INFOWAR Class Notes
INFOWAR: Overview Part 1: Introduction to Information Introduction to Warfare Part 2: Weapons Cyberwarfare Part 3: Military M. E. Kabay, PhD, CISSP-ISSMP Perspectives Part 4: Cyberdefense Professor of Computer Information Systems Policy Issues School of Business & Management Part 5: Emerging College of Professional Schools Vulnerabilities & Norwich University Threats
1 Copyright © 2016 M. E. Kabay. All rights reserved. 2 Copyright © 2016 M. E. Kabay. All rights reserved.
Part 1: Introduction to Introduction Information Warfare Definition* Offensive and defensive use Introduction of information & information Vulnerabilities systems Goals and Objectives To deny, exploit, corrupt or Sources of Threats and Attacks destroy Weapons of Cyberwar An adversary’s information, NOTE: information-based processes, References to “CSH6” are to this textbook: information systems, and Bosworth, S., M. E. Kabay, & E. Whyne (2014), eds. Computer Security computer-based networks Handbook, 6th Edition. Wiley (ISBN 978-0471716525). 2 volumes, 2240 pp. AMAZON < http://www.amazon.com/Computer-Security-Handbook-Seymour- While protecting one’s own. Used with permission of Bosworth/dp/1118127064/ > or Designed to achieve Robert Duffy, Avalon5.com < http://tinyurl.com/ldg9c8r > advantages over military or business See in particular Chapter 14: “Information Warfare” by S. Bosworth. ______adversaries. *Dr Ivan Goldberg, Institute for Advanced Study of Information Warfare
3 Copyright © 2016 M. E. Kabay. All rights reserved. 4 Copyright © 2016 M. E. Kabay. All rights reserved.
Vulnerabilities Critical Infrastructure Presidential Decision Directive 63 (PDD-63) President Clinton (1998) Critical Infrastructure http://www.fas.org/irp/offdocs/pdd-63.htm COTS Software Defined US critical infrastructure includes Dissenting Views Telecommunications Rebuttal Energy Banking and finance Transportation Water systems Emergency services These systems are vulnerable to asymmetric warfare – effective attack by much weaker adversaries (e.g., Mafia Boy vs AMAZON & eBAY in 2000)
5 Copyright © 2016 M. E. Kabay. All rights reserved. 6 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 1 All rights reserved. INFOWAR Class Notes
COTS Software Dissenting Views
Military and civilian sectors both depend on COTS Some critics dismiss discussion of cyberwar as FUD (commercial off-the-shelf ) software Fear, Uncertainty and Doubt Microsoft OS has become Designed to increase sales of hardware, software monoculture and consulting services Continues to be vulnerable to Personal attacks on early promulgators of information subversion warfare doctrine Allows study and exploitation by Controversial figure: Winn Schwartau adversaries Author of novel Terminal Compromise Some hardware being manufactured Nonfiction Information Warfare and in potentially hostile nations Cybershock texts Much manufacturing in PRC Lampooned as wild-eyed Some claims of hardware Trojans (e.g., self-publicist keyboard equipped with keylogger) Actually a committed security expert
7 Copyright © 2016 M. E. Kabay. All rights reserved. 8 Copyright © 2016 M. E. Kabay. All rights reserved.
Rebuttal to FUD claims Goals and Objectives of IW Growing evidence of asymmetric use of information systems in conflicts Military Industrial espionage from PRC Government growing Transportation Conflicts around world demonstrate role Commerce of Internet as tool and target Financial Disruptions India/Pakistan Medical Security Bosnia Koreas Law Enforcement Iranian unrest in June 2009 International & Corporate Espionage Arab Spring ISIS/ISIL/DAESH Communications Potential remains high – e.g., PSYOP using flash crowds to Economic Infrastructure obstruct emergency personnel or create targets for terrorists
9 Copyright © 2016 M. E. Kabay. All rights reserved. 10 Copyright © 2016 M. E. Kabay. All rights reserved.
Sources of IW Threats and Military Perspective Attacks US Joint Doctrine for Operations Security (OPSEC) Identifying critical information Nation-States Analyzing friendly actions in military ops Cyberterrorists Identify which ops can be observed by adversaries Corporations Determine what adversaries Activists could learn Criminals Select and apply measures to control vulnerabilities to Hobbyists minimize adversarial exploitation Some discussion of potential offensive cyberoperations US Air Force established AF Cyber Operations Command to be stood up June 2009 Image © 2009 Beatrix Kiddoe. Used under terms of service of Photobucket. US Army established 2009 Army Posture Statement on http://media.photobucket.com/image/threats/BeatrixKiddoe/motivator639310.jpg?o=19 Cyber Operations 11 Copyright © 2016 M. E. Kabay. All rights reserved. 12 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 2 All rights reserved. INFOWAR Class Notes
Nation-States: Stuxnet Nation-States: China (2010) People’s Republic of China major actor Written to subvert SCADA for People’s Liberation Army doctrine explicitly Siemens centrifuge programmable includes information warfare logic controllers (PLCs) Widespread evidence of Damaged Uranium-enrichment massive probes and attacks centrifuges in Iran originating from China Spun too fast – crashed physically through state sponsorship 60% of Stuxnet infections were in Iran Formal training for cadres Speculations that US & Israel Other countries involved in information warfare wrote Stuxnet Worm ECHELON (SIGINT) organized by UK-USA No direct proof Security Agreement (Australia, Canada, New Zealand, the United Kingdom, and the United Circumstantial evidence includes codes and States) dates that might be related to Israel Documents supporting view that US involved were released by Edward Snowden in July 2013
13 Copyright © 2016 M. E. Kabay. All rights reserved. 14 Copyright © 2016 M. E. Kabay. All rights reserved.
Cyberterrorists Corporations (1) Remains a theoretical possibility Potential for sabotage against rivals Individual criminal-hacker / Documented cases of interference using hobbyist attacks raise concerns computers and networks Documented interference 1999 – BUY.COM underpriced its $588 (mostly pranks) with Hitachi monitors at $164 – perhaps Ground traffic through effects of competing knowbots Emergency 911 systems 2000 – Sun accused Microsoft of corrupting Java to interfere with platform independence Air-traffic control 2000 – Steptoe & Johnson employee accused of Hospital systems…. denial-of-service attack on Moore Publishing Pranksters have been spreading 2000 – AOL accused of interfering with other false news via Twitter (deaths of ISPs by tampering with Internet settings celebrities….) Growing use of insecure wireless systems raises additional concerns for PSYOP
15 Copyright © 2016 M. E. Kabay. All rights reserved. 16 Copyright © 2016 M. E. Kabay. All rights reserved.
Corporations (2) Corporations (3)
2005 – FCC investigated phone FBI deems economic espionage serious problem: < company ISP interference with Vonage VoIP https://www.fbi.gov/about- us/investigate/counterintelligence/economic-espionage > 2006 – Businessman selling t-shirts hired hacker to damage competitors using DDoS Infected 2000 PCs with slave programs in botnet Disabled Websites and online sales Jason Arabo (19 years old) sentenced to 30 months prison & $500K restitution Younger hacker (16 years old) sentenced to 5 years prison & $35K restitution
17 Copyright © 2016 M. E. Kabay. All rights reserved. 18 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 3 All rights reserved. INFOWAR Class Notes
Hacktivists (1) Hacktivists (2)
Hacktivists use criminal hacking in support of 1998: Free East Timor (Indonesian Web sites) politics or ideology 1998: Legions of the Underground declared 1989: WANK (Worms cyberwar on Iraq and China Against Nuclear Killers) 1999: Jam Echelon Day: traffic with many keywords thought to spark capture by spy Infected DOE, network HEPNET & NASA networks 2000: World Trade Organization “You talk of times of peace for all, and then Hackers probed Web sites prepare for war.” 700 times 1998: Electronic Disturbance Theater Tried to penetrate barriers 54 times Indigenous peoples’ rights in Chiapas, Mexico Electrohippies launched DoS attack
19 Copyright © 2016 M. E. Kabay. All rights reserved. 20 Copyright © 2016 M. E. Kabay. All rights reserved.
Hacktivists (3) Hacktivists (4) 2004: Electronic Disturbance Theater launched DoS on Anonymous (Anon) conservative Web sites during 2003 – 4chan board Republican National Convention No leaders 2008: Project Chanology Focus on defending launched against Church of Wikileaks in 2010-2011 Scientology Attacked Church of 2008: Chinese hackers attacked Scientology CNN Web sites to protest Western media bias QUESTION: doing good or not? 2009: much Web-defacement activity during attack by Israel See extensive list at on Gaza < https://en.wikipedia.org/wiki/Ti meline_of_events_associated_ Guy Fawkes Mask with_Anonymous > 21 Copyright © 2016 M. E. Kabay. All rights reserved. 22 Copyright © 2016 M. E. Kabay. All rights reserved.
Hacktivists (5): Criminals (1) Recent Campaigns by Anonymous 2014 Stock manipulation: pump ‘n’ dump schemes Ferguson re shooting of Mike Brown NEI Webworld pump-and-dump (Nov 1999) Operation Hong Kong vs government repression 2 UCLA grad students & associate bought Attacks on Philippine govt for poor response to almost all shares of bankrupt NEI Super Typhoon Yolanda Webworld company 2015 Using many different pseudonyms, posted >500 messages praising company Charlie Hebdo – condolences, target Jihadists Also pretended to be company interested Islamic State – thousands of ISIS Websites, Twitter in acquisition accounts inactivated Within 1 day stock value increased from Death Eaters – pedophiles attacked $0.13 to $15 per share Stop Reclamation – 132 PRC govt Websites attacked Made ~$364K profit StormFront – neo-Nazi group attacked OPKKK – revealing names of KKK members 23 Copyright © 2016 M. E. Kabay. All rights reserved. 24 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 4 All rights reserved. INFOWAR Class Notes
Criminals (2) Criminals (3) – Identity Theft Los Angeles gasoline-pump fraud (1998) New computer chips in gasoline pumps Cheated consumers Overstated amounts 7%-25% Complaints about buying more gasoline than capacity of fuel tank Difficult to prove initially Programmed chips to spot 5 & 10 gallon tests by inspectors Delivered exactly right amount for them! Organized crime (esp. Russian, Eastern European) involved in identity theft Methods and targets could be used in organized state- sponsored information warfare, especially if SCADA (supervisory control and data acquisition) systems Figures from Finklea, K. (2014). “Identity Theft: Trends and Issues.” targeted Congressional Research Service. Report #7-5700. 27 pp. P. 11. < https://www.fas.org/sgp/crs/misc/R40599.pdf >
25 Copyright © 2016 M. E. Kabay. All rights reserved. 26 Copyright © 2016 M. E. Kabay. All rights reserved.
Criminals (4) – ID Theft cont’d Criminals (5) – ID Theft cont’d
27 Copyright © 2016 M. E. Kabay. All rights reserved. 28 Copyright © 2016 M. E. Kabay. All rights reserved.
Criminals (7) – Ransomware Criminals (6) – Ransomware cont’d
1989 – AIDS Information Diskette Scrambled names of folders & files Demanded payment to unlock Today: ransomware
Encrypts data 2015.pdf
Demands payments using Bitcoin - q1
Extortion of $10K-$100K -
threat
-
McAfee Labs Threats Report (May2015).
quarterly
-
From From http://www.mcafee.com/us/resources/reports/r p
29 Copyright © 2016 M. E. Kabay. All rights reserved. 30 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 5 All rights reserved. INFOWAR Class Notes
Part 2: Weapons of Cyberwar Denial of Service Malicious Code Part 2: Cryptography PSYOP Physical Attacks Weapons Biological & Chemical WMD Weapons Inadvertently Provided
31 Copyright © 2016 M. E. Kabay. All rights reserved. 32 Copyright © 2016 M. E. Kabay. All rights reserved.
Examples of INFOWAR DoS Overview (1) Techniques Denial-of-service attacks (DoS) & DDoS This next section is designed (Distributed DoS) attacks Render target systems / networks unusable or to impress newcomers to the inaccessible Saturate resources or cause catastrophic INFOWAR field with the errors Difficult to prevent without widespread existing variety and cooperation among ISPs DoS & DDoS attacks powerful tool for complexity of cyberthreats. asymmetric warfare Attacker resources can be modest Consequences can be severe
33 Copyright © 2016 M. E. Kabay. All rights reserved. 34 Copyright © 2016 M. E. Kabay. All rights reserved.
DoS Overview (2) History of DoS (1) Can also occur by mistakes causing positive feedback loops e.g., Early systems subject to resource exhaustion Autoforwarding between 2 e-mail HP3000 console (early 1980s) received all accounts system messages When target fills up, sends bounce Logons, logoffs, requests for paper & tape to original address which forwards bounce to full account which generates Pressing any key on console without pressing new bounce which… until mailbox fills up key blocked incoming system messages Out-of-office replies to lists System buffers filled up with messages Message sent to everyone on list No further actions requiring notifications Including absent person… No one could finish logging on or off …whose e-mail sends out-of-office reply to entire Anyone asking for tape/paper froze list including same absent person…. All systems that use obligatory user lockout at risk Competing Web-bots of DoS E.g., automatically reducing price below each Attacker need only log on to all userIDs with other’s sale price…. bogus password – locks everyone out
35 Copyright © 2016 M. E. Kabay. All rights reserved. 36 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 6 All rights reserved. INFOWAR Class Notes
History of DoS (2) History of DoS (3)
1987-12: Christmas-Tree Worm IBM internal networks Grew explosively Panix Attacks of September 1996 Self-mailing graphic Unknown criminal hacker attacked the PANIX Escaped into BITNET Internet Service Provider Crashed systems "SYN-flooding attack" 1988-11: Morris Worm Stream of fraudulent TCP/IP requests for Probably launched by mistake connections Demonstration program Non-existent Internet addresses Replicated through Internet Overwhelmed server ~9,000 systems crashed or were deliberately Denied service to legitimate users taken off-line TCP/IP specialists immediately developed patches Was about ½ to ¾ of Internet as it was then to prevent recurrence 37 Copyright © 2016 M. E. Kabay. All rights reserved. 38 Copyright © 2016 M. E. Kabay. All rights reserved.
History of DoS (4) History of DoS (5) Forbes (Feb 1997) Melissa Virus (Mar 1999) Disgruntled employee George Parente CERT-CC reported fast-spreading new MS-Word macro virus deleted budgets, salary data Melissa written by “Kwyjibo/VicodenES/ALT-F11” Crashed 5 of 8 network servers to infect Word documents Systems down 2 days – costs >$100K Uses victim's MAPI-standard e-mail address book Arrested by FBI – pled guilty Sent copies of itself to 50 most e-mailed people Windows NT servers attacked (Mar 1998) E-mail message w/ subject line Repeated crashes "Important Message From
Damages from DoS and Costs of DoS DDoS: Tort Direct costs often difficult to compute Indirect costs involve Potential tort liability from allowing system to be used for harmful activities Loss of immediate business Possible that victims of DoS and DDoS will Consumers switch to another Website if a sue intermediate hosts for contributory vendor’s system is too slow negligence Loss of customer confidence Existing law in USA establishes requirements Many customers stay with latest supplier for best practices in preventing harm Potential legal liability under SLAs (Service Industry standards are common basis Level Agreements) Competitive pressures may move Costs of recovery corporations to prevent misuse of their systems by DoS and DDoS tools National security issues $$$
41 Copyright © 2016 M. E. Kabay. All rights reserved. 42 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 7 All rights reserved. INFOWAR Class Notes
Specific DoS Attacks E-mail-Bombing (1) Destructive Devices (Malicious software) In early days of e-mail (1980s), anyone could flood mailboxes Logic bombs See CSH6 Chapter 16, ISPs imposed strict limits on number of outbound e-mails Viruses, worms, Trojans Malicious Code EULAs / Terms of Service explicitly forbid flooding Exploits of known vulnerabilities But could still use e-mail lists to flood E-mail Bombing & E-mail Subscription-list victims Bombing 1996-08 — “Johnny [x]chaotic” Buffer Overflows Subscribed dozens of people to hundreds Bandwidth Consumption of lists Routing & DNS Attacks Victims received up to 20,000 e-mail msg/day SYN Flooding Published rambling, incoherent manifesto Resource Starvation Became known as “UNAMAILER” Java Struck again in December Router Attacks Caused serious re-evaluation of e-mail list management Other Resources
43 Copyright © 2016 M. E. Kabay. All rights reserved. 44 Copyright © 2016 M. E. Kabay. All rights reserved.
E-mail Bombing (2) Overview of DDoS (1) Root problem Some list managers automatically subscribed people without verification But now almost all lists verify authenticity of request Send request for confirmation to supposed recipient But can still flood victim using automated subscription requests Thus many list managers now use CAPTCHAs*
*Completely Automated Public Turing test to tell Computers and Humans Apart http://tinyurl.com/hl3m7kj 45 Copyright © 2016 M. E. Kabay. All rights reserved. 46 Copyright © 2016 M. E. Kabay. All rights reserved.
Overview of DDoS (2) History of DDoS (1) Attacker subverts poorly secured system Controls tools to send large volumes of coordinated Jun & Jul 1999: Trin00 traffic against target (aka Trinoo) Massive multiplier effect Thought to be 1st DDoS tool Packets arrive from many different sources Tested on 2,000 systems Makes packet filtering by source impossible worldwide Sources can be Aug 1999: large-scale deployment of Trin00 manipulated for >227 systems used as sources PSYOP in Attacked 1 University of Minnesota computer – information down 2 days warfare – misleading Dec 1999: CERT/CC® issued CA-1999-17 impressions discussing DDoS for 1st time Feb 2000: Mafiaboy attacks multiple e-commerce sites (see next slide)
47 Copyright © 2016 M. E. Kabay. All rights reserved. 48 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 8 All rights reserved. INFOWAR Class Notes
History of DDoS (3) History of DDoS (2) May 2001: Attacks on February 7, 2000 attack from “Mafiaboy” Steve Gibson’s GRC.com Michael Calce, 15 year-old boy from Montréal area, Canada Well-known security Used a dial-up modem to control DDoS expert, writer, programmer Effects 13-year-old attacker used Yahoo.com inaccessible 3 hours IRC bot Est. $500,000 loss in revenue Oct 2002: DNS servers Stock value fell 15% attacked Feb 8: Amazon.com 10 hours – $600,000 loss All 13 top-level Domain Name System root servers Buy.com – 9.4% availability stock lost 44% of value swamped by DDoS for 2 hours CNN – user count fell to 5% of normal 9 servers went down – only 4 continued working eBay stock value fell 24% A few more hours might have knocked all the root Feb 9: servers off the ‘Net – could have stopped entire E*Trade & ZDNet – completely unreachable Worldwide Web Charles Schwab – brokerage down – no exact figures
49 Copyright © 2016 M. E. Kabay. All rights reserved. 50 Copyright © 2016 M. E. Kabay. All rights reserved.
History of DDoS (4) DDoS Attack on Social Networking Sites – Aug 2009 DDoS as tool for extortion Growing number of criminals (and criminal Aug 6-8, 2009 – SNS under attack organizations) threaten DDoS attacks unless paid Twitter down ransom LiveJournal down and up Demonstrate power by interrupting service Facebook slow Most victims stay quiet about extortion Gawker affected Jan 2009: TechWatch digital TV site down Xbox Live DDoS allegedly using 9,000 bots Some Google services for SYN flood Analysts believe attack was aimed at 1 blogger 446Mbps avalanche of packets rose to 2 Gbps Cyxymu outspoken critic of South Ossetia war Writes in “Georgianised Russian” Victim applied advanced traffic filters Attackers demanded ransom DDoS attack blamed on Russian hackers* *Example of
51 Copyright © 2016 M. E. Kabay. All rights reserved. 52 Copyright © 2016 M. E. Kabay. All rights reserved. hacktivism
DDoS vs BBC TV Website DDoS vs Irish Lottery
2016-01-02 1121 GMT 2016-01-20 BBC Website down to 1325 for few hours Largest jackpot in 18 DDoS months Post screenshot Could not buy tickets w/ #tangodown Machines blocked or #takendown Website Anti-ISIS hackers unresponsive New Word Hacking Claim pen-testing to fight ISIS “Only a test”
53 Copyright © 2016 M. E. Kabay. All rights reserved. 54 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 9 All rights reserved. INFOWAR Class Notes
DDoS Terminology & DDoS Tools – Details Overview Elsewhere Terms (synonyms) Intruder (attacker, client) Trin00 Master (handler) Tribe Flood Network Daemon (agent, beast, Stacheldraht bcast program, zombie) TFN2K Victim (target) Trinity Process Code Red Worm Intruder compromises insecure systems NIMDA Installs master program Hidden Links in Scans for thousands of weak systems Web Pages or Programs Installs daemon code to listen for instructions Instructs owned systems to launch DDoS Permission requested from Frans Charming 55 Copyright © 2016 M. E. Kabay. All rights reserved. for permanent use of image 56 Copyright © 2016 M. E. Kabay. All rights reserved.
Malicious Code/Malware Linux.Ekcocms.1 Trojan
Terminology: 2016-01-16 Viruses, worms, Trojan horses Linux systems See CSH6 Chapter 16 Snaps screenshot Mobile code such as Java, ActiveX, every 30 seconds VBscript INTEL: user activity See CSH6 Chapter 17 Websites visited Malware widespread Programs used In 1980s & 1990s used by individuals Saves to folders on disk In 1990s & 2000s increasingly used by organized Uploads encrypted crime contents to remote server Significant evidence of state-run malware research and development
57 Copyright © 2016 M. E. Kabay. All rights reserved. 58 Copyright © 2016 M. E. Kabay. All rights reserved.
Cryptography Wars (1) Cryptography Wars (2) Cryptography used in military operations for millennia Control shifted to Export Administration Regulations (EAR) Cracking ciphertext top priority for governments and criminals Dept of Commerce Parallel processing More liberal Ultra-high-speed computers Back doors to crypto (teraflops) Many governments/regimes demand access to Debate about international traffic in strong cryptography encryption keys or “master keys” International Traffic in Arms Regulation (ITAR) of US Civil-liberties groups restricted export oppose demand ITAR under control of State Dept Weaken crypto for all users Critics regarded ITAR application to cryptography as pointless Usable by dictatorial regimes & criminals
59 Copyright © 2016 M. E. Kabay. All rights reserved. 60 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 10 All rights reserved. INFOWAR Class Notes
PSYOP (1) PSYOP (2) Psychological operations = PSYOP Classic example of PSYOP: preparation for Normandy Planned psychological activities invasion (DISINFO) Directed to enemy, friendly, neutral Allies fabricated & planted leaks audiences about supposed invasion at To influence emotions, motives, Pas de Calais attitudes, objective reasoning & Nazis believed that General behaviors George S. Patton leading In ways favorable to originator invasion Targets at all levels (individuals, groups, organizations, Concentrated Nazi troops away military, civilian) from actual Normandy landing Goals areas Reduce morale & combat efficiency among enemy Sep 11, 2001 WTC bombing & subsequent anthrax- Promote dissension & defection among enemy spore scare illustrate effects similar to PSYOP – Support deception operations by friendlies demoralization, economic consequences, changes in culture Promote cooperation, unit, morale in friendlies
61 Copyright © 2016 M. E. Kabay. All rights reserved. 62 Copyright © 2016 M. E. Kabay. All rights reserved.
Physical Attacks Weapons Inadvertently Provided
Sep 11, 2001 attacks had noticeable effects on Vulnerabilities in software systems open nation to information infrastructure cyberwar Backhoe attacks facilitated Bad software design (see RISKS FORUM DIGEST) by warning signs about where not to dig – indicate communications trunks Undersea cables susceptible to sabotage https://catless.ncl.ac.uk/Risks/ International prevalence of car bombings, suicide Poor software quality assurance bombings & IEDs (improvised explosive devices) causing rethinking about weapons of cyberwar Rush to market of incompletely tested software Increased attempts to secure civilian infrastructure See CSH6 Chapters But much of public policy described as security theater 38 Writing Secure Code (after Bruce Schneier) by critics 39 Software Development & Quality Assurance 40 Managing Software Patches & Vulnerabilities
63 Copyright © 2016 M. E. Kabay. All rights reserved. 64 Copyright © 2016 M. E. Kabay. All rights reserved.
Part 3: Military Perspectives on Cyberwarfare Fundamental problems Part 3: Asymmetric warfare: central concept Military In-kind counterattacks Forceful defenses Perspectives Industrial espionage Critical infrastructure Current battle with Daesh/ISIL/ISIS
65 Copyright © 2016 M. E. Kabay. All rights reserved. 66 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 11 All rights reserved. INFOWAR Class Notes
Fundamental Problems (1) Fundamental Problems (2) A fundamental flaw in today’s Internet: THERE IS NO GUARANTEE OF AUTHENTICITY Criminals & hostile forces can use distributed IN IPV4 attacks Botnets created by commandeering Origination IP addresses can be spoofed! poorly-secured computers owned by A 12 year old hacker can make packets coming amateurs from her computer look like they come from Albania Botnets can have 10,000 zombies Distributed networks are impervious to take- IPv6 does include strong down authentication Multiple connectivity But it isn’t Multiple replication yet widely Shut down one TOR node, no one notices* implemented See e.g., Dingledine, R., N. Mathewson, & P. Syverson (2006). “Tor: The Second-Generation Onion Router.” < http://hatswitch.org/~nikita/courses/ece598nb-sp06/slides/tor.ppt >
67 Copyright © 2016 M. E. Kabay. All rights reserved. 68 Copyright © 2016 M. E. Kabay. All rights reserved.
Asymmetric Warfare In-Kind Counterattacks
Defense more expensive than attack Problematic because of address spoofing Probability of at least 1 weakness Not certain where attacks originate Increases as number of potential attack Could attack wrong target points grows Recent incidents have been inconclusive n P(system breach) = 1 – (1 - p) where Israelis vs Arabs p = probability of unit failure & Taiwan vs PRC n = number of independent possible Kashmir vs India breach points or Serbs vs Albanians P = 1 – Π(1 - pi) where PRC vs USA Π is multiplication Fundamental asymmetry of attacker/defender pi = probability of failure of unit i makes counterattacks in kind futile
69 Copyright © 2016 M. E. Kabay. All rights reserved. 70 Copyright © 2016 M. E. Kabay. All rights reserved.
Forceful Defenses Unlikely Industrial Espionage Stahl, J. (2016-01-17). “The Great Brain Barriers to the use of force Robbery: Economic espionage sponsored by US increasingly reluctant to use force without the Chinese government is costing U.S. international support corporations hundreds of billions of dollars Identity of attackers may be unclear and more than two million jobs.” Sixty Minutes, CBS News. Spoofing may lead to misidentification < http://tinyurl.com/hae3fne3 > Difficult to characterize specific incident as cyberattack, error, accident, or malfunction US Dept of Justice describes Chinese cyberespionage as “national security Attackers may not be state actors – cannot launch emergency” war against criminals, activists, individuals Government-sponsored hackers attack 1000s UN doctrine limits reactions to proportional of US private corporations response Thus unlikely to see forceful response to cyberattack US companies doing business in PRC have trade secrets consistently stolen
71 Copyright © 2016 M. E. Kabay. All rights reserved. 72 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 12 All rights reserved. INFOWAR Class Notes
Critical Infrastructure Critical Infrastructure Attacked Electricity generation, http://smile.amazon.com/gp/product/111881763 production & distribution (PTD) Gas PTD Volz, D. (2016-02-25). “U.S. government Oil and oil products PTD concludes cyber attack caused Ukraine power Heating systems outage.” Reuters < http://tinyurl.com/hsf47hl > Financial services (banking, clearing) 2015-12-23 Security services (police, military) 225,000 people affected Water supply (drinking water, waste 1st known successful cyberattack on a grid water/sewage, flood control) Telecommunication (radio, TV, phones, Likely from Russian Sandworm group Internet) Installed malware that switched breakers off Public health (hospitals, clinics, DoS on customer-service phones medicines, ambulances) Agriculture, food PTD (supplies, storage, wholesale, retail) Prevented real customers from reporting Transportation systems (fuel supply, railway network, airports, outages harbors, trucking for inland shipping)
73 Copyright © 2016 M. E. Kabay. All rights reserved. 74 Copyright © 2016 M. E. Kabay. All rights reserved.
DAESH/ISI & Social Media Pentagon v DAESH (1) PSYOP a critical element of strategy Attracting recruits Using YouTube, Twitter, Facebook…. Gruesome videos of violence appeal to angry young people Shifting to also including “normal” “fun” info about members More info: Wagner, D. (2015). “What the Islamic State Is Teaching the West About Social Media.” TheWorldPost. < http://tinyurl.com/jz8pfae > Wallin, M. (2015). “Winning the Social Media War Against ISIS.” American Security Project. < http://tinyurl.com/j8l9mak >
75 Copyright © 2016 M. E. Kabay. All rights reserved. 76 Copyright © 2016 M. E. Kabay. All rights reserved.
Pentagon v DAESH (2) Hackers v DAESH 2016-02-29 Griffin, A. (2015-11-27). “Anonymous has Cyberoffensive launched vs taken down an ISIS website and replaced it ISIS with an ad for Viagra.” Business Insider. < http://tinyurl.com/j2fkf7v > Military hackers attacked computer/cellphone networks GhostSec affiliate Launched from Ft Mead, MD Click through to Overload enemy networks pharmacy site Interrupt C2 of forces w/ Buy Viagra and Prozac DoS PSYOP to make Cannot just blanket entire candidates laugh at ISIS area – need INTEL Block ISIS PSYOP Email Social media
77 Copyright © 2016 M. E. Kabay. All rights reserved. 78 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 13 All rights reserved. INFOWAR Class Notes
DISCUSSION:
What are the most effective measures for defending against cyberwarfare attacks? Part 4: Are kinetic (conventional) warfare methods adequate / appropriate for reducing cyberattacks? Cyberdefense How do we cope with the risk of attacking the wrong targets? Policy Issues
79 Copyright © 2016 M. E. Kabay. All rights reserved. 80 Copyright © 2016 M. E. Kabay. All rights reserved.
Part 4: Cyberdefense Policy Legal Defenses Issues International legal system ineffective vs infowar Information warfare not prohibited under UN charter Legal Defenses (except if it causes death or property damage) Technical Defenses Little or no police power to enforce few laws that exist governing infowar Cooperative Efforts Sovereignty trumps law in cross-border US Military Policies communications US Foreign Policy No major powers have pressed to international laws or treaties to govern infowar Politics may override legal judgement Power of criminals supersedes legal systems Identifying source of attacks difficult Technology advances faster than laws Not likely to see legal defenses used against cyberattack
81 Copyright © 2016 M. E. Kabay. All rights reserved. 82 Copyright © 2016 M. E. Kabay. All rights reserved.
Technical Defenses Cooperative Efforts All the technical defenses used in protecting Little evidence of international cooperation to fight computers and networks against individual attack cyberterrorism or limit cyberwarfare can be used in cyberdefense Strong efforts by US military to Entire contents of CSH6 apply to cyberwarfare increase cyberwarfare capabilities defense NATO starting to act Constant attention to evolving vulnerabilities and Signed agreements for coop’n threats NATO supporting Cooperative Special value for INTEL and COINTEL activities Cyber Defence Centre of Intelligence to track state and non-state actors Excellence in Estonia e.g., infiltration, monitoring Internet chatter EU supporting civilian cyberspace Counterintelligence to identify spies and programs saboteurs
Robinson, N. (2013). “Cybersecurity Strategies Raise Hopes of International Cooperation.” RAND Corporation. < http://tinyurl.com/jfvc9g7 >
83 Copyright © 2016 M. E. Kabay. All rights reserved. 84 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 14 All rights reserved. INFOWAR Class Notes
US Military Policies (1) US Military Policies (2)
Joint Doctrine for Operations Security USCYBERCOM (US Cyber Command) OPSEC 2009-06-23 SecDef ordered Identify critical information creation Analyze visibility to adversaries Mission Identify tactical and strategic Plan, coordinate, advantages to adversaries of integrate synchronize, data acquisition conduct Identify & implement Operations/defense countermeasures DoD info networks Prepare/conduct US Joint Chiefs of Staff (2006). cyberwarfare “Operations Security.” Joint Publication 3-13.3. < https://fas.org/irp/doddir/dod/jp3_13_3.pdf >
85 Copyright © 2016 M. E. Kabay. All rights reserved. 86 Copyright © 2016 M. E. Kabay. All rights reserved.
US Military Policies (3) US Military Policies (4) USCYBERCOM cont’d: Focus Presidential Policy Directive PPD-20 (2012-10) leaked 2013-06-07 Defend DoDIN < http://tinyurl.com/hezjbs2 > Support combatant commanders in action Strengthen US resistance & response to cyberattacks
https://www.stratcom.mil/factsheets/2/Cyber_Command/
87 Copyright © 2016 M. E. Kabay. All rights reserved. 88 Copyright © 2016 M. E. Kabay. All rights reserved.
US Foreign Policy Part 5: http://tinyurl.com/npfoxh9 Emerging Vulnerabilities & Threats
89 Copyright © 2016 M. E. Kabay. All rights reserved. 90 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 15 All rights reserved. INFOWAR Class Notes
Part 5: Emerging Vulnerabilities Internet of Things & Threats Growing number of controls in homes & industry Internet of Things connected via unprotected Internet Connected Automobiles 2010 – STUXNET worm vs Iranian nuclear centrifuges Self-Driving Cars US/Israeli cooperation Industrial Destroyed SCADA for SIEMENS centrifuges Robots Dec 2015 – networked toys usable as spying devices Hospital Jan 2016 – NEST thermostats updated – stop working Systems properly – cold homes Jan 2016 – SHODAN search engine browses Webcams including in people’s houses Feb 2016 – US Dir Natl Intel states that TV, car, & toys networked via Internet usable for surveillance
91 Copyright © 2016 M. E. Kabay. All rights reserved. 92 Copyright © 2016 M. E. Kabay. All rights reserved.
Connected Automobiles Self-Driving Cars (1)
Security Innovation researcher Laser pointer scrambles LIDAR http://tinyurl.com/qby7gok http://fortune.com/2015/09/15/intel-car-hacking/ Laser pointer tricks system into taking evasive action
93 Copyright © 2016 M. E. Kabay. All rights reserved. 94 Copyright © 2016 M. E. Kabay. All rights reserved.
Industrial Robots
http://tinyurl.com/ko6cuhy
http://tinyurl.com/j7jg7w9
Driving Driving Cars (2)
- Self
95 Copyright © 2016 M. E. Kabay. All rights reserved. 96 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 16 All rights reserved. INFOWAR Class Notes
http://tinyurl.com/m2jarqo
DISCUSSION Hospital Hospital Systems
97 Copyright © 2016 M. E. Kabay. All rights reserved. 98 Copyright © 2016 M. E. Kabay. All rights reserved.
Now go and study
99 Copyright © 2016 M. E. Kabay. All rights reserved.
Copyright © 2016 M. E. Kabay 17 All rights reserved.