
Cyberterrorism

Tim Shimeall, Ph.D.


CERT Centers, Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
SEI is sponsored by the U.S. Department of Defense
2002 by Carnegie Mellon University
CoC - page 1

Overview
Introduction
Definitions
Examples
Observations
Summary


A Different Internet
Armies may cease to march
Stock may lose a hundred points
Businesses may be bankrupted
Individuals may lose their social identity
Threats not from novice teenagers, but purposeful military, political, and criminal organizations


Cyber Threats
Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
    Administrative access obtained
    Event logging selectively disabled
    System software modified to suit intruder
    Attack software installed
    PC actively probing for new hosts to intrude
Clear the disk and try again!

Attack Sophistication vs. Intruder Technical Knowledge

[Figure: attack sophistication and intruder knowledge, each on a Low to High scale, plotted against time (1980, 1985, 1990, 1995, 2000), with regions marked "Tools" and "Intruders". Labels on the chart: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; burglaries; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; network mgmt. diagnostics; www attacks; denial of service; distributed attack tools; stealth / advanced scanning techniques; Cross site scripting; Staged; Auto Coordinated.]

Vulnerability Exploit Cycle

[Figure: cycle diagram. Stage labels:]
Advanced Intruders Discover New Vulnerability
Crude Exploit Tools Distributed
Novice Intruders Use Crude Exploit Tools
Automated Scanning/Exploit Tools Developed
Widespread Use of Automated Scanning/Exploit Tools
Intruders Begin Using New Types of Exploits

Definitions
Cyberterror: The deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.
Cyber-utilization: The use of on-line networks or data by terrorist organizations for supportive purposes.
Cybercrime: The deliberate misuse of digital data or information flows.


Sophistication of Cybercrime
Simple Unstructured: Individuals or groups working with little structure, forethought or preparation
Advanced Structured: Groups working with some structure, but little forethought or preparation
Complex Coordinated: Groups working with advance preparation with specific targets and objectives.


Example: Zapatista Cyberstrike


Mid-1990s rebellion in Mexico
Military situation strongly favored Mexican Army
Agents of influence circulated rumors of Peso instability
Peso crash forced government to negotiating table
Compounded by intrusions into Mexican logistics


Example: Signed Defacement


Defaced Health-care web site in India
"This site has been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat
Post-dates activity by Pakistani Hackers Club
Linked to G-Force Pakistan
Part of larger pattern of influenced hacker activity (3Q99 - 4Q01)
    Differing expertise
    Multiple actors/teams
    Transnational collaborations

Pakistani/Indian Defacements

[Figure: defacements over time (axis ticks 10/99, 1/00, 4/00, 7/00, 10/00, 1/01, 4/01) on a scale running from "Juvenile" to "Well written", with an axis label "More". Legend: No mention of terrorist organizations; Mentions terrorist organizations.]

Cyber Trends
CERT/CC Year 2000 - 21,756 Incidents
    16,129 Probes/Scans
    2,912 Information Requests
    261 Hoaxes, false alarms, vul reports, unknown
    2454 Incidents with substantive impact on target
Profiled 851 incidents, all active during July-Oct 2000 (plus some preliminary June data, profiling work is ongoing)
Many different dimensions for analysis and trend generation (analysis work is ongoing)


Immediate Data Observations

Varying diversity of ports used in incidents
Seasonal trend of incidents per month (some incidents carry over between months)
Shifts in services used in incidents
Generic attack tools adapted to specific targets
Shifts in operating systems involved in incidents

[Figure: "Incidents Active"; y-axis: Incidents, 0 to 600.]
[Figure: "Ports in Incidents"; y-axis: Ports, 0 to 100.]

Weekly Incidents by Target

[Figure: weekly chart; y-axis 0 to 100. Legend: com, gov, edu, intl, user, isp, org, fin, k12, misc, other.]

Weekly Incidents by OS

[Figure: weekly chart; x-axis: weeks from 6/24/00 to 2/17/01; y-axis 10 to 100. Legend: unknown, LX, NT, SO, UN, IR, MO, Other, misc.]

Weekly Incidents by Impact

[Figure: weekly chart; x-axis: weeks from 6/24/00 to 2/17/01; y-axis 10 to 100. Legend: Disrupt, Distort, disclosure, Destruct, Deception, Unknown.]

Socio-Political Activity

[Figure: chart with y-axis 10 to 100. Labels: Inauguration, Holidays, Conventions, Debates, Election, Controversy, Campaign, Best Fit.]

Summary
Majority of on-line threat is cybercrime
Cyberterror is still emerging
Evolving threat
Integrating critical missions with general Internet
Increasing damage/speed of attacks
Continued vulnerability of off-the-shelf software
Much confusion of descriptions and definitions
Widely viewed as critical weakness of Western nations
