Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/30/2010
09:37 AM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Al Qaeda Implicated In Cyberattacks

Some papers recently became publicly available in the case of terrorism suspect Mohamedou Ould Slahi, accused of being one of Al-Qaeda's top recruiters. The papers revealed Al-Qaeda hacking activity, which demonstrates what proof of accountability in Internet attacks is, and how many of us jump to conclusions about countries, such as China, without it.

Some papers recently became publicly available in the case of terrorism suspect Mohamedou Ould Slahi, accused of being one of Al-Qaeda's top recruiters. The papers revealed Al-Qaeda hacking activity, which demonstrates what proof of accountability in Internet attacks is, and how many of us jump to conclusions about countries, such as China, without it.It also tells us that one of Al-Qaeda's targets before 2001 was Israel.

The heavily redacted court records don't offer much detail, but they are nonetheless critical. They are the first public record showing us -- if these records are to be believed and are not taken out of context -- that Al-Qaeda, indeed, does engage in computer attacks and information warfare. So we can show a clearly defined enemy engaging us in cyberspace.

Up until now, while it seemed clear to us ("Come on! We all know they do it!"), we had no public proof of their involvement, and we know that such assumptions proved to be false in the past. Thus, the cyberterrorism that we can prove has been limited to defacements of websites, and we can't prove who was behind those unless we believe their claims of responsibility.

This emanates from the fact that it is extremely difficult to prove from technical data alone who is behind an attack due to various reasons including IP allocation records and usage, IP spoofing, VPNs, using proxies, and Trojan horses to pass our communication through, as well as the fact that a third party could be using the computer to wage a covert attack.

This case teaches us that those in power have some proof (intelligence) that indicates the threat of Al-Qaeda as a cyberwarfare player, and that public discussion of who does what without proof is meaningless. The potential risk is calculated the same way, and any information on actual threat is pure guesswork.

We need evidence, such as we have of Germany's operations with the German Trojan horse, before we can make any public claims. When it comes to national security, security experts shouldn't be consulted, but rather, intelligence analysts.

The second matter under discussion is the information on Al-Qaeda's attacks. There's a glimpse of data from two of the paragraphs in this U.S. News article by Alex Kingsbury:

Slahi told interrogators that al Qaeda "used the Internet to launch relatively low-level computer attacks." Al Qaeda "also sabotaged other websites by launching denial-of-service attacks, such as one targeting the Israeli prime minister's computer server," court records show. The Israeli embassy in Washington had no comment on the information published in the court records.
And
Slahi told interrogators that bin Laden's group posted hacking instructions "on specific websites that directed the date and time of the attack."
This is interesting because it shows that, if the information is correct and attributed in context, Al-Qaeda coordinated some of their operations via forums on the Internet. And maybe (pure guesswork) at least some of the websites and online forums used by terrorism supporters on the Internet may be used by actual terrorists associated with Al-Qaeda.

Last, it tells us that an attack was launched in 2001 against the website of Israel's prime minister, which shows a clear online enemy Israel can point to, as well as potentially compare this intelligence with remaining technical records of attacks from that time period. This might provide us more information on sources and methods -- all that while keeping in mind that the attacks discussed are very simplistic in nature.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5423
PUBLISHED: 2020-12-02
CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
CVE-2020-29454
PUBLISHED: 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
CVE-2020-7199
PUBLISHED: 2020-12-02
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access,...
CVE-2020-14260
PUBLISHED: 2020-12-02
HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system.
CVE-2020-14305
PUBLISHED: 2020-12-02
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat ...