Friday 18 February 2011
This is a part of chapter "Security" of my forthcoming book "Infrastructure Architecture". Please feel free to comment using my email address stated in the right column of this website.
Computer crime has two meanings, either:
- Crime against a computer system or component or
- Crime using a computer
In this article I only describe the first one, as it is the most relevant one for IT infrastructures.
Computer crimes involve some form of gaining control over (in the context of this book) IT infrastructures. First I will describe the reasons why people commit crimes against computers, and then I will explain how control over infrastructure components can be gained to actually commit those crimes.
Reasons for committing crime against IT infrastructures
There are various reasons for committing crime against IT infrastructures:
- Creating damage to companies or institutions (like Microsoft or Greenpeace) to create bad publicity. For instance by defacing websites, bringing down systems or websites or making internal documents public.
- Financial reasons. For instance by holding data hostage and asking for ransom, stealing credit card data, changing account data in bank systems, stealing passwords of bank customers, selling articles without delivering them.
- Warfare. Some believe that some governments use hacking practices to perform acts of war. Since economies and societies today largely depend on the Internet, bringing the Internet down in a certain country would cause the economy to stop to a large degree (no emails, no web shops, no stock trading, no Google, no VPN connections, etc).
- Terrorism. Terrorism is the act of creating fear in a society. A well planned attack targeted at certain computer systems (for instance the computer system that manages the water supply) could result in chaos and fear amongst citizens.
- Personal exposure and prestige. In the past the hacker community was very keen on getting personal or group exposure by committing a hack of a secured system. When a hacker proved that he could enter a secured system and made it public, he gained respect from other hackers. Nowadays most hacking activity is done for financial reasons; few people still hack for personal pleasure, and most are now in the business of hacking for money.
- Accidental. Some attacks happen by accident. For instance script kiddies create a virus for fun that gets out in the open and creates much damage.
Common attacks used to realize these crimes are denial of service attacks, theft of information, gaining control over systems, destruction and/or modification of data, and spam.
Disruption of Service
A Denial of Service (DoS) attack is an attempt to overload an infrastructure (component) to cause disruption of a service. This overload can lead to downtime and generally prevents a company from doing its business. To perform a DoS attack, usually from the Internet, an attacker fires off a lot of requests to a web server or a mail server, sometimes with malformed requests. Because the machine is overloaded with handling all of these requests, or because the requests quickly fill up queues (like the TCP WAIT queue), the system either crashes or gets so slow that in effect it is not functioning anymore. Because one attacking computer alone usually does not have enough power or bandwidth available to bring down a server, mostly a Distributed Denial of Service (DDoS) attack is used. In this case the attacker uses a lot of (end user) computers to overload the server. Since nowadays attackers are professionally organized, they use groups of computers that are infected by malicious code, called botnets, to perform an attack remotely.
There is very little one can do about this kind of attack. Shutting down the connection to the Internet is no solution, as in practice this has the same effect as the DoS itself. Rejecting incoming connections and data from a particular attacking machine only works when the number of attacking machines is relatively limited; this does not work for a DDoS attack, which typically has thousands of attacking machines. Extreme scaling using cloud technology could be a solution (where in fact the number of servers starts to outweigh the number of attackers), but that is hardly used in practice today.
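As an added illustration (example code written for this page, not part of the original text), a small Python model of the per-source blocking discussed above: the same rule that stops a single-source DoS fails against a DDoS whose bots each send no more than an ordinary client. The log lines, addresses, server capacity and block-list limit are all constructed for the example.

```python
from collections import Counter

def make_log(sources, per_second, seconds=10):
    """Constructed connection log: one "<second> <source_ip>" line per attempt."""
    return [f"{t} {ip}" for t in range(seconds) for ip in sources for _ in range(per_second)]

LEGIT = [f"198.51.100.{i}" for i in range(1, 21)]             # 20 normal clients
BOTS = [f"10.{i // 256}.{i % 256}.5" for i in range(2000)]    # 2000 botnet members
# Single-source DoS: one machine hammering the server, normal clients at 2 req/s.
DOS_LOG = make_log(["203.0.113.7"], 3000) + make_log(LEGIT, 2)
# DDoS: every bot sends only as much as a normal client does.
DDOS_LOG = make_log(BOTS, 2) + make_log(LEGIT, 2)

def requests_per_second(log_lines):
    """Average request rate per source over the logged window."""
    counts, seconds = Counter(), set()
    for line in log_lines:
        second, ip = line.split()
        seconds.add(second)
        counts[ip] += 1
    return {ip: n / len(seconds) for ip, n in counts.items()}

def block_top_sources(rates, capacity, max_blocks):
    """Reject the busiest sources one by one (at most max_blocks, a firewall's
    practical limit) until the remaining load fits the server's capacity in
    requests/second. Returns (sources blocked, remaining load, load fits)."""
    remaining, blocked = dict(rates), 0
    for ip, _ in sorted(rates.items(), key=lambda kv: -kv[1]):
        if sum(remaining.values()) <= capacity or blocked >= max_blocks:
            break
        del remaining[ip]
        blocked += 1
    load = sum(remaining.values())
    return blocked, load, load <= capacity

if __name__ == "__main__":
    for name, log in (("single-source DoS", DOS_LOG), ("DDoS", DDOS_LOG)):
        print(name, block_top_sources(requests_per_second(log), capacity=500, max_blocks=100))
```

Blocking one source restores the single-source case; against the DDoS, blocking 100 of 2000 equally quiet bots leaves the server far over capacity.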
Theft of information
Another reason for committing computer crime is the theft of information. Some examples are:
- With a stolen password or credit card numbers a bank account can be plundered
- Personal or company information on systems can be disclosed in public which can be embarrassing, lead to blackmail or extortion or lead to bankruptcy
- Stolen information can be used to get other information; for instance password information can lead to reading emails to gain more information
Information can be stolen in several ways:
- Key loggers maliciously installed on workstations can send information like passwords to third parties
- Network sniffers can capture and store TCP/IP network packets that contain information
- Data on backup tapes outside of the building can get into wrong hands
- PCs or disks that are disposed of can get into the wrong hands
- Infiltrators at computer repair shops can copy information from PCs, servers and disks that are sent in for repair
- Corrupt or dissatisfied staff can copy information
- Corrupt system managers (who usually have access to a large set of information) copy data for money
- End users are led to a malicious website that steals information (also known as phishing)
Gaining control over systems
Malicious software can provide control over an infected system. Most of the time this is done to steal information or to attack other systems (the infected system is then part of a botnet). The malicious software can also be used to control the system to:
- Make it part of a larger attack: the infected machine is one part of a complex attack consisting of multiple steps. For instance an infected end user PC can be used to attack a mail server from the inside.
- Disrupt process systems, such as communication systems, financial systems and SCADA (Supervisory Control And Data Acquisition) systems, which are used to control and manage factory plants, water supply and electrical power/natural gas/oil grids. These attacks are typically terrorist or warfare attacks, as they disrupt national physical or economic infrastructures to gain military and/or economic advantages.
One example of this was the Stuxnet worm in 2010, which spread via USB memory sticks and infected Windows systems, searching for one special type of Siemens PLC system typically used in nuclear plants in Iran. The goal of the worm was to change the programming of the PLC to cause disruption of the nuclear power plant.
Destruction and/or modification of information
Destruction and/or modification of information can be in the form of:
- Erasing data from databases or disks or making it unreadable (for instance by formatting a disk)
- Changing the content of databases, for instance changing the balance of a bank account
- Encrypting the data so it cannot be read anymore and then asking for ransom to decrypt the data.
Gaining financial benefits
Every day about 100 billion spam emails are sent. Although most people delete spam messages immediately, even if only 0.001% of the sent spam leads to spending money (let's assume 10 dollar), every day 10 million dollar is earned in this business. This is about 3 billion dollar every year! And this seems like a conservative estimate. 80% of all spam worldwide is sent by not more than about 200 spammers. Most of this spam is about selling medicine (drugs). In the USA and in most other countries most medication is only available with a doctor's prescription. In Canada, the rules are a bit less strict. Therefore spammers try to persuade their victims to order medicine from Canada (some medicines - blue pills - are apparently more popular than others for some reason...). The part they don't tell you is that you can order and pay for these medicines, but they never get delivered. This way spammers make money without incurring the cost of shipping actual products.
How to gain control over Infrastructure components
There are several ways to gain control over IT systems and infrastructure components. In this section I will discuss the use of malicious software, root kits, spam, social engineering, phishing and baiting.
Malicious software consists of programs (such as viruses, Trojan horses and worms) that, when activated, can cause network and mail server overload by sending email messages, steal data and passwords, delete document files, email files or passwords, and even re-format hard drives. Malicious software can spread to a large group of systems in various ways, because it can take the form of, for instance, Java Applets, ActiveX Controls, scripting languages and browser plug-ins. Users can also be tempted to run an application sent to them in an irresistible format.
The best known case is that of the Anna Kournikova virus in 2001. It was designed to trick email users into opening a mail message purportedly containing a picture of Anna Kournikova, a young and attractive tennis player at the time. The Kournikova virus tempted users with the message "Hi: Check This!" and what appeared to be a picture file labeled "AnnaKournikova.jpg.vbs". However, when a user clicked on it the file did not display a picture of Anna Kournikova but launched a viral Visual Basic Script that forwarded itself to everybody in the Microsoft Outlook address book of the victim.
It is a common misconception that every encryption method can be broken. It is scientifically proven that the one-time pad cipher is unbreakable, provided the key material is truly random, never reused, kept secret from all possible attackers, and of equal or greater length than the message. Most ciphers, apart from the one-time pad, can be broken with enough computational effort by a brute force attack, but the amount of effort needed may be exponentially dependent on the key size, as compared to the effort needed to use the cipher. In such cases, effective security could be achieved if it were proven that no efficient method (as opposed to the time-consuming brute force method) can be found to break the cipher. Since no such proof can currently be given, the one-time pad remains, as of today, the only theoretically unbreakable cipher. There is a wide variety of cryptanalytic attacks. Most successful attacks, however, are based on flaws in the implementation of an encryption cipher. It is extremely difficult to create a flawless cipher and it is therefore absolutely not recommended to create your own. To ensure a cipher is flawless, its source code is usually open source and thus open to inspection by everyone. Experience shows that open source ciphers are the most secure ones, while closed source ciphers tend to be breakable.
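As an added example (written for this page, not part of the original text), the one-time pad's conditions in Python: XOR with a pad from the OS random source, a demonstration that one ciphertext is consistent with every plaintext of the same length, and what an observer learns when the "never reused" condition is violated. All function names and messages are this example's own.

```python
import secrets

def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR every message byte with the corresponding pad byte.
    The pad must be truly random, secret, never reused and at least as long
    as the message; XOR is its own inverse, so decryption is the same call."""
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))

otp_decrypt = otp_encrypt

def new_pad(length: int) -> bytes:
    """Fresh pad from the OS cryptographic random source, not a seeded PRNG."""
    return secrets.token_bytes(length)

def pad_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the same
    length there is a pad that decrypts the ciphertext to it, so the
    ciphertext alone gives an attacker no reason to prefer one message."""
    return bytes(c ^ m for c, m in zip(ciphertext, candidate))

def reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """Failure mode when a pad is used twice: XOR of the two ciphertexts
    cancels the pad and leaves m1 XOR m2, so knowing either message reveals
    the other, and plaintext structure shows through even without that."""
    return bytes(a ^ b for a, b in zip(ciphertext1, ciphertext2))

if __name__ == "__main__":
    msg = b"transfer 100 EUR"              # constructed sample message
    pad = new_pad(len(msg))
    ct = otp_encrypt(msg, pad)
    assert otp_decrypt(ct, pad) == msg
    # The same ciphertext "is" a different message under another pad.
    alt = b"transfer 900 EUR"
    assert otp_decrypt(ct, pad_that_yields(ct, alt)) == alt
    print("ciphertext:", ct.hex())
```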
To perform denial of service attacks, to plant keyboard loggers, to install network sniffers or to steal data, malicious software has to be installed on computers. Because of the large number of PCs in the world, most of the targets are (home) PCs. Since more than 90% of all PCs run Microsoft Windows, this operating system is a very attractive platform for malicious software programmers. Almost all malicious software is therefore targeted at Windows. Most malicious code can be detected and sometimes even removed by so-called virus scanners.
In an ever enduring battle between virus writers and anti-virus software providers, virus writers constantly try to find vulnerabilities in the Windows operating system or in applications running on top of it. When such a vulnerability is found and malicious software is set free to exploit it, anti-virus software companies try to detect the virus, to warn users and to stop the virus from spreading.
Detecting viruses is done using a so-called signature of a virus: a unique string of bits that is part of the virus. When a file contains this string, it is assumed that the file is infected with the virus code. To be pro-active, anti-virus software also uses techniques like heuristic scanning. Heuristic scanning looks for certain instructions or commands within a program that are not found in typical application programs. It can find viruses even before they are known to the anti-virus software vendor.
The best way to get malicious code installed is by using spam. Spam is already used for fraud (see the previous section on that), but the same spam messages can be used to install code on your system. Of course one needs a good IT infrastructure to send the spam, but spammers simply outsource this infrastructure. Spammers use large botnets for sending all these billions of spam emails, for two reasons:
- Much bandwidth and CPU power is needed to send all the spam.
- Spammers don't like to be put out of business easily.
So, spammers need botnets. Because of this, criminal organizations exist that set up botnets using viruses. These organizations sell botnet services to spammers. They also sell (stolen) email address lists to which the spam can be sent. As of 2010, every day about 1.2 million bots are created (i.e. newly infected PCs that are set up to join a botnet). Bots that have been used for some time are often not usable anymore, usually because the virus scanner on the particular PC switched off the bot software. On average, three days after the virus infection only half of the 1.2 million PCs are still usable. This means that new virus exploits are needed frequently to infect new PCs. The spammer does not need to create such exploits: that is the core business of yet other criminal organizations. These organizations hire crackers to find exploits. A new exploit costs the spammer about 100,000 dollar. No problem, given the enormous annual turnover the spammers make.
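The signature and heuristic scanning described earlier in this section, as an added example (written for this page, not a real scanner's code): a signature lookup over constructed marker strings, plus two heuristics that need no prior knowledge of a specific virus, one of which catches the "picture.jpg.vbs" pattern of the Kournikova mail. Signatures, file names and file contents are all made up here.

```python
# Constructed signature database: made-up marker strings standing in for the
# unique bit strings a real scanner would carry (not from the original page).
SIGNATURES = {
    "Sample.Worm.A": b"SAMPLE-WORM-A-MARKER-7f3c",
    "Sample.Trojan.B": b"SAMPLE-TROJAN-B-MARKER-91e0",
}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "doc", "pdf", "txt"}   # look harmless
ACTIVE_EXTS = {"vbs", "js", "exe", "scr", "bat", "pif"}             # run when opened
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "gif": b"GIF8", "png": b"\x89PNG", "pdf": b"%PDF"}         # expected first bytes

def signature_scan(data: bytes) -> list:
    """Classic detection: which known signatures occur anywhere in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def heuristic_scan(filename: str, data: bytes) -> list:
    """Pro-active checks that need no knowledge of a specific virus."""
    findings = []
    exts = filename.lower().split(".")[1:]
    # A harmless-looking decoy extension in front of an executable one.
    if len(exts) >= 2 and exts[-1] in ACTIVE_EXTS and exts[-2] in DECOY_EXTS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]}")
    # The bytes do not match what the claimed file type must start with.
    ext = exts[-1] if exts else ""
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append(f"content does not look like a .{ext} file")
    return findings

def scan_attachment(filename: str, data: bytes) -> dict:
    """Combine both methods; either kind of finding makes the file suspicious."""
    sigs, heur = signature_scan(data), heuristic_scan(filename, data)
    return {"signatures": sigs, "heuristics": heur, "suspicious": bool(sigs or heur)}

# Constructed attachments: names and bytes are made up for this example.
SAMPLE_ATTACHMENTS = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
    "AnnaKournikova.jpg.vbs": b"' script body SAMPLE-WORM-A-MARKER-7f3c",
    "newbeach.jpg.scr": b"MZ unknown new program",
    "photo.jpg": b"' script text pretending to be a picture",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, scan_attachment(name, data))
```

The second and third samples show the difference the text describes: the known worm is caught by its signature, while the never-seen "newbeach.jpg.scr" is caught only by the heuristic.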
Another way to get malicious software installed is by using social engineering. In social engineering, social skills are used to manipulate people into giving up information, such as passwords or PIN codes, which can then be used in an attack. All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. In short: people want to help other people by nature. If someone from the system management department calls and asks for your help in solving a computer issue, most people tend to help the caller, without checking whether he is really a system manager. When the caller asks the user to click on a link he sent via email, most users will do so, installing malicious software without knowing it. The attacker must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to quickly handle unexpected responses from the victim.
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business — a bank, or credit card company — requesting "verification" of information. The e-mail usually contains a link to a fraudulent web page that seems legitimate — with company logos and content — and has a form requesting everything from a home address to an ATM card's PIN.
Baiting looks very much like a physical Trojan Horse. It uses physical media like a USB flash drive and relies on the curiosity of people to find out what is on it. For instance, an attacker leaves a malware infected DVD or USB flash drive in some location where it will be easily found, like the elevator or the parking lot of the company they want to attack. The device is given a legitimate looking label to increase the curiosity of anyone finding it. For instance the company logo could be put on the device, or a label such as "Financial year results". The attacker hopes some employee picks up the device and brings it inside the company. When the device is put into a company PC, malicious software is installed. The effect of this kind of attack can be mitigated by switching off the "auto-run" feature on all company PCs.