
3-1/66 Copyright © 2006 M. E. Kabay. All rights reserved. 09:05-10:25

INFORMATION WARFARE

Part 3: Cases & Scenarios

Advanced Course in Engineering 2006 Cyber Security Boot Camp
Air Force Research Laboratory Information Directorate, Rome, NY

M. E. Kabay, PhD, CISSP-ISSMP
Assoc. Prof. Information Assurance
Program Direction, MSIA & BSIA
Division of Business & Management, Norwich University
Northfield, Vermont
mailto:[email protected] V: 802.479.7937


Topics

08:00-08:15 Introductions & Overview
08:15-09:00 Fundamental Concepts
09:05-10:25 INFOWAR Theory
10:35-11:55 Case Histories & Scenarios


Examples of INFOSEC Breaches and Failures

Electronic infrastructure growing in importance

Must expand conception of warfare in the age of ubiquitous computing

Cases intended to stimulate your imagination

Spans last decade of developments to provide wide range of examples

VERY FAST OVERVIEW (66 slides in <90 minutes)


Cases

Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud
Psyops
Denial of Service (DoS)


Data Losses on BU Tapes

2005.02 Citibank loses mag tape in Japan w/ data on 120,000 customers

2005.05 Iron Mountain loses tapes in 4th incident in 4 months – 600,000 employee records

2005.02 Citibank loses box of tapes w/ data on 4M US customers

2006.05 Wells Fargo loses computer w/ unadmitted # of customer records including SSNs


Laptop Losses Compromise Customer Data

2006.01-03 Ernst & Young debacle
  Jan: laptop lost or stolen w/ data for Sun, Cisco, HP & BP (38,000) employees
  Jan: a different laptop stolen from employee's car:
    IBM employee data
    Admitted loss in March
  Feb: 4 laptops left in conference room
    Stolen by 2 intruders
    No details
All computers "password protected" so OK (!)


Cases

Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)


Industrial Espionage: Echelon

EU Parliament attacks Echelon (2000.07)
  Formed temporary committee to investigate spy network
  Suspicions that Echelon used to intercept conversations of European businesses
  Information might be given to competitors from Echelon operators
    US, Canada, Australia, New Zealand
In 2001.05, report recommended more use of encryption to defeat Echelon


Industrial Espionage in Israel

Israeli Trojan Horse Keylogger
2005.05 Suspicions raised by keylogger software on PCs
  Author found his MS on 'Net
  Someone tried to steal money from his bank
  Created by Michael Haephrati – ex-son-in-law
  Many companies found infected by same program – sent data to server in London
2006.03 Perpetrators sent to jail
  Michael Haephrati: 4 years
  Ruth Brier-Haephrati: 2 years


Cases

Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)


Penetration: Mitnick

Sept 96 — AP
Kevin Mitnick indicted in Los Angeles
25 count indictment
  stealing software
  damaging computers at University of Southern California
  using passwords without authorization
  using stolen cellular phone codes

Readings about the Mitnick case

Goodell, J. (1996). The Cyberthief and the Samurai: The True Story of Kevin Mitnick—and the Man Who Hunted Him Down. Dell (New York). ISBN 0-440-22205-2. xix + 328.

Hafner, K. & J. Markoff (1991). Cyberpunk: Outlaws and Hackers on the Computer Frontier. Touchstone Books, Simon & Schuster (New York). ISBN 0-671-77879-X. 368. Index.

Littman, J. (1996). The Fugitive Game: Online with Kevin Mitnick—The Inside Story of the Great Cyberchase. Little, Brown and Company (Boston). ISBN 0-316-5258-7. x + 383.

Shimomura, T. & J. Markoff (1996). Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw—by the Man Who Did It. Hyperion (New York). ISBN 0-7868-6210-6. xii + 324. Index.


Penetration: DISA Report

1997.03 — EDUPAGE
InfoWar Division of Defense Information Systems Agency of US
Retested 15,000 Pentagon computers
  had warned system managers of vulnerabilities in previous audit
90% of systems were still vulnerable
Recommended emphasizing response (immediate shutdown) instead of focusing solely on preventing penetrations


Penetration: Citibank Hack

1998.02 (events started 1994.07)
Vladimir Levin of St Petersburg hacked Citibank computers
Conspirator Alexei Lachmanov transferred US$2.8M to five Tel Aviv banks
Admitted to attempting to withdraw US$940,000 from those accounts
Three other members of the gang pleaded guilty
Levin extradited 1997.09


Citibank -- Conclusion

1998.02 -- Levin sentenced to 3 years, fined
Vladimir Levin convicted by NYC court
Transferred $12M in assets from Citibank
Crime spotted after first $400K theft
Citibank cooperated with FBI
MORAL: report computer crime & help prosecute the criminals


Penetration: 2005

2005.01: Nicolas Lee Jacobsen, 21, charged with breaking into T-Mobile computers for more than 1 year
  Access to 16.3M customer files
  Obtain voicemail PINs, passwords for Web access to e-mail
  Read e-mail of FBI agent investigating his own case
2005.01: Hackers break into George Mason University computers
2005.03: 150 applicants to business schools break into their own records illegally on ApplyYourself Web site


Cases

Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)


Data Diddling: Québec

Tax evasion by computer (1997.12)
Québec, Canada restaurateurs
U.S.-made computer program ("zapper")
Skimmed off up to 30% of the receipts
Evaded Revenue Canada and provincial tax
$M/year


Data Diddling: LA Gas

Los Angeles gasoline-pump fraud -- 1998.10
DA charged 4 men with fraud
Allegedly installed new computer chips in gasoline pumps
  cheated consumers
  overstated amounts 7%-25%
Complaints about buying more gasoline than capacity of fuel tank
Difficult to prove initially
  programmed chips to spot 5 & 10 gallon tests by inspectors
  delivered exactly right amount for them


Data Diddling: BOOM!

Employee tried to sabotage nuclear plant in UK (1999.06)
  Security guard
  Tried to alter sensitive information

New measures put into place 18 months later (2001.09)


Data Diddling: GOOGLE Hacking*

GOOGLE used as political ploy (2004.01)
Pranksters engineer Web sites to alter GOOGLE links and statistics
Linked George W. Bush to bad words
  "unelectable"
  "miserable failure"
Supporters retaliated with similar ploys against Kerry

___________
* Term now used to mean using search engines as part of hacker tool kit


Cases

Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)


Sabotage? IE vs Navigator

Internet Explorer 4.0 vs Netscape Navigator (1997.10)
IE 4.0 included features from Plus! for Windows 95
  anti-aliasing function
  smoothes large fonts on screen
Reportedly did not smooth fonts in Netscape Navigator
Allegedly not found to fail in any other program tested -- but updated Occam's Razor states:

Never attribute to malice what stupidity can adequately explain.


Sabotage? MS-MediaPlayer vs RealAudio

Several reports of software conflicts — 1998.10
Installation of MS-MediaPlayer causes problems with other media players
  MS product takes over file associations
  Prevents usability of RealAudio
  De-installation switches file associations to other MS products
MS denied deliberate attack, accuses other programs of quality problems

[Attila the Hun no doubt accused Europeans of quality problems, too.]


Web Vandalism Classics

CIA (1996.09)
USAF (1996.12)
NASA (1997.03)
AirTran (1997.09)
UNICEF (1998.01)
US Dept Commerce (1998.02)
New York Times (1998.09)
SETI site (1999)
Fort Monmouth (1999)
Senate of the USA (twice) (1999)
DEFCON 1999 (!)


CIA (1996.09)


USAF (1996.12)


NASA (1997.03)


AirTran (1997.09)


UNICEF (1998.01)


US Dept Commerce (1998.02)


New York Times (1998.09)


SETI (1999)


Fort Monmouth (1999)


Senate of the USA (1) (1999)


Senate of the USA (2) (1999.06)


DEFCON (1999.07)


Cases

Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)


Trojan: Moldovan Scam

1997.11 — news wires, EDUPAGE, RISKS
Pornography seekers logged into http://www.sexygirls.com (Nov 96-1997.02)
Special viewer program to decode pictures
Trojan program
  secretly disconnected modem connection
  turned modem sound off
  dialed ISP in Moldavia — long distance
Long-distance charges in $K/victim
Court ordered refund of $M to consumers


Trojan: Back Orifice

cDc (Cult of the Dead Cow) — 1998.07
Back Orifice for analyzing and compromising MS-Windows security
Sir Dystic — hacker with L0PHT
"Main legitimate purposes for BO:"
  remote tech support aid
  employee monitoring
  remote administering [of a Windows network].
"Wink."


Back Orifice — cont'd

Features
  image and data capture from any Windows system on a compromised network
  HTTP server allowing unrestricted I/O to and from workstation
  packet sniffer
  keystroke monitor
  software for easy manipulations of the victims' Internet connections
Trojan allows infection of other applications
Stealth techniques
15,000 copies distributed to IRC users in infected file "nfo.zip"


Trojan: Linux Backdoor

Linux kernel attacked (2003.11)
Hacker tried to enter backdoor code into sys_wait4() function
Would have granted root
Noticed by experienced Linux programmers


Cases

Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinfo
Psyops
Denial of Service (DoS)


Deception: Holiday Inns vs Call Management

1997.01 -- AP
Holiday Inns uses 1-800-HOLIDAY for reservations (note the O)
Call Management uses 1-800-H0LIDAY (note the ZERO)
Holiday Inns sued and lost
Other firms have used phone numbers adjacent to important commercial numbers in order to capture calls from misdialing customers
Old porn site whitehouse.com (now a respectable site) used confusion with whitehouse.gov to trick kids into visiting


Disinfo: Belgian ATC Fraud

1997.01 — Reuters
Belgian lunatic broadcasting false information to pilots
Air-Traffic Control caught the false information in time to prevent tragedy
Serious problem for air safety
Police unable to locate pirate transmitter
Lunatic thought to be former ATC employee


Psyops: Motley Fool

1996.03 -- Iomega high-capacity removable disk drives slammed by false information

America Online's Motley Fool bulletin board
  False information
  Flaming and physical threats
Caused volatility of stock prices
People who know which way the stock will rise or fall can make money on the trades


Psyops: Pairgain

1999.04: Gary Dale Hoke arrested by FBI
  Employee of Pairgain
  Created bogus Web page
    Simulated Bloomberg information service
    Touted PairGain stock
      undervalued – impending takeover
  Pointed to fake page using Yahoo message boards
Investors bid up price of Pairgain stock from $8.50 to $11.12 (130%)
13.7 M shares traded – 700% normal volume


Pairgain – cont’d

Windfall gains & losses by investors
Hoke did not in fact trade any of the stock himself
Pleaded guilty to charges of stock manipulation
Sentenced to home detention, probation, restitution


Psyops: Emulex

2000.98: Emulex lost 60% of total share value
Mark Jakob, 23 years old
Fabricated news release
Sent from community college computer
Circulated by Dow Jones, Bloomberg
Claimed profit warning, SEC investigators, loss of CEO
Jakob profited by $240,000 in minutes


Psyops: 4-1-9 Brides

Prospective Brides Needed Money (2004.11)
Russian Yury Lazarev hired women to write flowery letters to possible partners
Included sexy photographs
3,000 men responded from around world
Attempts to meet met with requests for money
  Visas
  Airline tickets
Net profits: $300,000
One year suspended sentence in Moscow


Cases

Breaches of confidentiality
Industrial Espionage
Unauthorized Access (Penetration)
Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
Deception
Fraud, disinformation
Psyops
Denial of Service (DoS)


History of DoS

1987-12: Christmas-Tree Worm
  IBM internal networks
  Grew explosively
  Self-mailing graphic
  Escaped into BITNET
1988-11: Morris Worm
  Probably launched by mistake
  Demonstration program
  Replicated through Internet
  ~9,000 systems crashed or were deliberately taken off-line


DoS: Mail-Bombing Via Lists 1996.08/12

1996.08 — "Johnny [x]chaotic"
  subscribed dozens of people to hundreds of lists
  victims received up to 20,000 e-mail msg/day
  published rambling, incoherent manifesto
  became known as "UNAMAILER"
1996.12 — UNAMAILER struck again
Root problem
  some list managers automatically subscribe people
  should verify authenticity of request
  send request for confirmation
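The fix named under "Root problem" (send a request for confirmation and subscribe only after a verified reply), sketched as an added example that is not part of the original slides. The ListManager class, its limits, the token format and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret; a real list manager would load it from protected storage.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 48 * 3600    # seconds a confirmation stays valid (assumed policy)
MAX_PENDING_PER_ADDRESS = 3   # cap on confirmation mails sent to one address (assumed policy)


class ListManager:
    """Mailing-list manager that never subscribes on an unauthenticated request."""

    def __init__(self, key=SECRET_KEY):
        self._key = key
        self.subscribers = {}  # list name -> set of confirmed addresses
        self.pending = {}      # address -> count of unconfirmed requests
        self.outbox = []       # (recipient, body) pairs standing in for real mail

    def _sign(self, address, list_name, expires):
        # The MAC binds the token to one address, one list and one expiry time.
        msg = f"{address.lower()}\n{list_name}\n{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, address, list_name, now=None):
        """Queue a confirmation mail; the From: line of a request proves nothing."""
        now = int(time.time() if now is None else now)
        address = address.lower()
        # Without this cap the confirmation mails themselves become the mail bomb.
        if self.pending.get(address, 0) >= MAX_PENDING_PER_ADDRESS:
            return None
        self.pending[address] = self.pending.get(address, 0) + 1
        expires = now + TOKEN_LIFETIME
        token = f"{expires}.{self._sign(address, list_name, expires)}"
        self.outbox.append((address, f"Reply with this token to join {list_name}: {token}"))
        return token

    def confirm(self, address, list_name, token, now=None):
        """Subscribe only if the token was issued for this address and list and is unexpired."""
        now = int(time.time() if now is None else now)
        address = address.lower()
        try:
            expires_text, mac = token.split(".", 1)
            expires = int(expires_text)
        except ValueError:
            return False
        expected = self._sign(address, list_name, expires)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        if now > expires:
            return False
        self.subscribers.setdefault(list_name, set()).add(address)
        self.pending.pop(address, None)
        return True


def demo():
    """Constructed scenario: forged requests for a victim, then one genuine subscriber."""
    mgr = ListManager(key=b"constructed-demo-key")
    for i in range(200):
        mgr.request_subscription("victim@example.org", f"list-{i}", now=1000)
    victim_mail = [m for m in mgr.outbox if m[0] == "victim@example.org"]
    victim_lists = [n for n, s in mgr.subscribers.items() if "victim@example.org" in s]
    token = mgr.request_subscription("alice@example.org", "risks", now=1000)
    joined = mgr.confirm("alice@example.org", "risks", token, now=2000)
    reused_on_other_list = mgr.confirm("alice@example.org", "list-1", token, now=2000)
    return len(victim_mail), victim_lists, joined, reused_on_other_list


if __name__ == "__main__":
    print(demo())
```

The victim in the constructed scenario receives a bounded number of confirmation mails and is never subscribed, while the genuine subscriber joins only the list named in the token.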


DoS: Root Servers

DoS cripples 9 of 13 root servers (2002.10)
Most sophisticated and large-scale assault on root servers to date
Started 16:45 EDT Monday 21 Oct 2002
30-40x normal traffic from South Korea and US origins
7 servers failed completely; 2 intermittently
Remaining 4 servers continued to service 'Net requests – no significant degradation of service

Verisign upgraded protection on its servers as a result


DoS: Al-Jazeera

Al-Jazeera swamped (2003.03)
Arab satellite TV network Web site unavailable
Swamped by bogus traffic aimed at US servers for its site


DoS: GOOGLE & .com Disappear Briefly

GOOGLE disappears from Web (2005.05)
  Gone for 15 minutes 7 May 2005
  Glitch in DNS
  Drew attention to concerns over DNS stability
  National Research Council issued report criticizing state of DNS infrastructure

http://www7.nationalacademies.org/cstb/pub_dns.html

Historical note:

2000.08.23: 4 of 13 root DNS servers failed
All access (http, ftp, smtp) to entire .com domain blocked for 1 hour worldwide


Future INFOWAR Scenarios

Technology for Spies
Cryptography vs Parallel Computing
Archives
Permanence of Human Knowledge
RFID
Down the Road a Bit (or Byte)
Flash Crowds
Smart Appliances?
Direct Neural Interfaces


Technology for Spies

Cell phones becoming PDAs
  Victimized by viruses
  Ideal for spreading malware
  Include cameras and microphones
  Can be remotely controlled
Flash drives make it easy to steal data
  Watch out for sushi on the back of your computer


Cryptography vs Parallel Computing

Some computers being described in Kproc (kilo-processors)

Brute-force cracking catching up with popular keylengths

Have seen PGP users change their keys from 512 bits to 1024 to 2048 in a few years

How are companies managing their keys?


Archives

Technology changing very fast
  1980 8” 128 KB disk unreadable
  1990 5¼” 768 KB disk unreadable
  2000 100 MB ZIP disk obsolete
  2002 2 GB Jaz disk obsolete
  20?? 700MB CD-ROM obsolete
  2??? 4.4 GB DVD obsolete

Changes in OS and application software make old versions unreadable too

What will happen to our archival data?


Permanence of Human Knowledge

How do we stabilize URLs?
How safe are TinyURLs?
Who safeguards availability of important electronic documents?

STILL WORKS AFTER 2 YEARS… and now there are more:


RFID

Radio-Frequency Identifiers
Not only for products
Can be implanted under skin
Being used to track and identify critters
What about people?
Privacy issues?

http://www.bibleetnombres.online.fr/image8/rfid.jpg


Down the Road a Bit (or Byte)

Computer-controlled cars
  Follow guides in roads
  Any bets security will be minimal?
  Hijack a car moving at 70 mph??
Segways
  Extensive computer controls for gyroscopic stabilization
  How long until they are hacked?


Flash Crowds

People respond to anonymous instructions
  Be at specific place at specific time for no particular reason
  News spreads through e-mail, IM

Crowds of thousands gather on command and jam available space for fun

Now think about how such obedience can be used by criminals – or terrorists. . . .


Smart Appliances?

Copyright © 1999 Rich Tenant. All rights reserved.


Direct Neural Interfaces

Direct neural interfaces
  Working on reading brain activity patterns
  Control computers
  Control machinery?
  What about hackers?
Being proposed to control prostheses
  RFI interference?
  Hacking?
  DoS?

http://whatisthematrix.warnerbros.com/img/1-3d.jpg


DISCUSSION
