
Posts Tagged ‘Iran’

A commenter over at the Small Wars Council thought my theory about the possible motive of the Iranian Metasploit hijinks would make for a good movie–but, I assume, not the most credible analysis.  First, typing commands into msfconsole is a little hard to dramatize on screen. About the closest we’ve come to making the command line sexy was having Trinity from The Matrix run an nmap scan and a fictitious SSH exploit, and Trinity did it wearing a leather outfit (see article and YouTube clip*). The real perpetrator may be doing it unshaven and in a bathrobe. At least, that’s how I do my best work. Secondly, I am, like, so totally serious about my theory of someone more interested in disrupting intelligence agencies than Iran’s nuclear program.  Here’s why:

There are certainly credible reasons why a professional intelligence agency would bang away in Iranian networks with Metasploit. If the Iranians are shutting down key parts of their network (I don’t know how vital the automation bits mentioned in Mikko’s piece are) to do forensics to figure out how the attacker is getting in, maybe blasting “Thunderstruck” is the next best thing to some fancy exploit to ruin centrifuges. Or, perhaps, some group who wants to disrupt Iran’s nuclear program is flooding them with garbage attacks to overwhelm the Iranians’ attempts to analyze their more ‘long-term,’ targeted malware. That analysis takes time and personnel who are in short supply even in the U.S. Think of it, to borrow a phrase from one of my brilliant friends, Federico Rosario, as “a DoS attack on skilled personnel.” Others have mentioned playing “Thunderstruck” as a kind of psychological warfare aimed at undermining trust in Iranian infrastructure.

However, these types of attacks seem every bit as likely to disrupt professional intelligence agencies’ access as to help them in some way. I am also unimpressed with the PSYOPS theory, because (1) this has already been accomplished via previous malware and (2) announcing one’s presence contradicts the IC’s modus operandi of discreetly collecting information and disrupting systems.  That’s why I think there is another motive at work here. The reported worm and the Metasploit hijinks may even be the work of two separate actors.

* – Funny enough, that little 1:09 clip dramatizes pretty much every policy maker’s fear of an infrastructure attack on the US

Read Full Post »

As I tweeted a day ago, Mikko Hypponen had an interesting blog post in which he discusses an email from a scientist working at the Atomic Energy Organization of Iran.  The details are a little unclear, but the claim is that some mix of a worm, Metasploit, and hacked computers blasting AC/DC at all hours of the night has been disrupting two nuclear facilities within Iran.  The AC/DC bit–“Thunderstruck,” as a matter of fact–has attracted the most attention.

It is hard to get a clear picture of what is going on, because there are really two separate issues:  this worm and the possible use of Metasploit. Metasploit, of course, is not a virus; it’s an exploitation framework. Download it here if you’re curious. HD Moore, Metasploit’s creator, tweeted:

“definitely a confused individual, Metasploit isn’t a worm and doesn’t ship with AC/DC’s Thunderstruck :)” (source)

However, you can indeed load an MP3 with Metasploit.  Moore explained:

“you can do it today (msf> load sounds) & copy mp3” (source)

If the e-mail to Mikko Hypponen is truthful and accurate, this strikes me as the act of an amateur–not a state, much less the US. Moreover, the fact that there is no effort to be covert makes me think this is a grand middle finger to US and other intelligence agencies. It is as if the perpetrator is saying, “You developed malware and cryptographic attacks over the course of years to penetrate computers relevant to the Iranian nuclear program; I did it by downloading an app freely available to anyone.” They probably even used a commonly available exploit, too. I can’t see someone burning a 0-day to blast “Thunderstruck” at some Iranian engineers just for, as the kids say, “the lulz.”

If I had to ‘profile’ the perpetrator, I would suggest a lone male with a grudge or grievance with one or more US intelligence agencies (perhaps a past applicant). If there is a political motive, I would suggest someone affiliated with Anonymous or other like-minded group who might think disrupting Iranian networks would mean disrupting any ongoing US intelligence operation. Either way, the objective in my view is disrupting or discrediting US efforts rather than Iran’s nuclear program. That’s pure speculation, but that is the impression I get.

Read Full Post »

Craig Labovitz from Security to the Core has some interesting observations on the Iranian firewall. I was most interested in what traffic isn’t filtered:

While the rapidly evolving Iranian firewall has blocked web, video and most forms of interactive communication, not all Internet applications appear impacted. Interestingly, game protocols like xbox and World of Warcraft show little evidence of government manipulation.

Perhaps games provide a possible source of covert channels (e.g. “Bring your elves to the castle on the island of Azeroth and we’ll plan the next Ahmadinejad protest rally?”)

Of course, World of Warcraft has not escaped the scrutiny of the ODNI and others in the United States. For commentary, see these posts at Danger Room (here and here) and Schneier on Security.

Check out Arbor Network’s “Security to the Core” for more.

Read Full Post »

This is from Jose Nazario of Arbor Networks:

The Democratic Voice of Burma is once again under DDoS. This one has been seen before, and it’s unfortunate that it’s happening again. I’ve been digging for information and hope to have some to share soon. At present I don’t have anything I can share.

The second bit of political hacking is reports that defacements have shut down Iranian clerics’ Web sites. I don’t see any DDoS activity around this yet but we are seeing some defacements, some apparently on sites that run buggy OSS codebases, so it’s not surprising that they got owned.

Read Full Post »

BBC News reports that a record number of bloggers were arrested in 2007 according to the University of Washington’s World Information Access (WIA) report:

Since 2003, 64 people have been arrested for publishing their views on a blog, says the University of Washington annual report.

In 2007 three times as many people were arrested for blogging about political issues than in 2006, it revealed.

More than half of all the arrests since 2003 have been made in China, Egypt and Iran, said the report.

In many cases, bloggers faced significant jail time. The average prison sentence for blogging was 15 months, and the longest sentence in the report was eight years.

Read Full Post »