
Cyber Terrorism: Strategic Problem Solving and Fresh Insights

Yu Chien Siang Ministry of Home Affairs Singapore

Agenda

• Introduction
• Cyber-terrorism – why be concerned?
• Some Attack Scenarios
• Singapore Experience Sharing and Insights
• Conclusion

Cyber-terrorism: Why be concerned?

• The main targets have been the websites of:
– the Estonian presidency and its parliament
– almost all of the country’s government ministries
– political parties
– three of the country’s six big news organisations
– two of the biggest banks, and firms specializing in communications

Cyber-terrorism: Why be concerned?

• DDoS attack involved systems:
– More than 300 systems worldwide
– One system coordinating the DDoS attacks: 65.19.154.94, known as a US spam server
– Russian systems seem to be involved as command servers

• Impact Assessment
– The cyber attack on Estonia was significant: the first time that a country’s Internet system had been attacked over a period of time, with users unable to access the Internet across a range of functions and services.
– Impact on the real world: simultaneous disruption to various parts of society, causing some inconvenience and probably financial costs. However, there have been no known direct fatalities or permanent loss of information or data so far.

Cyber-terrorism: Why be concerned?

SCADA – Supervisory Control And Data Acquisition System
• Or Industrial Control System (ICS)
• Critical Infrastructure
– Traffic control systems (air, land, sea)
– The MRT
– The water in your country
– The energy generators and distribution
– …

SCADA Incidents

• Incident: Worcester Air Traffic Communications
– In March 1997, a teenager in Worcester, Massachusetts disabled part of the public switching network using a dial-up modem connected to the system. This knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport.

SCADA Incidents

• Incident: Davis-Besse
– In August 2003, the Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours.
– In addition, the plant’s process computer failed, and it took about six hours for it to become available again. Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked.

SCADA Incidents

• Incident: CSX Train Signaling System
– In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the east coast of the U.S. The virus infected the computer system at CSX Corp.’s Jacksonville, Florida headquarters, shutting down signaling, dispatching, and other systems.

SCADA Threat Simulation Report

It’s a Digital LifeStyle!

Social Networks

Cyber security – Why be concerned?

• Mobile Devices
– lost and stolen notebooks, PDAs, storage devices (e.g. USB devices)
• VoIP
– eavesdropping on communications, backdoor into our network
• Spam/Phishing
– never-ending emails!
• Wireless Networks
– unauthenticated devices, spoofed APs, MITM attacks, theft of credentials
• USB Devices
– proxy for data theft and propagation of malware

Example of Trojan

• Poison Ivy
– ‘Remote Administration’ software (Trojan?)
– Free for download
• Capabilities
– Bypass of anti-virus and firewall
– Monitoring of the user’s screen
– Key logging
– File transfer
– Killing of processes
– Cleaning of traces

Demo …

Mpack – New Generation of Malware

• Malware kit produced by Russians, DTC (Dream Coders’ Team), and sold as commercial software
– First released in December 2006, currently version 0.94
– Approximately US$500-1000
– Technical support and regular updates of exploit code
– Customised exploits, e.g. to evade AV software (US$50-150)
• Built-in intelligence
– Selective attacks, based on the targeted country domain
– Highly efficient: no brute force, targets the browser type
– Systematic: keeps track of its victims (e.g. compromised websites)

Layered Attack (Demo)

[Diagram: Victim and MPack server, with the numbered steps 1–6 below]
1. The victim visits a YouTube video recommended by an unknown person.
2. He finds the video interesting and decides to click on one of the links to a blog site that has more to say about the video.
3. This blog turns out to be injected with an iframe that points to an MPack server.
4. Without his knowledge, the iframe requests a page from the MPack server.
5. A downloader file is pushed to the victim’s web browser.
6. The downloader file then downloads a malicious payload from the MPack server.

Attacks on Legitimate Websites

MITM Attack

• New phishing attacks using the “Man in the Middle (MITM)” technique
– WSNPOEM is the new generation worm
– Successful attacks against banks like ABN Amro
– All these banks used 2-factor authentication with hardware tokens

MITM Attack

[Diagram: original flow between Victim and Bank Server, and network traffic redirected through the Attacker]
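The two slides above make a point that is easy to miss: a hardware token does not help when the code it produces says nothing about the transaction, because the attacker in the middle can forward a perfectly valid code together with a transaction of his own. The defence banks adopted is to bind the code to the transaction details the customer sees (transaction signing). The following Python model is an added example for this transcript, not code from the presentation or from any bank; the token, bank and relay are toy models built on HMAC-SHA256 over a constructed secret, and the amounts and payee names are constructed.

```python
"""Why a relayed one-time code is accepted, and why a transaction-bound
code is not. Added example, not part of the original slides; toy model
with a constructed shared secret, not any real token's algorithm.
"""
import hashlib
import hmac

# Constructed secret provisioned into the customer's hardware token.
TOKEN_SECRET = b"constructed-token-secret"


def _mac(*parts):
    """Short truncated HMAC over the parts, playing the role of a display code."""
    msg = b"|".join(str(p).encode() for p in parts)
    return hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()[:8]


def plain_otp(counter):
    """Code that depends only on the token counter: it carries no transaction."""
    return _mac("otp", counter)


def transaction_code(counter, amount, payee):
    """Code bound to the amount and payee the customer saw and approved."""
    return _mac("txn", counter, amount, payee)


def bank_accepts_plain(counter, code, amount, payee):
    """Bank using plain OTP: only checks that the code is the current one.

    amount and payee are ignored, which is exactly the weakness."""
    return hmac.compare_digest(code, plain_otp(counter))


def bank_accepts_bound(counter, code, amount, payee):
    """Bank using transaction signing: recomputes over the submitted transaction."""
    return hmac.compare_digest(code, transaction_code(counter, amount, payee))


def simulate_relay(scheme):
    """Return True if the attacker's substituted transaction is accepted.

    The customer intends one transfer; the man in the middle forwards the
    customer's code with a different transfer. Constructed values throughout.
    """
    counter = 7
    intended = {"amount": 100, "payee": "landlord"}
    substituted = {"amount": 5000, "payee": "mule-account"}
    if scheme == "plain":
        code = plain_otp(counter)
        return bank_accepts_plain(counter, code, **substituted)
    if scheme == "bound":
        code = transaction_code(counter, intended["amount"], intended["payee"])
        return bank_accepts_bound(counter, code, **substituted)
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    print("plain OTP, relayed:", simulate_relay("plain"))   # accepted
    print("transaction-bound, relayed:", simulate_relay("bound"))  # rejected
```

The bound scheme only helps if the token displays the amount and payee it is signing, so the customer can notice a mismatch; a token that signs whatever the browser sends it is back to the plain case.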

Implications

• Can terrorist groups make use of malware to their advantage?
– Gather funds
– Build up botnets (a cyber-army?) for DDoS against critical networks
– Hack into critical systems
  • SCADA
  • Financial systems
  • Etc
– Many other unthinkable possibilities
• The underground economy makes it easy to acquire capabilities
– Hackers for hire
– Malware toolkits for sale $

Singapore Experience

• IT Security Masterplan
– Formulated to combat cyber-threats
  • Hacking
  • Virus attacks
  • Cyber-terrorism
– Some Key Initiatives
  • National Cyberthreat Monitoring Centre (NCMC)
  • National Authentication Framework (NAF)
  • National Infocomm Security Awareness Programme
  • Critical Infocomm Infrastructure Surety Assessment (CII-SA)
  • Business Continuity Readiness Assessment Framework
  • http://www.ida.gov.sg/Programmes/infrastructure.aspx

Innovative Problem Solving

• Economics of Security
• Post Regulatory State
• Personal Security System and Responsive Regulation
• Training and Security Awareness

Economics of Security

• People have realized that security failure is caused at least as often by bad incentives as by bad design. Systems are particularly prone to failure when the person guarding them is not the person who suffers when they fail.

• Is this like the Global Warming problem?

http://www.cl.cam.ac.uk/~twm29/science-econ.pdf

Government cannot micromanage the information security business, most of which is in any case outside the UK. What it can do, and should do, is to ensure that people and companies have the necessary incentives to take responsibility for the consequences of their actions, online as well as offline.

Ross Anderson, Cambridge, 23 2006

Lose-lose

• As the network is interdependent, a successful attack on one system is then likely to succeed on other systems as well since they typically share the same vulnerabilities via a common platform. This means that one organization’s security is negatively affected by the poor security behaviour of another member of the network.

• Companies could never achieve 100% security on their own because their risks are often created by the behaviors of others who also lack the incentive to heighten security. Theoretically, it follows that an organization’s “perverse incentives” not to invest drive others to underinvest as well.

Perverse Incentives

• An incentive that has an unintended and undesirable effect, e.g.:
– In Hanoi, under French colonial rule, a program paying people a bounty for each rat pelt handed in was intended to exterminate rats. Instead it led to the farming of rats.
– Internet airline ticket sales via credit card promote air travel, but allow a Sep 11 attack to be executed quasi-free.

• Users are encouraged to use long passwords that are difficult for an attacker to guess. However, such strong passwords are hard to remember, leading users to write them down rather than memorizing them.

• Digital Rights Management schemes are often used to discourage piracy by preventing copying of content, which also has the effect of reducing its utility to paying customers who want to play their purchased material on multiple machines or make backups. Since pirated content usually does not contain DRM, users who do not want DRM restrictions on their content will then pirate it.

Post Regulatory State

• Law’s capacity is limited. Control based on law is marginal. State law is only effective if linked to other processes.

• People do what they do not because of the law but because of education, training, habit, incentive, etc. Regulations can’t work if they go against economic benefits.

• Form: variety in norms, control mechanisms, controller, controllees.

• Colin Scott, Regulation in the Age of Governance: The Rise of the Post Regulatory State, June 2003, http://www.anu.edu.au/NEC/NEC%20EVENTS/Events%202003/scott1.pdf

Personal Security System

• Digital Online Registration and Identification System (DORIS)
– Our first vision of a Personal Security Device in hardware.
– The core of DORIS is a smart chip that supports a tri-interface, meaning contact, contactless and USB.
– Multi form factor: plastic cards, watches, key fobs, flash drives, SIM overlay and other handheld devices such as mobile phones.
– Provides
  • Authentication
  • Digital Signature
  • Storage of personal records (e.g. medical)
  • etc

Personal Security System

• Dynamic Isolation of Virtualised Applications (DIVA)
– The enhanced vision of a Personal Security System that can support soft or hard tokens like DORIS
– Trusted applications auto-run from any storage media under a ‘sandbox’ environment
– No requirement for administrator privileges
– Compatible with any flash storage

Responsive Regulation

• The Personal Security strategy is a clever way of exercising Responsive Regulation by bringing in a new key actor, namely the citizen user.
• When the citizen becomes a principal part of the regulatory community, it creates
– the opportunity of contractual agreements with negotiated but enforceable conditions, and
– his need for diverse public services like e-government would create the possibility of a hierarchy of sanctions, to match the degree of infringement, which could be cost-effectively monitored using electronic means based on government standard protocols.
• Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate, Oxford University Press.

Training & Security Awareness

• Training
– Annual Governmentware Seminar
  • Into its 16th year
  • Brings together professionals from government, academia and industry
  • Raises awareness of the latest security threats
– CXO Training
  • Instil within senior management the need for security
  • First-hand experience of cyber threats

Conclusion

• Issues of cyber-terrorism are related to:
– Infocomm convergence, hence dependency increases
– Transnational cybercrime in new forms, e.g. cyber attacks leading to cyber-extortion; cyber espionage, which could be the prelude to discovering infrastructure weaknesses and social engineering; credit card attacks, which could lead to a massive financial system assault; money laundering via electronic payments, etc.
• Signals a need for greater cooperation and knowledge sharing between countries
• A good way to network would be Governmentware 2008
– Theme: Positive Security: Empowering Business Models for the Future
– Venue: Singapore
– See you there!