The Rapid Evolution of the Internet – and Related Dangers KOCSEA 13th Annual Technical Symposium Dec. 15, 2012 – Atlanta, GA. – updated for Georgia Tech course ECE6612. John A. Copeland Electrical and Computer Engineering Georgia Institute of Technology Updated 1/9/2016 1960's -Computers come into widespread use in government and companies. Attacks The "Logic Bomb" - program installed by computer technician that would wipe out memory after a time period (if not reset). This may be retaliation for a firing. In one case the culprit called the company and said he heard about their disaster, and said that fortunately he had backup tapes at home that he would sell (he went to prison). Defenses Better off-site data backup systems. 2 1970's -Computers became accessible from remote terminals. Attacks (Insiders only, or Burglars) Guess other user's passwords, or write "Trojan Horse" programs for others to use which would write passwords and other information into the hacker's file. Defense Better passwords (educate users - still an ongoing battle today). Trojan Horse programs are still a problem today. Only install programs from trusted sources. Government "Trusted” computers" check permissions on every read and write. 3 1980's -Computers became accessible from telephone voice lines by using a modem. "Bulletin Board" servers downloaded files, mostly text files for printout. Attacks Demon Dialers - rapidly dialed telephone numbers in sequence to find lines with a modem. Then password guessing, if a password was even needed. 1983 Movie, Teen hacks into US Air Defense Command computer WOPR, and almost starts World War 3 . Defenses Better passwords and challenge-response authentication. [RSA, Inc. dongles provide one-time passwords, but their basic code was temporarily stolen by hackers in 2010]. 4 Thanks to the movies, computer hacking (breaking in) becomes a sport for highschool age males. They can find "exploit" programs on the Internet from "hacker" Bulletin Boards, and instructions on how to use them. Many of these young men claim they are doing good by exposing weak security in corporate and government computers. They did damage, even without meaning too, by deleting files and crashing mainframes. 1982, Computer innards portrayed as a virtual world where protagonists compete. Who writes the exploit programs? Could it be professional hackers who want the network noise to cover their own tracks? 5 In the mid 1980’s, private data networks joined with the NSFNET (nee ARPAnet) to form the Internet, joining government organizations, universities, and corporations. Internet Service Providers began connecting individuals to file download sites such as America on Line (AOL). 6 1990's - The World Wide Web is born. Web servers, which work with Web Browsers using the HTTP protocol and HTML formatted pages, download all manner of files: email, images, articles, music. Attacks Email messages encouraged people to download executable files, that would install root kits and back doors. "Viruses" (computer programs that replicate and spread) have different payloads. Defenses: “Do not ‘click’ on attachments.” Anti-virus software. Software and operating system updates were continually coming more often, and becoming larger. 7 The Dawn of the Worm. In Nov. 1988, the Morris "Worm" (a Virus that spreads through network connections) spread through email servers. Not intended to be malicious, it infected servers multiple times, crashing the Internet email service. In 2001, the "Anna Kournikova" spreads as an email attachment ("click here"). "Code Red" attacks 360,000 PC's over the Internet. The infected number doubled every 37 minutes. The Sapphire worm later spread 100 times faster, infecting almost every computer that was susceptible worldwide within 10 minutes. Code Red spread rate In 2004, the "Witty" worm targeted certain network security products: ISS "Black Ice" and "Real Secure." Every available system worldwide was infected within 45 minutes. 8 A “worm” is a malicious program that spreads through network connections. Computer “viruses” were spread by content in floppy-disk files. Later they were spread mainly by email. The line between a virus and a worm blurred. Spread of Sapphire virus, after 38 minutes. 9 Late 2000's - The Worm Evolves into the "Bot" (for Robot). A Botnet is a sparse network of compromised computers. They communicate with only a few other members to hide the "Command and Control" points. These could be Web servers whose URL belongs to the Bot Master. The Bot Master can provide services such as Spam mailing, phishing email, Denial of Service flooding attacks (for extortion or damage to competitors). Botnets are sometimes controlled by criminal organizations (e.g., Russian Mafia). In Nov. 2008, the "Conficker" bot infected over 10 million computers. It could send over 10 billion spam and phishing emails a day. 10 2010's - Wireless Networks are Everywhere Cell phones will become the primary access to the Internet (shopping and banking), and a way to access shortrange networks like point-of-sale payment systems and auto access. Wireless Networks have a checkered history. Early AMPS cell phones were cloned. WiFi cryptographic methods WEP and WPA were broken very quickly. Attacks - All previous, and spoofing. Defense - Using network characteristics to "fingerprint" wireless nodes to detect intruders. Use “challenge authentication.” Ref. 3 11 The “Advanced Persistent Treat” APT In a Nov. 28, 2007, a confidential report from Homeland Security's U.S. CERT obtained by BusinessWeek: "Cyber Incidents Suspected of Impacting Private Sector Networks," the federal cyber watchdog warned U.S. corporate information technology staff to update security software to block Internet traffic from a dozen Web addresses after spear-phishing attacks. "The level of sophistication and scope of these cyber security incidents indicates they are coordinated and targeted at private-sector systems," says the report. March 21, 2008 12 Spear Phishing – the Most Common Attack "Phishing," one technique used in many attacks, allows cyber spies to steal information by posing as a trustworthy entity in an online communication. The term was coined in the mid1990s when hackers began "fishing" for information (and tweaked the spelling). The e-mail attacks on government agencies and defense contractors are called "spear-phishing" because they target specific individuals. They are the Web version of laser-guided missiles. Spearphish creators gather information about people's jobs and social networks, often from publicly available information and data stolen from other infected computers, and then trick them into opening an e-mail [which the installs a “root kit” or “bot”]. Kimi Werner, 2008 Women’s National Spearfishing Champion BusinessWeek, March 21,2008 13 Denial of Service Flood Attack – Overwhelms victim’s connection to Internet. Used for extortion, and political statements. Strongest Attack Seen Year Strength (Gbps) 2003 1 2005 10 2007 24 2009 46 2011 60 2013 309 2014 329 14 Stuxnet - The first computer worm aimed at destroying specific physical facilities (Iran's uranium-purifying centrifuges). The attack by the U.S. and Israel started in 2007 and may have slowed the Iranian program by as much as two years [2]. Stuxnet spread around the world by accident in 2010, and was detected. It did no harm except to a specific combination of Siemens controllers and P-1 centrifuges found only in Iranian uranium processors. It contained five previously unknown (Day-0) vulnerabilities in Windows worth $250,000 each on the hacker market. Defense against new bots with Day-0 exploits: none. Air-gap did not work. People used thumb drives. 15 Cyber Warfare – Attacking Physical Infrastructure 2008 – Oil Pipeline in Turkey exploded by cyber attack. 2012 – Attack on Saudi oil company Aramco that wiped out 30,000 of the oil company’s computers (Iran ?) “China and "one or two" other countries are capable of mounting cyber attacks that would shut down the electric grid and other critical systems in parts of the U.S.” -Adm. Michael Rogers, head of NSA and U.S. Cyber Command. 11/20/14 16 Cyber War The commercial Internet in Estonia was disrupted for several days by Russian hackers unhappy because a WW2 monument was moved. Thousands of computers in South Korea were destroyed in what was thought to be a test by North Korea. The U.S. government has developed thresholds for a Cyber Attack that would warrant a counter Cyber-War attack, or a conventional military response. BW, July 25, 2011 Defense: None, not even MAD*. * Mutually Assured Destruction 17 Current Defensive Strategies – 1 Identifying Known Enemies “Honey Pots” are computers that have unpatched operating systems or applications and appear ripe for compromising. They are used to capture the attacker’s “exploit” software. Exploit software is analyzed to discover what vulnerabilities being used, particularly “day zero” vulnerabilities. Also to try to attribute responsibility for the malicious activity. Signatures are developed when possible, to allow future detection. Clearing houses for collecting and codifying elements of attack code have been set up, to update email-server filters and analysis of Web-server downloads. 18 Current Defensive Strategies - 2 Identifying Abnormal Behavior When a computer is compromised, a root kit can hide indications of the problem from users – but network activity is necessary (other than for a “logic bomb”). A network Intrusion Detection System can look for: Signatures - known patterns of behavior or bit patterns, or Abnormal Network Behavior (e.g., StealthWatch), or New devices on the network, detected by timing or protocol variations*. 19 Current Defensive Strategies - 3 Monitoring infrastructure Control Systems Everything’s OK Faster, Faster, Controller Computer Supervisor’s Computer ALARM ! Passive Monitor 20 What Does the Future Hold? There is no doubt that the Internet has become critical to our economy, and our way of life. >75% of the world’s population is connected. It carries >90% of e-information. There was an effort in 2012 to get congress to pass a law requiring privately-owned critical infrastructure companies to meet network security standards. The power industry successfully lobbied to keep self-regulation. Will losses reach the point that all users and all servers will be required to have “Certificates,” like those used by the large e-commerce servers today? This would require a trustworthy “Certificate Authority,” perhaps better than those built into browser software today, and governed by global regulations. 21 References [1] Joseph Menn, “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” Public Affairs, 2010. [2] David E. Sanger, “Confront and Conceal,” Crown, New York, 2012. [3] "Cyberwar: Countdown to Day Zero: Stuxnet and the Launch of the World's First Digital Weapon," Kim Zetter, (Nov. 2014). Author Contact Information John A. Copeland, Weitnauer Prof, GRA Eminent Scholar Georgia Tech, Elec. & Computer Eng. – 0765 Atlanta, GA 30332-0765 office 404 894-5177, cell 404 786-5804 Home Page: http://www.csc.gatech.edu/copeland/ PGP Public Key: http://www.csc.gatech.edu/copeland/jac/PGP_Key.html Dir., Communications Systems Center, Home page: http://www.csc.gatech.edu/ 22