INFORMATION
WARFARE
Part 3: Cases & Scenarios
Advanced Course in Engineering
2006 Cyber Security Boot Camp
Air Force Research Laboratory Information Directorate, Rome, NY
M. E. Kabay, PhD, CISSP-ISSMP
Assoc. Prof. Information Assurance
Program Direction, MSIA & BSIA
Division of Business & Management, Norwich University
Northfield, Vermont
mailto:mkabay@norwich.edu
V: 802.479.7937
3-1/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Topics
 08:00-08:15 Introductions & Overview
 08:15-09:00 Fundamental Concepts
 09:05-10:25 INFOWAR Theory
 10:35-11:55 Case Histories & Scenarios
3-2/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Examples of INFOSEC
Breaches and Failures
 Electronic infrastructure growing in
importance
 Must expand conception of warfare in the age
of ubiquitous computing
 Cases intended to stimulate your imagination
 Spans last decade of developments to
provide wide range of examples
 VERY FAST OVERVIEW (66 slides in <90
minutes)
3-3/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cases
 Breaches of confidentiality
 Industrial Espionage
 Unauthorized Access (Penetration)
 Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
 Deception
Fraud
Psyops
 Denial of Service (DoS)
3-4/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Data Losses on BU Tapes
 2005.02 Citibank loses mag tape in Japan w/
data on 120,000 customers
 2005.05 Iron Mountain loses tapes in 4th
incident in 4 months – 600,000 employee
records
 2005.02 Citibank loses box of tapes w/ data
on 4M US customers
 2006.05 Wells Fargo loses computer w/
unadmitted # of customer records including
SSNs
3-5/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Laptops Losses Compromise
Customer Data
 2006.01-03 Ernst & Young debacle
Jan: laptop lost or stolen w/ data for Sun,
Cisco, HP & BP (38,000) employees
Jan: a different laptop stolen from employee’s
car:
IBM employee data
Admitted loss in March
Feb: 4 laptops left in conference room
Stolen by 2 intruders
No details
All computers “password protected” so OK (!)
3-6/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cases
 Breaches of confidentiality
 Industrial Espionage
 Unauthorized Access (Penetration)
 Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
 Deception
Fraud, disinformation
Psyops
 Denial of Service (DoS)
3-7/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Industrial Espionage:
Echelon
EU Parliament attacks Echelon (2000.07)
 Formed temporary committee to investigate
spy network
 Suspicions that Echelon used to intercept
conversations of European businesses
 Information might be given to competitors
from Echelon operators
US, Canada, Australia, New Zealand
 In 2001.05, report recommend more use of
encryption to defeat Echelon
3-8/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Industrial Espionage in Israel
Israeli Trojan Horse Keylogger
 2005.05 Suspicions raised by keylogger software
on PCs
Author found his MS on ‘Net
Someone tried to steal money from his bank
Created by Michael Haephrati – ex-son-in-law
Many companies found infected by same
program – sent data to server in London
 2006.03 Perpetrators sent to jail
Michael Haephrati: 4 years
Ruth Brier-Haephrati: 2 years
3-9/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cases
 Breaches of confidentiality
 Industrial Espionage
 Unauthorized Access (Penetration)
 Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
 Deception
Fraud, disinformation
Psyops
 Denial of Service (DoS)
3-10/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Penetration: Mitnick
Sept 96 — AP
 Kevin Mitnick indicted in Los Angeles
 25 count indictment
 stealing software
 damaging computers at University of Southern
California
 using passwords without authorization
 using stolen cellular phone codes
 Readings about the Mitnick case
 Goodell, J. (1996). The Cyberthief and the Samurai: The True Story of Kevin Mitnick—and
the Man Who Hunted Him Down. Dell (New York). ISBN 0-440-22205-2. xix + 328.
 Hafner, K. & J. Markoff (1991). Cyberpunk: Outlaws and Hackers on the Computer Frontier.
Touchstone Books, Simon & Schuster (New York). ISBN 0-671-77879-X. 368. Index.
 Littman, J. (1996). The Fugitive Game: Online with Kevin Mitnick—The Inside Story of the
Great Cyberchase. Little, Brown and Company (Boston). ISBN 0-316-5258-7. x + 383.
 Shimomura, T. & J. Markoff (1996). Takedown: The Pursuit and Capture of Kevin Mitnick,
America's Most Wanted Computer Outlaw—by the Man Who Did It. Hyperion (New York).
ISBN 0-7868-6210-6. xii + 324. Index.
3-11/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Penetration: DISA Report
1997.03 — EDUPAGE
 InfoWar Division of Defense Information
Systems Agency of US
 Retested 15,000 Pentagon computers
had warned system managers of
vulnerabilities in previous audit
 90% of systems were still vulnerable
 Recommended emphasizing response
(immediate shutdown) instead of focusing
solely on preventing penetrations
3-12/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Penetration: Citibank Hack
1998.02 (events started 1994.07)
 Vladimir Levin of St Petersburg hacked
Citibank computers
 Conspirator Alexei Lachmanov transferred
U$2.8M to five Tel Aviv banks
 Admitted to attempting to withdraw
US$940,000 from those accounts
 Three other members of the gang pleaded
guilty
 Levin extradited 1997.09
3-13/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Citibank -- Conclusion
1998.02 -- Levin sentenced to 3 years, fined
 Vladimir Levin convicted by NYC court
 Transferred $12M in assets from Citibank
 Crime spotted after first $400K theft
 Citibank cooperated with FBI
 MORAL: report computer crime & help
prosecute the criminals
3-14/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Penetration: 2005
 2005.01: Nicolas Lee Jacobsen, 21, charged
with breaking into T-Mobile computers for
more than 1 year
Access to 16.3M customer files
Obtain voicemail PINs, passwords for Web
access to e-mail
Read e-mail of FBI agent investigating his
own case
 2005.01: Hackers break into George Mason
University computers
 2005.03: 150 applicants to business schools
break into their own records illegally on
ApplyYourself Web site
3-15/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cases
 Breaches of confidentiality
 Industrial Espionage
 Unauthorized Access (Penetration)
 Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
 Deception
Fraud, disinformation
Psyops
 Denial of Service (DoS)
3-16/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Data Diddling: Québec
Tax evasion by computer (1997.12)
 Québec, Canada restaurateurs
 U.S.-made computer program ("zapper")
 Skimmed off up to 30% of the receipts
 Evaded Revenue Canada and provincial tax
 $M/year
3-17/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Data Diddling: LA Gas
Los Angeles gasoline-pump fraud -- 1998.10
 DA charged 4 men with fraud
 Allegedly installed new computer chips in
gasoline pumps
cheated consumers
overstated amounts 7%-25%
 Complaints about buying more gasoline than
capacity of fuel tank
 Difficult to prove initially
programmed chips to spot 5 & 10 gallon
tests by inspectors
delivered exactly right amount for them
3-18/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Data Diddling: BOOM!
 Employee tried to sabotage nuclear plant in
UK (1999.06)
Security guard
Tried to alter sensitive information
 New measures put into place 18 months later
(2001.09)
3-19/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Data Diddling: GOOGLE
Hacking*
 GOOGLE used as political ploy (2004.01)
 Pranksters engineer Web sites to alter GOOGLE
links and statistics
 Linked George W. Bush to bad words
“unelectable”
“miserable failure”
 Supporters retaliated with similar ploys against
Kerry
___________
* Term now used to mean using search engines as
part of hacker tool kit
3-20/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cases
 Breaches of confidentiality
 Industrial Espionage
 Unauthorized Access (Penetration)
 Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
 Deception
Fraud, disinformation
Psyops
 Denial of Service (DoS)
3-21/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Sabotage? IE vs Navigator
Internet Explorer 4.0 vs Netscape Navigator
(1997.10)
 IE 4.0 included features from Plus! for
Windows 95
anti-aliasing function
smoothes large fonts on screen
 Reportedly did not smooth fonts in Netscape
Navigator
 Allegedly not found to fail in any other
program tested -- but updated Occam’s Razor
states:
Never attribute to malice
what stupidity can adequately explain.
3-22/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Sabotage? MS-MediaPlayer
vs RealAudio
Several reports of software conflicts — 1998.10
 Installation of MS-MediaPlayer causes
problems with other media players
 MS product takes over file associations
 Prevents usability of RealAudio
 De-installation switches file associations to
other MS products
 MS denied deliberate attack, accuses other
programs of quality problems
[Attila the Hun no doubt accused Europeans
of quality problems, too.]
3-23/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Web Vandalism Classics
 CIA (1996.09)
 USAF (1996.12)
 NASA (1997.03)
 AirTran (1997.09)
 UNICEF (1998.01)
 US Dept Commerce (1998.02)
 New York Times (1998.09)
 SETI site (1999)
 Fort Monmouth (1999)
 Senate of the USA (twice)(1999)
 DEFCON 1999 (!)
3-24/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
CIA (1996.09)
3-25/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
USAF (1996.12)
3-26/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
NASA (1997.03)
3-27/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
AirTran (1997.09)
3-28/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
UNICEF (1998.01)
3-29/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
US Dept Commerce
(1998.02)
3-30/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
New
York
Times
(1998.
09)
3-31/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
SETI (1999)
3-32/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Fort Monmouth (1999)
3-33/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Senate of
the USA
(1) (1999)
3-34/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Senate of
the USA
(2)
(1999.06)
3-35/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
DEFCON (1999.07)
3-36/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cases
 Breaches of confidentiality
 Industrial Espionage
 Unauthorized Access (Penetration)
 Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
 Deception
Fraud, disinformation
Psyops
 Denial of Service (DoS)
3-37/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Trojan: Moldovan Scam
1997.11 — news wires, EDUPAGE, RISKS
 Pornography seekers logged into
http://www.sexygirls.com (Nov 96-1997.02)
 Special viewer program to decode pictures
 Trojan program
secretly disconnected modem connection
turned modem sound off
dialed ISP in Moldavia — long distance
 Long-distance charges in $K/victim
 Court ordered refund of $M to consumers
3-38/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Trojan: Back Orifice
cDc (Cult of the Dead Cow) — 1998.07
 Back Orifice for analyzing and compromising
MS-Windows security
 Sir Dystic — hacker with L0PHT
 “Main legitimate purposes for BO:”
remote tech support aid
employee monitoring
remote administering [of a Windows
network].
 "Wink.”
3-39/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Back Orifice — cont’d
 Features
image and data capture from any Windows
system on a compromised network
HTTP server allowing unrestricted I/O to and
from workstation
packet sniffer
keystroke monitor
software for easy manipulations of the
victims' Internet connections
 Trojan allows infection of other applications
 Stealth techniques
 15,000 copies distributed to IRC users in
infected file “nfo.zip”
3-40/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Trojan: Linux Backdoor
Linux kernel attacked (2003.11)
 Hacker tried to enter backdoor code into
sys_wait4() function
 Would have granted root
 Noticed by experienced Linux programmers
3-41/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cases
 Breaches of confidentiality
 Industrial Espionage
 Unauthorized Access (Penetration)
 Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
 Deception
Fraud, disinfo
Psyops
 Denial of Service (DoS)
3-42/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Deception: Holiday Inns vs
Call Management
1997.01 -- AP
 Holiday Inns uses 1-800-HOLIDAY for
reservations (note the O)
 Call Management uses 1-800-H0LIDAY (note the
ZERO
 Holiday Inns sued and lost
 Other firms have used phone numbers adjacent
to important commercial numbers in order to
capture calls from misdealing customers
 Old porn site whitehouse.com (now a respectable
site) used confusion with whitehouse.gov
to trick kids into visit
3-43/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Disinfo: Belgian ATC Fraud
1997.01 — Reuters
 Belgian lunatic broadcasting false
information to pilots
 Air-Traffic Control caught the false
information in time to prevent tragedy
 Serious problem for air safety
 Police unable to locate pirate transmitter
 Lunatic thought to be former ATC employee
3-44/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Psyops: Motley Fool
1996.03 -- Iomega high-capacity removable disk
drives slammed by false information
 America Online's Motley Fool bulletin board
False information
Flaming and physical threats
 Caused volatility of stock prices
 People who know which way the stock will
rise or fall can make money on the trades
3-45/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Psyops: Pairgain
 1999.04: Gary Dale Hoke arrested by FBI
Employee of Pairgain
 Created bogus Web page
Simulated Bloomberg information service
Touted PairGain stock
undervalued – impending takeover
 Pointed to fake page using Yahoo message
boards
Investors bid up price of Pairgain stock from
$8.50 to $11.12 (130%)
13.7 M shares traded – 700% normal
volume
3-46/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Pairgain – cont’d
 Windfall gains & losses by investors
 Hoke did not in fact trade any of the stock
himself
Pleaded guilty to charges of stock
manipulation
Sentenced to home detention, probation,
restitution
3-47/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Psyops: Emulex
2000.98: Emulex lost 60% of total share value
 Mark Jakob, 23 years old
 Fabricated news release
 Sent from community college computer
 Circulated by Dow Jones, Bloomberg
 Claimed profit warning, SEC investigators,
loss of CEO
 Jackob profited by $240,000 in minutes
3-48/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Psyops: 4-1-9 Brides
Prospective Brides Needed Money (2004.11)
 Russian Yury Lazarev hired women to write
flowery letters to possible partners
 Included sexy photographs
 3,000 men responded from around world
 Attempts to meet met with requests for
money
Visas
Airline tickets
 Net profits: $300,000
 One year suspended sentence in Moscow
3-49/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cases
 Breaches of confidentiality
 Industrial Espionage
 Unauthorized Access (Penetration)
 Unauthorized Modification
Data Diddling
Sabotage, vandalism
Trojan Horses
 Deception
Fraud, disinformation
Psyops
 Denial of Service (DoS)
3-50/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
History of DoS
 1987-12: Christmas-Tree Worm
IBM internal networks
Grew explosively
Self-mailing graphic
Escaped into BITNET
 1988-11: Morris Worm
Probably launched by mistake
Demonstration program
Replicated through Internet
~9,000 systems crashed or were
deliberately taken off-line
3-51/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
DoS: Mail-Bombing Via Lists
1996.08/12
 1996.08 — “Johnny [x]chaotic”
 subscribed dozens of people to hundreds of lists
 victims received up to 20,000 e-mail msg/day
 published rambling, incoherent manifesto
 became known as “UNAMAILER”
 1996.12 — UNAMAILER struck again
 Root problem
 some list managers automatically subscribe people
 should verifying authenticity of request
 send request for confirmation
3-52/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
DoS: Root Servers
DoS cripples 9 of 13 root servers (2002.10)
 Most sophisticated and large-scale assault on
root servers to date
Started 16:45 EDT Monday 21 Oct 2002
30-40x normal traffic from South Korea and US
origins
7 servers failed completely; 2 intermittently
Remaining 4 servers continued to service ‘Net
requests – no significant degradation of
service
 Verisign upgraded protection on its servers
as a result
3-53/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
DoS: Al-Jazeera
Al-Jazeera swamped (2003.03)
 Arab satellite TV network Web site
unavailable
 Swamped by bogus traffic aimed at US
servers for its site
3-54/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
DoS: GOOGLE & .com
Disappear Briefly
GOOGLE disappears from Web (2005.05)
 Gone for 15 minutes 7 May 2005
 Glitch in DNS
 Drew attention to concerns over DNS stability
 National Research Council issued report
criticizing state of DNS infrastructure
http://www7.nationalacademies.org/cstb/pub_dns.html
Historical note:
2000.08.23: 4 of 13 root DNS servers failed
 All access (http, ftp, smtp) to entire .com
domain blocked for 1 hour worldwide
3-55/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Future INFOWAR Scenarios
 Technology for Spies
 Cryptography vs Parallel Computing
 Archives
 Permanence of Human Knowledge
 RFID
 Down the Road a Bit (or Byte)
 Flash Crowds
 Smart Appliances?
 Direct Neural Interfaces
3-56/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Technology for Spies
 Cell phones becoming PDAs
Victimized by viruses
Ideal for spreading malware
Include cameras and microphones
Can be remotely controlled
 Flash drives make it easy to steal data
Watch out for sushi on the back of your
computer
3-57/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Cryptography vs
Parallel Computing
 Some computers being described in Kproc
(kilo-processors)
 Brute-force cracking catching up with popular
keylengths
 Have seen PGP users change their keys from
512 bits to 1024 to 2048 in a few years
 How are companies managing their keys?
3-58/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Archives
 Technology changing very fast
1980 8” 128 KB disk unreadable
1990 5¼” 768 KB disk unreadable
2000 100 MB ZIP disk obsolete
2002 2 GB Jaz disk obsolete
20?? 700MB CD-ROM obsolete
2??? 4.4 GB DVD obsolete
 Changes in OS and application software make
old versions unreadable too
 What will happen to our archival data?
3-59/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Permanence of Human
Knowledge
 How do we stabilize URLs?
 How safe are TinyURLs?
 Who safeguards availability of important
electronic documents?
STILL WORKS AFTER 2 YEARS
… and now there are more:
3-60/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
RFID
 Radio-Frequency Identifiers
Not only for products
Can be implanted under skin
Being used to track and identify critters
What about people?
Privacy issues?
http://www.bibleetnombres.online.fr/image8/rfid.jpg
3-61/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Down the Road a Bit
(or Byte)
 Computer-controlled cars
Follow guides in roads
Any bets security will be minimal?
Hijack a car moving at 70 mph??
 Segways
Extensive computer controls for gyroscopic
stabilization
How long until they are hacked?
3-62/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Flash Crowds
 People respond to anonymous instructions
Be at specific place at specific time for no
particular reason
News spreads through e-mail, IM
 Crowds of thousands gather on command
and jam available space for fun
 Now think about how such obedience can be
used by criminals – or terrorists. . . .
3-63/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Smart
Appliances?
Copyright © 1999 Rich Tenant.
All rights reserved.
3-64/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
Direct Neural Interfaces
 Direct neural interfaces
Working on reading brain activity patterns
Control computers
Control machinery?
What about hackers?
 Being proposed to
control prostheses
RFI interference?
Hacking?
DoS?
http://whatisthematrix.warnerbros.com/img/1-3d.jpg
3-65/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25
DISCUSSION
3-66/66
Copyright © 2006 M. E. Kabay. All rights reserved.
09:05-10:25