Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/30/2010
09:37 AM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Al Qaeda Implicated In Cyberattacks

Some papers recently became publicly available in the case of terrorism suspect Mohamedou Ould Slahi, accused of being one of Al-Qaeda's top recruiters. The papers revealed Al-Qaeda hacking activity, which demonstrates what proof of accountability in Internet attacks is, and how many of us jump to conclusions about countries, such as China, without it.

Some papers recently became publicly available in the case of terrorism suspect Mohamedou Ould Slahi, accused of being one of Al-Qaeda's top recruiters. The papers revealed Al-Qaeda hacking activity, which demonstrates what proof of accountability in Internet attacks is, and how many of us jump to conclusions about countries, such as China, without it.It also tells us that one of Al-Qaeda's targets before 2001 was Israel.

The heavily redacted court records don't offer much detail, but they are nonetheless critical. They are the first public record showing us -- if these records are to be believed and are not taken out of context -- that Al-Qaeda, indeed, does engage in computer attacks and information warfare. So we can show a clearly defined enemy engaging us in cyberspace.

Up until now, while it seemed clear to us ("Come on! We all know they do it!"), we had no public proof of their involvement, and we know that such assumptions proved to be false in the past. Thus, the cyberterrorism that we can prove has been limited to defacements of websites, and we can't prove who was behind those unless we believe their claims of responsibility.

This emanates from the fact that it is extremely difficult to prove from technical data alone who is behind an attack due to various reasons including IP allocation records and usage, IP spoofing, VPNs, using proxies, and Trojan horses to pass our communication through, as well as the fact that a third party could be using the computer to wage a covert attack.

This case teaches us that those in power have some proof (intelligence) that indicates the threat of Al-Qaeda as a cyberwarfare player, and that public discussion of who does what without proof is meaningless. The potential risk is calculated the same way, and any information on actual threat is pure guesswork.

We need evidence, such as we have of Germany's operations with the German Trojan horse, before we can make any public claims. When it comes to national security, security experts shouldn't be consulted, but rather, intelligence analysts.

The second matter under discussion is the information on Al-Qaeda's attacks. There's a glimpse of data from two of the paragraphs in this U.S. News article by Alex Kingsbury:

Slahi told interrogators that al Qaeda "used the Internet to launch relatively low-level computer attacks." Al Qaeda "also sabotaged other websites by launching denial-of-service attacks, such as one targeting the Israeli prime minister's computer server," court records show. The Israeli embassy in Washington had no comment on the information published in the court records.
And
Slahi told interrogators that bin Laden's group posted hacking instructions "on specific websites that directed the date and time of the attack."
This is interesting because it shows that, if the information is correct and attributed in context, Al-Qaeda coordinated some of their operations via forums on the Internet. And maybe (pure guesswork) at least some of the websites and online forums used by terrorism supporters on the Internet may be used by actual terrorists associated with Al-Qaeda.

Last, it tells us that an attack was launched in 2001 against the website of Israel's prime minister, which shows a clear online enemy Israel can point to, as well as potentially compare this intelligence with remaining technical records of attacks from that time period. This might provide us more information on sources and methods -- all that while keeping in mind that the attacks discussed are very simplistic in nature.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.