RAAF website defaced

Atul Dwivedi, an Indian hacker, paid a visit to the Royal Australian Air Force (RAAF) last Monday by defacing their website.

This incident comes amid a rise in violence targeted towards Indian natives in Australia, and Dwivedi apparently protested this situation by leaving a message on the website:

“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”

Racist incidents against Indian students in Australia have increased in recent months

The site is now up and running as normal. Of course, the webserver wasn’t connected to any internal network and didn’t contain any classified information, according to a spokeswoman:

“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information,”[1]

Microsoft products are used in pretty much all Western armed forces, so it’s safe to assume the webserver used by the RAAF is probably running IIS. Of course, IIS implies a Windows machine, and a Windows Server machine means that everything is almost certainly Microsoft-based. Of course, we can now verify those claims: according to David M Williams from ITWire[2], the website is hosted through Net Logistics, an Australian hosting company. The aforementioned article tries to explain the hack with the use of exploits, which might have been the way Dwivedi did it, but the analysis is quite simple and lacks depth. The site still has an excellent link to a blog detailing the WebDAV exploit; see below for the link.

It’s also not impossible that Dwivedi tricked someone into giving out too much information. Social engineering can do a lot and is usually easier than technical exploits. The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up people in the RAAF on Facebook or another social networking site and then try to pose as them.

Then also, why not look for the FTP server? And God knows what else the server is running; maybe an SMTP server also (and it probably does). Now I wouldn’t suggest doing this, but running a port scan would probably reveal a lot of information. Moreover, web vulnerability tools like Nikto could help find misconfigured settings in ASP or forgotten test/setup pages and files. Up to that point, only two things are important: information gathering and imagination.
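Seen from the defender's side, the probing described above leaves traces in the web server's own logs. The following is an added example, not code from the original post: it parses IIS W3C extended logs and flags clients that use verbs a public site should not see, announce Nikto in their User-Agent, or rack up 404s while hunting for leftover pages. The sample log, IP addresses, reason labels and threshold are constructed assumptions.

```python
from collections import defaultdict

# Verbs a read-only public site should never see; most are WebDAV extensions.
UNEXPECTED_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                    "LOCK", "UNLOCK", "PUT", "DELETE"}
SCANNER_UA_MARKERS = ("nikto",)  # Nikto's default User-Agent names the tool
NOT_FOUND_THRESHOLD = 3          # assumed value; tune to the site's traffic

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2009-07-20 01:10:02 192.0.2.10 GET /index.asp 200 Mozilla/4.0+(compatible;+MSIE+7.0)
2009-07-20 01:12:40 198.51.100.7 OPTIONS / 200 -
2009-07-20 01:12:41 198.51.100.7 PROPFIND /files/ 207 -
2009-07-20 01:12:45 198.51.100.7 PUT /files/test.txt 201 -
2009-07-20 01:20:00 203.0.113.5 GET /test.asp 404 Mozilla/4.75+(Nikto/2.03)
2009-07-20 01:20:01 203.0.113.5 GET /setup.asp 404 Mozilla/4.75+(Nikto/2.03)
2009-07-20 01:20:01 203.0.113.5 GET /install.asp 404 Mozilla/4.75+(Nikto/2.03)
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))  # malformed lines are skipped

def find_recon(text):
    """Return {client_ip: sorted reasons} for clients that look like probing."""
    reasons, not_found = defaultdict(set), defaultdict(int)
    for req in parse_w3c(text):
        ip, verb = req["c-ip"], req["cs-method"].upper()
        agent = req.get("cs(User-Agent)", "").lower()
        if verb in UNEXPECTED_VERBS:
            reasons[ip].add("unexpected-verb:" + verb)
        if any(marker in agent for marker in SCANNER_UA_MARKERS):
            reasons[ip].add("scanner-user-agent")
        if req["sc-status"] == "404":
            not_found[ip] += 1
    for ip, count in not_found.items():
        if count >= NOT_FOUND_THRESHOLD:
            reasons[ip].add("404-burst")
    return {ip: sorted(found) for ip, found in reasons.items()}

if __name__ == "__main__":
    for ip, found in find_recon(SAMPLE_LOG).items():
        print(ip, ", ".join(found))
```

A User-Agent match only catches scanners left on their defaults, so the verb and 404 checks carry most of the weight.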

See also:

“Hacker breaks into RAAF website”, AAP, Brisbane Times, July 16, 2009, http://news.brisbanetimes.com.au/breaking-news-national/hacker-breaks-into-raaf-website-20090716-dmrn.html accessed on 2009-07-17

“WebDAV Detection, Vulnerability Checking and Exploitation”, Andrew, SkullSecurity, May 20, 2009, http://www.skullsecurity.org/blog/?p=285 accessed on 2009-07-17


[1] “Indian hacks RAAF website over student attacks”, Asher Moses, The Sydney Morning Herald, July 16, 2009, http://www.smh.com.au/technology/security/indian-hacks-raaf-website-over-student-attacks-20090716-dmgo.html accessed on 2009-07-16

[2] “How did Atul Dwivedi hack the RAAF web site this week?”, David M Williams, ITWire, July 17, 2009, http://www.itwire.com/content/view/26344/53/ accessed on 2009-07-16

A Brief Overview of the Cyber Command

As more and more of the infrastructure of modern societies becomes internetworked, the authorities are taking more notice of the disasters that could happen if those networks were attacked and controlled by malicious individuals. Based on that, the U.S Secretary of the Air Force announced the creation of AFCYBER, the Air Force Cyber Command, whose mission “will be to provide combat ready forces trained and equipped to conduct sustained global operations in and through cyberspace, fully integrated with air and space operations”[1]. Let’s go deeper into this interesting new agency and see if it can actually meet the challenges of this century.

Origins

U.S Air Force Cyber Command Shield

The United States government released in February 2003 a 76-page document titled “The National Strategy to Secure Cyberspace”. This document recommended numerous solutions and actions to better protect the American cyberspace. One of these actions is to “Improve coordination for responding to cyber attacks within the U.S. national security community”[2]. Based on that recommendation, the former U.S Secretary of the Air Force, Michael W. Wynne, decided to establish a cyberspace command. He also stated:

“The aim is to develop a major command that stands alongside Air Force Space Command and Air Combat Command as the provider of forces that the President, combatant commanders and the American people can rely on for preserving the freedom of access and commerce, in air, space and now cyberspace”[3]

It was then decided that the 67th Network Warfare Wing and some elements of the 8th Air Force would serve as the core of the new command. It’s interesting to note that the 67th “organizes, trains, and equips cyberspace forces to conduct network defense, attack, and exploitation.” Therefore, the Air Force already had a unit trained to conduct cyberspace operations and, more interestingly, this unit was also trained to conduct attacks, not only defensive operations. Thus, in 2006 the Air Force Cyberspace Command (Provisional) unit was put into place, but it faced many difficulties. The first was to define the term “cyberspace”, define the command’s operations, find a location to base the unit, then find the personnel, define all their functions, train them and organize the unit. Those challenges were perfectly summarized when Maj. Gen. William T. Lord answered a Slashdot user about the location of the new command:

“I would hope that no matter where it was located, we would still be able to attract the talent needed to work in this exciting command and that all communities see the need to protect this domain[4].”

Attracting specialists and talented individuals is getting harder and harder. The private sector in technology is still offering, for now at least, good opportunities for graduates. Maybe that’s why AFCYBER touted its creation and development with TV ads and advertisements all over the web. A great mistake, as it opened the command to greater scrutiny from the public and observers, who would now be able to witness the success or the failure of the new command…

And not only did it have difficulties organizing itself, it was in competition with other similar services of the military, with the Navy (Naval Network Warfare) and Army already having such organizations, without forgetting about organizations such as the National Security Agency (NSA).

Even with the aforementioned difficulties, “We’ve figured all that out,” said General Lord in October this year. “We’ve outlined how to organize cyber forces, i.e., what capabilities fall into, or not into, a cyber organization”[5].

Dismay

The optimism expressed in Lord’s comment was hard to share. One month earlier, the establishment of the Cyber Command was suspended and the transfers of units were halted[6]. In June, different actors were still discussing whether the command should concentrate on defense and protection or whether it should also conduct offensive operations[7]. The ever-growing size of the command and the confusion about which operations the unit was to conduct were slowing any progress, all amid numerous other Air Force scandals about nuclear management, which later caused Wynne to resign from his post.

As of October 8, 2008, the Air Force decided that the Cyber Command will finally be a numbered unit under the Air Force Space Command, as told by Staff Gen. Norton A. Schwartz (see previous post “U.S Air Force Cyber Command is Working on a new Roadmap”, October 24, 2008). After 2 years, it seems that very little has been accomplished. We still have no idea of the structure, the size or even the mission of the unit. Although Colorado Springs[8] is apparently the preferred location, no official location has been designated yet.

Will it work?

To be successful, any cyber unit must first emphasize constant research into new vulnerabilities in order to take the lead. It’s not just about looking at logs and waiting for an attack to occur. Any serious cyber warfare unit must cooperate with every actor in the computer security field, not only corporations or universities, but also hobbyist groups, hackers and phreakers, in order to always have the initiative. As information is always distributed at blazing speed throughout the net, and nothing stays secret for long, constant research and detailed analysis are needed to discover new vulnerabilities. Yet all those actors have been, as far as I know, ignored or forgotten.

U.S Navy Network Warfare Logo

Also, offense is the best defense. Why should a military organization concentrate only on defensive operations? It even goes against American principles of war, as it ignores the “Offensive” principle, leaving the initiative to the enemy. This is clearly not a sound decision. It ignores the basic concepts of warfare. I believe this is mostly due to a certain mentality in the military leadership, which still regards technology as support for troops instead of a fully fledged battlefield. This reasoning needs to change if we are to develop real cyber warfare operations. This is certainly something the Chinese understood.

I believe it will, if this unit becomes reality, become an administration-bloated unit that will miss the point. Quantity is never a remedy for the lack of quality. A small but highly trained and skilled unit of hackers can do a lot more than a legion of technicians. The important part of cyber warfare is always to stay ahead, since as soon as a hole or exploit is found, the enemy will patch it, making it obsolete; hence the need to find the next security vulnerability. Therefore, we don’t need a bigger bureaucracy, but more research, more cooperation with existing similar units and agencies, and a strong offensive capacity such as the Chinese government seems to have developed. The 67th Network Warfare unit and the Naval Network Warfare Command would be able to implement those capacities with the appropriate funding and support.

This command, which seemed like an important step toward cyber warfare, now seems to have become a botched concept that is unlikely to be of any use, except for others to look upon and learn from its mistakes. The U.S Navy also has plans for a Naval Cyber Command[9], but they have been a lot quieter about their project, maybe so they won’t suffer the same humiliation as their colleagues.

Conclusion

As governments are realizing the potential threats from a cyber war, agencies are organizing themselves to protect and defend their cyberspace. The U.S Air Force Cyber Command was based on this premise and would have been a good idea…if anyone had any idea of what they were talking about. Instead, it became or will become an administrative burden that failed and that will give little or no results. In the end, the “Cyber Command”, or what’s left of it, will be another organization whose goals will be the same as those of the other agencies already in place, with no new value or innovative ideas… While western nations are struggling to grasp the concept of cyber warfare, others are developing a very well organized and effective effort to disrupt our systems. Cyber war is won by being a step ahead…and we’re not…


[1] Lt. Col. Paul Berg, “AFCYBER: What it will do and why we need it”, March 26, 2008, http://www.afcyber.af.mil/news/commentaries/story.asp?id=123091666 (accessed on October 24, 2008)

[2] The National Strategy to Secure Cyberspace, February 2003, U.S. Department of Homeland Security, p.13

[3] Staff Sgt. C. Todd Lopez, “8th Air Force to become new cyber command”, November 3, 2006, http://www.af.mil/news/story.asp?id=123030505 (accessed on October 24, 2008)

[4] “Air Force Cyber Command General Answers Slashdot Questions”, March 12, 2008,  http://interviews.slashdot.org/article.pl?sid=08/03/12/1427252 (accessed on October 26, 2008)

[5] Karen Petitt, “One year later: Provisional team lays groundwork for Air Force cyber mission assurance”, October 1, 2008, http://www.afcyber.af.mil/news/story.asp?id=123117666 (accessed on October 24, 2008)

[6] Bob Brewin, “Air Force suspends Cyber Command program”, August 12, 2008, http://www.nextgov.com/nextgov/ng_20080812_7995.php (accessed on October 24, 2008)

[7] Noah Shachtman, “Air Force Suspends Controversial Cyber Command”, August 13, 2008, http://blog.wired.com/defense/2008/08/air-force-suspe.html (accessed on October 24, 2008)

[8] Tom Roeder, “Air Force regroups command’s duties”, October 7, 2008, http://www.gazette.com/articles/command_41568___article.html/air_force.html (accessed on October 26, 2008)

[9] Lewis Page, “US Navy also planning Cyberwar Command”, October 14, 2008, http://www.theregister.co.uk/2008/10/14/us_navy_cyber_too/ (accessed on October 24, 2008)

U.S Air Force Cyber Command is Working on a new Roadmap

A new roadmap will be written for the reorganization of what was once the U.S Cyber Command. The project was downgraded from a major command to a numbered unit on October 8 by Staff Gen. Norton A. Schwartz. The cyberspace mission of the Air Force will be part of the Air Force Space Command. Both organizations are now working on ways of working together to fulfill the Air Force commitment to protect cyberspace.

“This is not an additional duty for us,” General Kehler said. “We are in this 100 percent, and we will dedicate the manpower and resources needed to make this transition work. This is not just building a cyber numbered Air Force. This is establishing a robust cyberspace capability for our Air Force, and there won’t be a huge difference in what was being presented originally — cyber being its own command — with what will be done under Air Force Space Command’s umbrella.”[1]

The more I read about the Air Force Cyber Command, the more I believe it’s going to end up as it started. In the end, this is about the 67th Network Warfare unit transferring to the Air Force Space Command from the 8th Air Force. This is a wasted opportunity for the Air Force.


[1] “Air Force leaders work to develop cyberspace roadmap”, October 24, 2008, http://www.af.mil/news/story.asp?id=123121153 (accessed on October 25, 2008)