CS423523

1
CSCD 396Essential Computer SecurityFall 2009
Lecture 3 - Attackers, Cyber Terrorism
Reading Chapter 1
2
Overview

• Attackers
• Definitions
• Who are they?
• Are they out to get you?
• How much are you at risk?

3
Terms Again

• Hacker Defined
• People engaged in circumvention of computer
  security, unauthorized remote computer break-ins,
  but also includes those who debug or fix security
  problems
• Its earliest known meaning referred to an
  unauthorized user of telephone company network, a
  phone phreaker

4
Terms Again

• Other Definitions of Hacker
• In the computing community, the primary meaning
  is a complimentary description for a particularly
  brilliant programmer or technical expert
• For example, Linus Torvalds, the creator of
  Linux, is considered by some to be a hacker
• So is ... Bill Gates and Steve Jobs

5
More Definitions

• Cracker or Criminal
• Breaks into computers with malicious intent
• Distinguished from ethical Hackers who break into
  computers for publicizing security problems
• Members of this group, destroy data, disrupt
  services and wreck havoc on computers and users
• Another name ... Blackhat

6
More Definitions

• Script Kiddies
• Wannabe hackers
• Little knowledge of what they are doing
• Often indiscriminately target a range of
  computers hoping one will be vulnerable to an
  automated exploit
• Exploits they use, have typically been written by
  others more knowledgeable

7
Definitions

• Cyber Terrorists
• Cyber security experts have long worried about
  cyber terrorists wrecking havoc on our critical
  infrastructure systems
• Has not happened yet on widespread basis, doesnt
  mean it wont
• Cyber security experts are divided over whether
  it is possible
• More on this later

8
Hackers

• Have gotten treatment from the press
• Everyone thinks hacker is the same as criminal
• Its not!
• Hackers have a subculture that appears to be
  non-mainstream
• Dress in black, spend a lot of time in front of
  their computers, are fascinated with technology,
  can potentially do scary things to people's data
• All of this creates a mistrust and fear of them
• Like to hang out in groups too
• Have strange group names Cult of the Dead Cow,
• Demon Industry, Hell of Web etc.

9
Hackers

• Who are they really?
• Seem to be comprised of groups of people
  intensively interested in technology and how it
  works
• Have been around for a long time
• Phone phreakers, Captain Crunch (John Draper) to
  high profile types, Robert Morris and Kevin
  Mitnick
• Started out by being interested in telephone
  systems but in reality they were interested in
  any technology based system

10
Phone Phreaking

• Toy whistle packaged in boxes of Cap'n Crunch
  cereal could emit a tone at 2600 hertz same
  frequency used by ATT long lines to indicate
  that a trunk line was ready and available to
  route a new call
• Experimenting with this whistle inspired Draper
  to build blue boxes electronic devices capable
  of reproducing other tones used by the phone
  company.
• The phone company is a System. A computer is a
  System, do you understand? If I do what I do, it
  is only to explore a system. Computers, systems,
  that's my bag. The phone company is nothing but a
  computer.

11
Hackers

• People have tried to counter certain popular
  myths about hackers
• Hackers Heroes of the Computer Revolution, is
  a book by Steven Levy about hacker culture
• Was published in 1984

12
Hacker Ethics

• Levi's book spelled out certain principles by
  which they live
• In Levy's own words, the principles dictate
• 1. Access to computersand anything which
  might teach you something about the way the world
  worksshould be unlimited and total.
• 2. Always yield to the Hands-on Imperative!
• 3. All information should be free.
• 4. Mistrust authoritypromote
  decentralization.
• 5. Hackers should be judged by their hacking,
  not bogus criteria such as degrees, age, race or
  position.
• 6. You can create art and beauty on a
  computer.
• 7. Computers can change your life for the
  better.

13
Hackers

• Interviews with hackers who mostly thought they
  were doing good...
• Hacking for difference reasons than money
• Interviews from PBS Frontline, Hackers
• Go to this link for interviews, video excerpts
• http//www.pbs.org/wgbh/pages/frontline/shows/hack
  ers/
• interviews/reidcount.html

14
Hackers

• Reid and Count Zero, members of the Cult of the
  Dead Cow, Developed "Back Orifice," a computer
  program which allows the user to remotely view
  and control any computer running Windows 95 or
  later
• They say they developed the program to
  demonstrate the weak security in Microsoft
  products
• REID Back Orifice is a program that comes in two
  parts. It allows someone sitting at one computer
  to control everything going on at a computer at
  the other side of the internet. So you can be
  sitting at a local machine and you could see
  what's happening on a remote machine
• You have control over that machine as if you were
  there. In fact, you have more control over that
  machine than the person sitting at the keyboard
  does, because we expose more power through the
  Back Orifice tool than Windows 98 Desktop does

15
Hackers

• REID Ultimately, we were trying to get Microsoft
  to admit that they were encouraging people to
  join this global community with a completely
  insecure product, and then hopefully people will
  not store their credit card numbers on their hard
  drives. They would not keep their diary there.
• They wouldn't conduct business with this
  computer. Or, even more optimistically, we were
  hoping that maybe they would implement a strong
  security model in Windows.
• Neither of these things actually happened, so
  it's a failure on that count. But those were
  pretty high goals, I think

16
Hacker

• One more example of hacker altruism stemming from
  the Hacker ethic ... free software
• Richard Stallman
• Who is he?
• In 1983, launched GNU Project to create a free
  Unix-like operating system, and has been the
  project's lead architect and organizer ... he
  initiated the free software movement and set up
  the Free Software Foundation
• Stallman pioneered the concept of copyleft and is
  the main author of several copyleft licenses
  including the GNU General Public License, the
  most widely used free software license .. Which
  compiler do we use at EWU?
• http//www.gnu.org/

17
Hacktivism

• Motivation might not be pure criminal but also
  political
• Something called hacktivism is political
  motivation combined with cyber activism
• Example Defacing certain web sites to embarrass
  a country or agency
• FBI and the CIA had their web sites defaced
  numerous times

18
CIA.gov defacement example
19
A turkish group, known as turkguvenligi.info,
managed to exploit a SQL injection flaw and
insert a record that redirected the "events" page
to an image with their site name.
20
Hacktivism

• The most notable incident of regional Hacktivism
  were the Distributed Denial of Service (DDoS)
  attacks against government and corporate websites
  in Estonia in 2007, which actually began a
  worldwide dialog on the real threat of Cyber
  Attacks and the impact on national
  infrastructure
• In fact, Hacktivist incidents stretch back over
  20 years, but only in the past couple of years
  have they become more frequent, and more
  devastatingly malicious.

21
Criminals

• As we mentioned already, motivation here is
  mostly money
• Criminals want to make money typically by illegal
  means
• Extortion, blackmail, theft, are all alive and
  well in the cyber world
• Even physical security can be compromised if we
  include cyber stalking
• May be other motivation such as malice against a
  company or government agency

22
Exploit Users Through Social Network Sites -
Statistics

• http//www.bmighty.com/security/showArticle.jhtml?
  articleID208402877
• Unsuspecting individuals frequently download
  data, could contain malware such as viruses and
  Trojan horses
• National Cyber Security Alliance (NSCA) found
• 83 of users downloaded unknown files from other
  people's profiles
• Potentially opened their PCs to attack
• 57 of people who use social networking sites
  admit to worrying about becoming a victim of
  cybercrime
• Many divulge information that could put them at
  risk
• Three out of four users give out personal
  information
• e-mail address, name, or birthday that can be
  used to perpetrate identity theft
• According to the NCSA. Amazingly, 4 have even
  listed their Social Security numbers somewhere on
  their social network page

23
Cyber Crime

• http//www.out-law.com/page-7791
• Cybercrime has become a profession and the
  demographic of your typical cybercriminal is
  changing
• Was geek, now more organized gangster
  traditionally associated with drug-trafficking,
  extortion and money laundering

Guillaume Lovet Author
24
Cyber Crime

• Example Marketing a stolen online bank account
• Sell the information to gain authorized control
  over a bank account with a six-figure balance
• Cost to obtain this information is about 400

25
Cyber Crime

• The probable marketplace for the sale
• A hidden IRC (Internet Relay Chat) chatroom
• 400 fee will most likely be exchanged in some
  form of virtual currency such as e-gold
• Several different protagonists may be involved in
  this crime

26
Cyber Terrorism and Cyberterrorists

• Cyberterrorism is defined
• The premeditated use of disruptive activities,
  or the threat thereof, against computers and/or
  networks
• With the intention to cause harm or further
  social, ideological, religious, political or
  similar objectives
• Is Cyberterrorism possible? Do these people
  exist?
• What do you think?

27
Hype of Cyberterrorism

• http//en.wikipedia.org/wiki/Cyber-terrorism
• As 2000 approached, there was fear and
  uncertainty
• Millennium bug promoted interest in potential
  cyberterrorist attacks
• Acted as a catalyst in sparking fears of a
  possibly devastating cyber-attack

28
Hype of Cyberterrorism

• Some disagree with labeling a cyber attack as
  terrorism
• Unlikely to cause significant physical harm, or
  death in a population using electronic means,
  considering current attack and protective
  technologies
• A common belief when predicted disasters fail to
  occur, it only goes to show how lucky we've been
  so far
• Is this true?

29
Example of Cyberterrorism

• http//news.cnet.com/8301-10784_3-9721429-7.html
• In May 2007, Estonia subjected to mass
  cyber-attack in wake of removal of Russian World
  War II statue
• Attack was distributed denial of service attack
  in which selected sites were bombarded with
  traffic in order to force them offline
  successfully
• Nearly all Estonian government ministry networks
  plus two major Estonian bank networks were
  knocked offline
• Plus, political party website of Estonia's
  current Prime Minister featured a counterfeit
  letter of apology for removing the memorial
  statue
• Is this Cyberterrorism?

30
Example of Cyberterrorism

• At the peak of the crisis, bank cards and
  mobile-phone networks were temporarily frozen,
  setting off alarm bells in the tech-dependent
  country
• Russia is suspected for the attacks and various
  groups have claimed responsibility ... no-one
  knows for sure!
• Is this Cyberterrorism?

31
References Cyber Terrorism

• Cyber war article Tech News World
• http//www.technewsworld.com/rsstory/64494.html?wl
  c1223043413
• Downplay Threat of Cyber Attack National
  Defense Magazine
• http//www.nationaldefensemagazine.org/ARCHIVE/200
  7/JULY/Pages/ExpertsDownplay2581.aspx
• Experts say U.S. companies need to take the
  increasing use of cyberwarfare tactics and tools
  very seriously
• - Information Week
• http//www.informationweek.com/news/security/cyber
  crime/
• showArticle.jhtml?articleID200900812

32
Risks from Attack Real vs. Cyber

• As a private individual, who is likely to target
  you and what is their motivation?
• Ideas

33
Risks from Attackers

• Credit cards, SSNs, bank information, medical
  records
• Home users are most at risk from
• Criminals want to profit from getting and
  selling your personal data
• Phishing, Fake virus infections,
• Social networking sites are danger

34
Summary of Risks

• Home Users
• Risk of loss from personal data breach
• ID theft, bank account compromised, Credit card
  data stolen
• Could be targeted form of attack or
• Automated infection from Web site, successful
  phishing attempt
• Loss is on personal level
• Computer could be part of a botnet

35
Summary of Risks

• Enterprise or Company Users
• More at risk from deliberate targeting
• Know something about company, at least its assets
  and defenses
• Use a variety of techniques, technical, social
  engineering, and phishing to gain access
• Want user or customer data, company secrets
• Loss is potentially more severe
• Direct loss of assets and loss from law suites

36
Summary of Risks

• Government, military site or critical
  infrastructure sites
• Huge attraction for outside hackers
• Motivation includes financial but also just pride
  especially if sophisticated security
• Hacktivism against the US policy
• Could be nation states involved at this level
• Meaning very skilled attackers trying to get
  classified information
• Or, trying to incapacitate Energy or
  Communications sector cyber terror
• Loss can potentially be devastating

37
References

• Captain Crunch Web Site
• http//www.webcrunchers.com/crunch/
• Cult of the Dead Cow
• http//www.cultdeadcow.com/
• 2600 Magazine
• http//www.2600.com/
• Hacker Hall of Fame
• http//www.francesfarmersrevenge.com/stuff/misc/ha
  ck/hall.htm

38
References

• Who's Hacking your PC
• http//www.techradar.com/news/world-of-tech/who-s-
  hacking-your-pc611122

39
Hacker Resources

• Wikipedia site for Hackers has
• Books, Movies, other sites
• http//en.wikipedia.org/wiki/Hacker_(computer_secu
  rity)?
• One other movie on Kevin Mitnick, Freedom
  Downtime by Emanual Goldstein
• http//video.google.com/videoplay?docid-674613975
  5329108302
• Another movie, Hackers in Wonderland
• http//video.google.com/videosearch?qhackersinw
  onderlandhlenemb0aqf

40
The End

• Next Time
• See Assignments page New assignment
• Start reading Chapter 2