Thursday, October 12, 2006

The Insider's Guide to Georgia-Russia Espionage Case

An informative FAQ on the most recent nation-to-nation espionage case, David vs. Goliath, aka Georgia's counter-intelligence services spotting Russian military personnel performing HUMINT reconnaissance under Russia's umbrella. It answers the following questions:

- Russian spies in Georgia? I thought some of the folks in Atlanta looked a bit suspicious...
- So what's the problem this week?
- And did Georgia back down?
- What were four Russian military officers doing in Tbilisi in the first place?
- Anything else they're unhappy about?
- Is the situation likely to escalate any further?

What actually happened? Russia is very interested in its post-Soviet era "satellites" and their ongoing and upcoming activities with NATO, and yes, in the U.S. interest in breaking the ice by organizing various military exercises, and, even worse from Russia's point of view, opening military bases and a country's airspace to the U.S. Air Force. Russia was basically underestimating Georgia's capabilities, its sensitivity to the reconnaissance, and its courage to go public with any findings, and later on acted as a wounded 800-pound gorilla feeling embarrassed.

Meanwhile, who's been killing all these journalists -- 42 since 1992 -- acting as society's watchdog, and was Anna Politkovskaya's assassination purposely carried out on Vladimir Putin's birthday to destabilize public opinion on the government's capability to solve the case, and to open up countless speculations on the similarities with Georgi Markov's case, who was also killed on a puppet's birthday?

It's the typical Fox Mulder situation: he knows everything about you, you know everything about him, do something to him and you make him a hero of a cause. So I feel organized crime isn't interested in Russia's social accountability and is destabilizing the process.

Related posts and resources:
Prosecuting Defectors and Appointing Insiders
A top level espionage case in Greece
India's Espionage Leaks
Intelligence
Espionage

Automated SEO Spam Generation

In a previous post, "An Over-performing Spammer", I commented on a scam message that was impossible both to read and to detect -- loading remote email images is both an infection and a privacy-exposing vector. In case you also remember, automated bots were also self-praising themselves over eBay back in August.

Just noticed a good example ( http://hsbc-internet-banking.1st-results-links-resource-7.info/No-Anti-Virus-Software-No-E-Banking-For-You/ ) of an automated SEO spam page generated out of my "No Anti-Virus Software, No E-banking For You" post:

"Welcome to the No Anti Virus Software No E Banking For You one stop website! We offer the best information, resources and links on this side of the planet, you will find no greater and more comprehensive source for all your No Anti Virus Software No E Banking For You needs! ONLY at our website, will you find every Top Quality information and knowledge resource website on the No Anti Virus Software No E Banking For You topic! Please Enjoy your stay at your #1 No Anti Virus Software No E Banking For You website, and do remember to bookmark, come again and tell all your friends!"

While it's amusing, Google seems to have already picked up the now disappeared subdomain. I wonder when, and whether, Google would utilize the "wisdom of crowds" concept and let users signal such search results the way it's already flagging blogs. From another perspective, web application vulnerabilities in domains Google is very fond of have the potential to undermine any web site rating initiative. Such spam pages aren't the big problem; the big problem is an ecosystem that allows the author to take advantage of the "upcoming search traffic" on a topic while exploiting the marketing window of an event.
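The quoted page is a template with one target phrase pasted into every sentence, which is exactly the property a search engine or a site-rating service can score for. The following is an added example, not code from the original post or from Google: a keyword-stuffing heuristic that finds the longest phrase repeated across a page body and measures what share of the page's words that phrase consumes. The spam sample is the paragraph quoted above; the clean control paragraph and the thresholds (three repeats, a phrase of at least three words covering 20% of the text) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample inputs. SPAM_TEXT is the auto-generated paragraph quoted in
# the post; CLEAN_TEXT is an ordinary paragraph written for this example as a control.
SPAM_TEXT = (
    "Welcome to the No Anti Virus Software No E Banking For You one stop website! "
    "We offer the best information, resources and links on this side of the planet, "
    "you will find no greater and more comprehensive source for all your No Anti Virus "
    "Software No E Banking For You needs! ONLY at our website, will you find every Top "
    "Quality information and knowledge resource website on the No Anti Virus Software "
    "No E Banking For You topic! Please Enjoy your stay at your #1 No Anti Virus Software "
    "No E Banking For You website, and do remember to bookmark, come again and tell all "
    "your friends!"
)
CLEAN_TEXT = (
    "Keeping anti-virus signatures current is one small part of safe online banking. "
    "Patch the browser, avoid links in unsolicited mail, and check the certificate "
    "before entering credentials. None of these steps is glamorous, but together they "
    "remove most of the easy wins an attacker relies on."
)


def tokenize(text):
    """Lower-case word tokens; case and punctuation are irrelevant to stuffing."""
    return re.findall(r"[a-z0-9]+", text.lower())


def ngrams(tokens, n):
    return [" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


def repeated_phrase(tokens, min_repeats=3, max_len=12):
    """Longest word sequence that recurs at least min_repeats times.

    Scans from long n-grams down to bigrams and stops at the first length with a
    qualifying phrase, so the whole stuffed keyword wins over its sub-phrases.
    Ties at one length go to the phrase that appears first in the text.
    """
    for n in range(max_len, 1, -1):
        counts = Counter(ngrams(tokens, n))
        phrase, count = max(counts.items(), key=lambda kv: kv[1], default=(None, 0))
        if count >= min_repeats:
            return phrase, count
    return None, 0


def stuffing_report(text, min_repeats=3, share_threshold=0.2):
    """Score one page body; 'share' is the fraction of all words taken up by the phrase."""
    tokens = tokenize(text)
    phrase, count = repeated_phrase(tokens, min_repeats)
    if phrase is None:
        return {"phrase": None, "repeats": 0, "share": 0.0, "stuffed": False}
    words_in_phrase = len(phrase.split())
    share = round(count * words_in_phrase / len(tokens), 3)
    return {
        "phrase": phrase,
        "repeats": count,
        "share": share,
        "stuffed": words_in_phrase >= 3 and share >= share_threshold,
    }


if __name__ == "__main__":
    for label, body in (("spam", SPAM_TEXT), ("clean", CLEAN_TEXT)):
        print(label, stuffing_report(body))
```

On the quoted sample the nine-word phrase recurs four times and accounts for roughly a third of the page's 107 words; the control paragraph has no phrase repeated three times at all. A real crawler would weight the same signal by where the phrase lands (title, headings, anchor text), but the body-text ratio alone already separates a template like this one from prose that merely mentions its subject.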

Thursday, October 05, 2006

SCADA Security Incidents and Critical Infrastructure Insecurities

A decent article on the topic of the most hyped cyberterrorism threat of them all -- a direct attack on the critical infrastructure of a country by attacking its SCADA devices. Despite increased connectivity and integration with third-party networks, for the time being it is misconfigurations and failures in maintenance that make their impact. What is critical infrastructure anyway? In the days when it used to be a closed network, that is, one isolated from the Internet and from performance-obsessed top management, dealing with threats benefited from the controlled environment compared to the open Internet. Converging both infrastructures to maximize performance and to project demand and supply, thus achieving cost-cutting and profits, results in the basic truth that polluting the Internet would inevitably influence what used to be the closed critical infrastructure one -- and it has already happened on several occasions. Incident in Australia:

"That was the case in Australia in April 2000. Vitek Boden, a former contractor, took control of the SCADA system controlling the sewage and water treatment system at Queensland's Maroochy Shire. Using a wireless connection and a stolen computer, Boden released millions of gallons of raw sewage and sludge into creeks, parks and a nearby hotel. He later went to jail for two years. Not surprisingly, U.S. companies are hesitant to talk about the security of their SCADA networks for fear they may give clues to hackers. But security consultants say problems with them are widespread. Allor's company, for instance, regularly does audits of SCADA systems at major installations such as power plants, oil refineries and water treatment systems.

Almost invariably, Allor said, the companies claim their SCADA systems are secure and not connected to the Internet. And almost invariably, he said, ISS consultants find a wireless connection that company officials didn't know about or other open doors for hackers. Realizing the growing threat, the federal government two years ago directed its Idaho National Laboratory to focus on SCADA security. The lab created the nation's first "test bed" for SCADA networks and began offering voluntary audits for companies."

And more security incidents, courtesy of Filip Maertens' Cyber threats to critical infrastructures slides:

- 1992 -- Chevron -- Emergency system was sabotaged by a disgruntled employee in over 22 states
- 1997 -- Worcester Airport -- External hacker shut down the air and ground traffic communication system for six hours
- 1998 -- Gazprom -- Foreign hackers seize control of the main EU gas pipelines using trojan horse attacks
- 2000 -- Queensland, Australia -- Disgruntled employee hacks into sewage system and releases over a million liters of raw sewage into the coastal waters
- 2002 -- Venezuela Port -- Hackers disable PLC components during a national unrest and general workers' strike, disabling the country's main port
- 2003 -- U.S. East Coast blackout -- A worm did not cause the blackout, yet the Blaster worm did significantly infect all systems that were related to the large-scale power blackout
- 2003 -- Ohio Davis-Besse Nuclear Plant -- Plant safety monitoring system was shut down by the Slammer worm for over five hours
- 2003 -- Israel Electric Corporation -- Iran-originating cyber attacks penetrate IEC, but fail to shut down the power grid using DoS attacks
- 2005 -- Daimler Chrysler -- 13 U.S. manufacturing plants were shut down due to multiple Internet worm infections (Zotob, RBot, IRCBot)
- 2005 -- International Energy Company -- Malware-infected HMI system disabled the emergency stop of equipment under heavy weather conditions
- 2006 -- Middle East Sea Port -- Intrusion test gone wrong. ARP spoofing attacks shut down port signaling system
- 2006 -- International Petrochemical Company -- Extremist propaganda was found together with text files containing usernames & passwords of control systems

Go through the results of the Cyberstorm cyber exercise, and a previous post on The Biggest Military Hacks of All Time, to grasp the big picture of what cyberterrorism and asymmetric warfare is all about.

Terrorist Letters and Internet Intentions

A juicy, recently de-classified letter to Zarqawi, courtesy of the Combating Terrorism Center, reveals possible intentions for Internet-based communications:

"We advise you to maintain reliable and quick contact, with all the power you can muster. I am ready to communicate via the Internet or any other means, so send me your men to ask for me on the chat forum of Ana al-Muslim, or others. The password between us is that thing that you brought to me a long time ago from Herat. Then, after that, we would agree with them about e-mails, or you should instruct your men who are in the country that I live in to develop communications with us. We are ready to write to you and to consult with you regarding opinions anytime directly. “By the time, Surely man is at a loss, Except for those who believe and do good, and exhort one another to Truth, and exhort one another to patience."

A rather primitive suggestion compared to the alternatives; it sounds more like a loyal jihadist trying to demonstrate his determination to make an impact. The other day I came across an article mentioning the possibility of "suicidal hackers", that is, hackers who don't care whether they'll be caught in a possible information warfare scenario -- Chinese hackers have been utilizing the power of the masses, thus disinforming on the actual sophistication of the attack and directing traceback efforts to script kiddies.

However, in this case that's an example of a suicidal jihadist.