e-SPIONAGE – Ankur Bansal, CS-575, April 26th, 2008

Page 1: e-SPIONAGE

e-SPIONAGE

Ankur Bansal

CS-575

April 26th, 2008

Page 2: e-SPIONAGE

“The U.S. military created the internet. Now the web may be turning against its maker.”

Business Week, April 21st 2008

Page 3: e-SPIONAGE

Overview

What is Espionage
Spy-wares
Espionage as National Issue

Page 4: e-SPIONAGE

Espionage

Espionage or spying involves a human being obtaining information that is considered secret without the permission of its holder.

The ancient writings of Chinese and Indian military strategists such as Sun-Tzu and Chanakya contain information on deception and spying.

Page 5: e-SPIONAGE

Espionage (Contd.)

Chanakya's student Chandragupta Maurya, founder of the Maurya Empire, made use of assassinations, spies and secret agents, which are described in Chanakya's Arthasastra.

The ancient Egyptians had a thoroughly developed system for the acquisition of intelligence.

Japan often used ninja to gather intelligence.

Spies played a significant part in Elizabethan England.

The USA and Russia used spies extensively during the Cold War period.

Page 6: e-SPIONAGE

Spy-wares

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

Page 7: e-SPIONAGE

Spy-ware (Contd.)

Functions of spyware extend well beyond simple monitoring.

Spyware can collect various types of personal information: Internet surfing habits, sites visited.

It can interfere with user control of the computer.

It can install additional software.

It can redirect Web browser activity.

It can access websites that cause virus infections.

It can change computer settings, resulting in slow connection speeds and loss of Internet access or other programs.

Page 8: e-SPIONAGE

History of Spy-wares

The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model.

Spyware at first denoted hardware meant for espionage purposes.

In 2000 Zone Labs used the term in a press release. Since then, "spyware" has taken on its present sense.

Page 9: e-SPIONAGE

Spyware / Adware / Virus

Adware refers to software which displays advertisements, whether or not the user has consented.

Example – the Eudora mail client displays advertisements as an alternative to shareware registration fees.

Most adware is spyware, as it displays advertisements related to what it finds from spying.

Unlike viruses and worms, spyware does not usually self-replicate.

Page 10: e-SPIONAGE

kaZaa – an example

kaZaa is one of the most popular software packages today.
• It's free – downloadable in minutes
• Allows people to share/exchange files
• Millions of users

247 million as of July 2003

Page 11: e-SPIONAGE

kaZaa (contd.)

But there is a catch. When installed you get more than just kaZaa; you also get:
• Cydoor – a tracking advertising software
  Displays pop-up ads
  Tracks web surfing habits
• Gator – ad-driven backdoor software
• Altnet – a hidden p2p software
• Many others that kaZaa wishes to include

Page 12: e-SPIONAGE

Routes of infection

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers.

Spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

3 common ways:
• Piggybacking on a piece of desirable software
• Trojan horse method: tricking the user into installing it
• Posing as anti-spyware programs, while being spyware themselves

Page 13: e-SPIONAGE

Examples

CoolWebSearch:
• Directs traffic to advertisements on coolwebsearch.com.
• Rewrites search engine results.
• Alters the computer's hosts file to direct DNS lookups to ad pages.

Internet Optimizer, also known as DyFuCa:
• When users follow a broken link or enter an erroneous URL, they see a page of advertisements.
• Since password-protected Web sites use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.

Zango (formerly 180 Solutions):
• Transmits detailed information to advertisers about the Web sites which users visit.
• Alters HTTP requests for affiliate advertisements linked from a Web site.

Zlob trojan, or just Zlob:
• Downloads itself to your computer via an ActiveX codec.
• Reports information back to a Control Server.
• This information can include your search history, the Websites you visited, and even keystrokes.
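The hosts-file tampering described for CoolWebSearch is one of the few spyware side effects an administrator can check for directly. As an added example (not part of the original slides), the following Python checker parses a hosts file and reports any watched search-engine hostname that has been pointed at a routable address rather than loopback or the unspecified address. The sample file, its addresses (documentation range) and the watched-domain list are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file: ordinary entries, one benign ad-server
# blackhole, and two redirections of the kind a browser hijacker adds.
# 203.0.113.0/24 is a documentation range, not a real ad server.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Common way to block an ad server (benign)
0.0.0.0         ads.example-tracker.test
# Redirections of the kind CoolWebSearch made (constructed)
203.0.113.7     www.google.com google.com
203.0.113.7     search.yahoo.com   # comment after entry
"""


@dataclass
class HostsEntry:
    address: str
    hostnames: list
    line_no: int


def parse_hosts(text):
    """Parse hosts-file text into entries, skipping comments and malformed lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first field is not an address
        entries.append(HostsEntry(parts[0], parts[1:], n))
    return entries


def is_blackhole(address):
    """Loopback (127/8, ::1) and unspecified (0.0.0.0, ::) are the only
    addresses a legitimate blocking entry points at."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def find_redirections(text, watched_suffixes=("google.com", "yahoo.com", "bing.com")):
    """Return (line_no, hostname, address) for every watched hostname that is
    mapped to a routable address, i.e. silently redirected."""
    hits = []
    for entry in parse_hosts(text):
        if is_blackhole(entry.address):
            continue
        for host in entry.hostnames:
            if any(host == s or host.endswith("." + s) for s in watched_suffixes):
                hits.append((entry.line_no, host, entry.address))
    return hits


if __name__ == "__main__":
    for line_no, host, address in find_redirections(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address}")
```

On a real machine the text would come from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and the watched list would be whatever domains the organisation cares about; the blackhole test keeps deliberate ad-blocking entries from being reported.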

Page 14: e-SPIONAGE

Problems

These programs often run silently in the background, without the user's knowledge!

It is very hard to detect these non-destructive but intrusive activities.

Undesirable features are closely integrated with desirable features.

Page 15: e-SPIONAGE

Stats

According to a 2005 study by AOL and the National Cyber-Security Alliance:

61% of surveyed users' computers had some form of spyware.

92% of users with spyware reported that they did not know of its presence.

91% had not given permission for the installation of the spyware.

Page 16: e-SPIONAGE

Security practices

Install anti-spyware programs.

Use a web browser other than IE, such as Opera or Mozilla Firefox.

Sharewares are a big source of spywares.

Download only from a reliable source.

Page 17: e-SPIONAGE

Innocent e-mail

The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy.

Beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy", designed to suck sensitive data out of the $4 billion consulting firm's computer network.

The Pentagon hadn't sent the e-mail at all.

Page 18: e-SPIONAGE

The innocent e-mail

The authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion.

Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org.

Page 19: e-SPIONAGE
Page 20: e-SPIONAGE

Innocent e-Mail

The e-mail was more convincing because of its apparent sender: Stephen J. Moree, who reports to the office of Air Force Secretary Michael W. Wynne.

Moree's unit evaluates the security of selling U.S. military aircraft to other countries.

There is little reason to suspect anything seriously in Moree's passing along the highly technical document with "India MRCA Request for Proposal" as title.

The Indian government had just released the request a week earlier, on Aug. 28, and the language in the e-mail closely tracked the request.

It referred to upcoming Air Force communiqués and a "Teaming Meeting", making the message appear more credible.

Page 21: e-SPIONAGE

It was sent by an unknown attacker, bounced through an Internet address in South Korea, relayed through a Yahoo! server in New York, and finally made its way toward Mulhern's Booz Allen in-box.

The digital trail to cybersyndrome.3322.org leads to one of China's largest free domain-name-registration and e-mail services, called 3322.org.

Poison Ivy – can steal any information it can access. RAT – remote administration tool.
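The relay trail and spoofed sender described above are exactly what a mail gateway or an analyst can reconstruct from the Received headers. As an added example that is not from the slides or the Business Week article, this Python script parses a constructed message (placeholder domains and documentation-range addresses, not the real headers) and reports whether the claimed sender domain ever handled the message, which hop it originated from, and whether the attachment carries an executable or double extension. The risky-extension list is an assumption for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed message modelled on the case in the slides: the From: domain is
# the apparent sender, but the Received chain shows the message entered via a
# webmail relay from an unrelated origin. All names/addresses are placeholders.
SAMPLE_MESSAGE = """\
Received: from mx.consultancy.example (mx.consultancy.example [192.0.2.10])
    by mail.consultancy.example with ESMTP; Tue, 4 Sep 2007 10:15:02 -0400
Received: from web1234.mail.webmail.example ([198.51.100.23])
    by mx.consultancy.example with SMTP; Tue, 4 Sep 2007 10:15:01 -0400
Received: from [203.0.113.45] (203.0.113.45)
    by web1234.mail.webmail.example via HTTP; Tue, 4 Sep 2007 10:14:59 -0400
From: "Program Office" <contact@airforce-unit.example>
To: executive@consultancy.example
Subject: India MRCA Request for Proposal
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the RFP, ahead of the Teaming Meeting.
--b1
Content-Type: application/octet-stream; name="India_MRCA_RFP.pdf.exe"
Content-Disposition: attachment; filename="India_MRCA_RFP.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Assumed list of extensions worth flagging; extend to taste.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}


def received_hops(msg):
    """Return (from_host, ip) for each Received header, earliest hop first.
    Headers are prepended by each relay, so the last one is the origin."""
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())          # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", text)
        hops.append((m_from.group(1).strip("[]") if m_from else "?",
                     m_ip.group(1) if m_ip else "?"))
    return list(reversed(hops))


def sender_domain(msg):
    """Domain part of the From: address, lower-cased (empty if none)."""
    m = re.search(r"@([\w.-]+)", str(msg["From"]))
    return m.group(1).lower() if m else ""


def analyze(raw):
    """Return a list of human-readable findings for the raw message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    hops = received_hops(msg)
    domain = sender_domain(msg)
    # A genuine message from this domain normally passes its own mail servers.
    if not any(host.lower().endswith(domain) for host, _ in hops):
        findings.append(f"claimed sender domain {domain} never handled the message")
    if hops:
        findings.append(f"originating hop {hops[0][1]} ({len(hops)} Received headers)")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().rsplit(".", 2)
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXT:
            findings.append(f"executable attachment {name}")
        if len(pieces) == 3:                           # e.g. report.pdf.exe
            findings.append(f"double extension on {name}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print(finding)
```

The domain check is deliberately simple (a forwarded or list-relayed message will also trip it), so it is a triage signal to combine with the attachment findings rather than a verdict on its own; in the real case the same reasoning would have shown a message claiming an Air Force sender arriving through a webmail relay from an unrelated origin.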

Page 22: e-SPIONAGE

Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year.

Many of the new attackers are trained professionals backed by foreign governments.

Page 23: e-SPIONAGE

Major Attacks

Solar Sunrise – Feb 1998
Air Force and Navy computers were hit by malicious code while the U.S. was preparing to attack Iraq.

Moonlight Maze – March 1998–1999
Defence Dept., NASA, Energy Dept., weapons labs.

Large packets of unclassified data were stolen.

Page 24: e-SPIONAGE

Titan Rain – 2004
Classified data on computers of defence contractors: Lockheed Martin, Sandia National Labs and NASA.

Byzantine Foothold – 2007
Many corporations – from state depts. to Boeing.

Page 25: e-SPIONAGE

Paul Kurtz, former national security officer, explains how the U.S. government and its defense contractors have been the victims of an unprecedented rash of similar cyber attacks over the last two years.

Video

Page 26: e-SPIONAGE

References

http://www.cs.wisc.edu/wisa/presentations/2003/0722/spyware/spyware.03.0722.pdf

Wikipedia

Business Week – April 21st 2008, http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm

Page 27: e-SPIONAGE

Discussion

Has the Internet become too unwieldy to be tamed?