IS CYBERTERROR COMING?
Dorothy E. Denning, Georgetown University
Outline
• Incident trends
• Technology trends
• Terrorists in cyberspace
• Cyber terrorism
Incident Trends
Source: Computer Emergency Response Team Coordination Center, www.cert.org
Riptech Threat Reports
• Reports issued in Jan 02 and July 02 for preceding 6 months
• Data obtained from monitoring over 400 companies in over 30 countries
• Over 11 billion firewall logs and IDS alerts analyzed in 2nd report
• Over 180,000 cyber attacks investigated in 2nd report
• Events characterized by severity level
  • informational – scans for vulnerabilities
  • warning – bypassed firewall, but did not compromise system
  • critical – required action by Riptech or client to prevent compromise
  • emergency – security breach occurred
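The four severity levels above are a triage scale: each event is placed by how far the attacker got, not by what signature fired. The following added example (not Riptech's code or data) applies that scale to a handful of constructed firewall/IDS records. The `outcome` field is an assumption standing in for what an analyst normally gets by correlating the alert with host data (patch state, host IDS), and the `sig` names are invented.

```python
"""Triage of firewall/IDS events into the four Riptech severity levels.

Added example for this page, not Riptech's own code or data. The log
lines are constructed; the "outcome" field stands in for what an analyst
would obtain by correlating the alert with host data (patch level, host IDS).
"""
import re
from collections import Counter

SEVERITY_ORDER = ["informational", "warning", "critical", "emergency"]

# Constructed key=value records, one per event (not real traffic).
SAMPLE_LOG = """\
ts=2002-03-01T10:00:01 src=198.51.100.7 dst=192.0.2.10 action=deny sig=scan.portsweep outcome=none
ts=2002-03-01T10:00:05 src=198.51.100.7 dst=192.0.2.10 action=deny sig=scan.vulnprobe outcome=none
ts=2002-03-01T10:02:00 src=198.51.100.22 dst=192.0.2.25 action=allow sig=exploit.web.traversal outcome=rejected_by_host
ts=2002-03-01T10:05:00 src=198.51.100.22 dst=192.0.2.25 action=allow sig=exploit.web.overflow outcome=service_vulnerable
ts=2002-03-01T10:07:30 src=198.51.100.22 dst=192.0.2.25 action=allow sig=exploit.web.overflow outcome=compromised
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; returns None for blank or malformed lines."""
    fields = dict(FIELD.findall(line))
    required = {"ts", "src", "dst", "action", "sig", "outcome"}
    return fields if required <= fields.keys() else None


def classify(event):
    """Map one event to a severity level; the rules mirror the slide's definitions."""
    if event["outcome"] == "compromised":
        return "emergency"        # a breach occurred
    if (event["action"] == "allow" and event["sig"].startswith("exploit.")
            and event["outcome"] == "service_vulnerable"):
        return "critical"         # got through and the target is exploitable: act now
    if event["action"] == "allow":
        return "warning"          # bypassed the firewall but no compromise
    return "informational"        # blocked scans and probes


def triage(log_text):
    """Return (count per level, worst level seen per source address)."""
    counts = Counter()
    worst = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        level = classify(event)
        counts[level] += 1
        src = event["src"]
        if src not in worst or SEVERITY_ORDER.index(level) > SEVERITY_ORDER.index(worst[src]):
            worst[src] = level
    return counts, worst


if __name__ == "__main__":
    counts, worst = triage(SAMPLE_LOG)
    for level in SEVERITY_ORDER:
        print(f"{level:14s} {counts[level]}")
    for src, level in worst.items():
        print(f"{src:16s} worst={level}")
```

The point of ordering the rules from emergency downwards is that a source is reported at the worst thing it achieved; two blocked probes and one breach from the same address is one emergency, not three informational events.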
Intent of Attack
Source: Riptech, Inc.
Attack Intensity, Jul 01 – Jun 02
• 28% higher in 2nd 6-month period
Source: Riptech Internet Security Threat Report, July 2002
Attacks by Industry, Jan – Jun 02
Source: Riptech Internet Security Threat Report, July 2002
Severe Attacks by Industry, Jan – Jun 02
• malicious attacks that require action to remedy weakness or recover from incident
Source: Riptech Internet Security Threat Report, July 2002
Aggressive Attacks by Industry, Jan – Jun 02
• based on number of signatures triggered, number of companies targeted, & attack duration
Source: Riptech Internet Security Threat Report, July 2002
E-Mail Virus Infection Rate Forecast
• 1 in 100 in 2004
• 1 in 10 in 2008
• 1 in 2 in 2013
• 3 of 4 in 2015
Source: MessageLabs, www.messagelabs.com (scans e-mail for >500,000 users)
David Moore, Geoffrey M. Voelker, and Stefan Savage, “Inferring Internet Denial-of-Service Activity,” http://www.caida.org/outreach/papers/backscatter/usenixsecurity01.pdf
• Estimated 4,000 DoS attacks per week!
• 90% < 1 hour, 2% > 1 day
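The 4,000-attacks-per-week figure comes from backscatter: a flood with randomly spoofed source addresses makes the victim send replies (SYN-ACKs, RSTs, ICMP unreachables) all over the address space, so a monitored block of otherwise unused addresses sees a sample of them. The added example below (not the authors' code) shows the inference on constructed packets: group unsolicited replies landing in the monitored block by their source, treat a source that answers many distinct monitored addresses over a sustained period as a victim, and scale the observed reply rate by the block's share of the address space. The 10.0.0.0/8 monitored block and the thresholds are assumptions for the example, not the paper's parameters.

```python
"""Backscatter-based inference of denial-of-service attacks.

Added example illustrating the Moore/Voelker/Savage technique; it is not the
authors' code. A "network telescope" (here an otherwise unused 10.0.0.0/8
block, assumed for the example) receives replies to spoofed-source attack
packets. Replies from one victim to many telescope addresses reveal the
attack; scaling by the telescope's share of the address space estimates the
victim's total reply rate. Packets are constructed, not captured.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ADDRESS_SPACE = 2 ** 32
# Packet kinds that are only ever sent as replies, so an unsolicited one is backscatter.
REPLY_KINDS = {"synack", "rst", "icmp_unreach"}


@dataclass
class Packet:
    ts: float   # seconds
    src: str    # apparent sender (the victim, for backscatter)
    dst: str    # address inside or outside the telescope
    kind: str   # "syn", "synack", "rst", "icmp_unreach", ...


def detect_backscatter(packets, telescope="10.0.0.0/8",
                       min_packets=20, min_targets=10, min_duration=60.0):
    """Group reply packets landing in the telescope by source and flag attack events.

    Thresholds are assumptions for the example, not the paper's parameters.
    """
    net = ipaddress.ip_network(telescope)
    scale = ADDRESS_SPACE / net.num_addresses   # 256 for a /8
    by_src = defaultdict(list)
    for p in packets:
        if p.kind in REPLY_KINDS and ipaddress.ip_address(p.dst) in net:
            by_src[p.src].append(p)
    events = []
    for victim, pk in by_src.items():
        pk.sort(key=lambda p: p.ts)
        targets = {p.dst for p in pk}
        duration = pk[-1].ts - pk[0].ts
        if len(pk) < min_packets or len(targets) < min_targets or duration < min_duration:
            continue   # isolated replies or stray traffic, not a sustained flood
        events.append({
            "victim": victim,
            "packets": len(pk),
            "targets": len(targets),
            "duration_s": duration,
            "est_rate_pps": len(pk) / duration * scale,   # extrapolated victim reply rate
        })
    return events


def constructed_trace():
    """Constructed packets: one flooded victim replying into the telescope, plus noise."""
    pkts = []
    victim = "203.0.113.5"
    for i in range(60):   # 60 SYN-ACKs over ~10 minutes to 60 distinct telescope addresses
        pkts.append(Packet(i * 10.0, victim, f"10.{i}.{(i * 7) % 256}.{(i * 13) % 256}", "synack"))
    pkts.append(Packet(5.0, "198.51.100.9", "10.1.1.1", "rst"))      # a single stray RST
    pkts.append(Packet(6.0, "198.51.100.77", "10.2.2.2", "syn"))     # a scan probe, not a reply
    pkts.append(Packet(7.0, victim, "192.0.2.1", "synack"))          # outside the telescope
    return pkts


if __name__ == "__main__":
    for ev in detect_backscatter(constructed_trace()):
        print(ev)
```

Because the spoofed sources are assumed uniform, a /8 telescope sees about 1/256 of the victim's replies; the `est_rate_pps` field is that sample scaled back up, which is why the paper's counts are estimates rather than direct observations.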
Why So Many Attacks?
• Systems are complex and vulnerable
• More targets and attackers owing to Internet growth
• Attackers are organized and communicate
  • teach each other and novices
  • exchange tools and information
• Attackers developing increasingly powerful tools
  • automated exploitation scripts and sophisticated toolkits
  • build on each other’s work and work of security community
• Attacks easy, low risk, hard to trace
  • investigations difficult; often international
• Lack of security awareness, expertise, or priorities
  • .0025 percent of revenue spent on information security [Forrester]
Technology Trends
• Ubiquity
• Power
• Vulnerabilities
Ubiquity
• More attackers and targets to attack
• Attacks increasingly have real-world consequences
  • 3,000 SCADA systems, many with poor security
• Extended security perimeter
  • portable devices – PDAs, laptops, cell phones, etc.
  • web, e-mail, IM, P2P at office, home
  • wireless nets vulnerable to “war driving”
    • 7-month audit by ICC found 92% of 5,000 nets in London vulnerable to casual attacks
Power
• General trends
  • processors: 2x every 18 months (Moore)
  • storage: 2x every 12 months (1.5 x Moore)
  • network: 2x every 9 months (2 x Moore)
• More powerful attack tools
  • Nimda worm spread by 4 methods
  • tools for developing attack tools
QFZ 3.0 E-mail Flooding Tool
[screenshot of the tool; visible field label: “# times to send”]
Distributed by Chinese hackers in cyber skirmish over spy plane
Code Red Worm
• Worm probes random IP addresses and infects web servers vulnerable to IIS exploit
• Defaces English websites hosted on server with message:
  • Welcome to http://www.worm.com! Hacked by Chinese!
• On July 19 over 359,000 hosts infected in 13-hour period
  • over 2,000 hosts infected per minute at peak
  • at 5:00 pm, worm attempted DoS attack against 198.137.240.91 (www.whitehouse.gov)
  • David Moore – www.caida.org/analysis/security/code-red/index.xml
• Estimated 975,000 servers infected by end of August with losses of $2.4 billion – Computer Economics
• Shut down Japan Airline computer affecting ticketing & check-in, delaying 55 flights and 15,000 passengers 1-2 hours
Code Red Worm Spreading July 19 01:05:00 2001
19 Hours Later July 19 20:15:00 2001
Code Red Activity
Source: Riptech, Inc.
Nimda worm
• Spreads via 4 methods to Windows PCs and servers
  • e-mails itself as an attachment (every 10 days)
    • runs once viewed in preview pane
  • scans for and infects vulnerable Web servers running MS IIS
    • creates guest account with administrator privileges
  • copies itself to shared disk drives on networked PCs
    • file Riched20.dll, text editor for Word etc.
  • appends JavaScript code to Web pages
    • surfers pick up worm when they view the page
• 'Nimda fix' Trojan disguised as security bulletin
  • claims to be from SecurityFocus and TrendMicro
  • comes in file named FIX_NIMDA.exe
  • TrendMicro calls their free Nimda removal tool FIX_NIMDA.com
Future Worms
• Warhol Worms
  • infect all vulnerable hosts in 15 minutes – 1 hour
  • optimized scanning
    • initial hit list of potentially vulnerable hosts
    • local subnet scanning
    • permutation scanning for complete, self-coordinated coverage
  • see paper by Nicholas Weaver
• Flash Worms
  • infect all vulnerable hosts in 30 seconds
  • determine complete hit list of servers with relevant service open and include it with the worm
  • see paper by Stuart Staniford, Gary Grim, Roelof Jonkman, Silicon Defense
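Why a hit list collapses the spread time from hours to seconds, and what that means for response, is easiest to see in the standard epidemic model the worm papers use. The added example below is not from the slides or the cited papers; it steps the logistic model (new infections per second = infected hosts × scan rate × fraction of the address space still vulnerable) beside an idealised hit-list worm in which every scan reaches a known vulnerable host, and adds a containment rate to show how fast infected hosts would have to be cleaned or quarantined for an outbreak to die out. The population and scan rate are constructed scenario values; latency, bandwidth limits and failed connections are ignored, so the times are lower bounds.

```python
"""Discrete-time epidemic model comparing random-scanning and hit-list worms.

Added example, not from the slides or the cited papers. Implements the
standard logistic worm model and an idealised hit-list worm in 1-second
steps. Scenario numbers are constructed; latency, bandwidth and scan
failures are ignored, so the spread times are lower bounds. The
containment_rate parameter is the fraction of infected hosts removed
(cleaned or quarantined) per second.
"""
ADDRESS_SPACE = 2 ** 32


def infection_constant(vulnerable, scan_rate):
    """K in the logistic model da/dt = K a (1 - a), in 1/seconds.

    A random-scanning outbreak dies out if the containment rate exceeds K.
    """
    return scan_rate * vulnerable / ADDRESS_SPACE


def time_to_saturate(vulnerable, scan_rate, strategy, containment_rate=0.0,
                     stop_fraction=0.99, max_seconds=24 * 3600):
    """Seconds until stop_fraction of the vulnerable hosts have been infected.

    Returns None if that never happens within max_seconds (outbreak contained).
    strategy: "random" (uniform address-space scanning) or "hitlist"
              (every scan aimed at a host known to be vulnerable).
    """
    infected = 1.0   # currently infected and scanning
    removed = 0.0    # cleaned or quarantined; no longer susceptible or scanning
    for t in range(1, max_seconds + 1):
        susceptible = vulnerable - infected - removed
        if strategy == "random":
            # Each scan hits a uniformly random address; only the susceptible
            # fraction of the whole address space yields a new infection.
            new = infected * scan_rate * susceptible / ADDRESS_SPACE
        elif strategy == "hitlist":
            # Every scan lands on a known vulnerable host until the list is exhausted.
            new = min(infected * scan_rate, susceptible)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        cured = infected * containment_rate
        infected += new - cured
        removed += cured
        if infected + removed >= stop_fraction * vulnerable:
            return t
    return None


if __name__ == "__main__":
    N, R = 360_000, 10   # population near Code Red's count; scan rate is a constructed value
    print(f"K = {infection_constant(N, R):.2e} per second")
    for strategy in ("random", "hitlist"):
        print(f"{strategy:8s} 99% infected after {time_to_saturate(N, R, strategy)} s")
    print("random with 0.2%/s containment:",
          time_to_saturate(N, R, "random", containment_rate=0.002))
```

With these parameters the random-scanning worm needs several hours to reach 99% of its population, the hit-list worm reaches it in a few seconds, and a containment rate only slightly above K stops the random-scanning outbreak entirely. The hit-list case is the defensive lesson of the slide: no human-in-the-loop response operates on that timescale, so containment for such a worm has to be automatic.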
System Vulnerabilities
• Vulnerabilities arise in
  • products – OS, network services, applications
  • product configuration and operation – bad defaults, not installing patches
  • user practices – bad passwords
• Product vulnerabilities are increasing
  • systems are complex and getting more so
• Most attacks exploit known vulnerabilities that could have been fixed
  • maybe 99% of attacks
• Same types of vulnerabilities occur over and over again
• Many vulnerabilities give attacker “root” access
• Critical infrastructures said to be vulnerable to attack
• Disclosure is big issue
Vulnerability/Exploit Life Cycle
[diagram, annotated “Intuitive but wrong”]
“Windows of Vulnerability: A Case Study Analysis,” William A. Arbaugh, William L. Fithen, and John McHugh, IEEE Computer, vol. 33, no. 12, December 2000.
Terrorists in Cyberspace
• Internet
  • e-mail, instant messaging, chat rooms, Web
• Information hiding tools
  • cyber cafes, libraries, Kinkos
  • anonymous accounts
  • code words, encryption, maybe steganography
• Software development
  • Aum Shinrikyo cult
• Some cyber attacks
Terrorists and Email
• Sept 11 hijackers sent e-mail
  • used public sites – libraries, cyber cafes, Kinkos
  • used anonymous accounts – Hotmail, Yahoo!
• Shoe bomber sent e-mails before his flight
• Kidnappers of Wall Street Journal reporter Daniel Pearl sent demands via e-mail
Terrorist Web Browsing
• Use Web to find information, book tickets, research crop dusters, etc.
• al Qaeda used Web to gather information and software relating to critical infrastructures, including utilities
  • information acquired could support physical or cyber attacks
  • searched for information on SCADA systems used to control power, water, waste, etc.
  • prisoners at Camp X-Ray in Cuba said there were plans to use switches to attack U.S.
• Computers linked to al Qaeda had access to hacking tools in Islamic chat rooms
• Four SF Bay Area cities shut down and cleaned websites after getting unusually high level of traffic from Mideast
Terrorist Websites
• Spread information
• Post messages
• Advocate jihad and terror
  • “slaughter American soldiers”
• Recruit members
• Appeal for donations – money, weapons
  • money to buy dynamite to “blow up Israeli Jews”
• Sites move around – often kicked off servers
• Example sites
  • Center for Islamic Studies and Research ran al Qaeda news etc.
  • drasat.com, alneda.com (someone hijacked and set up sting)
  • almuhajiroun.com
  • azzam.com
Tracking Terrorists on Web
• Guido Rudolphi, Swiss operator of Netmon Inc., tracking terrorists on Internet
• Found Web site of Ould Slahi
  • Slahi had been tied to millennium bomb plot at LAX and September 11 attacks
  • Slahi also operated an Internet cafe
• Slahi had guestbook on his Web site
  • guestbook may have been used by terrorists to communicate
  • activity on site peaked right before 9-11
[photo: Ould Slahi]
Ould Slahi’s Website
http://www.cnn.com/2002/US/03/06/al.qaeda.internet/index.html
Terrorists and Encryption
• Ramzi Yousef
  • mastermind of 1993 WTC bombing & bin Laden associate
  • encrypted files on laptop held plans for additional attacks
• Wadih El Hage
  • convicted in 1998 E. Africa Embassy bombings
  • sent encrypted e-mails to associates of al-Qaida
• Aum Shinrikyo cult
  • conducted 1995 sarin gas attack on Tokyo subway
  • encrypted files had plans to use WMD against US and Japan
• UK-based Sakina Security Services Ltd
  • website offered Islamic military training, had terrorist connections
  • site gave out PGP public key to users
• al Qaida computer acquired by reporter
  • 40-bit encryption broken
  • found information on chemical weapons program
Images on azzam.com
• 580 images on http://66.197.135.110/~azzam
• Stegdetect got 70 hits (12%)
  • running on miscellaneous images yielded about 1%
  • most for stego tool called jphide
• Tests run by Brian Ristuccia <brian@ristuccia.com>
Terrorist Cyber Attacks
• Khalid Ibrahim, a member of the militant Indian separatist group Harkat-ul-Ansar, tried to buy military information and software from hackers in late 1998
  • Chameleon (Marc Maiffret) cashed $1K check
• Provisional IRA hired hackers to penetrate British government computers to get home addresses of law enforcement and intelligence officers
  • planned to kill officers in “night of the long knives” if British government didn’t meet terms for cease-fire
• Aum Shinrikyo cult wrote software for 80 firms and 10 government agencies (including police)
  • but no reported attacks
• Few known cyber attacks by “terrorists”
  • but attacks by “hacktivists” sympathetic to causes
Internet Black Tigers
• offshoot swamped Sri Lankan embassies with 800 e-mail messages/day for 2 weeks
• characterized as first known attack by terrorists against a country’s computer systems
Mideast Cyberwar
• From start in October 2000 – January 2001 [iDefense]
• Attackers from 23 countries hit 8 governments
• 16+ tools used – posted on supporting websites
• 30+ Pro-Palestinian attackers hit 166+ sites
  • commercial sector hit hardest (51%)
  • Unity, Muslim extremists with ties to Hezbollah
  • al-Muhajiroun, Muslim extremists with ties to bin Laden
  • 4 phases: 1) Israeli government sites, 2) Tel Aviv stock exchange and Bank of Israel, 3) Israeli ISP infrastructure, 4) Zionist e-commerce sites
• 10+ Pro-Israeli attackers hit 34+ sites
  • terrorists/extremists (Hamas, Hezbollah) hit hardest (39%)