
The Imagination of Security

By Professor John Walker. January 13, 2015. Updated: June 21, 2021.

It was about 16:00 on Friday, the 7th of November, when I received a call from my University [Nottingham Trent] requesting an interview with a local BBC station about the news that the Nottinghamshire Police web site had been defaced. I immediately began investigating the incident. First, I looked at the site, which at the time was displaying a blank page. However, by pulling back some previously cached information, I was able to see the problem – it had been compromised and was displaying an image along with some misspelt text:

“We are here to punish you ! since you have been suporting israel because we are the voice of Palestine and we will not remain silent!”

Fig 1 – The Hacked Nottinghamshire Police Site


This is, of course, just one of the many security issues, compromises, and systems failures that are now becoming commonplace. Granted, this was an isolated attack that, as it turned out, was carried out by the hacktivist group AnonGhost. Nevertheless, it does raise the question: why would a pro-Gaza group waging cyber war on Israel attack this target? Given that AnonGhost do not always see eye-to-eye with Anonymous, it could have been a case of one group setting the other up. Or was it simply a case of a deficient security profile that was too juicy for passing attackers to ignore? After all, it did make the news.

Let us consider the overall implications of the specific case explained above. In this example, it is highly unlikely that any data of value was accessed. But then again, in an attack targeted against the Royal Navy URL on 5th November 2010 [note the proximity of the date], a hacker gained access to the target using an easy SQL injection exploit and subsequently published some stolen information, which included user names and passwords of the site’s administrators. Here we see a similarity in the MO between these two attacks.

But all that said, let’s focus on past events, all of which tend to attest that when it comes to Cyber Security, and the tipping point where it meets the Cyber Threat, we can, and must, do better if logical stability and trust are to be maintained in an era in which we have adopted technology as what appears to be the prime supporter of most of our social life, businesses, and just about everything else we rely on to survive in the age of ‘bits-and-bytes’. We have experienced the Bank of England CHAPS critical system going off-line for almost a day for some unknown reason, impacting millions of transactions and, with them, real lives. And we have observed yet more security breaches and compromises, which have again exposed millions of sensitive records relating to clients and big businesses to the world of cyber criminality – events which once would have shocked, yet now do not even make the evening news. It would seem we have become desensitised to the fact that insecurity is to be expected.

Let us return to the defacement of the web site which occurred on the 7th of November and consider the overall implications. In this example of a Cyber Compromise it is highly unlikely that any data of value was accessed, and thus we may assume that, on this occasion at least, we can enjoy some solace. But compare it with another event, which impacted the Royal Navy URL on 5th November 2010 [note the proximity of the date], when a hacker gained access to the target using an easy SQL injection exploit. On that occasion the attacker, known as TinKode, published details of the recovered information, which included user names and passwords of the site’s administrators, so here we see a similarity in the MO.

Fig 2 – Royal Navy Hack 2010


The current event impacting the Nottinghamshire Police comes at a very bad time, as senior officers have already admitted their capabilities in the arena of Cyber are not adequate, and so the impact here is more reputational and embarrassing in relation to UK Police capabilities. However, the underlying issues, as with the previous Royal Navy defacement, would seem to relate to the maintenance of adequate and robust security profiles which close off the known points that may be leveraged for the purpose of exploitation. In the case of this current attack, the site is still hosting interesting surfaces of Open Source Intelligence [OSINT], providing additional titbits of information to the potential attacker to support their mission of adversity. And just to add a little credibility to the statement, even without any form of direct hack or incursion against the Notts Police site, it is still possible to identify Administrator Accounts, User Names, Generic Accounts, and a host of other materials containing subliminal information of potential intelligence interest – AKA the unknown published artifacts which serve attackers so very well in their mission of preplanning and footprinting.

The absolute bottom line must now be that if we are to evolve our services, public agencies, and commercial organisations to leverage the Internet in pursuit of organisational interests, security must not be considered as an area which is only applicable when it is proven not to work – we must be proactive and engaged, identify the potential areas of unknown unknowns, and embrace security with the same imagination and gusto as our adversaries, who would seem to be so very successful in their mission of researching and capitalising on insecurities.

http://www.bbc.co.uk/news/uk-england-nottinghamshire-29951605

Professor John Walker

John is the Principal at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham Trent University (NTU) and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle and Far East to Commercial, Industrial, the Financial Services Sector, and Military Agencies, including the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina, and Sao Paulo.

He served in the Royal Air Force for 22 years, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG, and others in the fields of SIGINT, COMINT and Satellite Communications, holding appointments such as System ITSO for a CIA SCIF.

In the commercial sectors of IT/Cyber he has worked for/with Logica, BAE, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons, TSol (Treasury Solicitors) and provided Consultancy to the Saudi Arabian MOD, TRA (Telecommunications Authority, Dubai) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).
