
financial institution of security testing team.
Um, so this is one of my favorites. It's from the top of all kinds of war out, because he says it's all about control. This was 30 years ago: hacks from the last 30 years, and almost all of them are related to something in the information, something from the CIA, confidentiality. Um, so yeah.

Instructor talk out organiz, but if there are any questions, feel free to shout them out as we cover them. As mentioned, about the hacks: the known technical details. These are all from publicly released information. So, other information that might be related might not have been released, and might have made for some different information. The controls that I'm going to go over are security controls that could have prevented the attack, as well as maybe some controls that have been implemented since then. Attacks are varied, and their effects upon us are also varied. This is going to be political, economic and social. With political, there's some fuzziness there. Governmental could be regulatory bodies, standards bodies. Economic: micro issues, macro, maybe a specific industry, which might be more macro, or maybe a specific organization, which might be micro. And various social events. This itself as a whole is largely the apparent take on the movies that made us. We all have seen that, and that kind of did the same thing: those cultural effects that are from those specific ones.

We're going to go through these hacks. The first hack is AOHell. This was basically used to annoy others, a tool
set with it: mail bomb, phishing, other types of social engineering. It was initially released in 1994; the last version was released in 1995, and there were various betas that were released as well. The initial set was a bunch of macros. Later versions, like version three, were written in and it was largely shaped by the factors within the environment of the mid-'90s: large quantities of non-technical people going online with AOL, and as a result people released tools like AOHell. The account creator, and the Fisher, which was the phishing component of this tool that could be used to attack these types of users. At the time, AOL was a service that was paid by the hour. Their usage was paid by the hour; in later years they moved to an unlimited model of just buying service monthly, but at the time they were using a billing model that paid by the hour.

So one of these tools, the way it worked was it enumerated all the window handles and sent messages to hide those. At the time, if you went to a feature within AOL that was free, such as billing, where you want to see your bill and see how you were charged for your hourly usage, the tool would hide all those other windows and bring up the billing window, and then AOL did not account for the time you spent in that window. So you didn't get charged for that. Well, the way this worked was it basically hid all those other windows, and AOL thought you were still looking at your billing for 20 hours.

Another feature of this tool set is the fake account creator. At the time, AOL was only validating the credit card number check. So, if you don't know, there are algorithms that are used to create credit card numbers, and specific types of card numbers, Visa, American Express, Mastercard, have a certain configuration or algorithm that can be used to create a valid number that can be validated by their check. However, they weren't validating that that credit card number was actually assigned to a user who would be billed. So what this tool did was it created all the info you needed to sign up for an account, pre-filled that info, and allowed you to set it up. Those accounts were usually good for anywhere from 10 to 30 days, based on the billing cycle and how long it took to realize, hey, we're not going to pay.

Lastly, one of the features of this tool set was the Fisher. This was a tool that allowed you to mass IM rooms, these chat rooms, which were some of the first chat rooms in the early to mid-'90s that masses of folks joined. You could message these rooms with some sort of pretext. There were suggestions to read, such as: you say you're an AOL staff member and you need the user's credit card number to assist with their account, or their password. It saves these responses to a file on the disk that you can review later, or grep through for those actual passwords or credit cards.

So what controls could prevent this? Well, for the free tool, a control that ensured the time frame started with usage. You still see the same type of tactic, I guess, used in attacks on web apps today where you bypass monetization, right? If there was a control set up where you weren't able to bypass it, that would stop it. For the fake account creator: verify the credit card numbers that are actually active and valid with the credit card companies' processor, which is essentially what they ended up doing to combat this issue. And user education; it's always a great solution for phishing, making sure users are aware of who should be contacting them or not contacting them. Detective controls: alerting on significant variations between logon time and free time. So again, if you spend 20 hours in a month on AOL and 19 and a half of those hours are in the free billing area, that's an issue. Most legitimate users are not going to spend approximately 95% of their time in the free area.

How did it change us? There were very few, if any, political effects. Economic effects were unknown. Obviously AOL lost some revenue. They had to pay to fix some of these issues, but that was never accomplished. The biggest thing is that this is the first documented use of phishing, P-H. I don't know if you noticed in the screenshot of the tool, some of it referred to it with an F, some with PH; this one shows it with PH. This is the first documented use of phishing.
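The two AOHell controls just described, the issuer check behind the fake account creator and the free-area alert, as an added example that is not part of the talk or of AOL's systems; the card numbers, the issuer table and the session records are constructed, and the 95% cutoff is taken from the talk as an assumed tuning value:

```python
"""Added example (not from the talk or from AOL): the two AOHell-era controls
described above, the fake-account-creator check and the free-area alert.
All card numbers, the issuer table and the session records are constructed."""
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) checksum, the only check AOL applied to card numbers in 1994.
    Passing it proves the digits are well-formed, not that any issuer assigned them."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed stand-in for the issuer/processor lookup AOL later added.
# A real system sends an authorization request to the card processor instead.
ISSUED_CARDS = {"4111111111111111"}


def card_accepted(number: str) -> tuple[bool, str]:
    """Preventive control: checksum AND issuer verification must both pass."""
    clean = number.replace(" ", "").replace("-", "")
    if not luhn_valid(clean):
        return False, "checksum failed"
    if clean not in ISSUED_CARDS:
        # This is where generated numbers from the fake account creator land.
        return False, "checksum passed but issuer has no record of this card"
    return True, "ok"


@dataclass
class Session:
    """One billed interval of a user's connection, as a metering log would record it."""
    user: str
    area: str      # "free" (e.g. the billing screen) or "paid"
    minutes: int


def free_area_ratio(sessions: list[Session], user: str) -> float:
    """Share of a user's connected time spent in free (unbilled) areas."""
    total = sum(s.minutes for s in sessions if s.user == user)
    free = sum(s.minutes for s in sessions if s.user == user and s.area == "free")
    return free / total if total else 0.0


def flag_free_area_abuse(sessions: list[Session], threshold: float = 0.95) -> list[str]:
    """Detective control: users whose free-area share is at or above the threshold.
    The talk's example (19.5 of 20 hours on the billing screen) is 97.5%; the
    cutoff is the ~95% figure from the talk and is an assumed tuning parameter."""
    users = {s.user for s in sessions}
    return sorted(u for u in users if free_area_ratio(sessions, u) >= threshold)


# Constructed monthly metering records for two users.
SAMPLE_SESSIONS = [
    Session("alice", "paid", 90),
    Session("alice", "free", 5),
    Session("mallory", "free", 19 * 60 + 30),   # 19.5 hours parked on the billing screen
    Session("mallory", "paid", 30),
]

if __name__ == "__main__":
    print(card_accepted("4111111111111111"))     # issued card: accepted
    print(card_accepted("4012888888881881"))     # Luhn-valid but never issued: rejected
    print(flag_free_area_abuse(SAMPLE_SESSIONS))  # ['mallory']
```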
Fast forward to 2000: we have the ILOVEYOU virus. This spread by an email message that had it attached; it was a script, a Visual Basic script. You ran the script, it did lots of damage. It overwrote random Office files, image files, hid all your MP3 files, which was thousands, a bunch of them. And it then copied itself into email messages that were sent to all the contacts in the address book. It affected Outlook and targeted Windows systems. At that time, Windows was 95% of the desktop market share. So they had 95% of desktop market share, and Outlook was widely used. The default configuration hid file extensions for known file types. And so what would happen is users would get this email with the attachment, which was love letter or some variation of that, .txt.vbs, and all they saw was the .txt, in order to try and get the user to click on it thinking it was a text file. It was a script file that could execute, and it spread that way.

There had been other notable worms prior to this, such as the Morris worm, that had widespread impacts, as well as other email viruses such as the Melissa virus from 1999 that also was widespread. What made this different was the amount of damage and the fact that it moved in waves. It caused a very significant amount of damage, outages just due to email service having to be taken offline at some of these organizations like Ford and Microsoft. It moved in a wave: started in Southeast Asia, moved out to Hong Kong, China, the US, Western Europe, and so many of these organizations knew it was coming but weren't really able to respond in any other way than taking their servers down. Police in the Philippines identified a computer student that was responsible for it, the author. They were not able to prosecute; there weren't any laws at that time in the Philippines against it.

Controls: user education, again; execution of attack; disabling hidden file extensions of the known file types; antivirus, detective and corrective, which obviously needs some sort of signature or some way to catch it. As well, the amount of damage from deleted Office files: a significant amount of damage to small organizations who may not have had good backup procedures, and they lost a lot. Some of the effects upon us were, well, one, they created a law: the Philippine Congress enacted Republic Act 8792, so they can now prosecute for computer crimes. This is estimated to have caused more than 10 billion dollars of damage across the world. And I love this. This is actually a quote from Kevin Poulsen. He said Windows users everywhere learned never, ever to open unsolicited attachments. This is 2000. Of course.

Operation Get Rich or Die Tryin', the great
cyber heist. This was a hack, a series of hacks really, that targeted mostly retail organizations in the mid-2000s to get credit card data. The group was known as the Green Hat Enterprises crew. That's what they called themselves, not white hat or black hat, but green hat, led by Albert Gonzalez. At the time, or at least at the beginning of this, Albert Gonzalez was a Secret Service informant and participated in Operation Firewall, which was an operation by the Secret Service in conjunction with some other agencies to take down a carding forum, ShadowCrew. He moved to Miami during that time period, like right after that had happened. And many of these retail stores had locations along that corridor, the I-95 corridor there, that could easily be attacked. Initial vectors included weak Wi-Fi networks and SQL injection on web commerce sites. Initially there was so much data in one of these that they were getting that was just already expired cards. So they could sell the numbers, he created the sniffer program to find the data, encrypt it, and then they had a processor still trading it out.

From the other slide, you can see they hit a lot of organizations. The jackpot was when they landed on Heartland Payment Systems. Heartland Payment Systems was a payment processor for transactions, and they compromised the corporate website of HPS by SQL injection. HPS actually identified the activity, shut them down, had some response, thought they had eradicated the attackers. Time goes by, and they jumped from that corporate network to the payment processing network, which is where they did the damage.

The take overall for these attacks: it led to the compromise of millions of credit card numbers and card numbers. There were some cash-out efforts that were conducted by the crew. And I said crew; it's a very loosely organized group of individuals that shared some similar interests and goals and objectives. The dumps were fenced through a reseller. This is eventually how they got caught. It typically is, in a lot of criminal organizations, that you get caught where something is sold or fenced and they work their way back up through the hierarchy.

Controls that could potentially have prevented this: specifically for Wi-Fi, strong encryption. I mean, this was the time of WEP and, you know, I guess WPA, or not WPA2 yet. Isolating the wireless networks that were transmitting card data: some of the compromises included wireless networks that were transmitting card data and cardholder data. Changing default passwords, purging sensitive data when no longer needed, logging and monitoring and alerting for anomalous activity. This is, you know, all that stuff that Chris just talked about. Using a WAF to monitor and block HTTP requests for SQL injection. I put the WIDS down here; of course, probably the WIDS will be corrected. Political effects: this activity, and the losses during that time for those organizations, excuse me, actually prompted the creation of the PCI DSS wireless guidelines, or at least a body was stood up to investigate wireless security as a result of some of this, and that body ended up producing these guidelines. It's estimated there was around $400 million in damage. Some of these estimates are not very good; they're very vague. This estimate comes from the Department of Justice press release. There may be political motives in compiling estimates. There also could be some of the compromised organizations that had costs that they didn't report. Social effects, really, were none.

Next, I call this rehearsal for war. So we're in the mid-2000s, 2007. This is a distributed denial of service attack, and this was an attack against Estonia. If you're not familiar with this, at the
time, Estonia was highly connected. It's an Eastern European country that was formerly part of the Soviet Union, gained independence in the '90s, I think, early '90s, and was, like many of those countries, moving closer and closer towards ties with Europe. At the time it had joined NATO, and they were highly connected. It's estimated that at the time of this attack 90% of their banking transactions were conducted online. So, 15 years ago, this country had 90% of their banking transactions conducted online. Most of their voting, a lot of their political and governmental functions were conducted online. This is the origin of Skype, which is kind of a fun fact: prior to Microsoft, it was actually designed and came from Estonia.

The environment at the time that kind of led to this was this Bronze Soldier here: a statue in remembrance of all of the Russian soldiers that had died fighting the Nazis in World War II. Estonia was going to move this from a central square in Tallinn to a cemetery that was somewhat nearby but didn't have the prominence the central square did. It kicked off a series of riots internally with ethnic Russians, Estonian citizens that were Russian. They started rioting; there was a lot of physical damage, cars overturned. Russia released a statement that warned Estonia that if they removed the statue it would be disastrous for Estonia, and the event seemed to kind of calm down, the streets at least, and then the DDoS starts.

The only way they found to mitigate the attack, given the sheer number of attackers (this was several botnets, hundreds of thousands of packets), was to cut off access from around the world to internal resources within Estonia. So this is an individual effort on these individual sites: they created a denial of international traffic to these sites, after which they worked with ISPs around the world to filter out this initial traffic, and a week after, this stops. The attack consisted mostly of just straight DDoS attacks, but there were some other types of attacks conducted against commercial sites, DNS attacks against DNS name servers that were located in Estonia, and there was a mass effort of email spam that overwhelmed the email servers that were located there. By chance, one of the DNS admins for a root DNS server happened to be in Estonia; he was attending a distributed network operators meeting. And he, along with two other admins, helped the Estonian CERT to be able to kind of act as liaison between them and other ISPs around the world. They were able to lend credibility to the calls, because they were having issues trying to get ISPs to filter some of this traffic, so they could get the providers of these compromised systems around the world to filter that traffic out.
So they quieted down. There was a second wave of attacks that began at midnight Moscow time on the night that is Victory Day in Russia. This was a day to celebrate the victory over the Axis powers in World War II. And this is a quote that explicitly references those who are trying to desecrate memorials to heroes. This is a modern map of NATO here. So you see, like, Estonia joining NATO. Now, NATO declines to consider an Article 5 or Article 4 response. So Article 5 is a commitment from NATO members to mutual defense. This is the big factor, or commitment, that NATO members make to each other. So Article 4 is the beginning of that formal discussion, the process for discussion at the North Atlantic Council. There was some debate over whether this attack really originated from Russia, or whether it originated from other actors, maybe within Russia, maybe with Russian support. And so NATO declined to consider either of these. In Andy Greenberg's book, Sandworm, he proposes that this basically confirmed for Russia a lack of political will within NATO to defend these organizations when there's a cyber attack, a cyber attack that especially might have some plausible deniability. There were no kinetic attacks associated with this. These were all just cyber attacks. This is why I said this is a rehearsal for war. It obviously demonstrated the capability that somebody had, whether it was Russia or other actors. It also, you know, confirmed what the response will look like.

There's not a lot that you can do to prevent that amount of traffic. I guess you can have a CDN with DoS protection, but at some point, when you have hundreds of these large botnets hitting you, it's going to be very hard to absorb that traffic. You can have detective dashboards that alert on it. Maybe before your site totally goes down, you'll start to see an increase in bandwidth utilization and lack of capacity.

The big thing with this hack is what I mentioned before. This is kind of the first effort that we know of. There was an effort before then that had not been released at the time but has since been publicly released, called Titan Rain, where China attacked Department of Defense systems. As I mentioned, it was still unclear with this, specifically the attack on Estonia, whether Russia was behind the attack, but the attack seems to have had the purpose of punishing Estonia for disrespecting Russia, or disrespecting the citizens that were Russian. The issue is that it basically had the opposite effect. Estonia rapidly moved even closer to the West after this event. It's kind of similar to what's happening with Ukraine right now, where, you know, there's an activity that's happening and it may have some effects that were not intended, by driving other countries to support the inclusion of Estonia and Ukraine into Western Europe. The Tallinn Manual was published by the CCDCOE. The CCDCOE was formed; this is NATO's Cooperative Cyber Defence Centre of Excellence. It is the organization that is responsible for creating guidance on how to defend yourself. The manual is essentially a guide book on cyber war, a law manual: international law related to cyber operations. And socially, we saw that, now, if it wasn't Russia that did this attack, they didn't stop it. So a nation-state actor could have stopped the attack. It gave us a better understanding of what cyber attacks conducted by nation-state actors, or sanctioned indirectly by nation-state actors, look like. Sweep forward to Operation Aurora. This is industrial espionage.

>> I guess a quick question on the previous one. So even though, I guess, it introduced this organization within NATO, is it fair to say that we still, to this day, even though we've had Stuxnet and, not even the current conflict with Ukraine, cyber attacks against Ukraine, there's still no formal precedent for what can make a cyber attack trigger traditional warfare? Is that a fair statement to say?

>> As far as I'm aware, there are no formal treaties or agreements that have been signed that specifically detail that. There is precedent within
other international law that could be applied, and that's what you see referenced in the Tallinn Manual: other rules of engagement for armed conflicts as well as other international law. So that is right there. Yeah, I think there's still room for a specific agreement, some type of guide published at an international level. This does go into rules of engagement for cyber, and kind of the tit for tat: what would necessitate or give the ability to do a kinetic attack for a cyber attack. That's listed, and most of the organizations that are members of NATO are probably using this, at least at some point, to inform their policy related to those operations. Good question.

So, Operation Aurora. This is industrial espionage. These organizations were attacked. Some of these that are listed are ones that were reported on as attacked but have never actually come out and said they were attacked, so keep that in mind. The initial attacks started with spear phishing, very, very precise, targeting individuals likely to have access to the intellectual property. The attacks appeared to come from a trusted source. They knew who these people were receiving emails from; they knew what the format of the emails looked like well enough to be able to conduct a very effective spear phishing attack. Once it started, the user would open a file which exploited a vulnerability in Internet Explorer. That was the initial report from Google. There may have been vectors other than the IE zero-day as the initial vector as well. Some reports have noted potential vulnerabilities in Adobe Reader that may have been exploited; those haven't been confirmed. The name actually comes from a file path where it's loading debug symbols on the developer's systems. That's where the name comes from. The exploit targeted IE6, but not long after this was reported and some information got out to security researchers, a new attack was created, or a vector that was able to target IE7.

Google was attacked. It focused on two targets within Google: email accounts of users that were associated with Chinese human rights activists, as well as source code, product. There was a second zero-day that was used to access the software configuration management tool Perforce, which is what people were using for some of their code management at the time. And Google concluded the attackers, in places like email, didn't have access or didn't obtain their objectives. They didn't get access to the body of the email, but were able to access the dates and times created and the subject lines of all those emails. There is a great report on it too, and their analysis of the vulnerabilities. This is a great example of how these types of facts are fuzzy. They're vague. Attribution is hard. McAfee called this attack, this group, Aurora; Symantec called it Elderwood; CrowdStrike called it Beijing Group, Panda. This is the screenshot of the MITRE framework listing for that group. There were many other CVEs used and identified. The goal against all those organizations, the common goal, seemed to be intellectual property. And
when the IE one got patched, they started doing watering hole attacks. Other ways to stop this: again, it's spear phishing, so user education, very good. Running software as a non-privileged user; that's one of the vulnerabilities that seems to be an issue, also the ability to create new users without authenticating. Encrypting data in transit: they could capture data that was being transmitted, though that access may or may not have been used in the actual attacks. Logging and monitoring and analysis of activity. This really kind of ties into what was said earlier, because if you know what the specific threat actor is doing, you can do a scenario on this type of activity. Make sure you've got the detection to detect this.

This increased tension between the US and China significantly. There are other factors as well. But politically this got even worse. We had Operation Aurora, and later brief in half. It was attributed to China. There was a meeting between Xi Jinping and President Obama in 2015 where it was reported this was discussed, as well as a meeting between President Xi Jinping and President Trump in 2017 where it was reported discussed. The activity seems to tail off, at least from this specific group, but then there also is the reorganization of those threat actors from China too. The economic impact is unknown; there hasn't been a lot. Obviously Google leaving China, the second largest market in the world, is significant. There are other contributing factors: at the time, China wanted to censor their Google search results. It was a stiff case, a stiff market anyway; there was lots of competition, a challenging market. There's stiff competition, but overall it was a very significant amount of IP stolen. It likely has been used for security vulnerabilities, as well as could be used to benefit China or businesses within China. Socially, it's just another indicator, really, around this time, of things being published about China and human rights activists.

Stuxnet. So this is kind of the ultimate example of a cyber weapon, cyber war. You've got a cyber attack and physical damage: a cyber weapon deployed. So there were a wide array of different families of malware that were associated with Stuxnet, some versions before this,
excuse me, other versions after this. I'm going to refer specifically to this version, the initial one that was reported on, and their initial attack vector into these organizations. The initial attack vector was these organizations, June 2009, and we have evidence that there was an engineer from an industrial group that posted on a forum about a problem with Step 7 files. He suspected the problem was caused by a virus that was spread by a flash drive. There's no other; you know, you search for something on these forums and look for a solution, and you never know if they found a solution or not.

Then five months later, the firm VirusBlokAda, doing some analysis on malware identified from systems in Iran, found a zero-day that was used. The zero-day they used: malicious link files read by a flash drive plug-in, loading an image from a link file, or an icon in a link file, and this is how they exploited it. They also found malicious use of a legitimate organization's signing certificate on some of the drivers that were used. It targeted Windows by four zero-day attacks, which still, to this day, is a significant burning of zero-days for any type of cyber weapon; they really wanted it to spread. Besides this, there were other techniques used as well: the malicious link file I mentioned; zero-days for privilege escalation via a keyboard layout file, a Windows printer vulnerability, and Windows Task Scheduler were all used in this attack. Once it could spread and get to a Windows system, its payload would target Step 7 project files in order to be able to
check those PLCs that met specific criteria, then modify the frequency of the motors to change the rotation. Essentially what these PLCs did, they controlled, yeah, and there were motors that spin this gas really fast, and what would happen was they would speed them up, slow them down, speed them up. It led to actually damaging the motor itself, and it led also to, in effect, them not doing what they should have done.

Some of the controls: Stuxnet was used against what was an air-gapped system. Contractors have folks that are coming in that need to find a way to move data back and forth; you have to move it in some way anyway. Secure and harden all devices by disabling unnecessary services and execution, including host-based detection systems, logging and monitoring activity, honeypots. So had there been honeypots there, they would have been able to find that data from those honeypots, the desktops and/or the devices themselves in that environment, but it would have been effective against some of the other types of attacks. So politically, this didn't slow the advancement of Iran's nuclear program; how effective it was is still maybe unclear. Socially, there were multiple references to this in all sorts of popular media: TV shows, movies, books. It's estimated, damage-wise, that it caused damage to 20% of their centrifuges.

So that's the talk. I'm taking a link here; I'm going to post the slides of this talk on GitHub. Are there any questions? So lastly, thanks to the organizers of this event. Thanks to y'all. I love going to these events as a speaker, because these events are community-driven. You know, we're the folks that come to stuff like this on a Saturday. So, thank you, because you make this