#4 – QUANTIFYING CYBER ATTACKS AND CYBER WARFARE – (C) CAPERS JONES – TECHNOLOGY@RISK

The advent of the computer era has brought with it several new kinds of criminal activities and also new forms of military engagements that take place over long distances and involve either disabling military equipment or stealing secret information, or both.

There are also new laws against computer crimes, including the United States Computer Fraud and Abuse Act from 1986 and the United Kingdom’s Computer Misuse Act.  There are also several laws against spyware.  However, as in other fields, laws do not prevent computer crimes.  Also, some computer malware such as browser hijackers and spyware may be legal if they are identified in license agreements that users accept.

A potentially more serious form of future warfare involves detonating nuclear devices in the high atmosphere to create electro-magnetic pulses (EMP).  These pulses have the ability to shut down and damage electrical devices over quite a wide area, and some will be damaged beyond repair.

Some military equipment is shielded from EMP damages but all civilian computers or electronic devices are exposed to potentially serious EMP harm:  automobiles, computers, cell phones, medical equipment, cash registers, fuel pumps, electric power systems, and everything else.

Technically cyber crime and cyber warfare are about the same, but cyber crime is carried out by individuals or criminal groups while cyber warfare is carried out by military personnel, government organizations, and their civilian contractors under the command of senior officers or senior government officials.   Both cyber attacks and cyber warfare present increasingly serious threats to individuals, companies, governments, and military services.

Before dealing with the history of cyber attacks and cyber warfare it is best to explain the major kinds of attacks and harmful software used for these attacks:

  • Botnets
  • Browser hijackers
  • Cyber warfare against civilian targets
  • Data theft from corporations
  • Data theft from unsecured networks
  • Denial of service attacks
  • E-mail address harvesting
  • Identity theft
  • Keyboard trackers
  • Malware
  • Pharming
  • Phishing
  • Rootkits
  • Skimming
  • Spam
  • Trojans
  • Viruses
  • Worms

Following are short discussions of the various security threats shown above:

Botnets

The term “bot” is apparently the last half of the word “robot.”  In the context of cyber crime a “bot” is a computer that has been seized and is under the control of a malicious software routine that arrived from the web or from an external source such as a disk or thumb drive.  Botnets are illegal in the United States and most countries.  Government sponsored botnets are another story.

The problem is bigger than just seizing one computer.  The malicious software is self-propagating and can infect and seize dozens or even hundreds or thousands of individual computers.  When these captive computers operate in concert they are called a “botnet.”

The main use of a botnet is to direct concentrated attacks at web sites or the computers of companies and government agencies with the idea that millions of incoming messages will swamp their defenses and either shut them down, slow them down, or prevent their normal work from taking place.  This is called a “denial of service attack.”

The botnet can be controlled by a “bot herder” or a “bot master.”  The individual enslaved computers are sometimes called “zombie computers.”  Although botnets are often used for denial of service attacks, they have other purposes.  For example they can be used to send out millions of spam messages or ads or anything else.

Sometimes bot masters rent their bots to other individuals or cyber criminals who add different kinds of payloads.

Once infected the individual bot computers may need to be repaired one by one.  Some forms of firewalls and network-based intrusion detection systems (NIDS) can stop bot attacks.  Microsoft Windows is a popular target for botnet attacks.  Some anti-virus software can prevent them, but there is a constant race between attackers and defenders.

The origin of botnets is ambiguous but they were found in 2004 and possibly before.  Some of the more famous botnet attacks are named for the offending software:  Conficker and Mariposa in 2008; Zeus in 2010; Bagle in 2004.

In sum total there have probably been several hundred specific malicious bot software packages created and the total number of computers impacted appears to be hundreds of millions.

As an example of the damages done by botnets consider the Conficker attacks in 2008 and 2009:

  • In January of 2009 a French Naval network was invaded which grounded a number of aircraft for several days.
  • Soon after the British Ministry of Defense reported a Conficker attack which affected several ships and also grounded aircraft for several days.
  • The British city of Sheffield reported a Conficker attack against hospitals and government installations that affected about 800 computers.
  • The British city of Manchester reported a Conficker attack on government computers in February of 2009, possibly caused by the use of a thumb drive.
  • In March of 2009 computers used by the House of Commons in the British Parliament were affected by the Conficker botnet software.

As can be seen from the importance of the victims, this was a very sophisticated attack mechanism with substantial self-defense abilities to prevent removal.  The Conficker package was able to invade computer networks with serious professional firewalls and protection.   Five variants of the Conficker botnet software package were identified, called Conficker A, B, C, D, and E.  Later other variants were found.

In February of 2009 Microsoft formed an international working group with a dozen or more organizations to help prevent Conficker attacks and speed up removal and cure for pre-existing attacks.

At least one of the variants was traced to the Ukraine.  The origins of the other variants are either ambiguous or not yet published.  Botnets pose a serious on-going threat to home computers, corporate computers, government computers, and military computers.

It is apparent that much greater use of encryption for confidential government data is likely to occur in the future.  This may also be true for proprietary corporate data such as client addresses, credit card numbers, and social security numbers.

Browser Hijackers

Browser hijackers are annoying and semi-legal malware packages that divert web browsers from their intended destinations and force them to alternate destinations.   All of the well-known browsers are affected such as Bing, Chrome, Firefox, Internet Explorer and others. Some of the current browser hijackers include Abnow, CoolWebSearch, MySearch, search.conduit, and search-daily.

As with other forms of malware, browser hijack owners attempt to make browser hijackers resistant to removal by anti-virus and anti-spyware tools.  If you have a computer that is infected by one or more browser hijackers, you need to do a search for effective solutions by contacting your anti-virus or anti-spyware vendors.

Some of the purposes of browser hijackers are to divert web searches to alternate sites that have ads, pornography, or some other topic different from the one the user wanted.   A common form of browser hijacking starts with some kind of message such as “WARNING YOUR COMPUTER IS INFECTED….”   If you click on this your browser is diverted to a company that wants money to fix your computer, and will not remove the browser hijacker unless paid.

Some browser hijack software owners rent their tools to others who supply their own destination web sites.  Sometimes browser hijackers are included in commercial software on disks or downloaded.  The agreements that users have to check when installing such software may list specific spyware or browser hijackers.

Because some web advertising pays on the number of hits that reach a specific web site, a very common reason for browser hijacking is to artificially force hits to a specific web site so that the advertiser has to pay higher fees.

Browser hijacking is not necessarily illegal.  If it is used without the knowledge and consent of a computer user, it is probably illegal.  If it is included in a license and the user agrees to it, then it is probably not illegal.  Since most users don’t read the full text of these licenses vendors can stuff in alarming amounts of harmful clauses, including permission to download browser hijack tools.

Browser hijacking often shows up in court.  A common plea by people who are charged with downloading pornography is the defensive claim that it was the result of browser hijacking.  These cases are complex and difficult to prove one way or the other.  However the courts do not seem to accept this line of defense very often.

Cyber Warfare against Civilian Targets

Readers may wonder why cyber warfare should be a concern to civilians.  The reason is that civilian targets are important to national economies and to defense preparation.  They also may have less sophisticated defenses than true military targets.  In the United States our telephone systems, our electric power generation and transmission systems, and our air and rail transportation systems are important components of military preparedness.  They are also spotty in defenses against cyber attacks.  Our financial systems are also a critical part of the national economy, and are also spotty in defenses against cyber attacks.

Consider the impact of a successful cyber attack in winter on New England’s electric power and communication systems that shut them down for a two week period.   Without power many stores would be closed and it would not be possible to purchase fuel oil or gasoline and possibly food.  Air travel would be disrupted due to passengers not being able to make reservations, and also possible airport closures.  Within about a week pipes would begin to freeze and burst in homes and office buildings.  Without fuel some automobiles and trucks would be abandoned wherever they stopped, which would interfere with road traffic.  Snow plowing might stop.  Food shortages would soon follow, possibly accompanied by thefts and riots.

No doubt martial law would have to be declared and emergency supplies would need to be brought in by military helicopters.  Very likely there would be deaths among the homeless and elderly who could not make it to emergency shelters.  Billions of dollars of financial losses would accrue to businesses and individuals.   These financial losses might lower tax and government incomes and possibly trigger some municipal bankruptcies.

The bottom line is that a long-term disruption of the U.S. infrastructure due to either cyber attacks or electro-magnetic pulses (EMP) could have wide-ranging consequences that could damage the economy for an extended period.

International cyber warfare is already occurring.  The Stuxnet virus attacks manufacturing equipment and was probably created by a national cyber attack unit.  The newer Gauss virus attacks banks and financial records, and is also probably created by a national government.

In August of 2010 the U.S. government issued a public statement that the Chinese government was gearing up for possible cyber attacks.  Apparently the People’s Liberation Army of China was using civilian experts as well as military cyber warfare specialists.

Data Theft from Corporations

The Verizon company did a study of corporate data theft in 2011 and found about 855 incidents with thefts of perhaps 174,000,000 corporate records.  An interesting part of the study was that about 57% of the stolen data was taken by “hacktivists” who stole the data for political purposes rather than for resale to cyber criminals.  Political groups such as Anonymous and Lulzsec also attack and deface corporate and government web sites.  Some samples of corporate data theft include:

In 2009 three arrests were made for stealing about 130,000,000 credit and debit card numbers for companies such as 7-Eleven and Hannaford Brothers.  A card payment company, Heartland Payment Systems, was the target of the attack, which used a sophisticated SQL injection attack.

In 2011 Norway’s energy, gas, and defense companies were hit by 10 apparently coordinated cyber attacks which swept disk drives for personal information and industrial secrets.  An infected email was the host.

Early in 2012 about 10,000,000 customer accounts for Visa and Mastercard were compromised and probably stolen.  Apparently a third party contractor, Global Payments, was the actual company targeted for the theft.

In April of 2011 an email marketing company in Irvine, Texas was hit by data theft that stole millions of email addresses.  This company sends out about 40,000,000 ads (probably spam) per year.  The email addresses included customers of many major companies such as BestBuy, Capital One, Target, Kroger, JP Morgan, McKinsey, and many others.

In May of 2012 the professional network LinkedIn reported data thefts of millions of passwords.  Indeed about 6,500,000 LinkedIn passwords actually were displayed on a Russian web site.

These samples demonstrate that corporate data theft will probably impact close to 25% of U.S. citizens within the next five years.

Data Theft from Unsecured Networks

The author of this book lives in a fairly small town with a population of about 17,000.  Within a mile of the office where this book is being written are at least a dozen free wireless networks at local coffee shops and restaurants.

In the author’s neighborhood all of the neighbors have private networks, which is common in today’s world.  Most home networks are secured, but some home networks are not.  Recently a friend with an unsecured network noticed a slow-down on his network and discovered that a teenage neighbor had signed onto the network and was downloading films and music.

Piggybacking on unsecured networks is fairly common and probably the least troubling kind of theft.  However it is not a victimless crime.  The hijacked network’s fees will probably go up based on the bandwidth and amount of material downloaded, so the true network owner will lose money.

Piggybacking is easy to do.  If a network is unsecured and shows up on a computer’s list of available networks, it is only necessary to say “connect” and it can be used.

There are also commercial “sniffers” that will report the brands of local wireless routers within range.  Once the brand is identified the hacker can then download data from the manufacturer’s web site that gives the original password for the brand and model of router.  With this information in hand the hacker can then use the wireless network more or less at will.

Free public wireless hot spots are in daily use by hundreds of students from a nearby university, as well as by local citizens who happen to use computers, iPads, Kindles, and other wireless devices.  Free wireless networks are a great convenience, but are also fraught with the danger of losing passwords, credit card numbers, and other forms of personal information.  How does this happen?

One method is that skilled hackers can tap into the network and extract information from any or all users using the router ID as already described.

A second method is that a hacker can construct a phony wireless hot spot with the same name as the ones used by coffee shops or local restaurants.

When using public networks be sure to specify “public network” when your computer asks about what kind of network it is.  It is also best to do only casual browsing and avoid things like on-line purchases with credit cards or on-line banking.  Of course the most common use of a computer today is probably email or messaging, so there is a high probability of compromising the email addresses of both senders and recipients.

Denial of Service Attacks

Computers and servers are fast and can handle thousands of transactions per minute, but they all have a finite capacity that can be exceeded.  This is why we sometimes have waits when attempting to reach a web site or perform a task.

The idea behind denial of service attacks is to saturate a computer or a server by sending millions of messages that require some form of processing and thereby saturate it so that it no longer functions for its true and legitimate purposes.

In general denial of service attacks are illegal in most countries and they also violate the operating rules of essentially every internet host.  Government-sponsored attacks are another matter.

Denial of service attacks require coordination of a number of computers since a single computer or server is not fast enough to saturate a normal web site or server farm.  Therefore botnets are a common adjunct to denial of service attacks.  However some groups or collections of cyber criminals can create denial of service attacks by means of voluntary cooperation.

There are many different forms of denial of service attack.  In fact there are too many to discuss in this book.  They range from relatively minor annoyances to severe attacks that can actually damage servers and computers.

In today’s world of instant communication, it sometimes happens that a web site has some new and exciting topic that causes millions of individuals to try and access it at about the same time.  The impact on the site being accessed is the same as a denial of service attack, but it is not an attack but rather a spontaneous burst of users all trying to get to the same site at the same time.

This same situation can occur in reverse.  An offensive internet posting may receive millions of indignant complaints at about the same time.  As this is written an actual offensive event is absorbing millions of emails and computer cycles.  The event was the publication of a video that mocked Mohammad and the Islam religion on YouTube.

Email Address Harvesting

In today’s world email addresses are a valuable commodity that are bought and sold on a daily basis.   In many cases these lists are available from reputable companies and often target either specific industries or specific kinds of jobs such as executives or technical officers.  How are these valuable addresses obtained?

In 2003 laws were passed in Australia and the United States that prohibit some kinds of email harvesting, but there are still a number of legal ways available.

There are several ways of obtaining email addresses and they vary in their ethics and legality.  One way is to use a “harvesting bot” or “spider” that searches public sources of email addresses such as Usenet lists and internet forums.  These email addresses are then collected and added to lists, sometimes collated by industry or type.  This form of harvesting from public data is legal.

More unsavory forms of email harvesting include attacks on specific directories and web sites.  A clever way of gathering email addresses is to use lists of common names and then methodically try each name with a specific site.   Suppose you have an email address that is something like CJones@privatemail.com.  Once the server “privatemail” is identified a harvesting tool would then send dummy emails to the site to see which ones are accepted.

For example the harvesting tool might go through the alphabet and send to “AJones, BJones, CJones, DJones, etc.”  If any are accepted the valid addresses are added to a list and go to market.  The same tool might have a list of hundreds of common names and try things like “Arthur,” “Betty,” “Charles,” “David,” “Emily,” and so on to see how many work.  This method now seems to be illegal.
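A defender’s view of the directory walk just described, as an added example that is not from the book: a small Python script that scans mail-server rejection logs for a single client probing many unknown mailboxes in a short window, which is what the “AJones, BJones, DJones…” pattern looks like from the receiving side. The Postfix-style log lines, the client IPs and the domain privatemail.com are constructed for illustration.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style smtpd rejection lines (not taken from any real server).
# privatemail.com follows the text's example; the IPs are documentation addresses.
# Client 203.0.113.5 walks AJones, BJones, DJones, ... against the server
# (CJones exists, so it is accepted and produces no rejection line);
# 198.51.100.7 is an ordinary sender who mistyped one address.
SAMPLE_LOG = """\
Sep 15 10:01:02 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <AJones@privatemail.com>: Recipient address rejected: User unknown in local recipient table; from=<offers@example.net> to=<AJones@privatemail.com> proto=ESMTP helo=<mail.example.net>
Sep 15 10:01:03 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <BJones@privatemail.com>: Recipient address rejected: User unknown in local recipient table; from=<offers@example.net> to=<BJones@privatemail.com> proto=ESMTP helo=<mail.example.net>
Sep 15 10:01:05 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <DJones@privatemail.com>: Recipient address rejected: User unknown in local recipient table; from=<offers@example.net> to=<DJones@privatemail.com> proto=ESMTP helo=<mail.example.net>
Sep 15 10:01:06 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <EJones@privatemail.com>: Recipient address rejected: User unknown in local recipient table; from=<offers@example.net> to=<EJones@privatemail.com> proto=ESMTP helo=<mail.example.net>
Sep 15 10:01:08 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <FJones@privatemail.com>: Recipient address rejected: User unknown in local recipient table; from=<offers@example.net> to=<FJones@privatemail.com> proto=ESMTP helo=<mail.example.net>
Sep 15 10:03:30 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <Capres@privatemail.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.org> to=<Capres@privatemail.com> proto=ESMTP helo=<mail.example.org>
"""

# Matches only "User unknown" rejections and captures the fields we need.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def parse_rejects(log_text):
    """Yield (timestamp, client_ip, rejected_recipient) for each unknown-user rejection."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults; only deltas matter
            yield ts, m.group("ip"), m.group("rcpt").lower()


def find_enumerators(log_text, threshold=4, window_seconds=300):
    """Return {client_ip: sorted distinct rejected recipients} for every client that had
    at least `threshold` distinct unknown mailboxes rejected within any `window_seconds` span.
    A legitimate sender with one or two typos never reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # ip -> [(ts, recipient)]
    for ts, ip, rcpt in parse_rejects(log_text):
        events[ip].append((ts, rcpt))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window forward from each rejection and count distinct targets inside it.
        for i in range(len(evs)):
            start = evs[i][0]
            seen = {r for t, r in evs[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[ip] = sorted({r for _, r in evs})
                break
    return flagged


def common_local_suffix(recipients):
    """Longest suffix shared by every local part, e.g. 'jones' for ajones/bjones/djones.
    A long shared suffix across many rejected names is the signature of a name walk."""
    local_parts = [r.split("@", 1)[0] for r in recipients]
    if not local_parts:
        return ""
    reversed_common = os.path.commonprefix([s[::-1] for s in local_parts])
    return reversed_common[::-1]


if __name__ == "__main__":
    for ip, targets in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(targets)} unknown mailboxes, shared suffix {common_local_suffix(targets)!r}")
```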

A very common and legal method for harvesting email addresses is used daily by thousands of companies.  The companies simply offer a free trial, a free service, or something else that might be useful and require that anyone who requests it must provide an email address.

Long before computers some companies such as magazines and consumer products would sell customer address lists.  Address harvesting is merely a continuation of an idea that is hundreds of years old.

There are a number of counter measures to reduce the incidence of email address harvesting.  Among these are:

Address munging or changing the format of email addresses when they are displayed.  Thus instead of Capers@privatemail.com the address would be “Capers at privatemail dot com.”  This can be overcome but adds costs to email harvesting.

CAPTCHA is a method that displays numbers or letters in a little box, often in graphic form.  In order to complete a transaction the user must key in the characters that are displayed.

Spider traps are parts of a web site designed to attract email harvesters or “spiders.”  The web site includes a “honeypot” that the spider assumes contains useful email addresses but that in reality is a trap that blocks access.

There are other methods besides these, but they illustrate that email harvesting is a continuing problem of the modern world.
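The spider trap and the address munging described above, as an added Python example that is not the book’s own: it scans constructed Apache-style access log lines for clients that follow a hidden trap link (the trap path /contact-archive/ is an assumed name, presumed to be linked only invisibly and disallowed in robots.txt), builds the block list, and renders addresses in the munged form the text suggests, with a small audit regex to confirm that munged addresses no longer match the plain email pattern.

```python
import re

# Assumed honeypot path: reachable from the site only through a hidden anchor and
# listed as "Disallow: /contact-archive/" in robots.txt, so neither a human visitor
# nor a rule-abiding crawler has any reason to request it.
TRAP_PREFIX = "/contact-archive/"

# Constructed Apache combined-format lines (not real traffic); IPs are documentation
# addresses. 203.0.113.77 follows the hidden link without ever reading robots.txt;
# the other two clients behave normally.
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [15/Sep/2012:10:02:11 -0400] "GET /robots.txt HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; examplebot/1.0)"
198.51.100.23 - - [15/Sep/2012:10:02:12 -0400] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; examplebot/1.0)"
203.0.113.77 - - [15/Sep/2012:10:05:01 -0400] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.77 - - [15/Sep/2012:10:05:02 -0400] "GET /contact-archive/staff.html HTTP/1.1" 200 2048 "http://www.example.com/about.html" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.44 - - [15/Sep/2012:10:07:40 -0400] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"
192.0.2.44 - - [15/Sep/2012:10:07:45 -0400] "GET /contact.html HTTP/1.1" 200 3100 "http://www.example.com/about.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Return one dict per parseable line (ip, ts, method, path, status, referer, ua)."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_trap_hits(text, trap_prefix=TRAP_PREFIX):
    """Map each client IP that requested the trap path to what the log tells us about it:
    number of trap hits, whether it ever fetched robots.txt, and its user agent string."""
    robots_readers = set()
    per_ip = {}
    for rec in parse_access_log(text):
        if rec["path"] == "/robots.txt":
            robots_readers.add(rec["ip"])
        if rec["path"].startswith(trap_prefix):
            info = per_ip.setdefault(rec["ip"], {"hits": 0, "user_agent": rec["ua"]})
            info["hits"] += 1
    for ip, info in per_ip.items():
        # A client that hit the trap without reading robots.txt never saw the Disallow rule;
        # one that read it and still followed the link ignored the rule on purpose.
        info["fetched_robots"] = ip in robots_readers
    return per_ip


def block_list(text, trap_prefix=TRAP_PREFIX):
    """Sorted client IPs to deny further access: anyone who touched the trap."""
    return sorted(find_trap_hits(text, trap_prefix))


# Plain-address pattern used only to audit our own pages for harvestable addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def munge_for_display(address):
    """Render an address the way the text suggests: 'Capers at privatemail dot com'."""
    local, domain = address.split("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


def exposed_addresses(page_text):
    """Addresses still present in plain, machine-matchable form on a page."""
    return EMAIL_RE.findall(page_text)


if __name__ == "__main__":
    for ip, info in find_trap_hits(SAMPLE_ACCESS_LOG).items():
        print(f"block {ip}: {info['hits']} trap hit(s), read robots.txt={info['fetched_robots']}")
    print(munge_for_display("Capers@privatemail.com"))
```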

Identity Theft

The crime of identity theft has become one of the most common crimes in the modern world.  Data from the web indicates that about 4.8% of U.S. households will experience identity theft.  The absolute numbers are in the range of perhaps 15,000,000 people per year in the United States alone.  Surprisingly identity theft also includes about 3,000,000 dead people.  Many identity theft victims are children.  A disturbing fact about identity theft is that it often involves relatives or “friends” of the victims.

Identity theft is not a “victimless crime” because the stolen identities are often used to steal money from banks, make unauthorized use of credit cards, create phony credit cards, rent automobiles, travel by air, and do other kinds of serious harm to the victims.  In a few cases houses have been fraudulently sold by people who were not the true owners!

Worse, the credit ratings and sometimes the reputations of the victims are damaged by identity thieves, and recovery is not easy to achieve.  There have even been arrests when an identity thief performs a crime such as armed robbery and the identity theft victim is wrongly blamed.

There are numerous ways of stealing identities.  Some of these include:

  • Stealing mail from mail boxes such as bills
  • Rummaging through dumpsters outside of office buildings
  • Physical theft of wallets and purses
  • Phishing or sending bogus emails that request personal information
  • ATM Skimming or using an illegal device that captures card data
  • Hacking into business data bases such as retail stores
  • Stealing identity information from relatives or friends

Because identity theft is so common in today’s world, there are fortunately resources available to aid in cancelling credit cards and restoring credit ratings.  These will vary from city to city and state to state, but in today’s world the police in major cities have trained investigators.  Credit card companies can also provide support, as can banks.  There are also commercial identity theft recovery companies, although not all of these are competent and effective.

Many government agencies can provide brochures and advice for those affected by identity theft.  These include the Internal Revenue Service, the Social Security Administration, the Federal Trade Commission (FTC) and the FBI.  Various military services have internal aid for the uniformed services.

There are also a number of non-profit organizations that can assist in identity-theft recovery either via the web or by phone call.  Examples include the Identity Theft Resource Center (ITRC) and CreditReport.

The credit reporting companies Equifax, TransUnion, and Experian also have identity theft support services.

Identity theft is a continuing and growing problem and will probably stay that way for the indefinite future.  Only the replacement of alphanumeric information with unique physical attributes such as retina prints or finger prints is likely to bring about significant reductions in identity theft.  Encryption of personal data might also help, assuming secure encryption methods.

Normally identity theft is a concern for individuals.  The Sunday September 15, 2012 edition of the Providence Journal, on page A5, had an article about the identity theft of an entire LLC corporation, and a security company at that.

The LLC had been registered in Florida.  Someone sent in a corporate amendment form and a fee of $25.00 to the state.  This amendment form, which was not checked or validated by state officials, provided a new owner for the corporation and a new business mailing address.

The apparent reason for this theft was that it entitled the new “owner” to borrow money in the company’s name since the State of Florida confirmed ownership by the hijacker!

To date this may be a unique kind of identity theft without any other examples.  Most state governments do not validate amendments to corporate documents when they are submitted.  This means that the same kind of corporate identity theft could take place in probably every state in the union.

Keyboard Trackers

A Google search on the phrase “keyboard trackers” will turn up more than half a dozen free or open source tools that can be used to track keystrokes with or without the knowledge of the person using the keyboard.  What would these be used for?  Most of the web ads for these trackers use phrases such as “discreetly monitor all keyboard activity….”   Who on earth needs to discreetly monitor someone else using a keyboard?

Some legitimate uses might be found in high-security government agencies or companies with proprietary information, to ensure that nothing is sent out without permission.  But the keystroke trackers themselves can dilute security.

If the keystroke tracker is secretly installed via a worm, Trojan, or virus then it can be used to find passwords, bank accounts, social security numbers, or any other confidential information that happens to be typed with the infected keyboard.

There are quite a few different kinds of keyboard trackers: too many for this book to describe.  Some are based on software and some are based on hardware.  Various web sites provide instructions for detecting and removing hardware and software keyboard trackers.

Considering the number of free and open-source keyboard trackers available, one might assume many legitimate uses.  However it is hard to envision a legitimate justification for tracking keystrokes other than as part of a criminal investigation or to protect highly secret information.

Without any statistical studies that report keystroke tracking usage, the most common uses would seem to be something unethical and possibly illegal such as seeking passwords, social security numbers, and other kinds of personal information from unsuspecting computer users.

Malware

The term “malware” is a concatenation based on “malicious” in the sense of something harmful and the last half of “software.”  When combined the term “malware” is a generic term that includes viruses, rootkits, worms, Trojans, spam, and other harmful software topics.

Pharming

The term “pharming” is based on “farming” and uses the same “ph” combination as “phishing.”   (George Bernard Shaw once joked that “ghoti” spells “fish” if you pronounced the “gh” as in “cough;” the “o” as in “women” and the “ti” as in “motion.”)

Pharming is a form of phishing that is aimed more at ecommerce and banking sites than at other kinds of users.  One major issue with pharming is that it can affect routers, and once a router has invalid information then anyone joining that network can be infected.

Because “phishing” and “pharming” are close to being identical, there is some objection to the term “pharming.”  Of the two phishing seems the oldest and was noted as far back as 1995.

Phishing

The term “phishing” is an obvious play on the word “fishing” and has more or less the same meaning.  Cast an attractive bait and wait to see what bites.  Phishing in several forms predates the computer era.  Both surface mail and telephones have been used to solicit information from unsuspecting victims long before computers existed.  Telegrams were also used in the days when they were a fast form of communication.

The most common forms of phishing today involve emails or instant messaging.  In one very common form the sender pretends to be an official of a foreign government (often Nigeria) who needs to transmit funds to an American bank.  The email requests that the recipient send bank information so the money can be transferred, and the recipient will then be able to keep a portion as a reward.  A more recent variation involves pretending to be a serving officer in Afghanistan or Iraq who has come across funds that can’t easily be taken out of the country.

More recent and more subtle forms of phishing involve stolen email lists.  Using a name known to the recipient from a stolen email list, the sender writes an email with a message like “I’m writing this with tears in my eyes….”  The message then goes on to describe some kind of tragedy such as a mugging or stolen wallet that left the person with no money and no identification.  There is a request to send funds to pay for a hotel, rental car, or something else.

Phishing attacks aimed at specific individuals using personal information such as their social networks or lists of friends from stolen email lists is called “spear phishing.”

An even more sophisticated form of phishing is called “whale phishing” because it is aimed at senior executives.   This kind of phishing is preceded by very focused email thefts from a law firm or accounting firm known to be used by the intended victim.  Sometimes a credit card firm or retail stores is used.  In any case the idea is to present a convincing story that will cause the victim to provide personal information such as a bank account, social security number, or something else.

Perhaps the most sophisticated form of phishing appears to come from a bank used by the victim.  However if the victim clicks on the email to respond, he or she is diverted to a phony web site that is designed to look like the real bank’s web site.

Even worse, some phishing emails with web links direct the user to their own actual banks, but secretly insert a pop-up screen that appears to be a request from the bank for personal information.

Phishing may have become an adjunct to cyber warfare.  There are reports on the web, not verified by this author, that the Chinese government and military have been involved with attempts to target the Gmail accounts of U.S. government officials and military personnel.  China denies this of course.  A study from 2006 showed a high frequency of phishing attacks originating in Russia from a group called the Russian Business Network, based on U.S. web site accounts.

Early phishing was fairly common on the America Online (AOL) system circa 1995.

This was initially successful but soon AOL and other internet hosts began to add text to their screens and messages that said “XXX will never ask for your password and billing information….”  This phrase is now a part of almost every commercial ISP and messaging service.

The nominal senders of phishing emails include the Internal Revenue Service, the FBI, many banks, the government of Nigeria, and many social networks.  These of course are all hoaxes.  In fact users of social networks seem to be at greater risk from phishing than non-users.

It is not uncommon to get a phishing email along the lines of “Contact this office of the IRS about an unclaimed tax refund….”  Anyone who clicks on the site is at risk of losing at least their email address, and possibly worse if they supply data such as social security numbers or bank accounts.

There is an organization called the Anti-Phishing Working Group that includes both industry and law enforcement organizations.  What we lack, though, is an effective way of tracking backwards to the phishing site or exposing the site to law enforcement personnel without putting the nominal recipients at risk.

A useful feature of email services would be a “Suspected Phishing” command that would alert enforcement personnel and possibly track the message back to its origin point, and do so without putting the target at additional risk.

Rootkits

The UNIX operating system used the word “root” to describe a privileged account that could make changes to the kernel. Linux uses the same concept.  The word “kit” implies a collection of tools.  When put together a “rootkit” is a collection of stealth tools that can invade and change operating systems and software packages, ideally (from the attacker’s point of view) without detection by anti-virus packages.

Rootkits are complex and difficult to eradicate.  They attempt to acquire administrative rights to change operating systems, and if successful then burrow into the operating system and take control of its component parts.

Rootkits also have the ability to subvert tools such as anti-virus software that attempt to find and root out viruses and other kinds of malware.

The Sony BMG copy protection scheme from 2005 is described elsewhere in this book; it secretly installed a rootkit from 52 music CDs.  When the CDs were played on a computer the rootkit installed secret copy protection software which limited access and prevented the CDs from being copied.  But the rootkit also slowed performance and introduced security vulnerabilities into infected computers.

Another rootkit was used in 2004 in Greece to wiretap more than 100 mobile phones on the Vodafone network there.  Alarmingly, most of the taps were on phones used by senior government officials.  The taps were removed in 2005 but the identity of the perpetrators was not discovered.

This rootkit was novel in being apparently the first attempt to subvert an embedded device rather than a normal commercial operating system.  The infected system was an Ericsson AXE telephone switching system.

Rootkits are serious threats because if secretly installed then the operators of the rootkit can open doors to many other kinds of malware.

Preventing rootkits from attacking, identifying them when they have attacked, and removing them from a computer are among the toughest kinds of computer and software protection in the modern world.  Rootkit elimination is too vast a topic for this book, but it is a topic of increasing importance because rootkits can be used in cyber warfare and can possibly subvert military computers as well as civilian computers.

Skimming

The presence of thousands of automated teller machines (ATMs) in public places has created a massive new kind of crime called “skimming.”  Thieves are able to use either small hidden cameras or Bluetooth-enabled magnetic stripe readers to capture the passwords, PINs, and other information from debit and credit cards.

There are also commercially available hand-held card readers including new models that plug into smart phones.  Any of these could be used by unscrupulous retail clerks, waiters, or even gas station attendants to copy debit and credit card information.

According to an FBI report magnetic credit card skimmers had been secretly installed in a number of gasoline pumps in the Denver area.  Given the number and distribution of such devices, this was probably the work of an organized group of cyber criminals and not the work of individual gas station employees.

Skimming and other kinds of unauthorized and illegal access to financial records are now a serious threat to global banking systems.  This book only identifies such threats but is not large enough to discuss them in detail.

Readers are urged to use web searches to find out more.  A very instructive summary can be found on the FBI web site.  This is the Congressional Testimony of Gordon Snow, the Assistant Director of the FBI Cyber Division.  At the time of this testimony on September 11, 2011 the FBI was investigating more than 400 cyber attacks on financial institutions.  These cases had total financial costs of about $255,000,000.

The problem that both consumers and businesses face in the modern era is that financial data is comparatively easy to steal and far safer for criminals than many other kinds of crime.  Worse, computerized financial crimes attract a criminal element that is obviously fairly intelligent and also highly computer literate.  Making such criminals hard to catch is the fact that they carry out their crimes inside their own homes or offices and not in public places.

It is unlikely that such crimes can be fully suppressed so long as identities use only alphanumeric information.  Some forms of highly personal information such as facial recognition, retina patterns, fingerprints, or other unique attributes will probably be needed in the future.  This will no doubt be opposed as a loss of civil liberties.  However citizens and companies need to balance the use of personal physical identity information against potential financial losses from cyber crimes.

Although “smart credit cards” with on-board chips that contain proprietary information are not yet used widely in the United States, they are starting to be used in Europe and abroad.  It is fairly easy to extract information from these smart credit cards from a distance of five feet or more.  This has led to creation of stainless steel or metallic wallets that screen smart cards from remote detection.

It is an unfortunate fact of modern life that computer and software technology is advancing so fast that unintended consequences of some new inventions are not discovered until criminals figure out how to use them to steal or make money.

Spam

It is unfortunate that the name of a commercial meat product has come to be used for an annoying kind of disinformation that can be rapidly distributed by email and instant messaging.  In a computer context the word “spam” refers to ads, emails, and pop-up screens that are sent to millions of computer users on a daily basis.

Ordinary spam ads are legal in the United States under the CAN-SPAM Act of 2003 and are probably protected as a form of free speech under the constitution.  Spam that contains viruses or can cause harm to computers or consumers is not legal.  The European Union, on the other hand, does have explicit laws against spam, although that is not the same as stopping it.

In every country spam usually violates the terms of service of Internet Service Providers (ISPs) and can be blocked or deleted if detected.  ISP owners can also attempt to collect damages from spam originators by lawsuits, although these are not easy cases to pursue.  The damages are based on misappropriation of bandwidth and server resources, which have financial costs that can be quantified in court.

The fact that sending spam is now the largest user of internet resources has spawned two growing sub-industries.  The first industry is that of the spam creators who sell their services to clients who want to issue bulk ads.  The second and smaller sub-industry consists of the companies that design and market anti-spam tools for blocking spam from emails and instant message sources.  The first industry of spam creation seems to be more profitable than the second industry of spam avoidance.

The actual technology of spam is complex and diverse, and outside the scope of this book.  There are more than a dozen variations in creating and sending spam messages.

According to Wikipedia the first known spam broadcast was an ad for Digital Equipment (DEC) computers sent to 600 ARPANET users in 1978.   In today’s world Microsoft’s security unit reports that spam comprises about 97% of current email traffic.

A remark by Steve Ballmer of Microsoft reported that Bill Gates, the Microsoft founder, is sent about 4,000,000 emails per year, with the vast majority being spam.

Since spam apparently originated in the United States it is interesting that the U.S. remains the number 1 country for spam origination.  The European Union is number 2 and China is number 3.

In today’s world email without effective spam blocking is almost unusable.  A trial by the author noted that when using older email servers that lack effective spam blocking about 200 spam messages arrive per day.  With modern email services such as Gmail which include spam blocking, only one or two spam messages seem to slip through.

Spam is no longer restricted to computers but is also present on tablets and smartphones.  In fact “robo calling” or using software to make recorded calls to targeted lists of phone numbers is a very annoying form of spam for land lines.

There is a technological race between spam originators and spam defenders.  It is the author’s personal hope that spam defenses eventually become sophisticated enough to make spam disappear as a commercial undertaking.  The spam filtering approaches used on modern email services are fairly effective, but spam remains a major waste of human and computer resources.
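To show what a statistical spam filter of the kind mentioned above actually does, here is a minimal naive Bayes classifier.  It is an added example, not the book’s own code and not the filter of any particular mail service; the training messages are constructed and deliberately tiny, so the probabilities it produces only illustrate the mechanism.  Each word is treated as present or absent in a message, counts are smoothed so an unseen word cannot zero out the score, and the two running log-probabilities are turned back into a spam probability at the end.

```python
"""Minimal naive Bayes spam filter.  Added example, not the book's own code
and not any mail service's real filter.  Training data is constructed."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokens(text: str):
    """Set of lower-cased word tokens: presence matters, repetition does not."""
    return set(TOKEN_RE.findall(text.lower()))


class SpamFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # how many spam messages contain each token
        self.ham_tokens = Counter()    # how many legitimate messages contain it

    def train(self, text: str, is_spam: bool):
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def spam_probability(self, text: str) -> float:
        """P(spam | words), treating words as independent (the 'naive' part)."""
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        vocab = set(self.spam_tokens) | set(self.ham_tokens)
        for tok in tokens(text):
            if tok not in vocab:
                continue  # a word never seen in training carries no evidence
            # Laplace smoothing: (count + 1) / (docs + 2) keeps every factor non-zero
            log_spam += math.log((self.spam_tokens[tok] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tokens[tok] + 1) / (self.ham_docs + 2))
        # log-odds back to a probability between 0 and 1
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) > threshold


def trained_filter() -> SpamFilter:
    """Build a filter from a tiny constructed corpus."""
    f = SpamFilter()
    for msg in ["Claim your unclaimed tax refund now",
                "Cheap meds, click here to order",
                "You have won $1,000,000 click to claim",
                "Limited offer: cheap loans, click now"]:
        f.train(msg, True)
    for msg in ["Meeting moved to 3pm, see agenda attached",
                "Can you review the draft chapter tonight",
                "Lunch tomorrow? the usual place",
                "The build is failing on the test server"]:
        f.train(msg, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ["click here to claim your refund",
                "agenda for the review meeting tomorrow"]:
        print(f"{f.spam_probability(msg):.2f}  {msg}")
```

Real deployments train on millions of messages and add many other signals (sender reputation, link targets, attachment types), which is why the race the author describes is never quite over: spammers probe for wording the classifier has not yet seen.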

Trojans

The word “Trojan” harks back to the Trojan horse described in Homer’s Iliad.  The original Trojan horse was a giant statue of a horse given as a gift to the Trojans.  Inside, a number of Greek soldiers were concealed.  At night, after the horse had been moved into the city of Troy, the hidden soldiers emerged and opened the city gates to the Greek army.

In today’s computer era the word “Trojan” means an attractive offering that conceals a hidden virus or some other nasty payload.  A recent important Trojan virus called DNS Changer has been front page news in several papers, so it is worth considering.

In November of 2011 the FBI identified a ring of cyber criminals who had released a virus known as the DNS Changer.  This virus infected about 4,000,000 computers globally.  Its purpose was to divert clicks on web sites to other web sites controlled by the cyber criminals.  Apparently the criminals were charging fees for advertising and made about $14,000,000 until stopped.

In the U.S. about half a million computers were infected.  This virus had some unpleasant attributes besides browser hijacking.  It also attacked anti-virus software and kept it from being updated with virus definitions and tools to stop the DNS Changer!

What happened after the arrests shows how significant some viruses can be.  After the FBI seized the host computers that had issued the DNS Changer Trojan, they could not just shut them down because all of the infected computers would probably have stopped working.  The FBI did replace the rogue addresses with authentic addresses.

The FBI then got a court order that allowed them to keep the host computers running until July 9, 2012.  The reason was to allow time for anti-virus companies and the government to provide tools and methods for safely removing the DNS Changer without doing serious harm to half a million computers.  If the host DNS computers were merely stopped, then the infected computers would no longer be able to access the internet.

Tools were made available to check for infections in home and corporate computers, and then other tools were available to remove the Trojan.  The author of this book used the DNS analysis tool on all computers used by his family, and fortunately none were infected.  The URL of the inspection site was http://www.dns.ok.us.  This site returned a green image for clean computers and a red image for infected computers.  Users of infected computers were then routed to several repair tools.
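The check the inspection site performed amounts to asking whether a computer’s DNS resolvers have been pointed at the criminals’ servers.  The Python below is an added example of that local check, modelled on the clean-up described above; it is not the book’s, the FBI’s, or the inspection site’s own code.  The “rogue” networks it uses are placeholder documentation prefixes, not the real DNS Changer addresses, and the resolver configuration text is constructed.  It reads resolv.conf-style `nameserver` lines, so it generalizes to any list of resolver ranges one wants to screen for.

```python
"""Screen a host's configured DNS resolvers against known rogue networks.
Added example after the DNS Changer clean-up story; not the book's own code.
Rogue ranges are PLACEHOLDERS (IETF documentation prefixes), not the real
DNS Changer addresses; the sample configuration is constructed."""
import ipaddress
import re

# ASSUMPTION: placeholder networks standing in for a published list of
# malicious resolver ranges.  Load the real list for the campaign you care about.
ROGUE_RESOLVER_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_resolvers(resolv_conf: str):
    """Extract resolver addresses from resolv.conf-style text; skip comments and junk."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed entry, not an address
    return servers


def rogue_resolvers(resolv_conf: str, rogue_nets=ROGUE_RESOLVER_NETWORKS):
    """Return the configured resolvers that fall inside a known rogue network."""
    return [str(ip) for ip in parse_resolvers(resolv_conf)
            if any(ip in net for net in rogue_nets)]


def verdict(resolv_conf: str) -> str:
    """'red' if any resolver is rogue, else 'green', mirroring the site's two images."""
    return "red" if rogue_resolvers(resolv_conf) else "green"


# Constructed sample: one resolver inside the placeholder rogue range.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
search home.example
nameserver 192.0.2.53      # inside placeholder rogue range
nameserver 10.0.0.1
nameserver not-an-address
"""

if __name__ == "__main__":
    print(verdict(SAMPLE_RESOLV_CONF), rogue_resolvers(SAMPLE_RESOLV_CONF))
```

On a real machine the resolver list would be read from the operating system (the file /etc/resolv.conf on most UNIX-like systems, or the adapter settings on Windows) rather than from an embedded string; the comparison logic is the same.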

A study of the DNS Changer Trojan on the web stated that about 12% of Fortune 500 companies and 4% of U.S. government computers were infected.  No doubt an even higher percentage of private computers were infected.

The DNS Changer story is a cautionary tale that we should all take seriously.  In the modern world criminals have the technical ability to attack and seize even computers that have some protections such as firewalls and anti-virus packages.  The fact that a few clever cyber criminals could infect 4,000,000 computers with a Trojan is not a good sign for the future when hostile national governments attempt something similar or worse.

Viruses

A natural virus is a small organism that has the ability to enter cells and divert their RNA into making new copies of the invading virus.  A computer virus is a piece of software that has the ability to invade computers and divert part of their functionality into making and distributing new copies of the virus.

Viruses are harmful for the same reason that cancer is harmful:  it metastasizes, infects, and eventually shuts down host organisms.  Computer viruses can do the same thing to operating systems and other kinds of software.  The critical feature of a computer virus is that it can replicate itself and make other copies which can then spread to other computers.

It is interesting that the concept of a computer virus showed up in science fiction before real computer viruses were developed.  A story by David Gerrold in Galaxy Magazine in 1969 used the term virus in its modern sense.  But there were no computer viruses in 1969.

A few years later, in 1972, a paper on self-replicating software packages was published by an author named Veith Risak, who built a working virus in assembly language that ran on a Siemens 4004 computer system.

The term “virus” applied to a self-replicating piece of computer software was first used in a technical paper in 1984 by Fred Cohen of the University of Southern California.  But apparently the term was coined by a colleague, Leonard Adleman.  Neither seemed to know about the Gerrold science fiction story.

One of the first known computer viruses was created in the 1970’s on ARPANET.  This was called “the creeper” and it infected computers and displayed a message that said, “I’m the creeper.  Catch me if you can.”

As of the modern era there are thousands of individual viruses and many classes and types of virus.  This book is not the place to discuss viruses in detail, but rather to caution readers that they need to take viral attacks seriously and be sure that their anti-virus packages are kept up to date.

There is a serious technological battle ongoing between virus creators and virus destroyers.  Usually the virus destroyers are able to win, but the more insidious kinds of viruses such as polymorphic viruses and metamorphic viruses are challenging to detect and eliminate.

It is technically possible to build virus-resistant computers, but doing so requires abandoning the Von Neumann architecture.  Virus-resistant software may also be possible, and here too there may be a need for fundamental changes in permissions and access rights.

Worms

Computer “worms” differ from computer viruses in one important manner.  Viruses spread by being attached to other kinds of software such as emails.  Worms are free-standing packages that can travel and reproduce by themselves without requiring help from other kinds of software.

The actual term “worm” seems to derive from a 1975 science fiction novel called Shockwave Rider by John Brunner.  In that book a self-replicating piece of software is let loose on a global network, and it is called a worm by the main character.

The first worm to attract national attention was the famous Morris worm, released in 1988 by Robert Morris.  Although it did not have a payload and did not intentionally cause damage, apparently it infected and slowed about 10% of all computers attached to the internet.  Morris was the first person tried and convicted under the Computer Fraud and Abuse Act of 1986.

Worms use the internet as their main mode of transit from one computer to another.  Some worms were created merely to prove the concept and see how far they could travel.  Even though no harm might have been intended, successful worms devour bandwidth and slow down networks.  The Morris and MyDoom worms were examples of traveling worms without payloads.

More malicious kinds of worms include “payloads” that are designed to cause harm to computers, software, and networks.  Some of these can introduce back doors into software that allow other kinds of malware to have access.  Others can be used to create “zombie” computers that can take part in botnet denial of service attacks.  Yet another payload encrypts computer files, with the idea that the file owners have to pay a fee to get their files back.

Not all worms were designed to do harm.  A few were intended to be beneficial.  One class of worm was designed to update Microsoft operating systems in a benign and invisible way without user intervention.  However the results were not satisfactory since the changes were made without the owners’ permission or consent.  Since some of the changes required restarts of the computer at possibly awkward moments this was more of an annoyance than a convenience.

The Odds of Cyber Attacks, Cyber Intrusions, and Data Theft

From reviewing a number of web reports on various kinds of cyber crime and data theft, it is interesting to speculate on the probability of these events impacting readers of this book over the next five years.  These results are speculative but are based on extrapolation from recent cyber attacks.

Table 1:  Approximate Odds of Cyber Intrusions

       Form of Cyber Intrusion                              Odds
   1   Receiving unwanted spam                              100%
   2   Receiving unwanted “robo calls”                       95%
   3   Having your email address harvested                   90%
   4   Receiving “phishing” emails                           75%
   5   Viruses attempting to penetrate your computer         60%
   6   Experiencing browser hijacking                        35%
   7   Receiving “spear phishing” emails                     25%
   8   Need to cancel stolen credit/debit cards              20%
   9   Having your social security number stolen             18%
  10   Experiencing personal identity theft                  15%
  11   Experiencing slowdowns from denial of service         12%
  12   Having credit card numbers used by thieves            10%
  13   Having rootkits invade your equipment                 10%
  14   Having your municipal tax data stolen                  9%
  15   Losing data from unsecured networks                    8%
  16   Viruses succeeding in penetrating your computer        7%
  17   Having your local voting machines hacked               6%
  18   Skimming of your credit or debit card                  5%
  19   Having your medical records stolen                     3%
  20   Having your Federal tax data stolen                    2%

       Average                                               30%

The alarmingly high odds of having personal experiences with cyber crime or cyber intrusions explain the rapid growth of two new sub-industries:  1) Insurance companies that protect against cyber crime; 2) Professional service companies and non-profits that assist victims in recovery from cyber crime such as identity theft.

Computers and software have brought many benefits to the modern world.  But they have also brought new kinds of crime and new threats to individuals, corporations, governments, and military organizations.
