Cyber Attack Taxonomy – (unfinished draft)
script kiddies, newbies, novices
This is the least sophisticated category of adversaries, comprised of individuals with limited
programming skills. They are new to hacking and rely on pre-written scripts known as „toolkits‟ in their
exploits; examples of these include NeoSploit, WebAttacker, and IcePack (Westervelt, 2007) . The
primary motivation of these adversaries is boredom and thrill-seeking; they are often young and eager
for acceptance from the hacker subculture. Though they are attracted to deviant behavior, their overall
maliciousness level tends to be low, because of their limited skills. With the increasing sophistication of
the available toolkits, their ability to pull off larger-scale attacks is on the rise, as in the case of the
denial-of-service attacks perpetuated by „Mafia Boy‟ in Canada (Rogers, 2006).
hacktivists, political activists
These adversaries are different than the other classes in that they are motivated by a political cause
rather than a form of personal gain. Their attacks consist primarily of denial of service and defacement
attacks against the sites of rival organizations, though they have also been known to employ worms and
viruses (Denning, 2001). Their maliciousness is highly focused against the targeted organizations, though
it can still have broad-reaching consequences. Some examples of hacktivism include the „virtual sit-ins‟
perpetuated by Electronic Disturbance Theater against the Pentagon and other agencies, in protest of
perceived civil rights violations; email bombs used by the Internet Black Tigers throughout Sri Lanka to
gain publicity for the Tamil Tigers; and worm propagation by WANK (Worms Against Nuclear Killers) on
computers in NASA‟s Goddard Space Flight center, protesting an upcoming launch (Denning, 2001).
cyber punks, crashers, thugs
Adversaries in this class have similar motivations but greater skills than those in the novice category.
They are capable of writing their own (limited) scripts and engaging in malicious acts such as spamming,
defacing, and identity theft. These hackers seek attention and prestige and are most likely to be
featured in the media, often because they pick high-profile targets and come under the notice of
authorities (Rogers, 2006). Occasionally such adversaries will go on to become internet security
consultants, as in the case of Kevin Mitnick, who combined his hacking skills with social engineering to
gain access to restricted systems (Mitnick, 2002; Rogers, 2006).
insiders, user malcontents
This group of adversaries represents arguably the greatest risk to companies, and yet is often the least
publicized (Rogers, 2006; Gelles et al., 2008). Insiders are most frequently motivated by revenge, usually
in response to a negative work-related event; this frustration leads them to deliberately attack their own
company (Kowalski et al., 2008). The scope of insider damage can be extremely large, as these
individuals are often very familiar with the systems that they are attacking and often hold elevated
access privileges. Insiders often seek to sabotage systems, as in the case of Michael Lauffenberger, who
planted a logic bomb to delete data in a system that he designed and envisioned subsequently coming
to „rescue‟ his company (Shaw et al., 1998).
coders, writers
Adversaries in this category are primarily involved in writing the codes and exploits that are used by
others, especially those in the novice category. Their motivation is power and prestige: they see
themselves as the mentors to the younger hackers and like feeling important (Rogers, 2006). There is a
continuum of ability within individuals in the category, and it has been suggested that many such writers
eventually „age out‟ of this behavior (Gordon, 2006). In general, such writers can be quite dangerous, as
their software can be widely distributed and acquire a life of its own.
white hat hackers, old guard, sneakers
Individuals in this category consider themselves „purists‟ and ascribe to the flavor of hacking initially
popularized at MIT in the early days of computers. They are not malicious hackers and do not wish to
cause damage, though they often show a lack of regard for personal privacy (Rogers, 2006). White hat
hackers are primarily motivated by the intellectual challenge of testing security systems and creating
new programming. They are often hired as security analysts, paid to test a company‟s defenses by trying
to break into their system and assessing its response (Barber, 2001). The National Security Agency even
offers certification in such „ethical hacking‟ activities (Taylor et al., 2006). Although these individuals
probably should not be considered “adversaries,” we include them in our treatment for the sake of
completeness.
black hat hackers, professionals, elite
The adversaries in this category are professional criminals, who use their technical skills in pursuance of
their criminal activities. Similar to criminals outside the cyber domain, they are motivated by money and
greed. Rather than seeking fame, they prefer to lay low and evade authorities (Rogers, 2006). These
hackers are both rare and very dangerous, as they have strong technical skills and are often able to
support themselves through their criminal exploits. Such adversaries are often employed by organized
crime, and can be described as „guns for hire‟. Although this is one of the most dangerous types of
cyber adversaries, it is also the one about which the least is known (Rogers, 2006).
cyber terrorists
The most dangerous and skilled of all cyber adversary classes, cyber terrorists engage in state-sponsored
information technology warfare. Their job is to conduct attacks that destabilize, disrupt, and destroy the
cyber assets and data of an enemy nation or government organization (Rogers, 2006). Attacks by cyber
terrorists are typically well-funded and highly secretive; individuals engaging in such activities have
extremely high skills and are motivated by ideology. One of the best known examples of such terrorism
occurred in Estonia in 2007, following the removal of a Russian World War II monument; a massive
denial of service attack crippled the websites of Parliament, several national newspapers, and the
central bank (Landler & Markoff, 2007). A similarly crippling DDoS attack preceded the conflict between
Russia and the Republic of Georgia in 2008 (Markoff, 2008). Such attacks are hard to prosecute, which
makes them even more dangerous, and guarding against these attacks has become a top national
priority.
viruses
A computer virus is a program that can copy itself and infect system files without knowledge of the user.
Viruses are transferred when their host is connected with the target system, either via a computer
network, the internet, or a form of removable media. The spread of viruses is dependent on user
interaction, in particular in the execution of the corresponding virus code; for this reason many viruses
are attached to legitimate program executables. The term „computer virus‟ was first used in 1983 by
Frederick Cohen, who likened the spread of the program to a biological system (Highland, 1997).
Possibly the most destructive virus to date is the ILOVEYOU virus, a visual basic scripting virus that
originated in the Philippines and caused 10 to 15 billion dollars of damage worldwide in the year 2000
(Jones, 2006).
File Infectors
File infector viruses infect files on the victim’s computer by inserting themselves into a file.
Usually the file is an executable file, such as a .EXE or .COM in Windows. When the infected file
is run, the virus executes as well.
The Infector Virus is an example of a file infector virus obtained from [65]. The Infector Virus
infects .COM files in Windows based systems by attaching itself to the end of the target file.
Infection occurs when the infected file is run with the virus selecting one .COM file in the
current directory as the target file.
System and Boot Record Infectors
System and boot record infectors were the most common type of virus until the mid 1990s.
These types of viruses infect system areas of a computer such as the Master Boot Record (MBR)
on hard disks and the DOS boot record on floppy disks. By installing itself into boot records, the
virus can run itself every time the computer is booted up. Floppy disks are often infected as
users tend to leave floppy disks in the floppy drive. If left in the floppy drive, on reboot the
computer may boot from the floppy disk. Thus, the virus has a chance to execute. These types of
viruses were very common in the early days of personal computing. However, with the
introduction of more modern operating systems, and virus checks being enabled in the Basic
Input Output System (BIOS), few of these viruses are being created today. New means of
propagation, such as the Internet, are also much more attractive to virus creators.
Macro Viruses
Macro viruses are simply macros for popular programs, such as Microsoft Word, that are
malicious. For example, they may delete information from a document or insert phrases into it.
Propagation is usually through the infected files. If a user opens a document that is infected, the
virus may install itself so that any subsequent documents are also infected. Some macro viruses
propagate via email1, such as the Melissa virus covered in the next section. Often the macro
virus will be attached as an apparently benign file to fool the user into infecting themselves.
The Melissa virus is the best known macro virus. It was released in March 1999, and targeted
Microsoft Word 97 and 2000. The virus worked by emailing a victim with an email that appeared
to come from an acquaintance. The email contained an Microsoft Word document as an
attachment, that if opened, would infect Microsoft Word and if the victim used the Microsoft
Outlook 97 or 98 email client, the virus would be forwarded to the first 50 contacts in the
victim’s address book. Melissa caused a significant amount of damage, as the email sent by the
virus flooded email servers. ICSA estimated that Melissa could have caused damage as high as
USD $385 million. The classification of Melissa is interesting. Some consider it a virus, others
consider it a worm. Under the proposed taxonomy in Chapter 4, Melissa is considered to be a
mass-mailing worm with a viral payload.
Virus Properties
Viruses often have additional properties, beyond being an infector or macro virus. A virus may
also be multi-partite, stealth, encrypted or polymorphic. Multi-partite viruses are hybrid viruses
that infect both files and system and/or boot-records. This means multi-partite viruses have the
potential to be more damaging, and resistant. Which makes them type of blended attack. A
stealth virus is one that attempts to hide its presence. This may involve attaching itself to files
that are not usually seen by the user. Viruses can use encryption to hide their payload. A virus
using encryption will know how to decrypt itself to run. As the bulk of the virus is encrypted, it is
harder to detect and analyze. Some viruses have the ability to change themselves as either time
goes by, or when they replicate themselves. Such viruses are called polymorphic viruses.
Polymorphic viruses can usually avoid being eradicated longer than other types of viruses as
their signature changes.
worms
A computer worm is a self-replicating program that uses a host network to send copies of itself to other
computers on the network. As opposed to viruses, worms do not need to attach themselves to existing
programs and can be spread without any user interaction; moreover, they seek to infect the network
infrastructure rather than individual files. Worms spread primarily by exploiting vulnerabilities in
operating systems, most often striking unupdated systems after a major security patch. Commonly,
worms install a „backdoor‟ on infected systems to allow remote control; using this, the Sobig worms
were able to create a massive „botnet‟ of systems dedicated to sending spam (Levy, 2003). Worms can
spread very quickly, as in the case of SQL Slammer, which shut down all of South Korea‟s online capacity
for 12 hours after its launch in 2003 (Jones, 2006).
Mass-Mailing Worms
Mass-mailing worms are an interesting category as many attacks in this category could quite
easily be classified as a worm, virus or both. For the purpose of this research and the taxonomy,
a mass-mailing worm is a worm that spreads through email. Once the email has reached its
target it may have a payload in the form of a virus or trojan. Email, although it may become a file
on its journey, is more abstract than a file. Therefore, while some attacks may use email
attachments to send viruses, the attack vector2 is still email. A case could be made that a massmailing virus category would be more appropriate, but the proposed taxonomy attempts to
use the attack vector as the first means of classification. Therefore, an attack such as Melissa
should be classified first as a mass-mailing worm.
Network-Aware Worms
Network-aware worms are a major problem for the Internet. Worms such as SQL Slammer have
shown that the Internet can be degraded by a well written worm. Network-aware worms
generally follow a four stage propagation model. Although this is a generalization, most
network-aware worms will fit into this model. Four stages of network worm propagation:
The first step is target selection. The compromised host3 targets a host. The compromised host
then attempts to gain access to the target host by exploitation. For example, the SQL Slammer
worm exploited a known vulnerability in Microsoft SQL Server 2000 and Microsoft Desktop
Engine. Once the worm has access to the target host, it can infect it. Infection may include
loading trojans onto the target host, creating back doors or modifying files. Once infection is
complete, the target host is now compromised and can be used by the worm to continue
propagation.
trojans
Much like the mythical Trojan horse, trojan attacks function by concealing their malicious intent. They
masquerade as a piece of software that performs a desired function, while secretly executing malicious
content. Users can are fooled into installing the trojan via one of many vectors, most often online
downloads or email links. The most common types of trojans install a „backdoor‟ on infected systems to
allow remote access, or engage in data destruction. As opposed to viruses and worms, trojans do not
self-replicate and rely entirely on the distribution of their host program to propagate. The earliest trojan
horse dates back to 1975, when the computer game ANIMAL housed the subroutine PERVADE, which
copied itself into every directory in which the user had access (Walker, 1996). More recently, in 2008 the
Chinese password-collecting trojan Mocmex was found housed in digital photo frames (Soper, 2008).
buffer overflows
In programming, a buffer overflow occurs when a program writes more information into the buffer
(temporary memory storage) than the space allocated to it in memory. During a buffer overflow attack,
malicious users exploit this property by forcing a buffer overflow to overwrite local variables and alter
program execution, forcing the process to execute malicious code introduced by the user. Such
techniques are well-documented and most often used to gain control of host systems (Levy, 1996).
This buffer overflow technique may be used as a method of enabling other attacks such as worms to be
executed on a system. This method was used in both the Code Red and SQL Slammer worms, which
exploited overflow vulnerabilities in Microsoft‟s Internet Information Services and SQL server
respectively (Chen & Robert, 2004).
denial of service
A denial of service attack functions by making a computer network or resource inaccessible to legitimate
users. Most often this is accomplished by “flooding” the target with data, so that it is overloaded with
such requests. Common targets of these attacks include network routers (resulting in very slow network
performance), DNS servers (resulting in an inability to access websites), and email accounts (resulting in
a “mail bomb” deluge of spam). In a distributed denial of service attack, multiple systems combine to
flood the bandwidth and resources of the target. The first widely publicized distributed attack occurred
in 2000, when numerous high-profile websites (including Amazon.com, Yahoo, eBay, and CNN) were
crippled for several hours (Garber, 2000). Such attacks can also have political overtones, as in the
bombardment of Georgian government websites shortly preceding conflict with Russia (Markoff, 2008).
Buffer Overflows
Buffer overflows are probably the most widely used means of attacking a computer or network.
They are rarely launched on their own, and are usually part of a blended attack. Buffer
overflows are used to exploit flawed programming, in which buffers are allowed to be overfilled.
If a buffer is filled beyond its capacity, the data filling it can then overflow into the adjacent
memory, and then can either corrupt data or be used to change the execution of the program.
There are two main types of buffer overflows described below.
Stack Buffer Overflow
A stack is an area of memory that a process uses to store data such as local variables, method
parameters and return addresses. Often buffers are declared at the start of a program and so
are stored in the stack. Each process has its own stack, and its own heap (as explained in the
next section). Stack overflows are the most common form of buffer overflows. Overflowing a
stack buffer was one of the first types of buffer overflows and is one that is commonly used to
gain control of a process. In this type of buffer overflow, a buffer is declared with a certain size.
If the process controlling the buffer does not make adequate checks, an attacker can attempt to
put in data that is larger than the size of the buffer. This means once the buffer is full, the
remaining data being put into it overflows the buffer and overwrites the adjacent memory. An
attacker may place malicious code in the buffer. Part of the adjacent memory will often contain
the pointer to the next line of code to execute. Thus, the buffer overflow can overwrite the
pointer to point to the beginning of the buffer, and hence the beginning of the malicious code.
Thus, the stack buffer overflow can give control of a process to an attacker.
Heap Overflows
Heap overflows are similar to stack overflows but are generally more difficult to create. The
heap is similar to the stack, but stores dynamically allocated data. The difference between stack
allocated data and heap allocated data is shown below:
#include <stdlib.h>
int main(){
char stack_buffer[256];
char *heap_buffer = (char *) malloc(256 * sizeof(char));
return 0;
}
The heap does not usually contain return addresses like the stack, so it is harder to gain control
over a process than if the stack is used. However, the heap contains pointers to data and to
functions. A successful buffer overflow will allow the attacker to manipulate the process’s
execution. An example would be to overflow a string buffer containing a filename, so that the
filename is now an important system file. The attacker could then use the process to overwrite
the system file (if the process has the correct privileges).
Denial of Service Attacks
Denial of Service (DoS) attacks, sometimes known as nuke attacks, are designed to deny
legitimate users of a system from accessing or using the system in a satisfactory manner. DoS
attacks usually disrupt the service of a network or a computer, so that it is either impossible to
use, or its performance is seriously degraded. There are three main types of DoS attacks: host
based, network based and distributed.
Host Based
Host based DoS attacks aim at attacking computers. Either a vulnerability in the operating
system, application software or in the configuration of the host are targeted.
Resource Hog
Some host based DoS are designed to use up (hog) resources on a computer. Resources such as
CPU time and memory use are the most common targets. For example, a trivial resource hog is
the fork bomb. A fork bomb simply spawns child processes continually, thus over time, more
and more resources are taken up by the bomb and its children. A Unix based fork bomb4,
written in C, is shown below:
#include <stdlib.h>
int main(){
while(1){
fork();
}
return 0;
}
Fork bombs, while very effective, are usually easily detected, either through the marked
increase in processes, or through logging. They can also be easily prevented by configuring the
operating system correctly. Another type of resource hogs access memory in certain patterns, so
that thrashing5 occurs. CPU hogs such as Snork, exploit vulnerabilities in the operating system.
The Snork attack consumes 100% of the target’s CPU time. Snork also has a network based DoS
component that allows Snork to reduce network bandwidth for legitimate users by continuously
bouncing packets between hosts on the network.
Crashers
Crashers are a form of host based DoS that are simply designed to crash the host system, so that
it must be restarted. Crashers usually target a vulnerability in the host’s operating system. Many
crashers work by exploiting the implementation of network protocols by various operating
systems. Some operating systems cannot handle certain packets, and if received cause the
operating system to hang or crash. Some examples of crashers include Land and Teardrop, and
the Ping o’ Death.
Network Based
Network based DoS attacks target network resources in an attempt to disrupt legitimate use.
Network based DoS usually flood the network and the target with packets. To succeed in
flooding, more packets than the target can handle must be sent, or if the attacker is attacking
the network, enough packets must be flooded so that the bandwidth left for legitimate users is
severely reduced.
Three main methods of flooding have been identified in:
TCP Floods: TCP packets are streamed to the target. ICMP Echo Request/Reply:
ICMP packets are streamed to the target.When run on a Gentoo Linux 1.4 box, the fork
bomb caused an almost instantaneous lock up. Where more memory pages are
accessed than can fit in the physical memory. This results in writing and reading memory
pages to and from the hard disk repeatedly, which slows the system significantly down.
Essentially “pinging” the target UDP Floods: UDP packets are streamed to the target.
In addition to a high volume of packets, often packets have certain flags set to make them more
difficult to process. If the target is the network, the broadcast address7 of the network is often
targeted. One simple way of reducing network bandwidth is through a ping flood. Ping floods
can be created by sending ICMP request packets of a large size to a large number of addresses
(perhaps through the broadcast address) at a fast rate. On most modern operating systems, root
access is required to run the ping utility in that way.
Distributed
The last type of DoS attack is perhaps the most interesting. Distributed DoS (DDoS) attacks are a
recent development in computer and network attack methodologies. The DDoS attack
methodology was first seen in 1999 with the introduction of attack tools such as The DoS
Project’s Trinoo, The Tribe Flood Network and Stacheldraht. Between February 7 and 11, 2000,
DDoS attacks were put into the spotlight when DDoS attacks were launched at a number of
high-profile web-sites, including Ebay.com, Amazon.com, Yahoo.com and CNN.com. The DDoS
attacks were effective enough to disrupt the websites’ operation for several hours. DDoS attacks
work by using a large number of attack hosts to direct a simultaneous attack on a target or
targets. A number of master nodes are used to control a larger number of daemon nodes10
which launch the attack on the target. The master nodes then order all daemon nodes under
them to launch the attack. Finally, the daemon nodes attack the target simultaneously, causing
a denial of service. With enough daemon nodes, even a simple web page request will stop the
target from serving legitimate user requests.
network attacks
Within our taxonomy, a network attack is one in which network protocols are manipulated to exploit
other users or systems. Examples of such attacks include IP spoofing, in which the source IP address is
falsified (Heberlein & Bishop, 1996); web/email phishing, in which a legitimate website or email is
reproduced by a hacker (Emigh, 2005); session hijacking, in which the theft of a session cookie leads to
exploitation of a valid computer session (Xia & Brustoloni, 2004); and cross-site scripting attacks, in
which malicious code is injected into web applications (Di Lucca et al., 2004). These attacks are often
used in conjunction with other attacks in the taxonomy, such as denial of service attacks. They can also
be quite costly: an estimated $1.2 billion were lost in phishing attacks in the year 2003 (Emigh, 2005).
Spoofing
Network spoofing is the process in which an attacker passes themselves off as someone else.
There are several ways of spoofing in the standard TCP/IP network protocol stack, including:
MAC address spoofing at the data-link layer and IP spoofing at the network layer. By spoofing
who they are, an attacker can pretend to be a legitimate user or can manipulate existing
communications from the victim host.
MAC Address Spoofing
Medium Access Control (MAC) address spoofing is where the hardware address, that is, the
MAC address, is changed so that either the attacker’s computer is no longer identifiable as
theirs, or the MAC address is the same as a victim’s MAC address. This can be used by the
attacker to pretend to be someone other than themselves and potentially take over the victim’s
communications with other computers on the network In Linux for example, the procedure is
simply:
bash$ ifconfig eth0 down
bash$ ifconfig eth0 hw ether 00:00:00:00:00:00
bash$ ifconfig eth0 up
Where 00:00:00:00:00:00 is the new MAC address. In Windows, the procedure is more
complicated and involves modifying the registry. MAC address spoofing is only useful to an
attacker if their target is on the same subnet as they are. MAC operates at the data-link layer,
and so is only used locally. To spoof beyond the local subnet, an attacker must spoof at a higher
layer, for example the network layer.
IP Spoofing
Internet Protocol (IP) spoofing is similar to MAC address spoofing described above. However,
the attacker’s IP address is now spoofed. IP address ranges are often used to determine whether
or not a host has access to certain services, so through IP spoofing unauthorized access may be
obtained. IP spoofing is often used to inject commands or data into a existing stream of data
between the host and other hosts. To completely take over the data stream, the attacker must
change the routing tables so that the packets are routed to the spoofed host.
Session Hijacking
Session hijacking is the process by which an attacker takes over a session taking place between
two victim hosts. The attack essentially cuts in and takes over the place of one of the hosts.
Session hijacking usually takes place at the TCP layer, and is used to take over sessions of
applications such as Telnet and FTP. TCP session hijacking involves use of IP spoofing, as
mentioned above, and TCP sequence number guessing. To carry out a successful TCP session
hijacking, the attacker will attempt to predict the TCP sequence number that the session being
hijacked is up to. Once the sequence number has been identified, the attacker can spoof their IP
address to match the host they are cutting out and send a TCP packet with the correct sequence
number. The other host will accept the TCP packet, as the sequence number is correct, and will
start sending packets to the attacker. The cut out host will be ignored by the other host as it will
no longer have the correct sequence number. Sequence number prediction is most easily done
if the attacker has access to the IP packets passing between the two victim hosts. The attacker
simply needs to capture packets and analyze them to determine the sequence number. If the
attacker does not have access to the IP packets, then the attacker must guess the sequence
number. Sequence numbers are generated in three ways:
1. 64K rule: The initial sequence counter is incremented with a constant value every
second, usually 128 000. Which if done incorrectly could damage the Windows
installation. The spoofed host is the host which has its IP address spoofed to the victim
host’s address.
2. Time related generation: The counter is increased at regular intervals by a number of
time-units.
3. Pseudo-random generation: The counter is increased by a pseudo-random number.
Prediction is easy when the first method is used. The second is significantly harder, while the
third is so hard that most attackers would not bother trying to predict the sequence. Once a
session has been hijacked, the attacker is able to do a wide variety of malicious activities. For
example, if a Telnet session has been hijacked, the attacker may be able to access the victim’s
account.
Wireless Network Attacks
Wireless networks, especially those based on the IEEE 802.11x standards are growing in
popularity. However, there are a number of inherent weaknesses in wireless networks that are
not an issue in traditional wired networks. Most wireless networks are not configured securely
and usually only require MAC address spoofing to gain full access.
Web Application Attacks
Web application attacks are network attacks that are aimed against web applications. Essentially
the application layer of the TCP/IP protocol stack is attacked. Web applications are run through
a web browser, but are more than a simple web site. They are usually connected to a database,
or at the least have some programs or scripts controlling the web site. An example of a common
web application is Internet banking. Web application attacks are different to attacks that target
normal applications, as web applications build upon and use network protocols extensively.
Described below are a number of ways in which web applications can be attacked.
Cross Site Scripting
Cross Site Scripting involves embedding a script within a web application. Usually it occurs on
pages that allow for input, such as a guest book or a web forum. The attacker posts a message
that contains an embedded script that serves some malicious purpose. For example, the script
may prompt other users browsing that page for a user name and password. Other threats
include session and account hijacking, cookie theft, and cookie poisoning.
Parameter Tampering
Parameter tampering is a simple web application attack in which the attacker identifies
parameters used to drive a web application and modifies a URL header to manipulate the
parameters. On a poorly designed site, parameter tampering could be used to maliciously
modify stored data. To prevent a parameter tampering attack, parameters should be checked
carefully by the web application before processing them.
Cookie Poisoning
Today cookie poisoning is not a large threat, as cookies are usually encrypted. However, it still
remains a common form of attack. Cookie poisoning involves modifying a cookie so that the web
application is deceived into giving away sensitive data. It is usually used to steal the identity of a
user, so that the web application treats the attacker as the victim. Thus, the attacker can access
the web application as the victim, and can then gain, damage or delete confidential information.
Database Attacks
Database attacks are web application attacks aimed at accessing the underlying database that
drives the web application. The most common form of this type of attack is SQL injection. SQL
injection involves submitting a request to the web application with SQL commands appended in
a way that the web application passes them on to the database to be processed. For example,
suppose the script running the website used the following query (written in PHP):
$result = mysql_query
("SELECT * FROM atable WHERE login=’$user’ and password=’$password’");
If the attacker enters a valid user name in the user name field and in the password field
enters:
password’ or ’x’=x
Then the query becomes:
SELECT * FROM some_table WHERE login=’username
and password=’password’ or ’x’=x
Thus, the password has effectively been made useless, and the attacker can log on to the
database as any legitimate user without having to know their passwords.
Hidden Field Manipulation
Hidden field manipulation is a very simple way of attacking a web application. The attacker
downloads an HTML page and modifies hidden fields contained in the page. The attacker then
reposts the page to the server. Hidden fields may contain important information such as session
IDs and user data. Some hidden fields may even contain information such as prices for products
being sold through the web applications, so it is possible for an attacker to change prices so that
they can buy or sell products at a price that benefits the attacker.
physical attacks
Some of the most frightening cyber attacks are physical in nature, such as those using electromagnetic
radiation waves to disrupt or damage the electrical parts of a system or decode its signals. A high-energy
radio frequency (HERF) gun blasts a high-power electromagnetic pulse capable of physically destroying a
computer‟s motherboard and other components (Schwartau, 1996). Similar to this but even stronger is
the electromagnetic pulse transformer (EMP/T) bomb, which can generate a thousand times the
damage of HERF (Schwartau, 1996). Using a different mechanism, in a Van Eck attack the
electromagnetic signals of a computer can be hacked to reveal the signal‟s data content, using
equipment costing as little as $15 (Van Eck, 1985). The US government‟s TEMPEST component
standards are designed to mitigate the risk of all these kinds of attacks, but they do not eliminate the
problem (Russell & Gangemi, 1991).
Basic Attacks
Basic physical attacks on computers and networks can be done by almost anyone. They simply
involve using low technological means to cause damage or disruption to a computer or network.
There are many different ways an attack could be carried out in this way, for example: cutting a
network cable; damaging a computer by hitting it; or using explosives to destroy or disrupt a
computer or network. Because of the nature of these attacks, they are very simple to carry out.
However, attacks such as these are not at all subtle, and if someone carried out such an attack it
would be hard for them to remain anonymous.
Energy Weapon Attacks
There are currently three main types of energy weapon attacks that can be used to attack
computers and networks: high and low energy radio frequency (HERF and LERF) attacks and
electro-magnetic pulse (EMP) attacks. While these attacks are more general attacks in that they
target the electronics, they are devastating when used against computers and network devices.
HERF weapons focus high energy radio frequency (RF) on a narrow frequency spectrum. HERF
can be used quite accurately due to the narrow frequency spectrum. The damage caused by
HERF weapons is due to the concentration of energy on electronic components. LERF weapons
on the other hand, use a wide frequency spectrum, but with low energy RF. LERF is effective due
to the wide frequency range as it is likely that the frequencies will match the resonance
frequencies of the target’s electronic components. The Electromagnetic Pulse (EMP) effect was
first discovered when the United States was testing high altitude air burst nuclear weapons. The
nuclear blast created a very powerful, but short, electromagnetic pulse. When electronic
components are exposed to such a pulse, the pulse may create a short transient voltage. The
voltage produced can be enough to render the electronic components useless. Nuclear
explosions are not the only way to produce an EMP as explained in. EMP bombs can be
produced to achieve similar results to a nuclear explosion’s EMP.
Van Eck Attacks
The Van Eck effect16 was popularized by Wim Van Eck in a paper published in 1985. Before the
paper was published, it was thought that reconstructing electromagnetic radiation was very
difficult and would require expensive equipment and highly trained professionals. Van Eck
showed that it was possible to use a television equipped with an extended antenna and two
oscillators to reconstruct the signal from a computer monitor. This showed that it was possible
for anyone with some electronics knowledge to build such a device and use it to obtain data
from a wide range of electronics. By using the Van Eck effect, an attacker can gain sensitive
information from the target computer. However, the attacker can gain much more as a recent
paper showed. By using optical emanations, the attacker can potentially gain access to data
flowing through network equipment.
password attacks/user compromise
Password attacks have the objective of gaining control of a particular system or user‟s account. There
are three basic kinds of such attacks: guessing, based on knowledge of the user‟s personal details;
dictionary attacks, which loop through a list of dictionary words and try to find a match; and brute force
attacks, which loop through sequences of random characters. In a recent study of MySpace passwords,
fully 4% consisted of dictionary words, and another 12% were a word followed by a single number
(Evers, 2006). In a user compromise attack, the implementation of a system or program is exploited to
gain access to sensitive information, such as credit card numbers. Hackers Ian Goldberg and David
Wagner found such a problem in the random number generator used for secure sockets layer (SSL)
transactions in Netscape 1.1, allowing for easy decoding of encrypted communications (Goldberg &
Wagner, 1996).
Password Guessing/Dictionary Attack
Password guessing is the most simplest of password attacks. It simply involves the attacker
attempting to guess the password. This method succeeds more often than would be expected,
as many users are. This is often referred to as a TEMPEST attack. predictable in their password
choice. Passwords such as names of family members or pets are common. Often the attacker
will use a form of social engineering to gain clues as to what the password is. A dictionary attack
is similar, but is a more automated attack. The attacker uses a dictionary of words containing
possible passwords and uses a tool to see if any are the required password. Passwords that are
English words such as “elephant”, will be very quickly discovered with this form of attack.
Brute Force
Brute force attacks work by calculating every possible combination that could make up a
password and testing it to see if it is the correct password. Brute force attacks on passwords are
guaranteed to succeed. The only question is how long the brute force attack will take to find the
correct password. As the password’s length increases, the amount of time, on average, to find
the correct password increases exponentially. This means short passwords can usually be
discovered quite quickly, but longer passwords may take decades.
Exploiting the Implementation
Exploiting the implementation involves examining the programs that provide the password
protection and finding flaws. If the flaw is significant enough it is possible to circumvent the
password protection, or to reveal the password. For example, Microsoft Word 6.0.
info gathering/resource misuse
The last category of attacks is not inherently malicious, but is often found as a precursor or component
of other attacks. These attacks are used to gather information about the target in an attempt to exploit
its defenses and learn more about the system. A mapping exploit is used to gain information on the
hosts in a network, including what programs are running and what operating system is used. Security
scanning is similar, but involves testing the host for known vulnerabilities in the hardware or software it
is using. A packet sniffer is designed to intercept and log traffic on a network, which can potentially be
decoded later (Hansman, 2003). Worms such as Sasser, Slammer, and Code Red also use scanning as a
method of determining vulnerable hosts to compromise (Kikuchi et al., 2008).
Sniffing
Packet sniffers are a simple but invaluable tool for anyone wishing to gather information about a
network or computer. For the attacker, packet sniffers provide a way to glean information about
the host or person they wish to attack, and even gain access to unauthorized information.
Traditional packet sniffers work by putting the attacker’s Ethernet card into promiscuous mode.
An Ethernet card in promiscuous mode accepts all traffic from the network, even when a packet
is not addressed to it. This means the attacker can gain access to any packet that is traversing on
the network they are on. By gathering enough of the right packets the attacker can gain
information such as login names and passwords. Other information can also be gathered, such a
MAC and IP addresses and what services and operating systems are being run on specific hosts.
This form of attack is very passive. The attacker is not sending any packets out, they are only
listening to packets on the network.
Mapping
Mapping is used to gather information about hosts on a network. Information such as what
hosts are online, what services are running and what operating system a host is using, can all be
gathered via mapping. Thus potential targets and the layout of the network, are identified
Host detection is achieved through a variety of methods. Simple ICMP queries can be used to
determine if a host is on-line. TCP SYN messages can be used to determine whether or not a
port on a host is open and thus, whether or not the host is on-line.
After detecting if a host is on-line, mapping tools can be used to determine what operating
system and what services are running on the host. There are a wide range of techniques that
can be used. Simply examining the service banners18 may reveal the operating system. More
advanced techniques include analyzing the network protocol stack used by the operating
system. Running services are usually identified by attempting to connect to a host’s ports. Port
scanners are programs that an attacker can use to automate this process. Basic port scanners
work by connecting to every TCP port on a host and reporting back which ports were open.
More sophisticated port scanners, such as Nmap, use additional techniques to avoid detection
and to gain more information. Mapping identifies potential targets, such as a version 6.0 IIS web
server, but specific vulnerabilities that could be exploited are not identified. Either the attacker
has to choose an attack using the information gathered, or more information needs to be
gathered through security scanning.
Security Scanning
Security scanning is similar to mapping, but is more active and more information is gathered.
Security scanning involves testing a host for known vulnerabilities or weaknesses that could be
exploited by the attacker. For example, a security scanning tool may be able to tell the attacker
that port 80 of the target is running an HTTP server, with a specific vulnerability. Security
scanning is more easily detected than mapping, as attack patterns testing the vulnerabilities can
usually be detected by intrusion detection systems.
Blended Attacks
While blended attacks are not a new development, they have recently become popular with attacks
such as Code Red and Nimda. Blended attacks are attacks that contain multiple threats, for example
multiple means of propagation or multiple attack payloads. Many of the attacks mentioned previously
herein can be considered as blended. The first instance of a blended attack occurred in 1988 with the
first Internet worm: the Morris Worm. The Morris Worm attacked and propagated through multiple
vulnerabilities in Unix based systems. Newer attacks such as Code Red and Nimda work in a similar way
by exploiting multiple vulnerabilities and by launching multiple attacks.
Code Red is the most famous blended attack. It was the first of the new wave of blended attacks and it
came as a surprise to the security industry. Code Red was also the first worm to spread through memory
rather than through file uploads. Microsoft’s Internet Information Services (IIS) web server was Code
Red’s target. IIS versions from 4.0 to 6.0b all contained a buffer overflow vulnerability in the Indexing
Service DLL of IIS. Code Red spread by using a buffer overflow to compromise susceptible hosts and
once a host was infected, Code Red would do the following, depending on which day of the month it
was:
Day 1 - 19: Code Red would try to spread by attempting to connect to vulnerable hosts.
Day 20 - 27: A denial of service attack would be launched against a fixed IP address. Day 28 - end
of month: No activity.
Code Red is a blended attack as it is a worm that utilizes a buffer overflow attack and launches a denial
of service attack. Blended attacks have become one of the leading security threats and will no doubt
continue to be asignificant problem in the future. While blended attacks have existed for some time, a
new wave of highly damaging attacks started with the release of Code Red. The Internet is especially
susceptible to blended threats, as was shown by the recent SQL Slammer attack, in which the Internet
suffered a significant loss of performance.
Dimensions of the Attack – After the fact
Damage: A damage dimension would attempt to measure the amount of damage that the attack does.
Attacks have different degrees of damage. An attack such as the recent SoBig virus cause more damage
than a simple virus such as the Infector virus.
Cost: Cleaning up after an attack costs money. In some cases billions of dollars are spent on attack
recovery.
Propagation: This category applies more to replicating attacks. The propagation of an attack is the speed
at which it reproduces or spreads. For attacks such as worms and viruses, a dimension covering this
aspect would be useful.
Defense: The methods in how an attack has been defended against could be made into a further
defense dimension.
Analysis
Before examining the requirements that the taxonomy is supposed to meet, a brief analysis of the
classification process is given. In general, it was found the taxonomy worked well and that most attacks
were easily (with the appropriate information) classified. However, there were a number of issues that
were identified:
Blended Attacks: While the taxonomy deals with blended attacks well, some blended attacks
(especially Nimda) were hard to classify. This was due to the complexity of the attacks as they
contained multiple sub-attacks.
Targets: The second (target) dimension overall worked well. However, in some cases it was hard
to determine what the target was. For example, a worm like Nimda attacks specific versions of
Internet Explorer (IE) but email clients were affected the most1. However, attacks must made
specific, that is, it is the specific versions of IE that are being attacked and not the email clients.
Blended Sub-Attacks: One problem occurred when classifying the Melissa attack. The Melissa
attack contains a macro virus payload in a Microsoft Word document. The document is a trojan
in the sense that it appears to be benign. The taxonomy was unable to account for both the
payload being a virus and a trojan. However, the main feature of the payload is that it is a virus,
therefore Melissa was categorized in the fourth dimension as a macro virus.
Ranges: Ranges of classifications, especially in the second (target) dimension could be handled
better. Ranges such as DOS versions 2.4 to 4.1 require every DOS version in the range to be
added to the classification. As many email clients use IE to view HTML emails.
Requirements: One problem that the taxonomy cannot handle fully is when an attack requires a
combination of targets to be successful. For example, an attack may require that a certain
operating system run a certain service. If the service and operating system are not in the certain
combination, then the attack fails. Thus, there is a relationship between the two targets. This
relationship is currently not accounted for, so in the above situation, each target will simply be
listed in the second dimension. The same problem exists for the third (vulnerabilities)
dimension.
Level of Automation and Rate
During the attack preparation, the attacker needs to locate prospective agent machines and infect them
with the attack code. Based on the degree of automation of the attack, we differentiate between
manual, semi-automatic and automatic DDoS attacks.
Manual Attacks
Only the early DDoS attacks belonged to the manual category. The attacker scanned
remote machines for vulnerabilities, broke into them and installed the attack code, and then
commanded the onset of the attack. All of these actions were soon automated, leading to
development of semiautomatic DDoS attacks, the category where most contemporary attacks
belong.
Semi-Automatic Attacks
In semi-automatic attacks, the DDoS network consists of handler (master) and agent
(slave, daemon) machines. The attacker deploys automated scripts for scanning and
compromise of those machines and installation of the attack code. He then uses handler
machines to specify the attack type and the victim's address and to command the onset
of the attack to agents, who send packets to the victim. Based on the communication
mechanism deployed between agent and handler machines we divide semi-automatic attacks
into attacks with direct communication and attacks with indirect communication.
Attacks with direct communication During attacks with direct communication, the agent and
handler machines need to know each other's identity in order to communicate. This is
achieved by hard-coding the IP address of the handler machines in the attack code that is
later installed on the agent. Each agent then reports its readiness to the handlers, who store its
IP address in a file for later communication. The obvious drawback of this approach is
that discovery of one compromised machine can expose the whole DDoS network. Also, since
agents and handlers listen to network connections, they are identifiable by network
scanners.
Attacks with indirect communication deploy a level of indirection to increase the
survivability of a DDoS network. Recent attacks provide the example of using IRC channels
for agent/handler communication. The use of IRC services replaces the function of a handler,
since the IRC channel offers sufficient anonymity to the attacker. Since DDoS agents
establish outbound connections to a standard service port used by a legitimate network
service, agent communications to the control point may not be easily differentiated from
legitimate network traffic. The agents do not incorporate a listening port that is easily
detectable with network scanners. An attacker controls the agents using IRC
communications channels. Thus, discovery of a single agent may lead no further than the
identification of one or more IRC servers and channel names used by the DDoS network.
From there, identification of the DDoS network depends on the ability to track agents
currently connected to the IRC server. Although the IRC service is the only current
example of indirect communication, there is nothing to prevent attackers from subverting
other legitimate services for similar purposes.
Automatic Attacks
Automatic DDoS attacks additionally automate the attack phase, thus avoiding the need for
communication between attacker and agent machines. The time of the onset of the
attack, attack type, duration and victim's address is preprogrammed in the attack code. It
is obvious that such deployment mechanisms offer minimal exposure to the attacker, since
he is only involved in issuing a single command – the start of the attack script. The
hardcoded attack specification suggests a single-purpose use of the DDoS network.
However, the propagation mechanisms usually leave the backdoor to the compromised
References
1. R. Barber. Hackers profiled: who are they and what are their motivations? Computer Fraud and Security, 2(1):1417, 2001.
2. D. Bell and L. La Padula. Secure computer system: unified exposition and multics interpretation. Technical
Report MTR-2997, MITRE Corporation, 1976. Accessed at http://csrc.nist.gov/publications/history/bell76.pdf.
3. L. Bridwell. ICSA labs 10th annual computer virus prevalence survey. Technical Report, ICSA Labs, 2005.
Accessed at http://www.icsa.net/icsa/docs/html/library/whitepapers/VPS2004.pdf.
4. N. Chantler. Profile of a Computer Hacker. Infowar, 1996.
5. S. Chapa and R. Craig. The anatomy of cracking. Online Publication, University of Texas, 1996. Accessed at
http://www.actlab.utexas.edu/~aviva/compsec/cracker/crakhome.html.
6. T. Chen and J. Robert. Worm epidemics in high-speed networks. Computer, 37(6):48-53, 2004. Accessed at
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1306386.
7. M. Collins, C. Gates, and G. Kataria. A model for opportunistic network exploits: the case of P2P worms. In
Proceedings of the Fifth Workshop on the Economics of Information Security, Cambridge, England, 2006. Accessed
at http://weis2006.econinfosec.org/docs/30.pdf.
8. D. Denning. Activism, hacktivism, and cyberterrorism: the internet as a tool for influencing foreign policy.
Chapter 8 of Networks and Netwars: the Future of Terror, Crime, and Militancy, Rand Monograph MR-1382, 2001.
Accessed at http://www.rand.org/pubs/monograph_reports/MR1382/index.html.
9. G. Di Lucca, A. Fasolino, M. Mastoanni, and P. Tramontana. Identifying cross-site scripting vulnerabilities in
web applications. In Proceedings of the Sixth International IEEE Workshop on Website Evolution, pages 71-80,
Benevento, Italy, 2004. Accessed at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1410997.
10. S. Eltringham (editor), Computer Crime and Intellectual Property Section, US Department of Justice.
Prosecuting Computer Crimes. Office of Legal Education Executive Office for US Attorneys, 2007. Accessed at
http://www.usdoj.gov/criminal/cybercrime/ccmanual/index.html.
11. A. Emigh. Online identity theft: phishing technology, chokepoints, and countermeasures. Technical Report,
Infosec Technology Transition Council, Department of Homeland Security, 2005. Accessed at
http://www.cyber.st.dhs.gov/docs/phishing-dhs-report.pdf.
12. J. Evers. Report: net users picking safer passwords. ZDNet News, December 16, 2006. Accessed at
http://news.zdnet.com/2100-1009_22-150640.html.
13. C. Fötinger and W. Ziegler. Understanding a hacker‟s mind- a psychological insight into the hijacking of
identities. Technical Report, Danube University, Krems, Austria, 2004. Accessed at
http://www.safetybelt.at/download/danubeuniversityhackersstudy.pdf.
14. L. Garber. Denial-of-service attacks rip the internet. Computer, 33(4):12-17, 2000. Accessed at
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=839316.
15. M. Gelles, D. Brant, and B. Geffert. Building a secure workforce: guard against insider threat. Technical Report,
Deloitte Federal Consulting Services, 2008. Accessed at
http://www.deloitte.com/dtt/article/0,1002,cid%253D226369,00.html.
19
16. J. Glave. Cracking the mind of a hacker. WIRED Magazine, January 20, 1999. Accessed at
http://www.wired.com/science/discoveries/news/1999/01/17427.
17. I. Goldberg and D. Wagner. Randomness and the Netscape browser. Dr. Dobb’s Journal, January 2006.
Accessed at http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html.
18. S. Gordon. Virus writers: the end of the innocence? In Proceedings of the 10th International Virus Bulletin
Conference, Orlando, FL, 2000. Virus Bulletin.
19. S. Gordon. Understanding the adversary: virus writers and beyond. IEEE Security and Privacy, September 2006,
67-70.
20. T. Gorman. The cracker cracks up? Phrack Magazine, December 21, 1986. Accessed at
http://www.phrack.com/issues.html?issue=11&id=11.
21. Government Accountability Office (GAO). Cybercrime: public and private entities face challenges in addressing
cyber threats. Technical Report GAO-07-705, US Government Accountability Office, 2007. Accessed at
http://www.gao.gov/products/GAO-07-705.
22. S. Hansman. A taxonomy of network and computer attack methodologies. Master‟s Thesis, University of
Canterbury, New Zealand, 2003. Accessed at
http://nzcsrsc08.canterbury.ac.nz/research/reports/HonsReps/2003/hons_0306.pdf.
23. S. Hansman and R. Hunt. A taxonomy of network and computer attacks. Computers and Security, 21:31-43,
2005. Accessed at http://linkinghub.elsevier.com/retrieve/pii/S0167404804001804.
24. L. Heberlein and M. Bishop. Attack class: address spoofing. In Proceedings of the National Information Systems
Security Conference, pages 371-377, Baltimore, MD, 1996. NIST. Accessed at
http://seclab.cs.ucdavis.edu/papers/spoof-paper.pdf.
25. H. Highland. A history of computer viruses- introduction. Computers and Security, 16(5):412-415, 1997.
Accessed at http://linkinghub.elsevier.com/retrieve/pii/S0167404897822456.
26. R. Hollinger. Computer hackers follow a Guttman-like progression. Sociology and Social Research, 72:199-200,
1988. Accessed at http://www.phrack.com/issues.html?issue=22&id=7.
27. J. Howard. An analysis of security incidents on the internet, 1989-1995. Ph.D. Thesis, Carnegie Mellon
University, 1997. Accessed at http://www.cert.org/archive/pdf/JHThesis.pdf.
28. J. Howard and T. Longstaff. A common language for computer security incidents. Technical Report SAND988667, Sandia National Laboratories, 1998. Accessed at http://www.cert.org/research/taxonomy_988667.pdf.
29. Internet Crime Complaint Center. 2008 Internet crime complaint report. Technical Report, Internet Crime
Complaint Center, 2008. Accessed at http://www.ic3.gov/media/annualreports.aspx.
30. R. Jennings. A (partial) spammer taxonomy. Computer World, June 21, 2007. Accessed at
http://blogs.computerworld.com/node/5720.
31. G. Jones. The 10 most destructive PC viruses of all time. VARBusiness Magazine, July 7, 2006. Accessed at
http://www.crn.com/it-channel/190301109.
32. S. Keats. Mapping the mal web, revisited. Technical Report, McAfee Inc., 2008. Accessed at
http://www.siteadvisor.com/studies/map_malweb_jun2008.pdf.
33. B. Kehoe. Zen and the Art of the Internet: a Beginner’s Guide. Prentice Hall, 1992. Accessed at http://wwwrohan.sdsu.edu/doc/zen/zen-1.0_toc.html.
20
34. H. Kikuchi, M. Terada, N. Fukuno, and N. Doi. Estimation of increase of scanners based on ISDAS distributed
sensors. Journal of Information Processing, 16:100-109, 2008. Accessed at
http://www.jstage.jst.go.jp/article/ipsjjip/16/0/16_100/_article.
35. M. Kjaerland. A classification of computer security incidents based on reported attack data. Journal of
Investigative Psychology and Offender Profiling, 2:105-120, 2005. Accessed at http://doi.wiley.com/10.1002/jip.31.
36. M. Kjaerland. A taxonomy and comparison of computer security incidents from the commercial and government
sectors. Computers and Security, 25:522-538, 2006. Accessed at
http://linkinghub.elsevier.com/retrieve/pii/S0167404806001234.
37. E. Kowalksi, D. Cappelli, and A. Moore. Insider threat study: illicit cyber activity in the information technology
and telecommunications sector. Technical Report, National Threat Assessment Center, United States Secret Service,
2008. Accessed at http://www.secretservice.gov/ntac.shtml.
38. M. Landler and J. Markoff. Digital fears emerge after data siege in Estonia. The New York Times, May 29, 2007.
Accessed at http://www.nytimes.com/2007/05/29/technology/29estonia.html.
39. B. Landreth. Out of the Inner Circle: a Hacker’s Guide to Computer Security. Microsoft Press, 1985.
40. C. Landwehr. Formal models for computer security. Computing Surveys, 3(13):247-278, 1981. Accessed at
http://portal.acm.org/citation.cfm?id=356852.
41. C. Landwehr, A. Bull, J. McDermott, and W. Choi. A taxonomy of computer program security flaws, with
examples. ACM Computing Surveys, 26(3):211-254, 1994. Accessed at
http://chacs.nrl.navy.mil/publications/CHACS/1994/1994landwehr-acmcs.pdf.
42. L. Lawson. You say cracker; I say hacker: a hacking lexicon. Tech Republic, April 13, 2001. Accessed at
http://articles.techrepublic.com.com/5100-10878_11-1041788.html.
43. E. Levy (under alias Aleph One). Smashing the stack for fun and profit. Phrack Magazine, November 8, 1996.
Accessed at http://www.cs.wright.edu/people/faculty/tkprasad/courses/cs781/alephOne.html.
44. E. Levy. The making of a spam zombie army: dissecting the Sobig worms. IEEE Security and Privacy, 1(4):5859, 2003. Accessed at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1219071.
45. H. Lipson. Tracking and tracing cyber attacks: technical challenges and global policy issues. Technical Report
CMU/SEI-2002-SR-009, Carnegie Mellon University, 2002. Accessed at
http://www.sei.cmu.edu/pub/documents/02.reports/pdf/02sr009.pdf.
46. D. Lough. A taxonomy of computer attacks with applications to wireless networks. Ph.D. Thesis, Virginia
Polytechnic Institute, 2001. Accessed at http://scholar.lib.vt.edu/theses/available/etd-04252001-234145/.
47. J. Markoff. Before the gunfire, cyberattacks. New York Times, August 12, 2008. Accessed at
http://www.nytimes.com/2008/08/13/technology/13cyber.html.
48. K. Mitnick. The Art of Deception: Controlling the Human Element of Security. Wiley, 2002.
49. J. Murphy, P. Elmer-Dewitt, and M. Krance. The 414 gang strikes again. TIME Magazine, August 29, 1983.
Accessed at http://www.time.com/time/magazine/article/0,9171,949797,00.html.
50. G. Popek and C. Kline. A verifiable protection system. ACM SIGPLAN Notices, 10(6):294-304, 1975. Accessed
at http://portal.acm.org/citation.cfm?id=390016.808451.
21
51. J. Post. The dangerous information systems insider: psychological perspectives. Technical Report, George
Washington University, 1998. Retrieved from an archive of http://www.infowar.com.
52. R. Rantala. Bureau of Justice Statistics special report: Cybercrime against businesses, 2005. Technical Report
NCJ 221943, US Department of Justice, 2008. Accessed at http://www.ojp.usdoj.gov/bjs/abstract/cb05.htm.
53. E. Raymond. The Art of Unix Programming. Addison-Wesley Professional Computing Series, 2003. Accessed at
http://www.faqs.org/docs/artu/.
54. R. Richardson. 2008 CSI computer crime and security survey. Technical Report, Computer Security Institute,
2008. Accessed at http://www.gocsi.com/forms/csi_survey.jhtml.
55. M. Rogers. A new hacker taxonomy. Technical Report, University of Manitoba, 1999. Accessed at
http://homes.cerias.purdue.edu/~mkr/hacker.doc.
56. M. Rogers. Psychological theories of crime and hacking. Technical Report, University of Manitoba, 2000.
Accessed at http://homes.cerias.purdue.edu/~mkr/crime.doc.
57. M. Rogers. A social learning theory and moral disengagement analysis of criminal computer behavior: an
exploratory study. Ph.D. Thesis, University of Manitoba, 2001. Accessed at
http://homes.cerias.purdue.edu/~mkr/cybercrime-thesis.pdf.
58. M. Rogers. A two-dimensional circumplex approach to the development of a hacker taxonomy. Digital
Investigation, 3:97-102, 2006.
59. D. Russell and G. Gangemi. Computer Security Basics. O‟Reilly, 1991.
60. J. Rutkowska. Introducing stealth malware taxonomy. Technical Report, COSEINC Advanced Malware Labs,
2006. Accessed at http://www.invisiblethings.org/papers/malware-taxonomy.pdf.
61. W. Scherlis. DARPA establishes computer response team. Press Release, Defense Advanced Research Projects
Agency (DARPA), 1988. Accessed at http://www.cert.org/about/1988press-rel.html.
62. W. Schwartau. Information Warfare: Cyberterrorism: Protecting Your Security in the Electronic Age. Thunder‟s
Mouth Press, 1996. Accessed at http://www.winnschwartau.com/resources/IW1.pdf.
63. E. Shaw, K. Ruby, and J. Post. The insider threat to information systems: the psychology of the dangerous
insider. Security Awareness Bulletin, 2:1-10, 1998. Accessed at http://www.pol-psych.com/sab.pdf.
64. A. Smith and W. Rupp. Issues in cybersecurity: understanding the potential risks associated with
hackers/crackers. Information Management and Computer Security, 10(4):178-183, 2002. Accessed at
http://www.emeraldinsight.com/Insight/viewContentItem.do?contentType=Article&contentId=862828.
65. M. Soper. Digital picture frames- now with free malware! MaximumPC Magazine, February 16, 2008. Accessed
at http://www.maximumpc.com/article/digital_picture_frames_now_with_free_malware.
66. S. Specht and R. Lee. Distributed denial of service: taxonomies of attacks, tools, and countermeasures. In
Proceedings of the 17th International Conference on Parallel and Distributed Computing and Systems, pages 543550, Cambridge, MA, 2004. ACTA Press. Accessed at
http://palms.ee.princeton.edu/PALMSopen/DDoS%20Final%20PDCS%20Paper.pdf.
67. S. Steele and C. Wargo. An introduction to insider threat management. Information Systems Security, 16(1):2333, 2007. Accessed at http://www.infolocktech.com/download/ITM_Whitepaper.pdf.
68. B. Sterling. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Bantam Books, 1993.
Accessed at http://www.mit.edu/hacker/hacker.html.
22
69. C. Stoll. Stalking the wily hacker. Communications of the ACM, 31(5):484-497, 1988. Accessed at
http://pdf.textfiles.com/academics/wilyhacker.pdf.
70. C. Taylor, J. Alves-Foss, and V. Freeman. An academic perspective on the CNSS standards: a survey. In
Proceedings of the 10th Colloquium for Information Systems Security Education, pages 39-46, Adelphi, MD, 2006.
Springer. Accessed at http://www.cisse.info/colloquia/cisse10/proceedings10/pdfs/papers/S02P01.pdf.
71. United States Computer Emergency Readiness Team (US-CERT). Quarterly trends and analysis report, Volume
3, Issue 4. Technical Report, US-CERT, 2008. Accessed at http://www.us-cert.gov/reading_room/.
72. W. Van Eck. Electromagnetic radiation from video display units: an eavesdropping risk? Computers and
Security, 4:269-286, 1985.
73. L. Walleij. Copyright Does Not Exist. Online Book, 1998. Accessed at http://home.c2i.net/nirgendwo/cdne/.
74. J. Walker. The ANIMAL episode. Technical Report, Fourmilab Switzerland, 1996. Accessed at
http://www.fourmilab.ch/documents/univac/animal.html.
75. K. Walter, S. Schaen, W. Ogden, W. Rounds, D. Shumway, D. Schaeffer, K. Biba, F. Bradshaw, S. Ames, and J.
Gilligan. Structured specification of a security kernel. ACM SIGPLAN Notices, 10(6)285-293, 1975. Accessed at
http://portal.acm.org/citation.cfm?id=390016.808450.
76. N. Weaver, V. Paxson, S. Staniford, and R. Cullingham. A taxonomy of computer worms. In Proceedings of the
2003 Workshop on Recurring Malcode, pages 11-18, Washington, DC, 2003. ACM Press. Accessed at
http://www.icir.org/vern/papers/taxonomy.pdf.
77. R. Westervelt. Cybercriminals employ toolkits in rising numbers to steal data. Search Security, September 6,
2007. Accessed at http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1271024,00.html.
78. A. Wood and J. Stankovic. A taxonomy for denial-of-service attacks in wireless sensor networks. Chapter 32 of
Handbook of Sensor Networks: Compact Wireless and Wired Sensing Systems, CRC Press, 2004. Accessed at
http://www.cs.virginia.edu/~adw5p/pubs/handbook04-dos-preprint.pdf.
79. H. Xia and J. Brustoloni. Detecting and blocking unauthorized access in wi-fi networks. In Proceedings of the
Third International IFIP-TC6 Networking Conference, LNCS 3042, Athens, Greece, 2004. Springer. Accessed at
http://www.springerlink.com/content/xbq6gt5uypnrabm5/.