The Threats Lesson 2. Some Definitions Threat Any circumstance or event with the potential to cause...


The Threats

Lesson 2

Some Definitions

Threat: Any circumstance or event with the potential to cause harm to an asset.

Risk: The possibility of suffering a loss.

Vulnerability: A weakness in an asset that can be exploited by a threat to cause harm.

From Security+ Certification by White et al.

Threats

Threat Agent | Exploits… | Resulting Risk
Virus | Lack of antivirus SW | Virus infection
“Hacker” | Unpatched services | Unauthorized Access
Users | Misconfigured systems | System malfunction
Fire | Lack of FD/FS equip. | Facility & system damage
Employee | Lax access controls | Damage HW & SW
Contractor | Lax access controls | Steal trade secrets
Intruder | Lack of guard | Theft of equipment
Employee | Lack of auditing | Fraud, theft
“Hacker” | Incorrect security settings | DoS, Intrusion
Nature | Environment | Loss of power, water damage, electrical damage

Adapted from “CISSP Certification Exam Guide” by Shon Harris

A Sampling of Cyber Activity

- March 1999 - EBay gets hacked
- March 1999 - Melissa virus hits Internet
- April 1999 - Chernobyl Virus hits
- May 1999 - Hackers shut down web sites of FBI, Senate, and DOE
- June 1999 - Worm.Explore.Zip virus hits
- July 1999 - Cult of the Dead Cow (CDC) releases Back Orifice
- Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
- Oct 1999 - teenage hacker admits to breaking into AOL
- Nov 1999 - BubbleBoy virus hits
- Dec 1999 - Babylonia virus spreads
- Feb 2000 - several sites experience DOS attacks
- Feb 2000 - Alaska Airlines site hacked
- May 2000 - Love Bug virus ravages net
- Jul 2001 – Code Red Worm
- Sept 2001 – Nimda Worm
- Jan 2003 - Slammer

Computer Crime

Surveys of Computer Crime
- CSI/FBI
- NCSA/ICSA Labs (survey of computer virus incidents)
- CERT-CC Summaries

Computer Criminals
- Varied skills, background, motives

What is a computer crime?
- Is breaking into a system without theft, vandalism, or obvious breach of confidentiality a crime?
- Who are you asking – Law Enforcement? Hacker?
- How does this apply to virus writers?

Computer Crime – 1996 surveys

Some numbers
- Dan Gelber testified at Senate hearing that commercial and financial services sector lost $800M
- According to Federation of Communication Services, fraud cost phone industry $332M in UK alone
- USA Today survey of 236 major corporations, more than half have been victimized by computer break-ins, 18% said loss exceeded $100K. >20% were industrial espionage.

On a related note (abuse of system by insiders)
- Nielsen Media Research survey reported 13,048 person-hours spent visiting Penthouse WWW site in a single month at IBM, Apple, and AT&T
- At Compaq in Houston 12 employees were fired for logging more than 1000 hours each to sex sites while at work

Computer Crime – 1997 surveys

Compaq in London found 82 percent of respondents chose passwords as follows:

- “a sexual position or abusive name for boss” 30%
- Partner’s name or nickname 16%
- Name of their favorite holiday destination 15%
- Sports team or player 13%
- Whatever they saw first on their desk 8%

- Survey of 333 integrators, resellers, and consultants indicated only half had implemented any network security policies.
- Japanese police reported 25% increase in hacking
- CSI survey reported 75% of respondents lost money because of computer crimes in the past year

Computer Crime – 1998 surveys

- Australian CERT reported previous year number of computer hacking attacks doubled.
- Japanese Ministry of Posts and Telecommunications reported in previous year number of viruses was worst ever (353 incidents)
- Communications Week reported that many of the Fortune 1000 companies had experienced a break-in.
- CSI/FBI reported 520 U.S. companies reported a total loss of $136M from computer crime in previous year.

Computer Crime – 1999 Surveys

- Xinhua news agency reported computer crime had exploded in China. One estimate indicated that 95% of all PRC web sites had been penetrated.
- In Japan, the National Police Agency reported computer crime was up 58% in previous year.
- CSI/FBI survey reported in U.S. that
  - System penetration by outsiders increased
  - Those that reported Internet connection was point of attack rose from 37% in previous year to 57%
  - 32% of companies (as opposed to 17% in previous year) reported serious computer crimes to law enforcement

Computer Crime – 2000 surveys

CSI/FBI survey reported total losses to computer crime by respondents in U.S. was $265M.

- 90% of respondents reported security breaches
- 74% acknowledged financial loss due to breach
- 59% reported Internet connection as most frequent point of attack

In another interesting study, Reciprocal Inc. reported on a study which indicated that sales of recorded music had declined in the vicinity of college campuses in the last 2 years while rising everywhere else.

Computer Crime – 2001 Survey

CSI/FBI Computer Crime and Security Survey

- 538 security “practitioners” in the U.S.
- 91% reported computer security breaches within the previous 12 months
- 70% reported their Internet connection as a frequent point of attack (up from 59% in 2000)
- 64% suffered financial losses due to breaches, 35% could quantify this loss.
- Losses due to computer security breaches totaled (for the 186 respondents reporting a loss) $377,828,700
- Average loss $2,031,337

2002 CSI/FBI Computer Crime & Security Survey

- 503 security “practitioners” in the U.S.
- 90% detected computer security breaches
- 40% detected penetrations from the outside
- 80% acknowledged financial losses due to breaches
- $455,848,000 in losses due to computer security breaches totaled (for the 223 respondents reporting a loss)
  - 26 reported theft of proprietary info ($170,827,000)
  - 25 reported financial fraud ($115,753,000)
- 34% reported intrusions to law enforcement
- 78% detected employee abuse of internet access privileges, i.e. pornography and inappropriate email use

Computer Crime – 2002 Survey

Computer Crime – 2003 Survey

- 530 security “practitioners” in the U.S.
- 30% of those who said they suffered an incident in the previous 12 months reported it to law enforcement
- 78% reported their Internet connection as a frequent point of attack (up from 70% in 2001)
- 75% suffered financial losses due to breaches, 47% could quantify this loss.
- Losses due to computer security breaches totaled (for the 251 respondents reporting a loss) $201,797,340

Computer Crime examples
- In April 2001, Chinese crackers conducted a campaign of web defacements against U.S. Web sites. Reportedly in retaliation for the collision between the Chinese fighter aircraft and U.S. reconnaissance aircraft.
- March 2001, NIPC warned community of extortion attempts by Eastern European computer criminals against e-commerce and e-banking sites.
- Several sites were broken into and customer credit card data stolen (Western Union’s Internet Web site, CD Universe web site…)
- “Love bug” virus reportedly caused estimated $1-$8B in damage.

Anonymity, Aggression, and Computer Crime

Stanley Milgram’s study in which participants were instructed to administer painful shocks to other participants (actually a confederate of Milgram) in increasing amounts every time a mistake was made in a memory test. Study showed:

- Ordinary individuals can be manipulated into egregious acts of violence (even when the confederate faked screams, pleaded, and eventually “passed out”).
- Higher shocks were administered when individuals were placed in a separate room so the person “receiving” the shock was not visible.

Obvious application to cyberspace where computer criminals commit aggressive acts against individuals they do not see.

Social Presence and Computer Crime

Social psychologist Sara Kiesler examined social presence in computer-mediated interactions.

Research suggested that lack of social-context cues in computer interactions affects behavior.

Group members communicating via computers, when compared with face-to-face members, were

- More hostile
- Took longer to reach decisions
- Rated group members less favorably

According to some researchers, the lack of social context cues and physical presence on the Internet leads to aggressive behaviors.

We can probably all think of a “flame” from a person who we would never have expected it from in person.

Deindividuation and Computer Crime

Deindividuation is “a loss of self-awareness that results in irrational, aggressive, antinormative, and antisocial behavior.”

- Traditionally used to describe individuals in large riotous and hostile crowds.
- Psychosocial factors associated with anonymity, arousal, sensory overload, loss of responsibility, and mind-altering substances lead to a weakening of self restraints in individuals.

Many of the variables in deindividuation are associated with computers and the Internet

- Anonymity (especially when using “handles”)
- Web sites/programs can be considered “sensory arousing”
- Internet can be viewed as a large crowd

Ethics and Computer Crime

Some researchers have theorized that computer criminals may have an underdeveloped sense of ethics or moral maturity – this may lead to a belief that many of their activities are justified and ethical.

- All information should be “free”
- Unused CPU cycles and bandwidth would be wasted otherwise
- Blame victim for not securing their system

- Often fail to realize or understand repercussions associated with their actions.
- Lack of social/ethics teaching in computer/network environments

Classification of Computer Criminals

Early Classifications

Nicolas Chantler (Australian Army Intel Analyst)
- “Lamers”, primarily motivated by revenge or theft of services/property
- “Neophytes”, more knowledge, activity centered around increased info/access
- “Elite”, high level of knowledge, intellectual challenge and thrill

Donn Parker (security consultant, formerly from SRI)
- “Pranksters”, characterized by their mischievous nature
- “Hacksters”, motivated by curiosity
- “Malicious hackers”, motivated by need for destruction
- “Personal problem solvers”, commit activities for personal gain
- “Career criminals”, purely for financial reasons
- “Extreme advocates”, strong ties to religious, political, or social movements
- “Malcontents, addicts, and irrational individuals”, suffer from some form of psychological disorder, such as addiction or anti-social disorders

Classification of Computer Criminals

Roger’s New Hacker Taxonomy
- “Newbie/toolkit”, use prewritten scripts and tools
- “Cyber punks”, novice programmers, limited experience
- “Internals”, disgruntled/former workers
- “Coders”, advanced technical knowledge/skill, write exploit code used by others
- “Old guard”, not criminals in traditional sense, have relaxed sense of ethics regarding privacy and intellectual property.
- “Professional Criminals”
- “Cyber terrorists”

Virus Creators

Though often we think of computer penetrations when we refer to computer crime, by far the biggest problem is the viruses we experience. So, why do people create viruses?

- Nonspecific malice, employee revenge, ideological motives, commercial sabotage, Information Warfare
- Dark Avenger, interviewed by Sarah Gordon, suggested that “it is human stupidity, not the computer, that spreads viruses” – victim blaming
- Some seem to be motivated by nothing more than the intellectual challenge of trying to defeat the virus countermeasures that vendors have created.

Sophistication of Attackers

- “Script Kiddies” (85-90%)
- “Hackers” (8-12%)
- “Elite Hackers” (1-2%)

Rising Attack Sophistication

(Chart: timeline 1990, 1992, 1994, 1996, 1998, 2000, 2002; attack techniques plotted against it)
- Social Engineering
- Sniffers/Spoofing
- Hijacking
- Automated Probes/Scanners
- Widespread DoS
- GUI-based tools
- Distributed Attack Tools
- “Stealthy” Scanning
- Windows-based Remote Controlled Trojans (e.g. BO)

Levels of Threats

Unstructured
- Individuals or small, loosely coupled groups
- Short term attacks (weeks to months)
- Little financial resources to back the attack

Structured
- Organized crime, organized “hacking” groups
- More lead time for attacks (months to a year)
- More financial resources (bribing of insider possible)

Highly Structured
- Nation states or terrorist organizations
- Tremendous lead time for attacks (years)
- Ample resources (may attempt to plant insider)

Levels of Safeguards

Alpha
- Designed to address unstructured threat
- Most folks have implemented or at least understand these
- Generally accepted “Best Practices”

Beta
- Designed to address structured threat
- Leading edge security practices or technology
- Beginning to read about these in trade publications
- Will become “tomorrow’s” best practices

Gamma
- Designed to address highly structured threats
- Most folks don’t know about these or understand them
- Will become Beta countermeasures eventually

Information Warfare

Sources of Threats and Attacks
- Nation-states
- Cyberterrorists
- Corporations
- Activists
- Criminals
- Hobbyists

What are the motives of each?
What is the technical capability of each?

Information Warfare

Tools (weapons) of IW
- DOS and DDOS
- Malicious Code
- Cryptography
- Psychological Operations
- Physical Attacks, weapons of Mass Destruction
- Weapons Inadvertently provided (computer system vulnerabilities, protocol attacks)

What are our defenses against each?

Email Flooding

(Diagram)
1. Attacker sends spoofed email with error to 100’s of systems.
2. Systems return email to the system that appears to have sent the emails.
3. Target system goes down (or inbox becomes full) under load of too many emails.
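The email-flooding slide describes backscatter: the target never sent the mail, but receives hundreds of error replies. Bounce messages are sent with an empty envelope sender, so a burst of empty-sender mail from many different hosts to one mailbox is what a mail administrator can watch for. The detector below is an added example, not part of the lecture; the simplified "key=value" log format, the sample lines and the thresholds are all constructed for it.

```python
"""Bounce-flood (backscatter) detector over constructed mail-log lines.

Bounces/NDRs carry an empty envelope sender ("<>"). A mailbox that receives
many of them from many distinct hosts in a short window looks like the
target of the spoofed-email flood described on the slide. Log format,
field names and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log lines in an assumed "ts from=<> to=<> host=" format.
SAMPLE_LOG = """\
2003-01-25T10:00:01 from=<> to=<victim@example.org> host=mx1.example.com
2003-01-25T10:00:02 from=<> to=<victim@example.org> host=mail.example.net
2003-01-25T10:00:02 from=<alice@example.com> to=<bob@example.org> host=smtp.example.com
2003-01-25T10:00:03 from=<> to=<victim@example.org> host=relay.example.edu
2003-01-25T10:00:04 from=<> to=<victim@example.org> host=mx.example.co.uk
2003-01-25T10:00:05 from=<> to=<victim@example.org> host=mail.example.info
2003-01-25T10:00:06 from=<> to=<victim@example.org> host=mx2.example.com
2003-01-25T10:30:00 from=<> to=<carol@example.org> host=mx1.example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)> host=(?P<host>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, sender, recipient, host); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["sender"], m["rcpt"], m["host"])


def find_bounce_floods(text, window=timedelta(seconds=60), min_bounces=5, min_hosts=4):
    """Return {recipient: (bounce_count, distinct_hosts)} for every mailbox that
    received at least `min_bounces` empty-sender messages from at least
    `min_hosts` distinct hosts within some sliding interval of length `window`.
    The reported pair is the largest window seen for that recipient."""
    by_rcpt = defaultdict(list)
    for ts, sender, rcpt, host in parse_log(text):
        if sender == "":  # empty envelope sender => bounce / delivery error
            by_rcpt[rcpt].append((ts, host))

    alerts = {}
    for rcpt, events in by_rcpt.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            cur = events[start:end + 1]
            hosts = {h for _, h in cur}
            if len(cur) >= min_bounces and len(hosts) >= min_hosts:
                alerts[rcpt] = max(alerts.get(rcpt, (0, 0)), (len(cur), len(hosts)))
    return alerts


if __name__ == "__main__":
    for rcpt, (n, hosts) in find_bounce_floods(SAMPLE_LOG).items():
        print(f"possible bounce flood against {rcpt}: {n} bounces from {hosts} hosts within 60s")
```

The host-count condition matters: a single misconfigured remote server looping on one message produces many bounces from one host, which is a different problem from the many-hosts pattern the slide shows.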

SYN Flooding

ICMP Flooding

(Diagram)
1. Attacker sends a Ping broadcast request.
2. The broadcast request becomes multiple Ping requests, one to every host on the network.
3. Multiple Ping replies are returned.
4. System or network becomes overloaded.
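The ICMP-flooding diagram shows a broadcast ping turning into many replies. As an added example (not from the lecture), the script below looks for the two sides of that pattern in packet metadata: echo requests aimed at a local directed-broadcast address (your network is the amplifier), and one host receiving echo replies from many sources it never pinged (that host is the target). It assumes the usual form of the attack in which the broadcast ping carries the target's address as its source; the packet tuples, addresses (RFC 5737 documentation ranges) and thresholds are constructed.

```python
"""ICMP broadcast-amplification indicators over constructed packet summaries.

Two defender-side checks derived from the ICMP flooding diagram:
  1. echo requests addressed to a local directed-broadcast address
     (amplifier side);
  2. echo replies arriving at one host from many distinct sources with no
     matching outbound echo request from that host (target side).
Packets, prefixes and thresholds are constructed for this example.
"""
from collections import defaultdict
import ipaddress

# Our LAN (constructed; documentation prefix).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed packet summaries: (timestamp_s, src, dst, icmp_type).
# ICMP type 8 = echo request, type 0 = echo reply.
PACKETS = [
    # echo requests to our broadcast address; the source shown is the
    # (assumed spoofed) target address 203.0.113.5
    (1.0, "203.0.113.5", "192.0.2.255", 8),
    (1.1, "203.0.113.5", "192.0.2.255", 8),
    # every host on our LAN answers that source
    (1.2, "192.0.2.10", "203.0.113.5", 0),
    (1.2, "192.0.2.11", "203.0.113.5", 0),
    (1.2, "192.0.2.12", "203.0.113.5", 0),
    (1.3, "192.0.2.13", "203.0.113.5", 0),
    (1.3, "192.0.2.14", "203.0.113.5", 0),
    # benign: a host pings one peer and gets a single reply back
    (2.0, "192.0.2.20", "198.51.100.9", 8),
    (2.1, "198.51.100.9", "192.0.2.20", 0),
]


def broadcast_echo_requests(packets, net=LOCAL_NET):
    """Source addresses seen sending echo requests to the network's
    directed-broadcast address (sorted list, deduplicated)."""
    return sorted({src for _, src, dst, t in packets
                   if t == 8 and ipaddress.ip_address(dst) == net.broadcast_address})


def unsolicited_reply_targets(packets, min_sources=4):
    """Map each destination that received echo replies from at least
    `min_sources` distinct hosts it never sent an echo request to, onto
    that number of distinct sources."""
    requested = defaultdict(set)   # requester -> hosts it sent echo requests to
    for _, src, dst, t in packets:
        if t == 8:
            requested[src].add(dst)

    reply_sources = defaultdict(set)  # reply destination -> unsolicited reply sources
    for _, src, dst, t in packets:
        if t == 0 and src not in requested[dst]:
            reply_sources[dst].add(src)

    return {dst: len(srcs) for dst, srcs in reply_sources.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    print("echo requests to our broadcast address from:", broadcast_echo_requests(PACKETS))
    print("hosts receiving unsolicited replies:", unsolicited_reply_targets(PACKETS))
```

The request-to-broadcast check is the one a site can act on directly: if it fires, the local network is being used to amplify traffic toward someone else, which is exactly what disabling directed broadcasts at the router prevents.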

DDoS Attack

DOS and DDOS defenses

- Avoidance/elimination versus mitigation
- User and Sysadmin actions – hard to defend against at the host level. You can help keep your system from becoming part of a DDOS network. Keep updated on patches.
- Local Network actions – egress filtering, block incoming packets addressed to broadcast network, consider blocking ICMP. Load balancing at site where possible.
- ISP actions – look for obviously “bad” packets, pay close attention to high profile systems, check source address on packets to see if they match actual source.
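The local-network and ISP actions listed above are all address-based filter rules, so they can be shown as a small policy applied to packets. The code below is an added example, not from the lecture: it encodes egress filtering (only our own source addresses may leave), dropping inbound packets addressed to a local directed-broadcast address, an optional block on inbound ICMP, and the ISP-side source check (a customer link may only carry that customer's source addresses). The prefixes, link names and packets are constructed for the example.

```python
"""Address-based DoS/DDoS filter rules from the defenses list, as an example.

  * egress filtering: outbound packets must carry one of our own source
    addresses, so a compromised host here cannot send spoofed floods;
  * ingress: drop packets addressed to a local network's broadcast
    address (directed broadcast), the amplifier used in ICMP flooding;
  * optionally drop inbound ICMP altogether;
  * ISP edge: a packet arriving on a customer link must have a source
    address inside that customer's allocation.
Prefixes, link names and packets are constructed for this example.
"""
import ipaddress

SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]                 # our allocation
CUSTOMERS = {"cust-a": [ipaddress.ip_network("198.51.100.0/24")]}       # ISP's view (assumed)


def _in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def egress_allowed(src, site=SITE_PREFIXES):
    """Outbound packet may leave only if its source is one of our addresses."""
    return _in_any(src, site)


def ingress_allowed(dst, proto, site=SITE_PREFIXES, block_icmp=False):
    """Inbound packet is dropped if it targets the directed-broadcast address
    of any local prefix, or (when enabled) if it is ICMP."""
    d = ipaddress.ip_address(dst)
    if any(d == n.broadcast_address for n in site):
        return False
    if block_icmp and proto == "icmp":
        return False
    return True


def isp_source_check(link, src, customers=CUSTOMERS):
    """ISP edge: the source must belong to the customer behind that link."""
    return link in customers and _in_any(src, customers[link])


def apply_rules(packets, block_icmp=True):
    """Decide each constructed (direction, link, src, dst, proto) packet;
    returns (decision, src, dst, proto) tuples in input order."""
    decisions = []
    for direction, link, src, dst, proto in packets:
        if direction == "out":
            ok = egress_allowed(src)
        elif direction == "in":
            ok = ingress_allowed(dst, proto, block_icmp=block_icmp)
        else:  # "isp": observed at the provider's customer-facing edge
            ok = isp_source_check(link, src)
        decisions.append(("permit" if ok else "drop", src, dst, proto))
    return decisions


# Constructed traffic sample.
SAMPLE = [
    ("out", "uplink", "192.0.2.10", "203.0.113.9", "tcp"),     # ours -> permit
    ("out", "uplink", "203.0.113.5", "198.51.100.1", "icmp"),  # spoofed source -> drop
    ("in", "uplink", "198.51.100.7", "192.0.2.255", "icmp"),   # directed broadcast -> drop
    ("in", "uplink", "198.51.100.7", "192.0.2.10", "tcp"),     # ordinary inbound -> permit
    ("in", "uplink", "198.51.100.7", "192.0.2.10", "icmp"),    # ICMP blocked by policy -> drop
    ("isp", "cust-a", "198.51.100.20", "192.0.2.10", "udp"),   # inside customer's prefix -> permit
    ("isp", "cust-a", "192.0.2.44", "192.0.2.10", "udp"),      # not the customer's -> drop
]

if __name__ == "__main__":
    for decision, src, dst, proto in apply_rules(SAMPLE):
        print(f"{decision:6} {proto:4} {src} -> {dst}")
```

Egress filtering and the ISP source check are the same idea applied at two places: each one stops spoofed packets as close to their origin as that party can see, which is why the slide puts them under different actors.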

E-commerce vulnerabilities

- Client-side risks – malicious mobile code (e.g. web scripts, ActiveX controls, hostile Java applets), loss of privacy and spyware.
- Network protocol risks – primarily arise from sending confidential information over Internet
- Business Application risks – how safe is the SW you are attached to and doing business with? (e.g. CGI scripts)
- Database security risks – is the DB made available on the Internet?
- Platform security risks – traditional security issues here (default accounts, poor passwords, deactivate unnecessary services, …)

Need email on…
- Your ability to travel during
  - Weekday
  - Weekend (do you have car or can you go but would need transportation)
- Your technical security background
- Your team preferences
  - Internal (may need to travel, technical)
  - External (probably no travel, technical)
  - Policies/Procedures/Training/Social Eng (part of team may travel, non-technical)
- Would you like to (or be willing to) serve as class project leader? (would need to be able to travel)

Email [email protected]

Summary

- The Threat
- Computer Crime Surveys
- Categorizing Hackers
- Common Exploits