cyber terrorism & hacktivism

Cyber Terrorism & Hacktivism Keren Elazari, TAU, 17 May 2012


Page 1: Cyber Terrorism &  Hacktivism

Cyber Terrorism & Hacktivism

Keren Elazari, TAU, 17 May 2012

Page 2: Cyber Terrorism &  Hacktivism

Agenda

▪ Introduction
▪ Cyber Threat Landscape
▪ Basic Terminology, Why distinguish threats
▪ Cyber Terrorism & Hacktivism
▪ Comparative Analysis Framework
▪ Norms & Thresholds - The future?

Page 3: Cyber Terrorism &  Hacktivism

About Keren

▪ 10+ years in cyber security, CISSP
▪ June 2012: Teaching Fellow – Security at Singularity University
▪ Speaker at security conferences, including:
▪ Y2Hack, Y2Hack04 & ILHack09 in Tel Aviv
▪ Keynote - ITBN 2007 Security Day, Budapest
▪ Co-Chair IDC Herzelya Cyber Terrorism Workshop
▪ Keynote NATO International Conference on Cyber Conflict, June 2011
▪ Technical workshop at NATO CyCon, June 2012

Page 4: Cyber Terrorism &  Hacktivism

Cyber “Personae Dramatis”

Cyber Crime Cyber Terrorism Cyber Warfare

Cyber Espionage ?

Cyber Conflict ? Cyber Terrorism Cyber Warfare

1998, Center for Strategic and International Studies (Washington, D.C.)

Page 5: Cyber Terrorism &  Hacktivism

Common view of cyber threats

DDoS, Website Defacement

Phishing, Keylogger, Malware, Trojans

APT/ attack on Critical Systems

Cyber Terrorism

Cyber Warfare

Cyber Crime

Page 6: Cyber Terrorism &  Hacktivism

Hacktivism

Criminal activity in cyber space

State Sponsored

Cyber Terrorism

using Cyber crime tools

Espionage

Page 7: Cyber Terrorism &  Hacktivism

Web War one? Estonia in 2007

April 27th, 2007 - preparations to remove the Bronze Soldier in Tallinn, a World War 2 monument to Russian soldiers.

Russian forums publishing tools to carry out DDoS and defacement attacks on gov sites: Estonian President, Prime Minister, Parliament

April 30th - coordinated attack including DDoS. The attacks used botnets from all around the world and shifted at random intervals to make them difficult to defend against.

May 3rd - the botnets began attacking private sites and servers. Banks in Estonia were shut down, as well as major news sites.

May 9th - climax of the attacks, on the Russian anniversary of the end of World War 2

Page 8: Cyber Terrorism &  Hacktivism

Too Much Confusion

1998, Center for Strategic and International Studies (Washington, D.C.)

Page 9: Cyber Terrorism &  Hacktivism

Basic Terminology

What is Cyber? General electronic or computer-related prefix

What is Terror? “violence deliberately used against civilians in order to achieve political goals”.

What is Cyber Terrorism? “government agencies responsible for responding to cyber attacks have each created their own definitions.”

Page 10: Cyber Terrorism &  Hacktivism

Contended definitions & critics

“One man's terrorist is another's freedom fighter”

▪ D. Denning's "Activism, Hacktivism, and Cyberterrorism"
▪ International treaties and conventions
▪ “Cyber terrorism” = blowing things up remotely?
▪ “Hacktivism” = virtual graffiti/vandalism?

Page 11: Cyber Terrorism &  Hacktivism

Denning’s Definition

“cyberterrorism, refers to the convergence of cyberspace and terrorism. It covers politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage. An example would be penetrating an air traffic control system and causing two planes to collide.”

Page 12: Cyber Terrorism &  Hacktivism

Denning’s Definition

“Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.

Page 13: Cyber Terrorism &  Hacktivism

Denning – Cont.

Further, to qualify as cyber terrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear.”

Page 14: Cyber Terrorism &  Hacktivism

Wikipedia to the Rescue ?

Cyber terrorism : the use of Internet based attacks in terrorist activities, including acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet, by the means of tools such as computer viruses.

Page 15: Cyber Terrorism &  Hacktivism

Cyber Terrorism Vs Hacktivism

Cyber Terrorism: The use of information technology by terrorist groups and individuals to further their agenda. This can include attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, Denial-of-service attacks, or terroristic threats made via electronic communication.

Hacktivism: “Hacktivism is the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development.” Promoting expressive politics, free speech, human rights, or information ethics.

Page 16: Cyber Terrorism &  Hacktivism

Common Asymmetric Advantages

▪ Little, or no expense
▪ Little, or no risk to perpetrator
▪ Few participants = big media impact
▪ Potential for damage to a nation’s resilience, stability and safety
▪ Non lethal attacks = less back lash

Page 17: Cyber Terrorism &  Hacktivism

Common Targets

▪ Network connected critical infrastructures (Brazil?)
▪ Disruption of ISP/CSP operational networks
▪ Civilian/commercial information systems – ELAL, Tel Aviv Stock Exchange
▪ Defacement of government/national web sites
▪ Publishing data from sensitive databases to cause embarrassment, confusion and panic: “Saudi hacker 0xOmar”

Page 18: Cyber Terrorism &  Hacktivism

Cyber Terrorism & Global Hacktivism - examples

Page 19: Cyber Terrorism &  Hacktivism

Website Defacements

[Chart: Amounts of Website Defacements in 2008-2009. Series: Year 2008, Year 2009. Data labels: 517,459.000 and 544,409.000]

Page 20: Cyber Terrorism &  Hacktivism

Website Defacements Motivation

[Chart: Amounts of Website Defacements in 2008-2009 by motivation. Series: Year 2008, Year 2009. Categories: I just want to be the best defacer; Heh just for fun!; As a challenge; Not available; Political reasons; Patriotism; Revenge against that website. Axis: 0 to 250,000]

Page 21: Cyber Terrorism &  Hacktivism

Cyber Jihad In Numbers

Page 22: Cyber Terrorism &  Hacktivism

Cyber Jihad – Examples

Page 23: Cyber Terrorism &  Hacktivism
Page 24: Cyber Terrorism &  Hacktivism

Turkish-Greek Hacktivism

Page 25: Cyber Terrorism &  Hacktivism

Turkish-Greek Hacktivism

Page 26: Cyber Terrorism &  Hacktivism
Page 27: Cyber Terrorism &  Hacktivism

The Hacker Manifesto (1986)

“I am a hacker, enter my world...”

“rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out….”

“This is our world now... the world of the electron and the switch, the beauty of the baud”

Information wants to be free! Hack the planet! My crime is that of curiosity…

Page 28: Cyber Terrorism &  Hacktivism

Hackers - Defined?

Page 29: Cyber Terrorism &  Hacktivism

Infamous Hackers of the world

▪ Most-wanted computer criminal in the United States: Kevin Mitnick, arrested 1995
▪ Solar Sunrise 1998 - the Analyzer hacks US DOD
▪ Y2Hack: Captain Crunch & Phreaks (John Draper)

Page 30: Cyber Terrorism &  Hacktivism

Hacktivism - Anonymous!

▪ International groups of Hacktivists
▪ Started on 4chan & evolved to global scale
▪ Represents a new & chaotic internet force
▪ Targets: Epileptics, Scientologists, Pedophiles, PayPal, US GOV, IL GOV, HBGary, the Pope?


Page 32: Cyber Terrorism &  Hacktivism

WikiLeaks

▪ WikiLeaks founded 2006 by Julian Assange
▪ published secret and classified media from anonymous sources, leaks, whistleblowers
▪ 2010: “Cable Gate”, Anonymous – “Operation PayBack”

Page 33: Cyber Terrorism &  Hacktivism

Anonymous

Page 34: Cyber Terrorism &  Hacktivism
Page 36: Cyber Terrorism &  Hacktivism

Recent Anonymous operation …

Page 39: Cyber Terrorism &  Hacktivism

Anonymous in Museums & Bars?

Page 40: Cyber Terrorism &  Hacktivism

Tools of the Trade - DDoS

▪ Ping Flood, Ping of Death, EvilPing
▪ Winsmurf, QuickFire, Defend
▪ HTTP bomber 1.001b
▪ Mail Bomber
▪ Anonymous favorite – Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#
▪ See Also: JS LOIC, Low Orbit Web Cannon

Page 41: Cyber Terrorism &  Hacktivism

Cyber Threat Analysis Framework

Page 42: Cyber Terrorism &  Hacktivism

So what do we do?

▪ Know your Enemy - not just technically
▪ Attribution of Attack remains a key problem
▪ Intelligence, Investigation tools and models

Page 43: Cyber Terrorism &  Hacktivism

Why Distinguish Cyber Threats

▪ Mitigation – just block the IP range?
▪ Investigation
▪ Prosecution – Estonia & NATO for example
▪ Attribution & Retribution - who do we target
▪ Deterrence?

Page 44: Cyber Terrorism &  Hacktivism

Attack Attribution - Who is behind the attacks?

▪ STUXNET
▪ DDoS via Botnet

Page 45: Cyber Terrorism &  Hacktivism

Parameters for Analysis

1. Impact
2. Ideology
3. Technical threshold
4. Participation threshold
5. Operational threshold
6. Visibility

Page 46: Cyber Terrorism &  Hacktivism

Parameters for Analysis

1. Impact on civilians & collateral damage

2. Ideological / Political motivation, e.g.: Jihad, Green Hacktivism, White Supremacist, “LolzSec” etc

3. Technical threshold : R&D, Complexity

4. Participation threshold : entry price

5. Operational threshold: Recon, Persistency, Evasion

6. Public Aspect : Is Responsibility claimed?

Page 47: Cyber Terrorism &  Hacktivism

Parameters for Analysis

Impact on civilians & collateral damage

Terror according to ICT = ?

Almost all Cyber Attacks harm “innocents”

Unnecessary attack on civilian targets could be considered as war crime, when done by state

Page 48: Cyber Terrorism &  Hacktivism

Parameters - Continued

Ideological / Political motivation:

▪ Jihad
▪ Green Hacktivism
▪ Neo Nazi/White Supremacist Hacktivism
▪ Anonymous

Page 49: Cyber Terrorism &  Hacktivism

Parameters - Continued

Participation threshold: entry price

▪ Easy as ping 1.2.3.4 -t -w = DDoS participation
▪ Can be done from anywhere in the world, anytime

Compare with launching an APT or attack of CI:

▪ Hard: infiltrate & exploit ISP, Military or Civilian Critical Infrastructure
▪ may need inside access
▪ Use unique targeting tools (e.g. for SCADA)

Page 50: Cyber Terrorism &  Hacktivism

Parameters - Continued

Technical threshold: R&D, Complexity

▪ Use of Zero Day Exploits requires strong R&D base, funding
▪ For complex attacks (APT), in-depth technical knowledge of the target is required

Page 51: Cyber Terrorism &  Hacktivism

Parameters - Continued

Operational threshold:

▪ Reconnaissance phases
▪ Persistency
▪ Evasion techniques
▪ Post mortem and lesson learning

Page 52: Cyber Terrorism &  Hacktivism

Parameters - Continued

Public Aspect : Is Responsibility claimed?

Page 53: Cyber Terrorism &  Hacktivism

More Comparison Parameters

▪ Perpetrated by
▪ Intended Target / Victim
▪ Goal of attack
▪ Consequence scope
▪ “Visibility”
▪ R&D Threshold: Required budget, tools and know how
▪ Goal of attack
▪ Participation in the attack

Page 54: Cyber Terrorism &  Hacktivism

Non Trivial Problems

National security & Cyber Jihad

Cyber Terrorism - Strategic or Tactical?

Cyber crime and cyber terrorism together

State sponsored cyber terrorism

Page 55: Cyber Terrorism &  Hacktivism

Future - Norms and thresholds

Retribution threshold – what makes an attack revenge worthy? Who decides?

Is Deterrence in cyberspace even possible?

Cyber threats from Non-state actors – rules of engagement?

Is a global Treaty, or Norm even possible?

Page 56: Cyber Terrorism &  Hacktivism

Legal / Regulatory remedies?

On the national scale:

▪ Criminal prosecution of attackers - according to the various Computer Fraud and Abuse Acts
▪ LEA need authority, know how, and tools to collect digital evidence and conduct investigation across country borders
▪ Nation-wide regulation to protect CIs and CSPs
▪ Attacked organizations: sector specific regulation, e.g. Energy Sector, Financial sector, mandated reporting to CERT/ISAC
▪ End users / Victims: increase “Cyber Hygiene”

Page 57: Cyber Terrorism &  Hacktivism

Legal / Regulatory remedies?

International Treaties & Norms

European Convention on Cyber Crime

▪ Legal framework for criminal law standards
▪ Cooperation framework for computer crime investigation
▪ Procedural framework for cross-country seize & investigate digital evidence

(The future) conventions on cyber warfare?

Page 58: Cyber Terrorism &  Hacktivism

Cyber Terrorism – Bombs are next?

“At least for now, hijacked vehicles, truck bombs, and biological weapons seem to pose a greater threat than cyber terrorism. However, just as the events of September 11 caught us by surprise, so could a major cyber assault. We cannot afford to shrug off the threat.” Prof. Dorothy Denning, November 1, 2001

Page 59: Cyber Terrorism &  Hacktivism

Summary and conclusions

The definition of Terror itself is contended

The line between Cyber Terrorism and Hacktivism is blurry, grey and crossed often

Analysis of each attack and incident ?

A new breed of “Cyber analysts” is born

Page 60: Cyber Terrorism &  Hacktivism

Questions?

Page 61: Cyber Terrorism &  Hacktivism

Bibliography & Key sources

Proceedings of the IDC Herzelya Cyber Terrorism Workshop, November 2010

Dorothy E. Denning, "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy", Georgetown University, June 8, 2001

Trachtman, Joel P., 2004. ‘Global Cyberterrorism, Jurisdiction, and International Organization’, http://ssrn.com/abstract=566361.