Anonymous Attacks On Tunisian Government


Transcript of Anonymous Attacks On Tunisian Government

Page 1: Anonymous Attacks On Tunisian Government

Anonymous attacks on Tunisian Government

Haythem EL MIR, CISSP

Page 2: Anonymous Attacks On Tunisian Government

About Presenter

• More than 10 years of security experience
• Technical Manager of the National Agency for Computer Security of Tunisia
• Head of the Incident Response Team tunCERT
• National cyberspace protection coordinator
• Setting up of incident response units
• Consultancy and training in Africa

Page 3: Anonymous Attacks On Tunisian Government

Introduction

Computer Emergency Response Teams are one of the main tools available today to enhance cyber security. A CERT has to ensure:

• Centralized coordination for IT security issues (trusted point of contact).
• A centralized, specialized unit for incident response.
• Technology and security watch.
• Cyberspace monitoring.
• The expertise to support and assist a quick recovery from security incidents.
• Awareness of all categories of users.

Page 4: Anonymous Attacks On Tunisian Government

Who are Anonymous?

Anonymous is a decentralized network of individuals focused on promoting access to information, free speech and transparency. The group has made international headlines by exposing the Church of Scientology and by supporting anti-corruption movements in many emerging countries. Anonymous are considered a group of hacktivists, trying to act anonymously to hack information systems belonging to the enemies of freedom.

Page 5: Anonymous Attacks On Tunisian Government

Anonymous favorite targets

Page 6: Anonymous Attacks On Tunisian Government

Tunisian Anonymous

Since the Tunisian operation of January 2011, Anonymous has not stopped fascinating young Tunisian hackers and cyber activists. Small groups started to form, and many Anonymous initiatives were run to gather all these groups under the same organization and adopt the same objectives.

• Tunisian Anonymous {Elite Attack}: on Facebook (about 110k)
• Anonymous TN: on Facebook (about 20k)
• AnoNYmOus: on Facebook (about 50k)
• www.anonymous-tunisia.org
• AnonTunisia (Twitter)

Page 7: Anonymous Attacks On Tunisian Government

Tunisian anonymous groups: main objectives

Internet freedom (anti-censorship)

Guarding the revolution objectives
• Fighting the old regime
• Investigating corruption
• Leaking confidential information

Interfering with politics
• They have their own political ideas
• Fighting some particular political parties

Page 8: Anonymous Attacks On Tunisian Government

Biggest attacks and breaches

Page 9: Anonymous Attacks On Tunisian Government

Tunisian anonymous groups: in the media

Page 10: Anonymous Attacks On Tunisian Government

The government position

The Minister of ICT announced on national TV that the National Information Security Agency and the Tunisian CERT would be fighting Anonymous: a declaration of war. Anonymous reacted by announcing a special operation against the security agency's site www.ansi.tn on the 28th of April 2012, and another operation against the government for the 1st of May.

Page 11: Anonymous Attacks On Tunisian Government

The main Anonymous attack: DDoS

Page 12: Anonymous Attacks On Tunisian Government

The main Anonymous attack: DDoS

Low Orbit Ion Cannon (LOIC) web stress tool. It can be used in stand-alone mode, or it can be synchronized through an IRC server. This software needs to be installed on the attacker's machine.

Page 13: Anonymous Attacks On Tunisian Government

HOIC: High Orbit Ion Cannon

Page 14: Anonymous Attacks On Tunisian Government

The main Anonymous attack: DDoS

With LOIC, Anonymous succeeded in causing a denial of service on many servers within a few minutes.

A very strange behaviour that had to be analysed.

Analysis steps:
1. Log analysis of the DDoSed servers (surprising results)
2. LOIC traffic analysis
3. DoS simulation in the lab
4. DDoS simulation in the lab
5. Server analysis

Finding: the default configuration of the web servers is the problem.

6. Developing a new tuning and hardening guide for Apache servers to resist such attacks

Page 15: Anonymous Attacks On Tunisian Government

The main Anonymous attack: DDoS

[Diagram: LOIC client against an Apache server. (1) TCP connection: three-way handshake. (2) HTTP session: GET HTTP/1.0.]
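The diagram shows why the stock configuration fails so quickly: every LOIC client completes the TCP handshake and sends a "GET HTTP/1.0", and each such connection occupies one Apache worker until the server's Timeout expires. The following is an added example by the editor, not the presenter's hardening guide (which the page does not reproduce): it audits an httpd.conf for the DoS-relevant directives and computes how few new connections per second are enough to keep the whole worker pool busy. The two sample configurations, the Apache 2.2 compiled-in defaults used for absent directives, and the pass/fail thresholds are this example's own assumptions.

```python
import re

# Constructed sample: an Apache 2.2 prefork httpd.conf that keeps the stock
# values (the shipped defaults the talk blames for the quick DoS).
WEAK_CONF = """\
Timeout 300
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100
<IfModule prefork.c>
    StartServers     8
    ServerLimit    256
    MaxClients     256
</IfModule>
"""

# Constructed sample: the same server after tuning. The values are this
# example's suggestions, not figures from the talk's guide.
HARDENED_CONF = """\
Timeout 10
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 50
<IfModule prefork.c>
    StartServers    16
    ServerLimit   1024
    MaxClients    1024
</IfModule>
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=5-10,MinRate=500 body=10,MinRate=500
</IfModule>
"""

# Compiled-in Apache 2.2 defaults that apply when a directive is absent (assumed).
DEFAULTS = {"Timeout": "300", "KeepAliveTimeout": "5", "MaxClients": "256"}

# directive -> (predicate on its value, reason it matters under a LOIC flood).
# The thresholds are this example's choices.
CHECKS = {
    "Timeout": (lambda v: int(v) <= 30,
                "an idle LOIC connection keeps a worker for this long"),
    "KeepAliveTimeout": (lambda v: int(v) <= 5,
                         "each flood client can park a worker between requests"),
    "MaxClients": (lambda v: int(v) >= 512,
                   "worker pool is exhausted by a few hundred connections"),
}

def parse_directives(conf):
    """Map directive name -> value for simple 'Name value' lines.
    Comments and <IfModule> container tags are skipped; the last occurrence
    wins, matching Apache's behaviour for repeated global directives."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0]] = parts[1]
    return found

def audit(conf):
    """Return a list of (directive, effective_value, reason) findings."""
    d = parse_directives(conf)
    findings = []
    for name, (ok, reason) in CHECKS.items():
        value = d.get(name, DEFAULTS[name])
        if not ok(value):
            findings.append((name, value, reason))
    if "RequestReadTimeout" not in d:
        findings.append(("RequestReadTimeout", "absent",
                         "mod_reqtimeout not set: slow or idle request headers hold workers"))
    return findings

def saturation_rate(max_clients, timeout_s):
    """New idle connections per second needed to keep every worker busy.
    Below this rate the server still answers real users; at it, it stops."""
    return max_clients / timeout_s

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        d = parse_directives(conf)
        print(f"== {label} ==")
        for name, value, reason in audit(conf):
            print(f"  {name} = {value}: {reason}")
        rate = saturation_rate(int(d.get("MaxClients", DEFAULTS["MaxClients"])),
                               int(d.get("Timeout", DEFAULTS["Timeout"])))
        print(f"  saturation rate: {rate:.1f} new idle connections/s")
```

With the weak configuration, 256 workers held for 300 s each are saturated by fewer than one new connection per second, which is why a handful of LOIC clients could take a server down in minutes; the tuned pool needs roughly a hundred connections per second to reach the same state, and mod_reqtimeout drops clients that never finish their request headers.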

Page 16: Anonymous Attacks On Tunisian Government

The main Anonymous attack: DDoS

Page 17: Anonymous Attacks On Tunisian Government

The main Anonymous attack: DDoS

[Diagram: LOIC clients synchronized through an IRC server acting as C&C.]

Page 18: Anonymous Attacks On Tunisian Government

The main Anonymous attack: DDoS

[Diagram: LOIC client behind a proxy server.]

Good news: LOIC cannot be used through a proxy.

Page 19: Anonymous Attacks On Tunisian Government

The online LOIC: JS LOIC

http://pastehtml.com/

http://f**kati.yolasite.com/

http://anoon.mypressonline.com/

Page 20: Anonymous Attacks On Tunisian Government

IRC communications

#optunisia- Channel Topic: Operation Tunisia | Target: www.ati.tn | Discuss further actions | English only in channel | DO NOT USE HIVE | Anonymity http://piratepad.net/ep/pad/view/ro.sEBJTH2Q/latest | www.anonnews.org | wikileaks.yunicc.org | over9000.splinteredsanity.com | forscherliga-rof.eu | news.pinky-and-brain.com |

<Greeny> Hey im new what should i do before ddosing ?

<@Ismael> inside Tn --> get on the streets and portest

<GZ3r0> SQL Injection Vulnerability Detection

<GZ3r0> http://www.tn.gov/
<medo> fire 193.95.67.22 port 53 udp

#optunisia- Channel Topic: OperationTunisia | TARGET: 193.95.67.22 port 53 (UDP) | HIVE IS UP: irc.hiddenaces.net:6667 #loic | KEEP FIRING UNTILL TOPIC SAYS OTHERWISE | Setup GUIDE: herpderp01.byethost7.com | Join #operationfreedom for more government ass-whooping | ENGLISH ONLY

Page 21: Anonymous Attacks On Tunisian Government

IRC communications

<zargos> how can i do a fire with you
<Mouwaten> please how to fire ?
<VforTunisia> how can I help?
<claude> 4anyone have a tutoriel how to ddos
<lek> how can i join the attack ?
<feh> i wonder how you can deface a website
<mib_idlwgn> wait how do you do 64GB ping?
<C0DeR> how can we enjoy the ddos attack ?
<mib_yjp5ph> how can I change my MAC adress?
<tunisianow> how to learn ddossing ?

It was not only about hacking:

<@Ismael> YOU have to RIOT on the STREETS
<purpleleaves> people in tunisia get out on the streets and protest
<op-Tunisia> pepolle in tunisia attacking in streets now
<@Ismael> tunsians you have to get you asses on the street and end this
<@Ismael> getb the f**k on the streets and RIOT!
<@Ismael> Leave you computers the F**K alone and RIOT on the streets1
<Merovingien> Some say a DDOS is the same as a street protest

Page 22: Anonymous Attacks On Tunisian Government

IRC communications

<zorro> ansi is not a gov.tn !!!
<zorro> Do not target ansi ; it is not a gov.tn
<zorro> ansi is a media web site
<zorro> To All : be carefull about LOIC ; some versions are infected !!
<zorro> Stock exchange is not Governmental !!
<zorro> Do not target stock exchange
<F_Youth> zorro => are u kidding?
<zorro> But Indonesia would be a good target also LoL
<zorro> No freedom in Indonesia !!
<zorro> Tunisia is a very sunny country
<zorro> DDoS in not efficient at all ; what a lot of energy spent in the wind !!
<zorro> international pressure should go where really people suffer (palestine, afghanistan, iraq, ...)
<@p2cv> zorro: then stop complaining and invite people to your cause
<zorro> don't miss real causes : poverty, real oppression, lack of education, lack of health, child explotation
<zorro> wikileaks does NOT provide food for african people
<zorro> with DDoS, u r spending ur energy in the wind !!
<@p2cv> !k zorro
* zorro was kicked by Chuck (Requested (p2cv))
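The #optunisia topics quoted on the IRC slides carry the operational state of the attack: the current target, whether the LOIC Hive (IRC-synchronized mode) is up and where, and whether participants are told to keep firing. Watching those topics is how a responder anticipates the next target and compiles the list of C&C servers for take-down. The following is an added example by the editor, not tooling from the presentation. It parses topics of the form quoted above; the topic grammar is inferred from those two quotes and is an assumption, and the embedded copies are trimmed to the fields of interest.

```python
import re

# Constructed copies of the two #optunisia topics quoted on the slides above,
# trimmed to the fields this example cares about.
TOPIC_BEFORE = ("Operation Tunisia | Target: www.ati.tn | Discuss further actions | "
                "English only in channel | DO NOT USE HIVE")
TOPIC_FIRING = ("OperationTunisia | TARGET: 193.95.67.22 port 53 (UDP) | "
                "HIVE IS UP: irc.hiddenaces.net:6667 #loic | "
                "KEEP FIRING UNTILL TOPIC SAYS OTHERWISE | ENGLISH ONLY")

# Assumed topic grammar, inferred from the two quotes:
#   "TARGET: host [port N (PROTO)]"  and  "HIVE IS UP: server:port #channel"
TARGET_RE = re.compile(r"target:\s*([\w.-]+)(?:\s+port\s+(\d+)\s*\((\w+)\))?", re.I)
HIVE_RE = re.compile(r"hive is up:\s*([\w.-]+):(\d+)\s*(#\w+)", re.I)

def parse_topic(topic):
    """Extract the attack indicators an IRC-watching responder needs."""
    info = {"target": None, "port": None, "proto": None, "hive": None, "firing": False}
    m = TARGET_RE.search(topic)
    if m:
        info["target"] = m.group(1)
        info["port"] = int(m.group(2)) if m.group(2) else None
        info["proto"] = m.group(3).lower() if m.group(3) else None
    h = HIVE_RE.search(topic)
    if h:
        info["hive"] = (h.group(1), int(h.group(2)), h.group(3).lower())
    info["firing"] = re.search(r"keep firing", topic, re.I) is not None
    return info

def takedown_list(topics):
    """From a series of observed topics, return (victims to warn,
    Hive C&C servers to pass to partners for take-down)."""
    victims, hives = set(), set()
    for topic in topics:
        info = parse_topic(topic)
        if info["target"]:
            victims.add(info["target"])
        if info["hive"]:
            hives.add(info["hive"][0])
    return victims, hives

if __name__ == "__main__":
    for topic in (TOPIC_BEFORE, TOPIC_FIRING):
        print(parse_topic(topic))
    print(takedown_list([TOPIC_BEFORE, TOPIC_FIRING]))
```

The second topic yields a target of 193.95.67.22 on UDP port 53 with the Hive at irc.hiddenaces.net:6667, which is exactly the pair of indicators the CERT needed: the victim's administrator to warn, and the synchronization server to report for take-down.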

Page 23: Anonymous Attacks On Tunisian Government

The main Anonymous attack: DDoS

Attacking IPs by country (countries shown on the slide; 186 countries in total):

Country              IP nb     Country                 IP nb
France               15208     Switzerland               934
United States         8891     Libya                     794
Algeria               4762     Japan                     738
Germany               3144     Spain                     717
Egypt                 3115     Argentina                 707
Morocco               3028     India                     703
Russia                2874     Hungary                   693
Saudi Arabia          2853     Poland                    677
Brazil                2387     Ukraine                   647
Canada                2346     Netherlands               561
Italy                 2023     United Arab Emirates      554
Taiwan                1917     Qatar                     486
China                 1716     Bulgaria                  486
United Kingdom        1431
Belgium               1223
Romania               1054

Total countries: 186            Total IPs: 77272
Total number of targets: 44     Attacks: DoS, DDoS, defacement

Page 24: Anonymous Attacks On Tunisian Government

The defense strategy

The Tunisian CERT was the main coordinator in handling these attacks.
Activation of the national reaction plan.
Activation of the crisis mode.
Incident coordination:

• With local ISPs, telcos and critical infrastructures.
• With international partners.

Actions taken:
• Watching the hackers and studying their behaviour.
• Anticipating attacks.
• Analysing millions of log lines and developing a blacklist.
• Sharing the blacklist.
• Neutralizing IRC servers.
• Securing and hardening vulnerable servers.

Page 25: Anonymous Attacks On Tunisian Government

Role of the CERT: National coordination

Inform all stakeholders (ISPs, telcos, defense, national security, financial sector, energy sector, …).
Monitor all critical web sites and inform companies about any abnormal behaviour.
In case of attack, collect and analyse log files.
Identify the list of IPs participating in the attack and develop a temporary blacklist.
Continuously update the blacklist until the end of the attack.
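The log-analysis step from the DDoS analysis slide and the temporary blacklist described here come down to one procedure: parse the web server access logs, find the sources whose request rate no browser would produce, and keep folding new offenders into the list as fresh logs arrive. The following is an added example by the editor, not the CERT's tooling. It assumes Apache combined-format access logs and a sliding-window rate threshold; the sample log lines, the RFC 5737 documentation addresses, the window and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, request-line) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def build_blacklist(lines, window_s=10, threshold=50):
    """Map ip -> peak request count for every source that sent at least
    `threshold` requests inside some sliding window of `window_s` seconds.
    A flood tool reaches this within its first seconds; a browser does not."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts, _ = parsed
            per_ip[ip].append(ts)
    window = timedelta(seconds=window_s)
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):
            # advance the window start until it spans less than window_s seconds
            while times[end] - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders

def merge_blacklist(current, new_hits):
    """Fold a fresh batch of offenders into the running list, keeping the
    highest peak seen per IP; this is the 'continuously update' step."""
    merged = dict(current)
    for ip, peak in new_hits.items():
        merged[ip] = max(peak, merged.get(ip, 0))
    return merged

def iptables_rules(blacklist):
    """Render the list as iptables commands for the filtering partners;
    the strings are returned, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blacklist)]

# --- constructed sample log (RFC 5737 documentation addresses) ---------------
def _log_line(ip, ts, req="GET / HTTP/1.0"):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{req}" 200 512'

T0 = datetime(2011, 1, 3, 10, 0, 0, tzinfo=timezone(timedelta(hours=1)))
SAMPLE_LOG = (
    # two flood sources: 120 requests in about 6 s and 80 requests in about 8 s
    [_log_line("203.0.113.7", T0 + timedelta(milliseconds=50 * i)) for i in range(120)]
    + [_log_line("203.0.113.9", T0 + timedelta(milliseconds=100 * i)) for i in range(80)]
    # one ordinary visitor: 6 page views spread over a minute
    + [_log_line("198.51.100.4", T0 + timedelta(seconds=10 * i), "GET /index.html HTTP/1.1")
       for i in range(6)]
)

if __name__ == "__main__":
    hits = build_blacklist(SAMPLE_LOG)
    for ip, peak in sorted(hits.items()):
        print(f"{ip}: {peak} requests within 10 s")
    print("\n".join(iptables_rules(hits)))
```

A rate threshold on its own will also catch aggressive crawlers and shared NAT gateways, which is why the slide calls the list temporary: it is shared for the duration of the attack and withdrawn afterwards rather than left as a permanent filter.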

Page 26: Anonymous Attacks On Tunisian Government

Role of the CERT: International coordination

The LOIC was synchronized using 3 different IRC servers (1 in Russia, 2 in the USA), with 7 further IRC servers used for communication (Canada, 3 in Germany, the Netherlands, Austria). Taking down these servers will end the attack.
Collaboration with the FIRST network and international partners to take down these servers.
International assistance to mitigate the attack (exchanging lists of IPs to filter).

Page 27: Anonymous Attacks On Tunisian Government

Conclusion

Anonymous is not a common hacker group:
• They are not hackers; they are a huge number of activists.
• They do not use very sophisticated hacking techniques.
• They can be assisted by hacking groups (LulzSec, TeamPoison, …) and also by local groups.

Facing an Anonymous attack can only be done through coordination.

Anonymous will be one of the main threats in the coming period:
• Their numbers are increasing.
• They are starting to get organized.
• They are starting to learn hacking and to recruit hackers.

Page 28: Anonymous Attacks On Tunisian Government

Thank you!