Friday, December 12, 2008

Attacking Integrity

We will spend a great deal of time this semester discussing the three principles of Information Security - CIA. C stands for confidentiality, I stands for integrity, and A stands for availability.

A recent example of an integrity attack can be found in a variant of the DNSChanger Trojan. This variant is now in the wild and has been well described by a number of security vendors, including McAfee. As described by McAfee, to date DNSChanger Trojans have relied on the following tactics:
  1. Modify Windows Hosts file to map specific domain names to specific IP addresses
  2. Modify Windows registry settings to reference specific (rogue) DNS servers
  3. Create a scheduled task under Mac OS X to reference specific (rogue) DNS servers
  4. Exploit cross-site request forgery vulnerabilities in routers to overwrite the DNS server configuration offered to local area network clients
According to McAfee, this new variant "involves serving the rogue DNS server configuration over DHCP, the protocol responsible for distributing dynamic IP addresses, as well as other information, including DNS settings." McAfee outlines a possible attack scenario here.
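As an added illustration, not from the McAfee write-up or the original post, here is a defender-side check covering the two configuration points that the first two tactics and the new DHCP variant target: the hosts file and the resolver list a client actually ends up using. The trusted resolver set, hostnames and sample data are all constructed assumptions.

```python
"""Audit a client's DNS configuration for the tampering DNSChanger relies on.

Two checks: (1) hosts-file entries that pin a name to a non-local address,
which silently bypasses DNS; (2) resolvers (static, registry-set or handed
out by DHCP) that are not the ones this network is supposed to use.
All sample inputs below are constructed for the example."""
import ipaddress

# Assumption: the resolvers this network legitimately offers over DHCP.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def audit_hosts(text):
    """Return (ip, hostname, reason) for every suspicious hosts entry.

    Loopback and unspecified (0.0.0.0 block-list style) mappings are normal
    hosts-file content and are ignored; anything else redirects a name."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            findings.append((ip, name, "non-local mapping"))
    return findings


def audit_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Return configured resolvers that are not on the trusted list."""
    return sorted(set(configured) - set(trusted))


# Constructed sample: one rogue pin in the hosts file, and a DHCP lease that
# offered a resolver outside the trusted set alongside a legitimate one.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.example-bank.test   # inserted by malware
"""
SAMPLE_DHCP_DNS = ["192.0.2.53", "203.0.113.9"]

if __name__ == "__main__":
    for ip, name, why in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip} ({why})")
    for ip in audit_resolvers(SAMPLE_DHCP_DNS):
        print(f"resolver: {ip} is not a trusted resolver")
```

On a real host the inputs would come from the platform's hosts file and from `ipconfig /all` or the DHCP lease rather than the embedded samples.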

As we will discuss throughout class, integrity attacks are particularly nasty because even a minor attack will compromise a user's trust in an entire system. For example, if a user discovered that his hosts file had been hacked and his web browsing and other internet activities were being re-routed outside of his control, then he can no longer trust the integrity of his entire system or any of his online personas. The user must assume that all of his personal data has been compromised.

Thursday, December 11, 2008

Defining Cyberwar

On December 8th 2008, the CSIS Commission on Cybersecurity for the 44th Presidency released a report entitled Securing Cyberspace for the 44th Presidency. The Commission's three major findings are:
  1. Cybersecurity is now one of the major national security problems facing the United States;
  2. Decisions and actions must respect American values related to privacy and civil liberties; and
  3. Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.
Of equal importance, the Commission notes many important questions that need to be answered in order to create a unified and effective cybersecurity policy. One important question posed by the commission is "at what point does a cyberattack constitute an act of war or a violation severe enough to justify a response?"

This question is of critical importance, as it must be answered before the United States federal government can create a cyber deterrent policy. Any deterrent strategy must be based on clear red lines that articulate what actions are considered acts of war. Further, retribution strategies must be delineated so that any adversary understands that malicious acts crossing defined red lines will be met with punishment. Without clearly defined red lines or the threat of punishment, adversaries will not be deterred from conducting withering attacks.

Friday, December 5, 2008

NASA Pwned

According to a recent article in BusinessWeek, NASA has been the target of an ongoing campaign of cyber espionage. Specifically, the article notes,

America's military and scientific institutions—along with the defense industry that serves them—are being robbed of secret information on satellites, rocket engines, launch systems, and even the Space Shuttle. The thieves operate via the Internet from Asia and Europe, penetrating U.S. computer networks. Some of the intruders are suspected of having ties to the governments of China and Russia, interviews and documents show. Of all the arms of the U.S. government, few are more vulnerable than NASA, the civilian space agency, which also works closely with the Pentagon and American intelligence services.
These attacks are first and foremost an example of a violation of data confidentiality. In one case an attacker stole "at least 20 gigabytes of compressed data—the equivalent of 30 million pages."

John McManus, chief technology officer at NASA from 2003 through 2006, has stated, "If another country can break in and steal information about rocket motors or fuel systems, well, that's billions of dollars that can be spent elsewhere."

Additionally, the article also details an attack on system availability. According to the article, "In 1998 a U.S.-German satellite known as ROSAT, used for peering into deep space, was rendered useless after it turned suddenly toward the sun. NASA investigators later determined that the accident was linked to a cyber-intrusion at the Goddard Space Flight Center in the Maryland suburbs of Washington."

Given these penetrations and apparent tampering, it is unlikely that NASA can trust the integrity of either its data or its systems.

Other random thoughts:
  • In one case it took NASA and its contractors approximately 7 months to discover a breach on its network. This clearly demonstrates that all the technology in the world won't protect a network if the network operators are lazy, untrained, or otherwise incompetent. As the BusinessWeek article states, "had anyone been monitoring the Marshall computer networks in real time, the suspicious activity, automatically recorded on logs, would have been 'immediately evident,' NASA investigators concluded, according to a Dec. 11, 2002, report to top NASA executives."
  • Breaches were reported on NASA's network as early as 1997 - over 11 years ago! It's amazing that after 11 years security at NASA is as weak as it appears to be.

From Russia With Love

According to the Los Angeles Times, "senior military leaders took the exceptional step of briefing President Bush this week on a severe and widespread electronic attack on Defense Department computers that may have originated in Russia." Specifically, the article noted that "the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network."

This attack appears to be the reason that Pentagon officials banned the use of external flash drives on military systems. This ban was likely designed to prevent the spread of the worm between unclassified and classified networks via sneakernets.

F-Secure provides a write-up on the worm in question, known as Agent.btz, and explains how the worm spreads: "if the malware detects a new partition, or usb stick for example, it will get infected immediately." Further, the worm attempts two outbound connections in an attempt to download further binaries. The outbound connections are made to the following servers: [random digits].jpg, [random digits].jpg


According to Netcraft, is hosted in Greece and is hosted in Hong Kong. The locations of these servers are inconsequential, as the attacker likely chose them based on lax enforcement or weak security procedures by the hosting providers of the above websites, and not based on his or her geographic proximity to these malware distribution points.

The Los Angeles Times's reporting that the attack originated in Russia would indicate that the malware downloaded from these servers attempted to steal data and siphon it directly or indirectly back to attackers in Russia.

This case demonstrates two points that we will discuss throughout the semester.

  • Conducting a cyber attack is an extremely low-risk and potentially high-reward operation. The cost of failure here is extremely low. If the worm doesn't spread, the attacker simply starts over and creates a new worm or virus. Given the massive number of attacks against the Pentagon, it is unlikely that the attacker would be tracked down and held responsible for a failed attack. If the attack is successful, then the attacker can expect to steal potentially valuable information.
  • On a related note, attribution of a cyber attack is very hard. The technical evidence to date does not point definitively to a single source, as the IP addresses involved are distributed around the world. Attribution of a cyber attack requires not just technical analysis but also good human intelligence and investigative skills.

Thursday, December 4, 2008

Marching off to Cyberwar

The Economist weighs in with a wonderful piece entitled Marching off to Cyberwar.

Terrorist on YouTube

According to a recent article published by Reuters, "Islamic extremists are being instructed on how to use the popular video-sharing site YouTube as a way to disseminate propaganda videos." Specifically, online jihadists are being encouraged to participate in a "YouTube Invasion" and have been provided "several screenshots showing step by step instructions on how to create a YouTube account and to upload material."

I'm not really sure why this story is "news," as we have known for quite some time that jihadists and other terrorist groups upload propaganda videos to YouTube and other video sharing websites.

It's possible that this latest effort to create a "YouTube Invasion" is a direct response to the increasing inability of Internet jihadists to keep their primary online forums operational.

The Mumbai Attacks

Many commentators have stated that the recent terrorist attacks in Mumbai were a "low-tech" affair. On the surface this description seems apt, as the gunmen relied on automatic weapons and grenades to carry out their assault. However, an article in the Washington Post describes how the attackers made clever use of technology to aid in the execution of their attack. Specifically, the article writes:
The heavily armed attackers who set out for Mumbai by sea last week navigated with Global Positioning System equipment, according to Indian investigators and police. They carried BlackBerrys, CDs holding high-resolution satellite images like those used for Google Earth maps, and multiple cellphones with switchable SIM cards that would be hard to track. They spoke by satellite telephone.
An obvious reaction to this information is to condemn technology for enabling terrorists to increase their deadly efficiency. Many politicians have called for restrictions on technology in an effort to impede terrorists from gaining a tactical advantage. For example, Indian government officials previously worked out a deal with Google to degrade satellite imagery of select sensitive locations in India.

I have no problem with targeted and specific efforts to restrain technology out of fear that it can be abused by terrorists and other malicious actors. However, I worry that politicians may only focus on the malevolent uses of technology, causing them to overreach in an effort to regulate against potential and in many cases unrealistic abuses of technology.

It is important to remember that technology is neither inherently good nor evil. It is what people make of it, and it can be used to achieve the goals of its users - both good and bad. Interestingly, the Mumbai attacks demonstrated both the positive and the negative uses of technology. While the terrorists used technology to aid in their attack, the citizens of Mumbai also used technology to disseminate information about the attack in real time. These unfiltered first-hand accounts of the attacks, posted to sites like Twitter and Flickr, may have served to reduce panic as people were able to connect with friends and family in a timely fashion.

As a result, let's remember not to blame technology and blindly seek to regulate it.

Good Reads

From time to time I will post short reviews of books that are not required reading but are either relevant to the class or that I otherwise find interesting. I know most students do not have much time to read for pleasure, but should the class discussions prove interesting and you feel compelled to do additional research, feel free to use these reviews as a guide to further your studies.

Also, if you have read a good book that you think is suitable for class or that you found stimulating, please feel free to post about it in the comments section.

Wednesday, December 3, 2008


Welcome students! I intend to use this blog as a complement to our in-class lectures and discussions. While I rarely have epiphanies or thoughts that merit our attention, it behooves me to create a forum to record these thoughts, as I am certain they will not always come to me during class.

I will also post links to interesting articles here that will not be required but rather recommended reading. Please make it a point to drop by this blog on a weekly basis, check in on the recommended readings, and post your comments or questions as you see fit.

I look forward to exploring the exciting realm of Information Privacy with you. I run an open class and welcome your feedback whether positive or negative.