At the beginning of January, a self-described Saudi Arabian hacker known only by the handle 0xOmar claimed he had posted details of 400,000 Israeli credit cards online. The target was commercial assets, but the message of the attack was political: in online statements he said that he belonged to “the largest Wahhabi hacker group of Saudi Arabia,” which counted among its targets credit card accounts used to donate to “Israeli Zionist Rabbis.” It was the first salvo in a series of attacks the regional press has come to describe as “cyber warfare” between Arab and Israeli hackers this month.
Days after his first leak, 0xOmar posted online another batch of information on 11,000 Israeli credit cardholders, though Israeli banks said altogether only 20,000 credit card accounts had been compromised. Soon after, an Israeli hacker calling himself ‘0xOmer’ went online to announce he had posted names, email addresses, phone numbers and credit information of 217 Saudi Arabian credit cardholders. 0xOmar promptly released online the information of another 200 Israeli cardholders, and upped his rhetoric.
More Arab credit card accounts were posted online in response, and the hacking then moved on to larger commercial targets, as the websites of the Tel Aviv Stock Exchange, El Al Airlines and several Israeli banks were disrupted. Israeli hackers responded, attacking the Abu Dhabi Securities Exchange and Tadawul, Saudi Arabia’s exchange, then the United Arab Emirates’ Central Bank website and that of the Arab Bank Palestine. The Israeli hackers said their actions were also politically motivated. “You can call this a Zionist revenge,” the hackers told Israeli newspaper Yedioth Ahronoth.
The incidents highlight the ability of cyber criminals to carry out attacks across borders, even when corporations are aware of their threats. They also demonstrate how digital disruptions could become a tool in state conflict. The Middle East is considered a boom market for cyber security; according to RNCOS research, the regional market for IT security software is expected to grow at a CAGR of over 34% from 2010 to 2013. But the mixing of historical political disputes with cybercrime and cyber vandalism gives online threats in the region a distinct tinge.
“The question that then arises is how can organizations and individuals protect themselves,” says Gurpreet Dhillon, professor of information security at Virginia Commonwealth University. “It is no longer the question of buying an ever so complex lock. It is more about ensuring that the key to the lock is not compromised. Part of the exercise is about awareness. Many of the social engineering attacks go unnoticed because individuals do not know about the nature and scope of the attack. Many organizations are also ill-prepared to deal with cyber threats.”
A Binary Explosion
Former Central Intelligence Agency and National Security Agency director Michael Hayden was the main guest speaker at a recent conference on cyber security in the United Arab Emirates capital of Abu Dhabi. He too noted how forces from the online world had intertwined themselves with the region’s politics, reflecting on the experience of Egypt’s social media-fueled protests that led to the ouster of then-President Hosni Mubarak.
“Omar Suleman [the former head of the Egyptian intelligence service] was a very good intelligence officer,” Hayden said. “Omar Suleman was so good at his job that he was able to keep Mubarak in power against all opposition for more than three decades. And yet, the immolation of a fruit merchant in a small Tunisian city set in motion a revolution enabled by the cyber world, enabled by social media.
“A few weeks later there were a million people in Tahrir Square in Cairo, calling for the overthrow of the Egyptian government. In other words, all of Omar’s skills he used to maintain support for Mubarak were insufficient to meet the volume, and the velocity of what was coming at him, enabled by this domain.”
In the modern world, Hayden said, few countries don’t perform espionage. And the role of the NSA, he said, was to do that electronically. “It’s the American intelligence organization that does what we call computer network exploitation. Which means, getting on someone else’s network where we are not welcome and extracting information from that network.”
“I can tell you American policy. We steal secrets, you bet. But we steal secrets essential for American security, safety and liberty. We don’t steal secrets for American commerce, for American profit. There are many other countries around the world, that do not self-limit so.”
Hayden dwelled upon another instance of cyber subterfuge coupling with real-world politics in the Middle East — the development of the Stuxnet computer virus in 2010, which was allegedly deployed by the U.S. and Israel to hobble Iran’s nuclear weapons program, crashing entire cascades of uranium enrichment centrifuges.
“Someone, almost certainly a nation state, felt it was a legitimate act of self-defense or counter-proliferation, to use a cyber weapon to create physical destruction in something that another nation would almost certainly describe as their critical infrastructure.
“A cyber weapon was used to destroy a nation’s critical infrastructure. That’s a big deal. To use an example from history, that’s an army crossing the Rubicon. That’s a legion on the wrong side of the river. Our world is different now. Someone just moved us into a new era. Someone just used ones and zeros to make something go bang.”
Still Cyber Thieves
Computer security experts and analysts say that despite the politics on display with many of these cyber threats in the region, the goal for many attacks is still simple thievery. Estimates of its scale vary wildly. According to the United Nations Interregional Crime and Justice Research Institute (UNICRI), cyber criminals netted an estimated US$240 million globally in 2007. But Symantec, the publisher of the Norton security software, released a report last September pegging the cost of global cyber crime at US$114 billion a year.
Nevertheless, organized crime has adopted the technique for its operations, and the online threat to businesses and individuals will continue to grow in sophistication, says Francesca Bosco, project officer with UNICRI. “Cyber crime is very profitable, with low infrastructure costs, and readily available attack tools,” she says. “Cyber crime has become an integral part of the transnational threat landscape.”
Bosco notes that cyber thieves around the world largely engage in the sort of information theft displayed by the Arab and Israeli hackers in their online battles. An entire online underground has sprung up, she said, devoted to selling clusters of data such as credit card numbers or Facebook accounts. “If you steal money, once it’s spent, it’s gone,” she says. “But data can be used and reused in so many different ways.”
VCU’s Dhillon says hacking tools are so easy to acquire that even governments have availed themselves of them. “For instance [one website] sells password ‘cracking’ services for major email services for as little as US$150,” he says. “Many nation states systematically make use of such like services. A Paris court [last November] fined the French energy giant, Électricité de France, nearly US$1.9 million for directing a hack into Greenpeace computers.”
Middle East malware (malicious software) authors know that most countries in the region filter websites based on religious content and pornography, says Christian Beek, principal consultant at McAfee Foundstone Services EMEA. Instead, he says, malware in the region is largely spread through file sharing and USB drives. He pointed out that Microsoft online security analysts had discovered over 60% of every 1,000 computers in Qatar had been infected with malware, a rate far higher than anywhere else in the world.
For these reasons and others, Middle East consumers remain wary of going online to make purchases. According to a recent survey of e-commerce in the Middle East by online payment service OneCard, fraud and theft of personal information is still the biggest concern preventing more regional customers from making purchases online.
Caution is warranted, says Ken Baylor of Gladius Consulting. Cyber thieves regularly exploit seemingly secure financial transactions even in the U.S., he said. “It’s an innovation battle between banks and criminals,” he notes.
Baylor has worked on a number of online security issues for banks, and says that cyber criminals largely relied on software that hid itself in other programs, and allowed them remote access to a user’s sensitive information on their computer, such as their bank account, often without their knowledge. Such programs, referred to as ‘Trojans,’ have become harder to detect, and more complex over time, he says.
One type of cyber attack increasingly perpetrated in the Middle East, the international security firm KCS Group told Abu Dhabi-based newspaper The National, is holding bank account access for ransom: cyber criminals tell users or institutions to pay up or see sensitive information about them published online.
But so much information is readily available online without requiring any sophisticated tools to access it, said web security professional and blogger Jamal Bandukwala. Instead, it’s just a matter of knowing where to look. “It’s a good idea to see what information your company is putting out there,” Bandukwala said.
A number of government intelligence agencies have already caught on to the fact, Bandukwala noted, and cull the Internet for data in a method he called ‘open source intelligence.’ By constantly collecting sources of information online, he said, including media, web content, satellite imaging, public documents and academic journals, governments can search the web very deeply. “It’s all fair game,” he said.
One of the sites favored for trading information, he added, started out as a simple tool for developers to share source code online via text snippets. “Now it is used to leak information anonymously,” Bandukwala said. A quick run through the site reveals credit card numbers, leaked databases, compromised websites, employee lists, even passport numbers and travel itineraries that were electronically intercepted and posted. The same website, incidentally, is used by 0xOmar and his Israeli opponents to post their latest hacks.
“In spite of decades’ worth of work, organizational security policies still represent reactions to the latest slew of attacks; reactive approaches do not work,” Dhillon adds. “As a society we need to understand the limits of technological advances and its appropriate uses. Just like one would not hand out the key to the house to a stranger, similarly sharing passwords or using a credit card in an untrusting environment should be avoided.”