HOW THEY WATCH AND WHAT THEY KNOW




Palestinian supporters are using a combination of hacking tools and viruses to gain what appears to be the upper hand in the Middle East’s ongoing cyber war. How Palestinian hackers watch and what they know will determine the success of this cyber war for them.

They are distributing the tools and viruses for destroying Israeli sites using a recently created attack site. Visitors to the site are greeted with the message, “I swear that I will not use these programs on anyone but Jews and Israelis.” The site comes complete with a list of directions on how to use the attack tools.

LoveLetter, CIH, and the Melissa Virus (along with 12 Word macro viruses) form the arsenal for attacking Israeli sites. Apparently, it’s an effective system.

According to sources at iDefense, an international security firm monitoring the situation, pro-Palestinian hackers are using a variety of tools to orchestrate a well-organized attack against the 100 or more Israeli Web sites that have been hit during the conflict. It is hard to say for sure who is winning. But it appears that the pro-Palestinian hackers have successfully affected more sites.

The pro-Palestinians have been much more aggressive in scope. Instead of just targeting specific sites, they’ve been methodically working through all the sites, thus broadening their agenda.

Over 226 Web sites have been targeted by both sides for denial-of-service attacks, attempts to gain root access, system penetrations, defacements, and a variety of other attacks. Many sites have been indirectly affected, due to the strain that the attacks have placed on the Net infrastructure in the Middle East.

The conflict began on October 6, 2000, when pro-Israeli hackers created a Web site to host FloodNet attacks. Since then, both sides have sustained blows to vital-information and financial-resource sites such as the Palestinian National Authority site and the Tel Aviv Stock Exchange.

Sixteen tools have been identified as those actively distributed among attackers, with many others being discussed or suspected of already being deployed. One such tool is called the EvilPing, believed to have been created especially for this war. The tool launches a “ping of death attack” that, when utilized by several users against the same target, crashes the system.

Then there is QuickFire, an attack tool that sends 32,000 e-mails to the victim from what appears to be the same address. Used simultaneously by multiple attackers, the tool crashes an e-mail server.

QuickFire’s strength is that it does not relent, continually firing off thousands of e-mails until the server is shut down and the address blocked. It is believed to be the tool used for hack attacks on the Israeli Foreign Ministry site and its Webmaster’s e-mail address.

A group called “Hackers of Israel Unite” originally used another popular tool called WinSmurf, which also uses mass pinging to bring down a site. Borrowing amplifying power from broadcast sites, the hackers send out pings that are boosted 10,000-fold, or more. According to the group, they were able to shut down Almanar.org using one computer with a 56K modem and an ADSL line.

According to Netscan.org, a site that provides a list of broadcast sites with an average amplification factor of five, a dial-up user with 28.8 Kbps of bandwidth, using a combination of broadcast sites with an amplification of 40, could generate 1152.0 Kbps of traffic, about two-thirds of a T1 link. With tools like these, a 56K modem can become a powerful weapon, and the attacker’s own bandwidth is irrelevant.
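A defender’s view of the amplification described above, as an added example that is not from the book: it scans flow records taken at a victim’s border for ICMP echo replies that answer no request the victim sent, groups the responders by network, and applies the 28.8 Kbps × 40 figure quoted above. The record layout, the addresses (documentation ranges), the /24 grouping, and the threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Constructed sample flow records: (second, source, destination, ICMP type).
# One legitimate ping exchange, then two bursts of replies from 40 hosts in
# one network that the destination never pinged.
FLOWS = (
    [(0, "198.51.100.7", "192.0.2.10", ECHO_REQUEST),
     (0, "192.0.2.10", "198.51.100.7", ECHO_REPLY)]
    + [(1, f"203.0.113.{h}", "198.51.100.7", ECHO_REPLY) for h in range(1, 41)]
    + [(2, f"203.0.113.{h}", "198.51.100.7", ECHO_REPLY) for h in range(1, 41)]
)


def smurf_suspects(flows, min_responders=10):
    """Return {(victim, responder /24): distinct responders} for unsolicited replies.

    A reply is unsolicited when the log holds no echo request from the
    destination to that source. The spoofed requests never cross the
    victim's border, so only the replies show up there.
    """
    asked = {(src, dst) for _, src, dst, kind in flows if kind == ECHO_REQUEST}
    responders = defaultdict(set)
    for _, src, dst, kind in flows:
        if kind == ECHO_REPLY and (dst, src) not in asked:
            net = ipaddress.ip_network(f"{src}/24", strict=False)
            responders[(dst, str(net))].add(src)
    return {key: len(hosts) for key, hosts in responders.items()
            if len(hosts) >= min_responders}


def flood_kbps(sender_kbps, amplification):
    """Traffic reaching the victim when each request draws `amplification` replies."""
    return sender_kbps * amplification


if __name__ == "__main__":
    for (victim, net), count in smurf_suspects(FLOWS).items():
        print(f"{victim}: unsolicited echo replies from {count} hosts in {net}")
        print(f"  a 28.8 Kbps sender yields ~{flood_kbps(28.8, count):.1f} Kbps")
```

The distinct-responder count per network is the observed amplification factor, and the responding networks are the ones whose operators need to stop answering broadcast pings.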

Netscan.org creators call themselves a small group of concerned network administrators who got fed up with being smurfed all day. But they recognize the fact that their site has also become a hacking tool.

Pro-Palestinians recently turned the tables by using broadcast-site attack tools against Israeli sites. Although the leaders in the war (groups such as UNITY, DoDi, and G-Force Pakistan) remain in the limelight, many previously unknown hackers are taking the cyberwar to another level.

Hackers are making moves to gain root access to Israeli computers and servers. Root access is the ultimate possession: it means doing whatever you want with a system. In essence, a hacker who gains root access to a computer can scan, delete, and add files, use it as an attack tool against others, and even view and hear users whose computers are equipped with cameras and microphones.

With no end in sight to the Middle East cyberwar, talk of targeting U.S. interests on the Web has been popping up in chat rooms and IRC channels frequented by pro-Palestinian hackers. Recent aggression against Lucent.com, coupled with hits on cnn.com in 2000 and other mainstream sites, has many high-profile companies watching their backs for the next wave of attacks.

Hackers such as DoDi have come out and said that the current war isn’t just against Israel, but the U.S. as well. But Arab activists such as Mustapha Merza believe the American media continues to portray Arabs as terrorist aggressors, even in cyberspace.

The irony of the matter is that the number of times that Israelis have targeted U.S. government sites is greater than the number of times those sites were targeted by pro-Palestinians. Yet, the American media fails to identify its real perpetrators and victimizes the Arabs as usual. For its part, the National Infrastructure Protection Center (a division of the FBI concerned with cyberwarfare, threat assessment, warning, and investigation) lists both Israeli and Arab sites that promote the cyberwar.

How Israelis Watch and What They Know Too

A group of self-described ethical hackers is taking the reins of the Israelis’ Web networks into its own hands in the Middle East’s cyberwar. Known as the Israeli Internet Underground, the coalition of anonymous on-line activists from various Israeli technology companies has set up a Web site to disseminate information concerning the ongoing battle in cyberspace.

According to the IIU mantra, they are dedicated to the Israeli spirit and united to protect Israel on the Internet against any kind of attacks from malicious hacking groups. The site claims to provide a comprehensive list of sites that were hacked by Arab attackers since the cyberwar went into full swing in October 2000.

Listed are over 50 Israeli sites that have been defaced and vandalized by various hacking groups. The number coincides with estimates provided by officials at iDefense, an international private intelligence outfit in Washington that is monitoring the ongoing war. IIU also provides a list of Israeli sites that they believe run services with commonly known security holes such as BIND NXT overflow, IIS 4 holes, and FTP format string bugs.

Examples of defacements by Arab hackers such as the one perpetrated on the homepage of Jerusalembooks.com, one of the largest Jewish booksellers on the Web, serve as a warning to those Israeli sites with suspect security.

The Jerusalembooks.com text and graphics were recently replaced with the word “Palestine” in flaming letters and with text asking Israelis if the Torah teaches them to kill innocent kids and rape women. The site is currently under construction due to the attack.

Taking credit for the attack is the group “GForce Pakistan,” a well-known activist group that has joined forces with Palestinians and other Arab hackers in fighting the cyberwar against Israeli interests.

Working alongside the group is the highly skilled Arab hacker named DoDi. On November 3, 2000, DoDi defaced an Israeli site and stated he could shut down the Israeli ISP NetVision, host of almost 80% of the country’s Internet traffic.

Though petty defacements and racial slurs have been the norm on both sides of the battle, Arab hackers like DoDi have promised to kick the war into high gear in the coming years, implementing what they refer to as phases three and four of their “cyber-jihad.”

The Muslim extremist group “UNITY,” with ties to “Hezbollah,” laid out a four-part plan for destroying the Israeli Internet infrastructure at the onset of the cyberwar. Phase four culminates in blitzing attacks on e-commerce sites, causing millions of dollars of losses in transactions. IIU said there is already evidence of phase-four attacks, such as the destruction of business sites with e-commerce capabilities, which they believe caused a recent 9% dip in the Israeli stock exchange.

The current onslaught of cyberattacks against Israel’s key Web sites is perhaps the most extensive, coordinated, and malicious hacking effort in history. ISPs and e-businesses must recognize the need to install protection that goes beyond firewalls to provide real security against application-level assaults.

In order to thwart future attacks, IIU has created what they call the “SODA project” (sod is Hebrew for secret). The stated goal of the project is to inform and provide solutions wherever the IIU can and, therefore, protect their sites against political cyber-vandalism. It lists those Web sites with security vulnerabilities, making them susceptible to future attacks by Islamic groups.

The SODA project formed an alliance with the Internet security firm 2XS Ltd., which is linked to the site and agreed to provide security advice for casualties of the cyberwar. 2XS Ltd., however, does not accept responsibility for IIU actions. On November 3, 2000, IIU contacted 2XS Ltd. to share their idea of creating a site for publishing vulnerability alerts.

Another link on the SODA project is the Internet security information forum SecurityFocus.com, a resource guide to on-line security links and services based in San Mateo, California. The site is not taking any sides in the Middle Eastern war.

Typically, the odds are heavily in the attackers’ favor—the attacker can launch attacks against any number of sites for little to no cost. They only need to find one vulnerable victim to succeed, perhaps after checking thousands of potential victims.

Because both Arabs and Israelis are launching volley after volley against the others’ sites, neither faction gets to play the victim in this war. The victims end up being citizens and businesses in the affected area. Unfortunately, that’s not uncommon in that part of the world.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
EAN: 2147483647
Year: 2002
Pages: 263
Authors: John R. Vacca
