October 10, 2004

  • EXCLUSIVE


    Cyber Terrorists Rock DMAT Servers, Cause “One of the Worst Attacks Ever Seen”


    Attack used FEMA site to take offline “over 5 million” other sites in official act of “cyber terrorism” 

    Millions of websites were reportedly brought down over an as-yet unspecified time frame after a security breach of FEMA’s DMAT servers, according to a source I consider very reliable inside the organization whose servers were initially compromised. The site is said to have acted as the hijacked control center for numerous attacks across the web. According to my source, victims included multitudes of e-commerce and government sites. No one knows, or is yet saying, how deep the breach truly went.


     


    DMAT is the Disaster Medical Assistance Team for the United States Public Health Service and is part of the NDMS (National Disaster Medical System), which serves the Department of Defense, the Department of Veterans Affairs, the Department of Health and Human Services and FEMA.


     



    According to their site, “DMATs were envisioned as being mobile, deployable teams which, under Federal auspices, manage large numbers of disaster casualties. The DMATs would be sponsored locally and become federalized assets during declared disasters (such as hurricanes, the attacks of 9/11 etc.)” DMAT was on site giving assistance immediately following the attacks in 2001. DMATs work with the National Guard and are “routinely deployed to support Capitol events such as Inaugurations and State of the Union addresses.”


     


    The DMAT site was reportedly targeted because of its unusually “high” level of security, a departure from typical cyber attacks. But then, this one appears to be like few, if any, seen before.


     


    For a 36-hour period, at some unspecified time in the two or so weeks before this was written, more than 14,000 servers and 5 million sites were attacked and brought down by a coordinated attack launched from the compromised DMAT servers; the victims were largely e-commerce. 80% of Silicon Valley’s web presence was at one point off the map, according to that source within the investigation.


     


    “Official act of terrorism”

    “Our site was used as the ‘gateway’ to access many additional sites and servers, including federal ones, with catastrophic results.” The source notes that they were “prohibited” from their e-mail accounts “in an effort to help stop the attack by limiting access to other systems” through such accounts.


     


    The source goes on to say that “while I am not yet at liberty to divulge the full details of this attack (or at least as many as are currently known to us), it has been declared by the top cyberspace security technologists in the country to be one of the worst attacks ever seen, and has officially been declared an act of terrorism.” Those behind it have yet to be determined, the source said, citing internal information.


     


    Attacks ongoing

    “The federal government was/is heavily involved in both the efforts to stop the attack (which has been slowed significantly but not yet completely contained) and in the investigation as to its source. It is thought that our site was targeted primarily because of its link to the federal websites and its additional security, so they could prove a point.”


     


    Since the investigation is ongoing, he was not able to divulge any additional information. What will be interesting to know is how long the DMAT servers had been compromised before they were used in what sounds most like a widespread DDoS (distributed denial of service) attack.


     


    The hows and the whens

    The fact is that a direct crack of the DMAT web server itself may not have been the way in. Any of a variety of other, less familiar means could just as easily have been the open door, and any of them can affect even what we would consider one of the more secure web servers. A few examples:


     


    People sometimes e-mail the strangest things: passwords and usernames, dates of birth and other information that could allow an outsider to gain access to a server by spoofing the identity of a trusted person. Typically, e-mail is sent in plain text, readable by anyone positioned on its path (at any relay or network hop) as it makes its journey to its final destination.


     


    Users are still opening that spam too, which can carry viruses, worms and Trojan horses that open virtual back doors and let outsiders into an organization’s servers. In fact, a poorly configured or unpatched Microsoft Exchange e-mail server itself is often easily compromised and the source of many company headaches.


     


    Other methods include using or manipulating someone on the “inside” to actively compromise security without even really knowing it. This is often the best strategy when security standards, and practices, are high at the IT end, since users usually don’t think about cyber security when they’re not at their computers.
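    To make the first of those points concrete, here is a small example I have added to this post. It is mine, not anything from the DMAT investigation or from my source, and the mail session in it is made up: the host names, the user “jdoe” and the password are invented. It walks a captured plain-text SMTP login, the way anyone sitting on a relay or a tapped link could, and pulls the username and password straight back out of the base64 the client sent. It handles both the AUTH LOGIN and AUTH PLAIN mechanisms and notes whether STARTTLS was ever issued.

```python
# Added example: recover a login from a plaintext SMTP session, as anyone on
# the path (a compromised relay, a tapped link) could. The sessions below are
# constructed for illustration; nothing here is a real capture, and the host,
# user and password are made up.
import base64
import binascii

# Constructed capture of a mail client authenticating with AUTH LOGIN over
# plain SMTP (STARTTLS offered by the server but never used by the client).
# "C:" lines are the client, "S:" lines the server.
SAMPLE_LOGIN_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO workstation.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: amRvZQ==
S: 334 UGFzc3dvcmQ6
C: cGFzc3dvcmQxMjM=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<jdoe@example.test>
"""

# Same made-up user with AUTH PLAIN, whose single argument is
# base64("\0" + user + "\0" + password) sent on one line.
SAMPLE_PLAIN_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO workstation.example.test
S: 250 AUTH LOGIN PLAIN
C: AUTH PLAIN AGpkb2UAcGFzc3dvcmQxMjM=
S: 235 2.7.0 Authentication successful
"""


def _decode_b64(token):
    """Decode one base64 token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def _append_plain(found, token, starttls):
    """An AUTH PLAIN payload is authzid NUL authcid NUL password."""
    decoded = _decode_b64(token)
    if decoded is None:
        return
    fields = decoded.split("\0")
    if len(fields) == 3:
        found.append({"mechanism": "PLAIN", "username": fields[1],
                      "password": fields[2], "after_starttls": starttls})


def extract_smtp_credentials(session):
    """Walk a captured session; return {'starttls': bool, 'credentials': [...]}.

    Each credential records the mechanism, username, password and whether it
    was sent after a STARTTLS command. In a real capture anything after a
    successful STARTTLS is encrypted and unreadable; the flag only separates
    the two cases when the caller feeds in a decrypted transcript.
    """
    found = []
    starttls = False
    state = None            # None, "login_user", "login_pass" or "plain_arg"
    pending_user = None

    for raw in session.splitlines():
        line = raw.strip()
        if not line.startswith("C: "):
            continue        # only the client's lines carry the secret
        cmd = line[3:]
        upper = cmd.upper()

        if state == "login_user":           # reply to the "Username:" prompt
            pending_user = _decode_b64(cmd)
            state = "login_pass"
        elif state == "login_pass":         # reply to the "Password:" prompt
            found.append({"mechanism": "LOGIN", "username": pending_user,
                          "password": _decode_b64(cmd), "after_starttls": starttls})
            state, pending_user = None, None
        elif state == "plain_arg":          # AUTH PLAIN payload on its own line
            _append_plain(found, cmd, starttls)
            state = None
        elif upper == "STARTTLS":
            starttls = True
        elif upper == "AUTH LOGIN":
            state = "login_user"
        elif upper.startswith("AUTH PLAIN"):
            parts = cmd.split(maxsplit=2)
            if len(parts) == 3:             # initial response on the same line
                _append_plain(found, parts[2], starttls)
            else:                           # server will prompt; payload follows
                state = "plain_arg"

    return {"starttls": starttls, "credentials": found}


if __name__ == "__main__":
    for name, session in (("LOGIN", SAMPLE_LOGIN_SESSION),
                          ("PLAIN", SAMPLE_PLAIN_SESSION)):
        result = extract_smtp_credentials(session)
        for cred in result["credentials"]:
            print(name, cred["username"], cred["password"],
                  "sent after STARTTLS:", cred["after_starttls"])
```

    Run it and both sessions give back the same made-up user and password in the clear; base64 is an encoding, not protection. The fix the example points at is the one the server already offered in the first session: the client must issue STARTTLS (or connect over TLS from the start) before it ever sends AUTH, and the server should refuse plain-text authentication mechanisms until it does.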


     


    Low key up till now

    Indications are there is much more to come in this saga, which is partly why things were kept “under wraps” until this point, and still are fairly low-key as far as any public statements from DMAT go. It is as yet unclear whether any medical, employee or other confidential records could have been compromised. This is of particular concern, since individuals or specific strategies within the organization could be targeted by terrorists.


     


    In every sense this should serve as a wake-up call for everybody. We all need to take cyber security seriously, both for ourselves and for our companies. When you download that little game at work or click on the link your buddy sent you in an e-mail to watch that funny cartoon, think twice. Chinese, North Korean and Islamofascist groups have promised significant cyber attacks and have been carrying them out on some level for the past couple of years. These people mean business and will stop at nothing to get past the guard at the gate.


     


    The way our current internet is set up allows for a single user’s bad move at one computer to cause disaster for millions more. Until that changes, we’re likely in for a bumpy ride.

    UPDATE:


     


    Government officials are apparently saying this one is a big deal, based on the quote I received that said “(the attack) has officially been declared an act of terrorism.” But some question, I believe rightly, whether one man’s cyber terrorism is another man’s cyber mischief.


     


    What is needed is further information to help us understand that designation, in addition to a few more questions that need answering:

    1. As a couple of readers have already accurately pointed out: why didn’t we notice all of the e-commerce sites going down at some point?

    2. Specifically, what day and during which hours did this happen, and in what order?

    3. What was the exact nature of the attacks on the outside web servers? The details on the type of attack on the DMAT network would also be nice.

    4. Why, specifically, is this that much different from other incidents like it?

    5. How long were the servers in question compromised?


     


    It is also worth noting that the source of this information says they are “not yet at liberty to divulge the full details of this attack (or at least as many as are currently known to us)” but seems to hint that more information will become available.


     


    There is also indication that up till now they have been trying to, as I mentioned, keep it a bit more low-key: “This was not publicized much as they were trying to keep the full extent under wraps (I’m sure there is much more that I do not know).”


     


    Indeed, there is much that we all want to know. But it seems self-evident, as I stated earlier, that what we are deeply in need of in this country is a revolution in IT security, both as a practice and as the basis for communications technology.


     


    We still don’t know the specifics of what sort of attack was mounted against the outside web sites. The assumption that it was a DDoS attack was admittedly mine, but it also seems the most logical interpretation of “At last count, over 14,000 servers were brought down, impacting and shutting down over 5 million websites, including over 80% of Silicon Valley in Los Angeles. For a 36 hour period, e-commerce was virtually at a standstill.” Now again, who’s been having difficulty accessing e-commerce sites? I haven’t either, and it is strange. Obviously those details need to be, and will be, ironed out at some point.


     


    I’ve already tried to get back in contact with that source and will update this with whatever I can find out over the coming days.

    Related cybernews:


     


    Recently in the news, the FBI raided Indymedia servers in the US and Britain earlier this month. In the raid, several hard drives were confiscated and much of the Indymedia web presence was curtailed.


     


    Indymedia has been a popular spot for Babar Ahmad, a man recently arrested in London with terrorist ties who ran Azzam.com, one of the most popular Islamofascist sites on the web.


     


    Azzam.com also reportedly used the services of ev1.net, a Houston, Texas-based ISP and web provider, known among many in the tech world as a refuge for spammers and such. (For the purpose of full disclosure, I must mention here that I have worked at ev1, but left on good terms with lifetime perks.)


     


    Indymedia has been in trouble with the Secret Service and other law enforcement in the past for playing for the other side, including divulging the names of two Swiss intelligence officers.


     


    What’s worse is that Teresa Heinz Kerry’s Tides Foundation in part helps support Indymedia, despite its tainted past.


Comments (3)

  • Good work! Will link tomorrow. Was trying to link u Friday night & my computer froze up 2x & I BLAME XANGA. Are u sure Xanga isn’t cyberterrorism? Hates it forever.

  • I bet it was the emoticons. I’ve heard other rumbles about that for awhile. I’ll remove the script to see if it loads any better.

