Exploring the Internet
The Dark Side of the Internet
91.113-021 Instructor: Michael Krolak
91.113-031 Instructor: Patrick Krolak
See also http://www.cs.uml.edu/~pkrolak/lab1/lab1.html
Authors: P. D. & M. S. Krolak
Copyright 2005-2011
Edited by Richard Wright, National Expert Traffic & Information Management, Volpe Center US DOT

The Internet and Security
The Dark Side of the Internet

The Dark Side of the Internet is changing our lives in small ways
The creation of an evolving rainbow of wireless devices means that we are always on call, tracked with GPS, and constantly interrupted with text messages, tweets, and emails.

Society and the multitasking lifestyle
• Frazzing: A new term for frantic multitasking, says ABC News, in a world where digital gadgets are all demanding our attention. By one estimate, the average office worker loses 2.1 hours a day to interruptions.

Teens and the Social Network
• Recent medical journal articles have begun documenting how mobile devices are interrupting time formerly reserved for family and friends, i.e. downtime.
• This downtime is now spent texting, tweeting, and posting to Facebook.
• The teenager who cannot stop responding to messages and tweets, even during the night, will soon enter the job world to find the same devices interrupting their business, family, and rest.
• The mobile device replaces real-world experience with a virtual one. This makes it harder to read the situation where micro-expressions of the face and body clue us in to feelings and intentions, to gain a sense of personal space, and to develop other social skills.
Teens and the Social Network: References
• Confusion about the real world and the virtual world: http://boston.cbslocal.com/2011/03/28/doctors-warnabout-facebook-depression-in-teens/
• Too much social collaboration among teens is leading to fatigue and guilt: http://www.boston.com/community/moms/articles/2011/03/27/on_call_all_night_can_leave_texting_teens_tired_out/
• Living in cyberspace, the virtual world, is not the same as living: http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2009/06/16/texting_is_not_talking/

Hoaxes create anxiety, worries, and in some cases real problems
With the advent of Internet social networks, chat rooms, and blogs, rumors and hoaxes can travel around the world and reach millions in days if not minutes.

Hoaxes: the chain email
• In the days of snail mail, the chain letter offered some reward, an answered prayer, or good luck to the receiver of the letter if they then copied it and sent 10 copies to others. In some cases it asked that the person put their name and address on a list and send money to the person higher on the list.
• Today hoax emails ask that the user say a prayer, do a good deed, send money to a charity, etc. In addition the person is asked to forward it to at least 10 friends. At the very least this clogs the email system with junk. At worst it is a scam that may harm your computer or add your email address to a spam or sucker list.
• Action: Delete the email immediately and/or notify your system administrator so it can be blocked. For more see the Pyramid Scheme section.

Urban Legend (also urban myth or urban tale)
An urban legend, urban myth, urban tale, or contemporary legend is a form of modern folklore consisting of apocryphal stories believed by their tellers to be true.
As with all folklore and mythology, the designation suggests nothing about the story's factuality or falsehood, but merely that it is in non-institutional circulation, exhibits variation over time, and carries some significance that motivates the community in preserving and propagating it.
Source: http://en.wikipedia.org/wiki/Urban_legend

Urban legend
• Despite its name, a typical urban legend does not necessarily originate in an urban area. Rather, the term is used to differentiate modern legend from traditional folklore in preindustrial times. For this reason, sociologists and folklorists prefer the term contemporary legend.
• Urban legends are sometimes repeated in news stories and, in recent years, distributed by e-mail. People frequently allege that such tales happened to a "friend of a friend" -- so often, in fact, that "friend of a friend" ("FOAF") has become a commonly used term when recounting this type of story.

Belief and relation to mythology
• The earliest term by which these narratives were known, "urban belief tales," highlights what was then thought to be a key property: they were held, by their tellers, to be true accounts, and the device of the FOAF was a spurious but significant effort at authentication.[16] The coinage leads in turn to the terms "FOAFlore" and "FOAFtale".
• Recently social scientists have started to draw on urban legends in order to help explain complex sociopsychological beliefs, such as attitudes to crime, childcare, fast food, SUVs and other 'family' choices.[20]

Debunking or Fact Checking
• Urban myths - http://www.urbanmyths.com/
• FactCheck.org - Annenberg Political Fact Check
• snopes.com: Urban Legends Reference Pages
• PolitiFact | Sorting out the truth in politics

Spam
Source: http://www.unt.edu/benchmarks/archives/2005/february05/spamandcookiescolor.gif
• Spam is electronic junk mail that clogs our internet like the fatty canned meat of the same name clogs our arteries.
  – Communication lines back up at an alarming rate,
  – Storage is gobbled up,
  – Servers and processors thrash, and
  – Users are irritated at best, incapacitated at worst.
• Spam costs the ISPs and others a fortune to prevent and/or to remove.
• At its worst spam is used by scammers, hackers, and others to market to and prey on literally millions of users at a very low cost.

Spam
• What is Spam? Junk email: unwanted, resource robbing, and often containing viruses, worms, and scams.
• Why is it an increasing problem? Spam is the fastest growing component of messages on the Internet; it consumes bandwidth and storage and angers the user. ISPs and some consumer groups are attempting to shut down the worst offenders.
  – Spam as harassment.
  – Spam as a DoS (Denial of Service) attack.
  – Spam as Phishing (an attempt to obtain a person's ID, password, etc., by pretending to be a legitimate request).
• What can be done about it? (Discussion questions)
  – Closing down ISPs that permit email relaying (Is this too draconian?).
  – Apply filters and tools to remove it (Can they be bypassed?).
  – Lobby for federal legislation to create civil and criminal penalties for those who send Spam. (Does this interfere with free speech?)
  – A recently passed law to prosecute commercial spammers. (When is Internet advertising legitimate and when is it Spam?)

Why Estimate the Cost of Spam?
• Important for policy reasons to know the severity of the problem; helps in assigning priority to the issue.
• To determine which economic actors have to bear the costs; also important in focusing on solutions.
• Spam imposes a negative externality on society (similar to pollution in the manufacturing economy): economic damage and cost borne by third parties, resulting in an overall loss of welfare for society.
• If the costs of spam are unacceptable then mechanisms have to be put in place to change the behavior of the producers of spam.
• Provides a metric to "let the punishment fit the crime." The market itself does not provide a mechanism to correct for the costs inflicted by spam. If economic solutions are used to combat spam, cost data can help determine the prices applied to reduce or eliminate spam.
Source: http://www.oecd.org/dataoecd/47/5/26618988.pdf

Spam Impact on Consumers
• E-mail has value to the recipient which varies with the content and should at least equal the processing cost.
• Each e-mail entails the same receiving/processing cost for the consumer. For spam the value of the e-mail content is negative, and to this must be added the processing cost.
• If the amount of spam received is extremely high it could conceivably outweigh the positive value of receiving email.
• Costs to consumers for processing mail are declining as consumers switch to broadband from dial-up (where time-based Internet access charges exist) and because of quicker download times.
• But the increase in the volume of spam is likely to result in a net increase in costs: if you can go fast but you produce crap, all you get is more crap.
Source: http://www.oecd.org/dataoecd/47/5/26618988.pdf

Overall Cost: Some Estimates
• Reduced use of an efficient and cheap means of communication among economic actors slows down the growth of e-commerce and the development of the digital economy.
Total economic impact of spam; estimates vary:
• Global cost "conservatively" estimated at €10 Billion (European Commission Study 2001).
• Ferris Research (Jan. 2003) estimated that spam cost US companies $8.9 billion in 2002. The same study estimated the cost of spam in Europe as US$2.5 billion.
• UNCTAD (2003): $20 billion.
• Cost to the Hong Kong economy: $1.3 billion (HKISPA 2004).
• $2 - $20 Billion per year and growing.
Source: http://www.oecd.org/dataoecd/47/5/26618988.pdf

Crimes of Persuasion
Crimes of persuasion are scams that appeal to people's greed, goodwill, or other emotions to get the victim to provide the access and assistance to the information, the money, or the other resources that are the target of the criminal. In other words: a con game.

Internet Scams
• Scams over the Internet, unlike fraud and similar crimes, can be difficult to detect, prosecute, and prevent, and easy to perpetrate.
• Email can be used to reach 250 million people with a simple program and a CD-ROM with the email addresses.
• Example: The African businessman who offers to split a large sum of money (like $20M) if he can only electronically wire it to your checking account. He also requires a (small) fee ($250) wired to his account to bribe fellow countrymen. Your fee and your bank account are immediately seen to vanish.
• See: http://www.cnn.com/2000/TECH/computing/10/31/ftc.web.scams/

Internet Pyramid schemes
What is a Pyramid Scheme?
• Pyramid schemes, also referred to as "chain referral", "binary compensation" or "matrix marketing" schemes, are marketing and investment frauds which reward participants for inducing other people to join the program. Ponzi schemes, by contrast, operate strictly by paying earlier investors with money deposited by later investors, without the emphasis on recruitment or awareness of the participation structure.
• Pyramid schemes focus on the exchange of money and recruitment. At the heart of each pyramid scheme there is typically a representation that new participants can recoup their original investments by inducing two or more prospects to make the same investment.
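The recoup-by-recruiting promise above can be checked with arithmetic. The following is an added example, not code from the slides or from any source they cite: it grows the layers of a scheme in which every participant must sign up k newcomers, stops when the next layer can no longer be filled from a pool of possible recruits (the 7 billion figure is a constructed round number), and reports what share of all participants sit in the bottom layer, having paid in and recruited no one.

```python
# Added example (not from the slides): how the layers of a pyramid scheme grow
# when each participant must recruit k newcomers to recoup their own stake.

POPULATION = 7_000_000_000   # constructed round figure: the pool of possible recruits


def pyramid_layers(recruits_per_person, population=POPULATION):
    """Sizes of successive layers, starting from one founder, adding a layer
    only while it can still be filled from the remaining population."""
    layers = [1]
    total = 1
    while True:
        next_layer = layers[-1] * recruits_per_person
        if total + next_layer > population:
            return layers        # the next layer cannot be filled: growth stops
        layers.append(next_layer)
        total += next_layer


def bottom_layer_fraction(layers):
    """Share of all participants who are in the newest layer when growth stops.
    They have paid in but recruited nobody, so they recoup nothing."""
    return layers[-1] / sum(layers)


def summary(recruits_per_person, population=POPULATION):
    """Levels reached, total participants, and the share left holding the bag."""
    layers = pyramid_layers(recruits_per_person, population)
    return {
        "levels": len(layers),
        "participants": sum(layers),
        "bottom_layer_fraction": round(bottom_layer_fraction(layers), 3),
    }


if __name__ == "__main__":
    # With k = 2 the scheme runs out of people after 32 levels and half of
    # everyone who joined is in the bottom layer; with k = 10 it is 90%.
    for k in (2, 3, 10):
        print(k, summary(k))
```

Whatever k is, the bottom layer holds roughly (k-1)/k of all participants, which is why the people at the bottom are the ones who lose when the scheme collapses.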
• For each person you bring in you are promised future monetary rewards or bonuses based on your advancement up the structure. Over time, the hierarchy of participants resembles a pyramid as newer, larger layers of participants join the established structure at the bottom.
Source: http://www.crimes-of-persuasion.com/Crimes/Delivered/pyramids.htm

Internet Pyramid schemes (more)
• They say you will have to do "little or no work because the people below you will". You should be aware that the actual business of sales and supervision is hard work. So if everyone is doing little or no work, how successful can a venture be? Too good to be true!
• The marketing of a product or service, if done at all, is only of secondary importance, in an attempt to evade prosecution or to provide a corporate substance. Often there is not even an established market for the products, so the "sale" of such merchandise, newsletters or services is used as a front for transactions which occur only among and between the operation's distributors.
• Therefore, your earning potential depends primarily on how many people you sign up, not how much merchandise is sold.
• When the pyramid gets too big, the whole scheme collapses, and the people who lose are the people at the bottom.

Internet Pyramid schemes (more)
• Pyramid schemes are not the same as Ponzi schemes, which operate under false pretences about how your money is being invested and normally benefit only a central company or person along with possibly a few early participants who become unwitting shills.
• Pyramid schemes involve a hierarchy of investors who participate in the growth of the structure, with profits distributed according to one's position within the promotional hierarchy based on active recruitment of additional participants.
• Both are fraudulent, because they induce an investment with no intention of using the funds as stated to the investor.

Email Fraud
Fraud has existed perhaps as long as or longer than money.
Any new sociological change can engender new forms of fraud, or other crime.
Source: http://en.wikipedia.org/wiki/Email_fraud

Email Fraud
• Almost as soon as e-mail became widely used, it began to be used to defraud people.
• E-mail fraud can take the form of a "con game" or scam.
• Confidence tricks tend to exploit the inherent greed and dishonesty of their victims: the prospect of a 'bargain' or 'something for nothing' can be very tempting.
• E-mail fraud, as with other 'bunco schemes', relies on naive individuals who put their confidence in get-rich-quick schemes such as 'too good to be true' investments or offers to sell popular items at 'impossibly low' prices. Many people have lost their life savings due to fraud (including e-mail fraud!).

Avoiding e-mail fraud
E-mail fraud may be avoided by:
• Keeping one's e-mail address as secret as possible,
• Ignoring unsolicited e-mails of all types, simply deleting them,
• Not giving in to greed, since greed is the element that allows one to be 'hooked', and
• If you have been defrauded, reporting it to law enforcement authorities -- many frauds go unreported, due to shame, guilty feelings or embarrassment.
Source: http://en.wikipedia.org/wiki/Email_fraud

Identity Theft on the Internet
Identity theft involves finding out the user's personal information and then using it to commit fraud and other crimes.

Identity Theft
"But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed."
Shakespeare, Othello, Act III, Scene III.

What is Identity Theft?
• A Federal crime where someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.
• In 2004, almost 250,000 claims of Identity Theft within the US alone (1:1000).
• More than $500 million in reported losses.
Source: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf

Categories of Identity Theft
According to the non-profit Identity Theft Resource Center, identity theft is "sub-divided into four categories:
1. Financial Identity Theft (using another's name and SSN to obtain goods and services),
2. Criminal Identity Theft (posing as another when apprehended for a crime),
3. Identity Cloning (using another's information to assume his or her identity in daily life) and
4. Business/Commercial Identity Theft (using another's business name to obtain credit)."
Source: http://en.wikipedia.org/wiki/Identity_theft

Tiger Woods
"A man who used Tiger Woods' identity to steal $17,000 worth of goods was sentenced to 200 years-to-life in prison. Anthony Lemar Taylor was convicted of falsely obtaining a driver's license using the name Eldrick T. Woods, Woods' Social Security number and his birth date. Though he looks nothing like golf's best player, the 30-year-old Taylor then used the false identification and credit cards to buy a 70-inch TV, stereos and a used luxury car between August 1998 and August 1999. Judge Michael Virga gave Taylor the maximum sentence under California's three-strikes law..."

Identity Theft by Age
[Chart: Identity Theft Claims by Age in 2004; vertical axis "% of Claims" (0 to 30); age groups Under 18, 18-29, 30-39, 40-49, 50-59, 60+]
Source: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf

Identity Theft
• Identity Theft: the acquiring of personal and financial information about a person for criminal purposes.
• Your Social Security Number, credit card numbers, and passwords on your machine can be used to gain information about you from web sources.
• Once the information is gained it is used to charge large amounts for plane tickets, etc.
• The criminal can also assume your identity for fraud and terrorism.
• Some rings communicate data gathered to accomplices in other countries where the fraudulent charges are actually made.
• It can take up to 18 months and thousands of dollars to restore your credit.
See http://www.newsfactor.com/perl/story/15965.html

The role of private industry and government in identity theft

Techniques for obtaining information
Low Tech: Social Engineering
• Stealing (snail) mail or rummaging through rubbish (dumpster diving)
• Eavesdropping on public transactions to obtain personal data (shoulder surfing)
• Obtaining castings of fingers for falsifying fingerprint identification
High Tech: Internet Approaches
• Stealing personal information in computer databases [Trojan horses, hacking], including theft of laptops with personal data loaded.
• The infiltration of organizations that store large amounts of personal information.
• Impersonating a trusted organization in an electronic communication (phishing).
• Spam (electronic): Some, if not all, spam entices you to respond to alleged contests, enter into "Good Deals", etc.
• Browsing social network sites (MySpace, Facebook, Bebo etc.) online for personal details that have been posted by users in public domains.
Source: http://en.wikipedia.org/wiki/Identity_theft

What is Pharming?
Pharming is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect traffic from that website to another web site. DNS servers are the machines responsible for resolving internet names into their real Internet Protocol (IP) addresses - the "signposts" of the internet. (For example, Good_Stuff.com will translate to an address like 152.145.72.30, i.e. four groups of base 8 (octal) numbers in IP version 4 (IPv4), or eight groups in base 16 (hex) in IP version 6 (IPv6).) The Internet has thousands of DNS servers, each one a target for determined hackers.

Phishing
What is Phishing?
– Using email or web sites that look like authentic corporate communications and web sites to trick people into giving personal and financial information.
– The FBI sees this as a fast growing form of fraud that can lead to theft of identity.
See http://www.crimes-of-persuasion.com/Crimes/Delivered/internet.htm

What is Phishing?
phishing (also known as carding and spoofing) n. 1. The act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message).
Source: http://en.wikipedia.org/wiki/Phishing

Phishing Example
From: eBay Billing Department <aw-confirm@ebay.com>
To: you@uml.edu
Subject: Important Notification

Register for eBay
Dear valued customer
Need Help?
[Slide callout pointing at the link: This link points to a bogus site that often will infect and attempt to corrupt or steal data from your computer, or coerce you into divulging private information when you access it.]
We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.
For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.
Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account.
Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.
Regards,
Safeharbor Department
eBay, Inc
The eBay team.
This is an automatic message. Please do not reply.
Source: http://en.wikipedia.org/wiki/Phishing

Spear Phishing
• Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
• Spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site.
Source: http://searchsecurity.techtarget.com/definition/spear-phishing

Spear Phishing (more)
• Visiting West Point teacher and National Security Agency expert Aaron Ferguson calls it the "colonel effect." To illustrate his point, Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson's message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message.

Spoofing
• E-mail sent from someone pretending to be someone else is known as spoofing. Spoofing may take place in a number of ways. Common to all of them is that the actual sender's name and the origin of the message are concealed or masked from the recipient. Many, if not most, instances of e-mail fraud use at least minimal spoofing, as most frauds are clearly criminal acts. Criminals typically try to avoid easy traceability.
Source: http://en.wikipedia.org/wiki/Email_fraud

Methods to Steal an Identity
• TCP Spoofing
  – Establish a fake session and act to the user like the real application the user thought was connected.
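The Phishing Example and Spoofing slides above describe the tells of a forged notice in words; the following is an added example, not code from the slides or from any product they mention, that checks for those tells mechanically. It parses a constructed eBay-style message whose sender and link hosts are invented (the .example domain is reserved for documentation) and reports: a display name that claims the brand while the address domain does not, a Reply-To routed to a different domain, link text naming one site while the href leads to another, and link hosts that are near-miss spellings of the brand or bury the brand name inside a longer hostname. The registrable-domain helper is a two-label simplification; production code would consult the Public Suffix List.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the eBay-style notice in the slides.
# Every hostname here is made up; nothing points at a real site.
SAMPLE_MESSAGE = """\
From: "eBay Billing Department" <aw-confirm@ebay-billing.example>
Reply-To: verify@mailbox-host.example
To: you@uml.example
Subject: Important Notification
Content-Type: text/html

<html><body>
<p>Dear valued customer</p>
<p>Need help? Visit <a href="http://www.ebya.example/login">www.ebay.com</a></p>
<p>To resolve this problem please <a href="http://ebay.com.account-verify.example/x">click here</a>
and re-enter your account information.</p>
<p>For the user agreement see <a href="http://pages.ebay.com/help">pages.ebay.com</a></p>
</body></html>
"""

BRAND_DOMAIN = "ebay.com"   # the domain the message claims to come from


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain: the last two labels (demo simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.ebay.com'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return urlparse(url_or_text).hostname or ""


def edit_distance(a, b):
    """Damerau-Levenshtein distance with adjacent transpositions, so a
    swapped pair of letters ('ebya', 'goolge') counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def looks_alike(host, brand):
    """True if host is not the brand but resembles it: a near-miss spelling of
    the brand label, or the brand name embedded in a longer hostname."""
    reg = registrable(host)
    if reg == brand:
        return False
    label, brand_label = reg.split(".")[0], brand.split(".")[0]
    return edit_distance(label, brand_label) <= 2 or brand in host


def analyse(raw=SAMPLE_MESSAGE, brand=BRAND_DOMAIN):
    """Return (finding, detail) pairs for the spoofing and link tells."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    if brand.split(".")[0] in sender.display_name.lower() and registrable(sender.domain) != brand:
        findings.append(("sender-domain-mismatch", sender.addr_spec))
    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0]
        if registrable(reply.domain) != registrable(sender.domain):
            findings.append(("reply-to-differs", reply.addr_spec))
    collector = LinkCollector()
    collector.feed(msg.get_content())
    for href, text in collector.links:
        target = host_of(href)
        if "." in text and registrable(host_of(text)) != registrable(target):
            findings.append(("link-text-mismatch", href))   # text says one site, href another
        if looks_alike(target, brand):
            findings.append(("lookalike-domain", href))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse():
        print(f"{kind:24} {detail}")
```

The genuine-looking third link (text and href both under the brand's own domain) produces no finding, which is the point of comparing registrable domains rather than string-matching on the brand name.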
  – Can be done by substituting valid access software with "hacked" software after compromising a host or server machine.
• DNS Spoofing
  – Mentioned previously.
  – Substitutes a fake IP address for the real one in the DNS table.
• Typo Squatting (e.g. www.goolge.com)
  – Set up a real web site with a URL that represents a common typo. Make the site look enough like the real one and try to get passwords, IDs, etc.
  – Similar to phishing, but the "phish" catches himself!

Internet and Identity Theft: References
• Abagnale, Frank W., "Stealing Your Life", Broadway Books (2007). The author has written several books including "Catch Me if You Can" and "The Art of the Steal". While the book is not very technical, it lays out the economics and approaches to preventing Identity Theft.

Internet and Security
The Internet is a paradox, like almost everything in modern society. It offers many benefits, yet it also opens us to a variety of evils. It is a tool to leverage the power of advanced computing, for good OR evil.

What is computer security?
computer security n. 1. The systematic methods and procedures employed to protect information assets on computer systems against intentional and unintentional use, modification, deletion, manipulation, access, or corruption.

What is malware?
• malware (mal´wãr) (n.) Short for malicious software: software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.
Source: http://www.webopedia.com/TERM/m/malware.html

As we explore the Internet we must also protect ourselves from evil
• First, we must make sure our computer is secure, or at least that we make it difficult for trespassers and other evil-doers to enter it and attack it.
• Second, we must secure our browsers and email system.
• Third, we must protect our network portal and our communications.
• Finally, we must prepare to be attacked and have a plan for minimizing the damage.
Cartoon Source: http://www.offthemarkcartoons.com/cartoons/2002-12-21.gif

What is a virus?
virus n.
1. A self-replicating software program that spreads by inserting copies of itself into other executable code or documents.
Source: www.wikipedia.org

Annual Cost of Viruses to Businesses
[Chart: Virus Cost to Businesses, $ in billions (0 to 60), for 2001, 2002 and 2003]

What is a Trojan Horse?
Trojan horse n. 1. A malicious program that is disguised as legitimate software. Trojan horses can:
  – Erase or overwrite data on a computer,
  – Corrupt files in a subtle way,
  – Spread other malware,
  – Set up networks of zombie computers (subverted to execute commands of the hacker instead of your programs) in order to launch DDoS (Distributed Denial of Service) attacks or send spam,
  – Spy on the user of a computer and covertly report data like browsing habits to other people,
  – Log keystrokes to steal information such as passwords and credit card numbers,
  – Phish for bank or other account details, which can be used for criminal activities, or
  – Install a backdoor on a computer system to facilitate future hacking.
• A "Trojan horse" program may force your computer to do any or all of these things without your knowledge!
• Individuals have actually been prosecuted for actions committed by their computer while under control of a Trojan horse.
Source: www.wikipedia.org

What are worms?
worm n. 1. A self-replicating piece of code that uses security lapses to travel from machine to machine, placing copies of itself everywhere and then using those newly compromised machines as bases to attack further systems.
  – The worm is the chunk of code that does the traveling and implanting. Hackers attach other malware to the worm, which then carries it along.
Source: www.nndb.com

Famous Worms
Name/Date: Melissa, 3/26/1999
  Est. Cost: $1.1B
Name/Date: NIMDA, 9/2001
  Est. Cost: $645M
Name/Date: Sobig, 1/2003
  Comment: Variant Sobig.f used its own SMTP (Simple Mail Transfer Protocol) engine to email from the user's address to others in the user's address book. Largest volume of emails.
  Est. Cost: $36.1B
Source: Computer Worms: Past, Present, and Future, Craig Fosnock (CISSP, MCSE, CNE)

Famous Worms (continued)
Name/Date: Mydoom, appearing January 26, 2004, and primarily transmitted via e-mail made to appear as a transmission error.
  Comment:
  • Mydoom became the fastest spreading email worm ever.
  • It slowed overall Internet performance by about 10%, and average web page load times by about 50%.
  Est. Cost: $38.5B
Name/Date: Witty, appearing March 19, 2004.
  Comment:
  • It was the fastest developed worm to date, as there were only 36 hours between the release of the advisory and the release of the worm.
  • Witty infected the entire exposed population of twelve thousand machines in 45 minutes, and
  • it was the first worm that destroyed the hosts it infected (by randomly erasing a section of the hard drive).
  Est. Cost: $11 million

Early Viruses
• Brain Virus from Pakistan (1986)
  – First PC virus
  – Affected only certain types of floppy drives
• Dark Avenger.1800 virus (1989)
  – Written in Sofia, Bulgaria.
  – Posed the first international virus threat.
  – Used anti-virus software to spread.
• Michelangelo (1992)
  – 5 million systems were predicted to be affected.
  – Only 10,000 systems were ever infected.
  – A boon for anti-virus software companies.
Source: http://www.research.ibm.com/antivirus/timeline.htm

Trojan Horses
• These actions range from harmless messages to destruction of user files, denial of service, or stealing personal data.
• Lately hackers have taken over thousands of computers to launch attacks on other sites (using Trojan horse techniques).

What is a rootkit?
• A type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection.
• It enables an attacker to have "root" access to the computer, which means it runs at the lowest level of the machine.
• A rootkit typically intercepts common API calls so antivirus scans never see the rootkit programs.

What's a Wabbit?
wabbit n. 1. A program that replicates itself on a computer but does not touch other documents or executables. It is not spread through the Internet. It makes so many copies of a program that the computer cannot even start the program that would allow the user to terminate the wabbit program.

What's a backdoor?
• Code that allows access to the computer through the O/S or an application.
• In some cases this is intentional and in others it's a bug. In any case it is a dangerous problem and requires that the user get the latest patches to the O/S and applications.
Source: http://cluestick.me.uk/burrow/gallery/cartoons/

Malware Detection
• Norton Anti-Virus
• McAfee Anti-Virus
• Panda Software

Software designed to spy on you
1. Adware
2. Spyware

What is Adware?
• Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.
• Adware programs other than spyware do not invisibly collect and upload this activity record or personal information when the user of the computer has not expected or approved of the transfer, but some vendors of adware maintain that their application which does this is not also spyware, due to disclosure of program activities: for example, a product vendor may indicate that since somewhere in the product's Terms of Use there is a clause that third-party software will be included that may collect and may report on computer use, this Terms of Use disclosure means the product is just adware.
Source: http://en.wikipedia.org/wiki/Adware

What are Popup ads?
• A popup is a new browser window, usually with ad content, that opens over your current one.
• A popunder, which is supposedly less annoying, is a new browser window that opens (duh) under the current one.
• A popover (also known as an overlay) is an animated graphic that doesn't have a window in the usual sense but rather materializes on top of the current window.
• Sometimes popovers have a click-the-X box that enables you to get rid of them; others don't (or carefully disguise it) and you have to wait till they go away on their own.
• Interstitial ads appear after you click on a hyperlink, but before you get to the page you actually want.
• Rich media refers to fancy, often interactive, animated graphics that move around the page, etc. Rich media is the hot trend in online advertising since it's difficult to ignore; it typically makes use of a technology aptly called Flash. Flash is often used for popovers.
Source: http://www.straightdope.com/columns/041015.html

Spyware
• Spyware: software that gathers information about a person or computer without permission or knowledge.
• Once loaded onto a computer it sends data back to the site that launched it.
• Can be very dangerous and used in identity theft and other forms of fraud.
• Can make your computer appear to be slow and unresponsive.

What is spyware?
spyware n. 1. A broad category of malicious software intended to intercept or take partial control of a computer's operation without the user's informed consent. Unlike viruses, it does not usually self-replicate. Spyware is designed to exploit infected computers for the commercial gain of third parties. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites. As of 2005, spyware affects only computers running Microsoft Windows. There have been no reported observations of spyware for Mac OS X, Linux, or other platforms.
Source: www.wikipedia.org

What does Spyware/Malware specifically do to my computer?
Malware will perform a variety of nasty activities, ranging from simple email advertising all the way to complex identity theft and password stealing. New nasty functions are created every week by malware programmers, but the most common malware functions are:
  – Malware steals your personal information and address book (identity theft and keystroke logging).
  – Malware floods your browser with pop-up advertising.
  – Malware spams your inbox with advertising email.
  – Malware slows down your connection.
  – Malware hijacks your browser and redirects you to an advertising or a phishing-con web page.
  – Malware uses your computer as a secret server to broadcast pornography files.
  – Malware slows down or crashes your computer.

How to prevent / detect spyware
• Ad-Aware - www.lavasoft
• WebRoot's SpySweeper - www.WebRoot.com
• Spybot
• Spyware Doctor
• HijackThis
• Microsoft Anti Spyware Beta - http://www.microsoft.com/athome/security/spyware/software/default.mspx

What are cookies?
cookies n. 1. Small data files written to your hard drive by some Web sites when you view them in your browser. These data files contain information the site can use to track such things as passwords, lists of pages you've visited, and the date when you last looked at a certain page.
Source: http://www.cnet.com/Resources/Info/Glossary/Terms/cookie.html
Source: http://sarahmorgan73.tripod.com/pers.html

Cookies can serve a useful purpose
• Cookies can be useful. In general web pages are stateless, i.e. they do not remember material from one page in a site to another. For instance, a cookie allows an e-commerce site to create a market basket of the items you are ordering while you are shopping through the site's online catalogue.
• It also allows sites to remember you after you log in to a site. Thus if you are a distance-learning student it will remember the pages you visited and the answers you gave to questions.
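The cookie slides above distinguish the useful case (a shopping basket or login remembered by the site you are on) from cookies that track you across sites. The following is an added example, not code from the slides: it takes a page URL and the Set-Cookie headers observed on the page's own response and on an embedded ad image (all hostnames constructed; .example is reserved for documentation), parses each header with Python's standard http.cookies module, and classifies every cookie as first- or third-party relative to the page, persistent or session-only, and missing the Secure, HttpOnly or narrow-Domain protections. The registrable-domain helper is a two-label simplification.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample (not from the slides): the page being viewed and the
# Set-Cookie headers seen on the page's own response and on an embedded ad
# image served from another site.
PAGE_URL = "https://shop.example/catalog"
OBSERVED_SET_COOKIES = [
    ("https://shop.example/catalog",
     "basket=item42; Path=/; Secure; HttpOnly"),
    ("https://shop.example/catalog",
     "session=abc123; Path=/; HttpOnly"),
    ("https://ads.tracker.example/pixel.gif?ref=shop.example",
     "id=9f8e7d; Domain=.tracker.example; Path=/; Expires=Fri, 31 Dec 2027 23:59:59 GMT"),
]


def registrable(host):
    """Naive registrable domain: the last two labels. Enough for this demo;
    production code should consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def classify(page_url, observed):
    """One report entry per cookie: who set it, whether it is first- or
    third-party relative to the page, whether it outlives the browser
    session, and which protective attributes it lacks."""
    page_domain = registrable(urlparse(page_url).hostname)
    report = []
    for resource_url, header in observed:
        setter = urlparse(resource_url).hostname
        jar = SimpleCookie()
        jar.load(header)              # parses name=value plus its attributes
        for name, morsel in jar.items():
            issues = []
            if not morsel["secure"]:
                issues.append("no-Secure")       # would also travel over plain HTTP
            if not morsel["httponly"]:
                issues.append("no-HttpOnly")     # readable by scripts on the page
            cookie_domain = morsel["domain"].lstrip(".")
            if cookie_domain and cookie_domain != setter:
                issues.append("broad-Domain")    # shared with every subdomain
            report.append({
                "name": name,
                "set_by": setter,
                "party": "first" if registrable(setter) == page_domain else "third",
                "persistent": bool(morsel["expires"] or morsel["max-age"]),
                "issues": issues,
            })
    return report


def third_party_trackers(page_url=PAGE_URL, observed=OBSERVED_SET_COOKIES):
    """Hosts that set a persistent cookie from a site other than the page:
    the pattern that lets an ad network recognise you from site to site."""
    return sorted({r["set_by"] for r in classify(page_url, observed)
                   if r["party"] == "third" and r["persistent"]})


if __name__ == "__main__":
    for entry in classify(PAGE_URL, OBSERVED_SET_COOKIES):
        print(entry)
    print("cross-site trackers:", third_party_trackers())
```

The basket cookie is the benign case from the slide: first-party, session-only, and protected. The ad host's cookie is the tracking case: set by a different site, scoped to a whole domain, and kept for years so that the same identifier is sent back from every page that embeds that host's ads.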
DoubleClick and other cookie exploiters
• DoubleClick is an aggressive tracking tool. In general a cookie can only be opened by the site that created it. DoubleClick sets its cookies through its ads on the downloaded page. Because its cookie records the page that contained the ad, the cookies report the sites you visit that carry DoubleClick ads. Thus it can track you from site to site.

What do companies know about you?
Cookies, Flash cookies and beacons – all new tools to gather information about you. In the best case this invades your privacy; in the worst case it attacks your privacy and your identity.
Source: http://www.eff.org/deeplinks/2010/08/what-they-know

Flash Cookies

Removing Flash Cookies

Earthlink SpyAudit Report
• 4,610,738 computers scanned
• 769,330 Trojan horses were detected
• 24,395,256 spyware programs were detected
• 90,594,556 spyware cookies were detected

Wireless Dangers
• War driving
• Virtual intrusion
• Other means
• Security measures

Wardriving
• Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle using a Wi-Fi-equipped computer, such as a laptop or a PDA. It is similar to using a radio scanner, or to the ham radio practice of DXing.
• Connecting to the network and using its services without explicit authorization is referred to as piggybacking.
Source: http://en.wikipedia.org/wiki/War_driving

Further References
• http://courses.washington.edu/info100/classwork/slides/files/fit100-21-darkside.ppt
• Beaver, K. “Hacking Wireless Networks for Dummies”, Wiley (2005)

More Serious Internet Age Problems

Cyber Bullying
Cyber bullying is a controversial area of Internet abuse.

Cyber-Bullying
• Cyberbullying is willful and involves recurring or repeated harm inflicted through the medium of electronic text. E-mail and instant messaging are just two ways; cyberbullying can occur through any medium as long as it is on the Internet.
• According to R.B. Standler [1], bullying intends to cause emotional distress and has no legitimate purpose in its choice of communications.
Source: http://en.wikipedia.org/wiki/Cyber-bullying

Cyber-Bullying (More)
• Cyberbullying can be as simple as continuing to send e-mail to someone who has said they want no further contact with the sender.
• Cyberbullying may also include threats, sexual remarks, or pejorative labels (i.e., hate speech).
• Cyber-bullies may publish personal contact information for their victims at websites. They may attempt to assume the identity of a victim for the purpose of publishing material in their name that defames or ridicules them.

Cyber Bullying can be deadly
• The issue of cyber bullying is not a trivial rite of passage in middle and high school.
• In the last several years the news has reported 3-4 teens driven to suicide after cyber bullying; often the victims are girls, as are the bullies.
• In January 2010 a young girl whose family had moved from Ireland committed suicide in western Massachusetts after she was bullied by a group of high school girls.
• Advice for parents and teachers can be found in http://kimberlybennett.net/APU/The%20Dark%20Side%20of%20the%20Internet-kbennett.ppt

Suggestions for parents
If an adult suspects a child is having suicidal thoughts or behaviors as a way of escaping bullying and other problems, here are some suggestions:
• Notify school personnel if bullying is identified.
• Seek an evaluation from a professional. Suicidal thoughts and behaviors are often linked to depression, which can be treated.
• Listen to the child.
• Help the child understand these feelings and thoughts are temporary and there are solutions.
• Brainstorm on how the child can react to bullying.
• If suicidal urges/behaviors are serious, take the child to the emergency room, don't leave him or her alone, and keep firearms, drugs and sharp objects away from the child.
Source: http://cbs4.com/local/Celine.Okwuone.Port.2.1708481.html

A Few High Profile Cases
We examine cases that illustrate particularly egregious examples of cyber bullying.

Megan Meier
• St. Louis, Missouri, teenager Megan Meier committed suicide after a girl down the street disguised herself as a teenage boy on MySpace and taunted the 13-year-old about her weight and sexuality. Megan was three days away from her 14th birthday in October of 2006.
• Missouri officials and federal officials could not find a crime to charge. Finally a charge of computer fraud was filed in California against the mother, for misrepresentation of the child’s age in order to use MySpace.
• The following video discusses the legal issues. Note that the jury found Lori Drew guilty on only one charge, which was then also dropped by the judge.

Megan Meier Case Legal Issues

Phoebe Prince
Phoebe Prince was an Irish immigrant to Massachusetts when she took her own life in January of 2010. Phoebe was a victim of cyberbullying at South Hadley High School in western Massachusetts. Her parents, who brought Phoebe to America from their small Irish village, said that she had trouble adjusting to life in America. Even though she had just accepted a date to the school dance, Phoebe committed suicide after receiving several taunting comments on her Facebook page. Charges were brought against the mean girls and the older boys who slept with her.

Phoebe Prince Case and Legal Issues

Rutgers Case
• The gay 18-year-old ended his life Sept. 22 by jumping off a bridge, after authorities said two other students streamed his private sexual encounter online.
• One of the students, his roommate, planted the web camera.
• One major issue is what the two students should be charged with.
• The invasion of privacy and the death shocked the campus.
Rutgers University Legal & Ethical Issues

Sexting
Sexting – teens sending text messages that include explicit pictures of themselves – is raising issues:
• Is it pornography, and if so, what should be the punishment for the sender and the receiver?
• Is it a new form of cyber bullying when the boyfriend or girlfriend posts those private photos on the web?
One in five teens are involved.
The dangers of sexting include criminal charges, being registered as a sex offender, and cyberbullying, and it has led to suicide.

Is Sexting Child Pornography?
Source: http://www.youtube.com/watch?v=mYrXG1Yze68&feature=fvst

Sexting not only a teenage problem
The Congressman Weiner Scandal

The Congressman Weiner Scandal
• While sex scandals in politics are common, Rep. Anthony Weiner is of note for using Twitter and sexting.
• On May 27, 2011, using his Twitter account, Weiner sent a link to a photograph on yfrog of his erect penis clad in gray boxer briefs to a 21-year-old female college student in Bellingham, Washington, who was following him on the social media website. Though the image was quickly removed from Weiner's Twitter account, it was leaked to conservative blogger Andrew Breitbart who had it published on the BigJournalism website the following day.
• After first denying the posts and saying they were hacks, as more evidence of similar posts to other women started to appear, he announced he would resign on June 21.
• His name and actions were fodder for headlines and late night comedians.
Image: http://0.tqn.com/d/politicalhumor/1/0/z/6/4/Following-Congressman-on-Tw.jpg
Source: http://en.wikipedia.org/wiki/Anthony_Weiner_sexting_scandal

Trolling
“Trolling” means mean-spirited searching of the Internet for victims to send harassing, often anonymous messages.
Source: http://www.cyberbullyingnews.com/2010/03/cyberbullying-currentnews-trolling-the-suicide-of-alexis-pilkington/

New variation of CyberBullying – Trolling
Post-Death Harassment after a suicide
• A new variation of trolling involves post-suicide harassment of the family and friends of the victim: when families and friends set up memorial “sites” on Facebook and other sites, “trolls” from around the world send or post harassing, often anonymous messages regarding the victim. Depending on the site, the family may have no control over the postings that are added.
• At first glance, one might ask “is this really cyberbullying, because the victim is already dead?” However, when you realize that other youth, classmates, friends and family are reading the site, the message is “victim was a loser and deserved to die – if you are a loser like her, you deserve to die too.”

Online Crimes against persons – by rapists, pedophiles, etc.
Because of the nature of online cyber relationships it is often the case that criminals can gain the confidence of lonely, vulnerable people. Pedophiles in particular use it to attract and lure children into meetings for sex, pornography, and abduction.

Youth Internet Safety Survey
• The National Center for Missing & Exploited Children (NCMEC) provided funding to Dr. David Finkelhor, Director of the Crimes Against Children Research Center at the University of New Hampshire, to conduct a research survey in 1999 on Internet victimization of youth. His research provides the best profile of this problem to date.
• Crimes Against Children Research Center staff interviewed a nationally representative sample of 1,501 youth, aged 10 to 17, who used the Internet regularly. “Regular use” was defined as using the Internet at least once a month for the past 6 months on a computer at home, at school, in a library, at someone else’s home, or in some other place.
Source: http://www.ojp.usdoj.gov/ovc/publications/bulletins/internet_2_2001/internet_2_01_6.html

The survey looked at four types of online victimization of youth
• Sexual solicitation and approaches: Requests to engage in sexual activities or sexual talk or to give personal sexual information that were unwanted or, whether wanted or not, made by an adult.
• Aggressive sexual solicitation: Sexual solicitations involving offline contact with the perpetrator through mail, by telephone, or in person, or attempts or requests for offline contact.
• Unwanted exposure to sexual material: When online, opening email, or opening e-mail links, and not seeking or expecting sexual material, being exposed to pictures of naked people or people having sex.
• Harassment: Threats or other offensive content (not sexual solicitation) sent online to the youth or posted online for others to see.

Survey Findings
• One in 5 youth received a sexual approach or solicitation over the Internet in the past year.
• One in 33 youth received an aggressive sexual solicitation in the past year. This means a predator asked a young person to meet somewhere, called a young person on the phone, and/or sent the young person correspondence, money, or gifts through the U.S. Postal Service.
• One in 4 youth had an unwanted exposure in the past year to pictures of naked people or people having sex.
• One in 17 youth was threatened or harassed in the past year.
• Most young people who reported these incidents were not very disturbed about them, but a few found them distressing.

Finally – Survey Shows a Disturbing Trend of Not Seeking Help
• Only a fraction of all episodes was reported to authorities such as the police, an Internet service provider, or a hotline.
• About 25 percent of the youth who encountered a sexual approach or solicitation told a parent. Almost 40 percent of those reporting an unwanted exposure to sexual material told a parent.
• Only 17 percent of youth and 11 percent of parents could name a specific authority, such as the Federal Bureau of Investigation (FBI), CyberTipline, or an Internet service provider, to which they could report an Internet crime, although more indicated they were vaguely aware of such authorities.
• In households with home Internet access, one-third of parents said they had filtering or blocking software on their computers.

The Dark Side of Craigslist and Social Networks – Cyber Crime

Craigslist
• Craigslist is a centralized network of online communities, featuring free online classified advertisements – with sections devoted to jobs, housing, personals, for sale, services, community, gigs, résumés, and discussion forums.
• Craig Newmark began the service in 1995 as an email distribution list of friends, featuring local events in the San Francisco Bay Area, before becoming a web-based service in 1996.
• Craigslist has a business model of free or low cost ads that attacks one major leg of newspaper revenue.
http://en.wikipedia.org/wiki/Craigs_list

Craigslist Crimes and Controversies
• The Erotic Section has been the source of controversy and crime: prostitution, sex crimes, and even murder (the Craigslist murderer in spring 2009).
• Major states and cities have begun criminal and civil legal proceedings to address the issue.
• Craigslist removed the section in summer 2010.

Danger of children using Social Networks

Taylor Behl
• On August 17, 2005, Taylor Behl left home for college at Virginia Commonwealth University.
• On September 5, 2005, a 38-year-old amateur photographer, Benjamin Fawley, killed Taylor Behl and dumped her unburied body in a shallow ravine near his ex-girlfriend’s farm.
• Behl met Fawley as a prospective student. She kept in contact with him through LiveJournal and MySpace.

Long Range dangers of Social Networks
• Government agencies, private employers, and college admissions all now routinely go to sites like MySpace, Facebook, etc. and make judgments about the individual based on writings that were never thought of as personal information for these organizations.
• Be careful what you post – think what your parents and future employer may think about it at some time in the future. Remember, the net never forgets.

Why you should avoid sharing certain things on the Internet
• Burglars Said to Have Picked Houses Based on Facebook Updates (Sept. 2010): http://bits.blogs.nytimes.com/2010/09/12/burglarspicked-houses-based-on-facebook-updates/
• Diamond Ring Ad on Craigslist Leads to Murder (happened Spring 2010): http://www.aolnews.com/crime/article/diamondring-ad-on-craigslist-leads-to-murder/19469483

Twitter Got Me Fired!!!
Sometimes the voice of youth is compelling caution to other youths.
Source: http://www.youtube.com/watch?v=_TJ-V8wI7Sk

MA Teacher Fired for Facebook Posting
Source: http://www.youtube.com/watch?v=zU8m-4_CmtU

Oct 2010 New York City Schools
• A number of incidents between teachers (both male and female) and students, involving Facebook postings that were sexual, led to teachers being fired and/or arrested.
• NYC found it needed to define appropriate Facebook behavior because it had no policy.

7 Deadly Sins of Social Networks
Spammer attacks in social networks:
1. Dating spam – a personal message, often from a woman, to a male social network user inviting them to start a romantic relationship. Once contact is secured, this attack proceeds in much the same way as bride email scams;
2. Profile and IM lures – spammers act as legitimate friends or potential new friends interested in getting to know the user in order to lure them to a fake profile page or Instant Messenger conversation;
3. Redirection to inappropriate or dangerous websites – a message is sent to a user, warning them that photographs or rumors about them have been posted on an external site and urging them to go to the site to view;
http://www.crime-research.org/news/02.27.2009/3720/

7 Deadly Sins (More)
4. Nigerian attacks – similarly to Nigerian 419 spam traditionally seen over email, social networking users are targeted with messages alerting them to a fake inheritance or access to a rich stranger’s fortune;
5. Fake jobs – sending personal messages or wall posts, spammers, posing as an employer, offer social network users fantastic job opportunities in order to spark conversation that will allow an avenue for further spam, phishing, malware or scams;
6. Competitor social network lure – invitations that seem to be from legitimate friends are sent to users via wall posts or personal messages urging them to visit virtually unknown social networking sites;
7. Religious based spam – spammers use social networking sites to preach to, and attempt to proselytize, users for various religions.

Social Networking Sites Help Combat Crime
• Police departments are using social networks to solve crimes, e.g. from pictures and videos of the crimes: teen beat-downs, riots and in some cases serious crimes and gang behavior.
• In Baltimore, police charged a student after her attack on a teacher was placed on a personal MySpace page.
• In St. Paul, Minn., a woman was charged with vandalism after she posted pictures of her ex-boyfriend's ransacked apartment.
Source: http://cbs4denver.com/consumer/facebook.myspace.social.2.958939.html

Social Networking Sites Help Combat Crime (more)
• Amateur cyber sleuths like Tracie Edwards: when her 15-year-old son was attacked by a local gang, Edwards tapped into MySpace. Starting with just one name, she followed an interlinking trail from one suspect to another.
• "I started typing in these names and boom," Edwards said. "Got my son in front of the computer and I was like, 'Do you know this little boy? Do you know this boy?' And he was like 'this is the boy who did it.'"
• Eventually, five people were charged.

Social Network and Crime References
• Russell, Matthew A. “Mining the Social Web”, O’Reilly (2011).
• Timm, Carl “Seven Deadliest Social Network Attacks”, Elsevier (2010).
• Verton, Dan “The Hacker Diaries: Confessions of Teenage Hackers”, McGraw-Hill/Osborne (2002).

Chat Roulette
1. Random chat encounters requiring that the users have a web cam.
2. Can involve teenagers and adults who may be naked or engaged in other inappropriate behavior.
3. Created by a 17-year-old Russian, and it has rapidly grown to 34 million daily users.

Crimes against commercial and government web sites and servers
• Denial of service
• Stealing credit card and other data
• Industrial espionage
• Blackmail and protection

What are Denial of Service (DOS) Attacks?
DoS attack: Short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.
Source: http://www.webopedia.com/TERM/D/DoS_attack.html

What are Denial of Service Attacks?
denial of service n. 1. An attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
Examples
– Teardrop attack
• The attacker floods the victim with improperly formatted packets.
– SYN flood attack
• The attacker simulates many users starting requests for data but not completing the request. The victim is stuck waiting for the attacker to complete the requests.
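A SYN flood leaves a fingerprint an administrator can see: a server under attack holds many half-open connections (state SYN_RECV) relative to its completed ones, and looking at where they come from tells a single-source flood apart from the distributed kind described on the next slides. The following detector is an added example written for this page, not from the course or from any tool; the snapshot lines imitate the column layout of `netstat -n` but are entirely constructed, as are the addresses and the thresholds.

```python
"""Flag a SYN flood from a snapshot of TCP socket states.

Added example, not from the slides. The snapshot text mimics the columns
of `netstat -n` output; every line and address here is constructed.
"""
from collections import Counter


def parse_snapshot(text):
    """Return (remote_ip, state) for every tcp line in a netstat-style snapshot."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                       # header lines, udp, blank lines
        remote, state = fields[4], fields[5]
        conns.append((remote.rsplit(":", 1)[0], state))   # strip the port
    return conns


def analyze(conns, min_half_open=30, max_half_open_ratio=0.5, single_source_share=0.5):
    """Decide whether the half-open connections look like a SYN flood.

    Alert when there are at least `min_half_open` SYN_RECV sockets AND they make
    up at least `max_half_open_ratio` of all active sockets; a healthy server has
    few half-open sockets because clients finish the handshake within milliseconds.
    Then classify: one source holding >= `single_source_share` of the half-open
    sockets is a single-source flood, otherwise it is distributed (many sources,
    which in practice are often spoofed or a botnet).
    """
    half_open = [ip for ip, st in conns if st == "SYN_RECV"]
    established = sum(1 for _, st in conns if st == "ESTABLISHED")
    total = len(half_open) + established
    ratio = len(half_open) / total if total else 0.0
    top_ip, top_count = Counter(half_open).most_common(1)[0] if half_open else (None, 0)
    alert = len(half_open) >= min_half_open and ratio >= max_half_open_ratio
    if not alert:
        kind = "none"
    elif top_count / len(half_open) >= single_source_share:
        kind = "single-source"
    else:
        kind = "distributed"
    return {
        "half_open": len(half_open),
        "established": established,
        "half_open_ratio": round(ratio, 2),
        "sources": len(set(half_open)),
        "top_source": top_ip,
        "alert": alert,
        "kind": kind,
    }


def _line(remote, state):
    """One constructed netstat-style row for a web server at 192.0.2.10:80."""
    return f"tcp        0      0 192.0.2.10:80          {remote:<22} {state}"


HEADER = "Proto Recv-Q Send-Q Local Address          Foreign Address        State\n"

# Healthy server: 40 established sessions, 3 handshakes in flight.
NORMAL_SNAPSHOT = HEADER + "\n".join(
    [_line(f"203.0.113.{i}:5{i:04d}", "ESTABLISHED") for i in range(1, 41)]
    + [_line(f"203.0.113.{i}:6{i:04d}", "SYN_RECV") for i in range(41, 44)])

# Distributed flood: 200 half-open sockets spread over 40 source addresses.
FLOOD_SNAPSHOT = HEADER + "\n".join(
    [_line(f"203.0.113.{i}:5{i:04d}", "ESTABLISHED") for i in range(1, 11)]
    + [_line(f"198.51.100.{i % 40 + 1}:{40000 + i}", "SYN_RECV") for i in range(200)])

# Single-source flood: the same 200 half-open sockets, all from one address.
SINGLE_FLOOD_SNAPSHOT = HEADER + "\n".join(
    [_line(f"203.0.113.{i}:5{i:04d}", "ESTABLISHED") for i in range(1, 11)]
    + [_line(f"198.51.100.9:{40000 + i}", "SYN_RECV") for i in range(200)])


if __name__ == "__main__":
    for name, snap in [("normal", NORMAL_SNAPSHOT), ("flood", FLOOD_SNAPSHOT),
                       ("single", SINGLE_FLOOD_SNAPSHOT)]:
        print(name, analyze(parse_snapshot(snap)))
```

The thresholds are deliberately conservative so a busy but healthy server does not trip the alert; tune `min_half_open` to the host's normal connection rate. This is the "software fix" the definition slide alludes to for this attack class: on Linux, SYN cookies (`net.ipv4.tcp_syncookies`) let the kernel stop reserving state for half-open connections, which is why a modern server survives a flood that a 1990s stack did not.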
Source: www.wikipedia.org

Distributed Denial Of Service (DDOS) Attacks
DDOS – Short for Distributed Denial of Service, it is an attack where multiple compromised systems (which are usually infected with a Trojan horse) are used to target a single system, causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.
The DDOS normally has a primary infected computer called a master that infects the other computers, called ‘slaves’ or ‘zombies’. The attacker then commands the computers to start sending useless messages to the targeted web site.
Source: http://sbc.webopedia.com/TERM/D/DDoS_attack.html

Stealing Credit Card and other data from Corporations and Government
Gaining access to information of a personal or sensitive nature from government, private industry, hospitals, etc. is almost too easy.

Loss of data through poor process
• Credit card and similar data has been compromised through human error and/or failure to create a secure process or method to store or transmit data, e.g. Dana-Farber sends patient data to the wrong fax number.
• Failure to screen personnel for character or criminal background.
• Failure to train all the personnel in the need for security and secure processes.

Attacking the vast amount of information distributed throughout the organization
• The advent of laptops and multi-GB portable storage devices creates an environment for disclosure of thousands if not millions of credit card and social security numbers and other personal record files.
• Government and private industry laptops stolen or lost at airports, etc. that contain unsecured (unencrypted) personal records have resulted in massive identity thefts and/or breaches of corporate sensitive or government classified data.
• Internet rings sell the data to credit card and document forgers who in turn sell them to the criminal who uses the credit card or ID.
• The crimes may involve fraud, illegal aliens, terrorists, etc.

Hacking the corporate databases
Over the last decade the corporation has begun acquiring millions of bytes on each and every one of us – this is done in numerous ways:
1. So called loyalty cards (those pieces of plastic that hang off your key chain).
2. Credit card purchases and retail store charge cards, which can be used to expose your SSN, driver’s license, etc.
3. Internet e-commerce applications, including tracking cookies.
• This massive amount of personal data leads to data mining and other marketing techniques to target individual groups with specific ads and products.
• Increasingly these massive data sources are tempting targets for sophisticated hacker gangs, making the acquisition and storage of this data a massive liability for the corporation.
• These gangs use the Internet to carry out their attacks and often do it from sites that make prosecution difficult if not impossible.

Hacking Corporate Data
Material Source: http://online.wsj.com/article_email/article_print/SB117824446226991797.html

The TJX Corp. – A cautionary tale
• TJX is a local firm that includes Marshalls, TJ Maxx, etc. It announced in January 2007 that the credit cards and personal data (SSN, driver's license, etc.) of 45 million customers had been compromised over a two year period.
• This theft of information has caused banks to issue new credit and debit cards to these customers and has resulted in lawsuits and goodwill losses to TJX that will cost billions of dollars.
• It is estimated that it cost the banks $300M to replace the cards, and TJX estimates $20M in fraudulent charges.
Material Source: http://online.wsj.com/article_email/article_print/SB117824446226991797.html

How did it happen?
• The WSJ reports that the source of the theft was a wireless hack in Minnesota.
• Wireless networks entered retail store IT in 2000.
• Wired Equivalent Privacy (WEP) security encryption was replaced when security experts breached several retail chains.
• Wi-Fi Protected Access (WPA) is a more complex encryption adopted by some retailers, but only slowly by TJX.
• Hand-held devices used in pricing and inventory control that communicate with store computers were hacked.
• Once the codes were broken, the hackers advanced to attacking the headquarters computer databases (Framingham, MA) by capturing employee userids and passwords.

The Hackers
• The so called “Bonnie and Clyde” hackers break in with a quick attack and often leave clues and other artifacts behind that signal their presence.
• TJX was the hallmark of Russian and eastern European gangs that scout for the weakest link in the security and, with careful planning, attack it.

How did it work?
• Based on some recent arrests it appears that an eastern European gang penetrated TJX and then bundled the credit card data and personal data into lots of 10,000 IDs and sold them over the Internet.
• Gangs who purchased the data, as happened in Florida, then created credit cards and IDs and used them to purchase gift cards and other expensive items.
• One woman found her Bank of America card with $45,000 in fraudulent charges (repeated $450 gift card purchases).

The Second Act
It is said that in America there are no second acts. But recently the gang that brought you TJX is accused of a new theft involving over 130 million credit and debit cards.

Albert Gonzalez
• Albert Gonzalez, a Miami hacker who once worked as a government mole tracking down identity thieves, is accused of playing a critical role in all the largest credit-card heists on record.
• He was previously charged in other computer break-ins, most significantly at TJX Cos., the chain that owns discount retailers T.J. Maxx and Marshalls, in which as many as 100 million accounts were lifted.
Source: http://www.google.com/hostednews/ap/article/ALeqM5ij90C

Summer 2009 – The Second Act
The Justice Department says he helped steal:
• 130 million card numbers from payment processor Heartland Payment Systems,
• 4.2 million card numbers from East Coast grocery chain Hannaford Bros., and
• an undetermined number of cards from 7-Eleven.
Gonzalez is in jail and awaiting trial in New York for allegedly helping to hack the computer network of the Dave and Buster's restaurant chain.

The Awful Bad News
• The underlying security holes mined by the hackers still exist in many payment networks.
• The fact that hundreds of millions of card numbers could be stolen from retailers illustrates the flaws in a payment system that's built more for speed than security.
• Gonzalez and his associates exploited vulnerabilities that remain widespread.

Prosecution of Hackers outside the US is Difficult
• Ori Eisen, founder of Scottsdale, Ariz.-based security firm 41st Parameter and previously worldwide fraud director for American Express, noted that Gonzalez is "most likely not the kingpin.
• The kingpin would not risk being in the United States. They operate out of the Ukraine or Russia, and they're former militants or ex-KGB who know their way around just enough not to get caught."

Privacy and Security References
• Holtzman, D. “Privacy Lost: How Technology Is Endangering Your Privacy”, Jossey-Bass (2006).

The Internet and the law
Dark side of the Internet and the law

CAN SPAM Law of 2003
CAN-SPAM Act of 2003 (Pub. L. 108-187, S. 877)
• The Controlling the Assault of Non-Solicited Pornography and Marketing Act requires unsolicited commercial e-mail messages to be labeled (though not by a standard method) and to include opt-out instructions and the sender's physical address. It prohibits the use of deceptive subject lines and false headers in such messages. The FTC is authorized (but not required) to establish a "do-not-email" registry.
State laws that require labels on unsolicited commercial e-mail or prohibit such messages entirely are pre-empted, although provisions merely addressing falsity and deception would remain in place. The CAN-SPAM Act took effect on January 1, 2004.

Cyber-Warfare
Cyber-warfare uses computers and the Internet to wage war. This mode of warfare is being used in hot and cold wars as well as by both sides in the war on terrorism.
Source for Cyber Warfare: http://en.wikipedia.org/wiki/Cyber-warfare

An Electronic Pearl Harbor
“It may even be unclear what constitutes an act of war. If U.S. satellites suddenly go blind and the telephone network on the eastern seaboard goes down, it is possible that the United States could not even identify the enemy. Its strategic stockpile of weapons would be of little use. There would be no big factory to bomb – only a person somewhere writing software. The possibility of an electronic Pearl Harbor has sparked a debate on how to counter the threat.”
Source: “Bits, bytes, and diplomacy”, Walter Wriston, Foreign Affairs, Sept-Oct 1997, v76 n5 p172(11)

Types of attacks
There are several methods of attack in cyber-warfare; this list is ranked in order from mildest to most severe.
• Web vandalism: Attacks that deface webpages, or denial-of-service attacks. This is normally swiftly combated and of little harm.
• Propaganda: Political messages can be spread through or to anyone with access to the Internet.
• Gathering data: Classified information that is not handled securely can be intercepted and even modified, making espionage possible from the other side of the world.
• Denial-of-Service Attacks: Large numbers of computers in one country launch a DoS attack against systems in another country.
• Equipment disruption: Military activities that use computers and satellites for co-ordination are at risk from this type of attack. Orders and communications can be intercepted or replaced, putting soldiers at risk.
• Attacking critical infrastructure: Power, water, fuel, communications, commercial and transportation systems are all vulnerable to a cyber attack.

Cyber-Warfare – Major Powers
• In September 2007 the Pentagon and several European organizations reported penetration by hackers from China, reported to be the People's Liberation Army (PLA). In diplomatic meetings with Germany, Great Britain, and the US, China claimed that it was not responsible for the attacks.
• The US has been under attack by Chinese and Russian hackers for the last several years; for details see:
– Titan Rain – http://en.wikipedia.org/wiki/Titan_Rain, and
– Moonlight Maze – http://en.wikipedia.org/wiki/Moonlight_Maze

Eligible Receiver
• Eligible Receiver is the code name of a 1997 internal exercise initiated by the Department of Defense.
• A "red team" of hackers from the National Security Agency (NSA) was organized to infiltrate the Pentagon systems.
• The red team was only allowed to use publicly available computer equipment and hacking software.
• Although many details about Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities.
Source: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/hamre.html

Moonlight Maze
• Moonlight Maze refers to a highly classified incident in which U.S. officials accidentally discovered a pattern of probing of computer systems at the Pentagon, NASA, the Energy Department, private universities, and research labs.
• It began in March 1998 and had been going on for nearly two years.
• The invaders were systematically marauding through tens of thousands of files – including maps of military installations, troop configurations and military hardware designs.
• The Defense Department traced the trail back to a mainframe computer in the former Soviet Union, but the sponsor of the attacks is unknown and Russia denies any involvement.
Source: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/#maze

Titan Rain
• In 2005 a cyber attack, code named Titan Rain, was exposed. It was targeted at military and secret government sites world wide.
• Using computer forensics techniques and hacking into the offending systems, Shawn Carpenter was able to use the compromised systems against themselves and find the actual origin of the attacks. Doing things that official government agents could not, he determined that the root of the attacks was inside China.
Source: http://www.time.com/time/printout/0,8816,1098961,00.html

Estonia – Perhaps the First 21st Century Cyber-Warfare Attack
• May 17, 2007 saw a Distributed Denial of Service (DDOS) attack on Estonia.
• Prior to the attack the Estonian government moved the "Bronze Soldier", a Russian war monument, from the center of Tallinn to a cemetery.
• The DDOS attacks were aimed at the banking, government, and major economic uses of the Internet.
• The Estonian government blamed the Russian government for the attack.

The Estonia DDOS Attack
• The attacks, whether organized by or sanctioned by the Russian government, drew the attention and assistance of the US, NATO, and European nations.
• The attack is thought to have involved rented networks of zombie computers and millions of other computers infected with a bot program, used to attack fundamental institutions of the Estonian government and economy.

China Presents Unique Resources
• High tech and skilled programmers.
• As the manufacturer of computer hardware, software, and other critical electronic components, China could plant Trojan horse and other programs that would be difficult to detect and remove.
• A Chinese general has stated that China would attack the US communication and electrical networks before starting an attack.
United States Reorganizes the Military
• On Sept. 18, 2007 the United States Air Force announced the creation of a Cyber Command.
• One of the problems has been that military people did not perceive the threat as real war, i.e. "Software does not kill, bullets do".
• President Obama created a cyber security czar on 5/29/2009.

Attacking the Critical Infrastructure
The US has not been an agrarian society for two centuries, and in the 21st century we are now highly dependent on an interconnected system of networks for the goods and services that sustain us.
Includes slides from: http://www.infragard.net/library/congress_05/drinking_water/drinking_water_threats.ppt

The Nation's Infrastructure is a Complex "System of Systems"
• Infrastructure: The framework of interdependent networks and systems that provides a continual flow of goods and services essential to the defense and economic security of the United States.
• Critical National Infrastructures: Infrastructures that are deemed to be so vital that their incapacity or destruction would have a debilitating regional or national impact, or would severely disrupt the behavior and activities of large numbers of people who depend upon the infrastructure.

The National Infrastructure Protection Plan defines 17 Sectors and Key Resources
• Agriculture & Food
• Banking and Finance
• Chemical & Hazardous Materials Industry
• Defense Industrial Base
• Energy
• Emergency Services
• Information Technology
• Telecommunications
• Postal & Shipping
• Public Health
• Transportation
• Water
• National Monuments and Icons
• Commercial Assets
• Government Facilities
• Dams
• Nuclear Power Plants
Most of the U.S. infrastructure is privately owned.

U.S. Critical Infrastructure Protection Challenge
• 1,912,000 farms
• 87,000 food-processing plants
• 5,800 registered hospitals
• 87,000 emergency services entities
• 2 billion miles of telecomm cable
• 2,800 electric power plants
• 104 commercial nuclear power plants
• 300,000 oil and natural gas sites
• 460 skyscrapers
• …
• 5,000 public airports
• 120,000 miles of major railroads
• 590,000 highway bridges
• 2,000,000 miles of pipelines
• 500 urban public transit systems
• 26,600 banks & financial institutions
• 66,000 chemical plants
• 80,000 dams
• 3,000 federal government facilities
• …

The threat is real!
• Unstructured adversaries
– Cracker, hacker, script-kiddie
– Competitors
– Criminals
• Structured adversaries
– Terrorists, hacktivists (hacker-activists)
– Organized crime
– Foreign nations
• Insiders
– Witting
– Unwitting
– Half-witting (You can't fix "stupid")
Three levels of "Terrorist":
• Independent
• Supported
• Foreign agent
Source: http://www.iti.uiuc.edu/events/2005_09_15_Jeff_Dagle.pdf

[Figure: "A 'System of Systems' Perspective Is Needed for Analyzing Infrastructure Interdependencies" -- a diagram of the interdependencies among Transportation, Oil, Natural Gas, Electric Power, Water and Telecom, and a second diagram relating Types of Threats / Means of Attack (Nuclear Weapon/Explosive, Radiological Dispersal Device, Biological Weapon/Material, Chemical Weapon/Material, Conventional Explosive, Physical Force, Cyber Means, Insider, Emerging Threats), Complex Interdependencies, "Targets" and Vulnerabilities, and the Homeland Security Strategic Objectives (Prevent Attacks, Reduce Vulnerability, Minimize Damage & Recover).]

Attacking the nation's networks
• While DDoS can be used to attack government and economic sites, it is not a long term crippling attack.
• Attacking the communication, energy (pipelines), and transportation networks can do devastating damage to the economy, cripple the military, and demoralize the population.
• Supervisory Control and Data Acquisition (SCADA) systems are the Achilles' heel of the above networks.
SCADA attacks
• SCADA was designed for automated plant process control. Its original design did not envision its use over the Internet, nor did it envision security.
• SCADA was adopted by electrical grids, pipelines, and transportation networks.
Source: http://www.pcworld.com/article/id,137845-c,networksecurity/article.html

Proof of SCADA attack concept
• The Idaho National Laboratory prepared the demonstration, in March 2007, for the U.S. Department of Homeland Security (DHS).
• The simulated attack took advantage of a known SCADA software vulnerability and showed how a motor-generator could be driven into failure.
Photo is from a video of the SCADA attack; the video is no longer on the web.
Source: http://www.zdnet.com/blog/btl/blowing-up-generators-remotely/6451

Stuxnet, the first SCADA Malware/Worm
• A new computer worm, 2009-2010, has appeared that attacks industrial networks and plants. The worm is called Stuxnet.
• It attacks the Windows 7 operating system and Siemens industrial control and SCADA software such as that found in pipelines, power networks, etc.

Stuxnet is sophisticated and appears expensive to develop
• It is claimed that the level of effort and the sophistication of the worm indicate that only a well financed and motivated professional group could have created it.
• Siemens reports that at least 4 industrial sites in Germany and many other places in the world have been attacked by the worm.
• The worm has been around for a year (2010), and both Microsoft and Siemens claim to have patches for the worm.

How does Stuxnet work?
Langner, one of the first experts to report on Stuxnet, states:
• "Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control.
One of the last codes Stuxnet sends is an enigmatic "DEADF007." Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner's analysis shows."
http://news.yahoo.com/s/csm/327178

How does Stuxnet work? - a more detailed analysis
• This detailed analysis is included for the purpose of pointing the technical programmer to a more thorough review of the code. See http://www.codeproject.com/KB/websecurity/StuxnetMalware.aspx
Source: Provided by Prof. J. Veranas.

What might have been the Stuxnet target?

Stuxnet References
• http://en.wikipedia.org/wiki/Stuxnet
• http://www.google.com/hostednews/ap/article/ALeqM5jam2yTGb8W1t53gQ6SRbSquSmiAD9IFORD00
• http://volokh.com/2010/09/22/vc-scoops-the-security-pros-by-two-months/
• NYT links Iran worm to bible
• Stuxnet 'cyber superweapon' moves to China

More Technical Information
SCADA Security:
• SCADA Tutorial http://www.uoregon.edu/~joe/scada/SCADAsecurity.ppt
• http://www.esisac.com
• Hackers Target U.S. Power Grid http://navastream.com/News_Releases_03112005.shtml
• Staged Attack Causes Generator to Self-Destruct http://www.schneier.com/blog/archives/2007/10/staged_attack_c.html

The Boden Incident
• Nov. 2001 -- Sewage release into river, Queensland, Australia
In November 2001, 49-year-old Vitek Boden was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to 1 million liters of sewage into the river and coastal waters of Maroochydore in Queensland, Australia. Boden, who had been a consultant on the water project, conducted the attack in March 2000 after he was refused a fulltime job with the Maroochy Shire government.
He had attempted to gain access to the system 45 times, and his last attempt proved successful, allowing him to release raw sewage into the waterways.
Source: CNET News.com -- August 26, 2002

Maroochy Shire, Australia
Source: http://images.businessweek.com/ss/10/10/1014_cyber_attacks/8.htm

SCADA attack using Google Search
• "You can make it do anything you want it to do," Pollet, founder and principal consultant at Red Tiger Security, said. "If that RTU or PLC has large motors connected to it, pumping out water or chemicals, the equipment could be turned off. If it was a substation and the power recloser switches were closed, we could break it open and create an (electricity) outage for an entire area or city...The bottom line is you could cause physical damage to whatever is connected to that PLC."
• To know exactly what to search for on the Internet, the researchers bought a PLC with an embedded Web server that had an identifying string of characters associated with the hardware and then typed that information into Google, according to Pollet.
• Read more: http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipment-discoverable-via-google/#ixzz1XZdsX21w
Photo caption: Tom Parker, chief technology officer at FusionX, explaining in detail how SCADA systems are controlled. (Credit: Seth Rosenblatt/CNET)

Some Infrastructure failure examples (not due to attacks)
To show the extent of the danger in infrastructure attacks, we cite some incidents thought to be due to equipment or human failure or due to natural hazards.
• The Bellingham, WA, June 10, 1999 Gasoline Pipeline Rupture and Fire…
• El Paso Natural Gas 30" Pipeline Rupture and Fire Near Carlsbad, NM, August 19, 2000

The Boden Incident Wasn't Unusual… Wireless Network Porosity Is Common
• 'Paul Blomgren […] measures control system vulnerabilities. Last year, his company assessed a large southwestern utility that serves about four million customers. "Our people drove to a remote substation," he recalled.
"Without leaving their vehicle, they noticed a wireless network antenna. They plugged in their wireless LAN cards, fired up their notebook computers, and connected to the system within five minutes because it wasn't using passwords. […] Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports.'
http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html

Hacking and Political Activism
Hacking and political activism is now called Hacktivism. Within the last ten years, the successful use of social networks and mobile devices in political campaigns has inspired what is called Hacktivism.

Cyber Warriors

Cyber Warrior -- Richard A. Clarke
• Richard A. Clarke served 4 presidents. A highly controversial figure with over 30 years in anti-terrorism.
• He was the head of counterterrorism under Clinton and was carried over to George W. Bush.
• He was outspoken on cyberterrorism in the 90's.
• He left government after 9-11 and has been highly critical of the Bush administration.

Cyber Warrior -- Shawn Carpenter
• Shawn worked on tracking down the Chinese connection to Titan Rain.
• He hunted them despite being pulled off the trail by his government lab employer, and he eventually got fired. The FBI used him and encouraged him to track but later turned on him.
• The Chinese did not cooperate, as is normal for private hackers.
• The red tape showed the difficulty of counter-cyberwarfare.
Source: http://www.time.com/time/printout/0,8816,1098961,00.html

Cyber Warfare/Terrorism References
• Alexander, Y. and Swetnam, M., "Cyber Terrorism and Information Warfare: Threats and Responses", Transnational Pub, Inc. (2001).
• Branigan, S., "High-Tech Crimes Revealed", Addison Wesley, (2005).
• Chirillo, J., "Hack Attacks Encyclopedia", John Wiley, (2001).
• Clarke, R. A., "Against All Enemies", Thorndike Press, (2004).
• Clarke, R. A. & Knake, R. K., "Cyber War, The Next Threat to National Security and What to do about It", Harper Collins, (2010).
• Morozov, E., "The Net Delusion, The Dark Side of Internet Freedom", Public Affairs Press, (2011).
• Singer, P. W., "Wired for War, the Robotic Revolution and Conflict in the 21st Century", Penguin Press, (2005).
• Verton, D., "Black Ice: The Invisible Threat of Cyber-terrorism", McGraw Hill, (2003).
• Weimann, G., "Terror on the Internet", United States Institute of Peace Press, (2006).
• Winkler, I., "Spies Among Us", Wiley, (2005).

Hackers
The term hacker goes back to the early days of computers and originated with a group of computer students at MIT.

Who are hackers?
hacker n.
1. A computer expert
2. A person that intentionally circumvents computer security systems (more often used by the media)

Hackers
• Hackers were originally those people with intense interest and computer skills.
• Hackers are now people who use their computer skills to break into secure computer sites, disrupt Internet communications, steal information, etc.
• In the early days of the transition, hackers were sort of seen as teenage (mostly male) geeks who broke into sites and looked around.
• The world became less tolerant as the costs rose rapidly, and the behavior is now seen as the work of terrorists and criminals.

Cracker or Black Hat
• A black hat is a person who compromises the security of a computer system without permission from an authorized party, typically with malicious intent. The term white hat is used for a person who is ethically opposed to the abuse of computer systems, but is frequently no less skilled.
• The term cracker was coined by Richard Stallman to provide an alternative to using the existing word hacker for this meaning.[1] The somewhat similar activity of defeating copy prevention devices in software, which may or may not be legal under a country's laws, is actually software cracking.
Source: http://en.wikipedia.org/wiki/Black_hat

Script Kiddie
• In hacker culture, a script kiddie (occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar) is a derogatory term used for an inexperienced malicious cracker who uses programs developed by others to attack computer systems and deface websites. It is generally assumed that script kiddies are kids who lack the ability to write sophisticated hacking programs on their own,[1] and that their objective is to try to impress their friends or gain credit in underground cracker communities.[1]

What is phone phreaking?

Phone Phreaks
• The "phone phreak" (phreak for short) is a specific breed of hacker. A phreak is someone who displays most of the characteristics of a hacker, but also has a specific interest in the phone system and the systems that support its operations. Additionally, most of the machines on the Internet, itself a piece of the Public Switched Network, are linked together through dedicated, commercial phone lines. A talented phreak is a threat not only to the phone system, but to the computer networks it supports.
• There are two advantages of attacking systems through the phone system. The first advantage is that phone system attacks are hard to trace. It is possible to make connections through multiple switching units or to use unlisted or unused phone numbers to confound a tracing effort. Also, by being in the phone system, it is sometimes possible to monitor the phone company to see if a trace is initiated.
• The second advantage to using the phone system is that a sophisticated host machine is not needed to originate an attack, nor is direct access to the network to which the target system is attached. A simple dumb terminal connected to a modem can be used to initiate an attack. Often, an attack consists of several hops, a procedure whereby one system is broken into and from that system another system is broken into, etc.
This again makes tracing more difficult.
http://csrc.nist.gov/publications/nistir/threats/subsection3_4_3.html

Infamous Hackers
A Rogues' Gallery of Hackers, along with the damage to private industry, society, and government.

Stanley Mark Rifkin (Social Engineer)
• In 1978 Rifkin pulled off one of the largest bank thefts ever. Using social engineering to get bank information and codes, he transferred $10.2 M from the Security Pacific Bank in LA to a Swiss bank account and then converted the funds to $8.2 M worth of Russian commercial diamonds.
• Footnote -- Rifkin returned to the US and, believing that the diamonds could be sold at a profit, attempted to sell them to local jewelry outlets for $13.2 M. Working on a tip, he was turned in. The bank after the trial believed that it could now sell the diamonds at a profit via auction. After a year of trying, the bank sold them at greatly less than the original price.
• Lesson -- DIAMONDS are greatly over inflated in value and are a classic example of social engineering. Their value as an investment is highly doubtful. See

John Draper (a.k.a. Cap'n Crunch)
• Used a Cap'n Crunch toy whistle to make unlimited free payphone calls.
• The whistle, unbeknownst to General Mills (the manufacturer of Cap'n Crunch), created a 2600 Hz tone.
• This frequency was the same used by phone technicians to test payphones and make free phone calls.

Ian Murphy
• Changed the internal clocks at AT&T.
• Impact: Phone bills were universally incorrect. Late night discounts were given to daytime users, and late night users were subject to high bills.
• First hacker to go to jail.
• Inspired the movie Sneakers.

Robert Morris
• Son of the chief scientist at the National Security Agency (NSA).
• In 1988, he wrote the first worm that was released to the public.
• He claimed he was trying to determine the size of the Internet.
• Affected 6,000 systems
• 3 yrs probation
• 400 hours of community service
• Fined $10,400.
Source: www.nndb.com

Erik Bloodaxe (a.k.a. Chris Goggans)
• Member of Legion of Doom
• Texas hacker
• Started a feud with Masters of Deception.
• A two year hacker war ensued.
• Telephone systems and credit cards were the victims.

Vladimir Levin
• Hacked Citibank
• Stole $10 – 12 million
• Arrested in 1995.
• Fought extradition for two years
• 3 yrs in prison
• Had to return $240,015 to Citibank

David L. Smith
• Creator of the "Melissa" virus
• The Melissa virus was named after a stripper and was sent as an email attachment.
• Caught by hard work and luck

Ehud Tenenbaum
• 18-year-old Israeli who created "the most organized and systematic attack the Pentagon has seen to date."

Kevin Mitnick
• Hacked
– PACBell
– The Pentagon
– North American Air Defense Command
– MCI
– Digital Equipment Co.
– Nokia
– Motorola
– Novell
– Fujitsu
– NEC
– Sun
• Prison term: 5 yrs.
• Fines: $4,000
• Not allowed to touch a computer for three years

Kevin Mitnick
• After being convicted and serving 4 yrs., he became a security professional.
• While the media portrayed him as a computer genius, he exploited human weakness through social engineering for his exploits.
• See "Art of Deception" by K. D. Mitnick & Wm. L. Simon, Wiley (2002). A compendium of cons for getting information, including private, governmental, and corporate data, and ways to prevent them.
Source: http://www.mccullagh.org/image/10d-9/kevin-mitnick.html
Shown at Las Vegas DEF CON selling his services as a security professional.

Hao Jinglong and Hao Jingwen
• Hacked -- Commercial Bank of China in 1999
• Stole: $87,000
• Hao Jinglong -- Prison term: Life
• Hao Jingwen -- Death penalty
Source: http://www.computerworld.com.au/index.php/id;1224861705;relcomp;1

Reomel Lamores
• Author of the Love Bug
• Damage caused to international businesses estimated at over $100 million
• Prison term: None
• Fine: $0
• Hacking is not a crime in the Philippines

Adrian Lamo
• Homeless hacker who only performs intrusion analysis for free for large companies.
• Hacked into
– MCI WorldCom
– New York Times Co.
– Microsoft
– AOL Time Warner
– CSC
– NBC
• NYT pressed charges against him.
• 1 year home probation.

The Worcester Phreaker
Caused computer crash that disabled Massachusetts airport
March 18, 1998 -- Web posted at: 10:40 p.m. EST (0340 GMT)
BOSTON (CNN) -- A Massachusetts teen hacker who disabled communications to the air traffic control tower at the Worcester, Massachusetts, airport in 1997 has become the first juvenile charged in federal court with computer hacking. The boy, whose age, identity and hometown have not been disclosed, has agreed to plead guilty in return for two years probation, a fine and community service, according to documents released Wednesday by the U.S. Department of Justice. On March 10, 1997, the unidentified hacker broke into a Bell Atlantic computer system, causing a crash that disabled the phone system at the airport for six hours. The crash of the switch knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. Also, the tower's main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress.
http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/

Super Hacker
• Gary McKinnon is alleged to have hacked over 90 U.S. military computers and NASA before and after 9/11.
• He was looking for the existence of UFOs and to prove inadequacies in US security.
• He supposedly stole 950 passwords from one military system and prevented naval email traffic being routed across the internet for a month.
• The US investigation was carried out with the aid of the UK's national hi-tech crime unit.
• He eventually could face a total of up to 70 years in a US jail.
http://www.superhacker.com/hacker.html

The criminal hacker as entrepreneur
• Jeanson James Ancheta, who prosecutors said was a well-known member of the "Botmaster Underground" -- a secret network of hackers skilled in "bot" attacks -- was arrested in November in what prosecutors said was the first such case of its kind.
• "He hijacked somewhere in the area of half a million computer systems. This not only affected computers like the one in your home, but it allowed him and others to orchestrate large scale attacks."
• Prosecutors say the case was unique because Ancheta was accused of profiting from his attacks by selling access to his "bot nets" to other hackers and planting adware, software that causes advertisements to pop up, into infected computers.
• He agreed to pay some $15,000 in restitution to the military facilities and forfeit the proceeds of his illicit activities, including more than $60,000 in cash, a BMW automobile and computer equipment.
Source: 'Botmaster' pleads guilty to computer crimes, Tue Jan 24, 2006 8:53 AM ET, Reuters

Emulex Corporation
• On August 25, 2000 the media reported that Emulex was under investigation by the Securities and Exchange Commission for accounting fraud.
• In response to the investigation, the media further reported, the CEO would be stepping down.
• Within hours, Emulex had lost 62% of its value, or $2.2 billion in market capitalization.
• By the end of the day, it was discovered that it was a hoax.
• Within a week, it was tracked to a community college student named Mark Jakob.
• Jakob had made over $250,000 by shorting the stock.
• Prison term: 3 yrs. 8 mos.
• Fine: Forfeit all profits and $103,000 in punitive fines.

The Good Guys who track the hackers down

Cyber Crime Reference
• While the current presentation is extensive, the following is recommended for anyone looking for a presentation that was designed for law school students, IT, or criminal justice and includes extensive and current cases.
http://www.law.uoregon.edu/faculty/shoar/docs/cc10/darkside.ppt

Clifford (Cliff) Stoll
• Astronomer and systems analyst.
• Tracked down Markus Hess, a German hacker working for the KGB, who was attacking and spying on government sites.
• Wrote a book about his exploits, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage.
Photo: http://www.pro-linux.de/berichte/jpgs/cliff_interview.jpg

Hacker Trackers
• Kevin Mitnick was tracked down in part by Tsutomu Shimomura.
• See "Take Down", T. Shimomura & J. Markoff, Hyperion Press, (1996).

References
• Verton, D., "The Hacker Diaries, Confessions of Teen Age Hackers", (2002), McGraw Hill.

The Tools of Hackers
Soft tech tools -- social engineering -- use deception and hard work. High tech tools are often developed by systems administrators to test and explore their networks and computer assets for holes and exploits. These same tools are in turn used by the hacker for break-ins and exploits.

Techniques for obtaining information
Low Tech -- Social Engineering
• Stealing mail or rummaging through rubbish (dumpster diving)
• Eavesdropping on public transactions to obtain personal data (shoulder surfing)
• Obtaining castings of fingers for falsifying fingerprint identification
Source: http://en.wikipedia.org/wiki/Identity_theft

Social Engineering
While the media portrays the hacker as a super smart geek, in fact many of the best "hackers" use social engineering to accomplish their criminal acts.

Social Engineering
In the field of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes.
It is generally agreed upon that "users are the weak link" in security, and this principle is what makes social engineering possible.
Source: http://en.wikipedia.org/wiki/Social_engineering_%28computer_security%29

The High Tech Hacker
High Tech -- Internet Approaches
• Stealing personal information in computer databases [Trojan horses, hacking]
• Infiltration of organizations that store large amounts of personal information
• Impersonating a trusted organization in an electronic communication (phishing)
• Spam (electronic): Some, if not all, spam requires you to respond to alleged contests, enter into "Good Deals", etc.
• Browsing social network sites (MySpace, Facebook, Bebo etc.) online for personal details that have been posted by users in public domains.

The Dark Side of Google
Using the advanced search features to find private individuals' private and other confidential information.

Intro to Google Hacking
• "Google Hacking" is the use of Google's data stores for naughty things.
• Makes extensive use of the advanced Google syntaxes.
• Is trivially easy to do and is rather trendy.
• An excellent guide to get up to speed on the techniques of "Google Hacking" is the O'Reilly book Google Hacks by Tara Calishain.
An Invitation to Data Mining
http://www.romanpoet.org/1/iz4__Invitation_to_DataMining.ppt

Google Hacking
University of Sunderland CSEM02
Harry R Erwin, PhD
Peter Dunne, PhD
Section taken from the web, as posted by Erwin

Basics
• Web Search
• Newsgroups
• Images
• Preferences
• Language Tools

Google Queries
• Non-case sensitive
• * in a query stands for a word
• '.' in a query is a single character wildcard
• Automatic stemming
• Ten-word limit
• AND (+) is assumed; OR (|) and NOT (-) must be entered
• "" for a phrase

More Queries
• You can control the language of the pages and the language of the reports
• You can restrict the search to specific countries
(google tricks) how to download files from google!

Controlling Searches
• intitle, allintitle
• inurl, allinurl
• filetype
• allintext
• site
• link
• inanchor
• daterange
• cache
• info
• related
• phonebook
• rphonebook
• bphonebook
• author
• group
• msgid
• insubject
• stocks
• define

Controlling Searches (II)
• These operators can be used to restrict searches.
• To restrict the search to the university: site:sunderland.ac.uk
• Or to search for seventh moon merlot in the UK: "seventh moon" merlot site:uk

Typical Filetypes
• pdf
• ps
• xls
• ppt
• doc
• rtf
• txt

Why Google
• You access Google, not the original website.
• Most crackers access any site, even Google, via a proxy server.
• Why? If you access the cached web page and it contains images, you will get the images from the original site.
Directory Listings
• Search for intitle:index.of
• Or intitle:index.of "parent directory"
• Or intitle:index.of name size
• Or intitle:index.of inurl:admin
• Or intitle:index.of filename
• This can then lead to a directory traversal
• Look for filetype:bak, too, particularly if you want to expose SQL data generated on the fly

Commonly Available Sensitive Information
• HR files
• Helpdesk files
• Job listings
• Company information
• Employee names
• Personal websites and blogs
• E-mail and e-mail addresses

Google Hacking Examples
Examples showing how to use the previous ideas
Download eBooks with Google

Basic Google Hacks

Network Mapping
• site:domain name
• Site crawling, particularly by indicating negative searches for known domains
• Lynx is convenient if you want lots of hits:
– lynx -dump "http://www.google.com/search?q=site:name+-knownsite&num=100" > test.html
• Or use a Perl script with the Google API

Link Mapping
• Explore the target site to see what it links to. The owners of the linked sites may be trusted and yet have weak security.
• The link operator supports this kind of search.
• Also check the newsgroups for questions from people at the organization.

Web-Enabled Network Devices
• The Google webspider often encounters web-enabled devices. These allow an administrator to query their status or manage their configuration using a web browser.
• You may also be able to access network statistics this way.

Searches to Worry About
• site:
• intitle:index.of
• error|warning
• login|logon
• username|userid|employee.ID|"your username is"
• password|passcode|"your password is"
• admin|administrator
• -ext:html -ext:htm -ext:shtml -ext:asp -ext:php
• inurl:temp|inurl:tmp|inurl:backup|inurl:bak
• intranet|help.desk

Protecting Yourselves
• Solid security policy
• Public web servers are Public!
• Disable directory listings
• Block crawlers with robots.txt
• <META NAME="ROBOTS" CONTENT="NOARCHIVE">
• NOSNIPPET is similar.
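As an added example (not part of the lecture or of the Sunderland slides it quotes), here is a small Python audit that turns the "Searches to Worry About" and "Protecting Yourselves" bullets into a check you run over a crawl of your own site before Google indexes it: it flags directory listings, backup and temp files, sensitive path words and "your password is" text, and reports pages that carry none of the NOARCHIVE/NOSNIPPET meta directives. The sample pages and the example.test host are constructed; the finding codes are this example's own.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Patterns drawn from the "Searches to Worry About" and "Directory Listings"
# slides: what Google would index, and what we should find first ourselves.
RISKY_EXTENSIONS = {".bak", ".tmp", ".old", ".sql", ".inc", ".orig"}
RISKY_PATH_WORDS = {"temp", "tmp", "backup", "bak", "admin", "intranet", "helpdesk"}
CREDENTIAL_PHRASES = ("your username is", "your password is", "passcode")
DIRECTORY_LISTING_TITLE = re.compile(r"index\s+of", re.IGNORECASE)


class _PageParser(HTMLParser):
    """Collects the <title>, visible text and any <meta name="robots"> directives."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.text_chunks = []
        self.robots_directives = set()
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and attrs.get("name", "").lower() == "robots":
            for directive in attrs.get("content", "").split(","):
                self.robots_directives.add(directive.strip().lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.text_chunks.append(data)


def audit_page(url, html):
    """Return a sorted list of finding codes for one page of your own site."""
    parser = _PageParser()
    parser.feed(html)
    parser.close()  # flush trailing text that has no tag after it
    text = " ".join(parser.text_chunks).lower()
    path = urlsplit(url).path.lower()
    findings = set()

    if DIRECTORY_LISTING_TITLE.search(parser.title) or "parent directory" in text:
        findings.add("directory-listing")
    if os.path.splitext(path)[1] in RISKY_EXTENSIONS:
        findings.add("backup-or-temp-file")
    if RISKY_PATH_WORDS & set(re.split(r"[/._-]+", path)):
        findings.add("sensitive-path-word")
    if any(phrase in text for phrase in CREDENTIAL_PHRASES):
        findings.add("credential-text")
    # The slides' mitigation: a page that must stay public but should not sit in
    # Google's cache needs NOARCHIVE (NOSNIPPET is similar); NOINDEX is stronger.
    if findings and not parser.robots_directives & {"noarchive", "nosnippet", "noindex"}:
        findings.add("missing-noarchive-meta")
    return sorted(findings)


def audit_site(pages):
    """pages: {url: html}. Returns only the URLs with at least one finding."""
    report = {url: audit_page(url, html) for url, html in pages.items()}
    return {url: found for url, found in report.items() if found}


# Constructed sample crawl of a hypothetical intranet (example.test is a
# reserved test domain; none of this is a real site or a real secret).
SAMPLE_PAGES = {
    "http://www.example.test/files/": (
        "<html><head><title>Index of /files</title></head>"
        "<body><a href='../'>Parent Directory</a> <a href='db.sql'>db.sql</a></body></html>"
    ),
    "http://www.example.test/backup/config.bak": "DB_PASS=placeholder-not-a-real-secret",
    "http://www.example.test/helpdesk/welcome.html": (
        '<html><head><title>Welcome</title>'
        '<meta name="robots" content="noarchive, nosnippet"></head>'
        "<body>Your username is your badge number; your password is mailed to you.</body></html>"
    ),
    "http://www.example.test/about.html": (
        "<html><head><title>About us</title></head><body>Public page.</body></html>"
    ),
}

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_PAGES).items():
        print(url, "->", ", ".join(findings))
```

The "Hack yourself" advice on the next slide is the same idea: run the check from the crawler's point of view, then fix the listing or add the meta tag before asking Google to remove anything.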
More Protection
• Passwords
• Delete anything you don't need from the standard webserver configuration
• Keep your system patched.
• Hack yourself
• If sensitive data gets into Google, use the URL removal tools to delete it.

Youtube Google Hacks 2.0

Google Hacks for Web cams
• One trick to find and search for open, unprotected Internet webcams that broadcast to the web is to use the following query:
• inurl:/view.shtml
• or
• intitle:"Live View / – AXIS" | inurl:view/view.shtml^
Source: Unknown web page

More patterns for finding web cams
• If you know the unique URL, link, or title pattern that other manufacturers' webcam or IP network camera software uses, you can also easily locate and crack those unprotected, insecure cameras or webcams that have been released or leaked to the public Internet by using Google.
inurl:ViewerFrame?Mode= inurl:ViewerFrame?Mode=Refresh inurl:axis-cgi/jpg inurl:axis-cgi/mjpg (motion-JPEG)

More patterns for finding web cams
• inurl:view/indexFrame.shtml inurl:view/index.shtml inurl:view/view.shtml liveapplet intitle:"live view" intitle:axis intitle:liveapplet allintitle:"Network Camera NetworkCamera" intitle:axis intitle:"video server" intitle:liveapplet inurl:LvAppl intitle:"EvoCam" inurl:"webcam.html"

More patterns for finding web cams
• intitle:"Live NetSnap Cam-Server feed" intitle:"Live View / – AXIS" intitle:"Live View / – AXIS 206M" intitle:"Live View / – AXIS 206W" intitle:"Live View / – AXIS 210" inurl:indexFrame.shtml Axis inurl:"MultiCameraFrame?Mode=Motion" intitle:start inurl:cgistart intitle:"WJ-NT104 Main Page"

More patterns for finding web cams
• intext:"MOBOTIX M1" intext:"Open Menu" intext:"MOBOTIX M10" intext:"Open Menu" intext:"MOBOTIX D10" intext:"Open Menu" intitle:snc-z20 inurl:home/ intitle:snc-cs3 inurl:home/ intitle:snc-rz30 inurl:home/
• intitle:"sony network camera snc-p1" intitle:"sony network camera snc-m1" site:.viewnetcam.com www.viewnetcam.com intitle:"Toshiba Network Camera" user login
intitle:"netcam live image" intitle:"i-Catcher Console – Web Monitor"

Youtube – Finding Webcams

The Dark Side of Googling References
• Dornfest, Rael, Google Hacks, 3rd ed., O'Reilly, (2006)
• Ethical Hacking, http://www.ncnet.info/2006conf/Ethical_Hacking_Presentation_October_2006.ppt
• A great cheat sheet of Google search features: http://www.google.com/intl/en/help/features.html
• A valuable cheat sheet for Google search hacks -- how to find information fast and efficiently: http://www.expertsforge.com/Security/hacking-everything-using-google-3.asp

The Dark Side of Googling References (more)
• Henk Van Ess, Hacking with Google, http://www.zoekzone.com/gijc2005_vaness3.pdf -- A tutorial for finding things like social security numbers, phone directories, and similar items that should not be left lying about on the Web. This is done to illustrate how to protect your web site and your personal data.
• Google Hacking, http://osiris.sunderland.ac.uk/~cs0her/CSEM02%20Lectures/GoogleHacking.ppt
• Google Hacks 101, http://osiris.sunderland.ac.uk/~cs0her/CSEM02%20Lectures/GoogleHacking.ppt

Google Hacks webcam reference
• How to Find and View Millions of Free Live Web Cams -- http://www.traveltowork.net/2009/02/howto-find-view-free-live-web-cams/
• How to Hack Security Cameras, http://www.truveo.com/How-To-Hack-Security-Cameras/id/180144027190129591
• How to Hack Security Cams all over the World, http://www.youtube.com/watch?v=9VRN8BS02Rk&feature=related

Tools for Hacking

Password Cracking
• Password cracking is the process of recovering secret passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password.
• Password cracking works in a number of ways:
– Guessing common words, birth dates, etc.
– Dictionary attacks: trying all the words in a dictionary
– Brute force, based on the hashing system used by the operating system
Source: http://en.wikipedia.org/wiki/Password_cracking

Password cracking programs
• Ophcrack – open source
• Crack
• Cain
• John the Ripper
• LC5 (formerly L0phtCrack)
• RainbowCrack

Packet Sniffers
• A sniffer is a program that monitors and analyzes network traffic, detecting bottlenecks and problems.
• The Ethernet protocol works by sending packet information to all the hosts on the same circuit. A machine that accepts all packets, no matter what the packet header says, is said to be in promiscuous mode.
• Because, in a normal networking environment, account and password information is passed along Ethernet in clear text, it is not hard for an intruder, once they obtain root, to put a machine into promiscuous mode and, by sniffing, compromise all the machines on the net.
Source: http://cs.baylor.edu/~donahoo/tools/sniffer/packetsniffers.htm

Packet Sniffers
The popularity of packet sniffing stems from the fact that it sees everything. Typical items sniffed include:
• SMTP, POP, IMAP traffic
– Allows the intruder to read the actual e-mail.
• POP, IMAP, HTTP Basic, Telnet authentication
– Reads passwords off the wire in clear text.
• SMB, NFS, FTP traffic
– Reads files off the wire.
• SQL database
– Reads financial transactions and credit card numbers.
Source: http://cs.baylor.edu/~donahoo/tools/sniffer/packetsniffers.htm

Packet Sniffers
Source: http://sectools.org/sniffers.html

Cain and Abel Network Sniffer Tutorial

Cryptography and encryption

Network tools – http://networktools.nl/
• Network tools provides an online set of useful network tools to determine the source of SPAM, etc.
• The four tools provided:
– Nslookup
– Whois
– Ping
– Traceroute

Nslookup
nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain a domain name or IP address mapping, or any other specific DNS record.
Source: http://en.wikipedia.org/wiki/Nslookup

Whois
WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. The Whois protocol is documented in RFC 3912.
Source: http://en.wikipedia.org/wiki/Whois

Ping
– Ping is a computer network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer. The name comes from active sonar terminology.
– Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP response. In the process it measures the time from transmission to reception (round-trip time) and records any packet loss. The results of the test are printed in the form of a statistical summary of the response packets received, including the minimum, maximum, and mean round-trip times, and sometimes the standard deviation of the mean.
– Ping may be run using various options (command-line switches), depending on the implementation, that enable special operational modes, such as specifying the packet size used as the probe, automatic repeated operation for sending a specified count of probes, time-stamping options, or performing a ping flood.
Flood pinging may be abused as a simple form of denial-of-service attack, in which the attacker overwhelms the victim with ICMP echo request packets.
Source: http://en.wikipedia.org/wiki/Ping

Traceroute
• traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
• traceroute outputs the list of traversed routers in simple text format, together with timing information.
• Traceroute is available on most operating systems. On Microsoft Windows operating systems it is named tracert. Windows NT-based operating systems also provide PathPing, with similar functionality.
• Variants with similar functionality are also available, such as tracepath on Linux installations. For Internet Protocol Version 6 (IPv6) the tool sometimes has the name traceroute
Source: http://en.wikipedia.org/wiki/Traceroute

Hacking Wireless Networks Tools

Reference: Hacking Wireless Networks
• Beaver, Kevin & Davis, Peter, "Hacking Wireless Networks For Dummies", Wiley (2005).

Keystroke Logging
• A keystroke logger is a program installed on a computer to record every keystroke that the user makes. Typically it is hidden in a Trojan horse.
• The keystroke logger can reveal user ids and passwords, scripts, etc.
• The recorded data can be downloaded, and the same access can be used to upload other damaging programs or to create a slave computer that obeys a master in DDoS attacks.

Hacking Tool References
• Schwartau, W., "CyberShock", Thunder's Mouth Press (2000).

Securing your computer and website
There is no foolproof mechanism for securing your computer or your website from attack. However, you can make it very difficult and time consuming to attack with some simple and inexpensive (relative to the cost of the attack) means.

Simple Protection against Hackers
• Simplest security
– Username and Password
– Statistic about password frequency
– Passwords should contain letters, numbers and other assorted symbols.
• Use
– @ instead of a
– $ instead of s
– 3 instead of E
– & instead of et
– 1 or ! instead of i
– 1 instead of l (depending on whether you use ! instead of i)
– Ex. Instead of using the password "mainstreet" use "m@1n$tr3&"

What is a firewall?
(fīr´wâl) (n.) A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Source: http://www.webopedia.com/TERM/f/firewall.html

How does a firewall work?
There are several types of firewall techniques:
• Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
• Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
• Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
• Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information.
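The packet-filter technique and its IP-spoofing weakness, worked through in Python as an added example (not from the slides or from Webopedia): a first-match rule evaluator, a naive rule set that trusts any packet claiming an internal source address, and a hardened set that adds an anti-spoofing rule on the outside interface. The address ranges, interface names, rule fields and packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed for this example)."""
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One user-defined rule; "*", 0.0.0.0/0 and port 0 mean "match anything"."""
    action: str          # "accept" or "drop"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: int = 0

    def matches(self, pkt):
        return (self.iface in ("*", pkt.iface)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("*", pkt.proto)
                and self.dport in (0, pkt.dport))


def filter_packet(rules, pkt):
    """First matching rule decides; a packet no rule matches is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


INTERNAL = "10.0.0.0/8"   # constructed private range of the protected network
WEB = "10.0.0.5/32"       # constructed address of the public web server

# Naive rules: anything that claims an internal source address is trusted.
# The source address is whatever the sender wrote, so this is the spoofing weakness.
NAIVE_RULES = [
    Rule("accept", src=INTERNAL),
    Rule("accept", dst=WEB, proto="tcp", dport=443),
]

# Hardened rules: an internal source address arriving on the outside interface
# cannot be genuine, so it is dropped before any trust rule is consulted
# (ingress filtering in the sense of RFC 2827).
HARDENED_RULES = [
    Rule("drop", iface="outside", src=INTERNAL),
    Rule("accept", iface="inside", src=INTERNAL),
    Rule("accept", iface="outside", dst=WEB, proto="tcp", dport=443),
]


def demo():
    """Result of each rule set on three constructed packets: (naive, hardened)."""
    cases = {"spoofed": Packet("outside", "10.0.0.9", "10.0.0.20", "tcp", 22),
             "legit_inside": Packet("inside", "10.0.0.9", "10.0.0.20", "tcp", 22),
             "web_client": Packet("outside", "203.0.113.4", "10.0.0.5", "tcp", 443)}
    return {n: (filter_packet(NAIVE_RULES, p), filter_packet(HARDENED_RULES, p))
            for n, p in cases.items()}
```

Only the "spoofed" packet changes verdict between the two rule sets; the legitimate inside traffic and the outside web client are treated the same by both.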
For greater security, data can be encrypted.
Source: http://www.webopedia.com/TERM/f/firewall.html

Protecting Yourself on the Internet
• Firewalls (both hardware and software)
• Anti-Virus & Anti-Spyware
• Never open an attachment that you were not expecting. If in doubt, call the person.
• Always back up the critical data.
• Always use the current patches to your O/S and applications.
• Always use the most current updates to your anti-malware.

A more complex strategy – Honeypot
• A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony.
• Located either inside or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as to determine vulnerabilities in the real system.
• Honeynets
– A "honeynet" is a network containing honeypots. A "virtual honeynet" is one that resides in a single server, but pretends to be a full network. See firewall, darknet, honeyproxy and honeymonkey.
Source: http://www.answers.com/

The DMZ (DeMilitarized Zone)
• A middle ground between an organization's trusted internal network and an untrusted, external network such as the Internet. The DMZ is a subnetwork (subnet) that may sit between firewalls or off one leg of a firewall. Organizations typically place their Web, mail and authentication servers in the DMZ. DMZ is a military term that refers to the area between two enemies.
Source: http://www.answers.com/

DMZ with Honeypots
Source: http://www.securitydocs.com/library/2692

Reference:
• Scambray, J. et al., "Hacking Exposed Web Applications", 2nd ed. (2006), McGraw-Hill.
• Dhanjani, N., "Linux and Unix Security Portable Reference" (2003), McGraw-Hill.
• Shema, M., "Web Security Portable Reference" (2003), McGraw-Hill.

Protecting Your Identity
• Never enter personal information (Acquired Characteristics) into a web site that uses only http (as opposed to https).
• Never send Acquired Characteristics (except your name) through email.
• Unless you encrypt your email, expect that anyone can read it.
• Always pay close attention to the spelling of the URL (web address) when paying for anything online.
• Do not respond to unsolicited emails.
• Shred all snail mail that contains personal information (especially credit card offers!!)
• Expect that once you throw something away, you are legally giving it to the public.
• Use only one credit card for online purchases.
• Keep your browsers up to date. Install security patches when they are released.

Credit cards and the Internet
• Credit and debit cards are now used routinely to purchase airline tickets, gifts and flowers, and thousands of other items from e-tailers such as Amazon.com, eBay, etc. The Internet is a rapidly growing source of e-commerce involving billions of dollars.
• The consumer is probably at no more risk than in any other type of credit card transaction. However, this is by no means a riskless environment, and the user should take at least as much care as with any other transaction.

Common Sense Protection Advice
Precautions:
• Shopping on the Internet is no less safe than shopping in a store or by mail. Keep the following tips in mind to help ensure that your online shopping experience is a safe one.
• Use a secure browser (software that encrypts or scrambles the purchase information you send over the Internet) to help guard the security of your information as it is transmitted to a website.
• When submitting your purchase information, look for the "lock" icon on the browser's status bar, and the phrase "https" in the URL address for a website, to be sure your information is secure during transmission.
• Check the site's privacy policy before you provide any personal financial information to a website. In particular, determine how the information will be used or shared with others. Also check the site's statements about the security provided for your information. Some websites' disclosures are easier to find than others: look at the bottom of the home page, on order forms, or in the "About" or "FAQs" section of a site. If you're not comfortable with the policy, consider doing business elsewhere.
Source: http://tutorials.freeskills.com/read/id/646

Common Sense Protection Advice (more)
• Read and understand the refund and shipping policies of a website you visit before you make your purchase. Look closely at disclosures about the website's refund and shipping policies. Again, search through the website for these disclosures.
• Keep your personal information private. Don't disclose your personal information (your address, telephone number, bank account number or e-mail address) unless you know who's collecting the information, why they're collecting it and how they'll use it.
• Give payment information only to businesses you know and trust, and only when and where it is appropriate, such as on an order form. Never give your password to anyone online, even your Internet service provider.
• Keep records of your online transactions and check your e-mail for contacts by merchants with whom you're doing business. Merchants may send you important information about your purchases.
• Review your monthly credit card and bank statements for any errors or unauthorized purchases promptly and thoroughly. Notify your credit or debit card issuer immediately if your credit or debit card is lost or stolen, or if you suspect someone is using your accounts without your permission.
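The "https only" and "watch the spelling of the URL" advice above, turned into a check that a browser helper or a payment form could run before any card details are sent (an added example, not from the slides or from freeskills.com): it flags a non-https page, a host one typo away from a trusted merchant, a host that merely contains a trusted name inside some other domain, and a user-info part before "@" (the real host is what follows it). The trusted merchant list and every URL are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed list of merchants the user actually shops with (assumption for the example).
TRUSTED = ("amazon.com", "ebay.com")


def registered_domain(host):
    """Last two labels of a host name: 'www.amazon.com' -> 'amazon.com'.
    Enough for .com-style names; suffixes such as .co.uk need a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch a one-character misspelling of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_checkout_url(url, trusted=TRUSTED):
    """Return a list of warnings for a URL the user is about to send payment details to.
    An empty list means: https, and the registered domain is exactly a trusted merchant."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https: purchase data would travel in clear text")
    if "@" in parts.netloc:
        warnings.append("user-info before '@': the real host is the part after '@'")
    host = parts.hostname or ""
    domain = registered_domain(host)
    if domain in trusted:
        return warnings
    matched = False
    for name in trusted:
        if edit_distance(domain, name) == 1:
            warnings.append(f"'{domain}' is one typo away from '{name}': check the spelling")
            matched = True
        elif name in host:
            warnings.append(f"'{host}' contains '{name}' but actually belongs to '{domain}'")
            matched = True
    if not matched:
        warnings.append(f"'{domain}' is not one of your trusted merchants")
    return warnings
```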
What to do if your credit card is lost, stolen, or disclosed?
Recently, millions of credit card numbers and Social Security Numbers were disclosed when hackers broke in and stole them from the TJX company, and Dana-Farber sent out patient information to a wrong fax number. In other cases they were on laptops that were stolen or lost at airports, in poorly secured databases, etc.

Actions to take
• Call and report all lost or compromised credit and debit cards immediately. Your liability for loss is often dependent on quick reporting. Remember driver's licenses, passports, and other ID as well.
– Carry a list of your credit/debit cards, their numbers, and phone numbers in a separate place from the cards.
• Call the hot line at the credit reporting agencies.
– Each of the big three has a single hot line to alert creditors, to protect you from having someone else issue new cards or lines of credit in your name.
– It will require you to go through extra steps to get new credit cards etc., but it will save you thousands and much grief.

The 3 Credit Card Phone Numbers to call
• Keep these phone numbers handy if you suspect your credit or identity has been compromised.
• It will cause your credit lines to be flagged and may on occasion cause some transactions to be questioned, but it will also keep your finances secure.
Experian: 1 888-397-3742, 1 800-583-4080
EQUIFAX: 1 800-685-1111, 1 800-349-9960
TRANS UNION: 1 800-916-8800

References
• Standler, R.B., Computer Crime, http://www.rbs2.com/ccrime.htm (2002)

The Dark Side of the Internet in the novel, movies, television
The age of international terrorism and cyber crime is spawning a new genre of crime and spy novels featuring the white hat hacker and the black hat hacker villains.
Movies
• Hackers (1995), starring a very young Angelina Jolie
• Takedown (2000), a cult classic about the phone phreaker Kevin Mitnick
• The Score (2001), Ed Norton and Robert De Niro in a crime set in Canada
• Live Free or Die Hard (2007), a Bruce Willis flick about attacking the nation's infrastructure through its interlocking grids
Source: http://netforbeginners.about.com/od/hacking101/a/hackermovies.htm

Dark Side of the Internet Fiction References:
• Deaver, Jeffery. The Blue Nowhere. New York: Simon & Schuster, c2001.
• Deaver, Jeffery. The Broken Window [sound recording]. Simon and Schuster Audio, p2008.