Anxious mindset in the panic department

In recent days, opinions on the likelihood of the cyber attacks being repeated at the end of April have started to reach the media. In yesterday's EPL Online item, for example, Dmitri Kuznetsov arrives at a risk estimate of 50:50, but that should probably be read as "opinions differ". All the remaining information revolves around there supposedly being some rumour that a botnet is being assembled, and so on. So let's look at where this rumour is circulating:

All of them revolve around Dmitri Kuznetsov: cybersecurity.ee names no author, but it appears to be his project, as do the sites it links on to, such as hermitage.ee (and PIT Consulting, of course). On infosecurity.ee the topic is covered by Dmitri, Arvutikaitse.ee refers to Dmitri, and so on.

In other words, we have one diligent information-security salesman actively spreading a "rumour" that has already grown into a 50:50 risk analysis. I spoke with Dima, who was also kind enough to put me in touch with the source of his estimate, and I did not get even a single hint that anyone, anywhere, has ever established any connection whatsoever between May Day and a potential attack.

I felt better right away. I had been afraid that I might have wronged Dima by mentioning an "anxious mindset" in my quote to EPL, but it turns out I was right. And a suggestion for the mainstream media: when two of the three people interviewed give parable-style answers about Christmas trees and candles, you might rather write the story about why the third expert surfaced so abruptly with his news. The story would be punchier, and of real use to readers as well.

Posted in cybercrime, security. Comments and trackbacks are closed.

8 Comments

  1. Added 10 Apr 2008 at 11:12

    When, about a week ago, I read the anxious opinion on this topic of an expert with an Estonian-sounding name in addition to Kuznetsov, I did get the feeling that such an "anxious mindset" is precisely what classic textbook wisdom names as the goal of every political bad actor (including, for instance, a terrorist). Attacking a system (such as a skyscraper) is not in itself the bad actor's goal. His goal is to make the system's owner behave inadequately. In justifying that inadequacy, however, the system's owner unfortunately spreads the bad actor's message and writes his name in bold letters on the front pages of the dailies. Next time the bad actor only needs to lift a finger, once everyone is already cultivating "anxious thoughts". The staple of PsyOps is, after all, to spread rumours about your enemies, and they will devour each other or themselves without you having to force them to :-)

  2. Added 10 Apr 2008 at 13:13

    … and as if on cue, today's Turu-uuringute AS survey of what Estonians fear:

    http://www.postimees.ee/100408/esileht/siseuudised/323022.php

    "The most probable threats that may loom over Estonia in the coming years are considered to be extensive marine pollution and cyber attacks"

    Q.E.D.

    lauri

  3. Piisavalt huvitatud leiavad üles ("Those interested enough will find it")
    Added 10 Apr 2008 at 23:13

    There is one more aspect here.

    Last year, after the April events, Dmitri Kuznetsov wrote an article about the cyber attacks for the Zone-H portal that was very one-sided and pro-Russian. Quite quickly, however, the article was taken down under pressure from the owner.

    Rumours in general are such that activities can be steered, and even initiated, through them. Even a cyber attack, if none had been planned before. It remains to be puzzled out whose interests the Russian finance director of one security company in Estonia is serving?

  4. Added 13 Apr 2008 at 20:47

    Fine. Then I am the "bad prophet"; the devil take you, neighbours.

  5. Added 14 Apr 2008 at 05:58

    Well, look, prophets can be classified as bad from different standpoints. For example: A because they bring an unwelcome message, B because they create self-fulfilling prophecies, C because the prediction's only function is advertising for the prophet.

    Please produce the information that confirms your claims. If you cannot show it to me, then present it to the cert.ee people or to the banks, and on the basis of their assessment I will be willing to admit that I was wrong about you and your sources.

  6. Added 14 Apr 2008 at 09:09

    On the banks, this much: http://www.arileht.ee/?artikkel=425105.

    Does it count? I hope so :)

  7. Added 14 Apr 2008 at 09:34

    Yes, this is yet another example of a story where the piece is about one thing while the headline reflects the editor's wish to cultivate an anxious mindset. And none of the interviewees manages to say outright that instead of fetishising one particular case, one should talk about the bigger picture.

  8. Added 14 Apr 2008 at 15:21

    Someone else commented here that I wrote a hostile article. But I wrote what would otherwise have gone to The Times. Unfortunately the link doesn't work, and I can't be bothered to go browsing for it a year later.

    Estonian Cyber attacks – was it a war?

    The smallest former Soviet republic, Estonia, has recently been the target of the largest and most sustained cyber attack recorded to date. Dmitri Kuznetsov, an Estonian and director of the Zone-H organisation, which monitors digital attacks and is also based in Estonia, presents his experiences of these attacks.

    Estonia, with its population of less than one and a half million inhabitants, has a very modern IT infrastructure and is considered one of the most wired countries in the world.

    Economists believe that much of Estonia's economic success has been due partly to its status as an "e-society," with paperless government and electronic voting during the first digital elections, which took place in 2007.

    Russia and Estonia recently found themselves in their worst dispute since the collapse of the Soviet Union. Following the riots that filled the narrow streets of beautiful Tallinn at the end of April over the Estonians' removal of the Soviet Bronze Soldier war memorial in the centre of the capital, the tiny country has been subjected to a form of cyber warfare. The arguments that started on the streets quickly moved onto the Internet, which in this day and age is no surprise.

    Consider that Internet users with Cyrillic keyboards represent a potential population of 300 million people, located worldwide. Imagine the traffic this group can create! It can easily block the international connections that link this small Baltic country with the rest of the world.

    Let me briefly go over the chronology of the conflict and describe my feelings as an advanced user of the Web:

    The attacks began on April 27, a Friday, within a few hours of the war memorial's relocation. I saw it with my own eyes, and Estonian officials have confirmed that in some Russian-language Internet forums, instructions were posted on how to disable 'targets' – Estonian government websites – by overwhelming them with traffic. This attack was not well co-ordinated, and a summary of the "battle cry" of this "first wave" of attackers can be described as "Let's ping an Estonian server!" As a result, a lot of people joined in!

    The Web sites of the Estonian president, the prime minister, Parliament, government, and a great majority of ministries, the police and digital media were quickly overloaded with traffic, causing them to shut down.

    Hackers defaced other sites, putting, for instance, an Adolf Hitler moustache on the picture of Prime Minister Andrus Ansip and posting a fake letter of apology for ordering the removal of the highly symbolic statue on his political party's Web site.

    At this time I should point out that media around the globe were speculating that the wave of attacks was directed from the Kremlin. If it were established that Russian officials or officers were behind the attacks, it would be the first known case of one state targeting another by cyber-warfare.

    U.S. government officials said that the nature of the attacks suggested they were initiated by "hacktivists" – technical experts who act independently from governments and are motivated by political views. Despite some traces leading to state infrastructures, several respectable NATO experts formulated that the "zombiing" of state computers in Russia was more likely to be a side-effect of the hacking and an oversight by Russian state computer security staff, who in any case were involved in the May 1 (Labour Day) to May 9 (Victory Day) celebrations in Russia.

    Moscow has offered little help in tracking down people who the Estonian government believes may be involved.

    I am something of a globetrotter and was abroad at the time of the attacks. I was staying in South Africa at the beginning of May. How did I feel? Well, I had an enormous thirst for news of what was going on in my homeland. I wanted to read my emails, but could not reach my office mail server, and the public mail service was also offline. I was very frustrated at the lack of information, and that was awful.

    The second wave of attacks started around 9th May. This time, the attackers started to use a giant network of 'bots'. However, the help provided by Russian cyberdefenders and law enforcement bodies made some sense. As a result of that, as many as one million computers in places as far-flung as the United States and Vietnam were involved. The botnet tactic enables attackers to amplify the impact of a malicious assault. In a sign of the financial resources available to the bad guys, there was evidence of them paying for rented time on other so-called botnets and ordering spamming campaigns. This can be arranged for as little as 200-300 dollars for 10 million junk mail messages these days.

    The second wave of attacks was causing major problems to the service of two major banks in Estonia, serving the majority of the population and businesses in Estonia. Although it is very difficult to give an accurate estimate of the damage caused by suspicious activity, the largest bank – Hansabank – has said that the damage was in the region of 1 million dollars within 24 hours.

    On the afternoon of May 10, the attackers' time on the rented servers expired, and the botnet attacks fell off abruptly. All together, Arbor Networks measured dozens of separate attacks. The 10 largest assaults blasted streams of 90 megabits of data per second at Estonia's networks, lasting up to 10 hours each. That is a data load equivalent to downloading the entire Windows XP operating system every six seconds for 10 hours. The last major attack took place on May 18.

    What about my personal experience of that time? Since I was "inside" the country, which was frequently cut off from the rest of the world, I did not notice the harmful impact of the "second wave", except when I was trying to use Internet banking to pay my taxes, a legal requirement in Estonia on the 10th day of each month. A small tax penalty for a day of delay due to problems with accessing the bank is the evidence of the damage our company suffered directly, along with many others.

    We at Zone-H are in a privileged position to comment on this wave of attacks, as it's our mission to monitor and report on digital crime. At the time of writing, the massive attacks on the national infrastructure have subsided, but the current period can be described as "full of minor suspicious activities". The struggle with assaults continues daily.

    For example, our website http://www.zone-h.org, "an observatory of digital crime" that is hosted at Elion, the largest Estonian ISP, is constantly flooded by a significant (600 to 800MB per second) DDoS attack and remains offline. This prevents us from achieving our main objective: to archive defacements around the world. However, this is our main headache, and we are struggling to get rid of it for the time being.

    There are also rumours about 'botnet herders' trying to get control over huge numbers of ordinary people's computers, which could then unwittingly become part of a huge bot network.

    To summarise:

    The communications infrastructure that was originally scoped to address the network needs of 1 million users (the population of the country) needs upgrading, as it was not capable of resisting these attacks. The "peak pressure" generated during the worst attacks in some cases totalled as many as four million requests per second! And the only option to stop the whole country going offline was to block all access from some countries where most of the attack traffic was coming from.

    The use of botnets in this way illustrates how a cyber attack on a single country could also "ensnare" many other countries where the attacks are generated, leading their cyberdefenders to many sleepless nights at work.

    Estonian cyberguards have become adept at filtering out malicious data and may be able to offer practical advice and experience to their colleagues around the globe.

    Many ordinary Estonians would surprise any computer journalist by understanding the meaning of a DoS attack, and everyone in this connected society can tell you their personal story of the attack.

    Was it a 'Cyberwar' or a 'Cyber assault'? I would describe it as the latter. Since I am able to send this article to my colleague at NCC Group in the UK, there is no complete failure of infrastructure, and although it looked like a war and felt like a war to those involved, perhaps the devastating computer attack on Estonia is just something new that needs a new word to describe it.

    Links to interesting publications in western media that were partly used for reference in the article:

    http://www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html

    http://www.theinquirer.net/default.aspx?article=39714

    http://www.guardian.co.uk/russia/article/0,,2081438,00.html

    http://www.nytimes.com/2007/05/29/technology/29estonia.html?ex=1181707200&en=398fd9c56a5265b7&ei=5070

    http://www.iht.com/bin/print.php?id=5901141

    http://www.networkworld.com/community/?q=node/15717

    Does it look awful?