Israeli, Saudi Hacker Battle Escalates

By Mathew J. Schwartz   InformationWeek

After several days of credit card breaches and payback hack attempts, Anonymous chimes in, purportedly releasing access credentials and URLs for Israeli industrial control systems.

A war of words and website hacks is escalating in Israel over the purported hack of credit card data by a hacker from Saudi Arabia.

Last week, a hacker known as xOmar 0, who claimed to be part of the Saudi hacking group Group-XP, released credit card numbers and other sensitive information he'd stolen, saying it affected 400,000 Israelis. The Israeli banks affected, however, said the total number of people involved was only about 14,000.

The hack led Israel's deputy foreign minister, Danny Ayalon, to declare Sunday that such breaches of Israeli cyberspace should be treated as terrorism, and would be grounds for Israel to use its cyber strike-back capabilities. "No agency or hacker will be immune from a response," said Ayalon.

[ Could cyberattacks take utilities offline? See Feds Seek Stronger Security For Power Grid. ]

In retaliation for the Group-XP hack, a group of Israeli hackers said Monday that they'd hacked into multiple Saudi e-commerce websites and stolen credit card details on thousands of customers. "At the moment, we're holding on to the information and waiting for the right moment to publish it," according to a statement released by the group. But it said that "if the leaks continue, we will cause severe damage to the privacy of Saudi citizens," reported China Radio International.

By Tuesday, however, Ayalon's warning against anyone who hacked Israeli organizations had led a group of self-described Arab hackers--one hailing from the "Gaza HaCKeR Team"--to deface Ayalon's personal website Tuesday with protest images, reported China's official Xinhua news service, based on an interview with Ayalon's media advisor, Ashley Perry. Perry said the non-defaced site was restored in less than an hour.

Interestingly, the Israeli credit card details may have been stolen by a 19-year-old hacker who's not from Saudi Arabia, but rather the United Arab Emirates, and who's now based in Mexico and works in a cafe when he's not studying computer science at a local university. At least, that's the theory of Israeli blogger Amir Fadida, reported Haaretz Newspaper in Israel. "The not-so clever hacker, to put it mildly, made many mistakes," said Fadida on his blog, detailing how he'd traced the attacks back to an individual based in Mexico.

In other Israel-related information security news, an Anonymous and AntiSec affiliate Tuesday purportedly released password details for 10 Israeli supervisory control and data acquisition (SCADA) systems. A Pastebin post purporting to be "from Anonymous with love" listed the URLs of what it says are 10 SCADA systems based in Israel, and said that they could be accessed using default credentials, with the password in question being "100." While the veracity of that assertion couldn't be fully verified, at least one of the provided IP addresses resolved to an Edimax wireless broadband router that listed its default credentials on the log-in screen, and which appeared to be located near Tel Aviv, Israel.

In terms of authenticity, a tweet from the Twitter account of TheRealSabu, aka the former leader of LulzSec, had instructed his followers to watch the Twitter channel that was used to publicize the attack, not long before a link to the Pastebin post was publicized.

Unauthorized access to SCADA systems is a concern, because such systems can control dangerous or sensitive manufacturing environments, ranging from chemical centrifuge controls and nuclear power stations to water utility treatment plants or prison cell doors. From a security standpoint, numerous SCADA systems have been built with hardcoded--and publicly known--access credentials. While that's useful from a safety perspective, for example if there's a plant accident and the control system must be quickly accessed and disabled, such credentials create enormous information security risks if the control systems should be Internet-connected and not properly secured.

New slow-motion DoS attack


Qualys Security Labs researcher Sergey Shekyan has created a proof-of-concept tool that could be used to essentially shut down websites from a single computer with little fear of detection. The attack exploits the nature of the Internet's Transmission Control Protocol (TCP), forcing the target server to keep a network connection open by performing a "slow read" of the server's responses.

The Slow Read attack, which is now part of Shekyan's open-source slowhttptest tool, takes a different approach than previous "slow" attacks such as the infamous Slowloris—a tool most notably used in 2009 to attack Iranian government websites during the protests that followed the Iranian presidential election. Slowloris clogs up Web servers' network ports by making partial HTTP requests, continuing to send pieces of a page request at intervals to prevent the connection from being dropped by the Web server.

Slow Read, on the other hand, sends a full request to the server, but then holds up the server's response by reading it very slowly from the buffer. Using a known vulnerability in the TCP protocol, the attacker could use TCP's window size field, which controls the flow of data, to slow the transmission to a crawl. The server will keep polling the connection to see if the client—the attacker—is ready for more data, clogging up memory with unsent data. With enough simultaneous attacks like this, there would be no resources left on the server to connect to legitimate users.

Shekyan said in his post about the tool that this type of attack could be prevented by setting up rules in the Web server's configuration that refuse connections from clients with abnormally small data window settings, and limit the lifetime of an individual request.


Actual Test Example:


Protection Strategies....Taken from the source found here:

To protect your Web server against slow HTTP attacks, I recommend the following:

  • Reject / drop connections with HTTP methods (verbs) not supported by the URL.
  • Limit the header and message body to a minimal reasonable length. Set tighter URL-specific limits as appropriate for every resource that accepts a message body.
  • Set an absolute connection timeout, if possible. Of course, if the timeout is too short, you risk dropping legitimate slow connections; and if it’s too long, you don’t get any protection from attacks. I recommend a timeout value based on your connection length statistics, e.g. a timeout slightly greater than median lifetime of connections should satisfy most of the legitimate clients.
  • The backlog of pending connections allows the server to hold connections it’s not ready to accept, and this allows it to withstand a larger slow HTTP attack, as well as gives legitimate users a chance to be served under high load. However, a large backlog also prolongs the attack, since it backlogs all connection requests regardless of whether they’re legitimate. If the server supports a backlog, I recommend making it reasonably large to so your HTTP server can handle a small attack.
  • Define the minimum incoming data rate, and drop connections that are slower than that rate. Care must be taken not to set the minimum too low, or you risk dropping legitimate connections.


Server-Specific Recommendations


Applying the above steps to the HTTP servers tested in the previous article indicates the following server-specific settings:



  • Using the <Limit> and <LimitExcept> directives to drop requests with methods not supported by the URL alone won’t help, because Apache waits for the entire request to complete before applying these directives. Therefore, use these parameters in conjunction with the LimitRequestFields, LimitRequestFieldSize, LimitRequestBody, LimitRequestLine, LimitXMLRequestBody directives as appropriate. For example, it is unlikely that your web app requires an 8190 byte header, or an unlimited body size, or 100 headers per request, as most default configurations have. 
  • Set reasonable TimeOut and KeepAliveTimeOut directive values. The default value of 300 seconds for TimeOut is overkill for most situations.
  • ListenBackLog’s default value of 511 could be increased, which is helpful when the server can’t accept connections fast enough.
  • Increase the MaxRequestWorkers directive to allow the server to handle the maximum number of simultaneous connections.
  • Adjust the AcceptFilter directive, which is supported on FreeBSD and Linux, and enables operating system specific optimizations for a listening socket by protocol type. For example, the httpready Accept Filter buffers entire HTTP requests at the kernel level.


A number of Apache modules are available to minimize the threat of slow HTTP attacks. For example, mod_reqtimeout’s RequestReadTimeout directive helps to control slow connections by setting timeout and minimum data rate for receiving requests.


I also recommend switching apache2 to experimental Event MPM mode where available.  This uses a dedicated thread to handle the listening sockets and all sockets that are in a Keep Alive state, which means incomplete connections use fewer resources while being polled.





  • Restrict request verbs using the $HTTP["request-method"] field in the configuration file for the core module (available since version 1.4.19).
  • Use server.max_request-size to limit the size of the entire request including headers.
  • Set server.max-read-idle to a reasonable minimum so that the server closes slow connections. No absolute connection timeout option was found.





  • Limit request attributes is through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
  • Set <headerLimits> to configure the type and size of header your web server will accept.
  • Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.


What’s Next


The above are the simplest and most generic countermeasures to minimize the threat. Tuning the Web server configuration is effective to an extent, although there is always a tradeoff between limiting slow HTTP attacks and dropping legitimately slow requests. This means you can never prevent attacks simply using the above techniques.


Beyond configuring the web server, it’s possible to implement other layers of protection like event-driven software load balancers, hardware load balancers to perform delayed binding, and intrusion detection/prevention systems to drop connections with suspicious patterns.


However, today, it probably makes more sense to defend against specific tools rather than slow HTTP attacks in general. Tools have weaknesses that can be identified and and exploited when tailoring your protection. For example, slowhttptest doesn’t change the user-agent string once the test has begun, and it requests the same URL in every HTTP request. If a web server receives thousands of connections from the same IP with the same user-agent requesting the same resource within short period of time, it obviously hints that something is not legitimate. These kinds of patterns can be gleaned from the log files, therefore monitoring log files to detect the attack still remains the most effective countermeasure.

Pastebin shut down twice in a week by DDoS attacks, a favorite venue for hacktivists, was shut down twice this week by distributed denial-of-service (DDoS) attacks.

On Tuesday, the site tweeted that it was under DDoS attack. Then, on Thursday, the site tweeted, “Pastebin is under DDoS attack again guys, working on it.” The site was back up on Friday with no explanation about what had happened.

Pastebin was developed for programmers to store pieces of source code or configuration information, “but anyone is more than welcome to paste any type of text”, the site said on its webpage. “The idea behind the site is to make it more convenient for people to share large amounts of text online”, it added.

Pastebin has been used by Anonymous and its spinoffs, such as LulzSec, to post controversial documents and “manifestos” about their activities. It was also used by the Comodohacker to detail his exploits in compromising certificate authorities, such as the Comodo affiliates and DigiNotar.

Comodohacker also announced on Pastebin that it had attacked Belgian certificate authority GlobalSign, which prompted the company to halt new certificate issues for a week in September. The company resumed issuing certificates after concluding that Comodohacker had not compromised its certificate-issuance infrastructure. This initial assessment was confirmed by a more detailed report issued last month.

Ramnit worm switches focus from financial to Facebook, steals 45K logins

Ramnit, a worm accustomed to the financial industry, has been targeting Facebook accounts recently. Reports say that at least 45K accounts have been compromised.

If you happen to be on that Facebook website, you might want to be a little more careful about the links you click. A new worm is traversing the social networking service and is called Ramnit. The worm has already laid claim to the data of at least 45,000 Facebook users.

According to Seculert, which has been tracking the worm, Ramnit has mostly been focusing on users in the United Kingdom and France, but has been attacking accounts all over the world. Seculert believes the motive behind the stolen credentials may be to magnify the malware’s spread by sending links to the friends of compromised accounts.

The Microsoft Malware Protection Center (MMPC) defines the worm as a “multi-component malware family which infects Windows executable as well as HTML files.” Ramnit seems to be slumming in social media, as previous incarnations have shown the worm being capable of financial fraud.

Trusteer previously reported in August of last year Ramnit gained the ability to “bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks.” Seculert, using Sinkhole, found that 800,000 machines had been infected with the worm in the last quarter of 2011.

Seculert has alerted Facebook to the stolen credentials, and PC Mag says that Facebook has acknowledged the problem in a statement. Apparently, the social networking service has notified those affected, but says the majority of the credentials were outdated. Although Facebook probably sees a good number of accounts compromised on a regular basis, Seculert believes the 45,000 compromised by the Ramnit variant is a sign of hackers becoming more sophisticated and are learning to use social networking’s viral power for bad. So watch what you click, and try not to use the same password for multiple services.

Wikileaks Spy Files Target Forensic Companies

Earlier this month, Wikileaks revealed what it has dubbed “the Spy Files,” a collection of 287 documents that include information about companies that provide different types of surveillance methods including cell phone forensics, spyware, and Wifi interceptions.

“Over a year or longer, SSL certificates have been penetrated by various organized crime groups and intelligence agencies. The entire SSL system, which is the mechanism that guarantees security and anonymity online, has been compromised. SSL is beyond repair,” says Wikileaks founder Julian Assange.

The ACLU also has listed a very detailed account of what they consider illegal domestic spying in America. “The FBI, federal intelligence agencies, the military, state and local police, private companies, and even firemen and emergency medical technicians are gathering incredible amounts of personal information about ordinary Americans that can be used to construct vast dossiers that can be widely shared with a simple mouse-click through new institutions like Joint Terrorism Task Forces, fusion centers, and public-private partnerships. The fear of terrorism has led to a new era of overzealous police intelligence activity directed, as in the past, against political activists, racial and religious minorities, and immigrants.”

Source: Z6Mag


The Spy Files by Wikileaks:


Selling Surveillance to Dictators

When citizens overthrew the dictatorships in Egypt and Libya this year, they uncovered listening rooms where devices from Gamma corporation of the UK, Amesys of France, VASTech of South Africa and ZTE Corp of China monitored their every move online and on the phone.

Surveillance companies like SS8 in the U.S., Hacking Team in Italy and Vupen in France manufacture viruses (Trojans) that hijack individual computers and phones (including iPhones, Blackberries and Androids), take over the device, record its every use, movement, and even the sights and sounds of the room it is in. Other companies like Phoenexia in the Czech Republic collaborate with the military to create speech analysis tools. They identify individuals by gender, age and stress levels and track them based on ‘voiceprints’. Blue Coat in the U.S. and Ipoque in Germany sell tools to governments in countries like China and Iran to prevent dissidents from organizing online.

Trovicor, previously a subsidiary of Nokia Siemens Networks, supplied the Bahraini government with interception technologies that tracked human rights activist Abdul Ghani Al Khanjar. He was shown details of personal mobile phone conversations from before he was interrogated and beaten in the winter of 2010-2011.


How Mass Surveillance Contractors Share Your Data with the State

In January 2011, the National Security Agency broke ground on a $1.5 billion facility in the Utah desert that is designed to store terabytes of domestic and foreign intelligence data forever and process it for years to come.

Telecommunication companies are forthcoming when it comes to disclosing client information to the authorities - no matter the country. Headlines during August’s unrest in the UK exposed how Research in Motion (RIM), makers of the Blackberry, offered to help the government identify their clients. RIM has been in similar negotiations to share BlackBerry Messenger data with the governments of India, Lebanon, Saudi Arabia, and the United Arab Emirates.


Weaponizing Data Kills Innocent People

There are commercial firms that now sell special software that analyze this data and turn it into powerful tools that can be used by military and intelligence agencies.

For example, in military bases across the U.S., Air Force pilots use a video link and joystick to fly Predator drones to conduct surveillance over the Middle East and Central Asia. This data is available to Central Intelligence Agency officials who use it to fire Hellfire missiles on targets.

The CIA officials have bought software that allows them to match phone signals and voice prints instantly and pinpoint the specific identity and location of individuals. Intelligence Integration Systems, Inc., based in Massachusetts - sells a “location-based analytics” software called Geospatial Toolkit for this purpose. Another Massachusetts company named Netezza, which bought a copy of the software, allegedly reverse engineered the code and sold a hacked version to the Central Intelligence Agency for use in remotely piloted drone aircraft.

IISI, which says that the software could be wrong by a distance of up to 40 feet, sued Netezza to prevent the use of this software. Company founder Rich Zimmerman stated in court that his “reaction was one of stun, amazement that they (CIA) want to kill people with my software that doesn’t work."

Most users have not installed security software on their smartphones, survey finds

Nearly three-quarters of Americans have never installed data protection applications or security software on their smartphones to protect against data loss or malware, according to a survey sponsored by the National Cyber Security Alliance (NCSA) and McAfee.

In addition, 70% of smartphone owners surveyed said they feel their device is safe from hackers, malware, and other types of cybercrime, according to a survey of 2,337 US adults conducted by Zogby International for NCSA and McAfee.

“It is clear that people aren’t viewing their mobile devices as incredibly valuable digital assets that are in need of protection. They don’t seem to be making the connection that their smartphone is the equivalent of their computer”, said Michael Kaiser, executive director of NCSA.

“Consumers need to protect these devices; they need to protect the information that is on them. Most of these devices have incredibly valuable information”, Kaiser told Infosecurity.

The survey also found that more applications are being developed and downloaded to meet a variety of user interests and needs. In the last six months, the applications most smartphone owners say they have added to their phones are games (46%), followed by social networking apps (37%).

Only 26% of smartphone owners said they always read the developer policy on the use of personal information when downloading an app and a third (31%) said they never read the policy.

“People don’t fully understand how these devices function – that they have the potential to know where you are and that they contain enormous amounts of personal information about you”, Kaiser said.

Smartphone users are split as to whether they have ever abandoned downloading an app over security or safety concerns (50% to 45%). Of those who have decided not to download an app over a security or safety concern, most said they did so because they were unsure of what data about themselves was being collected and how it would be used (71%).

“So that is a good sign. On the other hand, they probably downloaded other apps that shared information that they weren’t aware of”, Kaiser observed.

NCSA advised mobile users to adopt better security practices. These practices include keeping mobile anti-virus and other security software current and automating the updating process. In addition, users should enable password protection on their phones and ensure these passwords are long and strong.

Consumers should read app policies and understand what data on the device can be accessed through the app. Users need to update their apps because they may have security fixes in them.

Also, users should be cautious of WiFi hotspots, especially free ones that do not require any type of password or authentication to connect with. “WiFi is a more risky internet connection than direct access through your cell phone”, Kaiser warned.

“The threat landscape in the mobile world is mirroring the threat landscape for the desktop….People need to implement the same security measures for their smartphone to address the threats”, he said.

Subscribe to our Newsletter

Search ALL Articles

Managed V. Non-Managed


US-CERT Latest Warnings

Latest US-CERT Released Warnings

Posted Articles