The Security Blog

Alternative Title: "Just because it involves computers does not mean it’s a cyberwar"

While Reuters crowned these, events of the last week, as a "cyberwar", and reported that South Korean government accused the North (DPRK) of engaging in hostile activities, I do not believe in this being a Cyberwar.

Let’s take a closer look:

1. The attacking code was woefully simple – and not sophisticated.
2. The attacking technology, Distributed Denial-of-Service (DDoS) attack was The Simplest – no active attempts at true "Hacking", no attempts to hide the sources.
3. Once started, we did not see an attempt to "reinforce" it towards the 70% of systems/networks it was "aimed" at which did not fail.
4. And the final point, which unlike the points above is not technical – there was no retaliation.

So:

Cyber-attack – Sure.   Cyberwar – No.

First Datum about Effecting Infrastructure:

20:06 patrickodowd Ayatollahs Call for New Elections, Telephone Cut Off Tehran, Mousavi Arrested – http://bit.ly/E1fTM <– first report of Telephone shutdown

Cyberwar Begins

And while report of Iran government attacks using DDoS against Mousavi started 3 days before the elections, the first report of DDoS attacks after the elections and against government sites started only at 18:00 GMT on June 14:

#iranelection Web-based DDoS of www.ahmadinejad.ir not a great idea if you still want there to be net for tweets out of Iran

And that was followed by a twitter-wide "call for action" to attack sites at Iran, just about an hour later:

@nzanjani: help crash iran’s leading hardline newspaper! click http://tinyurl.com/nlkkxu and leave open! #iranelection DDoS 4 freedom

and

mediamadam: http://is.gd/11Pyy Iranian adm website hacked Please, where´s my reverse engineers worldwide? HackIran.. <– examples of network Hacktivism

Lest we think this is all one sided, here is reported attack from Iran against TehranBureau.com. TB is hosted by GoDaddy, according to Whois reports. And they Tweeted the following:

00:26AM @tehranbureau ‘webmaster says Iranian govt overloading us w/ requests to disable our site: "denial of service attack"’ #iran

Cyber Misinformation

StopAhmadi: "I am reading tweets from ppl that most likely just want to spread misinformation. Plz easy w/ RT’ing those. #iranelection"

And example of reported account hacking:

xxx My twitter was hacked. am back in again. they are shutting down all internet services. #Iranelection

The instructions are getting more and more specific (xxxx are mine to remove reference to tools):

zerodamage: There’s a bit of a cyber war taking place in Iran right now. People are using xxxx.com with 1 second refreshes to DDOS. #iranelection

While some more … thinking.. minds are writing:

kenschafer: Before you get caught up in the "hey let’s DDOS Iran" mania sweeping Twitter, please read this: http://su.pr/7lfI3d

And yes… it would be that easy to use tools. Just click and point. This is a report, not my own thoughts on the subject. And now, at 01:00AM 6/15/2009, there is a name to the phenomenon:

davepaye: Take down Iran’s UN website: http://tinyurl.com/n75ml4 (expand) Support Freedom! #DDOS #iranelection <– Called the Green Revolution (a la the Velvet Revolution of Prague)

Permalink