ABSTRACT:
The objective of this paper is to show the massive impact that hostile action such as electronic terrorism can have on the internet. The paper begins by describing some of the actors in such action and their motives. It then presents, step by step, the evolution from a simple hacking technique to a strategic one, as a sample of how effective and destructive hacking can be. The paper presents a strategic hacking framework that was assembled and exercised by the research team. This framework shows how information can be used to terrorize the network operations of a company. Moreover, the effect may extend to compromising the organization's business outside its cyber borders, and in some cases national security may be compromised. The paper then presents simple scenarios for applying such a framework against organizations of different nature (one governmental, the other commercial), together with the motives that lead someone to attack them, and shows the impact on those organizations. The paper concludes with an overview of the types of countermeasures. Finally, recommendations for enhancing research and development in the field of computer security and for increasing community awareness in the field are presented.
KEYWORDS:
E-terrorism, Commercial, Governmental, Network.
DISCLAIMER:
In the second section we review some definitions of the actors in cyberspace. However, we refer to all attacking actors as intruders or attackers, because of the fuzziness of the subject and the offence the finer labels may cause to some entities.
The scenarios in the paper are entirely imaginary; the events and entities do not refer to anything or anyone in real life. Such imaginary scenarios are necessary to protect the privacy of real entities.
TABLE OF CONTENTS:
1. Introduction.
2. Actors, Networks and Motives.
2.1. Electronic entities/services.
2.2. Motives.
2.2.1. Hacktivism.
2.2.2. Hacker-Nerd Connection.
2.2.3. For knowledge.
2.2.4. Industrial espionage.
2.2.5. E-terrorism.
2.3. Actors.
2.3.1. Hackers.
2.3.2. Crackers.
2.3.3. White hats.
2.3.4. Black hats.
2.3.5. Grey Hats.
2.3.6. Script Kiddies.
2.3.7. Lamers.
2.3.8. Cyber warriors.
3. Methodologies.
3.1. Simple attack.
3.1.1. Simple hack.
3.1.2. Gaining access through exploiting a vulnerable service.
3.1.3. Gaining access through cracking passwords.
3.1.4. Denial of service
3.2. Professional hacking.
3.2.1. Footprinting.
3.2.2. Scanning.
3.2.3. Enumeration.
3.2.4. Gaining access.
3.2.5. Pilfering.
3.2.6. Escalation.
3.2.7. Hiding traces.
3.2.8. Installing backdoors.
3.2.9. Denial of service.
3.2.10. Misinformation.
3.3. Strategic & advanced hacking.
3.3.1. Information Gathering.
3.3.2. Analysis.
3.3.3. Reliability checking
3.3.4. Planning for the attack.
3.3.5. Initiating the attack.
3.3.6. Escalation loop.
3.3.7. Accomplishing the objectives.
3.3.8. Ending the attack.
4. Scenarios and Conclusions.
4.1. Takeover scenario.
4.1.1. Actors, motives, and the targets’ assumed structure.
4.1.2. Attack scenario.
4.1.3. Impact on the organization.
4.2. Denial of Service Scenario.
4.2.1. Actors, motives, and the targets’ assumed structure.
4.2.2. Attack scenario.
4.2.3. Impact on the organization
4.3. Conclusions.
5. Countermeasures and Recommendations.
5.1. Countermeasures.
5.2. Recommendations.
6. References.
1. INTRODUCTION:
The Internet has become one of the largest investments in modern history. Cyberspace serves many aspects of modern life, including e-government, e-commerce and scientific services. The growth rate of the internet is enormous, but unfortunately the internet was not designed to secure such a large interactive network of competing interests. The threats facing internet users, home users as well as organizations, vary in popularity, impact and remedy. No entity on the internet is one hundred percent secure.
Electronic terrorism was debated in past years, but it was not until the crisis of September 11 that huge attention was drawn to the possibility of its existence, its motives and its countermeasures. The purpose of this paper is to discuss the idea of e-terrorism with emphasis on how it takes place, the motives of e-terrorists, the technical milestones in performing such an action, the possible countermeasures, and a theoretical proof of concept of the destructive impact of e-terrorism on the cyber society.
The paper is divided into four main sections. The first section briefly goes through the various services that the internet provides, the actors in internet warfare and their motives. The second section concentrates on intrusion techniques and how simple techniques can grow to cause terror on the internet. The third section is a proof of concept that intruders can terrorize Internet entities; it presents scenarios for terrorizing both governmental and business electronic entities to support the research assumptions. The fourth section is a short one that goes through countermeasures as a preface to the recommendations that follow.
2. ACTORS, NETWORKS, AND MOTIVES:
In this section we review some of the kinds of networks that can be recognized on the internet. After this brief review we explain the different reasons that could motivate an intruder to attack a network. To complete the picture, the last part of this section defines the actors who play roles in these events.
2.1. Electronic Entities/Services.
Many organizations use the internet to extend their services. The internet itself is essentially a communication network, but a researcher can recognize some distinct domains of service networks built upon it. Governmental networks, banking or monetary networks, scientific networks, and other business networks appear to be the most significant. Another important but different kind of network is the social network. All of these networks can be hacked, and all need security measures to reduce the risks they face.
2.2. Motives.
Networks are penetrated for many reasons, and an attacker may have more than one reason to attack a given target. For example, the attacker may want to satisfy his or her ego and talk about an operation in public or private groups to gain the respect or admiration of other internet users. But the target chosen will often be the network of a rival company, or of a company that rejected his or her employment application.
2.2.1. Hacktivism.
Hacktivism can probably best be described as hacking for political reasons. It is obviously a contraction of hack and activism. The theory is that some hacker will use his skills to forward a political agenda, possibly breaking the law in the process, but it will be justified because of the political cause. An example might be a Web-page defacement of some well-selected site with a related message. It might be planting a virus at some company or organization that is viewed as evil. [1] (Ryan, 2000)
2.2.2. Hacker-nerd connection.
This is probably the most widely acknowledged reason for hacking. It seems that a very large number of the hackers out there want some amount of recognition for their work. You can call it a desire for fame, you can call it personal brand building, you can call it trying to be "elite", or even the oft-cited "bragging in a chat room". [2] (Ryan, 2000)
2.2.3. For knowledge.
In a world where a person is recognized by how much he knows, it is not strange that knowledge and the quest for it become very popular. In almost every hacking website or famous hacker lair there is a question in the FAQ section: "will you teach me how to hack?". The usual reply is that the newbie should read, read, and read until he is good enough to ask new questions. One can imagine how huge the number of newbies surfing the net is, trying tools, scripts and exploits in an effort to understand them. Penetrating a system is an attractive thing to do for most technology enthusiasts: it implies good knowledge of the penetrated system, which is an appreciated quality in the information age, at least for some.
2.2.4. Industrial espionage.
"The difference between competitive intelligence and industrial espionage, for example, is significant. By definition, industrial espionage refers to illegal activities - which range everywhere from outright theft to bribery and everywhere in between. Conversely, competitive intelligence collection is governed for the most part by adherence to corporate and professional ethics which preclude the use of illegal means to obtain information." [3] (Nolan, 1996)
2.2.5. E-terrorism
How serious is the danger of Internet-based terrorism? [4] (Fisher, 2002)
Since September 11, terrorism has been headline news, and the computer world has been waiting for e-terrorism. [5] (Winkler, 2001)
"As soon as someone uses the term e-terrorism they begin to lose credibility with me," says Graham Ingram, general manager of the Internet security watchdog AusCERT. "The whole idea of terrorism is to do something that creates terror. You need the physical realization of violence, and there is very little terror inspired by bits and bytes." "You might have a terrorist act which involves violence and death, and somehow interrupt the 000 emergency numbers so that the authorities couldn't respond as effectively," Ingram says.
Kim Valois, security service director at the IT integrator CSC, does not agree with Ingram. Valois said that e-terrorism can include the use of information systems to support terrorism.
"Any disruptions to information systems that are in public use, like banking or transport, any use of such systems to disrupt, undermine or cause damage in some way -- attacks against the power supply or the banking system -- these are all part of e-terrorism," Valois says. "However, some groups are more likely to use the Internet for information dissemination or fundraising activities."
Although the internet can be used by terrorists, the occurrence of e-terrorism is still low, because terrorists usually need to create fear and a visual image of that fear. Mention Oklahoma City and the images of the blown-apart building come to mind. With Pan Am flight 103, the image of the side of a 747 comes to mind. TWA flight 847 created the image of a terrorist in a mask holding a gun to the head of a pilot. Events cited as examples of e-terrorism include the crash of the AT&T telephone network in 1991, the power outage in the Pacific Northwest in 1998, the denial of service attacks of 2000, the Chinese "info war", and the Code Red and Nimda worms of 2001. Consider what the following mean to you personally: Code Red and anthrax. Clearly, anthrax creates a whole different level of fear. Traditional terrorists appreciate the Internet and the resources it offers; it provides a ready way to exchange information, so the traditional terrorist will not destroy the internet. The one exception is computer attack against companies supporting military operations.
But there is another threat, from non-traditional terrorists: groups who want to damage technology or harm companies for specific reasons. For example, if someone could take down the McDonald's shipping computers involved in getting stock to McDonald's restaurants, they could damage its revenue. Any company with an international presence is a possible target for one obscure reason or another. General Marsh, the head of the now disbanded President's Commission on Critical Infrastructure Protection, declared that "banks lose billions of dollars a year to electronic thefts. Statistics about computer crimes continue to climb". [6] (Winkler, 2001)
All this makes clear the danger of the new terrorism, "e-terrorism", which many government officials and terrorism experts consider a serious threat to national security, with the potential for causing mass confusion and loss of life. The Bush administration confirmed that it would spend $10 million to launch a newly intensified war against cyber-terrorism. "Cyberspace," said one Bush administration official, "is our next battlefield. And the president has concurred that we need to be better prepared for it." President Bush will appoint Richard Clarke, the longtime coordinator of security, infrastructure protection and counter-terrorism for the National Security Council, to the position of special advisor to the president for cyberspace security. Retired U.S. Army Gen. Wayne Downing will be appointed deputy national security advisor and "national director for combating terrorism," administration officials said. [7] (Thomas, 2001)
2.3. Actors.
In this section we go through the different actors in information warfare in cyberspace. Different opinions are discussed here, and some clearly oppose each other, especially when it comes to hackers and crackers, as the following review shows.
2.3.1. Hackers.
The term hacker means a clever programmer, someone who knows a lot about programmable systems and how to increase their capabilities. (In its oldest sense, the jargon file notes, a hacker was someone who makes furniture with an axe.) In the New Hacker's Dictionary, also referred to as "the hacker's jargon", Eric Raymond (compiler and maintainer of the jargon file) lists some of the hacker's characteristics. The first is that hackers enjoy learning the details of programming languages and programmable systems. The second is that they really enjoy programming; in other words, programming is a hobby rather than a job to perform or a theoretical issue to talk about. The hacker's ability to pick up programming quickly is another characteristic. Another is that they are experts in a particular language or system, as in Unix hacker or C++ hacker. One of their most important characteristics could not be described better than in Raymond's own words: a hacker is "One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations" [8] (Raymond, 2000). Finally, they appreciate other hackers' hacks. [9] (Raymond, 2000)
2.3.2. Crackers.
The cracker is the one who penetrates systems and performs malicious actions such as destroying data, denying the service of some sites, or stealing data. Raymond says that crackers often call themselves hackers, but their involvement in vandalism is what differentiates them from hackers. [10] (Raymond, 2000) Moreover, a cracker could turn into a hacker in a later phase of his or her cyber life: after outgrowing the desire to crack and penetrate systems, crackers understand the real meaning of hacking and stick to the hackers' ethics. [11] (Raymond, 2000)
2.3.3. White hats.
As described by "whatis.com", white hats are hackers who search for vulnerable systems and report the vulnerabilities to the owners of those systems. They do not pose a threat to the internet society; on the contrary, they provide a very valuable service to the internet, as they help keep systems one step ahead of malicious hackers or crackers, as discussed earlier. [12] (searchsecurity.com, 2001)
2.3.4. Black hats.
A black hat is a cracker who penetrates systems for his or her own benefit. He or she takes advantage of the revealed data by trading it, or tells other black hats about the vulnerable system rather than telling the responsible organization itself. [13] (searchsecurity.com, 2001)
2.3.5. Grey hats.
The grey hat is a mix between black and white hats. He or she has no malicious intentions, but when grey hats find out about vulnerable systems they alert the hacker community as well as the organizations involved. This could lead other crackers to penetrate the system and sabotage it. [14] (searchsecurity.com, 2001)
2.3.6. Script kiddies.
Script kiddies got their name from their reputation for gathering malicious software "scripts" and attacking networks with them. They lack knowledge and they are destructive. As noted in whatis.com, hackers hold script kiddies in contempt because they add nothing to the art of hacking; instead, they draw media attacks onto the hackers' communities.
2.3.7. Lamers.
According to the jargon file, a lamer is an annoying beginner who is behind in his cracked software (as in the warez d00dz sense of lamer) or in his knowledge (as in the crackers' sense). It also means one who scams code from other crackers rather than understanding the concepts and writing his own. [15] (Raymond, 2000)
2.3.8. Cyber warriors.
“The final role that hackers may play, and the most disturbing, is that of “cyber warriors.” Yes, it sounds a bit like a video game. Unfortunately, in the not too distant future, and perhaps in the present, this may be more than science fiction. There have been too many rumors and news stories about governments building up teams of cyber warriors for this to be just fiction. Naturally, the press has locked onto this idea, because it doesn’t get any more enticing than this. Naturally, the public has no real details yet about what these special troops are.”
Nearly all types of infrastructure, power, water, money, everything, are being automated and made remotely manageable. This does tend to open up the possibilities for more remote damage to be done. One of the interesting questions surrounding this issue is how governments will build cyber warriors. Will they recruit from the hacker ranks, or will they develop their own from regular troops? Can individuals with special skills expect to be drafted during wartime? Will hackers start to get military duty offered as a plea bargain? Also, will the military be able to keep its secrets if its ranks swell with hackers who are used to the free flow of information? [16] (Ryan, 2000)
Actors in the "cyberwarz" are not limited to those mentioned above. In fact there are many others, distinct from or overlapping with the categories described. Certain actors may also claim to belong to another category, for example crackers calling themselves hackers. A very important note in this context is that a person could pass through many of these states as stages in his or her evolution into a hacker. Elf Qrin [17] (Cappello, 2000) discusses this issue more deeply, clarifying the shifts between stages.
3. METHODOLOGIES.
In this section we explore the three main levels of attacking a network. Each level contains different classes of attacks and information gathering techniques. The more sophisticated the attacker's level or methodology, the more likely the attack is to be successful, clean and anonymous. The three methodologies are: a- simple attacks, b- professional hacking, c- strategic hacking. As we will see, the attacks get more sophisticated as we go on, and each more sophisticated attack includes the techniques and methodologies of the less sophisticated ones.
3.1.Simple Attack.
We now describe the elements of simple attacks, which can hardly be called a methodology because they are so simple. However, it is essential to understand them as an independent technique because of their popularity. Script kiddies, who are the least sophisticated and most widespread attackers, use simple techniques to crack into systems; as discussed earlier, these techniques are designed and coded by black or grey hats.
Figure 3.1.1: Simple hacking. (An intruder targets a host either through a vulnerable service, by exploit; through a login service, by brute force; or by denial of service.)
3.1.1. Simple hack.
A typical script kiddie takes a random live IP address and runs whatever scripts he has against it. The scripts will mostly do one of two things: 1- try to DoS the system, or 2- try to gain access to it.
3.1.2. Gaining access through exploiting a vulnerable service.
Any given program has bugs, and these bugs can open security holes in the system. While some exploits are just sitting there waiting to be discovered, others need a lot of hard work to make them work. Buffer overflow exploits are a good example of well-engineered exploits. Either way, script kiddies do not design or code the scripts or programs that deliver the payload; they just use them. A stack-based buffer overflow depends on the idea called smashing the stack. When a binary receives input it saves it in a buffer in memory; for a local variable, that buffer lives on the stack next to the saved return address of the function. Some functions, such as "strcpy", never check the size of the input against the size of the buffer. An oversized input therefore overflows the buffer and overwrites the return address, and the binary crashes. If the input is well engineered it can instead replace the return address with a value of the intruder's choosing, so that when the function returns, execution jumps to attacker-supplied code (or to existing privileged code) running with the privileges of the vulnerable program. This way an intruder can get access to the remote server. [18] (Ryan, 2000)
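The following C listing is an added example, not code from the original paper or from Ryan (2000). It places the unchecked strcpy the text describes beside a bounded copy that rejects oversized input, and builds the shape of input an exploit would send: filler up to the saved return address, then an attacker-chosen address. The 16-byte buffer, the 24-byte offset and the address 0x41414141 are assumptions for illustration; a real exploit measures the offset against the actual binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the stack buffer, an assumption for the example */

/* Vulnerable form: strcpy copies until it finds a NUL and never checks that
 * src fits in the 16-byte stack buffer. Input longer than 15 bytes runs past
 * 'name' into the saved frame pointer and return address stored above it.
 * Calling this with oversized input is undefined behaviour, so the example
 * only ever calls it with a short string. */
int greet_vulnerable(const char *src)
{
    char name[NAME_LEN];
    strcpy(name, src);                      /* no length check */
    return (int)strlen(name);
}

/* Hardened form: measure first, refuse anything that does not fit including
 * the terminating NUL, and never truncate silently. */
int greet_bounded(const char *src)
{
    char name[NAME_LEN];
    size_t n = strlen(src);
    if (n >= sizeof name)
        return -1;                          /* would overflow: reject */
    memcpy(name, src, n + 1);
    return (int)n;
}

/* Shape of the input an exploit sends: filler up to the saved return address,
 * then the attacker-chosen address in the target's byte order. The offset and
 * the address are assumptions; a real exploit measures them against the binary. */
static unsigned char payload[64];

size_t build_overflow_payload(size_t offset_to_ret, uint32_t fake_ret)
{
    size_t total = offset_to_ret + sizeof fake_ret;
    if (total > sizeof payload)
        return 0;                           /* does not fit the payload buffer */
    memset(payload, 'A', offset_to_ret);
    memcpy(payload + offset_to_ret, &fake_ret, sizeof fake_ret);  /* host order, little-endian on x86 */
    return total;
}

int main(void)
{
    const char *over = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes, would overflow 'name' */
    printf("bounded, short input : %d\n", greet_bounded("alice"));
    printf("bounded, long input  : %d\n", greet_bounded(over));
    printf("payload length       : %zu\n", build_overflow_payload(24, 0x41414141u));
    return 0;
}
```

The bounded version fixes the bug at the source; stack canaries, non-executable stacks and address randomization, which modern compilers and operating systems add, only make the overwrite harder to turn into code execution and do not remove the overflow itself.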
3.1.3. Gaining access through cracking passwords.
Another popular way to gain access to a service is by cracking its password. Password attacks can be performed at three levels: 1- simple password guessing, 2- dictionary attacks, 3- brute force.
There is no significant difference in the technique itself; the difference lies in which passwords are tried against the targeted host. At the first level an intruder simply tries some passwords that he thinks might be right, such as the user name itself or user-name123. At the second level he uses a file called a dictionary file; sometimes this file contains far fewer words and is called a word file. The script tries every word in the file as a password, and more advanced scripts also append common strings such as "123" to each word. The third level is brute force, in which the script tries every possible combination of characters as the password string.
There are cases where password discovery lies somewhere between trial-and-error cracking and exploiting an implementation bug. For example, the Windows 98 share-password check compared only as many bytes as the client supplied, so the password could be guessed one character at a time, which drastically reduces the time needed to brute-force it.
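The three levels of password attack described above, as an added example in C that is not part of the original paper. A toy hash (djb2) stands in for the target's credential check, which is an assumption for the example; the word list and the "alice" account are constructed. Each level reports how many guesses it needed, which is the cost the attacker trades against the chance of a hit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the target's password verification (djb2 hash). This is an
 * assumption for the example; a real service uses a salted, slow hash, which
 * changes only the cost per guess, not the attack logic. */
uint32_t toy_hash(const char *s)
{
    uint32_t h = 5381;
    for (; *s; s++)
        h = h * 33 + (unsigned char)*s;
    return h;
}

static char found[64];      /* the candidate that matched, returned to the caller */
unsigned long attempts;     /* guesses made by the most recent attack */

static const char *check(const char *cand, uint32_t target)
{
    attempts++;
    if (toy_hash(cand) != target)
        return NULL;
    snprintf(found, sizeof found, "%s", cand);
    return found;
}

/* Level 1: simple guessing derived from the user name (user, user123, ...). */
const char *guess_from_username(const char *user, uint32_t target)
{
    static const char *const suffixes[] = { "", "123", "1", "!" };
    char cand[64];
    attempts = 0;
    for (size_t i = 0; i < sizeof suffixes / sizeof *suffixes; i++) {
        snprintf(cand, sizeof cand, "%s%s", user, suffixes[i]);
        if (check(cand, target))
            return found;
    }
    return NULL;
}

/* Constructed word list standing in for a dictionary file. */
const char *const WORDLIST[] = { "password", "letmein", "summer" };
const size_t WORDLIST_LEN = sizeof WORDLIST / sizeof *WORDLIST;

/* Level 2: dictionary attack with the mangling rules the text mentions:
 * word as-is, word+"123", capitalised, capitalised+"123". */
const char *dictionary_attack(const char *const *words, size_t nwords, uint32_t target)
{
    char cand[64];
    attempts = 0;
    for (size_t w = 0; w < nwords; w++) {
        for (int rule = 0; rule < 4; rule++) {
            snprintf(cand, sizeof cand, "%s%s", words[w], (rule & 1) ? "123" : "");
            if ((rule & 2) && cand[0] >= 'a' && cand[0] <= 'z')
                cand[0] -= 'a' - 'A';
            if (check(cand, target))
                return found;
        }
    }
    return NULL;
}

/* Level 3: brute force, every string over 'alphabet' up to maxlen characters,
 * shortest first, advancing the positions like an odometer. */
const char *brute_force(const char *alphabet, size_t maxlen, uint32_t target)
{
    size_t alen = strlen(alphabet);
    size_t idx[32];
    char cand[33];
    attempts = 0;
    if (alen == 0 || maxlen > 32)
        return NULL;
    for (size_t len = 1; len <= maxlen; len++) {
        memset(idx, 0, sizeof idx);
        for (;;) {
            for (size_t i = 0; i < len; i++)
                cand[i] = alphabet[idx[i]];
            cand[len] = '\0';
            if (check(cand, target))
                return found;
            int exhausted = 1;
            for (size_t p = len; p-- > 0; ) {
                if (++idx[p] < alen) { exhausted = 0; break; }
                idx[p] = 0;     /* wrapped: carry into the position to the left */
            }
            if (exhausted)
                break;          /* every string of this length has been tried */
        }
    }
    return NULL;
}

int main(void)
{
    const char *r;
    r = guess_from_username("alice", toy_hash("alice123"));
    printf("level 1: %s after %lu guesses\n", r ? r : "(none)", attempts);
    r = dictionary_attack(WORDLIST, WORDLIST_LEN, toy_hash("Summer123"));
    printf("level 2: %s after %lu guesses\n", r ? r : "(none)", attempts);
    r = brute_force("abc", 3, toy_hash("cab"));
    printf("level 3: %s after %lu guesses\n", r ? r : "(none)", attempts);
    return 0;
}
```

Run against a network login service instead of a local hash, the same three loops are what the scripts in the text do; the guess counter is also why account lockout and rate limiting, which cap the number of attempts, defeat levels two and three even when the password itself is weak.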
3.1.4. Denial of service
Denial of service (DoS) is considered relatively easier to perform than other types of attack. All the attacker does is stop the service of some organization. This can be done by stopping or hanging the server that provides it, by stopping or hanging the service itself, or by cutting the road to the service by tampering with the network path to it. The most significant common properties of DoS are: 1- its destructive nature, 2- its relative ease, 3- the high degree of anonymity it affords the attacker.
Denial of service may not be the most malicious act in many cases; how malicious an attack is depends on the targeted organization.
3.2. Professional Hacking.
Hacking can be done in a professional manner if the intruder follows a framework that makes the attack much more effective. "Hacking Exposed" illustrates the anatomy of a hack in a way that helped us a lot in writing this paper. However, due to the nature of our work we face situations that differ slightly from that anatomy. Next we describe the Hacking Exposed anatomy, not exactly as described in the book but with these slightly different properties.
The anatomy of a hack consists of ten processes: a- footprinting, b- scanning, c- enumeration, d- gaining access, e- escalating privileges, f- pilfering, g- covering tracks, h- creating backdoors [19] (McClure, 1999), i- denial of service, and j- misinformation [20] (Ryan, 2000).
Figure 3.2.1: Professional hacking. (Footprinting, scanning, enumeration, gaining access, pilfering, escalating privileges, covering tracks, creating backdoors, denial of service, misinformation.)
3.2.1. Footprinting.
Footprinting is the initial wide-scale information gathering phase. In this phase the intruder gathers all possible information about the targeted network. Gathered information includes network addresses; manuals, attendance sheets and maybe even passwords from the company dumpster; hidden comments in the HTML source of the company's website; network routes to the company's assets; stock and market details; and details of mergers and administration changes.
3.2.2. Scanning.
Scanning (step b) probes all the target network's resources in order to identify live machines, their operating systems and the services running on them.
3.2.3. Enumeration.
Enumeration tries to gather more information about every service: for example, the users and groups of the service, its version, and possible passwords.
3.2.4. Gaining access.
Gaining access is the phase in which the intruder uses the knowledge gathered in the previous phases to get into the system, either by cracking a password or by exploiting a vulnerable service. At the end of this phase the intruder has a foothold on the vulnerable system from which to start escalating privileges.
3.2.5. Pilfering.
Pilfering is once again an information gathering phase, this time from inside the compromised host: the intruder looks for trust relationships and credentials that lead to other systems on the network, so that more systems can be enumerated and penetrated.
3.2.6. Escalation.
The escalating privileges phase is concerned with upgrading user privileges to administrator privileges so that the intruder has full control over the system.
3.2.7. Hiding traces.
Afterwards the intruder must cover his tracks, for example by deleting log entries and hiding his binaries.
3.2.8. Installing backdoors.
Finally the intruder installs backdoors so that he does not have to go through the whole path again in order to own the system. [21] (McClure, 1999)
3.2.9. Denial of service.
Two other phases differ slightly from the previous ones: the "denial of service" and "misinformation" attacks. The intruder could DoS some services to serve a certain purpose in the attack scenario, or simply to stop the service if that is the only goal. DoS is very helpful in accomplishing some goals, for example as a step towards gaining access to a Cisco router, or to disable an intrusion detection system (IDS).
3.2.10. Misinformation.
Misinformation attacks, such as abusing open email relays, can like DoS be a goal in themselves, but they can also be a means to social-engineer administrators or to spoof orders to machines and destabilize operations. [22]
3.3.Strategic & Advanced Hacking.
In the previous section we saw how an intruder can plan and carry out an attack on a network. However, sometimes these steps are not enough to attack huge networks. If an intruder is after a large, well-secured banking network he must dedicate a great amount of time to planning the attack. This research has made an effort to merge the professional hacking methodology with the methodology of destabilizing networks. The concept of destabilizing networks is based on extracting information about many aspects of the targeted network, then analyzing this information with many tools to determine the weak points in the network [23] (Carley, 2001). Figure 3.3.1 illustrates the merger between professional network hacking and network destabilizing techniques. The life cycle of advanced or strategic hacking is hardly complete, but it should give a clear overview of the whole process. The life cycle begins with a piece of information, for example a trace, a company name, or an employee name; even small amounts of information are very useful in footprinting a network. We will not be covering the details and steps of sub-phases such as footprinting, because they are out of the scope of this paper; we only emphasize the destructive effect that a framework like what we call strategic hacking would have on organizations. The framework is divided into eight main phases: 1- information gathering, 2- analysis, 3- reliability checking, 4- planning for the attack, 5- initiating the attack, 6- escalation loop, 7- accomplishing the objectives, and 8- ending the attack.
3.3.1. Information gathering.
The information gathering phase is very important: the accuracy of the analysis, the planning and all the following phases depends on the accuracy of this phase.
3.3.1.1. Footprinting.
As noted before, we will not describe the detailed steps of footprinting. However, a