CONFIDENTIAL

DHQ/COMMS/309/1/C

BRIEF FOR SO1 IT

CYBER ATTACK ON KDF TWITTER HANDLE

INTRODUCTORY REMARKS

1. The KDF Twitter handle (@kdfinfo) and that of the Defence Headquarters Protocol/Liaison Officer (@MajEChirchir) were hacked into on the morning of 22 Jul 14 by a group known as Anonymous. Though the two accounts were recovered successfully later that evening, they were hacked into again almost immediately and remain under the control of the attackers.

TIMELINE

2. On the morning of 22 Jul 14, discussions on the morning shows of media houses suggested that the KDF Twitter handle had been hacked into and was under the control of the Anonymous group. This was confirmed to be true by the DHQ Public Affairs Office (PAO), which operates the account.

3. The response taken by DHQ Comms/IT was to immediately delink the Twitter handle from the new MOD website. This was to avert the possibility of screenshots of the website displaying the attackers' tweets being captured and used to cause further harm.

4. Having ascertained that MOD mail and web had not been compromised, the NetAdmin went through the access logs of the mail and web servers to check for attempted attacks. The logs revealed that a brute-force attack against the SSH login on the web server had indeed been attempted, from IP addresses mostly of Chinese origin (see Tables 1 and 2).
Table 1

Failed logins from:
   1.93.33.227: 714 times
   23.97.214.90: 9 times
   61.174.50.163 (163.50.174.61.dial.wz.zj.dynamic.163data.com.cn): 18 times
   61.174.51.217 (217.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 135 times
   61.174.51.226 (226.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 95 times
   198.74.103.2 (2-103-74-198-dedicated.multacom.com): 13 times
   202.170.136.247 (user.nova.net.cn): 25 times
   203.81.22.35 (mail.ckgsb.edu.cn): 2 times
   221.179.89.90: 2 times
   222.163.192.149 (149.192.163.222.adsl-pool.jlccptt.net.cn): 284 times

Table 2

Authentication Failures:
   unknown (211.45.70.165): 1948 Time(s)
   root (222.163.192.149): 468 Time(s)
   root (125.65.245.146): 185 Time(s)
   root (server.hsproperty.net): 150 Time(s)
   root (61.174.51.202): 108 Time(s)
   root (211.45.70.165): 67 Time(s)
   unknown (server.hsproperty.net): 43 Time(s)
   bin (125.65.245.146): 36 Time(s)
   tomcat (211.45.70.165): 16 Time(s)
   unknown (125.65.245.146): 16 Time(s)
   webmaster (211.45.70.165): 15 Time(s)
   unknown (61.174.51.202): 4 Time(s)
Invalid Users:
   Unknown Account: 2030 Time(s)
Unknown Entries:
   service(sshd) ignoring max retries; 6 > 3: 97 Time(s)
   5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.202 : 3 Time(s)
   service(sshd) ignoring max retries; 5 > 3: 2 Time(s)
   4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.202 : 1 Time(s)

Table 2 is the PAM/sshd authentication-failure summary from the web server's log digest. Entries shown as "unknown" are failures for which no valid username was recorded, typically guesses against accounts that do not exist on the server; "service(sshd) ignoring max retries; 6 > 3" records a single connection on which six password attempts were made against a PAM retry limit of three. The guesses concentrate on root and on service accounts (bin, tomcat, webmaster), which is the signature of an automated dictionary attack rather than a targeted one.

5. IP addresses with similar characteristics were blocked from accessing the MOD network, having been responsible for a denial-of-service attack a fortnight earlier that led to a six-hour outage of the new website. The outage was the result of database overload from too many requests arriving at the same time. It is possible for these addresses to appear to come from China but in reality originate from Kenya through the use of international proxy servers.

POSSIBLE CAUSES

6. The following are possible causes of the successful Twitter attack:

a. Social engineering – whereby the attackers obtained the password from personnel working at PAO, either through friendship or through retired soldiers.

b. Weak passwords – it is possible that the passwords in use were not strong enough to withstand a brute-force attack.

c. Password reuse – the same password used for more than one account, so that the compromise of one account exposes the others.

d. Auto-save features in web browsers – these can be compromising whenever one logs in from a public place and leaves the credentials behind in the browser.

RECOMMENDATIONS

7. The following is recommended:

a. All login accounts related to MOD (mail, web, Twitter, servers) be protected by strong passwords that are changed frequently.

b. Public accounts be accessed only from safe networks and managed centrally.

c. The necessary cyber skills, equipment and infrastructure be put in place to facilitate cyber warfare.

8. Sir, forwarded for your information and guidance.

Jul 14

F O LAJAH
Capt
NetAdmin
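The log review in paragraph 4 and the address blocking in paragraph 5, carried out as a script. This is an added worked example, not part of the brief and not MOD tooling: it parses constructed sshd log lines in OpenSSH's syslog format (the host name "web", process ids, ports and timestamps are invented; the source addresses and usernames echo Tables 1 and 2, and 192.0.2.10 stands in for a legitimate administrator who mistypes once), totals failures per source address, flags brute-force sources, checks whether any flagged source eventually logged in successfully, and prints the iptables rules that would block the flagged sources on port 22. The flagging thresholds are assumptions.

```python
"""Review sshd failures per source address and render blocking rules.

Added example for the brief above, not MOD tooling. The log lines are
constructed in OpenSSH's syslog format; host name, pids, ports and
timestamps are invented, and 192.0.2.10 is a legitimate administrator.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log. The pam_unix line is PAM's record of
# an attempt that sshd also logs as "Failed password"; the parser counts only
# sshd's own record so that one attempt is not counted twice.
SAMPLE_LOG = """\
Jul 22 03:14:05 web sshd[2101]: Failed password for root from 222.163.192.149 port 51022 ssh2
Jul 22 03:14:07 web sshd[2101]: Failed password for root from 222.163.192.149 port 51022 ssh2
Jul 22 03:14:09 web sshd[2101]: Failed password for root from 222.163.192.149 port 51022 ssh2
Jul 22 03:14:11 web sshd[2104]: Failed password for root from 222.163.192.149 port 51030 ssh2
Jul 22 03:15:02 web sshd[2110]: Failed password for invalid user tomcat from 211.45.70.165 port 40011 ssh2
Jul 22 03:15:04 web sshd[2110]: Failed password for invalid user webmaster from 211.45.70.165 port 40011 ssh2
Jul 22 03:15:06 web sshd[2112]: Failed password for invalid user oracle from 211.45.70.165 port 40015 ssh2
Jul 22 03:15:08 web sshd[2112]: Failed password for root from 211.45.70.165 port 40015 ssh2
Jul 22 03:16:30 web sshd[2120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.202  user=root
Jul 22 03:16:31 web sshd[2120]: Failed password for root from 61.174.51.202 port 2222 ssh2
Jul 22 03:16:33 web sshd[2120]: Failed password for root from 61.174.51.202 port 2222 ssh2
Jul 22 03:16:35 web sshd[2120]: Failed password for root from 61.174.51.202 port 2222 ssh2
Jul 22 03:16:36 web sshd[2120]: Failed password for root from 61.174.51.202 port 2222 ssh2
Jul 22 03:16:38 web sshd[2120]: Failed password for root from 61.174.51.202 port 2222 ssh2
Jul 22 03:16:40 web sshd[2120]: Failed password for root from 61.174.51.202 port 2222 ssh2
Jul 22 03:16:41 web sshd[2120]: error: maximum authentication attempts exceeded for root from 61.174.51.202 port 2222 ssh2 [preauth]
Jul 22 08:02:11 web sshd[2300]: Failed password for webmaster from 192.0.2.10 port 55012 ssh2
Jul 22 08:02:20 web sshd[2300]: Accepted password for webmaster from 192.0.2.10 port 55012 ssh2
"""

IP = r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
FAILED = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from " + IP + r" port \d+")
EXCEEDED = re.compile(r"maximum authentication attempts exceeded for \S+ from " + IP)
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from " + IP)


def new_source():
    return {"failures": 0, "users": Counter(), "invalid_users": 0,
            "lockouts": 0, "accepted": 0}


def parse_auth_log(text):
    """Per-source totals, the same aggregation Tables 1 and 2 show per address."""
    stats = defaultdict(new_source)
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            s = stats[m["ip"]]
            s["failures"] += 1
            s["users"][m["user"]] += 1
            if m["invalid"]:                 # username does not exist on the host
                s["invalid_users"] += 1
            continue
        m = EXCEEDED.search(line)
        if m:
            stats[m["ip"]]["lockouts"] += 1  # sshd's MaxAuthTries limit tripped
            continue
        m = ACCEPTED.search(line)
        if m:
            stats[m["ip"]]["accepted"] += 1
    return dict(stats)


def brute_force_sources(stats, min_failures=4, min_users=3):
    """Flag a source that fails at least min_failures times, spreads guesses over
    min_users accounts (password spraying), or trips the MaxAuthTries lockout.
    The thresholds are assumptions; tune them to the host's normal traffic."""
    flagged = {}
    for ip, s in sorted(stats.items()):
        reasons = []
        if s["failures"] >= min_failures:
            reasons.append("%d failed logins" % s["failures"])
        if len(s["users"]) >= min_users:
            reasons.append("%d accounts tried" % len(s["users"]))
        if s["lockouts"]:
            reasons.append("MaxAuthTries exceeded")
        if reasons:
            flagged[ip] = reasons
    return flagged


def successful_logins_from_flagged(stats, flagged):
    """The check that matters most: did any brute-forcing source get in?"""
    return [ip for ip in flagged if stats[ip]["accepted"] > 0]


def iptables_rules(flagged, port=22):
    """One DROP rule per flagged source, inserted at the top of INPUT (-I) so it
    takes effect ahead of any ACCEPT rule. Standard iptables syntax."""
    return ["iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port)
            for ip in sorted(flagged)]


if __name__ == "__main__":
    stats = parse_auth_log(SAMPLE_LOG)
    flagged = brute_force_sources(stats)
    for ip, reasons in flagged.items():
        print("%-16s %s" % (ip, "; ".join(reasons)))
    print("successful logins from flagged sources:",
          successful_logins_from_flagged(stats, flagged) or "none")
    print("\n".join(iptables_rules(flagged)))
```

Blocking individual addresses is a stop-gap: as paragraph 5 notes, the apparent origin may be a proxy, and an automated scanner simply moves on to the next address. The durable fix for the attack recorded in Table 2 is to disable password authentication for SSH altogether (PasswordAuthentication no in sshd_config, keys only) and to refuse root logins over SSH (PermitRootLogin no), after which guesses against root, bin or tomcat cannot succeed regardless of password strength; a banning daemon such as fail2ban performs the counting and blocking shown here continuously rather than at the next log review.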