INFOWAR part 2 -- Case Histories
INFORMATION WARFARE
Part 2: Cases
Advanced Course in Engineering
2005 Cyber Security Boot Camp
Air Force Research Laboratory Information Directorate, Rome, NY
M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance
Program Direction, MSIA
Division of Business & Management, Norwich University
Northfield, Vermont
mailto:[email protected]
V: 802.479.7937
Copyright © 2005 M. E. Kabay. All rights reserved.
09:05-11:55
Topics
08:00-08:15 Introductions & Overview
08:30-09:00 Fundamental Concepts
09:05-11:55 Case Histories
13:15-15:15 INFOWAR Theory
15:30-16:00 Project Assignments
Examples of INFOSEC Breaches and Failures
Electronic infrastructure growing in importance
Must expand conception of warfare in the age of ubiquitous computing
Cases intended to stimulate your imagination
Spans last decade of developments to provide wide range of examples
Provide ideas for your INFOWAR attack/defense projects
Cases
Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)
Breaches of Confidentiality: GAO vs IRS
GAO blasts IRS (1997.04)
IRS “misplaced” 6,400 computer records
1,515 cases unauthorized browsing in 1994-5
Only 23 employees fired for browsing
Sen. John Glenn introduced bill to establish criminal penalties against unauthorized access by employees
Eavesdropping: Gingrich
1997.01 -- Newt Gingrich cellular call monitored
FL couple using police scanner sent tapes to Democrats
1997.04 -- Gingrich wiretappers charged
John & Alice Martin
federal charges
fines up to $10,000
MORAL
don’t talk about sensitive stuff on cell phones without activating encryption
Eavesdropping: Easy
1997.02 -- Billy Tauzin (R, LA) demonstrated scanner modifications to Subcommittee
modified off-the-shelf scanner in 2 minutes
eavesdropped on cell-phone call
1997.02 -- French high court examined unauthorized wire-tapping by government anti-terrorism unit
Eavesdropping: AT&T Insider Job
AT&T WorldNet Sniffer Scandal (1997.05)
Reports that WorldNet subject to packet sniffing from external site
captured user IDs and passwords
much fuss and bother
Hoax
discovered misrepresentation
packet sniffer was on internal LANs, not on TCP/IP circuits
Eavesdropping: NJ Pagers
Pager eavesdropping in NJ (1997.08)
Content sold to news organizations
Senior New York City officials
mayor's office
top police and fire department officers
Authorities used pagers believing them more secure than phones
Nov: Steven Gessman, Vinnie Martin and Robert Gessman
admitted illegal eavesdropping
scheduled for sentencing on March 3, 1998
Eavesdropping: White House
White House pagers (1997.09)
Hacker posted transcripts of WH pager messages on Net
Include sensitive information about First Family movements
Traffic analysis dangerous
flurry of messages before President (etc.) move from one site to another
problem even if message encrypted
Eavesdropping: Wireless Phone
Blabbermouth criminals arrested (1998.06)
Saratoga County, NY woman overheard crooks on wireless phone
planned to beat and rob old woman
reported to police
Police arrested three men and charged them with conspiracy
Woman refused to reveal her identity
illegal to intercept wireless communications
illegal to communicate content
Man-in-the-Middle: Pager
Teenager intercepts doctor’s pages (2001.01)
Inova Fairfax Hospital, VA
Teenager forwarded physician’s number to his own pager
Responded to nurses’ requests with fake medical instructions
Blood tests
Administer oxygen
About a dozen orders in all
Potential Connectivity: HealthSouth
Digital Hospital? (2001.03)
HealthSouth hospitals to have Internet connections at each bed
Doctors and nurses can access and update patient records
Data Leakage: Spy Data on TV
Live broadcasts from spy satellites on TV (2002.06)
European satellite TV viewers can watch live broadcasts of peacekeeping and anti-terrorist operations
US spyplanes over the Balkans
Broadcast through a Telstar 11 satellite over Brazil
US spyplane broadcasts not encrypted
Anyone in Europe with satellite TV receiver can watch surveillance operations
Satellite feeds connected to the Internet
Cases
Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)
Industrial Espionage: Davy Intl vs VA Technologie AG
Dow Jones News Service (1996.06)
UK Davy Intl
Lost lucrative Saudi-Arabian contract
alleged industrial espionage
Sued Voest-Alpine Industrial Services
UK branch of Austrian firm VA Technologie AG
Obtained court order for seizure of evidence
Received 2,000 pages & disks with info belonging to Davy Intl from VA Technologie
Industrial Espionage: Boehringer Mannheim Corp vs Lifescan
1996.06
US subsidiary of Boehringer Mannheim Corp (pharmaceuticals) vs Johnson & Johnson unit
Accused Lifescan Inc of encouraging industrial espionage for 18 months
Supposedly stole prototype blood sugar monitor
Allegedly presented "Inspector Clouseau" and "Columbo" awards to employees for stealing secret info from BMC
Lifescan countersued with equivalent accusations
BMC had Lifescan Competitive Kill Team
Hired private detectives to spy on Lifescan
Industrial Espionage: Intel & AMD
1996.06 -- Reuters
Argentinian national Guillermo Gaede
Admitted he sent videotapes about Intel chip manufacturing to AMD
AMD immediately notified police
Industrial spy sentenced to 33 months in federal prison
Espionage: CIA vs Europe
1996.08 -- Sunday Times, RISKS 18.30
US CIA allegedly hacking into European Parliament & European Commission computers
Stealing economic and political secrets
Supposedly used info in GATT
Industrial Espionage: Interactive Television Technologies
1996.08 -- PR Newswire
4 yr R&D project for TV interface to Net
Top secret -- moving to high-security facility
Before move, thieves stole computers and storage media
Estimated $250M value
Looks like industrial espionage
Reconstructed data from backups
But patenting prematurely to protect property
Industrial Espionage: Owens Corning & PPG
PPG & Owens Corning (1996.12)
Major manufacturers & competitors
Cleaning contractor stole operational documents at night from PPG
Offered to Owens Corning for $1,000
Some years ago PPG had informed OC of similar scam — also resulted in arrests
Owens Corning notified PPG
Informed FBI, worked with LEOs to build case
Perpetrator arrested by FBI
Industrial Espionage: GM Opel vs VW
1997.01 — news wires
GM alleged industrial espionage (Oct 96)
former purchasing chief, Jose Ignacio Lopez de Arriortua
left GM to join VW in 1993
allegedly stole 3 crates confidential documents
GM claimed stolen documents included highly confidential info
future product plans, parts prices & manufacturing techniques
unfairly allowed VW to reduce costs
caused unspecified financial damage
Settled out of court (1997.01)
Industrial Espionage: Bristol-Myers-Squibb
Taiwanese arrested for espionage (1997.06)
Attempted to bribe Bristol-Myers Squibb scientist
Wanted production details for Taxol
ovarian cancer drug
worth $B
Employee reported to employer; then FBI arranged sting
Both agents arrested
Face 35 years and 10 years in jail, respectively
Industrial Espionage: DEC/INTEL
Battle of the Giants: DEC vs Intel
1997.05 — DEC sues Intel, claiming theft of chip designs
1997.05 — Intel sues DEC, demanding return of proprietary information
1997.06 — DEC demands former employee now at Intel remain silent about proprietary DEC information
1997.07 — DEC accuses Intel of anti-trust
1997.10 — out of court settlement
Industrial Espionage: Law Firm
Legal firm accused of espionage (1999.11)
1st lawsuit involving industrial espionage by lawyers
Moore Publishing (Wilmington DE) sued Steptoe & Johnson (Washington DC)
allegedly breaking into computer systems
750X
stolen user-ID & password
Systematic cyberwar
misinformation posted on newsgroups
HotMail account traced to defendants
Damages at least $10M
Industrial Espionage: France vs UK
French Intelligence Service Targets UK Businesses (2000.01)
James Clark writing in Sunday Times of London
Spent $M on satellite technology for listening stations & upgraded SIGINT
Aimed at British defense firms, petroleum companies and other commercial targets
Surveillance includes GSM phones
UK officials warned not to discuss sensitive issues on mobile phones
Industrial Espionage: Oracle vs Microsoft
Oracle Dumpster®-Dives vs MS (2000.06)
Bill Gates complained about Dumpster® Diving of trash of organizations supporting MS in antitrust case
CEO Larry Ellison of Oracle admitted using private detectives to go through trash of
Association for Competitive Technology
Independent Institute
Citizens for a Sound Economy
Suggested he would happily ship Oracle trash to MS in spirit of full disclosure.
Industrial Espionage: Echelon
EU Parliament attacks Echelon (2000.07)
Formed temporary committee to investigate spy network
Suspicions that Echelon used to intercept conversations of European businesses
Information might be given to competitors from Echelon operators
US, Canada, Australia, New Zealand
In 2001.05, report recommended more use of encryption to defeat Echelon
Industrial Espionage: Datang vs Lucent et al.
Chinese nationals arrested (2001.05)
Two citizens of PRC worked at Lucent
Highly respected scientists
Worked with a Chinese business partner
Sent proprietary information to Beijing’s Datang Telecom Technology Co.
Pathstar Access Server -- “Crown jewel”
Arrested by FBI
Conspiracy to commit wire fraud
Max penalty 5 years in prison & $250K fine
In 2002.04, charged with additional espionage
Theft from Telenetworks, NetPlane Systems, Hughes Software Systems, and Ziatech
Industrial Espionage: Short Notes
2001.07: EMC sues former employees for data theft to help competitor Network Appliance
2002.09: 32-year old Chinese national working for (PRC) China National Petroleum Corp arrested for trying to steal seismic-imaging software from 3DGeo of Mountain View, CA
2003.05: 3 charged in Ericsson spy case in Sweden. Sold secrets to Russian intelligence agent.
2005.01: IBM selling PC business to PRC Lenovo Group for $1.75B – US Ctee on Foreign Investments investigating implications.
Industrial Espionage: Scandal in Israel
Trojan Horse scandal rocks Israel (2005.06)
Author Amnon Jackont target of attacks
Parts of current novel MS posted on Web
Attempted theft from bank account
Police found keystroke logger on Jackont’s computer
Suspicion fell on stepdaughter’s ex-husband, Michael Haephrati
Discovered Haephrati apparently installed Trojan programs on big industrial firms’ computers (HP, Ace Hardware…)
Confidential info sent to server in London
Allegedly selling secrets to other companies
Dozens of arrests at highest levels (CEOs)
Industrial Espionage: Interloc vs Amazon
Lawsuit over intercepted e-mail (1999.11)
Interloc admitted intercepting & copying 4,000 e-mail messages sent to Amazon.com
Went through own ISP Valinet
To gain competitive advantage against Amazon?
Interloc's business managers denied any wrongful intention
failed to explain why they copied e-mail
Alibris company bought Interloc & paid $250K fine on behalf of their new acquisition
This is called a failure of due diligence in mergers and acquisitions practice
Cases
Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)
Penetration: Library Systems
June 96 — NCSA IS/Recon
Public and corporate library systems being used to train apprentice criminal hackers
May also be used by more experienced criminal hackers
Isolate library network from rest of network
Penetration: San Francisco High Schoolers vs PBX
July 96 — RISKS 18.26
High-school students in the San Francisco area
Broke into local manufacturing firm PBX
Attacked voice-mail
erased information
changed passwords
created new accounts for own use
crashed system through overuse
Company spent $40,000 on tech support
Penetration: Scotland Yard PBX
Aug 96 — Reuters
Scotland Yard's PBX hacked by phone phreaks
U$1.5M of fraudulent calls
Used direct inward services access (DISA)
Moral
disable DISA
no limit on liability when using DISA
use phone service cards instead
limit on liability if card stolen or account abused
Penetration: Mitnick
Sept 96 — AP
Kevin Mitnick indicted in Los Angeles
25 count indictment
stealing software
damaging computers at University of Southern California
using passwords without authorization
using stolen cellular phone codes
Readings about the Mitnick case
Goodell, J. (1996). The Cyberthief and the Samurai: The True Story of Kevin Mitnick—and the Man Who Hunted Him Down. Dell (New York). ISBN 0-440-22205-2. xix + 328.
Hafner, K. & J. Markoff (1991). Cyberpunk: Outlaws and Hackers on the Computer Frontier. Touchstone Books, Simon & Schuster (New York). ISBN 0-671-77879-X. 368. Index.
Littman, J. (1996). The Fugitive Game: Online with Kevin Mitnick—The Inside Story of the Great Cyberchase. Little, Brown and Company (Boston). ISBN 0-316-5258-7. x + 383.
Shimomura, T. & J. Markoff (1996). Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw—by the Man Who Did It. Hyperion (New York). ISBN 0-7868-6210-6. xii + 324. Index.
Penetration: Danish Criminal Hackers
Dec 96 — AP
6 criminal hackers from Denmark
Attacked Pentagon & business computers
Sentenced to minor jail terms
Ordered to pay fines, perform community service
One sentenced to 90 days in jail, second to 40 days
Defense lawyers: criminals had “done the hacking victims a favor by exposing the vulnerability of their computer systems.”
Penetration: Ex-Employees
1997.02 -- Computer Sciences Corporation
Warn that many organizations attacked by ex-employees
Ex-employees of outsourcing firms a threat
Cited example of Big Six firm where ex-employee used e-mail and voice-mail for one year after termination
Recommend use of single-logon system
Token-based authentication also useful in centralizing control of I&A
Penetration: Croatian Hackers Attack Pentagon
1997.02 -- RISKS, Reuters
Teenagers in Croatia broke into US military systems
Pentagon asked Croatian police for cooperation
Arrested kids, searched homes
Confiscated computer equipment
Preliminary estimates of losses running in $500K range
Penetration: DISA Report
1997.03 — EDUPAGE
InfoWar Division of Defense Information Systems Agency of US
Retested 15,000 Pentagon computers
had warned system managers of vulnerabilities in previous audit
90% of systems were still vulnerable
Recommended emphasizing response (immediate shutdown) instead of focusing solely on preventing penetrations
Penetration: Cloverdale Two
Multiple assaults on military & research sites — 1998.01
Attacks on 11 military computer systems
several universities
federal laboratories
“Most organized and systematic [attack] the Pentagon has seen to date. . . .” BUT . . .
. . . Actually teenaged criminal hackers
Suburbs north of San Francisco
Caught with cooperation of ISP — 1998.02
provided facilities for FBI monitoring
Punished by 3-year exclusion from computing by themselves
Penetration: Hungarian ISP
1997.03 -- RISKS
Hungary's main ISP, MATAV
Assigned 1,200 IDs whose passwords were the billing ID itself
Published list of these IDs -- as a warning to change the passwords
USENET postings announced the breach of security
Penetration: Netherlands Hackers vs Pentagon?
1997.03 -- EDUPAGE
Criminal hackers penetrated Pentagon systems during Gulf War
Claimed that hackers approached Iraqi intelligence with stolen information
Iraqis said to have rejected info, fearing a disinformation campaign
Rop Gongrijp of HacTic
extremely skeptical of whole story
traces what he thinks is an urban myth to an article that never claimed anything about Iraqis at all
Penetration: Datastream Cowboy Fined
UK teenager cracked military computers (1994; trial 1997.03)
Richard Pryce attacked US Air Defense System in 1994 (was 16 years old)
Broke into Griffiss AFB, NY
Cracked Lockheed network in CA
Was described as “#1 threat to US security” in Senate Armed Forces Committee hearings
Fined equivalent of $1,915
Pryce now working hard on getting to play bass fiddle in a London orchestra
Swedish “Demon Freaker” Fined a Pittance
Phreak placed 60,000 calls at US telco expense (1996; trial 1997.05)
Racked up $250K of charges
Repeatedly linked US emergency lines to each other, causing havoc
Caught by rapid trace while claiming his penis was glued to a wall
History of alcohol abuse and glue-sniffing
Fined equivalent of $350
Interned in psychiatric institution
Penetration: Private-School Naughty Boys
Brockville teens crack RipNet (1997.06)
16-year-old A+ student + 4 accomplices
Broke into RipNet ISP in Brockville, ON
Stole 1300 user IDs + passwords
Distributed for free access
Quickly discovered
RipNet and police agreed to let posh school handle punishment
ringleader out of computer class for 1 year
all have to write essays on what bad boys they were
Penetration: “Mr Nobody” Cracks Netcom
15-year-old boasts of exploits to Interactive Week (1997.06)
Cracked PBX in 1995 (age 13)
Listened to voice-mail messages
boxes had “Joe” passwords -- same as extension itself (stupid default)
Phreak and friends placed long-distance calls at Netcom expense
Penetration: ON 14-year-old
1997.09 -- Burlington, ON
>500 attempts to penetrate systems all over North America
evidence of malicious hacking
Attacked US military computers
caused downfall
military tracked him down
cooperated with local police
Penetration: NTT Hacked
Nippon Telephone & Telegraph -- 1997.10
Stole proprietary programs for software development
Used internal ID -- possibly social engineering
Had or found number of modem
did it bypass the firewall?
Penetration: Citibank Hack
1998.02 (events started 1994.07)
Vladimir Levin of St Petersburg hacked Citibank computers
Conspirator Alexei Lachmanov transferred U$2.8M to five Tel Aviv banks
Admitted to attempting to withdraw US$940,000 from those accounts
Three other members of the gang pleaded guilty
Levin extradited 1997.09
Citibank -- Conclusion
1998.02 -- Levin sentenced to 3 years, fined
Vladimir Levin convicted by NYC court
Transferred $12M in assets from Citibank
Crime spotted after first $400K theft
Citibank cooperated with FBI
MORAL: report computer crime & help prosecute the criminals
Penetration: Voice Mail
1998.05: Cincinnati Enquirer reporter breaks law
Michael Gallagher broke into voice mail of Chiquita Fruits
Stories in paper accused Chiquita of illegal activities
Reporter fired
Enquirer paid
$10M to Chiquita in damages
published front-page apologies 3 days in a row
Penetration: U Colorado
U. Colorado student arrested -- 1998.03
Joshua Gregory Pearson, 18
computer science major
Allegedly provided stolen passwords and access codes to Israeli hacker “Heavy Metal”
may have used packet sniffer
intercepted passwords and access codes
Israeli broke into U.CO computer system
also denial of service
unauthorized programs flooded U.CO email accounts with error messages
Penetration: MOD redux
New MOD crows about exploits -- 1998.04
Masters of Downloading instead of Masters of Deception
Claimed penetration of US military networks
DISN (Defense Information Systems Network)
DEM (DISN Equipment Manager)
controls military Global Positioning Satellites (GPS)
Penetration: AOL Techs
ACLU site on AOL vandalized -- 1998.05
Intruder simply asked AOL help-desk staffers for a “new” password for Web site control
Success may be function of size
1000s of staffers
many new and poorly trained
Birthday problem:
P{at least one failure} = 1 - (1-p)^n
p = probability of one failure and n = number of independent units
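The formula on this slide doubles as a defender's sizing tool: given the chance that any one help-desk staffer can be talked out of a password, how likely is at least one failure across n staffers, and at what head-count does that likelihood cross a threshold? The code below is an added example, not part of Kabay's slides; the per-staffer probability p and the head-counts it prints are constructed values chosen for illustration.

```python
import math


def p_at_least_one_failure(p: float, n: int) -> float:
    """Probability that at least one of n independent units fails.

    Same expression as the slide: 1 - (1-p)^n, with p the probability that a
    single unit fails (e.g. one help-desk staffer hands a password to an
    impostor) and n the number of independent units.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability in [0, 1]")
    if n < 0:
        raise ValueError("n must be non-negative")
    return 1.0 - (1.0 - p) ** n


def units_to_reach(p: float, target: float):
    """Smallest n at which P{at least one failure} >= target.

    Solves 1 - (1-p)^n >= target for n:  n >= ln(1-target) / ln(1-p).
    Returns None when the target can never be reached (p == 0, or target == 1
    with p < 1).
    """
    if not 0.0 <= p <= 1.0 or not 0.0 <= target <= 1.0:
        raise ValueError("p and target must be probabilities in [0, 1]")
    if target == 0.0:
        return 0
    if p == 1.0:
        return 1
    if p == 0.0 or target == 1.0:
        return None
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p))
    # Floating-point rounding can land one step off either side of the
    # boundary, so settle on the exact smallest n by direct evaluation.
    while p_at_least_one_failure(p, n) < target:
        n += 1
    while n > 0 and p_at_least_one_failure(p, n - 1) >= target:
        n -= 1
    return n


def staffing_risk_table(p: float, head_counts):
    """(n, P{at least one failure}) for each head-count, rounded to 4 places."""
    return [(n, round(p_at_least_one_failure(p, n), 4)) for n in head_counts]


if __name__ == "__main__":
    # Constructed assumption: 1 in 100 impostor password-reset requests
    # succeeds against any given staffer.
    p_staffer = 0.01
    for n, prob in staffing_risk_table(p_staffer, [1, 10, 100, 1000]):
        print(f"{n:5d} staffers -> P(at least one gives up a password) = {prob}")
    print("head-count at which the odds reach 50%:", units_to_reach(p_staffer, 0.5))
```

The point the slide makes falls straight out of the numbers: with p = 0.01 the odds of at least one failure pass 50% at 69 staffers and are effectively certain at 1,000, which is why a procedural control (a verification step every staffer must follow) matters more than the diligence of any individual.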
Penetration: SLAC Attacked
Stanford Linear Accelerator Center -- 1998.06
Intruder logged in with a password
guessed? sniffed? borrowed?
later posting indicated LAN sniffers
implies inside job
Evidence
new zero-length file
50 files accessed
Results: SLAC off the Net entire week
30 people worked overtime
possible interdiction of foreign logins
Penetration: John the Ripper
Decryption of password files -- 1998.08
UC Berkeley Sys Admin
discovered someone cracked his password
running “John the Ripper” decryption prog
successfully cracked about 48,000 pws from a list of 186,126 encrypted passwords
Cracker broke into systems at
noted Silicon Valley company
Indiana ISP
other UC Berkeley systems, Caltech, MIT, and Harvard
Used Swedish ISP Telenordia then went through England, Denmark, South Korea
Automated Shoulder-Surfing (1)
Newmarket, ON customers surfed -- 1998.04
Thieves in cahoots with a gas-station employee
installed minicam for debit-card PIN pad
Make fake debit cards to pillage accounts
used ATMs at midnight to steal 2 days’ max
Total thefts > $100K
Arrested just before a planned expansion to five more gas stations
Automated Shoulder-Surfing (2)
Finland: extra card-reader on ATM -- 1998.10
Small black card reader glued onto regular card slot
Collected debit- and credit-card codes
Standard shoulder-surfing to garner PINs
Made 60 counterfeit cards
Stole 180 000 FIM (~U$36,600)
Penetration: 2000
2000.01: Global Hell member, 16 yrs old, arrested in Eldorado, CA for stealing userIDs and passwords for 200,000 accounts on Pacific Bell ISP. Cracked 63,000 & boasted about it in chat room.
2000.03: Max Ray “Max Vision” Butler, 27, of Berkeley, CA indicted on charges of penetrating systems at NASA, Argonne Natl Labs, Brookhaven Natl Lab, Marshall Space Center, and DoD facilities.
2000.07: Raymond Torricelli, 20, of New Rochelle, NY arrested and charged with breaking into NASA, Georgia Southern U, San Jose State U computers & stealing credit card #s used for $10K of theft
Penetration: 2000
2000.09: 16-yr-old Florida boy “cOmrade” sentenced to 6 mo detention in federal prison for penetrating NASA & Pentagon computers
2000.10: 21 cyberthieves arrested in Sicily in process of stealing $500M from Banco de Sicilia. Included members of the Mafia, computer specialists and bank employees.
2000.12: Netherlands hacker penetrated U Washington Medical Center in Seattle. Stole admissions records for 4,000 cardiac patients. No firewalls or encryption.
Penetration: 2001
2001.01: Jerome Heckenkamp, 21, indicted for allegedly hacking computers at eBay, Exodus, Juniper, eTrade, Lycos, and Cygnus and causing a total of more than $900,000 in damage in 1999.
2001.05: Chinese hackers in Guangdong penetrated California Independent System Operator’s flow-control computers during an electrical-power crisis.
2001.07: Lee Ashurst, 22, of Manchester, England, hacked into UAE’s only ISP and crashed entire country’s access to Internet. Fined £2000 and faced civil tort for £500K
Penetration: 2002
2002.02: Adrian Lamo [sic] claimed he hacked NY Times computers and demonstrated how to alter news stories on Yahoo.
2002.05: Experian loses 13,000 credit reports to hackers.
2002.05: Criminal hackers steal financial information about 265,000 CA state personnel
2002.08: Princeton admissions personnel hack into Yale University admission records
2002.08: ForensicTec Solutions of San Diego brags about breaking into Army, Navy, NASA computers – gets raided by FBI
Penetration: 2003
2002.02: Contractor for VISA and MASTERCARD penetrated by hackers
2003.03: Hackers gain full access to AOL customer database with 3.5 million users. Access requires a user ID, two passwords and a SecurID code; hackers obtained all of these by spamming the AOL employee database with phony security updates, through online password trades, or by "social engineering" attacks over AOL's Instant Messenger (AIM) or the telephone.
Penetration: 2003
2003.03: U Texas Austin loses control to hackers over 59,000 records about students, alumni, faculty, staff. Police charge 20-yr-old student Christopher Andrew Phillips.
2003.04: GA Tech computers 0wn3d by hackers from Feb 4 to Mar 14; 57,000 database records copied included credit-card data for about 40,000 people
2003.04: “Blaster Ball” Trojan allows hacker in former Soviet Union to penetrate William Bee Ririe Hospital in Ely, NV
2003.07: French hackers break into KY govt computers, gain root
Penetration: 2003
2003.08: Diebold e-voting company’s Web servers cracked
2003.11: Hackers access top-secret files at Australian DoD.
2003.12: Hackers attack VoteHere systems
Penetration: 2004
2004.03: Allegiance Telecom notifies 4,000 users of hack attack that released their userIDs and passwords [what? Not encrypted??]
2004.04: TeraGrid supercomputer network funded by NSF disrupted by hackers
2004.09: DoE auditors report 199 hacks penetrating 3,541 systems in 2003
2004.10: Purdue University systems hacked
Penetration: 2005
2005.01: Nicolas Lee Jacobsen, 21, charged with breaking into T-Mobile computers for more than 1 year
Access to 16.3M customer files
Obtain voicemail PINs, passwords for Web access to e-mail
Read e-mail of FBI agent investigating his own case!
2005.01: Hackers break into George Mason University computers
2005.03: 150 applicants to business schools break into their own records illegally on ApplyYourself Web site
Data Diddling: NYC Tax Fraud
Nov 96 -- AP
3 NYC tax department employees
Bribed by property owners from 1992 onward
Removed records of taxes owing
Fraudulently entered legitimate payments from innocent victims to wrong tax accounts
Used bugs in software to cover tracks
Stole $13M in taxes owing + $7M in interest
Over 200 arrests expected
Face 10 years prison per count
Data Diddling: Thick Salami at Taco Bell
1997.01 -- RISKS
Willis Robinson (22 years old) reprogrammed Taco Bell cash register
registered each $2.99 item as costing $0.01
pocketed $2.98 cash per transaction
stole $3,600
Management assumed error was hardware or software
Idiot was caught because he bragged about his theft to co-workers
Sentenced to 10 years in prison
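The scheme survived because management read a consistent price deviation as a hardware or software fault. A reconciliation check that compares what each register recorded against the price list, then asks whether the deviation is spread across every operator (a configuration or software fault) or concentrated on one (tampering or abuse), separates the two cases. The following is an added example in Python, not from Kabay's slides or from any real point-of-sale product; the price list, the journal format and the sample lines are all constructed.

```python
from collections import defaultdict

# Constructed price list (not from the slides): item code -> expected price.
PRICE_LIST = {"TACO": 2.99, "BURRITO": 3.49, "DRINK": 1.29}

# Constructed sample register journal, one sale per line:
#   <timestamp> <register> <operator> <item> <recorded_price>
REGISTER_LOG = """\
2005-06-01T11:58 R1 op07 TACO 2.99
2005-06-01T12:00 R2 op12 TACO 0.01
2005-06-01T12:01 R1 op07 BURRITO 3.49
2005-06-01T12:03 R2 op12 TACO 0.01
2005-06-01T12:04 R2 op12 DRINK 1.29
2005-06-01T12:06 R3 op03 TACO 2.99
2005-06-01T12:07 R2 op12 TACO 0.01
2005-06-01T12:09 R1 op07 TACO 2.99
2005-06-01T12:10 R2 op12 BURRITO 3.49
2005-06-01T12:12 R3 op03 TACO 2.99
"""


def parse_log(text):
    """Parse journal lines into dicts; malformed lines are skipped and counted."""
    sales, bad = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            if line.strip():
                bad += 1
            continue
        ts, register, operator, item, price = parts
        try:
            sales.append({"ts": ts, "register": register, "operator": operator,
                          "item": item, "price": round(float(price), 2)})
        except ValueError:
            bad += 1
    return sales, bad


def find_price_deviations(sales, price_list, tolerance=0.005):
    """Flag sales whose recorded price differs from the price list by more than tolerance.

    shortfall = expected price minus recorded price (positive when the register
    under-recorded, as in the Taco Bell case). Unknown item codes are flagged
    separately because a tampered catalogue can also hide behind them.
    """
    flagged = []
    for s in sales:
        expected = price_list.get(s["item"])
        if expected is None:
            flagged.append({**s, "expected": None, "shortfall": None, "reason": "unknown item"})
            continue
        diff = round(expected - s["price"], 2)
        if abs(diff) > tolerance:
            flagged.append({**s, "expected": expected, "shortfall": diff, "reason": "price mismatch"})
    return flagged


def shortfall_by_operator(flagged):
    """Sum the under-recorded amount per operator (the cash an insider could pocket)."""
    totals = defaultdict(float)
    for f in flagged:
        if f["shortfall"] is not None:
            totals[f["operator"]] += f["shortfall"]
    return {op: round(v, 2) for op, v in totals.items()}


def classify_item(sales, flagged, item):
    """Bug or tampering? If every operator who rang the item shows the mismatch,
    suspect the price table or software; if only some do, the deviation follows people."""
    ops_selling = {s["operator"] for s in sales if s["item"] == item}
    ops_flagged = {f["operator"] for f in flagged if f["item"] == item}
    if not ops_flagged:
        return "clean"
    if ops_flagged == ops_selling:
        return "systematic (all operators affected)"
    return "localized: " + ", ".join(sorted(ops_flagged))


if __name__ == "__main__":
    sales, bad = parse_log(REGISTER_LOG)
    flagged = find_price_deviations(sales, PRICE_LIST)
    for f in flagged:
        print(f"{f['ts']} {f['register']} {f['operator']} {f['item']}: "
              f"recorded {f['price']} expected {f['expected']} ({f['reason']})")
    print("shortfall by operator:", shortfall_by_operator(flagged))
    for item in PRICE_LIST:
        print(item, "->", classify_item(sales, flagged, item))
```

On the constructed journal every $0.01 taco is rung by one operator on one register while the other operators record the list price, so the check reports the item as "localized: op12" rather than as a systematic fault, which is the distinction that would have pointed management at a person instead of at the hardware.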
Data Diddling: Embezzlement
London & Manchester Assurance (1997.01)
Jamie Griffin
21 years old
clerk
altered records to steal £44,000
gambled it all away
claimed extortion by IRA
Sentenced to 7 months imprisonment
Data Diddling? or QA?
Brisbane, Australia (1997.09)
Three men charged with hacking
Transferred A$1.76M from Commonwealth Bank to Metway Bank
Claimed they were victims of QA error
blame Commonwealth Bank
allege CB placed A$50M into practice account for learning how to use online system for direct payments
Data Diddling: SANS
SANS Security Digest hacked (1997.10)
Satirical, misspelled, vulgar nonsense
Acutely embarrassing
Data Diddling: Québec
Tax evasion by computer (1997.12)
Québec, Canada restaurateurs
U.S.-made computer program ("zapper")
Skimmed off up to 30% of the receipts
Evaded Revenue Canada and provincial tax
$M/year
Data Diddling: SSA
Social Security Administration -- 1998.10
Employee became angry with woman
argued in an Internet chatroom
Used fellow-employee's terminal
Filled in death date for woman in SSA records
Victim applied for loan at bank
she was “cyberdead”
Jorge Yong admitted culpability
resigned
paid $800 in fines and damages
Data Diddling: LA Gas
Los Angeles gasoline-pump fraud -- 1998.10
DA charged 4 men with fraud
Allegedly installed new computer chips in
gasoline pumps
cheated consumers
overstated amounts 7%-25%
Complaints about buying more gasoline than
capacity of fuel tank
Difficult to prove initially
programmed chips to spot 5 & 10 gallon
tests by inspectors
delivered exactly right amount for them
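The pump chips in this case were hard to catch because they behaved honestly at exactly the 5- and 10-gallon volumes inspectors were known to use. The added simulation below (not from the original slides; both pump models are constructed, not real pump firmware) shows why an inspection regime must draw test volumes the device cannot anticipate: a fixed-volume inspection passes the cheating pump, a randomized one does not.

```python
"""Why meter inspections should use unpredictable test volumes.

Added example (not from the original slides). HonestPump and CheatingPump
are constructed models; the tolerance and volume range are assumed values.
"""
import random

TEST_TOLERANCE = 0.005            # assumed: 0.5% permitted meter error
KNOWN_TEST_VOLUMES = (5.0, 10.0)  # the volumes the slide says inspectors used


class HonestPump:
    def dispense(self, metered_gal):
        """Fuel actually delivered for the volume shown on the display."""
        return metered_gal


class CheatingPump:
    """Constructed model of the scheme on the slide: exact delivery at the
    expected inspection volumes, short delivery at every other volume."""

    def __init__(self, short_fraction=0.15):   # slide gives 7%-25%
        self.short_fraction = short_fraction

    def dispense(self, metered_gal):
        if any(abs(metered_gal - v) < 1e-9 for v in KNOWN_TEST_VOLUMES):
            return metered_gal
        return metered_gal * (1.0 - self.short_fraction)


def inspect(pump, volumes, tolerance=TEST_TOLERANCE):
    """Return the metered volumes whose actual delivery is outside tolerance."""
    failures = []
    for metered in volumes:
        actual = pump.dispense(metered)
        if abs(actual - metered) / metered > tolerance:
            failures.append(metered)
    return failures


def fixed_inspection(pump):
    """The predictable regime: always 5 and 10 gallons."""
    return inspect(pump, KNOWN_TEST_VOLUMES)


def randomized_inspection(pump, seed, draws=5):
    """Draw test volumes the pump cannot anticipate.

    Assumed range 3-12 gallons at tenth-gallon resolution; the seed makes a
    run reproducible for the inspector's records.
    """
    rng = random.Random(seed)
    volumes = [round(rng.uniform(3.0, 12.0), 1) for _ in range(draws)]
    return inspect(pump, volumes)


if __name__ == "__main__":
    cheat = CheatingPump()
    print("fixed inspection failures:", fixed_inspection(cheat))        # []
    print("randomized failures:", randomized_inspection(cheat, seed=7))
```

The same reasoning applies to any device under test that can observe the test: software that detects it is running in a sandbox, or firmware that recognizes a certification harness. Randomize inputs, or make the test indistinguishable from production use.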
Data Diddling: X.COM
Free money (2000.01)
X.COM online bank
Transfer funds from the account of any
person at any U.S. bank
Needed only target’s account number and
bank routing information
Data Diddling: BOOM!
New security measures at UK nuclear plants
(2001.09)
Employee tried to sabotage nuclear plant
(1999.06)
Security guard!
Tried to alter sensitive information
New measures put into place 18 months later
Data Diddling: Cisco
Cisco accountants stole stock (2001.11)
Oct 2000-Mar 2001: schemed to issue stock
Abused access to computer systems
Created forged stock-disbursal records
Total theft: $7,868,637
Sentences
34 months in federal prison
Complete restitution of theft
3 years supervised release
Data Diddling?
GOOGLE Bombs
GOOGLE used as political ploy (2004.01)
Pranksters engineer Web sites to alter
GOOGLE links and statistics
Linked George W. Bush to bad words
“unelectable”
“miserable failure”
Supporters retaliated with similar ploys
against Kerry
Data Diddling:
Making the Grade
California high school student arrested
(2004.05)
Corona del Mar High School, Newport-Mesa
Unified School District
17 years old
Accused of felony
Allegedly hacked school system to change
grades
Altered grades of 6 juniors and 1 senior
Faces up to 3 years in prison
Cases
Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)
Sabotage? IE vs Navigator
Internet Explorer 4.0 vs Netscape Navigator
(1997.10)
IE 4.0 includes features from Plus! for
Windows 95
anti-aliasing function
smoothes large fonts on screen
Reportedly does not smooth fonts in
Netscape Navigator
Allegedly not found to fail in any other
program tested -- but updated Occam’s Razor
states:
Never attribute to malice
what stupidity can adequately explain.
Sabotage? MS-MediaPlayer
vs RealAudio
Several reports of software conflicts — 1998.10
Installation of MS-MediaPlayer causes
problems with other media players
MS product takes over file associations
Prevents usability of RealAudio
De-installation switches file associations to
other MS products
MS denied deliberate attack, accuses other
programs of quality problems
[Attila the Hun no doubt accused Europeans
of quality problems, too.]
Hactivists: Pentagon Meets
Monty Python
“Electronic Disruption Theater” hacker group
whine about unfair tactics — 1998.10
Criminal hackers attacked DoD DefenseLink
1998.09.09
DoD allegedly used offensive information
warfare techniques
allegedly posted hostile Java applet
criminals downloaded it
supposedly crashed their systems
Criminals complained about illegal response
Some legal minds agreed (!)
“Hactivism” on the Rise
Political action by criminal hackers — or
criminal hacking by political activists?
“HACKING BHABA” article in FORBES
attack on Bhaba nuclear research facility in
India (1998.05)
interviews with teenaged perpetrators
Attacks on Chinese censorship (1998.11)
WIRED
graduate student disabled Chinese content
filters
vandalized pro-censorship site in China
Sabotage: Reuters
Hong Kong
Nov 96 -- RISKS 18.65
Reuters in Hong Kong
market information crucial for trading
logic bombs at 5 investment-bank clients
36 hours downtime in networks
no significant effects on their work
embarrassed by the incident
Caused by disgruntled computer technician
Costs
1,700 person-hours for recovery
HK$1.3M (~$168K)
Sabotage: CA Dept Info Tech
1997.01 -- San Francisco Chronicle, RISKS
Fired subcontractor arrested
accused of trying to cause damage to the
California Department of Information
Technology
Spent six hours online before being
detected
Crashed system
Data restored from backups
System management did not know the
accused had been fired
Did not alter security after his dismissal
Sabotage: Gateway2000
1997.01 -- EDUPAGE
20,000 copies of promotional video
30 seconds of pornography in mid-video
Investigators focusing on likelihood
of disgruntled employee of Gateway2000 or at
video production company
Sabotage: US Coast Guard
DP worker goes ballistic -- 1998.06
Shakuntla Devi Singla
civilian data processing worker
reported possible crime by contractor
Warnings disregarded
Wiped out personnel database
Crashed system
Recovery (where were their backups?)
115 Coast Guard employees
1,800 hours to restore data
Sentenced to 5 months jail then 5 months
home detention
Fined $35,000 restitution
Sabotage: Telecast Fiber
Former Employee Destroys Files (2003.08)
John Corrado broke into Telecast Fiber
Systems Inc, Worcester MA
Used modem
Destroyed R&D files and demos used by
sales reps
Pleaded guilty, agreed to pay $10,360
restitution
Possible penalties:
max 1 year prison
$100K fine
Web Vandalism
CIA (1996.09)
USAF (1996.12)
NASA (1997.03)
AirTran (1997.09)
UNICEF (1998.01)
US Dept Commerce (1998.02)
New York Times (1998.09)
SETI site (1999)
Fort Monmouth (1999)
Senate of the USA (twice)(1999)
CIA (1996.09)
USAF (1996.12)
NASA (1997.03)
AirTran (1997.09)
UNICEF (1998.01)
US Dept Commerce
(1998.02)
New York Times (1998.09)
SETI (1999)
Fort Monmouth (1999)
Senate of the USA (1) (1999)
Senate of the USA (2) (1999.06)
DEFCON (1999.07)
Vandalism: 2000
2001.01: “Lamers Team” deface Library of
Congress Web site
2000.03: Gallup site defaced with misleading
pointers to AntiOnline
2000.04: 16-year-old in Sweden arrested for
defacing Web site of Swedish National Board
of Health and Welfare
2000.09: “fluxnyne” defaces OPEC Web site
Vandalism: 2001 & 2003
2001.01: MS Web pages defaced by “Prime
Suspectz” hacker group
2001.05: Chinese security experts report
14% of worldwide hacker attacks aimed at
PRC Web sites
2003.05: Hackers attack Denver Internet
radio station hosting security conference
2003.06: Hijacker switched registration of LA
County Web site by calling ARIN and then
stole 65,000 Web site addresses for use in
sending pornographic spam
Vandalism: 2003 & 2004
2003.07: Sudanese hacker destroys Websites
of Sudan Airlines, Khartoum University, Aptec
Computers, Sudanese Internet Company.
2003.12: 13 NASA Websites defaced by
Brazilian hackers “drwxr” with antiwar
sentiments
2004.06: Silicon Valley Land Survey Web site
used to post videos of Paul Johnson (victim
of Al Qaeda terrorists)
2004.06: Hackers infest 60 computers at
South Korean research institutes and
government agencies with Peep Trojan RAT
BREAK
Cases
Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)
Trojan: Moldovan Scam
1997.11 — news wires, EDUPAGE, RISKS
Pornography seekers logged into
http://www.sexygirls.com (Nov 96-1997.02)
Special viewer program to decode pictures
Trojan program
secretly disconnected modem connection
turned modem sound off
dialed ISP in Moldavia — long distance
Long-distance charges in $K/victim
Court ordered refund of $M to consumers
Trojan: Back Orifice
cDc (Cult of the Dead Cow) — 1998.07
Back Orifice for analyzing and compromising
MS-Windows security
Sir Dystic — hacker with L0PHT
“Main legitimate purposes for BO:”
remote tech support aid
employee monitoring
remote administering [of a Windows
network].
“Wink.”
Back Orifice — cont’d
Features
image and data capture from any Windows
system on a compromised network
HTTP server allowing unrestricted I/O to and
from workstation
packet sniffer
keystroke monitor
software for easy manipulations of the
victims' Internet connections
Trojan allows infection of other applications
Stealth techniques
15,000 copies distributed to IRC users in
infected file “nfo.zip”
Trojan: Open Source
Contaminated
TCP wrapper infected with Trojan (1999.01)
Early on 21 Jan 1999 someone inserted Trojan
code into distribution site
Trapdoor access to contaminated systems
Sent e-mail indicating which sites
contaminated
Trojan: Palm PDA
“Pirated” Gameboy software infects PDAs
(2000.08)
Deletes applications on Palm Pilot
Proof of concept?
Trojan: MS a Victim
QAZ Trojan invades Microsoft (2000.10)
Company passwords sent to e-mail address
in St Petersburg, Russia
“Deplorable act of industrial espionage”
Investigation suggested little damage
Source files very large – probably not
transferred
Trojan:
MS “Cumulative Patch”
MS Cumulative Patch a trick (2002.03)
E-mail with 160 KB attachment
Subject: “Internet Security Update”
“Eliminates MS Outlook/Express…
vulnerabilities”
Vague link to MS security site
Actually contained “Gibe” worm
Reverse-Proxy Spam Trojan Migmaf
Migmaf trojan commandeers PCs (2003.07)
“Migrant mafia” takes over PCs by stealth
Not certain how it spreads
Programmer may be changing code
constantly to elude anti-malware products
Relays requests for porn sites through infected
systems
Web page passed through zombie
Impossible to locate master server
Porn sites may be traps for credit-card data
Zombies also serve as spam relay sites
Trojan: Linux Backdoor
Linux kernel attacked (2003.11)
Hacker tried to enter backdoor code into
sys_wait4() function
Would have granted root
Noticed by experienced Linux programmers
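The slide's point is that the attempted kernel backdoor was caught by programmers reading the change, not by any tool. A change of that kind is small enough to miss: an assignment written where a comparison belongs inside a privilege check. The added example below (not from the original slides, and the C fragment it scans is a constructed analogue, not the actual kernel diff) is a review aid that flags a bare `=` inside an `if` or `while` condition, the construct that turns a check into a grant. It also flags the idiomatic `while ((p = next(p)) != NULL)` form; that is intended, since the reviewer should look at every one.

```python
"""Flag bare assignments inside if/while conditions in C source.

Added example (not from the original slides). SAMPLE_C is a constructed
fragment resembling a privilege check; it is not the kernel code.
"""
import re

SAMPLE_C = """\
int check(struct ctx *c, int options)
{
    if (options == (WANT_ALL | WANT_CLONE))
        return 0;
    if ((options == (WANT_ALL | WANT_CLONE)) && (c->uid = 0))
        return -EINVAL;
    if (c->uid != 0 && c->gid >= 100)
        return 1;
    while ((c = next(c)) != NULL)
        c->seen = 1;
    return 0;
}
"""

KEYWORD = re.compile(r"\b(if|while)\s*\(")


def _extract_condition(text, start):
    """Return the text inside the balanced parentheses opening at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        ch = text[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return None  # unbalanced on this line; caller skips it


def bare_assignments(cond):
    """Indexes of '=' characters that are assignment, not ==, !=, <= or >=."""
    hits = []
    for i, ch in enumerate(cond):
        if ch != "=":
            continue
        prev = cond[i - 1] if i > 0 else ""
        nxt = cond[i + 1] if i + 1 < len(cond) else ""
        if prev in "=!<>" or nxt == "=":
            continue
        hits.append(i)
    return hits


def find_assignment_in_condition(source):
    """(line_number, condition) for each if/while condition containing a
    bare assignment. Conditions are assumed to sit on a single line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in KEYWORD.finditer(line):
            cond = _extract_condition(line, m.end() - 1)
            if cond is not None and bare_assignments(cond):
                findings.append((lineno, cond.strip()))
    return findings


if __name__ == "__main__":
    for lineno, cond in find_assignment_in_condition(SAMPLE_C):
        print(f"line {lineno}: assignment in condition: {cond}")
```

In the constructed fragment the second `if` evaluates `c->uid = 0` as a side effect and is always false, so the function silently sets the caller's uid to 0 and falls through. A compiler with `-Wparentheses` warns on the same pattern; the scanner above is the equivalent check for code that is reviewed as a patch rather than compiled.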
Trojan: Phatbot uses P2P
Phatbot attacks security (2004.03)
Extensive feature set
Controlled through P2P networks
Provides complete remote control over
system (open files, reboot, send files….)
Snoops for passwords & tries to send
them
Tries to disable firewalls and AV products
Author arrested 2004-05
Baden-Württemberg, Germany
Trojan: Mac Attack
MS-Office Installer icon is Trojan (2004.05)
AS.MW2004.Trojan has icon like that of MS
Installer for MS-Office for Mac
Actually Trojan that deletes all files in user’s
home folder
Trojan: Cell Phones
“Skulls” targets Nokia 7610 (2004.11)
Appears as a “theme manager” utility
Exploits Symbian OS
Actually disables all programs on phone
Calendar, phonebook, camera, Web
browser, SMS applications, etc.
Leaves only outbound and inbound phone
calls functional
By 2005.04, researchers had found >100
Trojans affecting Symbian OS
Trojan: Cellery
Cellery Worm Clogs Networks (2005.01)
Infected “Tetris” game contains worm
Reproduces throughout network
Can cause serious bandwidth saturation
Users who perceive playing games at work as
normal may not realize that the program is a
threat
Trojan: Bankash-A
Trojan attacks antispyware tool,
logs keystrokes (2005.02)
Arrives in e-mail attachment
Tries to disable MS antispyware and antivirus
software
Logs user keystrokes, tries to send credit-card
& banking info to receiving site
May delete files
Attempts to install yet more malware
Downloads additional code from the Internet
Cases
Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinfo
Psyops
Denial of Service (DoS)
Deception: Holiday Inns vs
Call Management
1997.01 -- AP
Holiday Inns uses 1-800-HOLIDAY for
reservations (note the O)
Call Management uses 1-800-H0LIDAY (note the
ZERO)
Holiday Inns sued and lost
Other firms have used phone numbers adjacent
to important commercial numbers in order to
capture calls from misdialing customers
Old porn site whitehouse.com (now a respectable
site) used confusion with whitehouse.gov to trick
kids into visiting
Disinfo: Belgian ATC Fraud
1997.01 — Reuters
Belgian lunatic broadcasting false
information to pilots
Air-Traffic Control has caught the false
information in time to prevent tragedy
Serious problem for air safety
Police so far unable to locate pirate
transmitter
Lunatic thought to be former ATC employee
Disinfo: Negotiations with
Kidnappers Spoofed
1997.02 — RISKS
Colombian terrorists kidnapped soldiers
Government of Colombia decided to negotiate
through e-mail
Right-wing terrorists sent fraudulent e-mail
claiming to represent government position
Disinfo: Cronkite Smeared
1997.01 — AP
Tim Hughes created Web page libeling Walter
Cronkite
said WC had shrieked imprecations
spat at Hughes and wife in FL restaurant
Included falsified digital images purporting to
show Cronkite posing with KKK members
Cronkite threatened lawsuit
Hughes took down page, said it was a satire
Psyops: Motley Fool
Mar 96 -- Wall Street Journal; EDUPAGE; RISKS
Iomega high-capacity removable disk drives
America Online's Motley Fool bulletin board
False information
Flaming and physical threats
Caused volatility of stock prices
Psyops: Pairgain
1999.04: Gary Dale Hoke arrested by FBI
Employee of Pairgain
Created bogus Web page
Simulated Bloomberg information service
Touted PairGain stock
undervalued – impending takeover
Pointed to fake page using Yahoo message
boards
Investors bid up price of Pairgain stock from
$8.50 to $11.12 (130%)
13.7 M shares traded – 700% normal volume
Pairgain – cont’d
Windfall gains & losses by investors
Hoke did not in fact trade any of the stock
himself
Pleaded guilty to charges of stock
manipulation
Sentenced to home detention, probation,
restitution
Psyops: Emulex
2000.08: Emulex lost 60% of total share value
Mark Jakob, 23 years old
Fabricated news release
Sent from community college computer
Circulated by Dow Jones, Bloomberg
Claimed profit warning, SEC investigators,
loss of CEO
Jakob profited by $240,000 in minutes
Psyops: Ponzi
EE-Biz Ventures steals $50M (2001.07)
Donald A. English claimed huge profits
Paid early investors with money from later
ones
Classic “Ponzi” scheme
Arrested by FBI
Most victims were sick or elderly
Psyops: 4-1-9 Brides
Prospective Brides Needed Money (2004.11)
Russian Yury Lazarev hired women to write
flowery letters to possible partners
Included sexy photographs
3,000 men responded from around world
Attempts to meet met with requests for
money
Visas
Airline tickets
Net profits: $300,000
One year suspended sentence in Moscow
BREAK
Cases
Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)
History of DoS
1987-12: Christmas-Tree Worm
IBM internal networks
Grew explosively
Self-mailing graphic
Escaped into BITNET
1988-11: Morris Worm
Probably launched by mistake
Demonstration program
Replicated through Internet
~9,000 systems crashed or were
deliberately taken off-line
DoS: Mail-Bombing Via Lists
1996.08/12
1996.08 — “Johnny [x]chaotic”
subscribed dozens of people to hundreds of lists
victims received up to 20,000 e-mail msg/day
published rambling, incoherent manifesto
became known as “UNAMAILER”
1996.12 — UNAMAILER struck again
Root problem
some list managers automatically subscribe people
should verify authenticity of request
send request for confirmation
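The root problem named on the slide is list software that subscribes whatever address a request names, so anyone can point thousands of lists at a victim. The added example below (not from the original slides; the list name, addresses and limits are constructed) is the confirmed opt-in handler that closes that hole: a request only records a pending entry and mails a random token to the address itself, the subscription activates only when that token comes back from that address within its lifetime, and repeated requests naming the same address are throttled so the confirmation mails cannot themselves become the flood.

```python
"""Confirmed opt-in subscription handling for a mailing list.

Added example (not from the original slides). List name, addresses,
token lifetime and throttle limit are constructed/assumed values.
"""
import secrets
import time


class ListSubscriptions:
    def __init__(self, list_name, ttl_seconds=24 * 3600, max_pending_per_address=3):
        self.list_name = list_name
        self.ttl = ttl_seconds
        self.max_pending = max_pending_per_address
        self.pending = {}     # token -> (address, issued_at)
        self.members = set()  # confirmed addresses
        self.outbox = []      # (to_address, body) confirmation mails "sent"

    def _pending_for(self, address):
        return [t for t, (a, _) in self.pending.items() if a == address]

    def request_subscribe(self, address, now=None):
        """Anyone may ask; nothing is subscribed yet.

        The token goes only to the named address, so a forged request
        cannot complete itself. Returns the token, or None when throttled.
        """
        now = time.time() if now is None else now
        address = address.lower()
        if len(self._pending_for(address)) >= self.max_pending:
            return None  # repeated requests naming one address: stop mailing it
        token = secrets.token_urlsafe(16)
        self.pending[token] = (address, now)
        self.outbox.append(
            (address, f"To join {self.list_name}, reply with token {token}"))
        return token

    def confirm(self, address, token, now=None):
        """Activate the subscription if the token is valid, unexpired and
        presented by the address it was issued to."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None:
            return False
        pend_addr, issued = entry
        if now - issued > self.ttl:
            del self.pending[token]  # expired: discard, a fresh request is needed
            return False
        if pend_addr != address.lower():
            return False             # token replayed from a different address
        del self.pending[token]
        self.members.add(pend_addr)
        return True

    def is_member(self, address):
        return address.lower() in self.members


if __name__ == "__main__":
    lst = ListSubscriptions("announce-list")
    tok = lst.request_subscribe("reader@example.com")
    print("member before confirm:", lst.is_member("reader@example.com"))
    print("confirmed:", lst.confirm("reader@example.com", tok))
    print("member after confirm:", lst.is_member("reader@example.com"))
```

A stateless variant would derive the token from an HMAC over the list name, address and timestamp instead of storing it; the stored form is used here because the per-address throttle needs the pending count anyway.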
DoS: Spam / Junk E-mail
1996.09
AOL began blocking all inbound mail from
junk e-mailers
Court challenges on both sides
Other ISPs beginning to revolt against
onslaught of automated spam generators
Courts have ruled that junk e-mail does not
have to be transmitted by ISPs
DoS: Spam / Junk E-mail
1996.09
Paul Engel, San Francisco stock broker
Disagreement with an employee of SRI
Allegedly resulted in mail-bombing run on 23
September
25,000 messages consisting of the word
“Idiot”
Originated from SRI account
Prevented him from using his computer
1996.12: Sued SRI for $25,000 of damages
DoS: VineyardNET vs Spam
1997.01
VineyardNET hijacked by CV Communications
Connected directly to the ISP's SMTP server
Sent out 66,000 advertisements for spamming
services
Most victims: CompuServe and AOL
Tuned firewall to reject further input from rogue
Adjusted two-stage mail delivery software
scan and delete all junk e-mail
DoS: Miscellany 1997.01/03
1997.01 — “Rev. White” spams IRC Undernet
racist, homophobic, misogynist
threatening messages
1997.01 — Cleveland resident receives 100 calls/night
because his phone # is 1-off AOL’s
1997.03 — InterNIC loses papers for unnamed company
cut off its DNS entry
down for 20 hours
1997.03 — Sprynet suddenly terminates service to anyone
not using <name>@sprynet.com — including legitimate
customers with their own POP servers
DoS: Wasting Time On-Line
1997.06
1997.06 — employee use of Web for fun during
working hours
consumes average 2 hours of
productivity/week
other estimates range from 5% to 40% lost
also consume bandwidth
1997.06 — Pitney Bowes study from Gallup and
San Jose State University
972 top-level staff from Fortune 1000
severe damage to productivity from interrupts
50% said interruptions every 10 minutes
overwhelmed by flood of messages
DoS: Bluelister Attacks
Antispammers 1997.06
1997.06: Forged headers from Antispam sites
1 or more persons
Send large amounts junk e-mail from
antispammers home sites
Resulting floods of angry responses crashes
systems
NetHome Web-hosting service severely
compromised
DoS News 1998
1998.01: Sanford “Spamford” Wallace found
new spam-friendly ISP
offices swamped with phone calls, e-mails
and threats
1998.03: Windows NT servers crash under
hack attacks
Carnegie Mellon, MIT, NASA sites, many U.
Cal. campuses, US Navy
1998.03: Mailstorm by National Association
of Broadcasters
instructions on how to unsubscribe
actually sent messages to list itself
DoS News 1998 (Cont’d)
1998.05: Panamsat Galaxy 4 satellite
malfunctions
10M pagers silenced
also some public radio networks
two days of disruption
1998.09: Misappropriation of resources
Aaron Blosser accused of using 2585
computers at US West
looking for prime numbers
used 10 years of processing cycles
sent response time from 3-5 seconds to 5
minutes
DoS: Worcester Hacker
Convicted
Teenager punished for hack — 1998.03
Kid broke into Bell Atlantic switch in suburb
of Boston, MA in 1997.03
crashed switch
6 hours down
Disrupted service for 600 customers & local
airport control tower
Severely sentenced as example to others
2 years probation
loss of computer
250 hours community service
$5,000 restitution
DoS: MS & CERT-CC Down
Network vandal attacks MS (2001.01)
Flooded MS sites w/ packets
Down for a day
Due to putting DNS servers in single network
CERT-CC down 30 hours (2001.05)
DoS packet flood
Viewed as “just another attack” by staff
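The MS outage on this slide lasted a day because every authoritative DNS server for the company sat in one network, so a single packet flood reached all of them. The added example below (not from the original slides; the server names and addresses are constructed from the documentation ranges) is the check a zone owner would run against its NS records: group the nameserver addresses by enclosing network and report whether they are spread across enough of them, then ask how many would still answer if one network became unreachable.

```python
"""Network-diversity check for a zone's authoritative nameservers.

Added example (not from the original slides). Server names and addresses
are constructed (documentation prefixes); prefix lengths are assumed.
"""
import ipaddress

# Constructed: every nameserver in one /24, the situation the slide describes.
SINGLE_NETWORK = {
    "ns1": "192.0.2.10", "ns2": "192.0.2.11",
    "ns3": "192.0.2.12", "ns4": "192.0.2.13",
}
# Constructed: the same zone with servers in four distinct networks.
DIVERSE = {
    "ns1": "192.0.2.10", "ns2": "198.51.100.20",
    "ns3": "203.0.113.30", "ns4": "2001:db8:1::53",
}


def enclosing_network(addr, prefix_len=24, prefix_len_v6=48):
    """The /24 (or /48 for IPv6) that contains addr.

    A shared prefix is a proxy for a shared physical network and upstream;
    a production check would also compare originating autonomous systems.
    """
    ip = ipaddress.ip_address(addr)
    plen = prefix_len if ip.version == 4 else prefix_len_v6
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def diversity_report(ns_addrs, min_networks=2):
    """Group nameservers by enclosing network and judge the spread."""
    groups = {}
    for name, addr in ns_addrs.items():
        groups.setdefault(enclosing_network(addr), []).append(name)
    distinct = len(groups)
    return {
        "distinct_networks": distinct,
        "ok": distinct >= min_networks,
        "groups": {str(net): sorted(names) for net, names in groups.items()},
    }


def survivors_if_unreachable(ns_addrs, unreachable_cidr):
    """Nameservers still reachable when one network is flooded or cut off."""
    bad = ipaddress.ip_network(unreachable_cidr)
    return sorted(name for name, addr in ns_addrs.items()
                  if ipaddress.ip_address(addr) not in bad)


if __name__ == "__main__":
    for label, zone in (("single network", SINGLE_NETWORK), ("diverse", DIVERSE)):
        print(label, diversity_report(zone))
        print("  survivors if 192.0.2.0/24 is down:",
              survivors_if_unreachable(zone, "192.0.2.0/24"))
```

The same report applies to the root-server incident later in this section: the 13 root servers survived the 2002 flood as a service because the four that stayed up were not the ones sharing a saturated path with the nine that failed.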
DoS: Cloud Nine
Cloud Nine ISP out of business (2002.01)
Massive DoS
E-mail
DNS servers
Shut down operations
Insurance insufficient to pay for rebuilding
systems
Decided to sell business to competitors
DoS: White House
White House site offline (2002.05)
DoS 09:00-11:15 4 May 2002
Suspect Chinese and pro-Chinese hackers
DoS: Root Servers
DoS cripples 9 of 13 root servers (2002.10)
Most sophisticated and large-scale assault on
root servers to date
Started 16:45 EDT Monday 21 Oct 2002
30-40x normal traffic from South Korea and US
origins
7 servers failed completely; 2 intermittently
Remaining 4 servers continued to service ‘Net
requests – no significant degradation of
service
Verisign upgraded protection on its servers as a
result
DoS: Al-Jazeera
Al-Jazeera swamped (2003.03)
Arab satellite TV network Web site
unavailable
Swamped by bogus traffic aimed at US
servers for its site
DoS: Akamai (E-Commerce)
Akamai Technologies goes down (2004.06)
Network vandals attacked Akamai servers
Manages 15% of total traffic on Internet
Down for 45 minutes
Serve major players in e-commerce
Microsoft
Yahoo
FedEx
Xerox, ... many others
Also FBI
Care to estimate the costs of downtime??
DoS: GOOGLE & .com
Disappear Briefly
GOOGLE disappears from Web (2005.05)
Gone for 15 minutes 7 May 2005
Glitch in DNS
Drew attention to concerns over DNS stability
National Research Council issued report
criticizing state of DNS infrastructure
http://www7.nationalacademies.org/cstb/pub_dns.html
Historical note:
2000.08.23: 4 of 13 root DNS servers failed
All access (http, ftp, smtp) to entire .com
domain blocked for 1 hour worldwide
DoS: Backhoe Attacks
1997.06 -- Republic of Buryatiya
Thief removed 60m copper cable
Shut down all external communications 5
hours
Estimated cost ~$135,000
1997.06 -- Kazakhstan
2 thieves began stealing copper from high-voltage
electrical power line -- while it was live
soon they weren’t
1997.06 -- Florence, NJ
construction crew sliced through major
UUNet backbone
DoS: More Backhoe Attacks
1997.10: Dump-truck driver leaves truck bed up,
rips telephone cables – 119,000 Sprint users out
of service for 4 hours
1998.02: Illuminet cables severed in Illinois –
phone/ISP service out all over eastern seaboard
for AT&T, Teleport, Bell Atlantic mobile
2001.03: Thieves attempted to steal copper
cable in Ontario Canada. They actually cut a
fiber-optic cable and wiped out Internet service
for 300,000 users. Then while workers were
repairing the damage, rodents attacked the
exposed cable and eliminated service once
more.
DoS: Tunnel Fire Derails
Internet Service
Train derailed in Baltimore tunnel (2001.07)
Damaged fiber-optic cables
Affected Internet service, telephony across
USA
WorldCom, PSINet, AboveNet
Delays on eastern seaboard
Problems even in Seattle, Los Angeles
DoS: What if GPS Fails?
As of 2003.04: 18 of 28 GPS satellites
Operating beyond intended lifespan or
Have equipment failure
GPS failure would affect
Civil aviation
Trucking
Shipping
Telecommunications
Internet backbone operators use GPS time
stamps
DISCUSSION
Resume at
13:14:54