1 CSCD 434 Lecture 6 Spring 2012 Attackers Profile, Motives, Skills


CSCD 434

Lecture 6 Spring 2012

Attackers Profile, Motives, Skills


Topics

• Motivation for us
• Identification of Them
  – Skills - Hierarchy
  – Motives
  – Notable Individuals and Groups - History
• Impact of Them on us
• Resources


Motivation

• We need to study attackers
  – Why?
  – Need to know our adversaries
  – How else can we determine the risk to ourselves and our systems
  – And, devise defense strategies


Motivation

• Sun Tzu on The Art of War, oldest military treatise

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle”


Identification of Attackers

• Questions
  – Who are they?
  – Why do they want to attack us?
  – What do they have to gain?
  – What is our risk?


Level of Attacks

• Recall, point of Computer Security
  – Protect assets from some threat
  – So, detailed knowledge of threat helps to create good protection
• Average Attacks
  – You as individuals won't likely have top-level hackers attacking you
    • Someone has to pay them!!!!!
  – But, you will have script kiddie level to moderate level hackers trying to gain credit card or private data


Identification of Attackers

• Who are they?
  • Many groups can threaten your systems
  • Not easy to classify them
    – Typical way ... by skill level or potential for damage
    – Can rank them from lowest to highest in skill but doesn’t always correlate with damage potential
    – Good example, virus/worm writers
      • Do a lot of damage but not necessarily the most skilled


Identification of Attackers

• Loosely classify them by skill level and motive
  – Elite Hackers – White Hat
    • Hackers in this group are skilled
    • Often belong to a hacker group
      – L0pht, Masters of Deception (old groups …)
      – Anonymous, Zeus Gangs
    • Feel they have a mission to improve the security of the computer world
    • Avoid damage to network and systems
    • Inform and educate system administrators about fixes to their security


Identification of Attackers

• Elite Hackers – White Hat
  – Supposedly subscribe to “Hacker Code of Ethics” http://courses.cs.vt.edu/cs3604/lib/WorldCodes/Hackers.Code.html
  – It said ... “Ethical duty of the hacker to remove barriers, liberate information, decentralize power, honor people based on their ability, create things that are good and life-enhancing through computers.”
  – Another document, “Hacker Manifesto”
    • Provides insight into punk hacker mentality
    • Written after author's arrest, and first published in hacker ezine Phrack
    http://www.mithral.com/~beberg/manifesto.html


Identification of Attackers

• Elite Hackers - Black Hats
  • Skilled but do damage
  • Break-in and leave evidence of their presence
    – Need to re-install software
    – Don’t worry about loss of private information
    – Don’t buy into a Code of Ethics
  • Sell their services to highest bidder
    – Corporate espionage, extortion, fraud
  • Criminals ....


Identification of Attackers

• Psychological Profile of Elite Hackers
  • Most elite hackers ...
  • Different values and beliefs than society
  • White hats believe they are performing a service for society by exposing poor security practices
  • Sometimes have a tenuous grasp on reality because they live mostly in the cyber world
  • Examples: Rob Morris, Kevin Mitnick


Hacker Timeline

http://www.focus.com/images/view/2242/

• 1970's - Age of phone phreaking
  – Phone phreakers, John Draper, goal - free phone calls
• Early 1980's - Groups and zines formed, no laws yet
  – Hacking groups like Legion of Doom in US and Chaos Computer Club in Germany
  – Los Alamos laboratory’s computers for developing nuclear weapons were hacked by the 414 gang
  – A gang that comprised six teenagers who were later apprehended


Hacker Timeline

• Late 1980's - Law formed, Exploits tested
  – The Computer Fraud and Abuse Act was passed in 1986
  – 1st self-replicating worm used on government's ARPAnet to test effect on UNIX systems
    • Robert T. Morris, Jr., graduate student at Cornell University .. later spread to 6000 computers
    • Fined 10,000 USD, Public Service
  – German hackers arrested for breaking into United States government and corporate computers and selling operating-system source code to Russian KGB


Hacker Timeline

• 1990's - Government targets hackers, Internet begins
  – Kevin Mitnick was arrested for breaking into computers
  – Vladimir Levin and other Russian crackers siphoned 10 million USD from Citibank and transferred it to bank accounts in Finland and Israel
• 2000 - Internet worms and DDoS takes off
  – Attacks launched on Yahoo, Amazon and eBay, denial of service for users - Mafiaboy responsible
  – Break-ins on Microsoft, for latest versions of their products
    • 2001 attack led to prevention of millions of users from reaching Microsoft Web pages for two days.

Mafiaboy


Hacker Timeline

• 2010 - Internet worms and DDoS takes off
  – Sophistication of attacks grows,
    • Storm Botnet, Conficker, Stuxnet is latest
  – Hacking for profit is the norm
  – Spam, phishing, corporate blackmail is profitable
  – Data breaches common
  – Botnets are common too


Hacker History

• 1970's Phone Phreakers
  – Learn as much as possible about telephone system without getting caught
  – Use knowledge to their advantage
    • Free phone calls
  – Most famous - John Draper - Captain Crunch
  – Why was he called that?


Phone Phreakers

• Captain Crunch - 1971
  – Discovered a toy whistle found in a box of Captain Crunch cereal
    • Emitted a tone, 2600 Hz tone
    • Exact frequency needed to tell phone system to hang up the call, but used other tones then to call numbers - result was free phone call
    • Late 60's and Early 70's, all toll trunks were sensitive to this tone
    • ATT did fatal cost cutting measure, designed system so that signaling and voice used the same circuit


Phone Phreakers

• Others Discovered Secret

• Made devices to emit signal, “blue boxes”

• Worked until phone companies replaced old switches with newer electronic switching systems

• History of the boxes and more http://www.webcrunchers.com/


Famous Elite Hackers

• Eric Corley (also known as Emmanuel Goldstein)
  • Long standing publisher of 2600: The Hacker Quarterly and founder of the H.O.P.E. conferences.
  • Been part of the hacker community since the late '70s.
• Kevin Mitnick
  • A former computer criminal who now speaks, consults, and authors books about social engineering and network security.
• Robert Morris
  • Now a professor at MIT
  • The son of the chief scientist at the National Computer Security Center — part of the National Security Agency (NSA)
  • Cornell University graduate student accidentally unleashed an Internet worm in 1988 (oops ….)
  • Thousands of computers were infected and subsequently crashed.


Famous Hacker Groups

• CULT OF THE DEAD COW, also known as cDc or cDc Communications, computer hacker and DIY media organization founded in 1984 in Lubbock, Texas
  – Produce an ezine called, Cult of the Dead Cow http://www.cultdeadcow.com/cms/textfile_index.php3
  – Practiced Hacktivism
    • Combined Hacking with Social justice
    • Targeted Google in allowing China to filter Internet traffic
  – Well Known Tools
    • Back Orifice - Remote control of others computers
    • Whisker - IDS evasion

"Goolag - exporting censorship, one search at a time"


Famous Hacker Groups

• L0pht Heavy Industries was famous hacker collective active between 1992 and 2000, physically in Boston, Massachusetts area

– 1998, all seven members of L0pht (Brian Oblivion, Kingpin, Mudge, Space Rogue, Stefan Von Neumann, John Tan, Weld Pond) testified before Congress that they could shut down the entire Internet in 30 minutes

– 2000, L0pht Heavy Industries merged with startup @stake, transitioned from an underground organization into "whitehat" computer security company

• Symantec bought @stake in 2004

– L0pht produced L0phtcrack a password cracker program


Famous Hacker Groups

• Chaos Computer Club (CCC) One of biggest and most influential hacker organizations

– CCC based in Germany and currently has over 4,000 members, http://www.ccc.de/?language=en

– CCC more widely known for public demonstrations of security risks

• In 2008, CCC published fingerprints of German Minister of Interior Wolfgang Schäuble

• Also included fingerprint on film that readers could use to fool fingerprint readers


Identification of Attackers

• Virus Writers
  • Another group with some skilled and unskilled members
  • Been around a long time and have been studied the longest
  • This group has been evolving too
  • Sarah Gordon gained fame for profiling this group
  • She maintains archive of articles on the Web site http://www.badguys.org

“Not all people who write computer viruses are criminals because writing computer viruses is not (necessarily) illegal.”


Attacker Groups

• Virus Writing – Easy?
  – Searched with string, “How to write a virus”
  – Got 8,200,000 hits
  – Among them, the following …


Reasons for Writing Viruses

• “Virii are wondrous creations written for the sole purpose of spreading and destroying the systems of unsuspecting fools.

– This eliminates the systems of simpletons who can't tell that there is a problem when a 100 byte file suddenly blossoms into a 1,000 byte file.

– Duh. These low-lifes do not deserve to exist, so it is our sacred duty to wipe their hard drives off the face of the Earth.

– It is a simple matter of speeding along survival of the fittest.

• Why did I create this guide? After writing several virii, I noticed that virus writers generally learn how to write virii either on their own or by examining the disassembled code of other virii

– There is an incredible lack of information on the subject. Even books published by morons such as Burger are, at best, sketchy on how to create a virus.

• This guide will show you what it takes to write a virus and also will give you a plethora of source code to include in your own virii.” Dark Angel

http://vx.netlux.org/lib/static/vdat/tuda0001.htm


Attacker Groups

• Hacktivism Groups
  – Fusion of hacking and activism
  – Hacking for a political cause
  – A clinical definition of hacktivism is:
    • Hacktivism: a policy of hacking, phreaking or creating technology to achieve a political or social goal

http://www.thehacktivist.com/


Attacker Groups

• Hacktivism Groups
• Examples

– In 1998, several targeted events in which computer intrusion and defacement used to protest injustice

– Milw0rm broke into computer systems at India's Bhabha Atomic Research Centre, Bombay (BARC) in protest against nuclear weapons tests

http://www.wired.com/news/technology/0,1282,12717,00.html


Attacker Groups

• Hacktivism continued
  – 1998 LoU members Bronc Buster and Zyklon disabled firewalls in order to allow China's Internet users uncensored access to Internet http://www.wired.com/news/print/0,1294,16545,00.html

– 1998 X-Ploit defaced the websites of Mexico's Finance Ministry and Health Ministry to protest government of President Ernesto Zedillo and show solidarity with the Zapatista rebellion

http://thehacktivist.com/archive/news/1998/MexicanHackers-Reuters-1998.pdf


Hacktivism – Final Examples

• 1998, Electronic Disturbance Theater, experimented with early forms of virtual sit-ins
  – Group created software, FloodNet and has invited mass participation in its virtual sit-ins against Mexican government

• EDT members Carmin Karasic and Brett Stalbaum created FloodNet to direct a "symbolic gesture" against an opponent's web site


Hacktivism

• FloodNet, Java applet that repeatedly sends browser reload commands
  – In theory, when enough EDT participants are simultaneously pointing the FloodNet URL toward an opponent site, critical mass prevents further entry
  – Actually, this has been rarely attained
• FloodNet's power lies more in simulated threat!


Hacktivism

http://www.fraw.org.uk/ehippies/index.shtml

• Mission - to assist the process of change towards a more fair and sustainable society using only electrons

• Actions being protested must be reprehensible to many, not just small group
  – Democratic accountability - people vote with modems

• Event used to justify DoS attack must provide focus for debate (e.g., World Trade Organization conference)


Current Hacktivism

• Wikileaks
  • Publisher of leaked government documents about wars, environmental crimes and other news “they” don't want us to know

• Latest, emails from Stratfor, political strategy corporation which will be published soon

http://www.wikileaks.org


Current - Hackers and Climategate

• E-mails, cover decade of correspondence ... suggest scientists colluded and manipulated data to support their global warming viewpoints ... released about 2009

• Bloggers highlight a statement in one 1999 e-mail from Phil Jones, director of the research center:

“I’ve just completed Mike’s Nature trick of adding in the real temps to each series for the last 20 years (i.e., from 1981 onwards) and from 1961 for Keith’s to hide the decline”

• Climategate 2.0, 2011 - another 5000 emails leaked showed evidence of deception of scientists
  – http://newsbusters.org/blogs/noel-sheppard/2011/11/22/climategate-20-5000-new-emails-confirm-pattern-deception-and-collusion


Current Hacktivism

• Anonymous

http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous

– Gained worldwide press for Project Chanology, protest against the Church of Scientology

– 2008, a video produced by Church featuring an interview with Tom Cruise was leaked to Internet and uploaded to YouTube

– Church of Scientology issued a copyright violation claim against YouTube requesting removal of video

– Anonymous formulated Project Chanology... said action was Internet censorship

• DoS against Scientology websites, prank calls, etc


Impacts of Hacker Groups


Low-Skilled Attacker Groups

• Script Kiddies
  • Skilled hackers put their tools on-line
  • They appear to want others to use and benefit from their experience
    – Goes along with ethic of sharing information
    – Allows people with limited technical knowledge to do lots of damage since there are lots of them
    – Following quote from a 2002 article where Ed Skoudis discusses damage from low-skilled Kiddies


Low Skilled Attacker Groups

• Low-Skilled Script Kiddies = Low Damage?

• “Script Kiddie is typically young male, usually not by any means computer expert, who exploits weaknesses in security systems discovered by someone else


Higher Skilled Attacker Groups

• Hacking for Profit
• Famous examples
• 1999, Maxim broke into CD Universe and stole 300,000 credit card numbers
• 2001, FBI and NIPC warned that Russian and Ukrainian hackers had stolen over 1,000,000 credit cards
• 2001, Playboy.com was cracked and cards were stolen
• 2002, World Economic Forum had DB broken into and 1400 cards were stolen among them Bill Clinton, Bill Gates, Yasser Arafat and Shimon Peres!


Higher Skilled Attacker Groups

• Credit Card Theft – Growing problem

– 2005 - More than 40 million credit card numbers belonging to U.S. consumers were accessed by computer hacker, at risk of being used for fraud, MasterCard International Inc.

– 2007 - TJX Cos. (NYSE:TJX) revealed that information from at least 45.7 million credit/debit cards was stolen over an 18-month period

– 2008 - Security breach at East Coast supermarket chain exposed more than 4 million card numbers and led to 1,800 cases of fraud, Hannaford Bros. Grocery

Database of Credit Card Breaches

http://www.privacyrights.org/data-breach


Higher Skilled Attacker Groups

• Hacking for Profit
  • Fraud in Credit Cards is 3 times rate online than same purchases offline
  • Seems to be growing worse with time
  – Theft of Trade Secrets
    • Worth great deal of money
    • If sold to the right group
    • Example: New Intel Chip design, what’s it worth?
    • Many examples of cyber related Trade secret theft


Higher Skilled Attacker Groups

• Trade Secret Loss
  – Fortune 1000 companies reported losing proprietary information and intellectual property valued at between $53 and $59 billion dollars during the period beginning July 1, 2000 and ending June 30, 2001.

http://news.zdnet.com/2100-9595_22-110360.html


SecureWorks Uncovers $2 Million Russian Hacker Scheme

• 2007 SecureWorks Security Research Group
  – Discovered new trojan that searches for and captures credentials used by several Internet banking and e-commerce websites

– Trojan, Gozi, forwards captured credentials to online database where they are being sold to the highest bidder

– Security Research Group uncovered a cache of stolen information holding over 10,000 account records containing everything from online banking user credentials to patient healthcare information and even employee login information for confidential government and law enforcement applications

– Further investigation revealed data was being offered for sale by Russian hackers for over $2 million.


Latest in Skill Levels

• How about controlling 100's of 1000's of computers? What skill level does that take?

– For example, Jeanson Ancheta, a 21-year-old hacker and member of a group called the “Botmaster Underground”, reportedly made more than $100,000 from different Internet advertising companies who paid him to download specially-designed malicious adware code onto more than 400,000 vulnerable PCs he had secretly infected and taken over

– He made tens of thousands more dollars renting his 400,000-unit “botnet herd” to other companies that used them to send out spam, viruses, and other malicious code on the Internet

– In 2006, Ancheta was sentenced to five years in prison


Bots are Highly Profitable

• Some botnet owners reportedly rent their huge networks for $200 to $300 an hour, weapon of choice for fraud and extortion

• Newer methods evolving for distributing “bot” software that may make it even more difficult in the future for law enforcement to identify and locate originating “botmaster”
  – Some studies show that authors of software for botnets are increasingly using modern, collaborative methods of software development

– P2P architecture makes it very difficult to completely shut down some botnets


Stuxnet Sophistication at the Highest Level

• What is Stuxnet?
  – Computer virus/worm that can manipulate and damage real-world physical equipment
  – Target were nuclear plants in Iran
  – Different from previous malware
    • Authors had a specific facility or facilities in mind and extensive knowledge of system they were targeting.
• Who created it?
  – Guesses. Israeli Mossad and USA
  – Can't be proved (yet)

http://www.informit.com/articles/article.aspx?p=1686289


Conficker Family

• Conficker is a family of “worms” (malicious computer software programs)
• Purpose infect computers and then spread itself to other computers without any human interaction.
  – Currently, there are at least three known variants of Conficker: A, B and C/D.

• Conficker has been created as a two-stage threat

1. Conficker responsible for the infection of as many computers as possible.

2. Second stage has yet to materialize


Conficker Family

• However, Conficker infected machines
  – Capable of becoming huge botnet if necessary
  – Infected about 10 million computers
• Authors?
  – Unknown ... speculation on China

– Microsoft has a $250,000 bounty out for author


Computer Crime

• One reason people break into computers is for the thrill of it
• Do people break into banks or homes in the real world just to see if they can do it?
  – Not too likely
• So, what deters criminals in the real world?


Computer Crime

• What deters real-world criminals?
  – Likelihood of being caught
  – And, prosecuted if caught
• How likely are you to be caught in the cyber world?
  – It depends …


Computer Crime

• Depends on …
• In cases where a lot of damage or something valuable is stolen, more incentive to catch you and prosecute

• Average break-in with little or no damage, unlikely you will be caught or prosecuted

• Difficult to collect evidence and link your activity to scene of the crime


What is Current Risk

• Given monetary incentives of cybercrime, what does this say for risk from cyber threats?

• Would the risk be different depending on who you are?
  – Government, Banks, Large Corporations


Books, Conferences and Movies


Hacker Conferences

• Reference Link http://en.wikipedia.org/wiki/Hacker_culture
  – The hobby and network hacking subculture is supported by regular gatherings, called cons
• These have drawn more and more people every year including SummerCon (Summer), DEF CON, HoHoCon (Christmas), PumpCon (Halloween), H.O.P.E. (Hackers on Planet Earth) and HEU (Hacking at the End of the Universe)
  http://www.defcon.org
  http://www.shmoocom.org
  http://ww.summercon.org
  http://www.2600.com/hopes.html


Hacker Books

• Books on Hackers
  – Steven Levy
    • Hackers: Heroes of the Computer Revolution
  – Michelle Slatalla and Joshua Quittner
    • Masters of Deception: The Gang That Ruled Cyberspace, HarperPerennial, 1995
  – Bruce Sterling
    • The Hacker Crackdown, Bantam, 1992
  – Paul Taylor
    • Hackers, Routledge, 1999

http://www.amazon.com/Books-about-computer-hackers-hacking/lm/26UXHC7HABWSY


More Hacker Books

• Cuckoo's Egg - 1995
  • Clifford Stoll
  • Clifford Stoll becomes, almost unwillingly, a one-man security force … 75-cent accounting error in a computer log is eventually revealed to be a ring of industrial espionage
• The Art of Deception - 2003
  • Kevin D. Mitnick, William L. Simon
• Takedown - 1996
  – Tsutomu Shimomura and John Markoff
  • Account of Kevin Mitnick’s arrest


Hacker Websites

• Hacker hall of Fame http://www.francesfarmersrevenge.com/stuff/misc/hack/hall.htm
• Shmoo Group http://www.shmoo.com
• Attrition http://www.attrition.org
• Oldest hacker group - Chaos Computer Club http://www.ccc.de
• Underground News http://www.undergroundnews.com


Journals

• Phrack
  – http://www.phrack.com/
• 2600
  – http://www.2600.com/
• Hakin9
  – http://hakin9.org/
• Hackbloc
  – https://hackbloc.org/


Movies

• War Games - 1983
  – Starring Matthew Broderick
• Link to 20 Recommended Movies
  – http://www.linuxhaxor.net/?p=432
  – The Net to Sneakers to Many others
• Takedown - 2000
  – About Kevin Mitnick from Their point of view
• Freedom Downtime - 2001
  – Movie about Kevin Mitnick by his friend Emmanuel Goldstein ... it's online http://video.google.com/videoplay?docid=-6746139755329108302#


Conclusion

• Many hacker groups out there with a wide range of skills and motives
  – Lowest level – script kiddie will launch attacks from others
    • Motive – See if I can do it, thrill of it
  – Medium level – can create own attacks, customize other’s attacks
    • Motive – Still see if I can do it, plus monetary reward
  – Highest Level – Both use and create own attacks
    • Motive – Economic espionage, theft, nation states infiltration activity


Conclusion

• Having knowledge about the potential types of crimes and groups
  – Leads to more effective defense!!!


The End

• Next Time. More on specific attacks

• Reading and background for Lab, Metasploit

• Introduction - http://vimeo.com/26943860

• Metasploit Unleashed

• http://www.offensive-security.com/metasploit-unleashed/Main_Page

• Several Tutorials from Ethical Hacking site
  Metasploit http://www.ehacking.net/p/metasploit-tutorials.html
  Backtrack http://www.ehacking.net/p/backtrack-5-tutorial.html