Chapter 1. Cyber Crime and Cyber Criminals 101

“Never underestimate the time, expense, and effort an opponent will expend to break a code.”

--Robert Morris

About this Chapter

Before I begin discussing insider threats, I want to provide a general overview of cyber crime. This chapter will provide background on the motives, markets, perpetrators, and techniques related to cyber crime. For some, this chapter may be a refresher on cyber criminals and their means of profit; for others, this is an opportunity for exposure to a comprehensive examination of cyber crime. I will cover insider threats explicitly starting in chapter two.

Computer Dependence and Internet Growth

The security threatscape has changed significantly. While the Internet was once a playground for government organizations, large businesses, and academic institutions, it has rapidly become an integral part of daily life for millions around the world. These millions include both individuals and businesses. Many have become dependent on the Internet and computers. Virtually every business vertical has gone global. We see this in everything from finance and technology to manufacturing and retail. The Internet and information technology are at the core of the globalized movement of information, supply chains, inventory management, and general productivity. Our reliance on technology—along with explosive growth—creates an attractive target for those looking for exploitation opportunities. This has brought an increased number of characters to the cyber world—from spammers and identity thieves to online extortionists and exploit writers for hire.

I believe that most people we see walking down the street—the same people who are plugged into the Internet—are good people. But some of them live in ethically gray areas, and a few are outright criminals. The weapons in the cyber criminal’s arsenal are different from those in the arsenal of your average thug. While you’re walking down the street, a pickpocket may steal your wallet. But a cyber criminal can—with relative anonymity—commit the equivalent crime from anywhere in the world. And he or she can do it at Internet-speed against millions of victims simultaneously. With so many potential targets, it’s a numbers game, and the cyber criminal is bound to come away with more than $17.00, a gym membership card, and a couple of photos.

So who are these cyber criminals? Are they a bunch of smart kids who are interested in hacking and have too much time on their hands? Are they curious people who are simply experimenting? The answers to these questions have changed. The new enemy is not experimenting; he is a criminal committing cyber crime for financial gain.

The Shrinking Vulnerability Threat Window

Elements within this section were influenced by an exceptional chronology of threat evolution in Mark Egan’s book titled The Executive Guide to Information Security. The time between the moment a criminal discovers your vulnerability and the moment he exploits that vulnerability is shrinking. This period of time is called the vulnerability threat window. Through the 1980s and 1990s, most organizations were concerned with getting a virus, a worm, or perhaps being the target of a denial-of-service (DoS) attack. These threats haven’t gone away, but new threats and theoretical threats have entered the mix—Blended Threats, Warhol Worms, Flash Threats, and Targeted Attacks. These newer threats do more damage and are more costly to the victims than their predecessors were.

Blended Threats use multiple paths to propagate, such as e-mail, file sharing, and the web. Most took days or even months to spread. That was true until Code Red and Nimda were released, when the industry saw attacks propagating in just hours. These events were a wakeup call for organizations that didn’t have the appropriate patches or countermeasures in place.

The vulnerability in Microsoft IIS that Code Red exploited was discovered on June 18, 2001. Within the following forty-eight hours, Microsoft had a patch available for download, and the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University released an advisory. As soon as the patch was applied, patched systems were safe from Code Red. Exploitation of unpatched systems didn’t begin until July 12, 2001. This vulnerability threat window was relatively large. The accumulated total cost to organizations was $1.2 billion, and worldwide, more than three hundred and sixty thousand servers were impacted.

On September 18, 2001, Nimda—“admin” spelled backwards—began spreading. Nimda was a rollup worm, which means that it used vulnerabilities in Microsoft IIS as Code Red did, and it also leveraged vulnerabilities in the Internet Explorer web browser and in the Windows operating system. Within twenty-four hours, an estimated 2.2 million systems were infected at a cost of over a half-billion dollars. As with Code Red, the patches for the vulnerabilities Nimda used were available well in advance of the exploit.

In 2002, Nicholas Weaver at UC Berkeley published a theoretical paper called Warhol Worms, in which he describes how the entire Internet could be brought down in fifteen minutes. The name Warhol comes from Andy Warhol’s statement, “In the future everyone will be world-famous for fifteen minutes.”

While the Internet hasn’t seen any practical representation of this type of threat yet, there have been some that were close. The Slammer Worm spread so quickly that it doubled its infection rate every 8.5 seconds, and within ten minutes, 90% of all vulnerable systems were compromised. Within only three minutes, infected systems looking for others to infect were propagating scans at a rate of 55 million scans per second. Only seventy-five thousand systems were impacted, but the Slammer Worm still caused massive outages—especially in the financial and airline industries. The worm disabled the safety systems of the Davis-Besse nuclear plant in Ohio, and those systems were down for several hours. In regard to speed and effect, Slammer spread two orders of magnitude faster than Code Red, but impacted fewer systems, primarily because faulty code limited its ability to scan for new systems. As with Code Red and Nimda, patches to protect from Slammer were available well before the exploit.

Researchers are hypothesizing that Flash Attacks will be next. These are attacks that haven’t yet occurred, but that will build on Blended Threats and Warhol Worms. Since human response time will be insufficient, only automated response can succeed in dealing with them. These attacks will spread globally and holistically within seconds to minutes, and the vulnerability threat window will be less than a day.

The size of vulnerability threat windows can be understood by considering who is writing the exploit:

  • Skilled programmer: weeks to months

  • Expert exploit writers for hire and organized crime groups: days to weeks

  • Nation-state threats: hours to days

So far, the smallest vulnerability threat window we’ve seen has been in the Witty Worm, at only thirty-six hours, and perhaps in the Zotob Worm, which was arguably just as short.

Considering that patches for the other vulnerabilities were available months in advance but still had not been applied, chances are good that in the future, with a two day window and an equally effective exploit, the results will be devastating. The Witty Worm didn’t get nearly as much press as some of the others, but it did infect twelve thousand systems, and virtually none of these were home users. This particular attack targeted mission-critical servers running specific software. Some interesting points: Witty specifically attacked security software; of the twelve thousand vulnerable and exposed systems, all were infected; this was done within only forty-five minutes.

Targeted Attacks are aimed at a pre-determined victim. This may be a specific machine, organization, business vertical, country, etc. However, because of their focused nature, Targeted Attacks spread faster and can be more exacting within their target group.

Motivations for Cyber Criminal Activity

Attacks on computer systems go back much farther than the last twenty years. The first attack may be said to date back to the early 1800s when a gentleman by the name of Joseph Jacquard developed an automated means of weaving for the textile industry. This automation solution was, in fact, the forerunner to the computer punch card. Several employees at the facility were afraid that they were about to lose their jobs. Therefore they sabotaged the technology.

Interestingly, we may then say that the first computer crime was perpetrated by insiders.

While the specific reasons for cyber attacks will differ, the motivations tend to be the same as in traditional criminal activity. Whether the perpetrator starts off with criminal intent, gradually becomes a disgruntled insider, or is an intelligence operative with a foreign government, there are common motivators.

  • Greed (the desire or need for money)

  • Power

  • Revenge

  • Politics

  • Fear

  • General malice

  • Excitement

In Ira Winkler’s book, Spies Among Us, he writes that there are four psychological weaknesses that individuals try to exploit when recruiting agents to betray their country. According to Winkler, the four weaknesses are: money, ideology, coercion, and ego (MICE). Money is clearly the primary motivator for most of today’s attacks—both from insiders and external entities.

In addition to these motives, there are certain general conditions that must also be met for a criminal—cyber or otherwise—to commit a crime. In a paper titled “The Insider Espionage Threat,” Richards J. Heuer, Jr. of the Defense Personnel Security Research Center details the conditions of opportunity, inhibitions, and triggers.

  • The opportunity to commit the crime—access to the target or a relationship with individuals who have access to the target—must exist.

  • The criminal must overcome natural inhibitions to criminal behavior—loyalty, friendship, dread of the repercussions if caught, and/or religious values.

  • A trigger must exist to give the criminal the final push. This trigger may be a financial or family issue, work-related stress, substance abuse, gambling problems, or coercion; or it may be political.

There was a time when hooliganism—such as defacing a Web site for street credibility—was the motive. In these cases, the perpetrator might leave a tag such as an individual or group insignia on the Web site, or brag to other hackers online through BBS (Bulletin Board Systems) or IRC (Internet Relay Chat). They enjoyed seeing their work displayed on Web sites like Attrition.org which, since 1995, had archived web defacements by online vandals. There were plenty of attacks of this type, so many in fact, that in May of 2001, Attrition.org announced that it would stop tracking the online graffiti because it was requiring too much time to keep up.

Today’s cyber criminals are not defacing Web sites or crashing servers for fun. (Though there may be exceptions to this, such as those online activists who correctly or incorrectly are associated with denial-of-service attacks and web defacements.)

We see an example of political motivation in the August 1999 event when Chinese and Taiwanese hackers squared off and hacked each other’s government Web sites.

Today’s cyber criminals are not looking for recognition; in fact they go to great lengths to hide their identity. They certainly aren’t going to brag about their exploits on IRC, but they do create original exploits and may share them within the underground community. They do this in order to exchange their code for other exploits and to be allowed into an inner circle of exploit writers where they may increase their own knowledge. Sharing code amongst a group also makes it harder to trace the exploit’s origin back to a specific individual.

An exploit is a “digital fingerprint.” If the fingerprint can be traced back to a few key sources, an investigation can move quickly to the point of origin. If, however, there are thousands of sources, finding the point of origin can be difficult, if not impossible.

If a cyber criminal writes an exploit and successfully uses it, eventually it will be discovered, and that may lead to his arrest. Now, if that same cyber criminal shares the exploit, which in turn is propagated to others, and so on, it makes associating a particular attack with any one person or group much harder. The drawback for the cyber criminal is that this also increases the general knowledge of these exploits, and organizations may implement more safeguards and be compelled to patch their systems more quickly. This cuts short the usefulness of the criminal’s code.

Again, the goal in most cases is to provide a safe conduit for feeding the criminal’s greed. The longer the exploit can be used, the greater the return on his investment.

Beyond these motivators, cyber criminals actually have several characteristics in common.

In his thesis, A Social Learning Theory and Moral Disengagement Analysis of Criminal Computer Behavior, Marcus K. Rogers of the University of Manitoba lists them. He says cyber criminals:

  • Possess skill with—and exuberance for—technical knowledge

  • Are morally disengaged

  • Are introverted—often loners and socially inept

  • Possess an over-exaggerated sense of self worth

  • Are obsessive

  • Are prone to emotional distress, disappointment, and disgruntlement

  • Possess a sense of entitlement

  • Are angry with authority

  • Are ethically flexible

  • Have a reduced sense of loyalty

  • Lack empathy

  • May be imitating and modeling those whom they respect

Rogers further states that people usually don’t engage in reprehensible conduct unless they have justified it to themselves. Making yourself think that what you’re doing is okay puts your conscience at ease. Blaming the victim or circumstances may also do this. Many of his interviews with convicted hackers demonstrated that the hackers were primarily concerned with fulfilling their own needs—typically money—regardless of the consequences.

There are several ways to turn cyber crime into a profitable endeavor. One way is to enter the black market.

Black Markets

Tracking cyber criminals as they interact in on-line black markets is difficult because, as I’ve said, the criminal can be virtually anywhere. In addition, the criminals operate anonymously and can turn their operations on and off rapidly. Some simply cash out, which means that they sell the information—over IRC for example. In many cases they sell the same information over and over again. They may even scam an organization—such as a money transfer business—into being their intermediary. And they may have mules—individuals with fake IDs—pick up the money. When interacting with black markets, a growing number of criminals use a variety of mechanisms to conceal their identities. These mechanisms may take the form of false identities, encryption, underground auction servers, and/or dial-up connections to private off-line servers. We can think of auction servers as a malicious variant of eBay through which criminals sell and bid on-line on identity information, account information, and the like. The private off-line servers are more exclusive and harder to find. These servers generally take the form of bulletin board systems that invite individuals to dial in and participate.

While this type of criminal behavior can be hard to track, the collection of actual money can make the criminals vulnerable. If they use any mainstream financial institutions during the process, transactions can be flagged by financial investigators. In fact, some law enforcement stings operate by paying for the information and arresting the criminal when he goes to collect the money. However, as with most crimes, there is no ideal method that always works for law enforcement or, for that matter, always works for the criminals.

Criminals sometimes use compromised systems belonging to legitimate businesses whose owners don’t realize that they are hosting illegal activity and content. Often the illegal content resides directly on these servers. For years these have been common mechanisms for exchanging computer exploits, pirated software, movies, music, pornography, and now, personal and financial information. These distribution channels are typically set up with a central navigation server that directs the client to one of the various compromised servers—depending on what the client would like to download. This is an extremely dynamic method of distribution, because new servers are continually coming up while other servers are being discovered and taken down.

One thing that draws criminals to cyber crime is that one can remain anonymous while operating globally. Today, there are a number of mechanisms to help criminals remain anonymous. These mechanisms were developed to maintain privacy—not to enable criminal activity—but with the Internet, we have to take the good with the bad.

  • Anonymous Proxy Servers, some free and some commercial, are popular and allow anonymous web browsing. Just point a browser at the proxy server, and it will do the surfing and relay the information back to the requesting system while keeping the source information anonymous.

  • Anonymous File Transfer Protocol (FTP), News, IRC, e-mail, and other popular applications can also be used through available anonymizing software.

  • Anonymous services; for a fee, some companies provide a network infrastructure through which one can connect and travel the Internet while remaining anonymous and keeping no audit logs.

  • Anonym.OS LiveCD is an example of a bootable operating system complete with security, encryption, and anonymizing software that allows a user to drop in a CD, boot up, and have a variety of wired and wireless network connectivity choices for secure and anonymous activity.

  • Tor Onion servers are an example of a free service that can anonymize several Internet services, including web browsing, instant messaging (IM), IRC, and encrypted communication such as Secure Shell (SSH). Within the Tor community of hundreds of thousands of users, communications are distributed among several non-logging onion routers which are actually servers within the community that act as relays without keeping a history of the source or destination. The entire path of communication, from the original source to the destination, remains hidden. It is interesting to note that funding for Tor research came partly from the Office of Naval Research (ONR) and Defense Advanced Research Projects Agency (DARPA).

Another technique involves criminals’ hiding—or at least obfuscating—their identity. A West Indies company called E-gold Ltd. will not perform transactions involving national currencies or bank accounts. Since it does not process sovereign currency, this type of business slides under the radar of the Secret Service. This allows individuals to exchange goods and services for gold. However, even with this or any other framework for exchange, at some point a conversion must be made into money, and in most cases those transactions are tracked. Additionally, it isn’t clear that financial frameworks like this one and the anonymous services would fold under governmental pressure and John Doe lawsuits, thereby assisting authorities with tracking and identifying criminals.

Typically a John Doe suit, sometimes called a cyber slap, will be filed by an organization that provides the defendant’s real name as soon as that name is available. Next the organization will subpoena the owner of the financial intermediary, Web site, university, ISP, or whatever organization can trace events back to a specific person. For example, in 2005, an anonymous posting to a Yahoo message board disclosed proprietary information that belonged to another organization. The organization filed a John Doe suit and subpoenaed Yahoo. In reference to the case, Dallas attorney Michael Linz, who had handled a John Doe lawsuit for the American Civil Liberties Union, stated that Yahoo wasn’t responsible for postings, and that it was not going to do anything to protect privacy. In such cases, Yahoo’s policy is simply to notify the individual who did the posting and tell him that Yahoo has been served. It then tells him that from the date of that notification, there will be fifteen days to file a motion against the subpoena, and if it is not filed within that time, Yahoo will turn over the information the subpoena calls for.

Hackers

It’s important to add a quick disclaimer in regard to the term hacker. Without getting into a philosophical debate regarding hackers and hacking, I’ll simply say that the terms were initially not related to any type of criminal activity. Rather, they described individuals with a strong thirst for knowledge who possessed a heightened technical aptitude. A hacker was a person who enjoyed pushing the limits of technology and making something perform a function that it was not initially intended to perform. Today, the media largely uses the terms hackers, crackers, cyber criminals, and the like interchangeably. The individuals and groups that I refer to in this book are not the classical hackers, but are those who use the hacker’s skills with malicious intent. I’ll refer to these people as cyber criminals, malicious insiders, attackers, or simply as criminals who also happen to have a computer.

Script Kiddies

I’m only mentioning this group as a way of showing the juxtaposition of script kiddies contrasted against true cyber criminals. Script kiddies, when compared to the other cyber criminal groups, are technologically unsophisticated. They generally fall into the FBI’s SAM profile—Socially Awkward Male. They desperately want to belong and be acknowledged as hackers. They use scripts and applications written by others, but lack the level of skill to be considered more than a novice. They also fit the media’s stereotypical image of the rebellious teenage hacker.

From the perspective of most organizations, script kiddies are nuisances. They run port scans checking for open conduits of communication; they attempt to crash servers or even take control over them, but they typically do little more than create a lot of log files and network noise for the organization they are attacking. They spend hours launching Linux server attacks against Microsoft Operating Systems. They revel in the excitement of getting access to a system, and they brag to their friends online. Then they may find that it wasn’t a system that they had actually accessed, but rather that it was a honey pot or honey net—a server or network of servers set up as a trap to contain and monitor malicious activity. The honey pot looks interesting to a script kiddy, but it contains nothing sensitive.

A script kiddy’s primary motivation is to obtain bragging rights—which, in a way, makes him one of the few persons discussed here who is still merely looking for approval from his peers. In general, script kiddies cannot sell their limited skill for profit and are not a significant threat. I say “in general,” because they can always get lucky, and even if they do not, their incessant probing of the network can create data overload that hides real attacks among the tsunami of alerts and logs generated by network devices, servers, applications, and security products. This in turn can allow criminals to target an organization with greater stealth. Ultimately, it is these criminals, not the script kiddies, who pose real risk. However, script kiddies do sometimes make the transition to actual cyber criminal.

Solitary Cyber Criminals and Exploit Writers for Hire

I’m going to be spending some time discussing organized groups of criminals, many of which span the globe. However, I don’t want to overstate the issue by ignoring the existence of the solitary cyber criminal. Not all criminals play well with others.

These individuals perform the same types of attacks as the organized groups do; they simply have fewer resources. A skilled programmer working alone may take a few months to write an exploit for a vulnerability he reverse-engineered, but an organized group of criminals, such as a drug cartel, may apply enough programmers, money, and technology to shorten that process to just weeks or even a few days.

Exploit writers for hire are cyber criminal freelancers. They are typically very skilled programmers with an in-depth understanding of networks, operating systems, and applications. They sell their code for financial gain and, in most cases, are indifferent to the consequences and the intentions of the person to whom they’ve sold it.

Historically, exploits such as worms and virus code were written to spread quickly and cause damage. New exploits are designed to allow additional features for the attacker by doing the following:

  • Turning a target system into a spam or phishing relay

  • Turning target systems into hosts for illegal software, DVDs, music, and the like

  • Remotely controlling targets to leverage them to attack other targets

  • Installing spying software—such as sniffers that monitor network traffic and keyloggers that record keystrokes—to capture sensitive information like passwords

To calculate how much the exploit writer will be paid by his benefactor, one must know a combination of things. How many targets (an estimate of patched versus unpatched devices) are there? What is the probability of the targets being patched following the exploit? One must also know how unique the exploit is. Is the writer just reusing existing exploits and putting a new twist on them?

It is also worth mentioning that most security professionals agree that for every known and patched exploit there are probably two or three that aren’t yet known. Again—this new breed of cyber criminals will go to great lengths to keep their code, intentions, and tactics hidden. For them, it comes down to a return on their investment. If they spent one hundred thousand dollars to create the exploit and build infrastructure to leverage it, then they want to use it as long as possible before having to reinvest in another scam.

A good example of an exploit written for profit is the Zotob Worm mentioned earlier. Zotob was written by an eighteen-year-old programmer who was paid to write a specific exploit after the vulnerability it was to attack had been identified and a vendor patch had been released for Windows. His benefactor contracted him to write code that could be leveraged for financial gain. While the exploit itself wasn’t terribly interesting, some things did stand out.

  • The vulnerability threat window was only a couple of days.

  • It scanned for potentially vulnerable Windows machines before launching the exploit—and by doing so, exhibited more intelligence than many other worms.

  • Once a system was exploited, the system would download more code to start the entire process of scanning and exploitation over again.

  • It received a lot of coverage—but this was because it was the media, such as CNN and ABC, that was hit.

  • Once it was in the wild, within a few days there were about a dozen known variants of the exploit. Some variants would try to remove each other from the target system in battles for ownership.

  • Finally, the average cost to an organization hit by Zotob or its variants was estimated to be ninety-seven thousand dollars, plus about eighty hours in cleanup for the IT staff.

Not all exploit writers create code to target businesses. Some design code that can be sold to target individuals. For example, the spyware purveyor Carlos Enrique Perez-Melara was indicted for distributing code called Loverspy. For eighty-nine dollars, anybody could purchase the exploit. The purchaser would visit a website and then choose an electronic greeting card with such options as puppies, kittens, and flowers to send to his target. Within the e-card there was hidden malware. For the eighty-nine dollars, this malware e-card would be e-mailed to up to five targets. Upon opening the card, the malware was secretly installed on the target’s PC. From that point on, all activity—including e-mail, web access, and entered passwords—was captured and forwarded to the purchaser. Also, the purchaser could now remotely control the target’s PC functions—including reading, modifying, and deleting files. More than one thousand people purchased Loverspy, and it was installed on over two thousand systems. Authorities were made aware of the program by a tip from someone who received a Loverspy spam advertisement.

Exploits like these can be costly, embarrassing, and dangerous, but they don’t come close to the potential damage that groups with larger financial resources—groups such as organized crime and nation-states—can cause.

Organized Crime

There is no doubt that cyber crime is on the rise and becoming more organized. Like any other business—legal or otherwise—by organizing, those involved can increase growth and decrease risk. With the greater resources, funding, and technology that result from combined efforts, they are more efficient and effective. By jointly focusing their efforts, they reduce risk and increase the reward—hence, increased involvement by organized crime. The methods used are typically the same in both the virtual world and the real world: fear, blackmail, extortion, and other tactics that you might expect to see in a crime movie. Examples of organized crime groups now involved in the cyber world are the Italian Mafia, Russian Mafia, Colombian and Mexican cartels, Asian Triads, and Nigerian Criminal Enterprises.

Gambling sites have been a major target for these organized crime groups. With over two thousand sites, a projected $11.6 billion in combined revenue for 2006, and with little legal recourse, it is obvious why they are targeted. It reminds me of the all too famous quote from Willie “The Actor” Sutton, a bank robber in the United States in the 1950s. They asked him, “Hey, Willie, why do you rob banks?” A reporter claimed that Willie’s answer was, “Because that’s where they keep the money.” While the reporter fabricated this quote, the premise—i.e., not ignoring the obvious—rings true.

Just as an aside, Willie’s actual response to the question, “Why did you rob banks?”, was quite a bit different and helped to show that excitement was really his primary motivator. His real answer to this question, outlined in his book, was that not only did he simply enjoy robbing banks, but he loved robbing banks! It made him feel alive, so much so that when he was done robbing one, he couldn’t wait to rob another. To Willie, the money was merely a trophy.

Attacking online gambling establishments is especially common before major sporting events. Why? Because that’s when potential gambling revenue is highest. Equally high is their risk of losing that money to criminal intervention. It works like this: Prior to the site’s most lucrative events, the criminals create an incident—a show of power—such as crashing a single server. Then they demand payment (also known as protection) to prevent more damage and loss of revenue. That’s a powerful incentive to pay up.

Following attacks from extortionists that have shut their sites down, online gambling sites are increasing security safeguards. BetWWTS.com paid thirty thousand dollars in extortion money when hackers took down their site. However, they didn’t pay until the assault made it impossible for customers to bet and they were losing money. They’ve estimated a loss of $5 million. According to its president, another site, BoDog Sportsbook & Casino in Costa Rica, promptly paid twenty thousand dollars when hackers took down its site, in order to avoid a similar financial loss.

In late October of 2004, the U.S. Secret Service announced to the media that in eight states and six foreign countries, they had arrested members of organized rings of identity thieves and fraudsters known by the group affiliations, Shadowcrew, Carderplanet, and Darkprofits. Working together, officials from the U.S. Secret Service, local and federal law enforcement and their counterparts in Bulgaria, Belarus, Poland, Sweden, the Netherlands, and Ukraine, arrested twenty-eight suspects in what has been called “Operation Firewall.” The suspects had over 1.7 million stolen credit card numbers, and were responsible for over $4.3 million in losses to financial institutions.

Ralph Basham, director of the Secret Service, said, “Information is the world’s new currency. These suspects targeted the personal and financial information of ordinary citizens as well as the confidential and proprietary information of companies engaged in e-commerce.”

Identity Thieves (Impersonation Fraudsters)

While identity thieves traffic in counterfeit credit cards and counterfeiting tools, even more disturbing is the theft of identification documents—passports and birth certificates—that can be used to gain access to a country under a false identity. Identity thieves have even stolen the credentials of newborns.

Sometimes identity thieves traffic in entire wallets. Here, “wallet” is shorthand for the collection of information about a specific individual that can be used to impersonate that person. This includes address, phone numbers, mother’s maiden name, financial data, social security numbers, and the like. From a purely financial perspective, the impact of this type of fraud on a consumer may be fairly limited. Some banks will not charge the victim anything, while others may charge a fee as small as fifty dollars. But the additional issues that arise are significant.

The victim must now call all the credit reporting agencies and put fraud alerts on accounts, change credit card account numbers, change bank account numbers, pore over financial statements, make calls, send letters, and endure other similar headaches. This is far more painful than losing fifty dollars.

In some extreme cases, if an individual has exhausted all other resources, they may even opt to change their social security number. This is a difficult and time-consuming process, and requires the individual to notify everybody that uses their social security number and explain the situation to them. This can be a huge list when considering areas related to healthcare, employment, finance, education and so forth. Because of the level of hassle involved, only about 1,000 people actually changed their numbers in 2005.

For the financial institution, credit card agency, retailer or whomever the information may have been stolen from, the pressures associated with notifying and placating millions of disgruntled customers can be extremely painful. In addition, the institution must now set up new accounts and reissue new credit cards costing about ten to twenty-five dollars each. Legislation is in place that applies more pressure to organizations that have had their information compromised.

California was the first state to address this issue. California Senate Bill 1386—also known as the California Information Practice Act—states that organizations that have access to the personal information of California residents (even one customer or one employee in California) must notify that person if his or her data has been, or may have been, illegally accessed. This bill specifies that personal information has to include only the individual’s first name or first initial and last name in combination with any of the following:

  • Social security number

  • Driver’s license number

  • California Identification Card number

  • Account numbers

  • Credit card numbers

  • Personal Identification Numbers (PINs) and passwords
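As an added illustration that is not part of the book, the notification rule summarized above expressed as a breach-triage check: given the field names present in a compromised record and what the investigation established about access, decide whether the record requires a notice. The field names and the three exposure states are my assumptions, and the rule follows the text’s summary of SB 1386 rather than the statute’s full wording.

```python
from dataclasses import dataclass
from enum import Enum

# Data elements that, combined with a name, make a record "personal information"
# in the text's summary of SB 1386. Field names are assumed, not taken from the statute.
TRIGGER_ELEMENTS = frozenset({
    "ssn",
    "drivers_license",
    "ca_id_card",
    "account_number",
    "credit_card_number",
    "pin",
    "password",
})


class Exposure(Enum):
    """What the investigation established about access to the record."""
    RULED_OUT = "ruled out"      # forensics showed the data was never reached
    POSSIBLE = "possible"        # access cannot be excluded (e.g. poor logging)
    CONFIRMED = "confirmed"      # access verified


@dataclass(frozen=True)
class ExposedRecord:
    """Field names present in one compromised record (constructed, not real data)."""
    fields: frozenset
    california_resident: bool


def has_name(fields):
    """Name test: last name together with either the first name or the first initial."""
    return "last_name" in fields and ("first_name" in fields or "first_initial" in fields)


def notification_required(record, exposure):
    """Return (required, reason) for one record.

    The law as described requires notice when the data "has been, or may have been"
    accessed, so POSSIBLE exposure triggers notice just as CONFIRMED does.
    """
    if not record.california_resident:
        return False, "record does not belong to a California resident"
    if exposure is Exposure.RULED_OUT:
        return False, "access to the data was ruled out"
    if not has_name(record.fields):
        return False, "no qualifying name present"
    triggers = sorted(TRIGGER_ELEMENTS & record.fields)
    if not triggers:
        return False, "name present without any qualifying data element"
    return True, f"{exposure.value} access to name plus {', '.join(triggers)}"


def triage(records, exposure):
    """Return only the records for which a notice must go out."""
    return [r for r in records if notification_required(r, exposure)[0]]


if __name__ == "__main__":
    # Constructed sample: a customer table where only some columns were in the dump.
    sample = [
        ExposedRecord(frozenset({"first_initial", "last_name", "ssn"}), True),
        ExposedRecord(frozenset({"first_name", "last_name", "email"}), True),
        ExposedRecord(frozenset({"last_name", "credit_card_number"}), True),
        ExposedRecord(frozenset({"first_name", "last_name", "password"}), False),
    ]
    for rec in sample:
        print(rec.fields, notification_required(rec, Exposure.POSSIBLE))
    print(f"{len(triage(sample, Exposure.POSSIBLE))} of {len(sample)} records need notice")
```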

About twenty other states have followed California’s lead. New York has its Information Security Breach and Notification Act, and Washington has SB-6043. The primary objective behind these notifications is to make it embarrassing and costly for the companies that become victims.

An ancillary effect of these laws is that the alerts are sometimes ignored because of false positives. I’ve talked to people who have received multiple notifications from multiple sources, sometimes in the same week. They may get these alerts immediately after verifying and changing their account information. As a result, people become indifferent—especially if they’ve received the notification and nothing malicious has happened. The law demands that an organization report the incident even if the information was only possibly compromised, not just verifiably compromised. This is analogous to false positives on network intrusion detection systems (IDSs) creating data overload. With an IDS, if an organization is getting too many false positives, it can tune out the system. With too many notification letters from a bank, the recipient might just drop the notices in the shredder.

Dropping the notification in the shredder is a bad idea. It is true that an organization may not be able to verify that sensitive information was actually stolen (perhaps because the organization doesn’t understand what’s happening on its network, has poor logging practices with insufficient auditing, or monitors inadequately). However, individuals notified should still contact the organization and take action.

Consider a cyber criminal who has stolen ten thousand credit card numbers with corresponding information that can be used to make purchases online. In the past, it was doubtful that they could use more than a couple of hundred accounts before a pattern was discovered through financial fraud investigation or general security auditing. At this point, the criminals might think the remaining accounts too dangerous to use, so they simply discard them or perhaps sell the dead accounts to another criminal. Today, there are automated tools for leveraging a greater number of accounts more quickly. Also, the rest can still be sold off, often in auction form as discussed earlier, or through online or traditional black markets while the accounts are still alive.

There are several heated political debates over the correctness of laws like California Senate Bill 1386. I can understand the reasons for the debate. What if the organization did provide adequate protections and something bad happened anyway? Should they still be required to report the incident? Just because a company hasn’t been hacked into doesn’t mean it’s secure; maybe it’s just lucky—for now. On the other hand, a company may have had very strong security measures in place—perhaps stronger than all others—and still suffer an incident. That’s the thing about security countermeasures and safeguards; to be effective, they must work 100% of the time, while a cyber criminal needs to be successful only once.

But anyone involved in security for more than a week can tell you that there is no such thing as 100% security. Still, my perspective is that we are all consumers with sensitive information sitting on servers that we don’t control. We must hold the organizations housing this information responsible for keeping the data as secure as possible—monitoring access to that data, managing incidents efficiently and effectively, and notifying those affected promptly when something does happen. If they don’t have the means to meet these requirements, then they need to partner with somebody who does.

Regardless of my personal perspective on these state laws, they are gaining momentum with federal lawmakers, and they in turn are considering a national law. Senator Dianne Feinstein introduced the Notification of Risk to Personal Data Act, a bill modeled on California’s SB-1386. She’s stated that she strongly believes that an individual has the right to be notified when there is an information compromise of a sensitive nature—because that information belongs to the individual.

There are two other acts that are being discussed. They are the Data Accountability and Trust Act (DATA) and the Financial Data Protection Act, both of which were introduced in the House. With their current language, in terms of protecting the consumer, they are a step backwards from state protections such as 1386. However, they are subject to change—rather frequent change, actually—so only time will tell if these acts will morph into something that has national consumer protection teeth equal to state legislation like California’s SB-1386.

Here is a small cross-section of events over the last few years that have to do with identity theft and the general theft of sensitive, private information about individuals.

  • On April 13th, 2006, it was announced that U.S. military computer drives were stolen in Afghanistan and were being sold at local bazaars outside the military base. It was reported that according to locals, this is common, and that the Afghan workers on the base commonly steal and sell the technology. Some of the recently stolen information contains data on Afghan spies informing on al-Qaida and the Taliban. In addition, drives that contained documents marked “secret,” and those describing intelligence-gathering methods were being sold for forty U.S. dollars. It was also discovered that this particular stolen material contained the social security numbers of four American generals, letters from soldiers, and training information.

  • On March 13th 2006, the public was told of what was possibly the largest privacy breach in U.S. history. As a result of this breach, an e-mail marketing firm had to pay New York State $1.1 million. The firm had sent unsolicited e-mails to over 6 million individuals whose names were on a database that contained information which those individuals had been assured would remain confidential. According to Attorney General Eliot Spitzer, the settlement terms also require that some of the information in the database be destroyed, that in the future, the firm must never buy information of this nature—unless expressly permitted—and that they must appoint a chief privacy officer to oversee compliance.

  • On January 26th 2006, it was announced that the Federal Trade Commission fined ChoicePoint $15 million for not providing effective privacy and security for customer information. In addition to the public embarrassment and fines, ChoicePoint’s shares fell 6%, and their fourth quarter profits decreased 29%. ChoicePoint wasn’t hacked in the traditional sense; fraudsters set up bogus business fronts and tricked ChoicePoint into selling them the information. ChoicePoint has now embarked on an extensive remedial program to reduce the chances that anything like that can happen in the future.

  • In 2005, the state of California fined a division of Kaiser Permanente two hundred thousand dollars as a penalty for a breach that affected just 150 customers.

  • In February 2003, a hacker gained access to 10 million Visa, MasterCard, and American Express numbers by breaking into the database of a credit processor, DPI Merchant Services of Omaha, Nebraska.

  • On December 14, 2002, a thief stole laptops and hard drives from Tri West Health Care that contained the names, addresses, telephone numbers, birth dates, and social security numbers of five hundred and sixty-two thousand military members and their dependents.

  • In April 2002, hackers broke into the State of California’s Stephen P. Teale Data Center and gained illegal access to the sensitive personal information of about two hundred and sixty-five thousand state workers. The breach was not discovered until May 7, 2002, and employees were not notified until May 21, 2002.

Competitors

Often an organization’s success is in direct proportion to the failures of its competition. Since greed is one of the strongest motivators, it isn’t shocking that competitors may be potential enemies, and thus I include them here. Take for example a cyber attack from a competitor aimed at discovering a software development company’s source code, customer list, employee salaries, engineering drawings, marketing strategy, or details on a new product launch. Compromise of this information can be every bit as devastating as being targeted by identity thieves or organized crime rings.

In 2005, an Israeli couple was fined and sent to jail for selling a Trojan horse program that was used in industrial espionage between competing organizations. The malicious software was delivered through a web link or an e-mail attachment and infected the computer once installed. The couple apparently tried to sell it to Israel’s defense agencies before deciding to sell it to private investigators representing corporations. Some of Israel’s leading telecommunications companies and several private investigators have been indicted on related charges.

An example from the somewhat distant past is mentioned in Dan Verton’s book The Insider. He mentions an interesting case with Revlon cosmetics. In the 1940s, the secret name of each item in Revlon’s new product line showed up in an advertisement for Estee Lauder’s Clinique cosmetics line in Women’s Wear Daily. Viewing this as industrial espionage, Revlon’s founder Charles Revson increased security throughout the company and became an intelligence enthusiast, trying to avoid leaks while conducting intelligence gathering—even including wiretaps—in order to battle competitors.

Activist Groups, Nation-State Threats, and Terrorists

I’ve combined these three groups because threats associated with them are often sensationalized in the media. When compared to general crime for profit, they account for a much smaller percentage of attacks. However, as with organized crime groups, they have greater resources to put behind a cyber threat.

Activists

Activists try to bring about social or political change through action. When they do this online, they are sometimes called hacktivists. Many online activists focus on free speech, politics, human rights, and access to information. Some examples are listed below.

  • In 1997, activists exposed Project ECHELON to the world. An insider leaked information from the Government Communications Security Bureau (GCSB), New Zealand’s largest intelligence agency, and the details regarding ECHELON appeared in Nicky Hager’s book, Secret Power. Although not officially acknowledged as even existing, ECHELON is said to be a highly secretive signals intelligence and analysis network run by the UKUSA Community—an alliance of English-speaking nations that includes:

    • Australia—Defense Signals Directorate (DSD)

    • Canada—Communications Security Establishment (CSE)

    • New Zealand—Government Communications Security Bureau (GCSB)

    • The United Kingdom—Government Communications Headquarters (GCHQ)

    • The United States—National Security Agency (NSA)

Considering that the project’s name is now public, it likely has a new name, or it may be simply considered an obsolete project. In short, it is claimed that ECHELON was designed to capture radio, satellite, telephone, fax, and e-mail from anywhere in the world. Activists tried to use the Internet to disrupt ECHELON’s surveillance capabilities and to alert the greater public to its existence.

In the past, there have been tools similar to those used by ECHELON, whose utilization by government agencies and law enforcement has created controversy. Two examples of such tools are Carnivore (an Internet surveillance tool that has reportedly been retired) and Magic Lantern (a keystroke logger that could be remotely installed).

Insider actions and activism surround this next example. As with many things, whether this one was malicious or honorable depends on interpretation. Katharine Teresa Gun is a former employee of the Government Communications Headquarters (GCHQ)—a British intelligence agency; she is regarded as a malicious insider by some and as righteous by others.

Gun was a translator for the GCHQ’s eavesdropping center. Just a few weeks before the Iraq War, she alleged that the US had requested help from the British government to conduct surveillance on certain members of the UN Security Council.

Katharine was an anti-war activist and had even marched in London to protest war in Iraq. Believing that the war was illegal, she leaked to the British media the request that the U.S. had supposedly made. Once the information was published in newspapers around the world, and following an internal investigation, she was charged under the Official Secrets Act with disclosing secret government information, and she confessed.

In her defense, Katharine publicly stated:

“I worked for GCHQ as a translator until June 2003. I have been charged with offences under the Official Secrets Act. Any disclosures that may have been made were justified on the following grounds:

Because they exposed serious illegality and wrongdoing on the part of the U.S. Government who attempted to subvert our own security services, and

To prevent wide-scale death and casualties among ordinary Iraqi people and U.K. forces in the course of an illegal war.

No one has suggested (nor could they), that any payment was sought or given for any alleged disclosures. I have only ever followed my conscience...”

The case was dropped in February 2004.

Two more examples of activism are expressed below.

Activists managed to break into computer systems at the Bhabha Atomic Research Center in India to protest against nuclear weapons tests.

Bronc Buster, later a member of the activist group Hacktivismo, disabled firewalls to allow Chinese Internet users uncensored access.

Nation-State Threats

Nation-State threats come in the form of traditional spies, cyber spies, and others. Most countries—Israel, the U.S., China, and many others—have intelligence agencies in which cyber espionage, cyber warfare, and hacking are a component. In the year 2000, more than one hundred countries were putting together an information warfare capability. For example, a North Korean military academy known as the Automated Warfare Institute has been graduating about one hundred “hackers” per year for over twenty-five years. Individuals go through a five-year training program in computer warfare run by the Korean People’s Army (KPA). But again, for most organizations, the threat is smaller than that associated with criminals.

The intelligence organizations of the world have the capacity to be a more formidable cyber threat than any other. They have resources similar to a military organization with big budgets, lots of technology, and lots of people. There are several of these organizations around the world, and some countries like the U.S. and China have multiple organizations. Below are a few examples.

China

  • Chinese People’s Liberation Army (PLA)

  • Ministry of Public Security—Peoples’ Armed Police

  • Ministry of State Security (MSS)

  • New China News Agency—Xinhua

  • And many others

France

  • Directorate of Defense Protection and Security (DPSD)

  • Directorate of Military Intelligence (DRM)

  • General Directorate for External Security (DGSE)

  • Intelligence and Electronic Warfare Brigade (BRGE)

  • And many others

Russia

  • Central Intelligence Service (CSR)

  • Foreign Intelligence Service (SVR)

  • Main Intelligence Directorate of the General Staff (GRU)

  • Presidential Security Service (PSB)

  • And many others

United Kingdom

  • Government Communications Headquarters (GCHQ)

  • MI6 Secret Intelligence Service (SIS)

  • Various groups within the Ministry of Defense and Home Secretary, including MI5 Security Service and Metropolitan Police (Scotland Yard)

  • And many others

United States

  • Central Intelligence Agency (CIA)

  • Defense Intelligence Agency (DIA)

  • Federal Bureau of Investigation (FBI)

  • National Security Agency (NSA)

  • Various Defense Department organizations including Military Intelligence and federal agencies, including the Drug Enforcement Administration (DEA) and the Department of Energy’s (DOE) Office of Intelligence

  • And many others

In late 2005 there was a much-publicized story about a group of Chinese hackers that the U.S. government refers to as Titan Rain. This group conducted intelligence gathering against sensitive U.S. computer systems, including those belonging to the military. The team is thought to be made up of about twenty hackers working out of the Guangdong Province in China.

Also in 2005, the U.K. announced that its Critical National Infrastructure (CNI) was a target of attacks coming from the Far East. These attacks focused on government, finance, transportation, and telecommunications systems.

In Bruce Schneier’s book, Secrets & Lies, he points out that the FBI estimates that up to twenty national intelligence organizations are partly focused on U.S. companies in the hope of successfully conducting industrial espionage. Their purpose is to relay information to companies in their own countries. China is widely considered the worst offender, but France and Israel are also high on the list.

When addressing Nation-State threats, it is important to consider espionage and who commits it. An unclassified database maintained by the Defense Personnel Security Research Center (PERSEREC) in Monterey, California (now called the Security Research Center of the Defense Security Service), was used to compile espionage statistics from one hundred and fifty unclassified cases over the last fifty years. Below are some of the results.

  • Over 79% of Americans arrested for espionage either volunteered to work with foreign agencies or were recruited by an American friend.

  • Counterintelligence groups caught 26% of Americans arrested for espionage or attempted espionage before they were successful; an additional 27% were caught within the first year.

  • During the past twenty years, Americans have been arrested and convicted of spying for South Korea, Taiwan, the Philippines, Israel, Greece, Saudi Arabia, Iraq, Jordan, Ghana, Liberia, South Africa, El Salvador, and Ecuador—in addition to Russia, the former Soviet Union, China, and the various formerly communist countries.

In a paper titled “Espionage by the Numbers: Statistical Overview” by Richard J. Heuer, Jr. at the Defense Personnel Security Research Center, he states that money—either the need for it or simple greed—is a motivating factor for espionage in about 69% of the cases. Further, in 56% of the cases, it was the only motivator. Heuer further states that 27% of the cases were related to disgruntlement or revenge, while 22% of the cases were related to ideology. Interestingly, 17% of the cases were based in a desire to please friends and family, 12% were for excitement, 4% were to feel important, while only 5% were coerced.

Since money—“need or greed,” as Heuer states it—is the primary motivator, a question is often posed regarding how much money can be made. It is difficult to estimate the value of information from a cyber crime. Insiders may have access to anything from a few account numbers all the way up to the source code for a missile guidance system. The value will shift depending on where they’re selling this information. In Heuer’s study, he looked at sixty-four spies who took cash payments. Note that some of these incidents happened over fifty years ago, so the numbers in some cases seem relatively small. Also, the numbers are only in regard to known payments:

  • 11% received less than $1,000

  • 17% received $1,000 to $9,999

  • 26% received $10,000 to $99,999

  • 12% received $100,000 to $999,999

  • 4% received $1,000,000 or more

One fact that we can take away from this study: Whether the criminal is working for an organized crime group or is an insider, the key motivations are similar, and the prevailing motivation is money.

Terrorists

When I started writing this book, I had many discussions with industry leaders about the terrorist threat. Unless national security or critical infrastructure organizations were involved in the conversations, the cyber risks most organizations were concerned with were less than technologically sensational. The theme of their concerns was terrorist action supported by some type of cyber terrorism enabler. For example:

  • A terrorist, masquerading in his e-mail as a fire chief, sends out a message to all those in an office building telling them to ignore the upcoming fire alarm because it’s a test. Then he lights the building afire.

  • A terrorist intercepts international travel arrangements for key executives in hope of kidnapping them and holding them for ransom.

  • A terrorist group steals intellectual property from a corporation in hope of selling it to a competitor and using the funds to further their cause.

In most organizations, cyber terrorism is far less likely to occur than crime for profit. But cyber terrorism gets more hype and media coverage than all the other cyber threats put together. It is important to understand that people aren’t exactly lining up in droves to be terrorists and strapping on bombs. Regardless of country of origin, religion, political beliefs and other drivers, they don’t have massive numbers; if they did have the numbers, we would simply see more terrorist activity. In fact, while it makes perfect sense in a cyber attack for a terrorist to simply recruit an insider instead of attacking an organization head-on, they must first find an insider that is ready and willing. This is easier said than done, because an insider willing to commit acts of terrorism possesses an entirely different disposition than an insider interested in making a few thousand dollars by selling secrets to competitors.

Computer networks are rarely interesting targets for terrorists because they don’t tend to represent a clear political gain. As far as the accepted definition of terror goes, hacking a network isn’t rooted in violence against civilians for political or social change. If a major Internet exchange point such as MAE-East or MAE-West went down, there would be major Internet outages, but that doesn’t have the impact on people’s psyche that suicide bombers, car bombs, and taking hostages do. But to say that it doesn’t exist and that cyber-related terrorism isn’t a potential issue for the future is naïve. The Internet makes it easier for a cyber terrorist to stay anonymous while getting mass media attention. The Internet makes such activity less expensive; makes it possible for the terrorist to operate from anywhere; and it provides more targets—targets that are literally at the terror organization’s fingertips. And the Internet can impact a larger number of people—e.g., by using worms and viruses.

Key targets for terrorism will likely be critical infrastructure such as power and energy, communication, water and sewage, as well as government, military, and financial networks.

Many of the most critical networks are air gapped today—giving them greater protection from external terrorist actions because an attacker simply can’t connect from the outside; but this isn’t the case inside an organization. Insider threats from plants, moles, agents, and so forth, working in concert with external terrorists against critical infrastructure or national security organizations, are a significant risk. A terrorist working with an insider can cause considerable damage, especially, for example, if the attack is against a major intelligence or military organization during a military campaign. Even a small hiccup in the organization’s IT operations may yield harmful and life-threatening results. For the terrorists, this stops being a technical issue and becomes an insider recruitment, plant placement and coordination issue.

Insiders

Though this brief section is a primer (the next chapter is dedicated to insiders), I want to mention insiders here for completeness. In short, insider threats have the potential to be the most devastating, the easiest to perpetrate, and the hardest to detect, prevent, and manage of all threats. They are often the most politically and emotionally charged. For these reasons, insiders are the focus for all the case studies I’ll explore in the chapters that follow.

Insiders working alone are a threat for sure, but collaborative threats between an insider and an outsider can be especially difficult to prevent, detect, and manage. Working together, the insider can conceal the outsider’s actions, and the outsider can redirect suspicious attention away from the insider. Often, perpetrators are not successful without cooperation between the insider and outsider. I discuss this type of collaboration in some of the case studies to follow.

Larger organizations agree that insiders are the most critical threat. This is a fundamental shift in perception from just a few years ago. The fact is, insiders can no longer be ignored. Just a few decades back, it was common for a person to work for the same employer his or her entire life. It was equally common for multiple members of a family to work for the same employer. This isn’t the case today for most people in countries with a free market economy. Most individuals in these countries will have had more jobs by thirty years of age than both parents combined had throughout their entire careers. This means that few employees develop a sense of devotion and loyalty to an employer. Long-term employee loyalty—once an important safeguard for organizations—has nearly disappeared. While lack of loyalty isn’t the only reason that insiders commit malicious acts, it certainly needs to be considered. This issue has come up a number of times with financial organizations that I’ve worked with in London.

Over the years, I have traveled to London a number of times, and on almost every trip I’ve worked with at least a few financial organizations. An interesting thing about London’s financial organizations is their tight-knit security community. The security professionals who work for them tend to be relatively close. This type of industry-specific community is extremely beneficial in terms of sharing best practices, lessons learned, and general information. Another interesting point about this community is that most of the employees, consultants, and contractors have changed jobs so often that, at one time or another, they have each worked for the other’s organization. This in and of itself is cause for concern, but because of this dynamic, they have a feel for whether their security postures have gotten better or worse over time.

On my last visit, the trends were clear. While security appears to be getting better in regard to external threats, the long-time focus on the perimeter has virtually excluded focus on insider threats, so that internal threats are now the cause of much larger issues that I’ll detail in the coming case studies. Also, most of the financials share a common concern within the community: Individuals work for organizations for a few years and then move on to a competitor within the same business vertical. This move usually comes with a more lucrative employment package—a strong motivator for employees to frequently make the change. The issue is that each time they leave, they walk out with specialized knowledge from their former employer and possibly even with sensitive and confidential information. Multiply this by the number of employees making these migrations and then by the number of former employers they’ve had, and the issue quickly becomes quite large.

These concerns are certainly not limited to financials or the U.K.; they are a global concern. Even Asian countries, which have a tradition of employees having career-long allegiance to a single organization, are experiencing this problem. When I was in Beijing, I heard the same complaints from some of their largest telecommunication organizations who worry about their intellectual property and security safeguards being exposed.

IDC conducted a survey in 2005 in which they asked organizations if they felt the most serious threats were from internal or external sources. The results of the survey showed that as organizations get larger, their concerns about internal threats increase while concerns related to external threats decrease. Roughly 30% of the very large organizations felt that the threat was about equal. This is illustrated in Figure 1.1.

Figure 1.1. 

Tools of the Trade

The number of threats is growing at an increasing rate. Techniques used by criminals are becoming more sophisticated, faster, harder to detect, and can be much more damaging than those of the past. A discussion of all the combinations of exploits, techniques and threats, from port scans, Trojan horses, viruses and worms through buffer overflows, packet sniffing, and man-in-the-middle attacks, would require volumes and is outside the scope of this book. However, the increased number of threats makes it worthwhile to explore a cross-section of tools, techniques, and concepts, because they help illustrate the multitude of methods that criminals are using. Some examples of how these tools have been used and how the malicious individuals using them have been prosecuted can be found in Appendix A.

Application-Layer Exploits

With strong security safeguards, patched operating systems, and enhanced security configurations on network gear, many attackers have moved their focus to the application layer. This includes web applications, instant messaging, peer-to-peer (P2P) software, media players, business applications, backup applications, and even security applications. Since many security solutions don’t protect these applications, it is now open season for attacks. It is worth mentioning that new tools are appearing in the marketplace that automate code vulnerability analysis, including analysis of applications. As these tools mature, they may offer some relief to the growing problem of application vulnerabilities, as well as to vulnerabilities found in operating systems and other key components of IT.

Botnets

Botnets (short for robot networks, also called bots, zombies, botnet fleets, and many other things) are groups of computers that have been compromised with malware such as Trojans, backdoors, and remote-control software. These compromised systems are typically unprotected home-user systems connected to the Internet via broadband. Once compromised, they can be remotely controlled as a group to carry out malicious tasks. Many security professionals believe that botnets—not spam, viruses, or worms—are the biggest threat on the Internet.

Users typically have no idea that they have on their system malicious software that allows a criminal to remotely control it. These fleets of botnets can number in the hundreds of thousands, and the individual or group that controls them has its own revenue stream. In fact, a new trend is the renting of botnets as a distribution mechanism for other malicious actions. Botnets can be used for a multitude of things, such as distributing spam, phishing scams, the installation of malicious software, and conducting distributed denial-of-service attacks (DDoS). When leveraged through botnets numbering in the hundreds of thousands, these malicious activities can be particularly effective. Essentially, all the computers in the botnet fleet will flood a site with so much traffic that the servers cannot conduct business.

There are even Web sites that act as liaisons between groups of phishers, spammers, and botnet owners, putting buyers and sellers together.

For more information about how botnets have been used to perpetrate crimes, and what the legal repercussions are, see Appendix A.

Buffer Overflows

One of the most common ways to exploit a system is with a buffer overflow, sometimes called a buffer overrun. A buffer is a temporary data storage area. Many exploits today rely on the ability to execute buffer overflows. Whenever a system process tries to store more data in a buffer than the buffer memory has room for because of insufficient bounds checking, the extra data will overwrite the adjacent memory. A number of things can happen as a result; systems can crash, unusual data may be returned, or arbitrary code can be executed—such as allowing an attacker to control the target system.

Code Packing

This is a growing technique that has been around for some years. Exploit writers hide their code in a way that compresses, encrypts, packs, or otherwise tries to conceal it from malware detectors. Some of the more popular versions of malware that use these techniques are Beagle, Sasser, and SDBot.

Denial-of-Service (DoS) Attacks

DoS attacks cause a loss of service typically related to system resources consumption, bandwidth consumption, a disruption in Domain Name System (DNS), routing, or other fundamentals required for transactions. Distributed DoS (DDoS) attacks are frequently related to botnets and saturation of the target network’s bandwidth. Consider thousands of malicious systems controlled by botnets trying to communicate with one web server, and each bot trying to open as many connections as possible. If the distributed fleet has greater aggregate bandwidth, it can bring down the target network. This may also happen if a site simply gets too busy and doesn’t have the server capacity or bandwidth to support the level of traffic.

Another form of DoS is DRDoS (Distributed Reflection Denial of Service). This is essentially a DDoS attack with a spoofed source IP address, meaning that the true origin of a data packet is masquerading as another system. In this case, an attacker sends packets to a sub-target, which in turn returns packets, but not to the sender. Instead, the replies go to the spoofed source IP, which is actually the intended target. Regardless of the type of attack in these groups, the intent is to disrupt service. By taking advantage of distributed attacks with botnets, DoS can be more destructive in less time.

More Aggressive and Sophisticated Malware

As discussed earlier, Blended Threats, Warhol Threats, and Flash Attacks represent a new breed of problems—smarter worms, Trojans, viruses, and the like, that are able to:

  • Propagate faster

  • Hide from detection

  • Cause more destruction

  • Assess targets for vulnerabilities before attacking

  • Operate in a less opportunistic fashion and be more targeted

  • Carry malicious payloads that encrypt data, steal data, and delete data

  • Install additional malware such as backdoors, remote control software, keyloggers, international dialers, and botnet code

Ransomware is another example of a crime that has been around for a while, but has now been given a new name and new media appeal. It is a form of malware that encrypts information, usually for the purpose of extortion. Typically a user will accidentally execute malicious code that encrypts files. A message left by the code instructs the user to send money to a specific location in exchange for a key to unlock their information. Hacking for profit is a growing trend, and ransomware fits right in with it. With advancements in cryptovirology, a field focused on using cryptology in malicious software design, it is likely that we’ll see a substantial increase in cryptovirus, cryptoworm, and cryptotrojan exploits in the years to come.

Nonwired Attacks and Mobile Devices

Attacks are not just focused on those devices connected by wire. Wireless, infrared, and Bluetooth are also commonly used. A recently publicized problem concerns people traveling in airports. Many business people in airports are working on laptops, not realizing that their laptop’s wireless service is active and that someone else may connect to their systems. Nor do they realize that once connected, the unknown person can upload or download data. There are many other products that people don’t recognize as computers—such as mobile smart phones and PDAs. These are also becoming targets for exploits and carriers for malicious code.

Password Cracking

Password cracking has been around since there were passwords, but it is a concept that many people don’t fully understand. There are many password-cracking tools offered for free and for sale. They are useful for system administrators and security analysts auditing user password strength. This type of tool is most useful if the attacker has gained access to a shadow file—a common file in many UNIX operating systems—or the SAM file used in Windows. Once they access one of these files, they generally copy it to another machine for cracking.

Through brute-force guessing about password length and possible characters, the program can attempt to process every permutation of those characters and compare the encrypted hash it creates with the password file. Since the password file is also an encrypted hash, once an exact match is made, the password is known. These tools can also use a dictionary attack that simply goes down a list from beginning to end encrypting every word in the list and comparing those results to the password file. There are dictionaries designed specifically for this purpose that contain all dictionary words in many languages, as well as movie titles, songs, and names of famous people, characters in books, and virtually anything one could think of to include. But both of these methods are somewhat slow for longer and more complex passwords.

Another technique is to use tables. Rainbow Tables from Project RainbowCrack address the speed issue with a general-purpose implementation of Dr. Philippe Oechslin’s faster time-memory trade-off technique. With this program, tables of plaintext and ciphertext password pairs are already computed. Some variations are multi-gigabyte tables containing hashes for passwords up to fifteen characters long with alphanumeric and special characters. Using these tables can reveal even complex passwords in just minutes.
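As an added illustration that is not from the book, here is a toy version of Oechslin’s time-memory trade-off over every three-letter lowercase password. It goes slightly beyond the description above: instead of storing every plaintext/hash pair, each chain of hash-then-reduce steps is stored as only its start and end, and the lookup walks the chain to find the password. It also shows why a per-user salt makes the same table useless. Unsalted SHA-1, the reduction function, and the 2,000-chain size are assumptions made for the example.

```python
import hashlib
import string

# Constructed toy key space: every 3-character lowercase password (26**3 = 17,576).
# A real table targets a far larger space; the mechanics are identical.
ALPHABET = string.ascii_lowercase
LENGTH = 3
KEYSPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 20


def index_to_password(n):
    """Map an integer in [0, KEYSPACE) to a password."""
    out = []
    for _ in range(LENGTH):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def hash_password(password, salt=b""):
    """Unsalted SHA-1 stands in for a legacy password hash (assumption);
    a salt, when given, is prepended before hashing."""
    return hashlib.sha1(salt + password.encode()).digest()


def reduce_digest(digest, position):
    """Map a digest back into the key space. Mixing in the chain position is what
    makes these 'rainbow' chains: two chains only merge if they collide at the
    same position, which keeps coverage high."""
    n = (int.from_bytes(digest[:8], "big") + position) % KEYSPACE
    return index_to_password(n)


def build_table(num_chains, chain_len=CHAIN_LEN):
    """Precompute num_chains hash/reduce chains and keep only end -> start.
    Storing endpoints instead of every (plaintext, hash) pair is the memory
    side of the trade-off; walking chains at lookup time is the time side."""
    table = {}
    for i in range(num_chains):
        start = index_to_password(i)
        p = start
        for pos in range(chain_len):
            p = reduce_digest(hash_password(p), pos)
        table.setdefault(p, start)  # keep the first chain on an endpoint collision
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Recover the password behind an unsalted digest, or None if uncovered."""
    for pos in range(chain_len - 1, -1, -1):
        # Hypothesis: target is the digest produced at step `pos` of some chain.
        p = reduce_digest(target, pos)
        for step in range(pos + 1, chain_len):
            p = reduce_digest(hash_password(p), step)
        start = table.get(p)
        if start is None:
            continue
        # Regenerate the chain to confirm; a false alarm from a merged chain fails here.
        p = start
        for step in range(chain_len):
            if hash_password(p) == target:
                return p
            p = reduce_digest(hash_password(p), step)
    return None


def coverage(table, sample_size, chain_len=CHAIN_LEN):
    """Fraction of evenly spaced sample passwords the table recovers."""
    hits = 0
    for k in range(sample_size):
        pw = index_to_password((k * KEYSPACE) // sample_size)
        if lookup(table, hash_password(pw), chain_len) == pw:
            hits += 1
    return hits / sample_size


TABLE = build_table(2000)

if __name__ == "__main__":
    print("coverage of key space:", coverage(TABLE, 200))
    print("unsalted lookup:", lookup(TABLE, hash_password("aaa")))
    # The same table cannot serve a salted hash: the precomputation would have
    # to be repeated for every salt value, which is the point of salting.
    print("salted lookup:", lookup(TABLE, hash_password("aaa", salt=b"per-user-salt")))
```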

Phishing

As with most of the items in this chapter, phishing is becoming more sophisticated, reaching more targets, and doing it in less time than ever before. Phishing scams are focused almost entirely on profit by soliciting personal and financial data. While these scams are traditionally based on e-mail and Web sites, instant messaging and SMS are becoming common as well. Phishing in general plays on a person’s morality, fear, greed, or simply on a general lack of awareness.

Phishers—instead of just asking for personal or financial information—try to create a compelling event. Lately there have been e-mails more creative than the typical “billionaires in Western Africa who need to find somebody to invest their money with.” They are more targeted and are looking for specific things that they can make use of, such as a bank that always uses the same leading digits for their ATM cards. Having found such a bank, they might write a letter like this one:

Dear Mr. Smith, it appears that your ATM card starting with 546X-XXXX-XXXX-XXXX has accidentally had its PIN erased. You will no longer be able to use it until your old PIN is recreated.

We deeply apologize for the inconvenience that this may cause, and we sincerely regret the mistake. As a token of our commitment to customer satisfaction we’ve set up a secure web server that you can access by clicking on the link https://www.your-bank-information.com/ and entering in your PIN number. It should just take a few moments.

If you can help us resolve this issue by entering your PIN before close of business today, we will deposit $100.00 into your checking account as a token of our gratitude.

Best wishes and warmest regards,

Mr. Jones

President and CEO

www.your-bank-information.com

Except for the lack of typos and grammatical errors usually found in these solicitations, this is pretty much what an e-mail phishing scam looks like. There are several ways to make the user think the URL has taken them to the bank’s official site. The fake Web site will look exactly like the official site, or the phishers may obfuscate the characters in the URL. They may register an SSL certificate that looks like a bank’s or use loopholes in the way some browsers display Internationalized Domain Name (IDN) characters, to make the victim think that the characters are in the local language when in fact they are not. For example, the lower case letter a renders similarly in English and Russian Cyrillic. So if the target of the scam expects to see aaa in the URL, and they see something that looks like aaa, they feel safe.
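An added check, not from the book, for the homograph trick just described: decode any punycode (xn--) label back to what the address bar shows, flag labels that mix scripts or that are wholly non-Latin yet render like ASCII, and compare the displayed host’s lookalike “skeleton” with the bank’s genuine hostname. The confusable table is a constructed subset, and the hostnames are the example ones from the phishing letter above.

```python
import unicodedata

# Constructed subset of confusables: non-Latin letters that render like an ASCII letter.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a (the example in the text)
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0458": "j",  # Cyrillic small je
    "\u03bf": "o",  # Greek small omicron
}


def unicode_labels(hostname):
    """Split a hostname and turn any punycode (xn--) label back into the
    Unicode form a browser would display."""
    labels = []
    for label in hostname.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return labels


def script_of(ch):
    """Coarse script taken from the Unicode character name (enough for Latin, Cyrillic, Greek)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def skeleton(label):
    """What the label looks like to a human: confusables replaced by their ASCII lookalike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def analyze(hostname, expected=None):
    """Return a list of findings; an empty list means nothing suspicious.
    `expected` is the genuine hostname the user believes they are visiting."""
    findings = []
    labels = unicode_labels(hostname)
    for label in labels:
        scripts = {script_of(c) for c in label if c.isalpha()} - {"OTHER"}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        elif scripts and "LATIN" not in scripts and skeleton(label).isascii():
            findings.append(f"label {label!r} is non-Latin but renders like ASCII {skeleton(label)!r}")
    if expected is not None:
        shown = ".".join(labels)
        looks = ".".join(skeleton(label) for label in labels)
        if shown != expected.lower() and looks == expected.lower():
            findings.append(f"host looks like {expected!r} but is a different name")
    return findings


if __name__ == "__main__":
    # Constructed cases: the genuine name, a mixed-script lookalike, and the
    # all-Cyrillic "aaa" from the text, also given in its punycode form.
    for host in ("www.your-bank-information.com", "www.your-b\u0430nk-information.com"):
        print(host, "->", analyze(host, expected="www.your-bank-information.com"))
    puny = "\u0430\u0430\u0430.example".encode("idna").decode("ascii")
    print(puny, "->", analyze(puny, expected="aaa.example"))
```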

There are many other emerging ways to do this as well, including relatively advanced techniques such as embedded cross-site scripting (XSS), which injects scripts that capture keystrokes by using the bank’s own server as part of the scam. While this requires more work than some of the other methods, there is money to be made, and criminals are willing to invest whatever time is needed.

Other examples of extracting data through phishing scams are:

  • Offering cash to fill out a bank survey.

  • Telling a target that he has failed to report to jury duty.

  • Telling a target that she has been named in a lawsuit.

  • Trying to get the target to download “new secure banking software” that is likely a combination of keyloggers, backdoors, and other malicious bits of software that will keep information flowing back to the scammer.

One of the most disturbing phishing scams was one that claimed to be taking donations for Hurricane Katrina. I wasn’t so much surprised that somebody was doing this as I was about the time line. The day before Hurricane Katrina hit, phishers were watching the weather reports, and in anticipation of the devastation, were registering Web sites designed to solicit donations for the hurricane victims. Proactively betting on a natural disaster to scam people who just want to help has to be a new kind of low—even for phishers.

Phishing occurs because it still works. Many people laugh at the e-mails, consider them a nuisance, and simply delete them; but some respond. With a few hours of prep work on a web server and millions of e-mails rapidly distributed, even if the phishers only achieve a few valid replies a day, that’s a success. If they end up with more accounts than they need, they can always sell the remainder on the black market.

Reconnaissance and Googledorks

Common ways to conduct general reconnaissance include port scanning, vulnerability scanning, investigating DNS information, newsgroup searches, web searches, and IP registration information from registries such as APNIC, ARIN, and RIPE. Searches can even be made in this way on the U.S. Securities and Exchange Commission and related sites.

Another technique is to use an online search engine to investigate target systems. These targets are called Googledorks because they are so poorly secured that a search engine is all it takes to reveal their sensitive information: user names and passwords, particular vulnerabilities, error messages with too much sensitive data, system logs, directory contents, and other such material. You can find out more about Googledorks in Johnny Long’s book, Google Hacking for Penetration Testers.

Rootkits and Keyloggers

Rootkits allow a code’s existence and operations to be hidden from the operating system. They prevent most malware detection software from even discovering that the malicious code has been installed. In 2005, Sony was discovered to have used rootkit technology—not for maliciously taking over computer systems, but apparently as part of a digital rights management (DRM) copy protection mechanism to prevent pirating. This was highly controversial, well publicized, and public outcry finally forced them to address the problem.

Keyloggers can be either hardware or software-based. They can capture keystrokes—either from a directly attached keyboard or over a remote connection. Smarter versions of keyloggers are even equipped to look for special sequences such as passwords or custom strings like confidential, and, when certain criteria have been met, they alert the individual who planted the logger.

A good example of using keyloggers for criminal activity can be gleaned by looking at the incident that occurred in 2005 at the London branch of Sumitomo Mitsui Bank. Had it been successful, it would have been the largest bank heist in history with funds upwards of $440 million being transferred to accounts in other countries. Disguised as a cleaning crew, and with the assistance of an inside security guard, the criminals installed hardware-based keyloggers. The thieves captured the credentials of individuals responsible for wire transfers over the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network. Using this information they were able to transfer roughly $440 million. They were caught, and the money was recovered.

Social Engineering Attacks

There is also the technique called social engineering, or pretexting (two ways of saying that someone is lying or running a con). This can be done over the phone, over the Internet, or face-to-face. Phishing is an example of social engineering.

People generally want to be helpful, and when someone asks something of them, they want to believe the request has an honest motive behind it. This is the point social engineers understand and exploit. The technique is easy and efficient, and criminals often prefer it to time-consuming reverse engineering and exploit writing.

I used to do penetration testing. Organizations would ask me to conduct social engineering experiments, and, armed with little more than phone numbers and addresses, I was always able to find at least one person who was willing to give me sensitive information. Here are examples of social engineering techniques that I’ve used during penetration tests.

  • Pretending to be the IT department and needing the user’s password

  • Pretending to be a traveling sales person who needs key information

  • Pretending to be a customer or partner

  • Extracting small bits of information from sub-targets (an unwitting employee who hasn’t been through training and awareness programs is prime for this) until I’d accumulated enough information to go after my primary target. In that way I could get names, travel and vacation schedules, system names, IP, and more.

  • Creating a sense of urgency by telling the victim that if he didn’t comply, he might be fired, systems could crash, data destroyed, revenue lost, management would be upset, and so forth

  • Getting inside a building in the morning or after lunch when large groups of people are entering is the most productive method. It helps to carry a large empty box that appears to be heavy; people will open doors for you and let you speed through without any questions. (And you can carry items out less conspicuously by putting them inside the same box.) Or simply walking into the building by following somebody through an access-controlled door and then plugging right into the network

Blending in with the dress code, appearing as though you belong, not trying to hide, but not being overly personable: all of these increase the effectiveness. Once inside, simply acting busy helps. People are hesitant to confront you if you’re typing away or pretending to be having an important conversation on the phone.

Rummaging through dumpsters for documents and media is rarely necessary, but given time and persistence, even that can be invaluable.

Voice-Over IP (VoIP) Attacks

As VoIP increases in popularity, just like mobile devices, its applications become bigger targets for phishing scams, denial-of-service attacks, and voice spam—sometimes called SPIT (SPam over Internet Telephony). Other issues related to VoIP attacks are telephone fraud and brute-force attacks on mailboxes.

Zero-Day Exploits

In general terms, a zero-day exploit is a new attack that an organization is not prepared for and can’t stop. But there are conflicting definitions of zero-day, and different understandings regarding dates and times when an exploit becomes and/or ceases to be a zero-day exploit. The most practical definition of a zero-day exploit: An exploit that has no corresponding patch to counteract it.

Technically, if the exploit code exists before the vulnerability is made public, it’s a zero-day exploit—regardless of how long the software vendor may have been aware of the vulnerability. The zero-day exploit typically appears immediately after a security vulnerability is announced. Vendors will often publicly release news of the vulnerability and the patch simultaneously in order to keep zero-day exploits to a minimum.

It is not uncommon for the vendor to be aware of a vulnerability weeks or even months before an exploit is created or before the vulnerability is disclosed publicly. Once a potential vulnerability in a system is detected by someone other than the vendor, that vendor—and sometimes everyone else in the world—is notified. Although disclosure is ultimately left to the discretion of the individual or group that discovered the issue, the Organization for Internet Safety has set forth guidelines for communicating such discoveries. The assumption is that with notification, the software vendor will take action to remedy the issue and negate the problem expeditiously. There are even some individuals and organizations preemptively writing patches before the vendors do. This has occurred several times with Microsoft vulnerabilities. These third-party patches are controversial, and most organizations are hesitant to install them without the appropriate level of vendor testing to ensure quality.

Genuine vendor patches have sometimes broken other services, opened up new security holes, and generally caused havoc. Third-party patches from unknown sources, with possibly less quality assurance, are therefore cause for concern. Downloading patches from alternative sites is riskier still, because malicious code such as Trojans has been found masquerading as patches. This further reinforces the security principle of installing software only from trusted and verified sources.

Also, software isn’t patched indefinitely. For example, a major vulnerability was discovered in Windows 98 in June 2006. However, since Microsoft stopped supporting Windows 98 in July 2006, and because of the re-engineering and quality assurance costs, it will not be patched. The lack of a patch will require all Windows 98 users to install a different operating system or upgrade to a newer version of Microsoft’s operating system to be safe from the discovered vulnerability. It’s not just discontinued software that lacks patches. Patches can only exist when somebody knows about a problem and somebody is motivated to fix it.

Of course, a malicious exploit writer isn’t likely to notify a software vendor regarding a vulnerability, or to write a patch for what he has discovered. Groups that offer a framework for the exchange of ideas and code for creating exploits keep track of known vulnerabilities that haven’t yet been addressed by vendors.

In the past, exploit writers needed months or more to write an exploit for a publicly released vulnerability. But with the shrinking vulnerability threat window, these times are being reduced to weeks or days, especially when well-funded, well-motivated, and well-staffed entities such as intelligence agencies and organized crime groups are working at it.

Summary

Threats today come from a multitude of sources, including:

  • Solitary cyber criminals working for profit

  • Exploit writers for hire

  • Organized crime organizations

  • Identity thieves

  • Competitors

  • Activist groups

  • Nation-states

  • Terrorist organizations

  • Insiders

Motivations for these attacks include:

  • Greed

  • Power

  • Revenge

  • Politics

  • Fear

  • General malice

  • Excitement

Attacks have changed:

  • Attacks are commonly for financial gain—not notoriety

  • Exploits are created quicker and propagate faster

  • Worms and related attacks are written to be smarter and more efficient

  • Attacks are targeted rather than being merely opportunistic

  • Phishing scams are designed to con people out of information and/or money

  • Fleets of botnets can centrally control thousands of systems for the highest bidder

  • Black markets exist to exchange information and services for payment

  • Insiders now pose the greatest risk
