011).

In particular for attacks against companies, USB storage media are especially suited as carriers of malware and therefore dangerous. Every company has meanwhile installed good defensive methods on their networks, and also e-mail traffic is in most cases centrally monitored for malware. But if a malware manages to get behind the firewall into the company network, using a USB stick via the computer of an employee, then all doors are open to the malware. Particularly for targeted attacks and specially sealed-off systems, this represents a suitable attack vector. The probability that an employee may at some time connect a USB stick or other USB device such as a camera or smartphone both to his private computer and his work computer is very large. Even an upfront verification of USB sticks by several anti-virus programmes does not guarantee complete protection, since especially in the case of targeted malware employed in small numbers, anti-virus programmes generally fail.

4.7 "Here you have" computer worm – "Iraq Resistance"

On 9 September 2010, a previously unknown computer worm began to spread on the Internet, disrupting the e-mail traffic of several American companies. The worm sent e-mails with the subject line "Here you have" and the e-mail body "This is The Document I told you about, you can find it Here" or "Just For you" and the e-mail body "This is The Free Download Sex Movies, you can find it Here". The "Here" included a link to the malware. The link supposedly referred to a document or video file, but in fact clicking on it would download the malware to the computer, and the user was requested to execute the file. The worm then spread through shared drives and sent the e-mail with the link to contacts in the victim's address book. Other than spreading and causing excessive amounts of e-mail that overloaded some servers, the worm did not cause any particular damage.

Authorship was admitted by a person with the nickname "Iraq Resistance" who claimed to be affiliated with a previously unknown group "Tariq bin Ziyad Brigades for Electronic Attack (TbZBEA)". But the author's goal was not to cause as much damage as possible. Claiming responsibility on YouTube, the author said he was not a terrorist.39 The action was to be understood as a protest: firstly against the US invasion of Iraq, and secondly against the Quran burning announced for 11 September 2010 in the US (which was ultimately not carried out, though for other reasons).

The method of picking off address books on infected systems and employing an e-mail body with a clickable link is a simple but very effective form of social engineering. These e-mails are trusted, since the sender is known, and the body of the message is general enough that it may sound plausible to many recipients. In 2000 ("I LOVE YOU" virus) and 2001 ("Anna Kournikova" virus), similar computer worms were circulated which were spread using comparable methods. An important rule in dealing with e-mails is therefore that one should as a rule treat unexpectedly received messages (even from known senders) including links or attachments with caution, and in cases of doubt one should check with the sender whether the message is legitimate. Attachments used recently as infection vectors have increasingly been PDF documents. Even by simply clicking on a link to a prepared website or by opening a file, the computer may become infected.

The "Here you have" worm used here was circulated for politically and religiously motivated cyber protest. If, in addition to its spreading mechanism, it had also included instructions to damage widespread data, then the story could have had a far worse ending for some companies.

39 http://www.youtube.com/watch?v=IkMifFGqt78 (as of 10 January 2011).

4.8 Dutch police separate large botnet from the Internet

On Monday, 25 October 2010, the Dutch police separated the command server of the botnet "Bredolab" from the Internet. Bredolab is alleged to have infected more than 30 million computers worldwide. The Dutch police separated a total of 143 servers from the Internet that had steered the botnet. At the same time, a 27-year-old man was arrested at the Yerevan airport. He is accused of being the head operator of the botnet. In the preceding weeks, the investigators had taken an in-depth look at the botnet's infrastructure.

For the botnet's operators, the focus was primarily on distributing malware, and they used website infections for this purpose. Once a computer had been infected, the malware searched it for the usernames and passwords of website administrators; the credentials found were then used in turn to infect further websites, entirely automatically. The servers that have now been deactivated were hosted by the Dutch provider "Leaseweb". Normally, such a server would be removed from the network immediately upon discovery, but in this case Leaseweb kept it running on the instructions of the police so that the network could be analysed.

The perpetrator or perpetrators had specialized in building a botnet that was as large as possible, in order to rent out or sell parts of it. Since Bredolab was a "downloader", any kind of malware could subsequently be loaded onto an infected computer.

Already on 9 April 2010, MELANI had sent out a newsletter drawing attention to this malware and the heightened threat of website infections40. The reason for the warning was that the recently developed check tool of the Reporting and Analysis Centre for Information Assurance, which scans Swiss websites for website infections, had discovered a large number of websites infected by Bredolab. The operators or providers were then contacted so that they could remove the infections.
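As an added illustration of what a website-infection check of the kind mentioned above can look like (this is example code written for this edition, not MELANI's check tool, and it does not describe Bredolab's actual injection technique), the following Python script scans an HTML page for two patterns typical of mass website infections: hidden iframes pointing at foreign hosts, and inline scripts consisting mostly of escaped characters fed to unescape(). The sample page, the hostnames and the thresholds are constructed assumptions.

```python
"""Heuristic scan of an HTML page for injected drive-by content.

Added example, not MELANI's check tool. It flags two patterns commonly
used by mass website infections: hidden <iframe> elements pointing to
third-party hosts, and inline <script> blocks that are mostly %xx / \\xNN
escape sequences passed to unescape()/eval(). Thresholds are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Page under test (constructed sample, not a real site): a legitimate
# body with an injected hidden iframe and an obfuscated script appended.
SAMPLE_HTML = """<html><head><title>Shop</title></head><body>
<h1>Welcome</h1>
<iframe src="http://example.org/catalog" width="600" height="400"></iframe>
<iframe src="http://198.51.100.23/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>var s="%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70";document.write(unescape(s));</script>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Collect iframes and inline scripts, then judge them with heuristics."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []          # list of (finding_type, detail)
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            self._script_text = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data in CDATA mode
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_text))

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        ip_host = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
        foreign = host and host != self.own_host
        # invisible frame loading content from elsewhere: classic drive-by hook
        if (tiny or hidden) and (foreign or ip_host):
            self.findings.append(("hidden_iframe", src))

    def _check_script(self, text):
        # Share of the script body made of escape sequences; injected loaders
        # are often almost entirely such sequences handed to unescape().
        escapes = len(re.findall(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}", text))
        ratio = escapes * 3 / max(len(text), 1)
        if ratio > 0.4 and re.search(r"unescape|eval|document\.write", text):
            self.findings.append(("obfuscated_script", text[:40]))


def scan_html(html, own_host):
    """Return the list of (finding_type, detail) tuples for one page."""
    scanner = InjectionScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "example.org"):
        print(f"{kind}: {detail}")
```

In practice such a check runs over the fetched front page of each site in a list and reports hits to the operator or hosting provider; the heuristics above deliberately err on the side of flagging, so results need a human look before notification.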

The Dutch police chose a new approach to warn the users of infected computers: the seized command-and-control servers were used to display a pop-up on the screen of each infected computer, warning that it had been infected by malware.

4.9 ZeuS and SpyEye – merger of two of the largest e-banking trojans?

The trojan "ZeuS" is probably the most widespread e-banking malware currently in circulation. There are numerous reports, articles and activities on this topic41.

40 http://www.melani.admin.ch/dienstleistungen/archiv/01107/index.html?lang=de (as of 10 January 2011). 41 For instance, the website of Brian Krebs, a journalist specializing in cybercrime, carried 15 articles in which ZeuS was the focus of coverage during that half-year: http://krebsonsecurity.com (as of 10 January 2011). The website https://zeustracker.abuse.ch/ (as of 10 January 2011) lists more than 500 "ZeuS" C&Cs and an average detection rate of 36.85% for the malicious code by the major antivirus products.

From early 2010, another e-banking malware called "SpyEye" made a name for itself. SpyEye includes a function named "ZeuS Killer Code", which checks whether an infected computer already contains ZeuS and, if so, removes the rival. This effectively led to a war between the two trojans. The author of SpyEye, known by the pseudonyms "Gribodemon" and "Harderman"42, recently became famous in the underground scene when he announced in July that the author of "ZeuS" had given him the code of the malware and delegated the administration of its customers to him:

Figure 6: Forum entry by Harderman, in which he announced in July that the author of ZeuS had delegated the code of the malware and administration of its customers to him.

In various subsequent messages, Harderman publicly announced that version 2 of ZeuS would no longer be developed further. The community could, however, count on a new malware developed from the merger of SpyEye and ZeuS.

4.10 "J1 Network" money laundering organization broken up

The organization "J1 Network" became known for laundering money from online crime. Its name derives from the fact that its members were primarily recruited from foreign students living in the United States on a J1 visa. Various criminal groups operating in cyberspace had used its services, in particular gangs employing e-banking malware to withdraw money online from bank accounts. The FBI reported that it had arrested 37 people belonging to the organization43.

Figure 7: Members of the J1 Network sought by the FBI.

42 The blog "MalwareIntelligence" contains an interview with this person: http://www.malwareint.com/docs/spyeye-analysis-ii-en.pdf (as of 10 January 2011). 43 The press release of the FBI in New York is available at http://newyork.fbi.gov/dojpressrel/pressrel10/nyfo093010.htm (as of 10 January 2011).

The accused, most of whom were in the United States on student visas, opened accounts at various financial institutions, using false identity documents for the purpose. After receiving the money stolen from the online accounts, they kept a percentage for themselves and sent the rest to Russia.

The organization has now been broken up by the FBI, which estimates that about three million dollars in total were laundered.

4.11 Credit card money mule

At the end of December 2010, the e-mail reproduced below was circulated. In poor German, it called on recipients to act as "credit card money mules": they would be sent stolen or counterfeit credit cards by post, with which they were to withdraw cash and, minus a commission, forward it to the perpetrators or to other financial agents. The e-mail also answered frequently asked questions, and its very first sentence pointed out the possible criminal penalties:

Example (translated from the German original):

Subject: Management looking for team members

A job for someone who is aware that, if something goes wrong, he will get off with a suspended sentence at best, and at worst ....

I have been in this business since 2002; a lot of people have worked with me, but only 2 were arrested, and those only because of their greed and stupidity. Every single one who gets caught is not only a financial loss but also a great danger to the whole team. Therefore the following rules must be followed:

1. The instructions are to be strictly observed. Money is withdrawn only at the ATMs I specify and at the time I indicate. Only the agreed amount is withdrawn. The instructions for receiving the credit cards and for handing over the money are strictly followed.
2. The money is to be handed over honestly (no attempts at deception).
3. Use only anonymous SIM cards; do not use this phone for calls to friends and relatives.
4. Never meet with *colleagues* from this business; if someone wants to meet you, there is a 99% chance he is working for the cops.
5. If you have no discipline, cannot keep to the rules, or think I am paranoid, then we should not even attempt to work together.

Getting started: You pick up the credit card. I will tell you by phone where that will be (usually in your town or in a large city near you). Together with the card you receive exact instructions on where, when and how much money to withdraw. The instructions are to be carried out 100% exactly; our earnings and also your safety depend on it. For the first card you must leave a deposit of 300 euros. This is as security so that, if you withdraw everything and disappear, I cover my costs for obtaining the credit card and the transport costs to you. You get this deposit back at the first withdrawal, i.e. at the first ATM. For the first time you receive a credit card and the associated PIN with a withdrawal limit of 1500 euros. Withdraw as much as the instructions specify. From the money withdrawn you receive 600 euros: 300 as return of the deposit and 300 as your earnings. The remaining money you hand over to me; I will write you by SMS how that is to happen. After that you receive 2-4 cards per week (I no longer need a deposit). At the start the cards will have smaller balances of 1000 to 2000 euros, of which you receive 300 to 600 euros as your commission. Later, if our cooperation goes well and you follow all the rules, you work with cards with maximum balances, where you can earn up to 1500 euros per card.

To be able to start work, you need an anonymous SIM card, which you can get in every second Internet café or call centre. As soon as you have it, send the number to my e-mail address. I will then write you an SMS with what you are to do next.

Right away, the answers to the most frequently asked questions:

1. What guarantees do I have that you will not disappear with my 300 euros?

Answer: None at all, but there is no other way. If you are afraid for 300 euros (perhaps it is a large sum for you), then it is 100% certain that I will never hear from you again once you have withdrawn about 5000 euros.

2. I don't have 300 euros; can I leave my passport, my student ID, my word, my girlfriend, my ass, etc. as a guarantee?

Answer: NO. I hire a new worker every day; my expenses per card preparation and transport to you are about 300 euros, and if you disappear with the card I have a loss of 300 euros. That does not have to be.

P.S. As long as you do not try to get money, you do not know what you were born for. Sitting on Hartz IV your whole life or busting your ass for 1000 euros a month, or a few times gathering your courage and trying to get everything out of life. Those who have enough courage and nerve to take on this job will become wealthy people in about half a year and will realize that money is not everything. So before you accept my offer, think seriously about whether you really need it and can see it through!!!

Money mules or financial agents are scarce among criminals and are therefore much in demand. Normally they are used to launder the proceeds of fraudulent bank payments; for this purpose, more or less plausible stories are invented so that the victim does not suspect that the transactions might constitute fraud or money laundering. The case described above was different, since the perpetrator openly asked recipients to commit a crime and even gave tips on how to avoid being caught. Credit card money mules do in fact run a smaller risk of being caught: whereas in e-banking fraud the financial agent acts as the recipient of a transfer, becomes conspicuous after the first fraudulent payment and is quickly taken out of circulation, credit card money mules are harder to trace. For this reason, the e-mail was deliberately not written to recruit unsuspecting people but was aimed at those with criminal potential. It cannot be ruled out, however, that this was a variant of advance fee fraud, and that an interested applicant would never hear from the "employer" again once the 300 euro deposit had been transferred. In such a case, the perpetrator would hardly have to fear being reported, since the victim had himself tried to become a criminal.

5 Trends / Outlook

5.1 Stuxnet – the beginning of SCADA trojans

Originally, SCADA systems had little in common with conventional ICT: they were isolated from office networks, used proprietary hardware and software, and communicated with the central computer over their own protocols. The widespread availability of comparatively inexpensive devices with built-in IP interfaces has brought major changes in recent years. Thermometers, pressure gauges, pumps, switches and other field devices today frequently have their own IP address and use TCP/IP to communicate with the central computer. The advantage of low-cost conventional ICT comes at a price: SCADA systems are now in principle exposed to the same threats already familiar from the Internet, namely malware and attackers. Accordingly, the goal in this field is above all to intensify international contacts and deepen cooperation between the state and operators of critical information infrastructure, so that information on newly arising threats and defensive measures can be exchanged quickly. MELANI is in close contact with Swiss electricity providers and takes part in international information exchange, for instance as part of the European SCADA and Control Systems Information Exchange (EuroSCSIE).

Despite much speculation as to who might be behind the Stuxnet malware, the perpetrators are still unknown, and will probably remain so. Such attacks thrive precisely on the advantage that they are extremely difficult or impossible to trace: a major impact can be achieved at low risk. Since financial gain is of secondary interest in such an attack and the motivation is more likely political, the suspicion of state involvement arises. The possibilities of electronic espionage and sabotage have been known in intelligence circles for some time and are actively put to use; Stuxnet is merely the first case to have gained major attention worldwide. Unlike terrorists, states choose their targets carefully and attack only those facilities whose disruption is deemed indispensable to protecting national interests. Where motivation is high and resources sufficient, practically any system can sooner or later be infiltrated and sabotaged. It must be assumed that similar attacks will recur in future.

5.2 DDoS – background and motivations

Attacks on the availability of websites, or distributed denial-of-service (DDoS) attacks, are employed for various purposes in the cyberworld. Initially, attacks were perpetrated mainly as simple acts of vandalism. Meanwhile the motivations have changed, however. DDoS attacks are now being observed as tools of revenge, for instance, as a way to damage competitors or extort protection money, or as politically motivated attacks. While smaller DDoS attacks usually remain hidden and are not made public, there are recurrent larger DDoS attacks with the goal of achieving a high level of (media) attention. Websites and web servers are the preferred targets. But also mail servers, DNS servers, routers and firewalls or other kinds of Internet services may be affected. The various motivations of the perpetrators are described below.

Political attacks

Politically motivated attacks are not a new phenomenon. The hackers make use of a wide variety of illegal or at least dubious means to gain attention for their concerns. DDoS attacks or the defacement of websites are often used.

The most prominent example of a politically motivated DDoS attack was the one against Estonia in 2007: after a dispute over the relocation of a Soviet war memorial in the capital Tallinn, Estonian websites were unavailable for weeks. DDoS attacks are also used to accompany military operations. During the armed conflict over the separatist republic of South Ossetia in 2008, many official Georgian Internet sites were likewise unreachable or defaced; Georgian government sites in particular were affected. One year later, on the anniversary of the Russian offensive, DDoS attacks were observed against Twitter, Facebook and LiveJournal, directed at a Georgian blogger44 called Cyxymu45 whose posts were critical of Russian policy in the Caucasus.46 Another, likewise probably politically motivated DDoS attack was directed against the US-funded Radio Free Europe in Belarus in April 2008. The attack began on the anniversary of the Chernobyl nuclear disaster, a day on which the station broadcast live from a demonstration in Minsk that recalled the suffering of the victims and opposed the government's plans to build a new nuclear power plant. At its height, the station's website was allegedly flooded with up to 50,000 hits per second.

Politically motivated DDoS attacks have also already taken place in Switzerland. The presumably first such attack in Switzerland occurred in 2007, when the availability of the website of the Parliamentary Services (parlament.ch) was disrupted for several days. Search queries that generated long result lists were sent at short intervals, degrading the server's response time. The precise motive was never established, but the choice of target suggests a political, or at least non-financial, background.47 Three years later, in November 2010, the websites of four major parties were attacked. Here again a political motive was suspected, particularly because the attack took place in the run-up to the vote on the Expulsion Initiative (see Chapter 3.1). By contrast, the motive for the DDoS attack against PostFinance in December 2010, after the account of Wikileaks founder Julian Assange was closed, is clear. What was special about this attack was that Wikileaks sympathizers could download a programme called Low Orbit Ion Cannon and use it to direct a flood of requests at PostFinance (see Chapter 3.2). A comparable approach had already been observed during the DDoS attack on Estonia, when a script was circulated in Russian forums that flooded the IP addresses and DNS servers of about 18 Estonian websites with pings.

44 http://news.cnet.com/8301-27080_3-10305200-245.html (as of 14 February 2011). 45 http://cyberinsecure.com/distributed-denial-of-service-attack-takes-down-twitter/ (as of 14 February 2011). 46 http://wwwguardian.co.uk/world/2009/aug/07/georgian-blogger-accuses-russia (as of 14 February 2011).
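The 2007 attack on parlament.ch described above is an application-layer flood: each request is legitimate on its own, and only the rate of expensive queries gives it away. The following Python script, added here as an illustration and not part of the original report, shows how such a flood can be detected in web server access logs with sliding-window counts, both per client and for the endpoint as a whole (the aggregate check also catches a distributed flood of the Low Orbit Ion Cannon kind, where each participant's own rate may stay below a single-client threshold). The log lines, the endpoint path and the thresholds are constructed assumptions.

```python
"""Detect an application-layer (search-query) flood in web server logs.

Added example, not from the MELANI report. Parses constructed Apache-style
access log lines and flags (a) single clients that hit an expensive endpoint
more than per_client_max times within window_s seconds and (b) the endpoint
itself when all clients together exceed aggregate_max in one window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"])}


def detect_search_flood(lines, endpoint="/search", window_s=10,
                        per_client_max=5, aggregate_max=15):
    """Sliding-window counts of requests to an expensive endpoint.

    Returns {"clients": [ips exceeding per_client_max hits in any window],
             "aggregate": True if all clients together exceeded aggregate_max}.
    """
    # sort by time so the sliding window is valid even for unordered input
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    per_client, everyone = defaultdict(deque), deque()
    flagged, aggregate = set(), False
    for rec in records:
        if not rec["path"].startswith(endpoint):
            continue
        t = rec["ts"]
        for q in (per_client[rec["ip"]], everyone):
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:   # drop old hits
                q.popleft()
        if len(per_client[rec["ip"]]) > per_client_max:
            flagged.add(rec["ip"])
        if len(everyone) > aggregate_max:
            aggregate = True
    return {"clients": sorted(flagged), "aggregate": aggregate}


# Constructed sample traffic (not real log data); seconds after 10:00:00.
def _line(ip, sec, path, nbytes):
    return (f'{ip} - - [12/Mar/2007:10:00:{sec:02d} +0100] '
            f'"GET {path} HTTP/1.1" 200 {nbytes}')

NORMAL = [_line("203.0.113.5", 0, "/index.html", 4120),
          _line("203.0.113.5", 3, "/search?q=budget", 38211)]
# one host hammering the search page: 8 requests within 8 seconds
SINGLE_FLOOD = [_line("198.51.100.7", s, "/search?q=a", 512000) for s in range(8)]
# ten hosts, two requests each, all inside one window: each stays under the
# per-client limit, but the endpoint takes 20 hits in 5 seconds
DISTRIBUTED = [_line(f"192.0.2.{n}", n % 5, "/search?q=%20", 380000)
               for n in range(1, 11) for _ in range(2)]

if __name__ == "__main__":
    print(detect_search_flood(NORMAL + SINGLE_FLOOD + DISTRIBUTED))
    print(detect_search_flood(NORMAL + DISTRIBUTED))
```

The per-client threshold is the one a reverse proxy can enforce directly (rate limiting or a temporary block); the aggregate threshold is only an alarm, since blocking everyone who searches is the outcome the attacker wants, and the operator's response there is to cache or cap the cost of the query rather than to filter by source.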

Extortion and damaging of competitors

For companies that conduct a large part of their business via the Internet, an outage of their web infrastructure can mean major financial losses, ranging from a few days of lost business to a threat to the company's existence. This is where criminals apply pressure, using their botnets to extort money from companies active on the Internet. The approach strongly resembles the extortion of protection money. The following example shows what such an extortion letter can look like.

Figure 8: Extortion letter to a webshop owner.

The operator of the webshop then has the choice of paying or letting the attack happen and trying to stop it with the help of his provider. Depending on the size of the underlying botnet, however, this can be very difficult and may end with the provider terminating the contract. In Switzerland, DDoS attacks have so far primarily been observed against adult sites. Already in autumn 2007, several such sites were attacked, including by means of a botnet; although the owners switched providers several times, the portal remained unreachable for several months. The major providers Swisscom and Cablecom have likewise been affected by DDoS attacks, although the attacks were directed not against the providers themselves but against their customers48.

47 MELANI Semi-annual report 2007/2, Chapter 4.1: http://www.melani.admin.ch/dokumentation/00123/00124/01048/index.html?lang=en (as of 14 February 2011).

What is dangerous about these attacks is that they may affect the rest of the network infrastructure and, in the worst case, disrupt the entire network. In the real world, this would be comparable to attacking a specific person in a building by razing the whole building: others who happen to be in the building at the wrong time are also injured, and the attackers deliberately accept them as collateral damage.

Tool of revenge

Among cybercriminals, denial of service has long been a tool for keeping troublesome competitors at bay or for persuading potential "customers" to switch to the criminals' own networks or services; competitors and unwelcome comments are punished by force. Besides competitors, it is mainly IT security firms that the criminals target. The "Storm Worm", for instance, included a mechanism for attacking and disabling the pages of online virus scanners by DDoS, so as to keep its own botnet from being discovered. Another example concerned the security firm IBM/ISS, whose experts were investigating the structure of a botnet: the company's Internet connection was promptly disrupted by a DDoS attack lasting several days.49

Since the attacks are not always directed at a specific target (usually a website), but rather at the underlying infrastructure of the (hosting) providers, other websites and networks are also affected. In the best case, this only entails financial losses for those not directly involved; in the worst case, far more critical processes that depend on the attacked network may be disrupted or interrupted.

5.3 Mobile (in)security

The first smartphone virus to attract attention was the "Cabir" worm in 2004, which spread via the Bluetooth interface. Apart from draining batteries, since it was constantly searching for other reachable Bluetooth devices, it did not cause major damage.

For a long time, it was assumed that the threat of viruses to smartphones was modest, since smartphones were not seen as a worthwhile target for the malware industry. Reasons included the large number of operating systems, the difficulties in spreading malware, and the lack of "computer crime business models". The increasing popularity of smartphones and mobile phones with PC-like functionality and the storage of sensitive data on these devices is making them increasingly attractive for criminals, however.

48 MELANI Semi-annual report 2009/1, Chapter 3.4 http://www.melani.admin.ch/dokumentation/00123/00124/01093/index.html?lang=en (as of 14 February 2011) and MELANI Semi-annual report 2009/2, Chapter 3.3 http://www.melani.admin.ch/dokumentation/00123/00124/01109/index.html?lang=en (as of 14 February 2011). 49 http://www.tecchannel.de/sicherheit/news/1737083/storm_worm_schlaegt_zurueck_it_security_forscher_angegriffen/ (as of 17 February 2011).

With the consolidation of mobile phone operating systems currently under way50, the danger of incidents with malware of the kind familiar from computers is also rising. The wake-up call was certainly a critical PDF vulnerability on the iPhone in August 2010, which attracted a great deal of media interest: if a prepared PDF file was opened in the Mobile Safari browser, a jailbreak could be carried out on the Apple iPhone, iPad and iPod Touch. That such a vulnerability is also of interest to criminals is obvious. On the Android operating system, too, the first SMS trojan was discovered in August. Disguised as a media player, it sent premium-rate text messages after installation; although installation was cumbersome and required a high degree of user interaction, some users did carry it out. Android phones were also targeted by malware posing as Angry Birds51, by the game Tap Snake, which is not only a game52, and recently by Geinimi53.

ZeuS Mitmo: Man-in-the-mobile

There are efforts in the underground toward further innovation. For instance, there are indications that ZeuS, probably the most widespread e-banking trojan, is starting to spread to the mobile world. The Spanish security firm S21sec recently published an article on a variant alleged to attack two-channel authentication systems that use the mobile phone as the second channel54. During the e-banking session, users of computers infected with this special version of ZeuS are asked various questions about their mobile phone, including its telephone number. The victim is then told that, for security reasons, the financial institution will send a new certificate to the mobile phone (whose number is now known to the scammer) and that the certificate must be installed. With this supposed certificate, the mobile phone is infected as well. When a transaction is made, the message in which the bank sends the authentication code is no longer visible to the client; instead it is forwarded to the scammer, who can then use it to complete the login.

It can be expected that e-banking users will increasingly carry out their transactions on their mobile phones. This confronts financial institutions with new challenges, not only because mobile phones do not yet enjoy the same level of security as "normal" computers. In the case of two-channel authentication with SMS-TAN in particular, new opportunities for deceiving e-banking users arise, quite apart from the fact that a smartphone on which the banking session itself runs can no longer serve as an independent second authentication channel. These risks are certainly not yet immediate, but such considerations must already be included in plans for the next generation of e-banking.

Espionage applications for mobile phones

In the second half of 2010, numerous applications were published with which conversations, messages and other personal data (calendars, GPS position, etc.) can be spied out on mobile phones. In addition to the already known programmes FlexiSpy and SpyPhone, new names surfaced such as Phone Creeper and Remote iPhone Spy. The emergence of so many espionage applications raises various questions: are these or similar functions also built into other, ostensibly harmless applications? And to what extent are espionage apps actually used? A partial answer to the latter question is given by the arrest of 50 people in Romania who had used espionage applications for mobile phones55. One of the most common motives is spying on spouses or business competitors.

50 http://www.zeit.de/digital/mobil/2011-02/nokia-microsoft-wp7 (as of 17 February 2011). 51 http://www.heise.de/security/meldung/Android-Luecken-ermoeglichen-heimliche-Installation-von-Apps-1134661.html (as of 10 January 2011). 52 http://www.f-secure.com/weblog/archives/00002011.html (as of 14 February 2011). 53 http://blog.mylookout.com/2010/12/geinimi_trojan/ (as of 14 February 2011). 54 http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html (as of 14 February 2011).

Not only smartphones: GSM attack and SMS of Death

Even though smartphones are heavily advertised, their share of the worldwide mobile phone market is still only 19%56. At the Chaos Communication Congress57, researchers Collin Mulliner and Nico Golde therefore presented a possible attack scenario for "normal" mobile phones, which make up the bulk of the worldwide market. The attack is performed with a single specially crafted text message that carries the binary attack code; the same principle of binary SMS is used by mobile providers to push configuration settings or set up additional services. The effect of the demonstrated attack was that the mobile phone crashed.

The attractiveness of mobile phones as a target for malware and data theft is determined by two main factors. First, the more mobile phones offer the same functions as computers (Internet access, storage of sensitive data, financial transactions, etc.), the more lucrative a target they become for criminals. Second, as with malware targeting computers, it must be assumed that the size of the "target audience" correlates with the attractiveness of an attack. It must therefore be expected that modern mobile phones will become an increasingly attractive target as they become more widespread, and that security problems will migrate from the Internet to the mobile world. Over the coming years, smartphones will develop more and more into small personal computers; already today, the boundaries between smartphones, tablet computers and notebooks are fluid. A difference remains, however, in the security of the systems: while security software has become standard on computers, it is still practically non-existent on smartphones. Moreover, more than 85% of the mobile phones used worldwide are "feature phones", i.e. simple devices with limited functionality such as playing mp3 files and, most importantly, no means of installing updates58. And even on smartphones, experience shows that updates are not installed promptly, since the phone must be connected to a computer, unlike PC updates, which are generally installed in the background over the network.

5.4 Cloud computing – security measures

The term "cloud" has for some time been circulating in connection with the way private individuals, companies and administrations should handle their documents, applications and the like. The principle is relatively simple and in some ways recalls the early days of computing and networking. Instead of fully equipped client systems that manage everything from operating system and applications to documents, the computer at home or at work would function primarily as a terminal, while everything else resides in the cloud: word processors, data and other applications would be located on a central computer and made available over a network connection. The advantage of such a solution is obvious. Instead of the administrative costs for each and every computer and the programmes and data stored on it, the focus in the cloud would be on the central systems. Patch cycles would then concern only a single system, and every connected user would always have the newest applications and updates. Documents would also be accessible more easily and from anywhere, since they would no longer exist only locally on a network share or computer.

55 http://www.theregister.co.uk/2010/07/01/romanian_spyware_arrests/ (as of 14 February 2011). 56 http://www.gartner.com/it/page.jsp?id=1466313 (as of 14 February 2011). 57 Chaos Communication Congress (Berlin, 27-30 December 2010). 58 http://www.wired.com/threatlevel/2010/12/simplest-phones-open-to-%25E2%2580%259Csms-of-death%25E2%2580%259D/ (as of 10 January 2011).

This approach has, however, long raised questions and security concerns. Ownership of the information is de facto handed over, and trust in the security of the data rests entirely with a third party. To that extent, the trend toward cloud computing is also a trend back to blind trust in technicians and IT security experts. In recent years, however, the development has gone in precisely the opposite direction, since businesses and administrations have come to see the security of their networks and IT in general not merely as a support function but as a strategic asset. In the foreseeable future, therefore, a classic conflict of goals will emerge between lower transaction costs and more efficient technical security on the one hand, and the tendency to keep information within the company under customized technical, personnel and physical security measures on the other.

On the part of cloud providers, too, several problems currently remain. For instance, client data and services are often not kept statically in one location but are shifted between various distributed data centres and assembled as needed. Accordingly, it is impossible to say clearly where exactly a given document is located at a given time. This also raises legal questions, since different laws apply depending on the country in which a document happens to be located at a particular moment.

5.5 Network monopoly – a security problem?

Only a few major players are able to influence the development of the Internet and its network infrastructures59. In 2010, various records were set in this regard. This raises the question of how such concentration affects security.

With a share of nearly 6.4% of all Internet traffic, Google set a new traffic record60. If Google were an ISP, it would be the second-largest worldwide, according to Arbor Networks; the only larger provider is the one that carries most of Google's transit traffic.

Facebook became the most visited site in the United States61, thus surpassing industry heavyweight Google.

According to BitTorrent62, which distributes the file sharing programmes BitTorrent and µTorrent, over 100 million active users a month use one of the company's applications. The content management system (CMS) Drupal announced that 1% of all websites already run on its software63.

59 Recall, for instance, Google's initiative to set up a fibre optics infrastructure allowing the average American to surf the Web 100 times faster than before: http://googleblog.blogspot.com/2010/02/think-big-with-gig-our-experimental.html (as of 10 January 2011). Or recall the objective of Mark Zuckerberg, the founder of Facebook, to have his platform become the gateway to the Web: http://www.wired.co.uk/news/archive/2010-11/04/facebook-mobile-platform (as of 10 January 2011), http://www.spiegel.de/wirtschaft/unternehmen/0,1518,719920,00.html (as of 10 January 2011), http://www.ustream.tv/recorded/3848950 (as of 10 January 2011), http://www.newyorker.com/reporting/2010/09/20/100920fa_fact_vargas (as of 10 January 2011).
60 http://asert.arbornetworks.com/2010/10/google-breaks-traffic-record/ (as of 10 January 2011).
61 http://www.hitwise.com/us/press-center/press-releases/facebook-was-the-top-search-term-in-2010-for-sec/ (as of 10 January 2011).

According to Twitter, more than 7,000 tweets per second were published in Japan immediately after the start of the year 2011. In its publication, the company showed strikingly on a map how New Year's tweets were published across the various time zones of the world64.

Malware infections

A malware infection on a major platform is probably the nightmare of every IT security expert. The incidents involving compromised ad servers described in Chapter 3.13 go in this direction: if criminals succeed in compromising the ad servers of major newspapers, a wide impact is guaranteed. The computer worm Koobface, in contrast, specifically targeted users of the social network Facebook, where it infected large numbers of users. Koobface spreads via drive-by infection and via Facebook messages asking recipients to download and execute a file. P2P platforms are often underestimated as an infection vector: alongside the expected content, films, music or software obtained from P2P networks may also carry trojans or droppers. A further danger arises from the most widely used CMSs such as Drupal or WordPress. A vulnerability in one of these systems (WordPress has already recorded several) would expose hundreds of thousands of websites to attack. Also conceivable would be an attack on the domain name system (DNS) entries of important websites, so that users are served prepared copies of the requested sites in order to infect them65.

Use of personal data

Large companies such as Facebook collect huge amounts of data. Google Street View not only photographed streets for Google's own maps, but also collected data from the wireless networks it passed66. Websites such as Groupon.com compile significant data on their own users, such as geolocation and preferences. Foursquare.com knows exactly who is located where67. On the one hand, this makes it possible to compile a profile of a person and his or her habits from the data held by just a few websites. On the other hand, little is known about the data such companies collect and how they use it. Web users are increasingly willing to hand over their personal data to the largest websites.

The emergence of the giants on the Internet thus leads to numerous questions. These concern the security of data and users, but also the transformation of the Internet. The Internet is increasingly being shaped by groups who earn a lot of money and about whom little or nothing is known.

62 http://www.bittorrent.com/pressreleases/2011/01/03/bittorrent-inc-grows-to-over-100-million-active-monthly-users-massive-user- (as of 10 January 2011).
63 http://buytaert.net/drupal-7.0-released (as of 10 January 2011).
64 http://www.flickr.com/photos/twitteroffice/5330386295/ (as of 10 January 2011).
65 A famous case concerned Twitter at the end of 2009 (http://www.wired.com/threatlevel/2009/12/twitter-hacked-redirected/, as of 10 January 2011). If, in that case, a copy of the Twitter website had been displayed instead of an announcement of the defacement, the attack could have had serious consequences.
66 MELANI Semi-annual report 2010/1, Chapter 4.5, http://www.melani.admin.ch/dokumentation/00123/00124/01119/index.html?lang=en (as of 10 January 2011).
67 http://www.zdnet.com/blog/feeds/foursquares-privacy-loopholes/2607 (as of 10 January 2011).


6 Glossary

This glossary contains all terms in italics in this semi-annual report. A more detailed glossary with more terms can be found at: http://www.melani.admin.ch/glossar/index.html?lang=en.

Ad server Ad servers are employed for the placement and success measurement of Internet advertising. Both the physical server itself on which the ad server software runs as well as the software may be called ad servers.

Application A computer programme that performs a given task. Word processing and internet browsers are examples of applications.

Binary file A binary file is a file that, unlike a pure text file, also contains non-alphanumerical characters. It may thus contain any byte value. Files in binary format tend to be used to store data.

Blog A blog is a diary or journal kept on a website and usually publicly viewable, in which a person – the weblogger or "blogger" – keeps records, documents occurrences or writes down thoughts.

Bluetooth A technology for wireless communication between two terminals and which is mainly used in mobile phones, laptops, PDAs and input devices (e.g. computer mouse).

Bot / Malicious Bot Short for "robot", from the Slavic word “robota” meaning work. Refers to a program that automatically carries out certain actions upon receiving a command. So-called malicious bots allow compromised systems to be controlled remotely and made to carry out arbitrary actions.

Browser Computer programmes mainly used to display Web content. The best-known browsers are Internet Explorer, Opera, Firefox and Safari.

Cloaking Cloaking is a search engine optimization technique in which a different page with the same URL is presented to the search engine's webcrawler than to the user. Cloaking serves to improve the ranking in search engines and indexing.

Cloud computing Cloud computing (synonym: cloud IT) is a term used in information technology (IT). The IT landscape is no longer operated by the organization itself, but obtained as a service from one or more providers. Applications and data are no longer located on a local computer or in corporate computing centres, but in a cloud. These remote systems are accessed via a network.

Computer Emergency Response Team (CERT) CERT (also CSIRT for Computer Security Incident Response Team) refers to a team that coordinates and takes measures relating to IT security incidents.

Content management system (CMS) A content management system (CMS) is a system that makes possible and organizes the joint preparation and processing of content consisting of text and multimedia documents. An author may operate such a system even without programming or HTML knowledge. The information to be displayed is referred to as "content".

Cookie Small text files stored by a web page when viewed on the user’s computer. For example, with the assistance of cookies, user preferences for a web site may be stored. However, cookies can also be abused to compile an extended user profile about one's surfing habits.

Critical Infrastructure Protection / Critical Information Infrastructure Protection (CIIP) Important component in national security policies and defence planning. Generic term for the concepts and strategies to protect critical infrastructures / critical information infrastructures.

(Distributed) Denial of service (DDoS) attack Has the goal of causing a loss of a specific service to its users, or at least of considerably restricting the accessibility of the service. In the distributed form, many systems (usually bots) attack simultaneously.

Digital signature Value computed over data with a private key; with the corresponding public key, anyone can verify that the data originates from the key holder and has not been altered. In a certificate, a digital signature binds a public key to a subject (person or computer).

DNS amplification attack A denial of service attack (DoS) that exploits publicly accessible DNS servers and uses these as amplifiers.

Domain Name System (DNS) With the help of DNS, the Internet and its services can be used in a user-friendly way, because users can use names instead of IP addresses (e.g. www.melani.admin.ch).

Drive-By Infection Infection of a computer with malware simply by visiting a website. Often the websites concerned are reputable sites that have been compromised beforehand for the purpose of spreading the malware. The infection occurs mostly by trying out exploits for vulnerabilities that have not yet been patched on the visitor's computer.

Financial Agent / Moneymule A financial agent works as a legal money broker and thus engages in financial transfers. Recently, this term has been used in connection with illegal financial transactions.

General Packet Radio Service (GPRS) General Packet Radio Service is a packet-oriented service for data transmission used in GSM (mobile communication) networks.

Hidden text Hidden text on websites that cannot be read by human beings, even though it exists. For instance, the font colour may be transparent.


Hypertext Hypertext is text which, with the help of a network-like structure of objects, links information between hypertext nodes using hyperlinks. Hypertext is written in markup languages which, in addition to formatting instructions, also include commands for hyperlinks. The best known is HyperText Markup Language (HTML) for Internet documents.

IP-Address Address to uniquely identify computers on the Internet or on a TCP/IP-network (e.g.: 172.16.54.87).

Jailbreak Jailbreaking is the removal, by means of suitable software, of the restrictions imposed by the manufacturer on Apple's iOS devices, so that software not approved by Apple can be installed and run with elevated privileges. It is distinct from unlocking a device for use with another network operator.

Keyword stuffing Keyword stuffing is considered an unethical method for search engine optimization. Using superfluous and frequently repeated keywords in the meta tags or in the content of the website, an attempt is made to deceive the search engine.

Link farm A link farm is a collection of websites or entire domains on the Web that primarily serve to establish as many hyperlinks as possible to another website.

Malware / Malicious Code Comes from the terms "malicious" and "software". Generic term for software which carries out harmful functions on a computer. This comprises amongst others viruses, worms, Trojan horses.

Network share A network share is a device or information on a computer that can be accessed remotely from another computer via a network.

Nickname A nickname is a (generally short) name used by computer users as a pseudonym in forums and chats.

Open source Open source is a range of licences for software whose source code is publicly available. Further development is encouraged by the licence.

Peer to Peer (P2P) Peer to Peer Network architecture in which those systems involved can carry out similar functions (in contrast to client- server architecture). P2P is often used for exchanging data.

Phishing Fraudsters phish in order to obtain confidential data from unsuspecting Internet users, for example account information for online auction sites (e.g. eBay) or access data for Internet banking. The fraudsters take advantage of their victims' good faith and helpfulness by sending them e-mails with forged sender addresses.

Pop-up A pop-up is a visual element of a computer programme. Elements "pop up" and cover other parts of the programme.

Programmable logic controller (PLC) A programmable logic controller (PLC) is a digitally programmed device used to control or regulate a machine or facility. For some years, it has replaced hardwired control elements in most domains.

Proof of Concept (PoC) Brief, not necessarily complete proof that an idea or method works. For example, exploit code is often published as a PoC in order to underline the effects of a vulnerability.

Resolver Resolvers are simply structured software modules installed on a DNS client that can retrieve information from name servers. Resolvers constitute the interface between application and name server.

Rootkit A collection of programs and technologies which allow unnoticed access to and control of a computer to occur.

SCADA systems Supervisory Control And Data Acquisition systems. Used for monitoring and controlling technical processes (e.g. in energy and water supply).

Scareware Scareware is software designed to scare the user or make the user uncertain. It is an automated form of social engineering. If the victim falls for the trick and believes to be under threat, an offer is often made to the victim to remove the non-existent threat in return for payment. In other cases, the victim is made to believe that an attack has already been successful, causing him or her to perform actions that make the attack possible in the first place.

Secure Sockets Layer (SSL) Protocol that provides secure communication on the Internet. SSL is used today, for instance, in online financial transactions.

Security holes A loophole or bug in hardware or software through which attackers can access a system.

Sidejacking When a session is sidejacked, the attacker reads the network traffic between two parties in order to steal the session cookie.

Smartphones A smartphone is a mobile phone that offers more computer functionality and connectivity than a standard advanced mobile phone.

Social engineering Social engineering attacks take advantage of people's helpfulness, credulity or lack of self confidence in order to gain access to confidential data or to prompt them to perform certain actions, for example.

Three-way handshake A three-way handshake is a method for establishing loss-free data transmission between two instances. Although predominantly used in network technology, three-way handshakes are not restricted to that field.

Toolbar A graphical bar in a computer programme on which buttons, symbols, menus and other elements are placed.


Top-Level-Domains (TLD) Every name of a domain on the Internet consists of a sequence of character strings separated by periods. The term "top level domain" refers to the last name in this sequence, constituting the highest level of the name resolution. If the full domain name of a computer or website is de.example.com, for instance, the right-most member of the sequence (com) is the top level domain of this name.

Transmission Control Protocol / Internet Protocol (TCP/IP) TCP/IP is a family of network protocols which, due to its great importance for the Internet, is also called the Internet protocol family.

Trojan horses Trojan horses (often referred to as Trojans) are programs that covertly perform harmful actions while disguised as a useful application or file.

Two-factor authentication For this, at least two of the following three authentication factors are required:

1. Something you know (e.g. password, PIN, etc.)
2. Something you have (e.g. a certificate, token, list of codes, etc.)
3. Something you are (e.g. fingerprint, retina scan, voice recognition, etc.)

Universal Serial Bus (USB) Universal Serial Bus (with a corresponding interface) which enables peripheral devices such as a keyboard, a mouse, an external data carrier, a printer, etc. to be connected. The computer does not have to be switched off when a USB device is unplugged or plugged in. New devices are for the most part automatically identified and configured (depending on the operating system).

USB Memory Stick Small high capacity data storage devices, connected to a computer via the USB interface.

Virus A self-replicating computer program with harmful functions that attaches itself to a host program or host file in order to spread.

Web 2.0 Web 2.0 is a slogan referring to a number of interactive and collaborative elements on the Internet and especially the World Wide Web. Drawing on the version numbers of software products, the term postulates a new generation of the Web, distinguishing it from earlier types of use.

WLAN WLAN stands for Wireless Local Area Network.

Worm Unlike viruses, worms do not require a host program in order to propagate. Instead, they use vulnerabilities or configuration errors in operating systems or applications to spread by themselves from one computer to another.


7 Appendix

7.1 DDoS – Analysis of an increasingly frequent phenomenon

The objective of a denial-of-service (DoS) attack is to make a specific service unavailable to its users, or at least to substantially curtail the availability of the service. A "distributed" denial-of-service (DDoS) attack occurs when a victim is attacked by many different systems simultaneously and in a coordinated manner. The attacking systems are usually infected computers organized within a botnet. Chapter 5.2 discussed the motivations behind a DDoS attack. This chapter takes a more detailed look at the technology behind such attacks and at the main tools employed to limit the damage they cause.

DoS attacks – methods and functionality

In general, two types of DoS attacks can be distinguished. One type aims to bring a system down by exhausting its processing and memory resources (protocol-based and application-based attacks). The other type tries to saturate the network link with (junk) requests so that legitimate traffic is impeded (flood-based attacks). According to Arbor Networks, 45% of the attacks identified in 2009 were flood-based and 49% application-based.68

In the case of application-based or protocol-based attacks, the following techniques are used among others:

SYN flood attack A SYN flood attack abuses the process of establishing a TCP connection, the handshake. To establish a connection, for instance in order to request a website from a server, the client sends a "SYN" segment to the server. The server responds with "SYN-ACK", which is normally followed by the client's "ACK"; at that point the connection is established69. The two parties thus perform a "three-way handshake". If the client never completes the handshake with an ACK, the server keeps waiting for it and holds the half-open connection in memory. A DoS attack occurs when an attacker sends thousands of SYNs without ever completing the connection with an ACK: the server must reserve memory for every half-open connection until its backlog is full and it can no longer accept even legitimate requests.
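The classic defence against exactly this memory exhaustion, shown here as an added example that is not part of the report, is the SYN cookie: the server encodes the state it would otherwise have to store into the initial sequence number of its SYN-ACK, and only allocates a connection once a client echoes a valid cookie back (as ack - 1) in the final ACK. The Python below follows the widely used layout (a 5-bit coarse time counter, a 3-bit MSS index and a 24-bit keyed hash over the connection 4-tuple); the secret, the counter period and the addresses are assumptions for the demo.

```python
"""Illustrative SYN cookies: no per-connection state for half-open connections.

Added example, not MELANI's code. Layout: 5 bits time counter | 3 bits MSS
index | 24 bits keyed hash over (saddr, daddr, sport, dport, counter).
"""
import hashlib
import hmac
import socket
import struct

SECRET = b"per-boot-random-secret"      # assumption: random per boot, never reused
MSS_TABLE = (536, 1220, 1440, 1460)     # 3-bit index selects the MSS to remember
COUNTER_PERIOD = 64                     # seconds per tick of the 5-bit counter (assumption)


def _mac24(saddr, daddr, sport, dport, count):
    """24-bit keyed MAC over the 4-tuple and the counter value."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """Return the 32-bit ISN to send in the SYN-ACK instead of allocating a backlog entry."""
    count = int(now // COUNTER_PERIOD)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, count)


def check_cookie(saddr, daddr, sport, dport, cookie, now):
    """Validate an echoed cookie. Returns the remembered MSS, or None if the cookie
    is forged, belongs to another 4-tuple, or is older than one counter period
    (so a replayed ACK cannot keep opening connections)."""
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    now_count = int(now // COUNTER_PERIOD)
    age = (now_count - t) & 0x1F               # wrapped 5-bit distance in ticks
    if age > 1:
        return None
    count = now_count - age                    # reconstruct the counter used at issue time
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, count):
        return None
    return MSS_TABLE[mss_idx]


def handle_final_ack(saddr, daddr, sport, dport, ack_number, now):
    """Server side: the ACK is only honoured if (ack - 1) is a valid cookie."""
    return check_cookie(saddr, daddr, sport, dport, (ack_number - 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    isn = make_cookie("203.0.113.5", "198.51.100.7", 40000, 80, 1460, 1000.0)
    print(hex(isn), handle_final_ack("203.0.113.5", "198.51.100.7", 40000, 80, isn + 1, 1005.0))
```

The price of the scheme is that options not encoded in the cookie (window scaling, SACK) are lost for connections accepted this way, which is why real stacks only switch to cookies once the backlog is under pressure.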

Process flooding That even modest network resources suffice to disable a web server is shown by the following approach, which works for instance against the web servers Apache 1.x and 2.x. Every time a website is requested, a process is started on the web server which remains occupied until the request has been completely served. If an attacker opens as many connections as possible and keeps each of them open as long as possible (for instance by sending the request headers very slowly), at some point the maximum permitted number of parallel processes is reached, no further requests can be accepted, and the site becomes unavailable.70 This approach is particularly attractive since it needs little bandwidth. Moreover, ready-made, easy-to-use programmes such as Slowloris that carry out this kind of attack (also via proxy or gateway) are available on the Internet71.

68 “Worldwide Infrastructure Security Report”, Arbor Networks 2009, http://www.arbornetworks.com/dmdocuments/ISR2009_EN.pdf (as of 10 January 2011).
69 We have simplified the connection establishment. "Computer Networks" by Andrew S. Tanenbaum is a recommended and interesting read.

Ping of death and Smurf attacks A well-known technique is the "ping of death", in which a malformed (oversized) ping packet72 is sent. In a Smurf attack, the attacker sends pings (ICMP echo requests) to the broadcast address of a network with the source address spoofed to that of the victim. If the router forwards such directed broadcasts into the network, every connected computer replies to the victim. Routers permitting this behaviour are also called Smurf amplifiers. Depending on the number of computers in the affected network, a single request can thus be amplified by several orders of magnitude. Since most routers today drop directed broadcasts by default, the technique has largely lost its effect.

Application attack Another type of attack targets functions on web servers that require many resources. This is true, for instance, of a site's search function or of content management systems (CMS) such as WordPress or Drupal, which generate each page at the time it is requested (unlike static pages, which are simply read from disk). An attack on such functions is considerably more effective per request.

In flood-based attacks, the requests are sent from many different computers (generally infected computers belonging to a botnet; others are deliberately employed with the specific goal of carrying out an attack). The requests use up the entire bandwidth of the server's network link, so that the server can no longer deliver the page or the requested service. How effective this type of attack is depends on the bandwidth available to the server. In general, it is assumed that a larger botnet is capable of larger attacks. However, there are various techniques for amplifying such an attack, so that even small or medium-sized botnets can be used for large attacks.

DNS-based attacks A DNS query can be answered in three different ways:
• authoritative: the server answers from its local zone file
• recursive: the server obtains the data from other name servers on the client's behalf
• iterative: the server responds with a referral to a different name server
In the recursive case, the resolver sends a recursive query to the name server assigned to it. If that name server does not have the requested information in its own data, it contacts further servers until it receives either a positive response or a negative response from an authoritative server. A recursive name server should only accept queries from local or authorized clients. In practice, however, many DNS servers accept queries from any source; these are called open resolvers73. In an attack, queries are sent to such open resolvers with the victim's address as the source address. The victim is consequently flooded with DNS responses it never requested. Only the IP address of the name server is visible, not that of the attacker, and this anonymization makes an effective defence more difficult.

70 http://www.securityfocus.com/archive/1/456339/30/0/threaded (as of 10 January 2011).
71 http://vimeo.com/7618090 (as of 10 January 2011).
72 http://insecure.org/sploits/ping-o-death.html (as of 10 January 2011).
73 The text by Randal Vaughn and Gadi Evron on “DNS Amplification Attacks” is certainly an interesting read: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf (as of 10 January 2011).

A technique used to amplify this attack is called DNS amplification. In certain cases, name servers respond to short query packets with very long packets: a 60-byte query may provoke a response of more than 4,000 bytes, an amplification factor of more than 65. The large responses are also fragmented at IP level, which costs the victim additional processing. Only the DNS extension EDNS has made this type of attack practicable, since previously a DNS message over UDP was limited to 512 bytes (which corresponds to an amplification factor of less than 10). A somewhat dated survey (2005)74 showed that 75% of externally reachable name servers accept queries from arbitrary sources and thus permit cache poisoning attacks75 or DoS attacks.

An amplification effect can also be achieved by abusing P2P networks. In such cases, the victim's server is announced as the only source of a popular file (film, album or the like), so that the users of the P2P network all request the file from that IP address. Several researchers have studied this issue76.

It can also be observed that attacks carried out by botnets are becoming more efficient. For instance, attackers no longer use all the computers in the botnet at the same time. A stronger and longer-lasting effect is achieved by randomly using machines with modest traffic that belong to different subgroups of the botnet (different providers, different geographical regions). This delays the victim's filtering of attacking IP addresses.

DoS attacks – countermeasures

Recently, the CERT of the Dutch government published a document listing several useful measures for protection against DoS attacks77. The first point is not technical but concerns corporate communication: what a company communicates, and how, is indisputably a crucial factor. A communication strategy may serve as a first measure against DoS attacks, but may equally trigger one. This was clearly seen in the case of PostFinance in December 2010: the announcement that Julian Assange's account had been blocked provoked a reaction by the Anonymous movement in the form of a DDoS attack. The risks and consequences of a public communication must therefore be assessed in advance.

Technical measures can be taken at the network entry point or directly at the provider:

Analyze the traffic carefully. This is a first step towards understanding what traffic reaches the servers, from which it can be determined what needs to be filtered out. The most frequently used applications for analyzing NetFlow data include the open source tools NFSen78 and NFDump79.
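As an added example (not from the report, nor from the NFSen/NFDump projects), the following Python applies this kind of analysis to flow records and flags the two patterns described above: a host receiving large, unsolicited responses from many name servers (DNS amplification) and a host receiving bare SYNs from many sources (SYN flood). The records are constructed inline in nfdump's default line layout; the column order assumed is first-seen, duration, protocol, src:port -> dst:port, TCP flags in UAPRSF order, packets, bytes, flows, and the thresholds are assumptions to be tuned to the site's normal traffic.

```python
"""Spotting DNS amplification and SYN floods in flow records.

Added example, not from MELANI or nfdump. SAMPLE_FLOWS is constructed here;
real input would be the line output of `nfdump -r <file>`.
"""
import re
from collections import defaultdict

SAMPLE_FLOWS = """\
2010-12-08 10:23:11.101     0.000 UDP     198.51.100.10:53    ->   203.0.113.5:33211   ......     1     4052     1
2010-12-08 10:23:11.102     0.000 UDP     198.51.100.11:53    ->   203.0.113.5:33211   ......     1     3980     1
2010-12-08 10:23:11.103     0.000 UDP     198.51.100.12:53    ->   203.0.113.5:33211   ......     1     4100     1
2010-12-08 10:23:11.104     0.000 UDP     198.51.100.13:53    ->   203.0.113.5:33211   ......     1     4060     1
2010-12-08 10:23:11.150     0.003 UDP     203.0.113.20:41234  ->   192.0.2.53:53       ......     1       71     1
2010-12-08 10:23:11.153     0.000 UDP     192.0.2.53:53       ->   203.0.113.20:41234  ......     1      212     1
2010-12-08 10:23:12.001     0.000 TCP     192.0.2.10:51000    ->   203.0.113.8:80      ....S.     1       60     1
2010-12-08 10:23:12.002     0.000 TCP     192.0.2.11:51001    ->   203.0.113.8:80      ....S.     1       60     1
2010-12-08 10:23:12.003     0.000 TCP     192.0.2.12:51002    ->   203.0.113.8:80      ....S.     1       60     1
2010-12-08 10:23:12.004     0.000 TCP     192.0.2.13:51003    ->   203.0.113.8:80      ....S.     1       60     1
2010-12-08 10:23:12.500     1.200 TCP     192.0.2.99:52000    ->   203.0.113.8:80      .AP.SF     9     1500     1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>[UAPRSF.]{6})\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)


def parse_flows(text):
    """Parse nfdump-style lines; header and summary lines simply do not match."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        for key in ("sport", "dport", "pkts", "bytes", "flows"):
            f[key] = int(f[key])
        f["dur"] = float(f["dur"])
        flows.append(f)
    return flows


def detect(flows, min_sources=4, amp_bytes_per_pkt=1000):
    """Return sorted findings: (kind, target, distinct_sources, avg_bytes_per_packet)."""
    # Outbound DNS queries we saw: (client, client_port, resolver). A response is
    # solicited only if that client asked that resolver from that port.
    queries = {(f["src"], f["sport"], f["dst"])
               for f in flows if f["proto"] == "UDP" and f["dport"] == 53}
    dns = defaultdict(lambda: {"srcs": set(), "pkts": 0, "bytes": 0})
    syn = defaultdict(set)
    for f in flows:
        if f["proto"] == "UDP" and f["sport"] == 53:
            if (f["dst"], f["dport"], f["src"]) in queries:
                continue                        # legitimate answer, ignore
            a = dns[f["dst"]]
            a["srcs"].add(f["src"])
            a["pkts"] += f["pkts"]
            a["bytes"] += f["bytes"]
        elif f["proto"] == "TCP" and f["flags"][4] == "S" and f["flags"][1] == ".":
            syn[(f["dst"], f["dport"])].add(f["src"])   # SYN without ACK: half-open attempt
    findings = []
    for dst, a in dns.items():
        bpp = a["bytes"] / a["pkts"]
        if len(a["srcs"]) >= min_sources and bpp >= amp_bytes_per_pkt:
            findings.append(("dns_amplification", dst, len(a["srcs"]), round(bpp)))
    for (dst, port), srcs in syn.items():
        if len(srcs) >= min_sources:
            findings.append(("syn_flood", "%s:%d" % (dst, port), len(srcs), 0))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(parse_flows(SAMPLE_FLOWS)):
        print(*finding)
```

The unsolicited-response check is what separates amplification traffic from a busy but healthy resolver client; with only a byte-per-packet threshold, a host doing large legitimate DNSSEC lookups would trip the rule.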

74 http://dns.measurement-factory.com/surveys/sum1.html (as of 10 January 2011).
75 See Chapter 7.3 of the MELANI 2008/2 report: http://www.melani.admin.ch/dokumentation/00123/00124/01085/index.html?lang=en (as of 10 January 2011).
76 http://www.pank4j.com/research/p2pddos.pdf (as of 10 January 2011) and http://ieeexplore.ieee.org/Xplore/login.jsp?url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F5254891%2F5273826%2F05273837.pdf%3Farnumber%3D5273837&authDecision=-203 (as of 10 January 2011).
77 http://www.govcert.nl/english/service-provision/knowledge-and-publications/factsheets/protect-your-online-services-against-ddos-attacks.html (as of 10 January 2011).
78 http://nfsen.sourceforge.net/ (as of 10 January 2011).
79 http://nfdump.sourceforge.net (as of 10 January 2011).


Packet filtering and request limits: Identify80 and filter out malicious packets so that the server only responds to legitimate requests. Limit the number of requests per source IP per unit of time, so that a single bot cannot generate hundreds of requests per second.
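Both measures, as an added example in Python that is not the report's own: a signature filter that drops packets carrying the marker string from footnote 80 and a sliding-window limit on accepted requests per source address. The request stream is constructed inline; the addresses, the limit of 20 requests per second and the payloads are assumptions for the demo. In practice the same logic lives in a packet filter or reverse proxy in front of the server, not in the application.

```python
"""Signature filtering plus per-IP sliding-window rate limiting.

Added example, not MELANI's or any vendor's code. Requests are constructed
inline; the signature is the LOIC payload marker cited by the report.
"""
from collections import Counter, defaultdict, deque

BLOCK_STRINGS = (b"wikileaks.org",)     # known attack-tool payload marker


class PerIpLimiter:
    """Sliding window: at most `limit` accepted requests per `window` seconds and source IP."""

    def __init__(self, limit=20, window=1.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)    # ip -> timestamps of accepted requests

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:   # expire entries that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def filter_requests(requests, limit=20, window=1.0):
    """Return (timestamp, ip, verdict) per request. Signature drops consume no quota."""
    limiter = PerIpLimiter(limit, window)
    verdicts = []
    for ts, ip, payload in requests:
        if any(sig in payload for sig in BLOCK_STRINGS):
            verdicts.append((ts, ip, "drop:signature"))
        elif not limiter.allow(ip, ts):
            verdicts.append((ts, ip, "drop:ratelimit"))
        else:
            verdicts.append((ts, ip, "accept"))
    return verdicts


def summarize(verdicts):
    """Count verdicts, e.g. for a quick sanity check of the thresholds."""
    return Counter(v for _, _, v in verdicts)


def constructed_requests():
    """Constructed sample: one bot hammering, one LOIC packet, one normal visitor."""
    bot = [(i * 0.01, "192.0.2.7", b"GET / HTTP/1.1\r\nHost: www.example.ch\r\n\r\n")
           for i in range(25)]
    loic = [(0.055, "198.51.100.3", b"wikileaks.org")]
    human = [(0.5, "203.0.113.9", b"GET /news HTTP/1.1\r\nHost: www.example.ch\r\n\r\n")]
    return sorted(bot + loic + human)


if __name__ == "__main__":
    print(summarize(filter_requests(constructed_requests())))
```

A per-IP limit is only a partial answer to a botnet, where each bot may stay under the threshold; it does stop the single-host and small-scale cases the report describes, and the deque keeps memory bounded by the number of active sources times the limit.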

Scrubbing: Operate a complex, distributed server infrastructure that can absorb traffic peaks and passes only cleaned traffic on to the servers. Alternatively, CDN (content delivery network) services such as Akamai can be used81.

Use load balancing and caches. Use different servers that are connected to several networks (several providers) and that divide up the incoming traffic. Additionally, the cache function of reverse proxy servers such as nginx82 or squid83 can be used.

Use dynamic rerouting. With this method, a null route (black hole route) is installed for the attacked address, so that the routers discard all traffic destined for it; the flood no longer reaches the server, although the address becomes unreachable for legitimate users as well.

Allow only traffic permitted by the protocol. If the legitimate requests to a web server are TCP:80 and TCP:443, then UDP traffic to those ports (e.g. UDP:80) can be blocked, since HTTP does not use UDP.

Ask the provider whether solutions such as IDMS84 or RTBH (Remotely Triggered Black Hole85) are available to defend against the DoS attack.

80 The attack by Anonymous against various targets used the tool LOIC (Low Orbit Ion Cannon). This tool sent the string “wikileaks.org” as the payload of its TCP and UDP packets, which made it possible to set up filtering rules.
81 http://www.akamai.com (as of 10 January 2011).
82 http://nginx.net/ (as of 10 January 2011).
83 http://www.squid-cache.org/ (as of 10 January 2011).
84 http://www.arbornetworks.com/en/docman/the-growing-need-for-intelligent-ddos-mitigation-systems/download.html (as of 10 January 2011).
85 http://www.google.ch/url?sa=t&source=web&cd=1&sqi=2&ved=0CBcQFjAA&url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Fiosswrel%2Fps6537%2Fps6586%2Fps6642%2Fprod_white_paper0900aecd80313fac.pdf&rct=j&q=remotely%20triggered%20black%20hole&ei=1iMwTZPZO4ztsgbq8P2lCg&usg=AFQjCNEZ-kPQ3RiLBBecuEFuKAQ2fQO4OQ&cad=rja (as of 10 January 2011).