CYBER ATTACKS

CYBER ATTACKS

Dorothy E. Denning

Georgetown University

Nature of Cyber Attacks

How bad is it?
Who does it and why?
What do they do?
Why so many attacks?
What about the future?

Incident Trends

Riptech Threat Reports

Reports issued in Jan 02 and July 02 for preceding 6 months
Data obtained from monitoring over 400 companies in over 30 countries
Over 11 billion firewall logs and IDS alerts analyzed in 2^nd report
Over 180,000 cyber attacks investigated in 2^nd report
Events characterized by severity level

informational – scans for vulnerabilities
warning – bypassed firewall, but did not compromise system
critical – required action by Riptech or client to prevent compromise
emergency – security breach occurred

Intent of Attack

Source: Riptech, Inc.

Attack Intensity Jul 01 – Jun 02

Riptech Internet Security Threat Report, July 2002

28% higher in 2nd

6 month period

Attacks by Industry Jan – Jun 02

Riptech Internet Security Threat Report, July 2002

Severe Attacks by Industry Jan – Jun 02

Riptech Internet Security Threat Report, July 2002

Point of Attack

INTERNAL

SYSTEMS

REMOTE

DIAL-IN

INTERNET

CSI/FBI 2001 Computer Crime and Security Survey

Source: Computer Security Institute

2001: 384 Respondents/72%

2000: 443 Respondents/68%

1999: 324 Respondents/62%

1998: 279 Respondents/54%

1997: 391 Respondents/69%

1996: 174 Respondents/40%

Percentage of Respondents

Financial Losses

CSI/FBI 2002 Computer Crime and Security Survey

Of those willing and able to quantify losses:

1997: 249 respondents (59%), $ 100,119,555

1998: 241 respondents (42%), $ 136,822,000

1999: 163 respondents (31%), $ 123,779,000

2000: 273 respondents (42%), $ 265,589,940

2001: 196 respondents (37%), $ 377,828,700

2002: 223 respondents (44%), $ 455,848,000

Source: Computer Security Institute

Actions Taken in Response to Intrusions

CSI/FBI 2001 Computer Crime and Security Survey

Source: Computer Security Institute

2001: 345 Respondents/64%

2000: 407 Respondents/63%

1999: 295 Respondents/57%

1998: 321 Respondents/72%

1997: 317 Respondents/56%

1996: 325 Respondents/76%

Percentage of Respondents

Attacks Against Critical Infrastructures

Swedish hacker jammed 911 in central Florida in 1997
Juvenile hacker penetrated and disabled a telco computer servicing Worcester Airport in March 1997

phone service to FAA control tower, airport fire department, airport security, … cut off for 6 hours

Brisbane hacker used radio transmissions to create raw sewage overflows on Sunshine coast in 2000
Hackers broke into Gazprom’s system controlling gas flows in pipelines in 1999

world’s largest as producer and supplier to Western Europe

Hackers got into California Independent Service Operator (ISO) development network for regional power grid in spring 2001
Numerous denial-of-service attacks against ISPs – some shut down

Attack on Sewage System

Australian man (49) hacked into waste management system of Maroochy Shire, Queensland
Laptop used to access and control the system
Caused raw sewage overflows

millions of litres of sewage spilled into local parks, rivers, and hotel grounds
marine life died, creek turned black, stench unbearable

Made at least 46 attempts in March, April 2000
Attacks response to being rejected for job
Was employed by firm that installed software
Sentenced to 2 years in prison

Potential Attackers

Hackers and script kiddies
Insiders
Criminals
Activists
Terrorists
Governments

Perceived Threats

CSI/FBI 2001 Computer Crime and Security Survey

Source: Computer Security Institute

2001: 484 Respondents/91%

2000: 583 Respondents/90%

1999: 460 Respondents/88%

1998: 428 Respondents/83%

1997: 503 Respondents/89%

Percentage of Respondents

Hacker Quotes

“It’s really just a bunch of really smart kids trying to prove themselves. I know I was.”

– Splurge, sm0ked crew

“It’s power at your fingertips. You can control all these computers from the government, from the military, from large corporations. … That’s power; it’s a power trip.”

– anonymous

“You do get a rush from doing it – definitely.”

“I’m like your nosy neighbor on steroids, basically.”

– Raphael Gray (aka Curador)

[stole and posted 26,000 credit card numbers]

Types of Attack

Confidentiality

host penetrations (user and root)
network sniffers

Integrity

computer viruses, worms, and Trojan horses
Web defacements
domain redirection (DNS hacks)
sabotage of information and systems

Availability

denial and disruption of service

Incident Types

Types of attack or misuse detected in the last 12 months (by percent)

CSI/FBI 2001 Computer Crime and Security Survey

Source: Computer Security Institute

2001: 452 Respondents/85%

2000: 581 Respondents/90%

1999: 405 Respondents/78%

1998: 458 Respondents/89%

1997: 492 Respondents/87%

Percentage of Respondents

Dollar Amount of Losses by Type

CSI/FBI 2001 Computer Crime and Security Survey

Source: Computer Security Institute

2001: 196 Respondents/37%

Confidentiality Breaches Against DoD

Dutch Gulf War hackers

tried to sell stolen documents to Iraq

Rome Labs hackers

UK teens looking for UFOs and cyber trophies

Masters of Downloading

member of an Indian militant terrorist organization tried to buy stolen material from Chameleon and others for $1,000

Solar Sunrise

Iraq? Nope - California teens and Israeli mentor

Moonlight Maze / Storm Cloud

ongoing for over 3 years
Russian hackers – state sponsored?

Russian Extortionists

FBI announced in March 2001 that ongoing computer hacking by organized criminal groups in Russia and the Ukraine had resulted in more than 1 million stolen credit card numbers.

More than 40 U.S. computer systems associated with e-commerce or e-banking firms located in 20 states were attacked.

The Eastern European groups, after successfully hacking into a company, then attempt to extort the company offering services to solve the computer vulnerability.

Maxus Extortion Case

18-year-old Russian hacker
Stole 300,000 credit card numbers in Jan 2000
Numbers taken from CD Universe website
Demanded $300,000 to fix security problem
Offered 25,000 on own website
AntiOnline claimed complex fraud operation

2 Russians Arrested in FBI Sting

FBI lured 2 Russian hackers linked to credit card number theft & extortion to US with job offers in fictitious company
Russians came, used computers to access accounts back home
FBI got account names and passwords with sniffer
FBI downloaded evidence of crimes using technique of extra-territorial seizure
Russia started criminal proceedings against FBI agent
One hacker sentenced to 3 years; other pled guilty

Computer Viruses and Worms

E-mail viruses/worms

macro viruses
executable attachments
embedded scripts in body - BubbleBoy
often spread by e-mailing themselves to everyone in address book

Active worms as autonomous intrusion agents

spread from computer to computer on own by exploiting vulnerability in server software, file sharing

Instant messaging worms
Even hoaxes can be damaging

SULFNBK.EXE Warning – users unwittingly delete important file

Sample Payloads

Magistr - trashes the primary hard drive controller, overwrites CMOS RAM, erases flash memory (BIOS), attaches random file when spreads
VBS_HOMEPAGE.A - randomly opens certain pornographic Web sites using Internet Explorer.
PrettyPark – sends victim’s name, address book, password files to IRC chat channels
DoS.Storm – infects vulnerable servers running MS software and then launches DDoS attack against MS website (Code Red similar, but attacked whitehouse.gov)
INJUSTICE.TXT.VBS – sends pro-Palestinian messages to 25 Israeli organizations
Timofonica – sends SMS (Short Messaging Service) message to random cell phone customer of Movistar SMS gate
911 worm – dials 911 and erases hard drive

Virus Options

“Check in”
Download additional code
Mutate intentionally to foil detectors
Install back doors
Support a command interface

E-Mail Virus Infection Rate

Forecast

1 in 100 in 2004

1 in 10 in 2008

1 in 2 in 2013

3 of 4 in 2015

Source

MessageLabs

www.messagelabs.com

scans e-mail for >500,000 users

Infection Rate per 1,000 Computers

Cost $8.75 billion

Computer Economics

VBSWG – VBS Worm Generator

http://www.virii.s5.com/Engle/Imvm2.htm

Code Red Worm

Worm probes random IP addresses and infects web servers vulnerable to IIS exploit
Defaces English websites hosted on server with message:

Welcome to http://www.worm.com! Hacked by Chinese!

On July 19 over 359,000 hosts infected in 13-hour period

over 2,000 hosts infected per minute at peak
at 5:00 pm, worm attempted DoS attack against 198.137.240.91 (www.whitehouse.gov)
David Moore – www.caida.org/analysis/security/code-red/index.xml

Estimated 975,000 servers infected by end of August with losses of $2.4 billion – Computer Economics
Shut down Japan Airline computer affecting ticketing & check-in, delaying 55 flights and 15,000 passengers 1-2 hours

Spread of Worm

July 19 01:05:00 2001

19 Hours Later

July 19 20:15:00 2001

Code Red Activity

Source: Riptech, Inc.

Nimda worm

Spreads via 4 methods to Windows PCs and servers

e-mails itself as an attachment (every 10 days)

runs once viewed in preview plane

scans for and infects vulnerable Web servers running MS IIS

creates guest account with administrator privileges

copies itself to shared disk drives on networked PCs

file Riched20.dll, text editor for Word etc.

appends JavaScript code to Web pages

surfers pick up worm when they view the page.

'Nimda fix' Trojan disguised as security bulletin

claims to be from SecurityFocus and TrendMicro
comes in file named FIX_NIMDA.exe

TrendMicro calls their free Nimda removal tool FIX_NIMDA.com

Cost of Viruses & Worms

Future Worms

Warhol Worms

infect all vulnerable hosts in 15 minutes – 1 hour
optimized scanning

initial hit list of potentially vulnerable hosts
local subnet scanning
permutation scanning for complete, self-coordinated coverage

see paper by Nicholas Weaver

Flash Worms

infect all vulnerable hosts in 30 seconds
determine complete hit list of servers with relevant service open and include it with the worm
see paper by Stuart Staniford, Gary Grim, Roelof Jonkman, Silicon Defense

Web Defacements

Website Incidents

CSI/FBI 2001 Computer Crime and Security Survey

Source: Computer Security Institute

2001: 78 Respondents/14%

2000: 93 Respondents/14%

1999: 44 Respondents/8%

Percentage of Respondents

1996

Denial & Disruption of Service

E-mail bombing/flooding
Web sit-ins - flooding
Server bombing/flooding

DoS and DDoS attacks

Transaction overload

shopping cart overload
bogus credit card orders

Computer crashes

WinNuke and AIMrape

NY-based site hosted by IGC

Protestors claimed supported ETA

Demanded site be taken down

Protestors e-mail bombed IGC (1997)

and clogged site with bogus credit card orders

IGC gave way to hacktivists and pulled site

Mirrors established, but some taken down

Illustrated power of hacktivists to cause change ...

and power of Internet as a tool for free speech

Shadow Scan

Shadow Hack and Crack

Mail bomber

QFZ 3.0 E-mail Flooding Tool

# times to send 

Distributed by

Chinese hackers

in cyber skirmish

over spy plane

Web Sit-Ins

Objective

Thousands of people visit a site at once, each generating a lot of traffic

Tools

First sit-in was manual – Strano Network
Electronic Disturbance Theatre (EDT) automated

FloodNet software – java applet
go to website to participate

Later software more sophisticated

can download and install on PC
may require active participation
techniques to make more effective

Strano Network

Organized 1-hour Net’Strike on December 21, 1995 against French government Web sites
Protesting French government policies on nuclear and social issues
Announced strike in advance
Participants from around the world pointed their browsers to the sites
Used manual reloads to flood sites with traffic
Some sites allegedly knocked out for period

Denial-of-Service (DOS) Attacks

client

target

client

target

broadcast host

host

LAN

Smurf

ping flood

ICMP storm

ping

WinNuke

syn flood

UDP packet storm

Land

Teardrop

Bonk

spoofs as

target

SSL-enabled server may be worse-off -- even with a crypto accelerator!

master

agent

client

target

Stacheldraht (Barbed Wire)

Distributed Denial-of-Service (DDOS) Attack Tool

combines features of trinoo and Tribe Flood Network (TFN)

encrypted

thousands of compromised systems (buffer overflows)

agent

SYN flood

ping flood

UDP flood

smurf

UDP Flooder 2.00

WinNuke Attack

February 2000 DDoS Assault

Targets: Yahoo, CNN, E-Trade, Amazon, Buy.com, ZDNet, eBay …
Yankee Group estimated losses at $1.2B

market capitalization losses: > $1B
revenue lost in sales & advertising: >$100M
security upgrades: $100M - $200M

Targets downplayed losses

May 2001

DoS Attacks

David Moore, Geoffrey M. Voelker, and Stefan Savage, “Inferring Internet Denial-of-Service Activity,”

http://www.caida.org/outreach/papers/backscatter/usenixsecurity01.pdf

Estimated 4,000 DoS attacks per week! 90% < 1 hour, 2% > 1 day

Transaction Overload

eToys.com tried to buy domain name of EToy.com (conceptual art group) for $500,000
eToys.com filed suit against EToy.com and got injunction prohibiting it from using name
RTMark protestors used DoS scripting tools

Web sit-ins
killertoy.html filled cookies-based shopping carts to brim without buying (>100,000 items/day)

Tried to harm eToys market valuation

stock plunged from $67 in late Nov 99 to $10 in Mar 00

eToys.com dropped suit and reimbursed EToy.com $40,000 in legal fees

Why So Many Attacks?

Systems are complex and vulnerable
More targets and attackers owing to Internet growth
Attackers are organized and communicate

teach each other and novices
exchange tools and information

Attackers developing increasingly powerful tools

exploitation scripts and sophisticated toolkits
build on each other’s work and work of security community

Attacks easy, low risk, hard to trace

investigations difficult; often international

Lack of security awareness, expertise, or priorities

.0025 percent of revenue spent on information security [Forrester]

System Vulnerabilities

Vulnerabilities arise in

products – OS, network services, applications
product configuration and operation – bad defaults, not installing patches
user practices - bad passwords

Product vulnerabilities are increasing

systems are complex

Most attacks exploit known vulnerabilities – maybe 99% of attacks
Same types of vulnerabilities occur over and over again
Many vulnerabilities give attacker “root” access
Disclosure is big issue

Internet Auditing Project

Scanned Internet (36 M hosts)
3 week period in Dec 98
Used Bulk Auditing Security Scanner (BASS)

can download source code from www.securityfocus.com

Scanned for 18 known Unix vulnerabilities
Ran scan from 8 Unix boxes in Brazil (2), Israel, Japan, Mexico, and Russia (2)
Found 450,000 vulnerable hosts (1.25%)
Scanners used SSH to communicate securely
Scanners experienced some attack-backs

one 18-hr. DOS attack against one of the Russian machines

switched to backup

Vulnerability Trends

OS Vulnerabilities
1997 – early 2001 [Securityfocus.com]

Software Complexity

SANS/FBI Top 20 List 2002 – www.sans.org

Weak Passwords

Survey of 1,200 CentralNic employees found

1/2 used passwords with family connections
1/3 used passwords based on celebrities, fictional characters or sports teams
1/10 used self-laudatory, fantasist passwords

“password” was the most common password in DoD

Times digitally edited out

names of participants

Cryptome found that names

could be read by freezing the

page just before full loading

(on slow computer)

Vulnerabilities

can be subtle

Vulnerability Disclosure

Full disclosure

publish all information about vulnerability, including exploit tools

Benefits

bad guys will figure it out; good guys need to know for defense
vendors won’t pay attention unless pressured by disclosure

Drawbacks

disclosure, especially of exploit tools, leads to increase in exploits
makes it easier for hackers to develop more sophisticated tools

Initiatives to develop responsible standards for handling vulnerabilities

IETF draft Responsible Disclosure Process
Organization for Internet Safety (OIS) – major companies

“Windows of Vulnerability: A Case Study Analysis,”

William A. Arbaugh, William L. Fithen, and John McHugh,

IEEE Computer, vol. 33, no. 12, December 2000.

Intuitive but wrong

Vulnerability/Exploit Life Cycle

Attack Tools – More Powerful and Easy to Use

Challenges and Trends

Growing number of attacks
Growing number of attackers
Faster attacks and propagation over network
Growing complexity of products and networks
Growing number of vulnerabilities

insider vulnerabilities cannot be eliminated

Growing use of information technology and IP networks
Pervasive, grounded, and mobile computing
Growing power and sophistication of attacks and tools
Impossible to prevent all attacks

Safeguards

pre-set secret codes

encrypted data

limits on # changes at once

Hope for The Future

Increased security awareness
Increased priority
Growing number of information security experts
Growing security industry, with new and better products and services
Growing number of public and private sector security initiatives, including joint public/private initiatives
Attention from Congress and the Administration, backed by $$$ for research and education/training

President's proposed FY-03 budget includes 64% increase for network security

New laws to facilitate investigations
International cooperation to fight cyber crime

Security Priority in Federal Govt

Federal CIOs say protecting Internet infrastructure takes priority over e-government after September 11
Infosec needed to protect against terrorism and to enable e-government
Security Priorities

securing the Internet against terrorist acts.
integrating "appropriate data" to better fight terrorism.
ensuring Internet content does not aid terrorists.
ensuring a "robust" infrastructure with particular emphasis on telecommunications.

Security Priority in Microsoft

Bill Gates memo on 1/15/02 stating security as a priority:

“Trustworthy Computing is the highest priority for all the work we are doing.”
“We must lead the industry to a whole new level of Trustworthiness in computing.”
“So now, when we face a choice between adding features and resolving security issues, we need to choose security.”
“Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.”

Microsoft announced on Feb 1 a month-long moratorium on new coding as part of its Trustworthy Computing Initiative

Contact Information

Dorothy E. Denning

Computer Science Department

Reiss 238

Georgetown University

Washington DC 20057

Ph: 202-687-5703, Fax: 202-687-1835

denning@cs.georgetown.edu

http://www.cs.georgetown.edu/~denning