HACKTIVISM AND CYBER TERRORISM
Dorothy E. Denning
Georgetown University

Outline
• Hacktivism
• Terrorists in cyberspace
• Cyber terrorism

What is Hacktivism
• Cyber protest that includes hacking
   – cyber attack or use of software to facilitate the protest
   – not just hacking for fun and challenge
   – not just using the Internet to facilitate traditional forms of activism
• Analogies have been made with sit-ins and street protests
• Cyber terrorism would be extreme form
   – Most activists are not terrorists

Aspects
• Individual operations vs group acts -- “swarming”
• Coordinated with non-electronic protest vs
  independent, electronic activity
• Open and accountable vs secret and anonymous
• Legal vs gray vs illegal
• Specified time & duration vs unlimited assault
• May have elements of art and theater
• Usually automated with hacking tools
• Impact -- may bring about desired change or calls for
  better defense

Attraction
•   Global visibility
•   Low cost
•   Fun
•   Distance not a factor
•   Relatively easy to assemble large group
•   Internet facilitates coordination of action
•   Anonymity possible
•   Not life threatening
•   Not get thrown in jail

Trends
• Cyber attacks often accompany regional and global
  conflicts, both armed and unarmed
   – often immediately accompany physical attacks
• Politically motivated cyber attacks are increasing in
  volume, sophistication, and coordination
• Cyber attackers are attracted to high value and high
  volume targets like networks, servers, and routers

Protest Issues
•   War and conflict
•   Independence
•   Foreign policy
•   Domestic politics
•   Nuclear weapons
•   Human rights
•   Animal rights
•   Environment
•   Globalization
•   Capitalism
•   Laws and regulations
•   Taxes
•   Smoking
•   Child pornography
•   Terrorists, hate groups
•   Hacker arrests
•   Internet security
•   Echelon

Examples
•   Jam Echelon Day
•   WANK Worm
•   EDT and the Mexican Zapatistas
•   Electrohippies and WTO protests
•   Kosovo conflict
•   China-related conflicts
•   Pakistan/India conflict over Kashmir
•   Mideast conflict
•   bin Laden WTC/Pentagon terrorism

NASA WANK Worm

(ASCII-art banner displayed by the worm; text recoverable from the slide:)
WORMS AGAINST NUCLEAR KILLERS
Your System Has Been Officically WANKed
You talk of times of peace for all, and then prepare for war.



October 1989, just before launch of shuttle carrying Galileo probe.
Booster system was fueled with radioactive plutonium.
Took weeks to eradicate and cost NASA $500,000.

Electronic Disturbance Theater (EDT)
• Support for Mexican Zapatistas
• Developed FloodNet software (Java applet) to automate
  Web “sit-ins”
   – participants point browsers to FloodNet site
   – can send message to target’s log
• Existence since December 1997
   – tens of thousands of participants
• Operations viewed as acts of civil disobedience as
  articulated by Thoreau in 1848
• Operating at intersection of
   – radical politics
   – recombinant and performance arts
   – software design

EDT Targets & Reasons
• Mexican President Zedillo’s site
• US White House
   – support for Mexican govt, strikes/sanctions against Iraq
• Pentagon and School of the Americas
   – trained soldiers carrying out human rights abuses
• The Frankfurt Stock Exchange
   – represented globalization - “root of Chiapas’ problems”
• Mexican Embassy in the UK
   – part of June 18, 1999 International Day of Protest
• Starbucks
• World Economic Forum

June 18, 1999 International Day of Protest
•   Anti-capitalism protest
•   Physical and Electronic Activity
•   Coordinated from J18 Web site
•   Hacker attacks against 20 companies
    – More than 10,000 attacks over 5-hour period
• Web sit-ins
  – EDT at Mexican Embassy in London
        • 18,615 participated from 46 countries
        • 7.4% from .mil accounts (some DISA)
• Marches, protests in London, Austin, elsewhere
  – physical damage and arrests

EDT Impact
• Considerable press, drawing attention to issues
• EDT approach and software used by other groups
   – over 800 animal rights activists staged sit-in at Web
     sites in Sweden
• Raised issues about legality of sit-ins and legality
  of strike-back defenses
   – Pentagon fought back with HostileApplet

Electrohippies Philosophy
• Mission - to assist the process of change towards a
  more fair and sustainable society using only electrons
• Actions being protested must be reprehensible to
  many, not just small group
   – democratic accountability - people vote with modems
• Event used to justify DoS attack must provide focus
  for debate (e.g., WTO conference)
• Must substitute the deficit of speech by one group
  with broad debate on issues
   – Cult of the Dead Cow said e-hippies rationalize DoS attacks
     and violate opponents’ rights of free speech and assembly
• Openness and accountability
   – announce in advance & no hiding behind encryption
• Broad view of hacktivism

Electrohippies DDoS Tools
• Client-side DDoS (vs. server-side DDoS)
   – Real people (vs. zombies on compromised servers)
   – Lots of people must participate for impact
   – Democratic accountability
• Distribution
   – Javascript on their Web site
   – client software via e-mail
• Allow selection of
   – hit rate
   – targets by date and international time zone

E-hippies E-mail Compositor
• Used in letter-writing campaign to Welsh Assembly to
  protest superstore proposals
   – Supporting the Dinefwr Green Group
   – Concern is that superstores will push out small, local shops
• Pre-programmed with 8 “arguments” on why Welsh
  Assembly should call in 2 development applications for
  public inquiry
• Public can go to web page and
   –   Enter name, address, phone #
   –   Select member of Welsh Assembly or committee chair
   –   Select between 1 and 8 of the arguments
   –   Press button to compile and print letter

Electrohippies WTO Sit-in
• Coincided with WTO protests in Seattle in late 1999
• Hits at their sit-in site
   – November 30:    105,635
   – December 1:     137,114
   – December 2:     ?
• Estimated 452,000 people participated
• Disrupted for 4-5 hour stretches
• WTO’s hosting service, Conxion, fought back
   – redirected packets back to e-hippies server
   – compared to denying mail and returning to sender

Electrohippies “E-Resistance is Fertile”
• Part of international week of protest “Resistance is
  Fertile” against genetically modified foods
• April 1: perception management op against Steven J.
  Milloy, operator of the Junk Science Web site
• April 3-7: launched “email lobby compositor” to
  send protest messages to targeted companies
• April 6: cancelled remaining following poll results:
   – 42% for, 29% against, 29% don’t know
• April 8-9 (planned): server log rant campaign - flood
  server logs of targets with protest messages
• April 10-12 (planned): DoS action against Web sites
  and e-mail servers

http://www.fraw.org.uk/ehippies/tools/ho_d3os/d3os_system.html

Kosovo Conflict
• Web defacements
   – Kosovo Hackers Group put “Free Kosovo” banners on 5+ sites
   – Team Spl0it said “stop the war”
   – Chinese hackers protested Embassy bombing
• Disruptions to servers
   – NATO web and e-mail servers subjected to sustained attacks
      • DoS, DDoS, e-mail bombardment
   – Serb Black Hand group crashed Kosovo Albanian Web site and
     planned daily actions against NATO computers

led to several web defacements

China-Related Hacker Wars
•   Japan over Rape of Nanking
•   Taiwan over Taiwan independence
•   US over Embassy bombing in Kosovo
•   US over spy plane incident

China – Japan Cyberwar
• Chinese hackers attacked Japanese websites 1/23/00
• Protested conference held by Japanese right-wing
  group on The Verification of the Rape of Nanking
  (called “the Biggest Lie of the 20th Century”)
   – Official and non-official requests from China to cancel
• Nearly every major Japanese government site hit
• Deleted files, posted messages of opposition, and
  inserted links to porn sites
• Chinese Extreme Right-Wing Anti-Japanese Alliance
  claimed 30 attacks between 1/24 & 2/13 as part of
  “anti-Japanese” war
• More attacks a year later in response to call on a
  Chinese website

China – Taiwan Cyberwar
• Started in July 1999 when Taiwan President Lee
  Teng-hui called for bilateral ties to be conducted
  on a special “state-to-state” basis
• Hacktivists on both sides defaced each other’s
  Web sites
• On eve of March 18, 2000 elections, Taiwan said
  they had discovered 7,000 attempts by hackers to
  enter Taiwan’s security systems
   – concerned that China could disrupt elections with DoS
     attacks and e-mail bombs

Spy Plane Incident (April 1, 2001)
• Organized, sustained cyber attacks, mainly 4/28/01-5/8/01
   – White paper by iDefense <http://www.idefense.com/papers.html>
• Pro-Chinese hackers most active
   – Organized groups included
       • Hacker (Honker) Union of China (HUC), led by +Lion+
       • China Eagle group, led by Chineagle (organizer)
           – members in Macao, South Africa, Germany, Japan, Australia, US
       • Green Army Corps
   – Internet postings and IRC to plan and coordinate assault
   – Defaced about 1,000 US sites; launched worm
   – E-mail floods and DDoS attacks against White House, CIA
• Pro-US hackers probably started it
   – Included pr0phet, Hackweiser, World of Hell
   – Defaced about 200 Chinese sites

QFZ 3.0 E-mail Flooding Tool
(screenshot of the tool; visible field label: “# times to send”)
Distributed by Chinese hackers in cyber skirmish over spy plane

Pakistan/India Conflict Over Kashmir

• Pro-Pakistan web defacements against Indian sites
  by Pakistan Hackerz Club and others
   – 45 in 1999
   – 133 in 2000
   – 275 in 2001

Mideast Cyberwar
• Erupted in October 2000 after Hezbollah abducted 3 Israeli soldiers
• Pro-Israeli hackers attacked Hezbollah website
     – was displaying images of Palestinians killed and calling on Palestinians to
       kill Israelis.
     – hackers put up images of Israeli flag, Hebrew text, and recording of
       national anthem
•   Pro-Palestinian hackers shut down Israeli government websites
•   And so on with DoS assaults and web defacements
•   Pro-Palestinian actors engaged in multi-phased attack
•   Report of Palestinians trying to hack into Israeli air traffic control
    system to shut down airports

Cyber Attacks During the War on Terrorism, ISTS Dartmouth report, Sep 2001

Extent of Mideast Cyberwar
• From October 2000 - January 2001 [iDefense]
• Pro-Palestinian attackers hit 166+ websites
   – Commercial sector hit hardest (51%)
• Pro-Israeli attackers hit 34+ sites
   – Terrorists/extremists (Hamas, Hezbollah) hit hardest (39%)
• 16+ tools used – posted on supporting websites
• Attackers from 23 countries hit 8 governments
   – 10+ pro-Israeli actors (groups, individuals)
   – 30+ pro-Palestinian actors (groups, individuals)
       • Unity, Muslim extremists with ties to Hezbollah
       • al-Muhajiroun, Muslim extremists with ties to bin Laden
        • 4-phases: 1) Israeli government sites, 2) Tel Aviv stock exchange and
          Bank of Israel, 3) Israeli ISP infrastructure, 4) Zionist e-commerce sites

September 11 Inspired Actions

Launched by Kim Schmitz (since arrested on unrelated charges)

seeking corporate networks to hack – electronic equivalent of cyber training camps

one of their web defacements

Defaced by Fluffi Bunni

Defaced by Fluffi Bunni

www.taleban.com defaced 9/13/01

www.talibanonline.com defaced 10/22/01

Dispatchers
• Group of 60 people world-wide
• Led by 21-yr-old Ohio security worker “Hackah Jak”
• Targeting nations that support terrorists
• Plans to destroy web servers and Internet access in
  Afghanistan
• Defaced 200-300 websites and launched DoS attacks
    –   Iranian Ministry of Interior
    –   Presidential Palace of Afghanistan
    –   Palestinian ISPs
    –   company with offices in WTC (accident)

Oct 17, 2001 defacement of National Oceanic & Atmospheric Administration

Their Demands

Oct 20, 2001 defacement of Defense Test and Evaluation Professional Institute
http://defaced.alldas.de/mirror/2001/10/20/www.dtepi.mil

.mil defacement Oct 27, 2001, last archived GF defacement

Americans be prepared to die

YIHAT vs GForce

Al-Qaeda Alliance Online
• Formed post Sep 11
• Members
  – GForce Pakistan
     • 212 defacements in alldas.org defacement mirror
  – Pakistan Hackerz Club
  – Anti India Crew

WTC (Vote) Worm
• Subject “Fwd: Peace BeTweeN AmeriCA and IsLaM!”
• Body
    “Is it a war against America or Islam. Let’s Vote to live in peace.”
• Attachment: wtc.exe
• Overwrites web documents with message
    “AmeRiCa … Few Days WiLL Show You What We Can Do!!! It’s Our Turn
      >>> ZaCkEr is So Sorry For You.”
• Formats hard drive and leaves message
    “I promise that we will rule the world again … by the way your are captured
       by Zacker.”
• Tries to download and install Backdoor.Trojan
• E-mails itself to everyone in Outlook address book
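The indicators on this slide (subject line, body text, wtc.exe attachment) are enough for a mail-gateway check. The following is an added example, not code from the original slides; the two sample messages are constructed, and the quarantine rule (attachment name alone, or subject plus body together) is an assumption chosen to survive a renamed attachment.

```python
# Added example (not part of the original slides): flag mail matching the
# WTC (Vote) worm indicators listed above. Sample messages are constructed.
from email import message_from_string
from email.message import Message

WTC_SUBJECT = "fwd: peace between america and islam!"   # compared case-insensitively
WTC_BODY_FRAGMENT = "vote to live in peace"
WTC_ATTACHMENT = "wtc.exe"


def attachment_names(msg: Message) -> list:
    """Lower-cased filenames of every part that carries a filename."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name.lower())
    return names


def body_text(msg: Message) -> str:
    """Concatenated, lower-cased text of all text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", errors="replace"))
    return " ".join(chunks).lower()


def wtc_worm_indicators(raw: str) -> dict:
    """Return which of the slide's indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    hits = {
        "subject": subject == WTC_SUBJECT,
        "body": WTC_BODY_FRAGMENT in body_text(msg),
        "attachment": WTC_ATTACHMENT in attachment_names(msg),
    }
    # Assumed policy: the attachment name alone is decisive; subject and body
    # together are also treated as a match in case the attachment was renamed.
    hits["quarantine"] = hits["attachment"] or (hits["subject"] and hits["body"])
    return hits


# Constructed sample mirroring the slide's indicators (payload is dummy bytes).
WORM_SAMPLE = """\
From: someone@example.invalid
To: victim@example.invalid
Subject: Fwd: Peace BeTweeN AmeriCA and IsLaM!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Is it a war against America or Islam. Let's Vote to live in peace.
--XYZ
Content-Type: application/octet-stream; name="WTC.EXE"
Content-Disposition: attachment; filename="WTC.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

# Constructed benign sample.
BENIGN_SAMPLE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Re: lunch
Content-Type: text/plain; charset="us-ascii"

Noon works for me.
"""

if __name__ == "__main__":
    print(wtc_worm_indicators(WORM_SAMPLE))
    print(wtc_worm_indicators(BENIGN_SAMPLE))
```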

Terrorists and the Internet
• Extensive use of the Internet
   – e-mail, etc
   – Web
• Use of information hiding tools
   –   cyber cafes, libraries, Kinkos
   –   anonymous accounts
   –   use of code words
   –   encryption
   –   maybe steganography
• Little if any hacking

Terrorists and Email
• Sept 11 hijackers sent e-mail
   – used public sites - libraries, cyber cafes, Kinkos
   – used anonymous accounts - Hotmail
• Shoe bomber sent e-mails before his flight
• Kidnappers of Wall Street Journal reporter Daniel
  Pearl sent demands via e-mail

Terrorists and the Web
• Terrorist groups and supporters have Web sites
• Use the Web to communicate, find information, book
  tickets, research crop dusters, etc.
• al Qaida used Web to gather information about critical
  infrastructures, including utilities
• al Qaida searched for information on SCADA systems
  used to control water supply and waste management
  facilities
• Terrorists recruiting members on Web
• FBI issued advisory warning of potential threats from
  posting sensitive information on Web sites.

Hizbollah website

Tracking Terrorists on Web
• Guido Rudolphi
   – Swiss operator of Netmon Inc
   – tracking terrorists on Internet
• Found Web site of Ould Slahi
   – Slahi had been tied to millennium bomb plot at LAX and September 11 attacks
   – Slahi also operated an Internet cafe
   – Slahi had guestbook on his Web site
      • guestbook may have been used by terrorists to communicate
   – Activity on site peaked right before 9-11

Ould Slahi’s Website

http://www.cnn.com/2002/US/03/06/al.qaeda.internet/index.html

Terrorists and Encryption
• Ramsey Yousef
    – mastermind of 1993 WTC bombing & bin Laden associate
    – encrypted files on laptop held plans for additional attacks
• Wadih El Hage
    – convicted in 1998 E. Africa Embassy bombings
    – sent encrypted e-mails to associates of al-Qaida
• Aum Shinrikyo cult
    – conducted 1995 sarin gas attack on Tokyo subway
    – encrypted files had plans to use WMD against US and Japan
• UK-based Sakina Security Services Ltd
    – website offered Islamic military training, had terrorist connections
    – site gave out PGP public key to users
• al Qaida computer acquired by reporter
    – 40-bit encryption broken
    – found information on chemical weapons program

Terrorists and Steganography?

Terrorist Cyber Attacks
• Few known cyber attacks by terrorists
• Khalid Ibrahim, a member of the militant Indian
  separatist group Harkat-ul-Ansar, tried to buy
  military software from hackers in late 1998
• Provisional IRA hired hackers to penetrate British
  government computers to get home addresses of
  law enforcement and intelligence officers.
   – planned to kill officers in “night of the long knives” if
     British government didn’t meet terms for cease-fire

Internet Black Tigers offshoot swamped Sri Lankan embassies with 800 e-mail
messages/day for 2 weeks

Characterized as first known attack by terrorists against a country’s computer systems

al Qaida Cyber Threats
• After Sep 11 attacks, bin Laden allegedly told Hamid Mir
  (ed. Ausaf newspaper)
   – “… hundreds of Muslim scientists were with him and who would
     use their knowledge in chemistry, biology and (sic) ranging from
     computers to electronics against the infidels.”
• Mohammad Razzak, suspected member of al Qaida, said
   – terrorists had penetrated Microsoft (by gaining employment) and
     attempted to plant Trojan horses and bugs in XP.
   – Microsoft responded that claims were “bizarre and
     unsubstantiated”

Cyber Terrorism
• DOD definition of terrorism [Joint Pub 1-02, DoD reg O-2000.12-H]
     “The calculated use of unlawful violence or the threat of unlawful
      violence to inculcate fear; intended to coerce or to intimidate
      governments or societies in the pursuit of goals that are generally
      political, religious, or ideological.”
• Cyber terrorism – two possible extensions to cyberspace
    – The calculated use of unlawful cyber attacks or the threat of
      unlawful cyber attack to inculcate fear; intended to coerce or to
      intimidate governments or societies in the pursuit of goals that are
      generally political, religious, or ideological.
    – Achieving or threatening violence through cyber attacks

NPS Cyberterrorism Study
• Center for the Study of Terrorism and Irregular Warfare,
  Naval Postgraduate School (CSTIW/NPS)
• Report: Cyberterror: Prospects and Implications, August
  1999
• Assessed prospects of terrorist organizations pursuing
  cyber terrorism
• Cyberterror defined as: unlawful destruction or disruption
  of digital property to intimidate or coerce governments or
  societies in pursuit of goals that are political, religious, or
  ideological.

Conclusions of NPS Study
• Barrier for entry for anything beyond annoying
  hacks is high
• Terrorists generally lack the wherewithal &
  human capital
• Cyberterrorism is thing of future, but might be
  pursued as ancillary tool

Levels of Cyberterror Capability
• Simple-unstructured
   – Conduct basic hacks using available tools
• Advanced-structured (2-4 years to develop)
   – Conduct more sophisticated attacks against multiple
     systems/networks; create or modify tools; target
     analysis, C2, learning
• Complex-coordinated (6-10 years to develop)
   – Coordinated attacks causing mass disruption against
     integrated, heterogeneous systems; create sophisticated
     tools; advanced target analysis, C2, learning

Terrorist Types
• Religious
   – Most likely to seek complex-coordinated (most damaging)
     capability (consistent with indiscriminate application of violence)
• New Age, single issue
   – Settle for disruption
• Ethno-nationalist separatist
   – Likely to seek advanced-structured
• Revolutionary
   – Likely to seek advanced-structured
• Far-right extremists
   – Settle for simple-unstructured (cyberterror doesn’t offer intimacy
     or cathartic effects central to far right terror)

CSTIW/NPS Conference
• Held in Paris in May 2000
• Objective: examine decision making process that
  leads sub-state groups engaged in armed resistance
  to develop new operational methods
   – will they engage in cyberterrorism?
• Participants included former and active members
  of terrorist groups and a hacker
• Report by David Tucker: The Future of
  Resistance: Cyberterror? Mass Destruction?

Participants
• Practitioners (5)
   –   PLO (1, now serving in PA)
   –   Basque Fatherland and Liberty-Political/Military (ETA-PM) (2)
   –   Liberation Tigers of Tamil Eelam (LTTE) (1)
   –   Revolutionary Armed Forces of Colombia (FARC) (1)
• Hacker (1)
• Academics (11)
• UN member (1)

Agenda
• Day 1 – presentations
• Day 2 – simulation based on Chechnya
   – 3 groups:
      • Chechen resistance in Chechnya
      • Chechens and sympathizers in Moscow
      • Control team – Russian government, rest of world
   – Chechen groups asked to develop strategies
      • one involved attack on Russian Stock Exchange
• Day 3 – reports

Conference Conclusions
• IT not used to cause mass disruption
   – prefer to target selectively and limit effects
• Cyber terror may be an attractive non-lethal weapon
• Information and communications revolution may lessen
  need for violence
   – easier to get message out by other means
• Terrorists not yet integrated IT into strategy and tactics
• Significant barriers between hackers and terrorists may
  prevent their integration into one group
   – disagreed over tactics (using computer network attacks)
• Weakness and isolation could lead group to launch a mass
  casualty attack

Conclusions
• Systems are vulnerable to serious attack
   – especially via insiders and outsourcers (e.g., Aum cult)
• Cyber attacks are increasing in volume and impact
• Methods of attack are easy to learn and acquire, and tools
  are easy to acquire
• Politically inspired attacks are increasing
• Terrorist use of cyberspace is increasing
   – there will be terrorists with computer hacking skills
• Few indicators of terrorists planning cyber attacks of a
  “terrorist” nature, but on radar screen
• Hacker affiliates/sympathizers will engage in disruptive
  and costly nuisance attacks, maybe worse

Contact Information
Dorothy E. Denning
Computer Science Department
Reiss 238
Georgetown University
Washington DC 20057
Ph: 202-687-5703, Fax: 202-687-1835
denning@cs.georgetown.edu
http://www.cs.georgetown.edu/~denning