Category Archives: Denial of Service

Court decision on alleged SMIT account blocker


We wrote about the case before. Here is a summary of the court's decision:

According to the first-level Harju County Court decision, Mart Pirita (45) was found guilty of disrupting the remote services of the Ministry of the Interior (SM). According to the verdict, he used the anonymous Tor network to enter multiple wrong passwords for 14 users, thereby locking their accounts and blocking their access to the infrastructure.

The actions were qualified according to Penal Code paragraph 207 part 1 for “Illegal interference with or hindering of the functioning of computer systems by way of uploading, transmitting, deleting, damaging, altering or blocking of data”.

Pirita's attorney Raul Ainla challenged the qualification of the alleged crime. In the county court's opinion, the qualification was correct, since Mart Pirita entered wrong passwords for 14 user accounts without lawful permission, by which those accounts were disabled, interfering with the functioning of the computer system for SM employees.

The first-level court's decision was appealed, and the District Court of Tallinn ruled that a connection between Mart Pirita and the attacks could not be established with certainty.

In the initial verdict, it was claimed that the attack was performed through three IP addresses which are known to be Tor exit nodes. Furthermore, it was established that Pirita had downloaded the Tor software from the Debian repository (ftp.ee.debian.org). In addition, according to the metadata logs of Pirita's ISP Elion, Pirita was connected to the Tor network at approximately the time of the attacks.

The district court judged that the county court had evaluated the presented evidence incorrectly. The IP addresses from which the attacks were performed belong to Tor exit nodes, so the attacks were performed through the Tor network. However, the county court did not consider how the Tor network works. Every connection through Tor is established via a random path of relays and is encrypted, so it is impossible to know who the original source of the communication is or what the messages contain. Thus, even though Pirita connected to the Tor network, it is impossible to link him to the attacks coming from the exit nodes.

Additionally, the prosecutor Piret Paukštys claimed that, since a file named "cached-microdesc-consensus" containing the IP addresses of the Tor exit nodes used in the attack was found on Pirita's hard drive, this proves a connection between Pirita and the exit nodes. However, this claim was found to be false, since the file is a catalog of all public Tor nodes and is present in every Tor installation. Thus, any Tor user could possibly have been behind the attack.

According to the prosecutor, another piece of evidence pointing to Pirita was that Pirita had Debian Linux installed in a virtual machine, and the attacker's user agent presented to the court, "Mozilla/5.0 (Linux; U; Debian Linux; en-US; rv: 1.8.1.12) Gecko/20080201 Firefox/2.0.0.12", names the Debian Linux operating system.

However, Tiit Hallas, the head of information security of SMIT, could not provide the court with any log file backing the claim that this user agent was present. The claimant could not even describe which log file the user agent was taken from or why the logs were not presented as evidence.

Finally, the court found a clear discrepancy between the timestamps in the log files provided as evidence. According to the ftp.ee.debian.org logs, Pirita downloaded the Tor software on 17.08.2014 at 00:57. However, the attacks started on 17.08.2014 at 00:14. Elion's metadata logs show that Pirita connected to the Tor network only after the attacks had started. Furthermore, an independent expert from the Estonian Forensic Science Institute (EKEI), Oliver Olt, stated that there is no connection between Elion's metadata logs and the attacks in the claimant's logs. The expert added that he could not explain how an attack corresponding to the logs could have been performed. Thus, in his opinion, the logs rather contradicted the prosecutor's claim.
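The pattern described above (one source failing logins against many accounts in a short window, from addresses that appear in a published Tor exit list) is something a defender can detect in authentication logs. The following is an added example, not code from the original post or the case files; the log format, the sample lines, and the Tor exit addresses are constructed here, and `find_lockout_bursts` is a hypothetical function name. It also keeps the user agents with each alert, since the court above rejected a user-agent claim that no preserved log backed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: timestamp, result, account, source IP, quoted user agent.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<result>OK|FAIL) (?P<user>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (values invented for this example; TEST-NET addresses).
SAMPLE_LOG = """\
2014-08-17 00:14:01 FAIL alice 198.51.100.7 "Mozilla/5.0 (Linux; U; Debian Linux)"
2014-08-17 00:14:03 FAIL bob 198.51.100.7 "Mozilla/5.0 (Linux; U; Debian Linux)"
2014-08-17 00:14:05 FAIL carol 198.51.100.7 "Mozilla/5.0 (Linux; U; Debian Linux)"
2014-08-17 00:14:06 FAIL dave 198.51.100.7 "Mozilla/5.0 (Linux; U; Debian Linux)"
2014-08-17 00:14:08 FAIL erin 203.0.113.9 "Mozilla/5.0 (Linux; U; Debian Linux)"
2014-08-17 00:14:09 FAIL frank 203.0.113.9 "Mozilla/5.0 (Linux; U; Debian Linux)"
2014-08-17 00:14:10 FAIL grace 203.0.113.9 "Mozilla/5.0 (Linux; U; Debian Linux)"
2014-08-17 00:20:00 FAIL alice 192.0.2.44 "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
2014-08-17 00:20:30 OK alice 192.0.2.44 "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
"""

# Constructed stand-in for a Tor exit-node list; a real deployment would load a
# current published exit list instead of this placeholder set.
TOR_EXITS = {"198.51.100.7", "203.0.113.9"}


def find_lockout_bursts(log_text, tor_exits, min_accounts=3, window=timedelta(minutes=2)):
    """Group failed logins by source IP and alert on sources that fail against
    at least min_accounts distinct accounts within the given time window."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue  # successful logins and unparsable lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        fails[m["ip"]].append((ts, m["user"], m["ua"]))
    alerts = []
    for ip, events in fails.items():
        events.sort()
        first, last = events[0][0], events[-1][0]
        accounts = {user for _, user, _ in events}
        if len(accounts) >= min_accounts and last - first <= window:
            alerts.append({
                "source": ip,
                "accounts": sorted(accounts),
                "first": first.isoformat(sep=" "),
                "last": last.isoformat(sep=" "),
                "via_tor_exit": ip in tor_exits,  # only says the path ended at Tor, not who sent it
                "user_agents": sorted({ua for _, _, ua in events}),
            })
    return alerts
```

A single user mistyping their own password (the 192.0.2.44 lines) does not trigger an alert, while the two exit-node sources do; as the court noted, the Tor flag only locates the exit, not the person behind it.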

It was said that Pirita had a motive to perform the attacks, as he had been dismissed from SMIT due to loss of trust. However, the management of SMIT acknowledged that he was not the only one dismissed for this reason; up to ten people could have had a motive to perform the attacks. Furthermore, the fact that the attacker knew the correct access point is not sufficient to claim that the attack was performed by a current or former SMIT employee.

Weighing these aspects, the district court decided that the indirect evidence was not sufficient to establish Pirita's guilt with high probability. According to a previous National Court decision, if it is possible that someone else could have performed the attack, the accused should not be convicted.

The district court overturned the previous decision and acquitted Pirita. Additionally, he was compensated for legal fees in the amount of 7500€. The fee for the IT expert opinion was covered by the government. The forensic copy of Pirita's hard disk is to be destroyed to protect his privacy.

The prosecutor did not appeal the district court’s decision.

Links:
https://www.riigiteataja.ee/kohtulahendid/detailid.html?id=180104716
http://www.delfi.ee/news/paevauudised/krimi/pevkuri-ja-vaheri-meilikontode-lukustamise-parast-kohtu-all-olnud-mart-pirita-oigeks-moistmine-on-nuud-loplik?id=74558039
http://www.postimees.ee/3149415/it-spetsialist-jai-ministeeriumi-arvutikontode-blokeerimises-suudi

District Court acquits alleged Ministry of the Interior user account blocker


The District Court of Tallinn acquitted Mart Pirita (45), who was accused of locking down the e-mail accounts of the Minister of the Interior Hanno Pevkur and the Director General of Police and Border Guard Board (PPA) Elmar Vaher, because his guilt was not proved.

The District Court overruled the previous verdict of Harju County Court, which had convicted Pirita and imposed a financial penalty of 270 daily rates, i.e. EUR 13,159.80.

The Prosecutor's Office accused the former employee of the IT and Development Centre of the Estonian Ministry of the Interior (SMIT) of illegally disrupting computer systems by entering data. According to the accusation, in August 2014 Pirita entered, without permission, various incorrect passwords for 14 user accounts under SM jurisdiction, which resulted in those accounts being blocked. The attack was performed through the Tor network, which allows using the Internet anonymously and hiding one's tracks. The accusation noted that Pirita may have been motivated by the termination of his employment contract.

Testifying as a witness, Tiit Hallas, the head of information security of SMIT, told the court that the Tor network is used by distributors of child pornography and malware. During the attack, an IP address belonging to the company E-Positive.ee, owned by Mart Pirita, was logged as connected to the Tor network.

The District Court found that the County Court had made mistakes in evaluating the evidence and had mistakenly concluded that the act was performed by Mart Pirita. The mere fact that Mart Pirita used the Tor network is not sufficient, as anyone using the network at that time could have performed the illegal act. The evidence collected by the prosecutor does not show a direct relation to the act. The District Court admitted that several circumstances hinted that the blocker was connected to SMIT, but this is not enough to convict someone. There is no direct evidence, and the indirect evidence is weak, the District Court found.

Links:
http://www.postimees.ee/3657891/ringkonnakohus-moistis-oigeks-hanno-pevkuri-ja-elmar-vaheri-vaidetava-meilikontode-lukustaja

DDoS attack against Omniva's partner disrupts the work of parcel machines


The DDoS (Distributed Denial of Service) attack that started yesterday (22.10) at 2.30 p.m. and is still ongoing was directed at the network of Omniva's cooperation partner Integer, and resulted in a global error in Integer's systems. The attack was isolated and the main functions of the system were restored by 7 p.m. yesterday evening. The functionality check of the parcel machines was completed at 8 p.m. By now, the attack no longer jeopardizes Omniva's systems. In addition, the databases and customer data stored at Integer are protected and were not affected by the attack in any way.

In connection with the attack, sending parcels from parcel machines and collecting paid parcels from them was disrupted from 2.30 p.m. to 7 p.m. Customers were still able to use the parcel machines to collect parcels that were free of charge.

From the description it seems that Omniva previously reached Integer's databases over the same public channel that was attacked; Omniva now has a non-public access path to Integer's databases, which is not reachable by the attackers.

Links:
https://www.omniva.ee/about_us/news/all_news/parcel_machine_malfunctions_were_caused_by_a_cyber_attack
http://uudised.err.ee/v/eesti/9f133660-eb7d-4091-a199-9fa38942040b/omniva-pakiautomaadid-langesid-kuberrunnaku-ohvriks

Two Estonian companies received Bitcoin extortion letters


According to the Police and Border Guard Board, at least two Estonian companies have become victims of the latest cyber-attack, in which they also received an email demanding Bitcoins. The criminals threatened in the emails that, should they not receive the Bitcoins, more serious attacks would follow.

In both cases, a denial-of-service (DoS) attack was first carried out against the official web pages of the respective companies. The businesses then received an email specifying the account and deadline for transferring the Bitcoins in order to avoid a more serious attack. According to a police representative, the attack lasted for about an hour. However, the attackers have not carried out their threats, despite the companies not giving in to the Bitcoin demands. The police have started a criminal investigation.

It took a year for Estonian criminals to try out this business plan.

It is not yet known who is behind the attack and the extortion. Similar cases have not been seen in Estonia before, but they are familiar elsewhere in the world, and law enforcement agencies in various countries cooperate to apprehend the criminals. The extortion letters are sent by organized criminals calling themselves "DD4BC".

Searching for "DD4BC" shows that in recent months several organizations in various countries have received Bitcoin extortion letters from a group calling itself DD4BC. However, these might just as well be Estonian criminals operating under the DD4BC name.

Links:
http://news.err.ee/v/scitech/09f4d9ae-dd8e-499f-aaf1-f56d9e9188b9
http://epl.delfi.ee/news/eesti/hakkerid-noudsid-runnakutega-ahvardades-bitcoine?id=71475581
https://www.politsei.ee/et/uudised/uudis.dot?id=446825

BSc thesis: Denial of Service Attacks and Defense Solutions


Student: Erki Vaino
Supervisor: Meelis Roos
Reviewer: Ljubov Feklistova

Abstract
Over time, denial of service attacks have become more sophisticated and a popular method amongst attackers. This document will provide an overview of different attacks and defense solutions against them. Although there are many great resources about the subject in English, there are very few of them in Estonian. Firstly there is a general overview of the attacks and how they can be classified. Then there are descriptions of how different attacks work and which vulnerabilities or mechanics they use to stop the victim from providing service. In the last part there are descriptions of how these attacks can be stopped or mitigated, and also which products and solutions companies currently provide on the market. Each product is described briefly, and information is given on how it helps to protect the network.

The thesis also contains interviews with two Estonian IT infrastructure architects.

Links:
http://comserv.cs.ut.ee/forms/ati_report/datasheet.php?id=45551&year=2015