
Term paper

“Hacktivism & Cyberwarfare”


Ahmed Shahbou
A00762568
Introduction to Computer Crime
FSCT 7220
Rui Pereira
April 7th 2011

1
INDEX

Title page...................................................................................................................................................1
Index..........................................................................................................................................................2
Executive Summary...................................................................................................................................2
Introduction...............................................................................................................................................2
Body...........................................................................................................................................................3
Bibliography..............................................................................................................................................9

HACKTIVISM & CYBERWARFARE

Executive Summary

Cyberwar used to be an elusive, almost futuristic idea, but it has become very real within the
last decade and now sits at the top of national security concerns in several countries. We have seen
attacks on entire countries, on some of the largest corporations and organizations in the world, and on
specific pieces of critical infrastructure. With the mass availability of the Internet and of attack tools,
joining a cyber conflict is within reach of practically anybody who cares to. This allows for bigger
protests than any physical ones so far, since physical protests are limited by geography, by the number
of people available and by the intimidation tactics of those opposing them. Our world has changed
drastically since the widespread adoption of the Internet, and again with the arrival of WikiLeaks and
Anonymous on the scene. This paper discusses the background to these attacks and describes a few of
them.

Introduction

Our physical world is slowly becoming one with its digital counterpart. With technology
progressing at exponential rates, and with generations of children who do not know of a time when
computers and the Internet were not a seamless part of everyone's lives, we are at a point of no return.
What was unimaginable thirty years ago (or less) is now as routine as breathing to many people.
Online banking, dating, social networking, schooling and working are now so common that they have
affected our language, globalization, the way we interact with each other and even the way we see life.
Law enforcement has started to investigate robberies of virtual homes, cyber bullying and other
electronic crimes that are committed from a keyboard but have real, observable effects in our physical
world. Considering the level of integration we face today, the anonymity that comes with the Internet,
and the distances involved (as well as the jurisdictional problems that arise from them), it is not hard to
see why criminals have been turning to the Internet for their dirty work. Law enforcement is usually a
step behind when it comes to high-tech crime, and criminals know this well. Technology is merely a
tool, neither evil nor moral; the people using it have these attributes and can use the tool however they
want. While it enables criminals, it has also aided police forces in finding and investigating people.

These cyber criminals are not necessarily "hackers" any more. Much of their activity is
facilitated by coders who develop exploit scripts for them and make them publicly available. The term
hacker originally meant a coder, somebody talented with computers (when they were not as easily usable
by the general populace), or simply somebody 'hacking' away at a keyboard all day. Once the hacker
phenomenon got media attention, hackers were demonized and the term became infamous.
Self-proclaimed hackers who upheld a strong code of honour, or "hacker ethic", began coining new
terms to differentiate themselves from the cyber pirates the media made them out to be: white-hat and
black-hat hackers, hackers versus crackers, and so on. Both groups shared some ideological values, such
as freedom of information, but differed in their methods of achieving that goal. Just as wars have
brought about new inventions and improvements to existing technologies, traditional hackers feel they
contribute in a similar fashion to our digital world.
With machines now capable of storing enormous amounts of data and executing a staggering
number of processing cycles, software developers are free to produce ever larger and fancier
applications for these machines and their users. Software is built upon, and expected to interact with,
other software, often from other companies. The sheer amount of code and interaction is what gives rise
to vulnerabilities. A vulnerability is a weakness in the design or implementation of code that allows a
malicious (or merely curious) individual to make the application produce unexpected or unintended
results, typically access to information, or to the systems holding it, that the user is not supposed to
have. Taking advantage of such a weakness is called exploiting it, and the noun "exploit" refers to the
code or script, written by a coder, that attacks one specific weakness. Every public exploit is a threat,
and today's administrators are inundated with a constant stream of patches and fixes that attempt to
plug the holes the exploits rely on. Patches are only one form of risk mitigation, alongside firewalls that
block intrusion attempts, intrusion detection systems, intrusion prevention systems, insurance,
employee awareness and training, system hardening (adjusting settings to make systems more secure),
physical site security, backup systems and so on. No computer can ever be totally secure, however. The
more one secures a system, the more (unreasonably) expensive it becomes to do so and the less usable
it becomes. After all, a turned-off computer, encased in cement at the bottom of the ocean, is quite
secure but of no use to anybody.
Security, while very important, is an extremely tough sell, since most people do not concern
themselves with it until a breach has occurred. Its return on investment looks like zero unless one
counts the potential future damage it prevents. Only people with bad experiences, security-minded
professionals, the paranoid and IT administrators who can think like economists (in terms of
opportunity cost) tend to be concerned with it. The Internet itself was built on protocols designed with
reliability in mind and little regard for security. This laissez-faire attitude, prevalent throughout our
combined physical and digital worlds, makes them the perfect playground for criminals.
The types of crime that have become so common on the Internet that most people just shrug them off
now include phishing, spear phishing, DoS and DDoS attacks, spam, scams, vishing, many kinds of
hijacking, trojans, viruses, worms, spyware, adware, bots and botnets, password cracking and
unauthorized access, identity theft, money laundering, social engineering, and a plethora of other
attacks. These attacks may be initiated out of boredom, a desire for kudos in the underground
community, financial gain, curiosity or political motivation (the last being known as hacktivism).
Spam is simply unsolicited junk email, which can advertise legitimate products or be combined
with many kinds of scam or scheme. Phishing is a type of spam that attempts to fool you into submitting
personal information (such as passwords, identity details or financial records) to a fake copy of the
website you believe you are submitting it to. Spear phishing is a more targeted version in which the
messages are tailored to specific recipients using whatever the attacker knows about them (for example,
writing in Spanish because the target's family name suggests their nationality), which makes them far
more convincing. Since phone services have moved to voice over IP rather than the classic POTS
system (plain old telephone service, the telephone network as we originally knew it), the same concept
applied over the telephone was coined vishing. Hijacking comes in many forms: bluejacking for
Bluetooth, blackjacking for BlackBerry devices, sidejacking for sessions (stealing the session cookie of
a logged-in webmail user, such as on Hotmail), browser hijacking (URL redirects) and many others.
Spyware is software that collects information about an individual and their habits, usually for
marketing purposes. Adware causes pop-up advertisements (for legitimate and scam products alike).
Trojans allow remote access to a machine by masquerading as a useful application while carrying out a
hidden task in the background without the user's knowledge. Viruses are malicious code that attaches
to other programs or files and spreads when those are run or copied. A logic bomb is malicious code
that lies dormant until a trigger condition is met, most commonly a specific date. A worm differs from a
virus in that it propagates itself across networks without needing a host program or any user action.
Money laundering involves moving money obtained through criminal activity through several systems
so as to obfuscate its origin or make it usable in the real world; these days this is often done using gift
cards and prepaid credit cards. Identity theft is one of the biggest ones these days and can
take many forms. One can buy full or partial identities on the 'darknet' (which in our whole computer
crime degree I have yet to actually see...(?!)), which likely consists mainly of IRC servers where people
of similar interests can come to chat, but unlikely to reside on forums any more as Mark Fenton told us
that they all know that law enforcement is all over the forums. Identities are worth varying amounts of
money depending on the person's nationality, importance, the completeness of the identity information,
their financial wealth and value etc. Identity theft carries very little penalty these days (the maximum
fine is $2000, but one can sell someone's house from under their feet!). Social engineering targets what
is usually the weakest link of the system: the user. By dropping certain information into a conversation,
the attacker manipulates the person into trusting them and inadvertently giving up sensitive or useful
information. A trivial example would be mentioning the Canucks' score to a die-hard fan to put him in a
better mood before asking for something. Kevin Mitnick, possibly the most infamous hacker, wrote a
book called The Art of Deception about social engineering which rocked the banks' world (my mother
at JPMorgan Chase told me that a memo was sent out recommending the book and that it caused big
changes to occur internally at her bank). Bot is a term derived from 'robot', not dissimilar to zombie.
Bots were originally beneficial programs enlisted to make people's stay in IRC chat rooms more
pleasant by providing greetings, services or even games. It was not long, however, before they were put
to malicious use: made to infect people's computers and use their computing power and bandwidth to
connect back to a secret IRC channel (or 'room') from which a bot herder or master could send
commands to each one, causing them to perform operations for him without the victim's knowledge. A
bot herder controlling many such bots (the compromised machines are said to be 'owned') is running a
botnet. Botnets have come a long way and no longer need a single point of failure or a traditional
command and control server. Instead they use encryption and peer-to-peer networking, can spread and
update themselves, and use a domain generation algorithm (DGA) to compute a fresh list of rendezvous
domain names each day, so that the herder can register any one of them ahead of time and a takedown
of today's domain does not sever control. The same determinism cuts both ways: researchers who
reverse engineered the Torpig botnet's DGA in 2009 registered its upcoming domains before the
herders did and held control of the botnet for ten days. Password cracking is the means by which one
attacks a password using brute computing power, a dictionary, or rainbow tables (precomputed tables
that map hashes back to passwords; they work against unsalted hashes and are defeated by a per-user
salt, which is the whole reason salts exist). A brute-force password attack against a web server could
well take it down, just as in the case of a denial of service attack, which is discussed next.
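The domain-generation idea from the botnet discussion above, as an added example that is not code from this paper and not any real botnet's algorithm: a toy DGA that derives the day's rendezvous domains from a secret plus the date, and the defender's counter-move of enumerating and registering the upcoming domains first (the approach behind the Torpig takeover). The secret, the label length and the TLD list are assumptions made for illustration.

```python
"""Toy domain-generation algorithm (DGA) and the sinkhole trick used
against it.

Added example; not code from the paper and not any real botnet's
algorithm. The seed (a secret baked into the bot plus the date), the
label length and the TLD list are assumptions for illustration only.
"""
import hashlib
from datetime import date, timedelta

BOT_SECRET = b"example-bot-family-v1"   # assumed: hard-coded in the bot binary
TLDS = ("com", "net", "biz")            # assumed
DOMAINS_PER_DAY = 5


def dga(day_iso: str, count: int = DOMAINS_PER_DAY) -> list:
    """Return the rendezvous domains every infected host will try on the
    day given as 'YYYY-MM-DD'. Because the list depends only on the
    secret and the date, the herder can register any one of them ahead
    of time, and killing today's domain does not sever control."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(BOT_SECRET + day_iso.encode() + bytes([i])).hexdigest()
        # map the first 12 hex digits onto a-z to get a plausible-looking label
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        tld = TLDS[int(digest[12], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_candidates(start_iso: str, days_ahead: int) -> list:
    """The defender's counter-move once the DGA has been reverse
    engineered: enumerate the domains for the coming days and register
    them first, so the bots rendezvous with a sinkhole instead of the
    herder."""
    start = date.fromisoformat(start_iso)
    out = []
    for d in range(days_ahead):
        out.extend(dga((start + timedelta(days=d)).isoformat()))
    return out


if __name__ == "__main__":
    for domain in dga("2011-04-07"):
        print(domain)
```

The herder only needs one of the day's domains to resolve, so a takedown has to cover all of them; the defender, on the other hand, needs the secret, which is why reverse engineering a bot sample is the prerequisite for this kind of takeover.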
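The password-cracking point above (dictionary lookups against precomputed hashes, and why a salt defeats them), as an added example that is not code from the paper. The word list and the "stolen" records are constructed here; MD5 stands in for whatever weak, unsalted scheme a leaked database used, since the point is the precomputation rather than the hash function.

```python
"""Dictionary lookup against unsalted hashes, and why a per-user salt
forces the attacker to start over for every account.

Added example; not code from the paper. The word list and the 'stolen'
records are constructed here.
"""
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "canucks2011", "hunter2"]  # constructed


def unsalted_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once. A rainbow table is a
    space-optimised form of exactly this table, and like it only works
    when every site hashes the same password to the same value."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stolen_hashes, table) -> dict:
    """One dictionary lookup per stolen hash: the cost is independent of
    how many users leaked, which is what makes breaches of unsalted
    databases so cheap to exploit."""
    return {h: table[h] for h in stolen_hashes if h in table}


def crack_salted(records, words) -> dict:
    """records: user -> (salt, digest). The table above is useless here;
    each user needs a fresh pass over the word list, so the attacker's
    work multiplies by the number of accounts."""
    cracked = {}
    for user, (salt, digest) in records.items():
        for w in words:
            if salted_hash(w, salt) == digest:
                cracked[user] = w
                break
    return cracked


def register(password: str) -> tuple:
    """What the defending site should store: a random salt per user plus
    the salted digest (a slow KDF such as bcrypt would be better still;
    this keeps the example to the standard library)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(crack_unsalted([unsalted_hash("hunter2")], table))
    print(crack_salted({"alice": register("letmein")}, WORDLIST))
```

Note that the salt does nothing to protect a weak password from a dictionary attack against a single account; it removes the economy of scale, so that cracking ten thousand leaked accounts costs ten thousand times the work rather than one table lookup each.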
DoS stands for denial of service, because this attack attempts to make a service or resource
unavailable (usually on a server, since these machines' primary aim is to provide services). It is
basically a flood of traffic that either crashes the service or simply uses up all of its resources. These
floods can consist of many different kinds of packets and are thus known by different names, such as
SYN flood or ping flood. SYN is the TCP flag set in the first packet of a connection; a SYN flood sends
a stream of such packets, often from spoofed source addresses, so that the server allocates state for
half-open connections that never complete until its connection table is full. TCP is simply the protocol
used to carry reliable streams over the network. Ping floods consist of ICMP echo requests, the probe
that network technicians use to check whether a host is up and reachable from the machine they are
typing on; pings are also used to test general Internet connectivity by pinging a site that is likely to be
always up (Google comes to mind). One kind of DoS attack is known as a smurf attack. This is an
asymmetric attack in which the attacker (or script kiddie) sends an ICMP echo request to the directed
broadcast address of a network (the address that reaches every host on that subnet; the link-layer
broadcast FF:FF:FF:FF:FF:FF is a MAC address and is not used here) with a spoofed source IP address
that specifies the victim. Routers that forward directed broadcasts act as an amplifier: every host on that
network replies to the victim, so one packet from the attacker becomes hundreds at the target, which
can be debilitating for the victim's network and the attached hosts. The fix is to stop forwarding directed
broadcasts at the border (no ip directed-broadcast on Cisco routers, the default since IOS 12.0) so that
the network cannot be used as an amplifier. A "nuke" is an old example of a DoS attack from the
Windows 95 days: the Ping of Death sent oversized, malformed ICMP fragments, and WinNuke sent
out-of-band data to TCP port 139, either of which crashed the victim's machine with the Blue Screen of
Death (a Windows fatal error) and required a reboot. Not a strong attack against an individual, but if it
works on a high-profile machine, significant costs can be incurred.
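The SYN flood described above, seen from the defender's side, as an added example that is not code from the paper: half-open connection tracking over constructed packet records (timestamp, source, destination, TCP flags) standing in for what a pcap or firewall state table would give you. A busy but legitimate server completes its handshakes; a flood leaves many pending from many, often spoofed, addresses.

```python
"""Detecting a SYN flood from connection-tracking data.

Added example; not code from the paper. The packet records are
constructed: 'S' is the client's SYN, 'SA' the server's SYN/ACK
(ignored here) and 'A' the client's final ACK.
"""
from collections import defaultdict


def half_open(records) -> dict:
    """Return (src, dst) -> time of every client SYN that was never
    followed by that client's ACK, i.e. the handshakes still sitting in
    the server's backlog."""
    pending = {}
    for t, src, dst, flags in records:
        if flags == "S":
            pending[(src, dst)] = t
        elif flags == "A":
            pending.pop((src, dst), None)
    return pending


def flagged_targets(records, threshold: int = 20) -> dict:
    """Destinations with at least `threshold` half-open connections,
    reported with the count and the number of distinct sources behind
    them (a high source count on a small site is the spoofing tell)."""
    per_dst = defaultdict(list)
    for (src, dst) in half_open(records):
        per_dst[dst].append(src)
    return {
        dst: {"half_open": len(srcs), "sources": len(set(srcs))}
        for dst, srcs in per_dst.items()
        if len(srcs) >= threshold
    }


def build_sample() -> list:
    """Constructed traffic: three complete handshakes to the web server,
    then 50 SYNs from spoofed 198.51.100.x addresses that never finish."""
    server = "203.0.113.10"
    recs = []
    t = 0.0
    for i in range(3):
        client = f"192.0.2.{i + 1}"
        recs += [(t, client, server, "S"),
                 (t + 0.01, server, client, "SA"),
                 (t + 0.02, client, server, "A")]
        t += 1.0
    for i in range(50):
        recs.append((t + i * 0.001, f"198.51.100.{i + 1}", server, "S"))
    return recs


if __name__ == "__main__":
    print(flagged_targets(build_sample()))
```

Detection is only half of it; the standard mitigation is SYN cookies (net.ipv4.tcp_syncookies on Linux), which let the server answer a SYN without keeping any state until the client's ACK proves it is real, so the backlog cannot be exhausted by spoofed sources.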
The distributed version, DDoS, is any DoS attack that originates from many sources
simultaneously. This makes the attack asymmetric, as the volume of traffic received by the victim can
be immense given the number of connections and the bandwidth available to each attacker. This type of
attack is extremely difficult to mitigate (one can try firewalls, IPS, load balancing and so on, and in
practice the defender has to get upstream providers to filter or absorb the traffic before it reaches the
link). Taking the service offline 'stops' the attack only in the sense that the attacker has achieved
exactly what they wanted. A DDoS can be done using a botnet with lots of unsuspecting zombie hosts
attacking the target from all over the world (traditionally the most likely method), a combination of
botnets (a coordinated attack), or, to a much more limited extent, by simulating multiple sources with a
port scanner such as nmap. This application probes any reachable host for a list of predefined ports, to
check whether they are listening for connections. Open ports usually indicate a running service on the
machine (such as port 80 for HTTP, i.e. serving web pages to the public). The numbers are
standardized, but they can be changed manually, either for custom configurations or to gain a little
security through obscurity. When computers running different operating systems are sent a
combination of malformed and legitimate packets, each responds slightly differently and can thus be
identified to a certain extent (OS fingerprinting). One type of scan is the Christmas tree (Xmas) scan,
which sets the FIN, PSH and URG flags in the TCP header at once. This is an invalid packet, since it
makes no sense to combine a flag that ends a connection with flags that only have meaning inside an
established one; an RFC-compliant host answers it with nothing on an open port and a RST on a closed
one. Nmap offers a lot of flexibility in its scan options, one of which is decoy scanning. By adding -D
followed by a comma-separated list of IP addresses (ME marks the position of one's own address in the
list), one makes nmap send each probe several times, with spoofed source addresses as well as from the
real one. This is really meant to conceal the true source of a scan rather than for DDoS purposes: one's
own IP must be included, since one needs to receive the target's responses in order to interpret the
results (for reconnaissance or penetration testing). The victim will reply to every address on the list
(unless it is configured to ignore that type of probe), so decoys multiply the traffic by the number of
decoys, which makes the scan noisier and the logs harder to attribute but hardly amounts to a denial of
service. At the same time, the spoofed IPs could belong to hosts that are offline or to online hosts that
would simply send a RST packet back on receiving an unexpected SYN/ACK, ending the connection
immediately.

The newest form of DDoS (arguably) was observed recently when the loose collective calling
itself "Anonymous" mass-distributed a program called Low Orbit Ion Cannon (LOIC) to anybody who
sympathised with its socio-political causes, for use against major entities. Admittedly the program was
not very sophisticated: it merely made your machine send a continuous stream of HTTP, UDP or TCP
requests at the target, with no decoy-like option, so every participant's real address appeared in the
target's logs. The program was first released in 2006, written in C#, and was intended for voluntarily
joining a botnet of sorts, the equivalent of a virtual sit-in. A decently configured firewall or rate limiter
is able to dampen such an attack by throttling any source that exceeds a sane request rate, and since no
unauthorized use of computers is occurring (all attackers are volunteering) it is drastically different from
the traditional DDoS attack. It has been argued that using the LOIC must be legal, since it is the
equivalent of protesters gathering outside a building and making entry and exit impossible for
employees. Protests, however, are not legal everywhere in the world; there are plenty of countries where
the law in practical terms comes down to an imbalance of power and diverging interests, and one cannot
always count on the law or the international community for protection either. A web version of the
LOIC exists, which means one does not even have to download any potentially illegal program
(anti-virus does pick the desktop version up as malicious). In addition, one could visit the web-LOIC
page through the Babel Fish translation engine. If 'Traditional Chinese to English' is selected, the page
stays in English since it contains no Chinese, but the traffic between you and the translation engine is
encrypted using SSL (the lock in Internet Explorer, the 's' in 'HTTPS', Secure Sockets Layer) and your
history will only show the translator. The same can be done with the anonymizer Tor, which relays your
traffic through a chain of volunteer-run servers with a layer of encryption per hop, so that no single
relay sees both you and the destination; it cannot, of course, encrypt the final hop from the Tor exit relay
to the target (otherwise the destination could not read it), unless you are using another layer of
encryption such as HTTPS that the target supports. Running the LOIC application directly from your
machine would likely produce the most effective results, and one way to conceal it afterwards would be
disk encryption such as TrueCrypt. It should be kept in mind that there are rumours that encryption
software produced in North America must contain a back-door for law enforcement, although the
authors of TrueCrypt claim otherwise. Disregarding that, the ciphers it uses (AES among others) have
no known practical break, and the realistic attacks are against the passphrase, a keylogger on the
machine, or the key sitting in RAM while the volume is mounted. TrueCrypt can also nest a hidden
encrypted volume inside an outer one, designed so that the existence of the inner volume cannot be
proved (the outer one is easily detected), meaning that if tortured (let's hope not), one could give up
only the outer password and the 'decoy' files it protects; the caveat is that the operating system and
applications keep traces of recently opened files that can betray the hidden volume if one is careless. It
can also be set up to require a combination of key files that can reside on an MMC flash card, which
you could crush with your foot while being arrested, after which you could not help them even if you
wanted to. Besides, in the context of a national crisis such as a revolution (as in Egypt recently), the
government and law enforcement do not have the time, ability or means to track down citizens (or
non-citizens!) who use the LOIC against their web servers. This is especially true for anything requiring
extra-jurisdictional reach, although it is possible that the attacker's Internet provider (in whatever
country they reside) will detect the attempted attack and disconnect service or send a warning;
realistically, unless several attackers use the same ISP, the network is going to remain relatively
unaffected (no more than by downloading a large file from a peer-to-peer network). Soon after the
LOIC came the HOIC, which added evasion techniques against firewalls that attempt to block the
DDoS traffic and multi-threading of the HTTP requests for greater efficiency. These tools enabled
wide-scale Internet vigilantism, as the people using them needed no technical knowledge at all (as
simple as entering the website URL and 'chargin ur lazorz').
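The "decently configured firewall" point above, as an added example that is not code from the paper and not LOIC's own code: a per-source sliding-window request-rate check of the kind a firewall or reverse proxy applies to dampen an HTTP flood. The access-log lines are constructed in Common Log Format, and the window and limit values are assumptions a real deployment would tune.

```python
"""Per-source request-rate check against a LOIC-style HTTP flood.

Added example; not code from the paper and not LOIC's own code. The
access-log lines are constructed in Common Log Format; window and limit
are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Return (client_ip, timestamp) from a CLF line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT)


def offenders(lines, window_seconds: float = 5.0, limit: int = 30) -> dict:
    """Sliding window per source: a client that issues more than `limit`
    requests within any `window_seconds` span is reported with the peak
    count seen. Nothing about the requests themselves is inspected; a
    LOIC flood is simply far too many of them from one address."""
    recent = defaultdict(deque)
    peak = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop requests older than the window
            q.popleft()
        if len(q) > limit:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def _clf(ip: str, ts: datetime, path: str) -> str:
    return f'{ip} - - [{ts.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample() -> list:
    """Constructed log: one browser fetching a page and two assets, and one
    LOIC participant hammering the front page 40 times within a second."""
    t0 = datetime.strptime("07/Apr/2011:12:00:00 +0000", TIME_FMT)
    lines = [_clf("192.0.2.50", t0 + timedelta(seconds=s), p)
             for s, p in ((0, "/"), (1, "/style.css"), (2, "/logo.png"))]
    lines += [_clf("198.51.100.7", t0 + timedelta(milliseconds=25 * i), "/")
              for i in range(40)]
    return lines


if __name__ == "__main__":
    print(offenders(build_sample()))
```

This works against LOIC precisely because its users do not spoof their addresses, which is also what made participants identifiable from server logs afterwards. Against a large botnet, where each bot sends at a modest rate, the per-source count stays under any reasonable limit and the defender has to fall back on aggregate measures (total request rate, upstream filtering) instead.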
WikiLeaks is a not-for-profit organization led by Julian Assange, who is described as an
Internet activist with a nomadic lifestyle. It was also founded in 2006, under the Sunshine Press
organization, and allowed whistle-blowers to submit confidential or sensitive documents to the website,
which would then publish them for the sake of transparency, especially with regard to politics. Originally
it allowed user comments and edits, but it eventually stopped accepting these and reverted to a more
traditional publishing style. Mr. Assange came under fire from several governments, militaries and
corporations, understandably, since they despised having their dirty laundry aired to the world. They
accused him of being reckless and of total disregard for national security and for the safety of vulnerable
individuals named in the released secret documents. The Free-Brad campaign (the name somewhat
inspired by the Free-Kevin campaign of years ago, when Mitnick was still in jail) started after a US
Army soldier, Bradley Manning, leaked a large trove of documents to WikiLeaks and was arrested in
Iraq last year. Soon thereafter a campaign against Mr. Assange began over allegations of sexual assault
made against him in Sweden, which he insisted were politically motivated (some sexual interaction did
occur, but the details fall outside the scope of this assignment). He was eventually arrested and moved
by top-security vehicles, guarded by all sorts of three-letter organizations, and brought to court in the
UK. The British courts set bail at close to a third of a million dollars and required it to be delivered (in
cash!) within a short time frame. Michael Moore (political activist and documentary producer), along
with several others, came to his aid, but it was of course difficult for anybody to liquidate this kind of
money given the time constraints. Sweden sought his extradition, but the WikiLeaks founder claimed
that he would not get a fair trial there. Visa and MasterCard both stopped processing payments to
WikiLeaks, which infuriated political activists, hackers and anyone else on his side or supporting his
cause. Among them was the collective known as "Anonymous".
Anonymous went on to threaten and then attack both of those card companies by convincing
people from all around the world to join a cyber sit-in with their laser cannons (LOIC). Who knows
whether a few botnets joined in too (quite possible). The attacks succeeded and the companies' public
websites were taken down (their payment networks, which run separately, were not, whatever the losses
claimed). PayPal was also attacked for the same reason (they deserve it really; look at their ToS in
detail), as was the Swiss bank that held Julian's funds (or some of them). These attacks broadly fell
under the name "Operation Payback", which had begun with attacks against major sites belonging to
the entertainment industry, such as the MPAA and RIAA, after an anti-piracy contractor (Aiplex
Software) admitted launching DDoS attacks against the Pirate Bay, a torrent website well known in the
underground community that provides search for files being shared online (often copyrighted material)
and is a key source for many enthusiasts looking for different kinds of software. (Sony's sites came
under attack in a separate operation this month, over its lawsuit against PlayStation 3 hackers.) It also
involved several law firms (ACS:Law), pro-copyright political parties, and organizations such as the US
Copyright Group and the RIAA, which was suing LimeWire for enabling people to copy copyrighted
files and going a step further by suing for damages. No doubt the Operation Payback website got taken
out in response too, but they simply moved their services to another site. That is part of the beauty of
the Internet: unless you are a company that relies on its website being easily findable and always
operational, someone like Anonymous can just keep popping up on the next new website and still easily
reach thousands of people around the globe to coordinate attacks.
Anonymous is fond of the Guy Fawkes mask used in the movie V for Vendetta. Guy Fawkes was
involved in the Gunpowder Plot in Britain, which conspired to overthrow the government. In 1994,
arguably the first public DDoS attack as a form of protest occurred in the UK on Guy Fawkes Day,
because the government was attempting to outlaw outdoor festivals and music with repetitive beats.
This was called the Intervention. "Anonymous" is actually a blanket term for everybody involved in the
effort or who aligns themselves with this particular Internet subculture. The symbol and flag of this
loosely knit community is a headless man wearing a suit, with a question mark in place of a head. This
symbolizes a leaderless movement concerned more with ideals than with political correctness. While
leaderless, anonymous and loosely knit, the group is heavily associated with the image board 4chan.
The number of 'operations' this group has been involved in is so large that one easily loses track.
WikiLeaks founder Assange published research on the history of hacktivism, dating it back to 1989,
but really the world had not seen this volume of DDoS attacks until the last few years, with a lot of it
stemming from "Anonymous". The attack from 1989 was the WANK worm, which penetrated NASA's
machines and changed their login banner to read "You talk of times of peace for all, and then prepare
for war" as a protest against nuclear activities. This is quite benign compared to, say, the recent Stuxnet
code, which was designed to infiltrate specifically the control systems of Iran's uranium enrichment
plant and make the centrifuges malfunction (supposedly it did set the programme back, along with the
assassination of one of their top researchers). That code was salient because it exploited FOUR
zero-day vulnerabilities. A zero-day is a vulnerability that the vendor does not yet know about, so no
patch exists and everybody running that software is exposed until one is released. Once a zero-day is
discovered in the wild, a critical one is usually patched within days, but one that stays undiscovered can
remain usable for months or years, so the fact that Stuxnet burned four of them in a single piece of code
is extremely impressive. Nor had we seen attacks on entire countries like those of this past decade. An
example is the 2007 Estonian cyberwar, in which the country's networks were so debilitated that people
were unable to withdraw cash from ATMs and, if abroad, unable to phone their home bank to find out
why their accounts were inaccessible.
Several countries in the Middle East had operations named after them, such as OpTunisia,
OpEgypt, OpAlgeria, OpLibya and so forth. These are countries that have recently faced uprisings and
civil unrest, with citizens demanding freedom of expression, true democracy including elections that
actually represent the people's votes, freedom of speech, less oppression, human rights, and for their
leaders to step down and stop using the countries as their personal piggy banks. (Check out the video
the Anonymous group published as a warning to the Egyptian government:
http://www.youtube.com/watch?v=yOLc3B2V4AM.) In Egypt's case the NDP website, the Al-Ahram
newspaper and the main gov.eg websites were all targeted. This was mainly due to censorship in Egypt,
the national media producing total propaganda, and especially the government ordering ISPs and
telecoms providers to shut down (power and water were also turned off at times). It also stands against
the idea of protests being illegal (freedom to gather). Notice the similarity between this video and what
The Mentor originally said in the Hacker Manifesto, at the dawn of the age of hackers being demonized
in the media: "We exist without nationality, race or skin colour...", which overlaps with the concept of
Anonymous standing for ideological change in the world, excluding politics or racism. The Egyptian
government did not only order ISPs to shut down their service (all except Noor, since the stock
exchange ran on its connections; the exchange reportedly lost 12 billion the first day it was shut down),
but actually had the BGP routes for the country's address space withdrawn from the border routers, so
that Egyptian networks vanished from the global routing table and the country made Internet history by
"deleting itself off the map" almost entirely. While what the Egyptian government did to its people
during the unrest was frankly disgusting, it is unfortunate that it got the most media coverage (Egypt
being described as the "beating heart of the Arab world") when other Middle Eastern countries saw
uprisings lasting much longer (over a month!) and far more killing and brutality than Egypt did. The
Libyan leader had been in power for 42 years! This is why attacks were launched against them all.
Considering the severity of the issues on the ground, one might dismiss these attacks as ineffective;
however, when speaking to my cousin briefly on the phone during the uprising (while the Internet was
down), his main concern was for Al-Ahram to be silenced, since they were spreading misinformation
and propaganda to Egypt's people and the rest of the world. In fact, this revolution was sparked not just
by the protest in Tunisia but also by the large number of Egyptian youth connected to the Internet and
to each other via social media sites such as Facebook and Twitter (one man named his newborn
"Facebook"). Given that it was a major contributing cause, and given the importance of the media
outlets attacked by Anonymous' gang of cyberwarfare custodians, one can say the Internet played a key
role in this revolution, its outcome (live reports via Twitter to the media meant quicker action), and
possibly the proudest time in modern Egyptian history. I conclude therefore with a statement about the
power of the Internet:
"Who needs nuclear weapons when you have the power of the internet" ~ Leah Wakefield.

Bibliography

FSCT 7220 class notes by Rui Pereira

http://www.counterpunch.org/assange11252006.html
http://wikileaks.ch/
http://anonops.ru/
http://www.youtube.com/watch?v=JCbKv9yiLiQ (Anonymous to Scientology; the Church tried to frame Anonymous by attacking epilepsy boards)
http://www.youtube.com/watch?v=yOLc3B2V4AM
http://www.youtube.com/watch?v=SQKbHBqDwSI (there are too many of these; I'll stop)
http://anonnews.org/
http://www.religiousfreedomwatch.org/intolerance-hate/anonymous/
http://www.ebooks.com/ebooks/book_display.asp?IID=140243
http://records.viu.ca/~soules/media112/hacker.htm
http://www.renesys.com/blog/2011/01/egypt-leaves-the-internet.shtml
http://www.bbc.co.uk/news/technology-12110892
http://www.theregister.co.uk/2010/09/20/4chan_ddos_mpaa_riaa/
http://www.guardian.co.uk/science/the-lay-scientist/2011/feb/20/1
http://www.newsweek.com/2008/02/07/the-passion-of-anonymous.html
