#OPPETROL AND WHAT WE HAVE SEEN SO FAR

I reckon the whole IT security community, specifically here in the Middle East entered the weekend a bit in anxiety and fear of what we would experience over the days off.
Needless to say the oil economy is big here and when Anonymous announced that they were targeting oil-producers as well as government within oil producing countries our backyard was suddenly a high profile target.
Although having worked many years in the security industry even I was worried about what kind of bad stuff would be unleashed, and if that one security loophole which was not tightened would be found.

Today we are coming out of the whole oppetrol campaign, and at least the days where anonymous promised the bulk of attacks have passed.
What is the status then? Were they succesfull in achieving what they wanted and who was the targets?
As always Anonymous have been posting the targets as well as victimslist on a number of websites and one of them who seems to have been tracking it quite well is Hackers New Bulletin, where you can see the victims list under the following post: http://hackersnewsbulletin.com/2013/06/1911.html
From this list you will see that a number of websites were defaced (meaning content replaced on the website) – A number of Saudi Government as well as some indonesian government websites were succesfully defaced and then a whole bunch of non-government and non-oil company based websites were targets.
Some data was leaked to pastebin from some of the big oil companies, but it is still difficult to see exactly how much or the quality of the data.
Needless to say the reports on defaced websites and issues experienced are highly dependent on rumors – But again from what I can read I would say that oppetrol was not that successful in achieving what they wanted – generating electronic havoc for the oil economy.
What they did achieve was to get a lot of attention – And I know for a fact that everyone were holding their breath on what would happen.
When looking at anonymous and the kind of centralized hacking campaigns for political messaging it is important to understand that anonymous is not necessarily scary when it comes to sophistication of attacks, but simply to the sheer scale.
This time it looks like we dodged the bullet, but I would recommend everyone to understand that they are a target and take the correct countermeasures.

• Understand that you are a high profile target and it is cool to place a political message on your site:  Therefore make sure you do something actively about defacements.
• Understand that DDOS and specifically Application Level DDOS is something you need to make sure you can handle in your application stack
• Understand that you need to make sure you have an understanding about your vulnerabilities and fix them when they are reported.

As always a post like this may be wrong the minute it is posted as new information may surface – I reckon this is part of our industry.