
Cyberterrorism

Tim Shimeall, Ph.D.

CERT Centers, Software Engineering Institute


Carnegie Mellon University
Pittsburgh, PA 15213-3890

SEI is sponsored by the U.S. Department of Defense


© 2002 by Carnegie Mellon University

CoC - page 1
Overview
Introduction

Definitions

Examples

Observations

Summary



A Different Internet
Armies may cease to march

Stock may lose a hundred points

Businesses may be bankrupted

Individuals may lose their social identity

Threats not from novice teenagers, but purposeful military, political, and criminal organizations



Cyber Threats
Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
• Administrative access obtained
• Event logging selectively disabled
• System software modified to suit intruder
• Attack software installed
• PC actively probing for new hosts to intrude

Clear the disk and try again!

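The timeline on this slide can be recovered from logs after the fact, provided something kept logging once the intruder turned off the host's own. The script below is an added example, not part of the original slides and not a CERT/CC tool: it replays a constructed syslog-style record from the exposed PC (named pc1, address 192.0.2.10) and a border firewall (fw1), both hypothetical, and reports how long after the host came online each stage from the slide was first observed. The year, the addresses, the host names, the scan threshold and the stage definitions are all assumptions of this example.

```python
"""Reconstruct the compromise timeline from host and border-firewall logs.

Added example: the log lines, host names (pc1, fw1), addresses (192.0.2.10
and the other documentation-range addresses) and stage definitions are
constructed for this illustration; none of it is CERT/CC data or tooling.
"""
import re
from datetime import datetime

YEAR = 2000             # classic syslog timestamps carry no year (assumed)
HOST_IP = "192.0.2.10"  # the exposed PC (assumed, documentation range)
SCAN_THRESHOLD = 3      # distinct targets on one port before calling it a scan (assumed)

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\S+ .*DPT=(\d+)")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for \S+ from \S+")
ROOT_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for root from \S+")
LOGSTOP_RE = re.compile(r"syslogd: exiting on signal")

# Constructed sample. The host (pc1) logs locally until the intruder kills
# syslogd; everything after that is visible only on the border firewall (fw1),
# which is why an off-host vantage point matters.
SAMPLE_LOG = """\
Jun 24 10:00:00 pc1 kernel: eth0: link up, 100Mbps full duplex
Jun 24 10:00:30 pc1 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jun 24 10:00:31 pc1 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=111 SYN
Jun 24 11:00:05 pc1 sshd[812]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun 24 11:00:09 pc1 sshd[812]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun 24 21:30:44 pc1 sshd[901]: Accepted password for root from 198.51.100.7 port 51040 ssh2
Jun 24 21:31:10 pc1 syslogd: exiting on signal 15
Jun 24 21:40:01 fw1 kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=33001 DPT=111 SYN
Jun 24 21:40:01 fw1 kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.21 PROTO=TCP SPT=33002 DPT=111 SYN
Jun 24 21:40:02 fw1 kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.22 PROTO=TCP SPT=33003 DPT=111 SYN
"""

STAGES = ("first_probe", "first_attempt", "admin_access",
          "logging_disabled", "outbound_scan")


def parse(line):
    """Return (timestamp, message) for a syslog line, or None if unparseable."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def reconstruct_timeline(log_text, host_ip=HOST_IP):
    """Map each stage on the slide to seconds after the host came online.

    'Online' is the timestamp of the first parseable line. Stages the logs
    cannot show (modified system software, installed attack tools) are
    deliberately absent: they need disk forensics, not log review.
    """
    events = [e for e in map(parse, log_text.splitlines()) if e]
    if not events:
        return {}
    online = events[0][0]
    stages = dict.fromkeys(STAGES)
    outbound = {}  # destination port -> distinct targets scanned from host_ip

    def mark(stage, ts):
        if stages[stage] is None:  # keep the earliest sighting
            stages[stage] = int((ts - online).total_seconds())

    for ts, msg in events:
        fw = FW_RE.search(msg)
        if fw:
            src, dst, dport = fw.groups()
            if dst == host_ip and src != host_ip:
                mark("first_probe", ts)
            elif src == host_ip:
                targets = outbound.setdefault(dport, set())
                targets.add(dst)
                if len(targets) >= SCAN_THRESHOLD:
                    mark("outbound_scan", ts)
        elif FAIL_RE.search(msg):
            mark("first_attempt", ts)
        elif ROOT_RE.search(msg):
            mark("admin_access", ts)
        elif LOGSTOP_RE.search(msg):
            mark("logging_disabled", ts)
    return stages


def fully_compromised(stages):
    """The slide's end state: root obtained, logging cut, host now scanning."""
    return all(stages.get(k) is not None
               for k in ("admin_access", "logging_disabled", "outbound_scan"))


def fmt_elapsed(secs):
    """Render seconds since online as '+Hh MMm SSs', or 'not seen'."""
    if secs is None:
        return "not seen"
    h, rem = divmod(secs, 3600)
    m, s = divmod(rem, 60)
    return f"+{h}h {m:02d}m {s:02d}s"


if __name__ == "__main__":
    result = reconstruct_timeline(SAMPLE_LOG)
    for stage in STAGES:
        print(f"{stage:17s} {fmt_elapsed(result[stage])}")
    print("fully compromised:", fully_compromised(result))
```

The sample models a crude intruder who kills syslogd outright, so the later outbound scanning is visible only from fw1. An intruder who edits syslog.conf or truncates individual files instead leaves no "exiting" line; the check then becomes a gap in a source that is normally chatty, which is still easiest to spot from an off-host copy of the logs.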


Attack Sophistication vs. Intruder Technical Knowledge

[Chart: attack sophistication (vertical axis, low to high) plotted against time, 1980 to 2000, with the technical knowledge required of intruders falling over the same period. Techniques placed along the timeline, roughly in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, network management diagnostics, www attacks, denial of service, distributed attack tools, "stealth"/advanced scanning techniques, staged attacks, auto-coordinated attacks, cross-site scripting.]


Vulnerability Exploit Cycle

[Diagram: a cycle with the following stages]
1. Advanced intruders discover new vulnerability
2. Crude exploit tools distributed
3. Novice intruders use crude exploit tools
4. Automated scanning/exploit tools developed
5. Widespread use of automated scanning/exploit tools
6. Intruders begin using new types of exploits (cycle repeats)


Definitions
Cyberterror: The deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.

Cyber-utilization: The use of on-line networks or data by terrorist organizations for supportive purposes.

Cybercrime: The deliberate misuse of digital data or information flows.



Sophistication of Cybercrime
Simple Unstructured: Individuals or groups working with
little structure, forethought or preparation

Advanced Structured: Groups working with some structure, but little forethought or preparation

Complex Coordinated: Groups working with advance preparation with specific targets and objectives.



Example: Zapatista Cyberstrike
Mid-1990s rebellion in Mexico

Military situation strongly favored Mexican Army

Agents of influence circulated rumors of Peso instability

Peso crash forced government to negotiating table

Compounded by intrusions into Mexican logistics



Example: Signed Defacement
Defaced Health-care web site in India

"This site has been hacked by ISI ( Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat

Post-dates activity by Pakistani Hackers Club

Linked to G-Force Pakistan

Part of larger pattern of influenced hacker activity (3Q99 - 4Q01)
• Differing expertise
• Multiple actors/teams
• Transnational collaborations



Pakistani/Indian Defacements

[Chart: Pakistani/Indian defacements per month, 10/99 through 4/01, split by style (well written vs. juvenile) and by whether the defacement mentions terrorist organizations.]



Cyber Trends
• CERT/CC Year 2000 - 21,756 Incidents
  • 16,129 Probes/Scans
  • 2,912 Information Requests
  • 261 Hoaxes, false alarms, vul reports, unknown
  • 2,454 Incidents with substantive impact on target

• Profiled 851 incidents, all active during July-Oct 2000 (plus some preliminary June data, profiling work is ongoing)

• Many different dimensions for analysis and trend generation (analysis work is ongoing)



Immediate Data Observations
Seasonal trend of incidents per month (some incidents carry over between months)

Varying diversity of ports used in incidents

Shifts in services used in incidents

Shifts in operating systems involved in incidents

Generic attack tools adapted to specific targets

[Charts: "Incidents Active" per month (0 to 600) and "Ports in Incidents" per month (0 to 100), June 2000 through February 2001.]



Weekly Incidents by Target

[Chart: weekly incident counts (0 to 100), 6/24/00 through 2/17/01, broken down by target sector: com, gov, edu, intl, user, isp, org, fin, k12, misc, other.]



Weekly Incidents by OS

[Chart: weekly incident counts (0 to 100), 6/24/00 through 2/17/01, broken down by operating system category as labelled on the slide: IR, LX, NT, UN, SO, MO, misc, Other, unknown.]
Weekly Incidents by Impact

[Chart: weekly incident counts (0 to 100), 6/24/00 through 2/17/01, broken down by impact category: Distort, Disrupt, Destruct, Deception, disclosure, Unknown.]
Socio-Political Activity

[Chart: incident activity on a 0 to 100 scale with a best-fit line, annotated with socio-political events of the period in chart order: Campaign, Conventions, Debates, Election, Controversy, Holidays, Inauguration.]



Summary
Majority of on-line threat is cybercrime

Cyberterror is still emerging


• Evolving threat
• Integrating critical missions with general Internet
• Increasing damage/speed of attacks
• Continued vulnerability of off-the-shelf software

Much confusion of descriptions and definitions

Widely viewed as critical weakness of Western nations

