INFORMATION WARFARE
Part 2: Cases

Advanced Course in Engineering
2005 Cyber Security Boot Camp
Air Force Research Laboratory Information Directorate, Rome, NY

M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance
Program Direction, MSIA
Division of Business & Management, Norwich University
Northfield, Vermont
mailto:[email protected]
V: 802.479.7937

Copyright © 2005 M. E. Kabay. All rights reserved. 09:05-11:55


Topics

- 08:00-08:15 Introductions & Overview
- 08:30-09:00 Fundamental Concepts
- 09:05-11:55 Case Histories
- 13:15-15:15 INFOWAR Theory
- 15:30-16:00 Project Assignments


Examples of INFOSEC Breaches and Failures

- Electronic infrastructure growing in importance
- Must expand conception of warfare in the age of ubiquitous computing
- Cases intended to stimulate your imagination
  - Spans last decade of developments to provide wide range of examples
  - Provide ideas for your INFOWAR attack/defense projects


Cases

- Breaches of confidentiality
- Industrial Espionage
- Unauthorized Access (Penetration)
- Unauthorized Modification
  - Data Diddling
  - Sabotage, vandalism
  - Trojan Horses
- Deception
  - Fraud, disinformation
  - Psyops
- Denial of Service (DoS)


Breaches of Confidentiality: GAO vs IRS

- GAO blasts IRS (1997.04)
- IRS “misplaced” 6,400 computer records
- 1,515 cases unauthorized browsing in 1994-5
- Only 23 employees fired for browsing
- Sen. John Glenn introduced bill
  - establish criminal penalties against unauthorized access by employees


Eavesdropping: Gingrich

- 1997.01 -- Newt Gingrich cellular call monitored
  - FL couple using police scanner
  - sent tapes to Democrats
- 1997.04 -- Gingrich wiretappers charged
  - John & Alice Martin
  - federal charges
  - fines up to $10,000
- MORAL
  - don’t talk about sensitive stuff on cell phones without activating encryption


Eavesdropping: Easy

- 1997.02 -- Billy Tauzin (R, LA) demonstrated scanner modifications to Subcommittee
  - modified off-the-shelf scanner in 2 minutes
  - eavesdropped on cell-phone call
- 1997.02 -- French high court examined unauthorized wire-tapping by government anti-terrorism unit


Eavesdropping: AT&T Insider Job

- AT&T WorldNet Sniffer Scandal (1997.05)
- Reports that WorldNet subject to packet sniffing from external site
  - captured user IDs and passwords
  - much fuss and bother
- Hoax
  - discovered misrepresentation
  - packet sniffer was on internal LANs, not on TCP/IP circuits


Eavesdropping: NJ Pagers

- Pager eavesdropping in NJ (1997.08)
- Content sold to news organizations
- Senior New York City officials
  - mayor's office
  - top police and fire department officers
- Authorities used pagers believing them more secure than phones
- Nov: Steven Gessman, Vinnie Martin and Robert Gessman
  - admitted illegal eavesdropping
  - scheduled for sentencing on March 3, 1998


Eavesdropping: White House

- White House pagers (1997.09)
- Hacker posted transcripts of WH pager messages on Net
- Include sensitive information about First Family movements
- Traffic analysis dangerous
  - flurry of messages before President (etc.) move from one site to another
  - problem even if message encrypted


Eavesdropping: Wireless Phone

- Blabbermouth criminals arrested (1998.06)
- Saratoga County, NY woman
  - overheard crooks on wireless phone
  - planned to beat and rob old woman
  - reported to police
- Police arrested three men and charged them with conspiracy
- Woman refused to reveal her identity
  - illegal to intercept wireless communications
  - illegal to communicate content


Man-in-the-Middle: Pager

- Teenager intercepts doctor’s pages (2001.01)
- Inova Fairfax Hospital, VA
- Teenager forwarded physician’s number to his own pager
- Responded to nurses’ requests with fake medical instructions
  - Blood tests
  - Administer oxygen
  - About a dozen orders in all


Potential Connectivity: HealthSouth

- Digital Hospital? (2001.03)
- HealthSouth hospitals to have Internet connections at each bed
- Doctors and nurses can access and update patient records


Data Leakage: Spy Data on TV

- Live broadcasts from spy satellites on TV (2002.06)
- European satellite TV viewers can watch live broadcasts of peacekeeping and anti-terrorist operations
  - US spyplanes over the Balkans
- Broadcast through a Telstar 11 satellite over Brazil
- US spyplane broadcasts not encrypted
- Anyone in Europe with satellite TV receiver can watch surveillance operations
- Satellite feeds connected to the Internet


Industrial Espionage: Davy Intl vs VA Technologie AG

- Dow Jones News Service (1996.06)
- UK Davy Intl
  - Lost lucrative Saudi-Arabian contract
  - alleged industrial espionage
- Sued Voest-Alpine Industrial Services
  - UK branch of Austrian firm VA Technologie AG
- Obtained court order for seizure of evidence
- Received 2,000 pages & disks with info belonging to Davy Intl from VA Technologie


Industrial Espionage: Boehringer Mannheim Corp vs Lifescan

- 1996.06
- US subsidiary of Boehringer Mannheim Corp (pharmaceuticals) vs Johnson & Johnson unit
- Accused Lifescan Inc of encouraging industrial espionage for 18 months
- Supposedly stole prototype blood sugar monitor
- Allegedly presented "Inspector Clouseau" and "Columbo" awards to employees for stealing secret info from BMC
- Lifescan countersued with equivalent accusations
  - BMC had Lifescan Competitive Kill Team
  - Hired private detectives to spy on Lifescan


Industrial Espionage: Intel & AMD

- 1996.06 -- Reuters
- Argentinian national Guillermo Gaede
- Admitted he sent videotapes about Intel chip-manufacturing to AMD
- AMD immediately notified police
- Industrial spy sentenced to 33 months in federal prison


Espionage: CIA vs Europe

- 1996.08 -- Sunday Times, RISKS 18.30
- US CIA allegedly hacking into European Parliament & European Commission computers
- Stealing economic and political secrets
- Supposedly used info in GATT


Industrial Espionage: Interactive Television Technologies

- 1996.08 -- PR Newswire
- 4 yr R&D project for TV interface to Net
- Top secret -- moving to high-security facility
- Before move, thieves stole computers and storage media
- Estimated $250M value
- Looks like industrial espionage
- Reconstructed data from backups
- But patenting prematurely to protect property


Industrial Espionage: Owens Corning & PPG

- PPG & Owens Corning (1996.12)
- Major manufacturers & competitors
- Cleaning contractor stole operational documents at night from PPG
- Offered to Owens Corning for $1,000
- Some years ago PPG had informed OC of similar scam — also resulted in arrests
- Owens Corning notified PPG
- Informed FBI, worked with LEOs to build case
- Perpetrator arrested by FBI


Industrial Espionage: GM Opel vs VW

- 1997.01 — news wires
- GM alleged industrial espionage (Oct 96)
  - former purchasing chief, Jose Ignacio Lopez de Arriortua
  - left GM to join VW in 1993
  - allegedly stole 3 crates confidential documents
- GM claimed stolen documents included highly confidential info
  - future product plans, parts prices & manufacturing techniques
  - unfairly allowed VW to reduce costs
  - caused unspecified financial damage
- Settled out of court (1997.01)


Industrial Espionage: Bristol-Myers-Squibb

- Taiwanese arrested for espionage (1997.06)
- Attempted to bribe Bristol-Myers Squibb scientist
- Wanted production details for Taxol
  - ovarian cancer drug
  - worth $B
- Employee reported to employer; then FBI arranged sting
- Both agents arrested
- Face 35 years and 10 years in jail, respectively


Industrial Espionage: DEC/INTEL

Battle of the Giants: DEC vs Intel

- 1997.05 — DEC sues Intel, claiming theft of chip designs
- 1997.05 — Intel sues DEC, demanding return of proprietary information
- 1997.06 — DEC demands former employee now at Intel remain silent about proprietary DEC information
- 1997.07 — DEC accuses Intel of anti-trust
- 1997.10 — out of court settlement


Industrial Espionage: Law Firm

- Legal firm accused of espionage (1999.11)
- 1st lawsuit involving industrial espionage by lawyers
- Moore Publishing (Wilmington DE) sued Steptoe & Johnson (Washington DC)
  - allegedly breaking into computer systems 750X
  - stolen user-ID & password
- Systematic cyberwar
  - misinformation posted on newsgroups
  - HotMail account traced to defendants
- Damages at least $10M


Industrial Espionage: France vs UK

- French Intelligence Service Targets UK Businesses (2000.01)
- James Clark writing in Sunday Times of London
- Spent $M on satellite technology for listening stations & upgraded SIGINT
- Aimed at British defense firms, petroleum companies and other commercial targets
- Surveillance includes GSM phones
- UK officials warned not to discuss sensitive issues on mobile phones


Industrial Espionage: Oracle vs Microsoft

- Oracle Dumpster®-Dives vs MS (2000.06)
- Bill Gates complained about Dumpster® Diving of trash of organizations supporting MS in antitrust case
- CEO Larry Ellison of Oracle admitted using private detectives to go through trash of
  - Association for Competitive Technology
  - Independent Institute
  - Citizens for a Sound Economy
- Suggested he would happily ship Oracle trash to MS in spirit of full disclosure.


Industrial Espionage: Echelon

- EU Parliament attacks Echelon (2000.07)
- Formed temporary committee to investigate spy network
- Suspicions that Echelon used to intercept conversations of European businesses
- Information might be given to competitors from Echelon operators
  - US, Canada, Australia, New Zealand
- In 2001.05, report recommended more use of encryption to defeat Echelon


Industrial Espionage: Datang vs Lucent et al.

- Chinese nationals arrested (2001.05)
- Two citizens of PRC worked at Lucent
  - Highly respected scientists
  - Worked with a Chinese business partner
- Sent proprietary information to Beijing’s Datang Telecom Technology Co.
  - Pathstar Access Server -- “Crown jewel”
- Arrested by FBI
  - Conspiracy to commit wire fraud
  - Max penalty 5 years in prison & $250K fine
- In 2002.04, charged with additional espionage
  - Theft from Telenetworks, NetPlane Systems, Hughes Software Systems, and Ziatech


Industrial Espionage: Short Notes

2001.07: EMC sues former employees for data theft to help competitor Network Appliance

2002.09: 32-year old Chinese national working for (PRC) China National Petroleum Corp arrested for trying to steal seismic-imaging software from 3DGeo of Mountain View, CA

2003.05: 3 charged in Ericsson spy case in Sweden. Sold secrets to Russian intelligence agent.

2005.01: IBM selling PC business to PRC Lenovo Group for $1.75B – US Ctee on Foreign Investments investigating implications.


Industrial Espionage: Scandal in Israel

- Trojan Horse scandal rocks Israel (2005.06)
- Author Amon Jackont target of attacks
  - Parts of current novel MS posted on Web
  - Attempted theft from bank account
- Police found keystroke logger on Jackont’s computer
- Suspicion fell on stepdaughter’s ex-husband, Michael Haephrati
- Discovered Haephrati apparently installed Trojan programs on big industrial firms’ computers (HP, Ace Hardware…)
  - Confidential info sent to server in London
  - Allegedly selling secrets to other companies
  - Dozens of arrests at highest levels (CEOs)


Industrial Espionage: Interloc vs Amazon

- Lawsuit over intercepted e-mail (1999.11)
- Interloc admitted intercepting & copying 4,000 e-mail messages sent to Amazon.com
- Went through own ISP Valinet
- To gain competitive advantage against Amazon?
- Interloc's business managers denied any wrongful intention
  - failed to explain why they copied e-mail
- Alibris company bought Interloc & paid $250K fine on behalf of their new acquisition
- This is called a failure of due diligence in mergers and acquisitions practice


Penetration: Library Systems

- June 96 — NCSA IS/Recon
- Public and corporate library systems being used to train apprentice criminal hackers
- May also be used by more experienced criminal hackers
- Isolate library network from rest of network


Penetration: San Francisco High Schoolers vs PBX

- July 96 — RISKS 18.26
- High-school students in the San Francisco area
- Broke into local manufacturing firm PBX
- Attacked voice-mail
  - erased information
  - changed passwords
  - created new accounts for own use
  - crashed system through overuse
- Company spent $40,000 on tech support


Penetration: Scotland Yard PBX

- Aug 96 — Reuters
- Scotland Yard's PBX hacked by phone phreaks
- U$1.5M of fraudulent calls
- Used direct inward services access (DISA)
- Moral
  - disable DISA
  - no limit on liability when using DISA
  - use phone service cards instead
  - limit on liability if card stolen or account abused


Penetration: Mitnick

- Sept 96 — AP
- Kevin Mitnick indicted in Los Angeles
- 25 count indictment
  - stealing software
  - damaging computers at University of Southern California
  - using passwords without authorization
  - using stolen cellular phone codes
- Readings about the Mitnick case
  - Goodell, J. (1996). The Cyberthief and the Samurai: The True Story of Kevin Mitnick—and the Man Who Hunted Him Down. Dell (New York). ISBN 0-440-22205-2. xix + 328.
  - Hafner, K. & J. Markoff (1991). Cyberpunk: Outlaws and Hackers on the Computer Frontier. Touchstone Books, Simon & Schuster (New York). ISBN 0-671-77879-X. 368. Index.
  - Littman, J. (1996). The Fugitive Game: Online with Kevin Mitnick—The Inside Story of the Great Cyberchase. Little, Brown and Company (Boston). ISBN 0-316-5258-7. x + 383.
  - Shimomura, T. & J. Markoff (1996). Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw—by the Man Who Did It. Hyperion (New York). ISBN 0-7868-6210-6. xii + 324. Index.


Penetration: Danish Criminal Hackers

- Dec 96 — AP
- 6 criminal hackers from Denmark
- Attacked Pentagon & business computers
- Sentenced to minor jail terms
- Ordered to pay fines, perform community service
- One sentenced to 90 days in jail, second to 40 days
- Defense lawyers: criminals had “done the hacking victims a favor by exposing the vulnerability of their computer systems.”


Penetration: Ex-Employees

- 1997.02 -- Computer Sciences Corporation
- Warn that many organizations attacked by ex-employees
- Ex-employees of outsourcing firms a threat
- Cited example of Big Six firm where ex-employee used e-mail and voice-mail for one year after termination
- Recommend use of single-logon system
- Token-based authentication also useful in centralizing control of I&A


Penetration: Croatian Hackers Attack Pentagon

- 1997.02 -- RISKS, Reuters
- Teenagers in Croatia broke into US military systems
- Pentagon asked Croatian police for cooperation
- Arrested kids, searched homes
- Confiscated computer equipment
- Preliminary estimates of losses running in $500K range


Penetration: DISA Report

- 1997.03 — EDUPAGE
- InfoWar Division of Defense Information Systems Agency of US
- Retested 15,000 Pentagon computers
  - had warned system managers of vulnerabilities in previous audit
- 90% of systems were still vulnerable
- Recommended emphasizing response (immediate shutdown) instead of focusing solely on preventing penetrations


Penetration: Cloverdale Two

- Multiple assaults on military & research sites — 1998.01
- Attacks on 11 military computer systems
  - several universities
  - federal laboratories
- “Most organized and systematic [attack] the Pentagon has seen to date. . . .” BUT . . .
- . . . Actually teenaged criminal hackers
- Suburbs north of San Francisco
- Caught with cooperation of ISP — 1998.02
  - provided facilities for FBI monitoring
- Punished by 3-year exclusion from computing by themselves


Penetration: Hungarian ISP

- 1997.03 -- RISKS
- Hungary's main ISP, MATAV
- Assigned 1,200 IDs whose passwords were the billing ID itself
- Published list of these IDs -- as a warning to change the passwords
- USENET postings announced the breach of security


Penetration: Netherlands Hackers vs Pentagon?

- 1997.03 -- EDUPAGE
- Criminal hackers penetrated Pentagon systems during Gulf War
- Claimed that hackers approached Iraqi intelligence with stolen information
- Iraqis said to have rejected info, fearing a disinformation campaign
- Rop Gongrijp of HacTic
  - extremely skeptical of whole story
  - traces what he thinks is an urban myth to an article that never claimed anything about Iraqis at all


Penetration: Datastream Cowboy Fined

- UK teenager cracked military computers (1994; trial 1997.03)
- Richard Pryce attacked US Air Defense System in 1994 (was 16 years old)
- Broke into Griffiss AFB, NY
- Cracked Lockheed network in CA
- Was described as “#1 threat to US security” in Senate Armed Forces Committee hearings
- Fined equivalent of $1,915
- Pryce now working hard on getting to play bass fiddle in a London orchestra


Swedish “Demon Freaker” Fined a Pittance

- Phreak placed 60,000 calls at US telco expense (1996; trial 1997.05)
- Racked up $250K of charges
- Repeatedly linked US emergency lines to each other, causing havoc
- Caught by rapid trace while claiming his penis was glued to a wall
- History of alcohol abuse and glue-sniffing
- Fined equivalent of $350
- Interned in psychiatric institution


Penetration: Private-School Naughty Boys

- Brockville teens crack RipNet (1997.06)
- 16-year-old A+ student + 4 accomplices
- Broke into RipNet ISP in Brockville, ON
- Stole 1300 user IDs + passwords
- Distributed for free access
- Quickly discovered
- RipNet and police agreed to let posh school handle punishment
  - ringleader out of computer class for 1 year
  - all have to write essays on what bad boys they were


Penetration: “Mr Nobody” Cracks Netcom

- 15-year-old boasts of exploits to Interactive Week (1997.06)
- Cracked PBX in 1995 (age 13)
- Listened to voice-mail messages
  - boxes had “Joe” passwords -- same as extension itself (stupid default)
- Phreak and friends placed long-distance calls at Netcom expense
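
The default-password failure in this case and in the MATAV case above (password equal to the extension or the billing ID) can be audited against a hashed credential store. The sketch below is an added example, not part of the original slides; the store layout, PBKDF2 parameters, rule names and sample accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this constructed store; use the real system's value.
PBKDF2_ITERATIONS = 10_000

# ID-derived guesses that a "Joe" account falls to (rule names are hypothetical).
RULES = {
    "same as ID": lambda s: s,
    "ID lowercased": str.lower,
    "ID uppercased": str.upper,
    "ID reversed": lambda s: s[::-1],
    "ID doubled": lambda s: s + s,
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the store's real scheme."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def audit_joe_accounts(store):
    """Return sorted (account_id, rule) pairs for ID-derived passwords.

    `store` maps account_id -> (salt, stored_hash). Only the matching rule is
    reported, never the password, so the report can be circulated safely.
    """
    findings = []
    for account_id, (salt, stored_hash) in store.items():
        for rule, derive in RULES.items():
            candidate = hash_password(derive(account_id), salt)
            # Constant-time comparison avoids leaking hash prefixes via timing.
            if hmac.compare_digest(candidate, stored_hash):
                findings.append((account_id, rule))
                break  # one finding per account is enough to force a reset
    return sorted(findings)


def build_sample_store():
    """Constructed sample data: three weak accounts and two strong ones."""
    sample = {
        "4417": "4417",                 # voice-mail box, password = extension
        "B0012345": "b0012345",         # billing ID used as password, lowercased
        "5120": "0215",                 # extension reversed
        "kabay": "correct horse battery staple",
        "6001": "Tr7#pq!92x",
    }
    store = {}
    for account_id, password in sample.items():
        salt = os.urandom(16)
        store[account_id] = (salt, hash_password(password, salt))
    return store


if __name__ == "__main__":
    for account_id, rule in audit_joe_accounts(build_sample_store()):
        print(f"{account_id}: password is {rule} -> force reset")
```

Because each stored hash is salted, the check has to re-derive every guess per account; the rule list stays short so the audit scales to thousands of IDs.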


Penetration: ON 14-year-old

- 1997.09 -- Burlington, ON
- >500 attempts to penetrate systems all over North America
  - evidence of malicious hacking
- Attacked US military computers
  - caused downfall
  - military tracked him down
  - cooperated with local police


Penetration: NTT Hacked

- Nippon Telephone & Telegraph -- 1997.10
- Stole proprietary programs for software development
- Used internal ID -- possibly social engineering
- Had or found number of modem
  - did it bypass the firewall?


Penetration: Citibank Hack

- 1998.02 (events started 1994.07)
- Vladimir Levin of St Petersburg hacked Citibank computers
- Conspirator Alexei Lachmanov transferred U$2.8M to five Tel Aviv banks
- Admitted to attempting to withdraw US$940,000 from those accounts
- Three other members of the gang pleaded guilty
- Levin extradited 1997.09


Citibank -- Conclusion

- 1998.02 -- Levin sentenced to 3 years, fined
- Vladimir Levin convicted by NYC court
- Transferred $12M in assets from Citibank
- Crime spotted after first $400K theft
- Citibank cooperated with FBI
- MORAL: report computer crime & help prosecute the criminals


Penetration: Voice Mail

- 1998.05: Cincinnati Enquirer reporter breaks law
- Michael Gallagher broke into voice mail of Chiquita Fruits
- Stories in paper accused Chiquita of illegal activities
- Reporter fired
- Enquirer paid $10M to Chiquita in damages
  - published front-page apologies 3 days in a row


Penetration: U Colorado

U. Colorado student arrested -- 1998.03

Joshua Gregory Pearson, 18

computer science major

Allegedly provided stolen passwords and access codes to Israeli hacker “Heavy Metal”

may have used packet sniffer

intercepted passwords and access codes

Israeli broke into U.CO computer system

also denial of service

unauthorized programs flooded U.CO e-mail accounts with error messages


Penetration: MOD redux

New MOD crows about exploits -- 1998.04

Masters of Downloading instead of Masters of Deception

Claimed penetration of US military networks

DISN (Defense Information Systems Network)

DEM (DISN Equipment Manager)

controls military Global Positioning Satellites (GPS)


Penetration: AOL Techs

ACLU site on AOL vandalized -- 1998.05

Intruder simply asked AOL help-desk staffers for a “new” password for Web site control

Success may be function of size

1000s of staffers

many new and poorly trained

Birthday problem:

$P\{\text{at least one failure}\} = 1 - (1-p)^n$

p = probability of one failure and

n = number of independent units
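The slide's formula applied to a help desk, as an added example that is not part of the original slides. It also generalizes the formula to groups with different failure probabilities (new versus trained staffers) and inverts it; all staff counts and per-staffer probabilities below are constructed for illustration.

```python
import math


def p_any_failure_mixed(groups):
    """P{at least one failure} = 1 - prod((1 - p_i) ** n_i).

    groups is a list of (p, n) pairs: n independent units that each fail
    with probability p. The product is accumulated in log space so that
    very small p and very large n do not lose precision.
    """
    log_all_hold = 0.0
    for p, n in groups:
        if not 0.0 <= p <= 1.0 or n < 0:
            raise ValueError("need 0 <= p <= 1 and n >= 0")
        if n == 0:
            continue
        if p == 1.0:
            return 1.0  # a unit that always fails decides the outcome
        log_all_hold += n * math.log1p(-p)
    return -math.expm1(log_all_hold)


def p_any_failure(p, n):
    """The slide's formula: 1 - (1 - p) ** n for n identical units."""
    return p_any_failure_mixed([(p, n)])


def max_per_unit_p(target, n):
    """Largest per-unit p that keeps P{at least one failure} <= target."""
    if not 0.0 <= target < 1.0 or n <= 0:
        raise ValueError("need 0 <= target < 1 and n > 0")
    return -math.expm1(math.log1p(-target) / n)


def units_for_threshold(p, threshold=0.5):
    """Smallest n for which P{at least one failure} >= threshold."""
    if not 0.0 < p <= 1.0 or not 0.0 < threshold < 1.0:
        raise ValueError("need 0 < p <= 1 and 0 < threshold < 1")
    if p == 1.0:
        return 1
    n = math.ceil(math.log1p(-threshold) / math.log1p(-p))
    while p_any_failure(p, n) < threshold:  # guard against rounding
        n += 1
    return n


# Constructed staffing model (assumed numbers, not from the slides):
# 200 new staffers who give in to a pretext call 1% of the time and
# 800 trained staffers who do so 0.05% of the time.
NEW_STAFF = (0.01, 200)
TRAINED_STAFF = (0.0005, 800)

if __name__ == "__main__":
    print("1000 staffers at p=0.001:", round(p_any_failure(0.001, 1000), 4))
    print("new staff only:          ", round(p_any_failure_mixed([NEW_STAFF]), 4))
    print("whole help desk:         ",
          round(p_any_failure_mixed([NEW_STAFF, TRAINED_STAFF]), 4))
    print("per-staffer p for <=5% overall risk at n=1000:",
          f"{max_per_unit_p(0.05, 1000):.2e}")
    print("staffers at p=0.001 before risk passes 50%:",
          units_for_threshold(0.001, 0.5))
```

With these constructed numbers the 200 new staffers alone account for most of the overall risk, which is why a control that does not depend on any single staffer's judgment (for example a mandatory call-back before a reset) lowers the risk more than extra training for the trained majority.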


Penetration: SLAC Attacked

Stanford Linear Accelerator Center -- 1998.06

Intruder logged in with a password

guessed? sniffed? borrowed?

later posting indicated LAN sniffer

implies inside job

Evidence

new zero-length file

50 files accessed

Results: SLAC off the Net entire week

30 people worked overtime

possible interdiction of foreign logins


Penetration: John the Ripper

Decryption of password files -- 1998.08

UC Berkeley Sys Admin

discovered someone cracked his password

running “John the Ripper” decryption prog

successfully cracked about 48,000 pws from a list of 186,126 encrypted passwords

Cracker broke into systems at

noted Silicon Valley company

Indiana ISP

other UC Berkeley systems, Caltech, MIT, and Harvard

Used Swedish ISP Telenordia then went through England, Denmark, South Korea


Automated Shoulder-Surfing (1)

Newmarket, ON customers surfed -- 1998.04

Thieves in cahoots with a gas-station employee installed minicam for debit-card PIN pad

Made fake debit cards to pillage accounts

used ATMs at midnight to steal 2 days’ max

Total thefts > $100K

Arrested just before a planned expansion to five more gas stations


Automated Shoulder-Surfing (2)

Finland: extra card-reader on ATM -- 1998.10

Small black card reader glued onto regular card slot

Collected debit- and credit-card codes

Standard shoulder-surfing to garner PINs

Made 60 counterfeit cards

Stole 180 000 FIM (~US$36,600)


Penetration: 2000

2000.01: Global Hell member, 16 yrs old, arrested in Eldorado, CA for stealing userIDs and passwords for 200,000 accounts on Pacific Bell ISP. Cracked 63,000 & boasted about it in chat room.

2000.03: Max Ray “Max Vision” Butler, 27, of Berkeley, CA indicted on charges of penetrating systems at NASA, Argonne Natl Labs, Brookhaven Natl Lab, Marshall Space Center, and DoD facilities.

2000.07: Raymond Torricelli, 20, of New Rochelle, NY arrested and charged with breaking into NASA, Georgia Southern U, San Jose State U computers & stealing credit card #s used for $10K of theft


Penetration: 2000

2000.09: 16-yr-old Florida boy “cOmrade” sentenced to 6 mo detention in federal prison for penetrating NASA & Pentagon computers

2000.10: 21 cyberthieves arrested in Sicily in process of stealing $500M from Banco de Sicilia. Included members of the Mafia, computer specialists and bank employees.

2000.12: Netherlands hacker penetrated U Washington Medical Center in Seattle. Stole admissions records for 4,000 cardiac patients. No firewalls or encryption.


Penetration: 2001

2001.01: Jerome Heckenkamp, 21, indicted for allegedly hacking computers at eBay, Exodus, Juniper, eTrade, Lycos, and Cygnus and causing a total of more than $900,000 in damage in 1999.

2001.05: Chinese hackers in Guangdong penetrated California Independent System Operator’s flow-control computers during an electrical-power crisis.

2001.07: Lee Ashurst, 22, of Manchester, England, hacked into the UAE’s only ISP and crashed entire country’s access to Internet. Fined £2000 and faced civil tort for £500K


Penetration: 2002

2002.02: Adrian Lamo [sic] claimed he hacked NY Times computers and demonstrated how to alter news stories on Yahoo.

2002.05: Experian loses 13,000 credit reports to hackers.

2002.05: Criminal hackers steal financial information about 265,000 CA state personnel

2002.08: Princeton admissions personnel hack into Yale University admission records

2002.08: ForensicTec Solutions of San Diego brags about breaking into Army, Navy, NASA computers – gets raided by FBI


Penetration: 2003

2002.02: Contractor for VISA and MASTERCARD penetrated by hackers

2003.03: Hackers gain full access to AOL customer database with 3.5 million users.

Access requires a user ID, two passwords and a SecurID code;

Hackers obtained all of these by spamming the AOL employee database with phony security updates, through online password trades, or by "social engineering" attacks over AOL's Instant Messenger (AIM) or the telephone.


Penetration: 2003

2003.03: U Texas Austin loses control to hackers over 59,000 records about students, alumni, faculty, staff. Police charge 20-yr-old student Christopher Andrew Phillips.

2003.04: GA Tech computers 0wn3d by hackers from Feb 4 to Mar 14; 57,000 database records copied included credit-card data for about 40,000 people

2003.04: “Blaster Ball” Trojan allows hacker in former Soviet Union to penetrate William Bee Ririe Hospital in Ely, NV

2003.07: French hackers break into KY govt computers, gain root


Penetration: 2003

2003.08: Diebold e-voting company’s Web servers cracked

2003.11: Hackers access top-secret files at Australian DoD.

2003.12: Hackers attack VoteHere systems


Penetration: 2004

2004.03: Allegiance Telecom notifies 4,000 users of hack attack that released their userIDs and passwords [what? Not encrypted??]

2004.04: TeraGrid supercomputer network funded by NSF disrupted by hackers

2004.09: DoE auditors report 199 hacks penetrating 3,541 systems in 2003

2004.10: Purdue University systems hacked


Penetration: 2005

2005.01: Nicolas Lee Jacobsen, 21, charged with breaking into T-Mobile computers for more than 1 year

Access to 16.3M customer files

Obtained voicemail PINs, passwords for Web access to e-mail

Read e-mail of FBI agent investigating his own case!

2005.01: Hackers break into George Mason University computers

2005.03: 150 applicants to business schools break into their own records illegally on ApplyYourself Web site


BREAK 5’12”


Data Diddling: NYC Tax Fraud

Nov 96 -- AP

3 NYC tax department employees

Bribed by property owners from 1992 onward

Removed records of taxes owing

Fraudulently entered legitimate payments from innocent victims to wrong tax accounts

Used bugs in software to cover tracks

Stole $13M in taxes owing + $7M in interest

Over 200 arrests expected

Face 10 years prison per count


Data Diddling: Thick Salami at Taco Bell

1997.01 -- RISKS

Willis Robinson (22 years old) reprogrammed Taco Bell cash register

registered each $2.99 item as costing $0.01

pocketed $2.98 cash per transaction

stole $3,600

Management assumed error was hardware or software

Idiot was caught because he bragged about his theft to co-workers

Sentenced to 10 years in prison


Data Diddling: Embezzlement

London & Manchester Assurance (1997.01)

Jamie Griffin

21 years old

clerk

altered records to steal £44,000

gambled it all away

claimed extortion by IRA

Sentenced to 7 months imprisonment


Data Diddling? or QA?

Brisbane, Australia (1997.09)

Three men charged with hacking

Transferred A$1.76M from Commonwealth Bank to Metway Bank

Claimed they were victims of QA error

blame Commonwealth Bank

allege CB placed A$50M into practice account

for learning how to use online system for direct payments


Data Diddling: SANS

SANS Security Digest hacked (1997.10)

Satirical, misspelled, vulgar nonsense

Acutely embarrassing


Data Diddling: Québec

Tax evasion by computer (1997.12)

Québec, Canada restaurateurs

U.S.-made computer program ("zapper")

Skimmed off up to 30% of the receipts

Evaded Revenue Canada and provincial tax

$M/year


Data Diddling: SSA

Social Security Administration -- 1998.10

Employee became angry with woman

argued in an Internet chatroom

Used fellow-employee's terminal

Filled in death date for woman in SSA records

Victim applied for loan at bank

she was “cyberdead”

Jorge Yong admitted culpability

resigned

paid $800 in fines and damages


Data Diddling: LA Gas

Los Angeles gasoline-pump fraud -- 1998.10

DA charged 4 men with fraud

Allegedly installed new computer chips in gasoline pumps

cheated consumers

overstated amounts 7%-25%

Complaints about buying more gasoline than capacity of fuel tank

Difficult to prove initially

programmed chips to spot 5 & 10 gallon tests by inspectors

delivered exactly right amount for them


Data Diddling: X.COM

Free money (2000.01)

X.COM online bank

Transfer funds from the account of any person at any U.S. bank

Needed only target’s account number and bank routing information


Data Diddling: BOOM!

New security measures at UK nuclear plants (2001.09)

Employee tried to sabotage nuclear plant (1999.06)

Security guard!

Tried to alter sensitive information

New measures put into place 18 months later


Data Diddling: Cisco

Cisco accountants stole stock (2001.11)

Oct 2000-Mar 2001: schemed to issue stock

Abused access to computer systems

Created forged stock-disbursal records

Total theft: $7,868,637

Sentences

34 months in federal prison

Complete restitution of theft

3 years supervised release


Data Diddling? GOOGLE Bombs

GOOGLE used as political ploy (2004.01)

Pranksters engineer Web sites to alter GOOGLE links and statistics

Linked George W. Bush to bad words

“unelectable”

“miserable failure”

Supporters retaliated with similar ploys against Kerry


Data Diddling: Making the Grade

California high school student arrested (2004.05)

Corona del Mar High School, Newport-Mesa Unified School District

17 years old

Accused of felony

Allegedly hacked school system to change grades

Altered grades of 6 juniors and 1 senior

Faces up to 3 years in prison


Cases

Breaches of confidentiality

Industrial Espionage

Unauthorized Access (Penetration)

Unauthorized Modification

Data Diddling

Sabotage, vandalism

Trojan Horses

Deception

Fraud, disinformation

Psyops

Denial of Service (DoS)


Sabotage? IE vs Navigator

Internet Explorer 4.0 vs Netscape Navigator (1997.10)

IE 4.0 includes features from Plus! for Windows 95

anti-aliasing function

smoothes large fonts on screen

Reportedly does not smooth fonts in Netscape Navigator

Allegedly not found to fail in any other program tested -- but updated Occam’s Razor states:

Never attribute to malice what stupidity can adequately explain.


Sabotage? MS-MediaPlayer vs RealAudio

Several reports of software conflicts — 1998.10

Installation of MS-MediaPlayer causes problems with other media players

MS product takes over file associations

Prevents usability of RealAudio

De-installation switches file associations to other MS products

MS denied deliberate attack, accuses other programs of quality problems

[Attila the Hun no doubt accused Europeans of quality problems, too.]


Hactivists: Pentagon Meets Monty Python

“Electronic Disruption Theater” hacker group whines about unfair tactics — 1998.10

Criminal hackers attacked DoD DefenseLink 1998.09.09

DoD allegedly used offensive information warfare techniques

allegedly posted hostile Java applet

criminals downloaded it

supposedly crashed their systems

Criminals complained about illegal response

Some legal minds agreed (!)


“Hactivism” on the Rise

Political action by criminal hackers — or criminal hacking by political activists?

“HACKING BHABA” article in FORBES

attack on Bhaba nuclear research facility in India (1998.05)

interviews with teenaged perpetrators

Attacks on Chinese censorship (1998.11)

WIRED

graduate student disabled Chinese content filters

vandalized pro-censorship site in China


Sabotage: Reuters Hong Kong

Nov 96 -- RISKS 18.65

Reuters in Hong Kong

market information crucial for trading

logic bombs at 5 investment-bank clients

36 hours downtime in networks

no significant effects on their work

embarrassed by the incident

Caused by disgruntled computer technician

Costs

1,700 person-hours for recovery

HK$1.3M (~$168K)


Sabotage: CA Dept Info Tech

1997.01 -- San Francisco Chronicle, RISKS

Fired subcontractor arrested

accused of trying to cause damage to the California Department of Information Technology

Spent six hours online before being detected

Crashed system

Data restored from backups

System management did not know the accused had been fired

Did not alter security after his dismissal


Sabotage: Gateway2000

1997.01 -- EDUPAGE

20,000 copies of promotional video

30 seconds of pornography in mid-video

Investigators focusing on likelihood of disgruntled employee of Gateway2000 or at video production company


Sabotage: US Coast Guard

DP worker goes ballistic -- 1998.06

Shakuntla Devi Singla

civilian data processing worker

reported possible crime by contractor

Warnings disregarded

Wiped out personnel database

Crashed system

Recovery (where were their backups?)

115 Coast Guard employees

1,800 hours to restore data

Sentenced to 5 months jail then 5 months home detention

Fined $35,000 restitution


Sabotage: Telecast Fiber

Former Employee Destroys Files (2003.08)

John Corrado broke into Telecast Fiber Systems Inc, Worcester MA

Used modem

Destroyed R&D files and demos used by sales reps

Pleaded guilty, agreed to pay $10,360 restitution

Possible penalties:

max 1 year prison

$100K fine


Web Vandalism

CIA (1996.09)

USAF (1996.12)

NASA (1997.03)

AirTran (1997.09)

UNICEF (1998.01)

US Dept Commerce (1998.02)

New York Times (1998.09)

SETI site (1999)

Fort Monmouth (1999)

Senate of the USA (twice) (1999)


CIA (1996.09)


USAF (1996.12)


NASA (1997.03)


AirTran (1997.09)


UNICEF (1998.01)


US Dept Commerce (1998.02)


New York Times (1998.09)


SETI (1999)


Fort Monmouth (1999)


Senate of the USA (1) (1999)


Senate of the USA (2) (1999.06)


DEFCON (1999.07)


Vandalism: 2000

2001.01: “Lamers Team” deface Library of Congress Web site

2000.03: Gallup site defaced with misleading pointers to AntiOnline

2000.04: 16-year-old in Sweden arrested for defacing Web site of Swedish National Board of Health and Welfare

2000.09: “fluxnyne” defaces OPEC Web site


Vandalism: 2001 & 2003

2001.01: MS Web pages defaced by “Prime Suspectz” hacker group

2001.05: Chinese security experts report 14% of worldwide hacker attacks aimed at PRC Web sites

2003.05: Hackers attack Denver Internet radio station hosting security conference

2003.06: Hijacker switched registration of LA County Web site by calling ARIN and then stole 65,000 Web site addresses for use in sending pornographic spam


Vandalism: 2003 & 2004

2003.07: Sudanese hacker destroys Websites of Sudan Airlines, Khartoum University, Aptec Computers, Sudanese Internet Company.

2003.12: 13 NASA Websites defaced by Brazilian hackers “drwxr” with antiwar sentiments

2004.06: Silicon Valley Land Survey Web site used to post videos of Paul Johnson (victim of Al Qaeda terrorists)

2004.06: Hackers infest 60 computers at South Korean research institutes and government agencies with Peep Trojan RAT


BREAK 5’02”


Cases

Breaches of confidentiality

Industrial Espionage

Unauthorized Access (Penetration)

Unauthorized Modification

Data Diddling

Sabotage, vandalism

Trojan Horses

Deception

Fraud, disinformation

Psyops

Denial of Service (DoS)


Trojan: Moldovan Scam

1997.11 — news wires, EDUPAGE, RISKS

Pornography seekers logged into http://www.sexygirls.com (Nov 96-1997.02)

Special viewer program to decode pictures

Trojan program

secretly disconnected modem connection

turned modem sound off

dialed ISP in Moldavia — long distance

Long-distance charges in $K/victim

Court ordered refund of $M to consumers


Trojan: Back Orifice

cDc (Cult of the Dead Cow) — 1998.07

Back Orifice for analyzing and compromising MS-Windows security

Sir Dystic — hacker with L0PHT

“Main legitimate purposes for BO:”

remote tech support aid

employee monitoring

remote administering [of a Windows network].

“Wink.”


Back Orifice — cont’d

Features

image and data capture from any Windows system on a compromised network

HTTP server allowing unrestricted I/O to and from workstation

packet sniffer

keystroke monitor

software for easy manipulations of the victims' Internet connections

Trojan allows infection of other applications

Stealth techniques

15,000 copies distributed to IRC users in infected file “nfo.zip”


Trojan: Open Source Contaminated

TCP wrapper infected with Trojan (1999.01)

Early on 21 Jan 1999 someone inserted Trojan code into distribution site

Trapdoor access to contaminated systems

Sent e-mail indicating which sites contaminated


Trojan: Palm PDA

“Pirated” Gameboy software infects PDAs (2000.08)

Deletes applications on Palm Pilot

Proof of concept?


Trojan: MS a Victim

QAZ Trojan invades Microsoft (2000.10)

Company passwords sent to e-mail address in St Petersburg, Russia

“Deplorable act of industrial espionage”

Investigation suggested little damage

Source files very large – probably not transferred


Trojan: MS “Cumulative Patch”

MS Cumulative Patch a trick (2002.03)

E-mail with 160 KB attachment

Subject: “Internet Security Update”

“Eliminates MS Outlook/Express… vulnerabilities”

Vague link to MS security site

Actually contained “Gibe” worm


Reverse-Proxy Spam Trojan - Migmaf

Migmaf trojan commandeers PCs (2003.07)

“Migrant mafia” takes over PCs by stealth

Not certain how it spreads

Programmer may be changing code constantly to elude anti-malware products

Relays requests for porn sites through infected systems

Web page passed through zombie

Impossible to locate master server

Porn sites may be traps for credit-card data

Zombies also serve as spam relay sites


Trojan: Linux Backdoor

Linux kernel attacked (2003.11)

Hacker tried to enter backdoor code into sys_wait4() function

Would have granted root

Noticed by experienced Linux programmers


Trojan: Phatbot uses P2P

Phatbot attacks security (2004.03)

Extensive feature set

  Controlled through P2P networks

  Provides complete remote control over system (open files, reboot, send files….)

  Snoops for passwords & tries to send them

  Tries to disable firewalls and AV products

Author arrested 2004-05

Baden-Württemberg, Germany


Trojan: Mac Attack

MS-Office Installer icon is Trojan (2004.05)

AS.MW2004.Trojan has icon like that of MS Installer for MS-Office for Mac

Actually Trojan that deletes all files in user’s home folder


Trojan: Cell Phones

“Skulls” targets Nokia 7610 (2004.11)

Appears as a “theme manager” utility

Exploits Symbian OS

Actually disables all programs on phone

Calendar, phonebook, camera, Web browser, SMS applications, etc.

Leaves only outbound and inbound phone calls functional

By 2005.04, researchers had found >100 Trojans affecting Symbian OS


Trojan: Cellery

Cellery Worm Clogs Networks (2005.01)

Infected “Tetris” game contains worm

Reproduces throughout network

Can cause serious bandwidth saturation

Users who perceive playing games at work as normal may not realize that the program is a threat


Trojan: Bankash-A

Trojan attacks antispyware tool, logs keystrokes (2005.02)

Arrives in e-mail attachment

Tries to disable MS antispyware and antivirus software

Logs user keystrokes, tries to send credit-card & banking info to receiving site

May delete files

Attempts to install yet more malware

Downloads additional code from the Internet


Cases

Breaches of confidentiality

Industrial Espionage

Unauthorized Access (Penetration)

Unauthorized Modification

  Data Diddling

  Sabotage, vandalism

  Trojan Horses

Deception

  Fraud, disinfo

  Psyops

Denial of Service (DoS)


Deception: Holiday Inns vs Call Management

1997.01 -- AP

Holiday Inns uses 1-800-HOLIDAY for reservations (note the O)

Call Management uses 1-800-H0LIDAY (note the ZERO)

Holiday Inns sued and lost

Other firms have used phone numbers adjacent to important commercial numbers in order to capture calls from misdialing customers

Old porn site whitehouse.com (now a respectable site) used confusion with whitehouse.gov to trick kids into visiting


Disinfo: Belgian ATC Fraud

1997.01 — Reuters

Belgian lunatic broadcasting false information to pilots

Air-Traffic Control have caught the false information in time to prevent tragedy

Serious problem for air safety

Police so far unable to locate pirate transmitter

Lunatic thought to be former ATC employee


Disinfo: Negotiations with Kidnappers Spoofed

1997.02 — RISKS

Colombian terrorists kidnapped soldiers

Government of Colombia decided to negotiate through e-mail

Right-wing terrorists sent fraudulent e-mail claiming to represent government position


Disinfo: Cronkite Smeared

1997.01 — AP

Tim Hughes created Web page libeling Walter Cronkite

  said WC had shrieked imprecations and spat at Hughes and wife in FL restaurant

Included falsified digital images purporting to show Cronkite posing with KKK members

Cronkite threatened lawsuit

Hughes took down page, said it was a satire


Psyops: Motley Fool

Mar 96 -- Wall Street Journal; EDUPAGE; RISKS

Iomega high-capacity removable disk drives

America Online's Motley Fool bulletin board

  False information

  Flaming and physical threats

Caused volatility of stock prices


Psyops: Pairgain

1999.04: Gary Dale Hoke arrested by FBI

Employee of Pairgain

Created bogus Web page

  Simulated Bloomberg information service

  Touted PairGain stock undervalued – impending takeover

Pointed to fake page using Yahoo message boards

Investors bid up price of Pairgain stock from $8.50 to $11.12 (130%)

13.7 M shares traded – 700% normal volume


Pairgain – cont’d

Windfall gains & losses by investors

Hoke did not in fact trade any of the stock himself

Pleaded guilty to charges of stock manipulation

Sentenced to home detention, probation, restitution


Psyops: Emulex

2000.98: Emulex lost 60% of total share value

Mark Jakob, 23 years old

Fabricated news release

Sent from community college computer

Circulated by Dow Jones, Bloomberg

Claimed profit warning, SEC investigators, loss of CEO

Jakob profited by $240,000 in minutes


Psyops: Ponzi

EE-Biz Ventures steals $50M (2001.07)

Donald A. English claimed huge profits

Paid early investors with money from later ones

Classic “Ponzi” scheme

Arrested by FBI

Most victims were sick or elderly


Psyops: 4-1-9 Brides

Prospective Brides Needed Money (2004.11)

Russian Yury Lazarev hired women to write flowery letters to possible partners

Included sexy photographs

3,000 men responded from around world

Attempts to meet met with requests for money

  Visas

  Airline tickets

Net profits: $300,000

One year suspended sentence in Moscow


BREAK 4’56”


Cases

Breaches of confidentiality

Industrial Espionage

Unauthorized Access (Penetration)

Unauthorized Modification

  Data Diddling

  Sabotage, vandalism

  Trojan Horses

Deception

  Fraud, disinformation

  Psyops

Denial of Service (DoS)


History of DoS

1987-12: Christmas-Tree Worm

  IBM internal networks

  Grew explosively

  Self-mailing graphic

  Escaped into BITNET

1988-11: Morris Worm

  Probably launched by mistake

  Demonstration program

  Replicated through Internet

  ~9,000 systems crashed or were deliberately taken off-line


DoS: Mail-Bombing Via Lists 1996.08/12

1996.08 — “Johnny [x]chaotic”

  subscribed dozens of people to hundreds of lists

  victims received up to 20,000 e-mail msg/day

  published rambling, incoherent manifesto

  became known as “UNAMAILER”

1996.12 — UNAMAILER struck again

Root problem

  some list managers automatically subscribe people

  should verify authenticity of request

  send request for confirmation
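The confirmation step this slide calls for, as an added example that is not part of the original slides: a subscribe request only mails a token, and the address joins the list when that token comes back. The `ListManager` class, the `SECRET` key and the list names are hypothetical; the sketch also caps unanswered confirmations per address so the confirmations cannot themselves be used as a flood.

```python
import hashlib
import hmac
import time

# Constructed demo key (assumption); a real list manager would load its own secret.
SECRET = b"constructed-demo-key"
TOKEN_TTL = 48 * 3600  # seconds a confirmation token stays valid


def _sign(list_name, address, issued_at):
    """MAC binding the token to one list, one address and one issue time."""
    msg = f"{list_name}\n{address}\n{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class ListManager:
    def __init__(self, max_pending_per_address=3):
        self.members = {}   # list name -> set of confirmed addresses
        self.pending = {}   # address -> issue times of unanswered confirmations
        self.outbox = []    # (recipient, body) pairs standing in for sent mail
        self.max_pending = max_pending_per_address

    def request_subscription(self, list_name, address, now=None):
        """Unauthenticated request: never subscribes, only mails a confirmation."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        if address in self.members.get(list_name, set()):
            return "already-subscribed"
        # Cap outstanding confirmations so the confirmation mails themselves
        # cannot be turned into a flood against one mailbox.
        live = [t for t in self.pending.get(address, []) if now - t <= TOKEN_TTL]
        if len(live) >= self.max_pending:
            self.pending[address] = live
            return "throttled"
        live.append(now)
        self.pending[address] = live
        token = f"{now}.{_sign(list_name, address, now)}"
        self.outbox.append((address, f"confirm {list_name} {token}"))
        return "confirmation-sent"

    def confirm(self, list_name, address, token, now=None):
        """Subscribe only if the token was issued for this list and address."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        try:
            issued_text, mac = token.split(".", 1)
            issued = int(issued_text)
            mac_bytes = mac.encode()
        except ValueError:
            return False  # malformed token
        expected = _sign(list_name, address, issued).encode()
        if not hmac.compare_digest(mac_bytes, expected):
            return False  # forged, or issued for another list or address
        if not 0 <= now - issued <= TOKEN_TTL:
            return False  # expired
        self.members.setdefault(list_name, set()).add(address)
        self.pending.pop(address, None)
        return True
```

A forged request on a victim's behalf therefore costs the victim at most `max_pending_per_address` short messages per token lifetime, and no list traffic at all.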


DoS: Spam / Junk E-mail 1996.09

AOL began blocking all inbound mail from junk e-mailers

Court challenges on both sides

Other ISPs beginning to revolt against onslaught of automated spam generators

Courts have ruled that junk e-mail does not have to be transmitted by ISPs


DoS: Spam / Junk E-mail 1996.09

Paul Engel, San Francisco stock broker

Disagreement with an employee of the SRI

Allegedly resulted in mail-bombing run on 23 September

25,000 messages consisting of the word “Idiot”

Originated from SRI account

Prevented him from using his computer

1996.12: Sued SRI for $25,000 of damages


DoS: VineyardNET vs Spam 1997.01

VineyardNET hijacked by CV Communications

Connected directly to the ISP's SMTP server

Sent out 66,000 advertisements for spamming services

Most victims: CompuServe and AOL

Tuned firewall to reject further input from rogue

Adjusted two-stage mail delivery software

  scan and delete all junk e-mail


DoS: Miscellany 1997.01/03

1997.01 — “Rev. White” spams IRC Undernet

  racist, homophobic, misogynist threatening messages

1997.01 — Cleveland resident receives 100 calls/night because his phone # is 1-off AOL’s

1997.03 — InterNIC loses papers for unnamed company

  cut off its DNS entry

  down for 20 hours

1997.03 — Sprynet suddenly terminates service to anyone not using <name>@sprynet.com — including legitimate customers with their own POP servers


DoS: Wasting Time On-Line 1997.06

1997.06 — employee use of Web for fun during working hours consumes average 2 hours of productivity/week

  other estimates range from 5% to 40% lost

  also consume bandwidth

1997.06 — Pitney Bowes study from Gallup and San Jose State University

  972 top-level staff from Fortune 1000

  severe damage to productivity from interrupts

  50% said interruptions every 10 minutes

  overwhelmed by flood of messages


DoS: Bluelister Attacks Antispammers 1997.06

1997.06: Forged headers from Antispam sites

1 or more persons

Send large amounts of junk e-mail from antispammers' home sites

Resulting floods of angry responses crash systems

NetHome Web-hosting service severely compromised


DoS News 1998

1998.01: Sanford “Spamford” Wallace found new spam-friendly ISP

  offices swamped with phone calls, e-mails and threats

1998.03: Windows NT servers crash under hack attacks

  Carnegie Mellon, MIT, NASA sites, many U. Cal. campuses, US Navy

1998.03: Mailstorm by National Association of Broadcasters

  instructions on how to unsubscribe actually sent messages to list itself


DoS News 1998 (Cont’d)

1998.05: Panamsat Galaxy 4 satellite malfunctions

  10M pagers silenced

  also some public radio networks

  two days of disruption

1998.09: Misappropriation of resources

  Aaron Blosser accused of using 2585 computers at US West

  looking for prime numbers

  used 10 years of processing cycles

  sent response time from 3-5 seconds to 5 minutes


DoS: Worcester Hacker Convicted

Teenager punished for hack — 1998.03

Kid broke into Bell Atlantic switch in suburb of Boston, MA in 1997.03

  crashed switch

  6 hours down

Disrupted service for 600 customers & local airport control tower

Severely sentenced as example to others

  2 years probation

  loss of computer

  250 hours community service

  $5,000 restitution


DoS: MS & CERT-CC Down

Network vandal attacks MS (2001.01)

  Flooded MS sites w/ packets

  Down for a day

  Due to putting DNS servers in single network

CERT-CC down 30 hours (2001.05)

  DoS packet flood

  Viewed as “just another attack” by staff


DoS: Cloud Nine

Cloud Nine ISP out of business (2002.01)

Massive DoS

  E-mail

  DNS servers

Shut down operations

Insurance insufficient to pay for rebuilding systems

Decided to sell business to competitors


DoS: White House

White House site offline (2002.05)

DoS 09:00-11:15 4 May 2002

Suspect Chinese and pro-Chinese hackers


DoS: Root Servers

DoS cripples 9 of 13 root servers (2002.10)

Most sophisticated and large-scale assault on root servers to date

Started 16:45 EDT Monday 21 Oct 2002

30-40x normal traffic from South Korea and US origins

7 servers failed completely; 2 intermittently

Remaining 4 servers continued to service ‘Net requests – no significant degradation of service

Verisign upgraded protection on its servers as a result


DoS: Al-Jazeera

Al-Jazeera swamped (2003.03)

Arab satellite TV network Web site unavailable

Swamped by bogus traffic aimed at US servers for its site


DoS: Akamai (E-Commerce)

Akamai Technologies goes down (2004.06)

Network vandals attacked Akamai servers

Manages 15% of total traffic on Internet

Down for 45 minutes

Serve major players in e-commerce

  Microsoft

  Yahoo

  FedEx

  Xerox, ... many others

  Also FBI

Care to estimate the costs of downtime??


DoS: GOOGLE & .com Disappear Briefly

GOOGLE disappears from Web (2005.05)

Gone for 15 minutes 7 May 2005

Glitch in DNS

Drew attention to concerns over DNS stability

National Research Council issued report criticizing state of DNS infrastructure

http://www7.nationalacademies.org/cstb/pub_dns.html

Historical note:

2000.08.23: 4 of 13 root DNS servers failed

All access (http, ftp, smtp) to entire .com domain blocked for 1 hour worldwide


DoS: Backhoe Attacks

1997.06 -- Republic of Buryatiya

  Thief removed 60m copper cable

  Shut down all external communications 5 hours

  Estimated cost ~$135,000

1997.06 -- Kazakhstan

  2 thieves began stealing copper from high-voltage electrical power line -- while it was live

  soon they weren’t

1997.06 -- Florence, NJ

  construction crew sliced through major UUNet backbone


DoS: More Backhoe Attacks

1997.10: Dump-truck driver leaves truck bed up, rips telephone cables – 119,000 Sprint users out of service for 4 hours

1998.02: Illuminet cables severed in Illinois – phone/ISP service out all over eastern seaboard for AT&T, Teleport, Bell Atlantic mobile

2001.03: Thieves attempted to steal copper cable in Ontario Canada. They actually cut a fiber-optic cable and wiped out Internet service for 300,000 users. Then while workers were repairing the damage, rodents attacked the exposed cable and eliminated service once more.


DoS: Tunnel Fire Derails Internet Service

Train derailed in Baltimore tunnel (2001.07)

Damaged fiber-optic cables

Affected Internet service, telephony across USA

  WorldCom, PSINet, AboveNet

Delays on eastern seaboard

Problems even in Seattle, Los Angeles


DoS: What if GPS Fails?

As of 2003.04: 18 of 28 GPS satellites

  Operating beyond intended lifespan or

  Have equipment failure

GPS failure would affect

  Civil aviation

  Trucking

  Shipping

  Telecommunications

Internet backbone operators use GPS time stamps


DISCUSSION


Resume at 13:14:54