Cyber wrap
19 Aug 2015

The release of the personal information of 1,500 people by the Islamic State (IS) Hacking Division was one of the more prominent cyber stories this week. IS claimed it had hacked sensitive databases to obtain the names, email addresses, passwords and telephone numbers of these individuals, mostly US Defense personnel, and posted them on Twitter in the hope of encouraging ‘lone wolf’ attacks. Interestingly, the online ‘hit list’ included the details of eight Australians, including ADF personnel and a Victorian MP. However, doubt has been cast over the legitimacy of the hack, with military officials stating that the passwords and emails don’t satisfy military security requirements. Instead, it’s suspected the list was collated from open-source information and previous hacks, casting further doubt on IS’s cyber expertise.

Saudi Arabia became the victim of a more legitimate hacking incident on Friday; however, its perpetrators appear to have had ‘good intentions’. Around 24 Saudi government websites were taken down by a group called ‘Cyber Emotion’ in an attack that lasted several hours. They claim the hack was a response to the government ignoring the group’s previous warnings over the Kingdom’s poor cyber security. Cyber Emotion temporarily took over educational, municipal and health-related websites, leading visitors to a page that warned ‘had it been hacked by enemies, your personal information, emails and registration data would have been compromised’. This should be an important lesson for Saudi officials, who were the victims of ‘the biggest hack in history’, when malware brought down 35,000 computers at the state-owned Saudi Aramco oil company in 2012.

Last week, India and the US completed their formal Cyber Dialogue at the US State Department in Washington DC. Discussions took place between US Cybersecurity Coordinator Michael Daniel and India’s Deputy National Security Advisor Arvind Gupta. They addressed a broad range of issues including threat assessment, information sharing and incident management. In the process, the pair identified the potential for increased collaboration in capacity building, combating cybercrime and internet governance. In addition to government-to-government discussions, the delegations also addressed the connection between cyber security and the digital economy with representatives from the private sector. India’s ascent as one of Washington’s top cyber allies is significant by virtue of its strategic weight when compared with the US’s key cyber challengers such as China, Russia, and Iran. This bilateral dialogue was the fourth in the series, with the next round announced to take place in Delhi in 2016.

A study by City University London scholars, released last week, reveals that the BitTorrent protocol is vulnerable to Distributed Reflective Denial of Service (DRDoS) attacks. The paper, P2P File-Sharing in Hell, explains how common file-sharing protocols can be used to amplify a cyber-attack’s impact. Popular BitTorrent clients, such as uTorrent and Vuze, boast millions of users, but rely on the User Datagram Protocol (UDP), which lacks address-spoofing defences. As a result, a malicious actor can send traffic to fellow file-sharers, having replaced their own sender IP address with the ‘spoofed’ address of a target computer, so that the nefarious message is significantly amplified before being ‘reflected’ onto a victim. Thus, while traditional Distributed Denial of Service attacks require hackers to have already compromised a cohort of ‘zombie’ computers, this vulnerability facilitates attacks of similar scale without the preliminary work. Instead, a would-be hacker has access to a ready-made group of vulnerable ‘reflectors’. This exploit offers an attacker substantial benefits, including protected anonymity and traffic amplified by up to 120-fold.

Hillary Clinton has handed over her personal email server, as well as a USB containing copies of the emails that she already provided to the FBI in December 2014. This is in response to the uproar surrounding allegations that she had used a private computer to handle classified information during her time as Secretary of State. Last week, the intelligence community’s Inspector General informed Congress that several violations of security policy had been found in Clinton’s personal computer. Intelligence officials have only assessed 20% of the 30,000 emails provided, over 300 of which have been flagged as potentially containing confidential information. This investigation has a long way to go, and the impact it will have on Clinton’s presidential aspirations remains to be seen.