INDEX
Title page
Index
Executive Summary
Introduction
Body
Bibliography
HACKTIVISM & CYBERWARFARE
Executive Summary

Cyberwar used to be an elusive, almost futuristic idea, but it has become very real within the last decade and now sits near the top of national security concerns in several countries. We have seen attacks on entire countries, on some of the largest corporations and organizations in the world, and on specific pieces of critical infrastructure. With the mass availability of the Internet and of information, joining a cyberwar is within the reach of practically anybody who cares to take part. This allows for bigger protests than any physical one so far, which would be limited by geographic location and space, by the number of people available and by the intimidation tactics of those opposing the protest. Our world has changed drastically since the introduction and widespread use of the Internet, and again with the arrival of Wikileaks and Anonymous on the scene. This paper discusses the background to these attacks and describes a few of them.

Introduction

Our physical world is slowly merging with its digital counterpart. With technology progressing at exponential rates, and with generations of children who have never known a time when computers and the internet were not a seamless part of everyone's lives, we are at a point of no return. What was unimaginable only thirty years ago (or less) is now as routine as breathing to many people. Online banking, dating, social networking, schooling and working are so popular that they have affected our language, globalization, the way we interact with each other and even the way we see life. Law enforcement has started to investigate robberies of virtual homes, cyber bullying and other electronic crimes that were committed from a keyboard but have real, observable effects in our physical world.
Considering the level of integration we face today, the anonymity that comes with the internet and the distances involved (as well as the jurisdictional problems that arise from them), it is not hard to see why criminals have been turning to the internet for their dirty work. Law enforcement is usually a step behind when it comes to high-tech crime, and criminals know this well. Technology is merely a tool, neither evil nor moral; the people using it have those attributes and can use the tool in whichever way they want. While it enables criminals, it has also helped police forces find and investigate people.
These cyber criminals are not even necessarily "hackers" any more. Much of their activity is facilitated by coders who develop exploit scripts and make them publicly available. The term hacker originally meant a coder, somebody talented with computers (back when they were not as easily usable by the general populace), or simply somebody 'hacking' away all day at a keyboard. Once the hacker phenomenon got media attention, hackers were demonized and the term became infamous. Self-proclaimed hackers who upheld a strong code of honour, or "hacker ethic", started coming up with new terms to differentiate themselves from the cyber pirates the media made them out to be: white-hat and black-hat hackers, hackers versus crackers, and so on. Both groups shared some ideological values, such as freedom of information, but differed in their methods for achieving that goal. Just as wars have brought about new inventions and improvements to existing technologies, traditional hackers feel they contribute in a similar way to our digital world. With computers now capable of storing enormous amounts of data and performing a ridiculous number of calculations per second, software developers (or coders) are free to produce ever more bloated and fancy-looking applications for these machines and their users. Software is built upon, and expected to interact with, other software, often from other companies. This immense amount of code and interaction is what gives rise to vulnerabilities. A vulnerability is a weakness in the design or implementation of software that allows a malicious (or merely curious) individual to make the application produce unexpected or unintended results. Those results often amount to access to information, or to the systems it resides on, that the user is not supposed to have. The verb used for taking advantage of such a vulnerability is "exploit".
The noun refers to a script, written by a coder, that attacks a specific weakness in the system. Each exploit is a threat, and today's administrators are inundated with constantly released patches and fixes that attempt to plug the holes that allow the exploits to work. Patches are merely one form of risk mitigation, alongside firewalls that block intrusion attempts, intrusion detection and intrusion prevention systems, insurance, employee awareness and training, system hardening (tweaking settings to make a system more secure), physical site security, backups and so on. However, no computer can ever be totally secure. The more one secures a system, the more (unreasonably) expensive it becomes to do so and the less usable the system becomes. After all, a turned-off computer, encased in cement at the bottom of an ocean, is quite secure, but of no use to anybody. Security, while very important, is an extremely tough sell, as most people do not concern themselves with it until a breach has occurred. The return on investment looks like zero unless one counts the potential future damages it prevents, or until a breach actually occurs. Unfortunately, only people with bad past experiences, security-minded professionals, paranoid people and IT admins who can think like economists (in terms of opportunity cost) tend to be concerned with it. The internet itself was built on protocols designed with reliability in mind and almost total disregard for security. This laissez-faire attitude, prevalent throughout our combined physical and digital worlds, makes them the perfect playground for criminals.
The types of crime that have become so common on the internet that most people just shrug them off include phishing, spear phishing, DoS attacks, DDoS attacks, spam, scams, vishing, many types of hijacking, trojans, viruses, worms, spyware, adware, bots and botnets, password cracking and unauthorized access, identity theft, money laundering, social engineering, and a plethora of other attacks. These attacks may be motivated by boredom, a desire for kudos in the underground community, financial gain, curiosity or politics (the last being known as hacktivism). Spam is simply unsolicited junk email, which may advertise legitimate products or be combined with many different kinds of scam or scheme. Phishing is a type of spam that attempts to fool you into submitting personal information (such as passwords, identity details or financial records) to a fake copy of the website you believe you are submitting it to. Spear phishing is a more targeted version in which the messages are directed at people more likely to respond to the content (for example, writing them in Spanish because of a guess about the recipient's nationality from their family name). Since telephone services have moved from the classic POTS (plain old telephone system, the telephone network as we originally knew it) to voice over IP, the same concept was coined vishing for phishing done over the telephone. Hijacking comes in many forms: bluejacking for Bluetooth, blackjacking for BlackBerry devices, sidejacking for web sessions (such as Hotmail), browser hijacking (for URL redirects), and many others. Spyware is software that collects information about an individual and their habits, usually for marketing purposes. Adware causes pop-up advertisements (for legitimate and scam products alike). A trojan allows remote access to a machine by masquerading as a useful application while carrying out another, hidden task in the background without the user's knowledge. Viruses are simply malicious code that carries out undesirable effects on a system. A logic bomb is malicious code that lies dormant until a trigger, usually a specific date, sets it off. A worm is malware that propagates itself over networks without any user action. Money laundering involves moving money obtained through criminal activity through several systems so as to obscure its origin or make it usable in the real world; these days this is often done with gift cards and prepaid credit cards. Identity theft is one of the biggest crimes today and can take many forms.
One can buy full or partial identities on the 'darknet' (which, in our whole computer crime degree, I have yet to actually see), which likely consists mainly of IRC servers where people of similar interests come to chat, and is unlikely to reside on forums any more, as Mark Fenton told us that they all know law enforcement is all over the forums. Identities are worth varying amounts of money depending on the person's nationality, importance, the completeness of the identity information, their financial wealth and so on. Identity theft carries very little penalty these days (the maximum fine is $2000, yet one can sell someone's house from under their feet). Social engineering targets what is usually the weakest link of the system: the user. It works by dropping certain information into a conversation and manipulating the person into trusting you or inadvertently giving up sensitive or useful information. A small example would be mentioning the Canucks' score to a die-hard fan to put him in a better mood before asking for something. Kevin Mitnick, possibly the most infamous hacker, wrote a book about social engineering called The Art of Deception which rocked the banks' world (my mother at JPMorgan Chase told me that a memo was sent out recommending the book and that it caused big changes to occur internally at her bank). Bots is a term denoting 'robots', not dissimilar to zombies. Bots were originally beneficial programs enlisted to make people's stay in IRC chat rooms more pleasant by providing greetings, services or even games. It wasn't long, however, until they started being used for malicious purposes: made to infect people's computers and use their computing power and bandwidth to connect back to a secret IRC channel (or 'room') from which a bot herder or master could send commands to each one, causing them to perform operations for him without the victim's knowledge.
If a bot herder controls many of these bots (known as 'owning' the machines), the collection is called a botnet. Botnets have come a long way and no longer have a single point of failure or a traditional centralized command and control architecture. Instead they use encryption and peer-to-peer networking, can spread and update themselves, and can dynamically generate new domain names to connect to in cycles so as to elude law enforcement (although researchers did an impressive job temporarily taking over the Torpig botnet). Password cracking is the means by which one attacks a password using brute computing power, a dictionary, or rainbow tables (large precomputed tables that map password hashes back to the passwords that produced them, which work against unsalted hashes; storing hashes rather than plain passwords was meant to make passwords more secure, and adding a random per-user salt restores most of that protection by making precomputed tables useless). A brute-force password attack against a web server's login page could well take the server down, just as in the case of a denial of service attack, which is discussed next.

DoS stands for denial of service, because the attack attempts to make a service or resource unavailable (usually on a server, as these machines' primary purpose is to provide services). This is basically a flood of traffic that either crashes the service or uses up all its resources. The floods can consist of many different kinds of packets and are thus known by different names, such as SYN flood or ping flood. SYN is the TCP flag that opens a connection: a SYN flood sends large numbers of connection-opening packets, often from spoofed source addresses, so that the server keeps piling up half-open connections waiting for the rest of a handshake that never comes. TCP is simply the protocol used to carry most information over the network. Ping floods consist of ICMP echo requests (the replies they provoke add to the load). Ping is a service often used by network technicians to check whether a host (computer) is up and reachable from the computer he or she is typing on. Sometimes pings are used to test connectivity to the internet in general by pinging a site that is likely to be always up (Google comes to mind). One kind of DoS attack is known as a smurf attack. This is an asymmetric attack in which the attacker (or script kiddie) sends ICMP echo requests to the directed broadcast address of a network (the address that reaches all computers on that network, for example 192.0.2.255 on a /24; FF:FF:FF:FF:FF:FF is the broadcast address at the MAC layer rather than an IP address and is not what is used here). Routers that are misconfigured to forward directed broadcasts deliver the request to every host on that network, which acts as an amplifier for the traffic. In addition, the packets are sent with a spoofed (faked) source IP address that is actually the victim's, so every host on the amplifier network sends its reply to the victim; a single request is multiplied into as many replies as there are live hosts, which can be debilitating for the victim's network and the hosts attached to it. A nuke is an old example of a DoS attack from the Windows 95 days which used malformed fragments of ICMP packets that, when repeatedly sent to a victim's machine, caused the Blue Screen of Death (Windows fatal error), requiring a reboot (not a strong attack against an individual, but if it works on a high-profile machine, significant costs could be incurred).
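The password-cracking paragraph above distinguishes brute force, dictionary attacks and rainbow tables. The following Python is an added example, not code from the original paper, that runs all three against constructed sample hashes and then shows why a random per-user salt defeats the precomputed table: the attacker is forced back to hashing the whole wordlist once per user. The usernames, wordlist, hashes and salts are all made up for the example; MD5 is used only because unsalted MD5 is the kind of hash rainbow tables were built against.

```python
import hashlib
import itertools
import string

# Constructed sample data for the example: a tiny wordlist and a few "leaked"
# unsalted MD5 hashes. None of this comes from a real breach.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "dragon"]
ALPHABET = string.ascii_lowercase + string.digits


def md5_hex(text: str) -> str:
    """Unsalted MD5, the kind of hash rainbow tables were built against."""
    return hashlib.md5(text.encode()).hexdigest()


LEAKED_UNSALTED = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("hunter2"),
    "carol": md5_hex("z9q"),   # not in the wordlist; only brute force finds it
}


def dictionary_attack(leaked, wordlist):
    """Hash every candidate word and compare it with every leaked hash."""
    found = {}
    for word in wordlist:
        digest = md5_hex(word)
        for user, target in leaked.items():
            if digest == target:
                found[user] = word
    return found


def brute_force(target, alphabet, max_len):
    """Try every string over `alphabet` up to `max_len` characters: pure
    computing power, feasible only for short passwords or small alphabets."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if md5_hex(candidate) == target:
                return candidate
    return None


def build_lookup_table(wordlist):
    """Precompute hash -> password once and reuse it against every leak.
    This is the plain lookup-table form of the idea; real rainbow tables
    compress the same mapping into hash chains so it fits on disk."""
    return {md5_hex(word): word for word in wordlist}


def table_attack(leaked, table):
    """No hashing at attack time at all: just look each leaked hash up."""
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def salted_hash(password: str, salt: bytes) -> str:
    """Store hash(salt || password) with a different random salt per user.
    The same password then hashes differently for every user and every site,
    so a table precomputed without the salt never matches."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Fixed salts so the example is reproducible; real systems use os.urandom(16).
LEAKED_SALTED = {
    "alice": (b"\x01" * 16, salted_hash("letmein", b"\x01" * 16)),
    "bob": (b"\x02" * 16, salted_hash("hunter2", b"\x02" * 16)),
    "carol": (b"\x03" * 16, salted_hash("z9q", b"\x03" * 16)),
}


def attack_salted(leaked_salted, wordlist):
    """With salts the attacker is back to hashing the wordlist once per user.
    Returns what was cracked and how many hashes had to be computed."""
    found, work = {}, 0
    for user, (salt, target) in leaked_salted.items():
        for word in wordlist:
            work += 1
            if salted_hash(word, salt) == target:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("dictionary:", dictionary_attack(LEAKED_UNSALTED, WORDLIST))
    print("brute force (carol):", brute_force(LEAKED_UNSALTED["carol"], ALPHABET, 3))
    print("precomputed table vs unsalted:", table_attack(LEAKED_UNSALTED, table))
    print("precomputed table vs salted:",
          table_attack({u: h for u, (_, h) in LEAKED_SALTED.items()}, table))
    print("wordlist re-run per salt:", attack_salted(LEAKED_SALTED, WORDLIST))
```

The precomputed table cracks the unsalted hashes without computing a single hash at attack time, which is the whole point of a rainbow table; against the salted store it matches nothing, and the attacker has to spend one wordlist pass per user instead. Carol's short random password is outside the wordlist and only falls to the exhaustive search, which is why length and alphabet size, not just "not in a dictionary", decide how long a password survives.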
The distributed version (DDoS) involves any form of DoS attack that originates from many sources simultaneously. This makes the attack asymmetric, as the volume of traffic received by the victim can be immense given the number of connections and the bandwidth available to each attacker. This type of attack is extremely difficult to mitigate (one can try firewalls, IPS, load balancing, rate limiting per source, or having an upstream provider absorb the traffic). Often the only way to 'stop' the attack is to shut the service down, which is precisely the aim of the attack (self-defeating). A DDoS can be done using a botnet with lots of unsuspecting zombie hosts attacking the target from all over the world (traditionally the most likely method), a combination of botnets (a coordinated attack), or by simulating many sources. The last can be done with the port scanner nmap. This application scans any reachable host specified for a list of predefined ports, to check whether they are listening for connections. Open ports usually indicate a running service on the machine (such as port 80 for HTTP, i.e. serving web pages to the public). The port numbers are standardized, but they can be changed manually, either for slight security through obscurity or for custom configuration purposes. When computers running different operating systems are sent a combination of malformed or legitimate packets, they respond in subtly different ways and can thus be identified to a certain extent (OS fingerprinting). An example of a scan type is the Christmas tree (Xmas) scan, in which nmap lights up the FIN, PSH and URG flags of the TCP header together; more generally, a probe with contradictory flags such as SYN and FIN in the same packet makes no sense, since one indicates the start of a connection and the other its end, and different TCP stacks react differently to such nonsense. Nmap offers a lot of flexibility with its scan options, and one of these is the decoy option. By appending -D followed by a comma-separated list of IP addresses, one can make nmap send the scan packets with several spoofed source IP addresses in addition to the real one.
Since this is really intended as a tactic for concealing the true source of the scan (rather than for DDoS purposes), one's own IP is included in the list, as one needs to receive the responses from the target machine so that the results can be interpreted (for reconnaissance or penetration testing purposes). The target, however, will reply to every spoofed IP on the list (unless it is configured to ignore the type of scan being used against it), generating a large amount of traffic and potentially causing it to slow down or crash. At the same time, the spoofed IPs could belong to hosts that are offline, or to online hosts that would simply send a RST packet back (ending the connection immediately), so the amplification is limited.
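The SYN flood, the smurf attack, the Xmas scan and the decoy scan described above all look different from the target's side, and a defender can tell them apart from nothing more than source, destination, protocol and flag fields. The Python below is an added example, not code from the original paper or from nmap, that runs simple detection rules over a constructed packet log; the addresses are documentation ranges and every record is made up. It goes slightly beyond the text in that the same rule that catches the decoy scan also catches any group of hosts probing one target in lockstep.

```python
import ipaddress
from collections import defaultdict

# Monitored network for the example (documentation range, an assumption).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed packet log, one packet per line: src dst proto dport flags
# flags = TCP flag letters (S syn, A ack, F fin, P psh, U urg, R rst) or the
# ICMP message type. Not a real capture.
SAMPLE_LOG = """\
198.51.100.7 192.0.2.10 tcp 80 S
198.51.100.7 192.0.2.10 tcp 80 A
203.0.113.1 192.0.2.10 tcp 80 S
203.0.113.2 192.0.2.10 tcp 80 S
203.0.113.3 192.0.2.10 tcp 80 S
203.0.113.4 192.0.2.10 tcp 80 S
203.0.113.5 192.0.2.10 tcp 80 S
198.51.100.50 192.0.2.255 icmp 0 echo-request
203.0.113.9 192.0.2.20 tcp 22 FPU
203.0.113.9 192.0.2.20 tcp 22 SF
10.9.9.1 192.0.2.30 tcp 22 S
10.9.9.1 192.0.2.30 tcp 80 S
10.9.9.1 192.0.2.30 tcp 443 S
10.9.9.2 192.0.2.30 tcp 22 S
10.9.9.2 192.0.2.30 tcp 80 S
10.9.9.2 192.0.2.30 tcp 443 S
10.9.9.3 192.0.2.30 tcp 22 S
10.9.9.3 192.0.2.30 tcp 80 S
10.9.9.3 192.0.2.30 tcp 443 S
"""


def parse_log(text):
    pkts = []
    for line in text.splitlines():
        src, dst, proto, dport, flags = line.split()
        pkts.append({"src": src, "dst": dst, "proto": proto,
                     "dport": int(dport), "flags": flags})
    return pkts


def classify_tcp_flags(flags):
    """Name what a TCP flag combination suggests."""
    bits = set(flags)
    if bits == {"F", "P", "U"}:
        return "xmas"       # nmap -sX: FIN, PSH and URG lit up together
    if not bits:
        return "null"       # nmap -sN: no flags at all
    if "S" in bits and "F" in bits:
        return "invalid"    # open and close a connection in one packet
    return "normal"


def half_open_by_target(pkts):
    """Per (dst, port): sources that sent a SYN but never followed with an ACK."""
    syn, acked = defaultdict(set), defaultdict(set)
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        key = (p["dst"], p["dport"])
        if p["flags"] == "S":
            syn[key].add(p["src"])
        elif "A" in p["flags"]:
            acked[key].add(p["src"])
    return {k: len(v - acked[k]) for k, v in syn.items()}


def detect_syn_flood(pkts, threshold=5):
    """A SYN flood is many half-open connections piling up on one service."""
    return [k for k, n in half_open_by_target(pkts).items() if n >= threshold]


def detect_smurf(pkts, net=LOCAL_NET):
    """Echo requests to the directed-broadcast address: every live host on
    `net` answers, and the answers go to whoever is in the (spoofed) source."""
    bcast = net.broadcast_address
    return [{"amplifier": p["dst"], "victim": p["src"]} for p in pkts
            if p["proto"] == "icmp" and p["flags"] == "echo-request"
            and ipaddress.ip_address(p["dst"]) == bcast]


def detect_decoy_scan(pkts, min_sources=3, min_ports=3):
    """Several sources probing an identical port set on one host is what an
    nmap -D decoy scan looks like from the target: only one source is real,
    but the target answers all of them."""
    probes = defaultdict(lambda: defaultdict(set))   # dst -> src -> ports
    for p in pkts:
        if p["proto"] == "tcp" and p["flags"] == "S":
            probes[p["dst"]][p["src"]].add(p["dport"])
    hits = []
    for dst, by_src in probes.items():
        groups = defaultdict(list)                   # port set -> sources
        for src, ports in by_src.items():
            if len(ports) >= min_ports:
                groups[frozenset(ports)].append(src)
        for ports, srcs in groups.items():
            if len(srcs) >= min_sources:
                hits.append({"target": dst, "ports": sorted(ports),
                             "sources": sorted(srcs)})
    return hits


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("SYN flood targets:", detect_syn_flood(pkts))
    print("smurf amplification:", detect_smurf(pkts))
    print("decoy scans:", detect_decoy_scan(pkts))
    for p in pkts:
        if p["proto"] == "tcp" and classify_tcp_flags(p["flags"]) != "normal":
            print("odd flags:", p["src"], p["flags"], classify_tcp_flags(p["flags"]))
```

The legitimate client 198.51.100.7 completes its handshake and is subtracted from the half-open count, so only the five spoofed sources count against 192.0.2.10:80. The smurf rule reports the spoofed source as the victim because that is where every amplified reply will go, which is the cue for filtering directed broadcasts at the border. The decoy rule cannot say which of the three sources is the real scanner, which is exactly what -D is for; it can only say that the group is acting as one.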
The newest form of DDoS (arguably) was observed recently when the loosely organized collective that calls itself "Anonymous" mass-distributed a program called Low Orbit Ion Cannon (LOIC) to anybody who sympathized with its socio-political causes, for use against major entities. Admittedly, this program wasn't very sophisticated and merely caused your machine to send a constant stream of HTTP, UDP or TCP requests to the target, without any decoy-like option. It was first released in 2006, written in C#, and was intended for voluntary participation in a sort of opt-in botnet, the equivalent of a virtual sit-in. A decently configured firewall, with per-source rate limiting, is able to dampen the effect of a single such client, and since no unauthorized use of the attacking machines is occurring (all attackers are volunteering), it is drastically different from a traditional DDoS attack. It has been argued that using the LOIC must be legal, since it is the equivalent of protesters gathering outside a building and making entry and exit impossible for employees. Protests, however, are not legal everywhere in the world. There are plenty of countries where the law in practical terms simply comes down to an imbalance of power and diverging interests, and one cannot always count on the law or the international community for protection either. A web version of the LOIC exists, which means one does not even have to download a potentially incriminating program (anti-virus does pick it up as malicious). In addition, one could visit the web-LOIC page via AltaVista's Babelfish translation engine: if 'traditional Chinese to English' is selected and there is no Chinese on the page, the words remain in English. The point of doing so is that the traffic between you and the translation engine is encrypted using SSL (the padlock at the bottom of Internet Explorer, the 's' in 'HTTPS', Secure Sockets Layer), and your browser history will only show the translator.
This can similarly be done using the anonymizer network Tor, which encrypts all traffic between you and the Tor network (relays run by volunteers that strip identifying information and re-encrypt) but of course cannot encrypt the final hop from the Tor exit relay to the target (the target has to be able to read it, unless you are using another layer of encryption, such as HTTPS, that the target supports). Running the LOIC application from your own machine would likely produce the most effective results, and a way to conceal having done so would be disk encryption such as TrueCrypt. It should be kept in mind that there are rumours that encryption software produced in North America must contain a back door for law enforcement, although the authors of TrueCrypt claim otherwise. Disregarding that, the encryption itself is currently basically unbreakable by brute force (even with a supercomputer or distributed processing like the SETI project; the realistic attack is against a weak passphrase, not the cipher), and it can be set up with a hidden volume inside an outer volume, the hidden one being indistinguishable from the random-looking free space of the outer one, so that, if coerced (let's hope not), one could give up only the 'decoy' password that reveals the outer volume and its decoy files. It can also be set up to require certain key files, which can reside on a small MMC flash card that you could crush underfoot if you are being arrested; then you could not even help them if you wanted to. Besides, in the context of a national crisis such as a revolution (as in Egypt recently), the government and law enforcement do not have the time, ability or means to track down citizens (or non-citizens) who use the LOIC against their web servers.
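The paper says a decently configured firewall can dampen a LOIC attack. The Python below, an added example rather than code from the original paper or from the LOIC itself, simulates a per-source token-bucket rate limit (the kind of rule a firewall or reverse proxy applies) against three constructed request streams: one host running a LOIC-style HTTP flood, one ordinary browsing user, and two hundred volunteers who each stay under the limit. The request rates, the limit and the addresses are assumptions for the example. It shows the caveat the LOIC paragraph implies: per-source limiting shuts a single LOIC user down almost completely, while a crowd of slow volunteers walks straight through it, which is exactly the opt-in botnet effect.

```python
from collections import defaultdict


class TokenBucket:
    """Per-source limiter: `rate` requests/second sustained plus `burst` extra.
    Integer millitokens and millisecond timestamps keep the arithmetic exact
    (rate requests/s == rate millitokens/ms)."""

    def __init__(self, rate, burst):
        self.rate = rate                # millitokens added per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms):
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def filter_requests(requests, rate, burst):
    """requests: iterable of (timestamp_ms, source_ip), as a firewall or
    reverse proxy would see them. Returns {source: (allowed, dropped)}."""
    buckets, stats = {}, defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        stats[src][0 if bucket.allow(ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def constant_rate(src, count, interval_ms, start_ms=0):
    """`count` requests from `src`, one every `interval_ms` milliseconds."""
    return [(start_ms + i * interval_ms, src) for i in range(count)]


def served(stats):
    """Requests that got past the limiter and reached the web server."""
    return sum(allowed for allowed, _ in stats.values())


def scenario(rate=5, burst=10):
    """Three constructed traffic patterns against the same per-source limit
    (5 requests/s sustained, burst of 10). Addresses are documentation ranges."""
    loic = constant_rate("203.0.113.7", count=1000, interval_ms=10)    # 100 req/s for 10 s
    user = constant_rate("198.51.100.20", count=5, interval_ms=2000)   # one page every 2 s
    volunteers = []
    for i in range(200):                                               # 2 req/s each for 10 s
        volunteers += constant_rate(f"10.{i // 256}.{i % 256}.1", count=20,
                                    interval_ms=500, start_ms=i)
    return {
        "single_loic": served(filter_requests(loic, rate, burst)),
        "normal_user": served(filter_requests(user, rate, burst)),
        "volunteers": served(filter_requests(volunteers, rate, burst)),
    }


if __name__ == "__main__":
    for name, n in scenario().items():
        print(f"{name}: {n} requests reached the server")
```

The lone LOIC user sends 1000 requests in ten seconds and only 59 get through (the initial burst of 10, then one every twentieth request as the bucket refills), so the flood is reduced to roughly the limit rate. The browsing user is never touched. The 200 volunteers at 2 requests per second each never exhaust their buckets, so all 4000 of their requests reach the server: a per-source rule cannot distinguish a thousand slow participants from a thousand real visitors, which is why the collective version of the attack needs capacity or upstream filtering rather than a firewall rule.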
Tracking attackers down is going to be especially hard for anything requiring extra-jurisdictional reach. It is possible that the attacker's internet provider (in whatever country they reside) will detect the attack and disconnect service or send a warning, although realistically, unless several attackers are using the same ISP, its network is going to remain relatively unaffected (no more affected than by someone downloading a large file from a peer-to-peer network). Soon after the LOIC came the HOIC, which included evasion techniques against firewalls that attempt to block the floods, and multi-threaded HTTP requests for greater efficiency. These tools enabled wide-scale internet vigilantism, as people using them needed no technical knowledge at all (it is as simple as typing in the website URL and 'chargin ur lazorz').

Wikileaks is a not-for-profit organization led by Julian Assange, who is described as an internet activist with a nomadic lifestyle. It was founded in 2006, also under the Sunshine Press organization, and allowed whistle-blowers to submit confidential or sensitive documents to the website, which would then publish them for the sake of transparency in our world, especially with regard to politics. Originally it allowed user comments and edits, but it eventually stopped accepting these additions and reverted to a more traditional publication style. Mr. Assange came under fire from several world governments, militaries and corporations, understandably, since they despised their dirty laundry being aired to the world. They accused him of being reckless and of showing total disregard for national security and for the anonymity of vulnerable individuals named in the released documents. The Free-Brad campaign (the name somewhat inspired by the Free-Kevin campaign from years ago, when Mitnick was still in jail) started after a US Army soldier, Bradley Manning, leaked a large number of classified documents to Wikileaks and was arrested in Iraq last year. Soon thereafter, what his supporters called a smear campaign was launched against Mr. Assange: allegations of sexual assault were made against him in Sweden, which he insisted were politically motivated (some sexual contact did occur, but the details fall outside the scope of this assignment). He was eventually arrested and moved in high-security vehicles, guarded by all sorts of three-letter agencies, and brought to court in the UK. The British courts set bail at close to a third of a million dollars and required it to be delivered (in cash!) within a short time frame. Michael Moore (political activist and documentary producer), along with several others, came to his aid, but it was of course difficult for anybody to liquidate that kind of money given the time constraints.
The Swedish government applied for his extradition, but the Wikileaks founder claimed he would not get a fair trial in Sweden. Visa and MasterCard both stopped processing payments to Wikileaks, which infuriated political activists, hackers and anyone else on his side or supportive of his cause. Among them were the people who act under the name "Anonymous". Anonymous went on to threaten and then attack both credit card companies by convincing people from all around the world to join in a cyber sit-in with their laser cannons (LOIC). Who knows whether a few botnets joined in too (quite possible). The attacks succeeded and the companies' public websites were taken offline for a time (the card-processing networks themselves kept running, but the outages were embarrassing and costly). PayPal was also attacked for the same reason (arguably deserved; look at its terms of service in detail), as was the Swiss bank that held some of Julian's funds. These attacks broadly fell under the name "Operation Payback", which also included attacks against major sites belonging to the entertainment industry, such as Sony, since they were believed to be behind a DDoS attack against The Pirate Bay, a torrent site well known in the underground community that provides search capabilities for finding files being shared online (often copyrighted material). The Pirate Bay is a key source for many enthusiasts looking for different kinds of software. Operation Payback also targeted several law firms (such as ACS:Law), pro-copyright political parties, and organizations like the US Copyright Group and the RIAA. The RIAA was suing Limewire for enabling people to copy copyrighted files and was going a step further by suing for damages. No doubt the Operation Payback website got taken out in response too, but the group simply moved to another site; that's part of the beauty of the internet.
Unless you are a company that relies on its website being easily findable and always operational, someone like Anonymous can just keep popping up at the next new website and still easily reach thousands of people around the globe to coordinate attacks. Anonymous is fond of the Guy Fawkes mask used in the film V for Vendetta. Guy Fawkes was involved in the Gunpowder Plot in Britain, which conspired to overthrow the government. In 1994, arguably the first public DDoS attack as a form of protest occurred in the UK on Guy Fawkes Day, because the government was attempting to outlaw outdoor festivals and music with repetitive beats; this was called the Intervasion of the UK. "Anonymous" is actually a blanket term for everybody involved in the effort or who aligns themselves with this particular internet subculture. The symbol and flag of this loosely knit community is a headless man wearing a suit, with a question mark in place of a head. This symbolizes a leaderless movement concerned with ideas rather than with personalities. While leaderless, anonymous and loosely knit, the group is heavily associated with the image board 4chan. The number of 'operations' this group has been involved in is so large that one easily loses track. Wikileaks founder Assange published research on the history of hacktivism, dating it back to 1989, but really the world had not seen this volume of DDoS attacks until the last few years, with a lot of it stemming from "Anonymous". The 1989 attack was the WANK worm, which penetrated NASA's machines and changed their login banner to a message saying, in part, "You talk of times of peace for all, and then prepare for war", as a protest against nuclear activities. This is quite benign compared to, say, the recent Stuxnet code, which was designed specifically to infiltrate the industrial control systems of Iran's uranium enrichment facilities and cause the centrifuges to malfunction (supposedly it did set the program back, along with the assassination of one of their top researchers). That code was notable because it used FOUR zero-day exploits. A zero-day exploit targets a vulnerability that the vendor does not yet know about, so no patch exists and everybody using that software is vulnerable until one is released. Critical zero-days tend to be patched within days once they become public, so the fact that Stuxnet carried four of them (and stayed undetected for a long time) is extremely impressive. Before this past decade we also had not seen attacks on entire countries. An example is the Estonian cyberwar of 2007, in which the country's networks were so badly disrupted that people were unable to withdraw cash from ATMs and, if abroad, unable to phone their home bank to find out why their accounts were inaccessible.
Several countries in the Middle East had operations named after them, such as op-tunisia, op-egypt, op-algeria, op-libya and so forth. These are countries that have recently faced uprisings and civil unrest, with citizens demanding freedom of expression and speech, true democracy with elections that actually represent the people's votes, less oppression, human rights, and for their leaders to step down and stop using the countries as their personal piggy banks. (Check out the video the Anonymous group published as a warning to the Egyptian government: http://www.youtube.com/watch?v=yOLc3B2V4AM). In Egypt's case the NDP website, the Al-Ahram newspaper and the main gov.eg websites were all targeted. This was mainly due to censorship in Egypt, the national media producing outright propaganda, and especially the government ordering ISPs and telecoms providers to shut down (it also turned off power and water at times). It also stands against the idea of protests being illegal (freedom of assembly). Notice the similarity between this video and what The Mentor wrote in the Hacker Manifesto, at the dawn of the age of hackers being demonized in the media: "We exist without skin color, without nationality, without religious bias...", which overlaps with the idea of Anonymous standing for ideological change in the world, beyond politics or race. The Egyptian government did not only order ISPs to shut down their service (all but Noor, since the stock exchange ran on its connections; the exchange reportedly lost 12 billion on the first day of the shutdown), but actually had the BGP routes for Egyptian networks withdrawn at the border routers, so that from the outside world virtually every Egyptian address became unreachable, and thus made internet history by effectively "deleting themselves off the map".
While what the Egyptian government did to its people during the unrest was frankly disgusting, it is unfortunate that it got the most media coverage (Egypt being described as the "beating heart of the Arab world") when other Middle Eastern countries saw uprisings lasting much longer (over a month) with far more killing and brutality than in Egypt. The Libyan leader had been in power for 42 years! This is why attacks were launched against all of them. Considering the severity of the issues on the ground, one might dismiss these attacks as ineffective; however, when I spoke to my cousin briefly on the phone during the uprising (while the internet was down), his main concern was for Al-Ahram to be silenced, since it was spreading misinformation and propaganda to Egypt's people and the rest of the world. In fact, this revolution was sparked not just by the protests in Tunisia, but also by the large number of Egyptian youth connected to the internet and to each other via social media sites such as Facebook and Twitter (one man named his newborn "Facebook"). Given that the internet was a major contributing cause, and given the importance of the media outlets attacked by Anonymous' gang of cyberwarfare custodians, one can say the Internet played a key role in this revolution, in its outcome (live reports reaching the media via Twitter meant quicker action), and in possibly the proudest time in modern Egyptian history. I conclude therefore with a statement about the power of the Internet: "Who needs nuclear weapons when you have the power of the internet?" ~ Leah Wakefield.

Bibliography

FSCT 7220 class notes by Rui Pereira
http://www.counterpunch.org/assange11252006.html
http://wikileaks.ch/
http://anonops.ru/
http://www.youtube.com/watch?v=JCbKv9yiLiQ (Anonymous to Scientology; the Church tried to frame Anonymous by attacking epilepsy boards)
http://www.youtube.com/watch?v=yOLc3B2V4AM
http://www.youtube.com/watch?v=SQKbHBqDwSI (there are too many of these; I'll stop)
http://anonnews.org/
http://www.religiousfreedomwatch.org/intolerance-hate/anonymous/
http://www.ebooks.com/ebooks/book_display.asp?IID=140243
http://records.viu.ca/~soules/media112/hacker.htm
http://www.renesys.com/blog/2011/01/egypt-leaves-the-internet.shtml
http://www.bbc.co.uk/news/technology-12110892
http://www.theregister.co.uk/2010/09/20/4chan_ddos_mpaa_riaa/
http://www.guardian.co.uk/science/the-lay-scientist/2011/feb/20/1
http://www.newsweek.com/2008/02/07/the-passion-of-anonymous.html