The Rapid Evolution of the Internet – and Related Dangers

John A. Copeland

Electrical and Computer Engineering

Georgia Institute of Technology

KOCSEA 13th Annual Technical Symposium, Dec. 15, 2012 – Atlanta, GA.

Updated 1/9/2015

1960's - Computers come into widespread use in government and companies.

Attacks

The "Logic Bomb" - program installed by computer technician that would wipe out memory after a time period (if not reset).

This was sometimes retaliation for a firing. In one case the culprit called the company, said he had heard about their disaster, and said that fortunately he had backup tapes at home that he would sell (he went to prison).

Defenses

Better off-site data backup systems.

1970's - Computers became accessible from remote terminals.

Attacks (Insiders only, or Burglars)

Guess other users' passwords, or write "Trojan Horse" programs for others to use, which would write their passwords and other information into the hacker's file.

Defense

Better passwords (educate users - still an ongoing battle today).

Trojan Horse programs are still a problem today. Only install programs from trusted sources. Government "Trusted" computers check permissions on every read and write.

1980's - Computers became accessible from telephone voice lines by using a modem.

"Bulletin Board" servers downloaded files, mostly text files for printout.

Attacks

Demon Dialers - programs that rapidly dialed telephone numbers in sequence to find lines with a modem, followed by password guessing, if a password was even needed.

Defenses

Better passwords and challenge-response authentication. [RSA, Inc. dongles provide one-time passwords, but their basic code was temporarily stolen by hackers in 2010.]

1983 movie: a teen hacks into the US Air Defense Command computer WOPR and almost starts World War 3.

1982 movie: computer innards are portrayed as a virtual world where protagonists compete.

Thanks to the movies, computer hacking (breaking in) becomes a sport for high-school age males. They can find "exploit" programs on the Internet from "hacker" Bulletin Boards, and instructions on how to use them.

Many of these young men claimed they were doing good by exposing weak security in corporate and government computers. They did damage, even without meaning to, by deleting files and crashing mainframes.

Who writes the exploit programs? Could it be professional hackers who want the network noise to cover their own tracks?

In the mid 1980's, private data networks joined with the NSFNET (nee ARPAnet) to form the Internet, joining government organizations, universities, and corporations. Internet Service Providers began connecting individuals to file download sites such as America Online.

1990's - The World Wide Web is born.

Web servers, which work with Web Browsers using the HTTP protocol and HTML formatted pages, download all manner of files: email, images, articles, music.

Attacks

Email messages encouraged people to download executable files that would install root kits and back doors. "Viruses" (computer programs that replicate and spread) carry different payloads.

Defenses: "Do not 'click' on attachments." Anti-virus software. Software and operating-system updates came more and more often and grew larger.

The Dawn of the Worm.

In Nov. 1988, the Morris "Worm" (a Virus that spreads through network connections) spread through email servers. Not intended to be malicious, it infected servers multiple times, crashing the Internet email service.

In 2001, the "Anna Kournikova" virus spreads as an email attachment ("click here"). "Code Red" attacks 360,000 PC's over the Internet. The infected number doubled every 37 minutes. The Sapphire worm later spread 100 times faster, infecting almost every computer that was susceptible worldwide within 10 minutes.

In 2004, the "Witty" worm is targeted at certain network security products: ISS "Black Ice" and "Real Secure." Every available system worldwide was infected within 45 minutes.

Code Red spread

A “worm” is a malicious program that spreads through network connections.

Computer “viruses” were spread by content in floppy-disk files. Later they were spread mainly by email. The line between a virus and a worm blurred.

Spread of Sapphire virus, after 38 minutes.

Late 2000's - The Worm Evolves into the "Bot" (for Robot).

A Botnet is a sparse network of compromised computers. Each bot communicates with only a few other members, to hide the "Command and Control" points. These could be Web servers whose URL belongs to the Bot Master. The Bot Master can provide services such as spam mailing, phishing email, and Denial of Service flooding attacks (for extortion or damage to competitors). Botnets are sometimes controlled by criminal organizations (e.g., Russian Mafia).

In Nov. 2008, the "Conficker" bot infected over 10 million computers. It could send over 10 billion spam and phishing emails a day.

2010's - Wireless Networks are Everywhere

Cell phones will become the primary access to the Internet (shopping and banking), and a way to access short-range networks like point-of-sale payment systems and auto access.

Wireless Networks have a checkered history. Early AMPS cell phones were cloned. WiFi cryptographic methods WEP and WPA were broken very quickly.

Attacks - All previous, and spoofing.

Defense - Using network characteristics to "fingerprint" wireless nodes to detect intruders. Use "challenge authentication."

Ref. 3

The "Advanced Persistent Threat" (APT)

March 21, 2008

In a Nov. 28, 2007, confidential report from Homeland Security's U.S. CERT obtained by BusinessWeek, "Cyber Incidents Suspected of Impacting Private Sector Networks," the federal cyber watchdog warned U.S. corporate information technology staff to update security software to block Internet traffic from a dozen Web addresses after spear-phishing attacks. "The level of sophistication and scope of these cyber security incidents indicates they are coordinated and targeted at private-sector systems," says the report.

"Phishing," one technique used in many attacks, allows cyber spies to steal information by posing as a trustworthy entity in an online communication. The term was coined in the mid-1990s when hackers began "fishing" for information (and tweaked the spelling).

The e-mail attacks on government agencies and defense contractors are called "spear-phishing" because they target specific individuals. They are the Web version of laser-guided missiles. Spear-phish creators gather information about people's jobs and social networks, often from publicly available information and data stolen from other infected computers, and then trick them into opening an e-mail [which then installs a "root kit" or "bot"].

BusinessWeek, March 21,2008

Spear Phishing – the Most Common Attack

Kimi Werner, 2008 Women’s National Spearfishing Champion

Year    Strength (Gbps)

2003      1

2005     10

2007     24

2009     46

2011     60

2013    309

2014    329

Denial of Service

Flood Attack – Overwhelms victim’s connection to Internet.

Used for extortion, and political statements.

Stuxnet spread around the world by accident in 2010, and was detected. It did no harm except to a specific combination of Siemens controllers and P-1 centrifuges found only in Iranian uranium processors.

It exploited five previously unknown (Day-0) vulnerabilities in Windows, worth $250,000 each on the hacker market.

Defense against new bots with Day-0 exploits: none. Air-gap did not work.

Stuxnet - The first computer worm aimed at destroying specific physical facilities (Iran's uranium-purifying centrifuges). The attack by the U.S. and Israel started in 2007 and may have slowed the Iranian program by as much as two years [2].

Cyber Warfare – Attacking Physical Infrastructure

2008 – Oil pipeline in Turkey exploded by cyber attack.

2012 – Attack on Saudi Aramco that wiped out 30,000 of the oil company's computers (Iran?)

“China and "one or two" other countries are capable of mounting cyber attacks that would shut down the electric grid and other critical systems in parts of the U.S.” -Adm. Michael Rogers, head of NSA and U.S. Cyber Command. 11/20/14

BW, July 25, 2011

Cyber War

The commercial Internet in Estonia was disrupted for several days by Russian hackers unhappy because a WW2 monument was moved.

Thousands of computers in South Korea were destroyed in what was thought to be a test by North Korea.

The U.S. government has developed thresholds for a Cyber Attack that would warrant a counter Cyber-War attack, or a conventional military response.

Defense: None, not even MAD*.

* Mutually Assured Destruction

Current Defensive Strategies – 1: Identifying Known Enemies

“Honey Pots” are computers that have unpatched operating systems or applications and appear ripe for compromising. They are used to capture the attacker’s “exploit” software.

Exploit software is analyzed to discover which vulnerabilities are being used, particularly "day zero" vulnerabilities, and to try to attribute responsibility for the malicious activity.

Signatures are developed when possible, to allow future detection. Clearing houses for collecting and codifying elements of attack code have been set up, to update email-server filters and the analysis of Web-server downloads.

Current Defensive Strategies – 2: Identifying Abnormal Behavior

When a computer is compromised, a root kit can hide indications of the problem from users – but network activity is still necessary (except for a "logic bomb"), and that activity can be observed from outside the compromised machine.

A network Intrusion Detection System can look for:

Signatures - known patterns of behavior or bit patterns, or

Abnormal Network Behavior (e.g., StealthWatch), or

New devices on the network, detected by timing or protocol variations*.

* "GTID: A Technique for Physical Device and Device Type Fingerprinting," Raheem Beyah, this afternoon at this conference.
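As an added example (not code from the talk, and not from any product or paper it names), here is a small Python implementation of the three kinds of check just listed, run over a handful of constructed flow records: signature matching of the sort fed by honeypot captures and clearing-house feeds (strategy 1), detection of the periodic check-in a bot makes to its command-and-control point (the sparse botnet communication described in the Bot section), and a device-inventory check that flags unknown addresses or a known address whose IP TTL and TCP window profile has changed. All addresses, ports, timings and signatures are constructed sample data, and using TTL and window size as the device profile is an assumption made for the example; real device fingerprinting such as GTID works from packet timing rather than these two header fields.

```python
"""
Added example: three network-IDS checks over constructed flow records.
  signature_alerts - match flows against known-bad patterns
  beacon_alerts    - flag a host contacting the same peer on a fixed period
  device_alerts    - flag unknown addresses or a drifted TTL/window profile
Every address, port, time, signature and profile below is made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (time_s, src_ip, dst_ip, dst_port, ip_ttl, tcp_window)
FLOWS = [
    (0,   "10.0.0.5",  "203.0.113.9",  443, 128, 8192),
    (60,  "10.0.0.5",  "203.0.113.9",  443, 128, 8192),
    (120, "10.0.0.5",  "203.0.113.9",  443, 128, 8192),
    (180, "10.0.0.5",  "203.0.113.9",  443, 128, 8192),
    (240, "10.0.0.5",  "203.0.113.9",  443, 128, 8192),   # every 60 s: a beacon
    (13,  "10.0.0.7",  "198.51.100.2",  80,  64, 29200),
    (97,  "10.0.0.7",  "198.51.100.4", 443,  64, 29200),
    (300, "10.0.0.7",  "198.51.100.2",  80,  64, 29200),
    (150, "10.0.0.9",  "192.0.2.50",  6667, 128, 8192),   # matches both signatures
    (400, "10.0.0.7",  "198.51.100.8", 443, 128, 65535),  # 10.0.0.7 with a different stack
    (420, "10.0.0.42", "198.51.100.2",  80,  64, 29200),  # address not in the inventory
]

# Constructed signatures: every listed field must match the flow.
SIGNATURES = [
    {"name": "known C&C host (constructed)", "dst_ip": "192.0.2.50"},
    {"name": "IRC port used by early bots", "dst_port": 6667},
]

# Constructed inventory: known address -> (expected IP TTL, expected TCP window)
KNOWN_DEVICES = {
    "10.0.0.5": (128, 8192),
    "10.0.0.7": (64, 29200),
    "10.0.0.9": (128, 8192),
}


def signature_alerts(flows, signatures=SIGNATURES):
    """Return (src, dst, port, signature_name) for every flow matching a signature."""
    alerts = []
    for _t, src, dst, port, _ttl, _win in flows:
        fields = {"dst_ip": dst, "dst_port": port}
        for sig in signatures:
            wanted = {k: v for k, v in sig.items() if k != "name"}
            if all(fields.get(k) == v for k, v in wanted.items()):
                alerts.append((src, dst, port, sig["name"]))
    return alerts


def beacon_alerts(flows, min_connections=4, max_jitter=0.1):
    """Flag (src, dst, port) groups whose connection times are nearly periodic.

    jitter = standard deviation of the gaps between connections / their mean;
    a bot checking in on a timer sits near zero, human browsing is bursty.
    """
    by_peer = defaultdict(list)
    for t, src, dst, port, _ttl, _win in flows:
        by_peer[(src, dst, port)].append(t)
    alerts = []
    for (src, dst, port), times in by_peer.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "period": period, "jitter": jitter})
    return alerts


def device_alerts(flows, inventory=KNOWN_DEVICES):
    """Flag unknown sources, and known sources whose TTL/window profile drifted."""
    alerts = []
    for _t, src, _dst, _port, ttl, win in flows:
        expected = inventory.get(src)
        if expected is None:
            alerts.append((src, "unknown device", (ttl, win)))
        elif expected != (ttl, win):
            alerts.append((src, "fingerprint drift", (ttl, win)))
    return alerts


if __name__ == "__main__":
    for name, check in [("signature", signature_alerts),
                        ("beacon", beacon_alerts),
                        ("device", device_alerts)]:
        for alert in check(FLOWS):
            print(f"[{name}] {alert}")
```

The beacon check is the one that needs no prior knowledge of the attacker: it scores only the regularity of a host's contacts with one peer, so it catches a bot polling a command-and-control server that no signature has seen yet, while the profile check catches a device that has been swapped or spoofed behind an address the inventory trusts.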

Current Defensive Strategies – 3: Monitoring Infrastructure Control Systems

[Diagram: the Supervisor's Computer sends "Faster, Faster" to the Controller Computer; the Controller Computer reports back "Everything's OK"; a Passive Monitor watching both messages raises "ALARM!"]
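As an added example (not code from the talk), the diagram's passive monitor can be written as a small Python class that only observes: it taps the supervisor-to-controller commands, the controller's status reports, and an independent reading of the physical process, and raises an alarm whenever the three disagree. The message kinds, the safe speed limit, the tolerance and the event stream are all constructed for this example.

```python
"""
Added example: a passive monitor tapping a supervisor <-> controller link.
It never transmits; it consumes three kinds of constructed messages:
  cmd     supervisor -> controller : new speed setpoint (rpm)
  status  controller -> supervisor : (reported rpm, state), e.g. "OK"
  sensor  independent tap on the process: rpm actually measured
"""

SAFE_MAX_RPM = 1200      # constructed engineering limit for the process
TOLERANCE_RPM = 50       # allowed gap between reported and measured speed

# Constructed event stream: (time_s, kind, payload)
EVENTS = [
    (0,  "cmd",    1000),
    (1,  "sensor", 1000),
    (2,  "status", (1000, "OK")),
    (10, "cmd",    1400),            # "Faster": past the safe limit
    (11, "sensor", 1390),
    (12, "status", (1000, "OK")),    # controller still reports the old value
    (20, "cmd",    1400),            # "Faster" again
    (21, "sensor", 1400),
    (22, "status", (1000, "OK")),    # "Everything's OK", unchanged
]


class PassiveMonitor:
    """Consume events in time order; feed() returns the alarms each one triggers."""

    def __init__(self, safe_max=SAFE_MAX_RPM, tolerance=TOLERANCE_RPM):
        self.safe_max = safe_max
        self.tolerance = tolerance
        self.setpoint = None                 # last commanded speed seen on the wire
        self.measured = None                 # last reading from the independent sensor
        self.last_status = None              # last status message seen
        self.setpoint_at_last_status = None  # setpoint in force when it was seen

    def feed(self, event):
        t, kind, payload = event
        alarms = []
        if kind == "cmd":
            # Check 1: the command itself is unsafe (alarm once per new setpoint).
            if payload > self.safe_max and payload != self.setpoint:
                alarms.append((t, "SETPOINT_LIMIT",
                               f"commanded {payload} rpm exceeds safe limit {self.safe_max}"))
            self.setpoint = payload
        elif kind == "sensor":
            self.measured = payload
        elif kind == "status":
            reported, state = payload
            # Check 2: the report contradicts the independent sensor.
            if self.measured is not None and abs(reported - self.measured) > self.tolerance:
                alarms.append((t, "REPORT_MISMATCH",
                               f"controller reports {reported} rpm ({state}), "
                               f"independent sensor reads {self.measured}"))
            # Check 3: an identical status is repeated although the setpoint moved,
            # the pattern of a recorded "all is well" message being played back.
            if payload == self.last_status and self.setpoint != self.setpoint_at_last_status:
                alarms.append((t, "STATUS_REPLAY",
                               f"status {payload} identical to previous report "
                               f"although setpoint changed to {self.setpoint}"))
            self.last_status = payload
            self.setpoint_at_last_status = self.setpoint
        return alarms


def run_monitor(events):
    """Feed a whole event stream and return every alarm raised, in order."""
    mon = PassiveMonitor()
    alarms = []
    for event in events:
        alarms.extend(mon.feed(event))
    return alarms


if __name__ == "__main__":
    for t, code, detail in run_monitor(EVENTS):
        print(f"t={t:3d}s ALARM {code}: {detail}")
```

The three checks correspond to the three ways the slide's scenario can go wrong: a command that is unsafe on its face, a report that contradicts an independent measurement, and a status message repeated unchanged after the setpoint moved. The independent sensor is what gives the monitor its value; a monitor that only reads the controller's own reports would see "Everything's OK" and agree. Because the monitor never transmits, it adds no new path into the control network.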

What Does the Future Hold?

There is no doubt that the Internet has become critical to our economy, and our way of life. >75% of the world’s population is connected. It carries >90% of e-information.

There was an effort in 2012 to get Congress to pass a law requiring privately-owned critical infrastructure companies to meet network security standards. The power industry successfully lobbied to keep self-regulation.

Will losses reach the point that all users and all servers will be required to have “Certificates,” like those used by the large e-commerce servers today? This would require a trustworthy “Certificate Authority,” perhaps better than those built into browser software today, and governed by global regulations.

References

[1] Joseph Menn, “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” Public Affairs, 2010.

[2] David E. Sanger, “Confront and Conceal,” Crown, New York, 2012.

[3] Kim Zetter, "Cyberwar: Countdown to Day Zero: Stuxnet and the Launch of the World's First Digital Weapon," Nov. 2014.

Author Contact Information

John A. Copeland, Weitnauer Prof, GRA Eminent Scholar

  Georgia Tech, Elec. & Computer Eng. – 0765

  Atlanta, GA 30332-0765

  office 404 894-5177, cell 404 786-5804

  Home Page: http://www.csc.gatech.edu/copeland/

  PGP Public Key: http://www.csc.gatech.edu/copeland/jac/PGP_Key.html

Dir., Communications Systems Center,

  Home page: http://www.csc.gatech.edu/