Intruders


An intruder, i.e., an attack initiator, is the first element in the attack model described earlier in this chapter. This element can be described using the so-called informal model of the intruder, which takes into account their theoretical and practical skills, knowledge, the time and place of their actions, level of qualification, and so on. The intruder may act alone, or there might be a group of intruders.

Generally, all intruders can be subdivided into the following six categories.

  • Hackers. They perform attacks to get moral satisfaction, to improve their self-esteem, or to increase their status in others' opinions. This means that they do not get any material benefit from their activities.

    The Morris Worm 

    On November 2, 1988, one of the students of the University of California, at Berkeley, detected a small "alien" program running on a Sun workstation. In the course of investigating this "alien" program, it became clear that the program used small vulnerabilities in the implementations of such common utilities as sendmail, rsh/rexec, and finger. This allowed the program to run on any infected computer, significantly degrading its performance and propagating its copies to any other computers that it could access remotely. Within several hours, hundreds, then thousands, of computers connected to the Internet went down. During a subsequent investigation of the incident, it became evident that this program was written by 23-year-old Robert Tappan Morris, a student of UC Berkeley. His aim was to create a program that would use the vulnerabilities of the Berkeley UNIX version to check the security level of all computers all over the country. However, the code of his program contained a bug, and what he had meant to be a small, useful program turned out to be a real monster. According to the most optimistic estimations, about 10% of all computers on the Internet were affected, and the total sum of financial losses ranged from $96 million to $300 million. The program is now known as the Morris Worm [Markoff1-95].

  • Spies. They organize attacks in order to gather information that can be used for espionage purposes.

    Hackers Recruited by the Argentinian Government 

    In June 2001, the Argentinian anti-dictatorship group Mothers of Plaza de Mayo (MPM), known to be active defenders of human rights, became a victim of a hack group that destroyed all the information on MPM's computers. According to a statement by the leader of this organization, this attack, along with other actions against the group, was undertaken by the Argentinian government.

  • Terrorists. These are intruders who perform their attacks for blackmailing purposes.

    Attack on the Bloomberg Information Agency 

    In early August 2000, two hackers were arrested in London on charges of cracking the network of the Bloomberg LP agency and subsequent attempts at blackmail. According to information published by Bloomberg, Oleg Zezov and Igor Yarimaka were arrested during a special FBI operation, in which Bloomberg founder Michael Bloomberg also participated. According to information from police sources, Zezov worked for Kazkommerts Securities, located in Alma-Ata and a client of the Bloomberg company. He repeatedly e-mailed Michael Bloomberg demanding $200,000 for information on the security hole he had detected in the company's computer system. In March, Zezov showed that he was not joking — Bloomberg received personal files of the company head containing photos of his personal documents, user name and passwords, and other personal information, including credit-card numbers. After that, Bloomberg representatives began to cooperate with the FBI.

  • Corporate raiders. They perform attacks to obtain special information, the theft of which would provide substantial financial benefit for competitors.

  • Professional criminals. These types of intruders mainly act to get personal financial profit.

  • Vandals. The only aim of a vandal attack is to produce as much damage as possible.

The most widely known categories of intruders are hackers and professional criminals. As a matter of fact, hackers become known because they themselves inform the community about their successful attacks. Professional criminals are widely known because of the media. In fact, even now, there is no general consensus on the term "hacker." In using this term, the media refers to any specialist who has some criminal agenda, or who is looking for profit from their activity. In the professional community, however, the term hacker designates a qualified and skilful professional in the field of information technologies. Therefore, later in this book, I will follow this tradition and designate the criminals by the term "intruder."

In the 60s and 70s, individuals who created programs that made hardware perform undocumented functions were known as hackers. Thus, by the term hackers, one designated programmers who were knowledgeable and sophisticated in the scope of their knowledge or in their profession. Later on, the term was used for any highly qualified professionals who organized their own community and culture. However, in the 70s and late 80s, this tradition became twisted and distorted, and "hackers" began to intrude upon information systems, leaving their "visiting cards." It was at that time that the term "hacker" obtained its negative connotation. Apart from hackers, there are also crackers, phreakers, and so on.

Cracking Just to Protest 

Sometimes, hacking is simply a way to make a social or political protest. One example of this took place in January 2001, when an unknown hacker intruded upon Bulgarian president Petar Stoyanov's website. He proceeded to delete all information on it and left a message explaining why he had done it. The explanation was simple — the young man's parents were poor, he himself was unemployed, and he lacked any decent job prospects in Bulgaria. Such incidents are part of a new Internet trend known as hacktivism.

As professionals from the CIA and FBI note, the main threat originates from foreign governments developing technologies of information warfare, rather than from individual hackers. According to data provided by the Defense Information Systems Agency (DISA), besides the U.S., the list of such states includes Russia, Israel, Great Britain, France, China, North Korea, Iraq, Libya, and Cuba. However, it should be noted that commercial companies (even large ones) are unlikely to become the target of attacks implemented by foreign governments. For such companies, individual hackers and hack groups still remain the main threat.

Intruder Goals

It is quite probable that you, upon reading about the hacking of some specific company's site, thought that this could never happen to you. Perhaps you are right. However, it is still necessary to know the reasons why your computer (including your home PC) or your corporate network might become an attack target. There are quite a lot of classifications for intruders developed by various organizations (including the FBI, CIA, Interpol, etc.). Considering them all is a tedious (and practically unnecessary) task. After all, if you suffer from an attack, does it really matter who has hacked you — an amateur or a corporate raider hunting for your secrets? In real-world practice, it would be much better to know the reasons why you might become a target of a hacker attack. To become an attack target, you must attract an intruder's attention. Let us consider what might make you a target, or induce a hacker to choose you or your company. Note that, in this section, we will only consider intentional attacks. Accidental attacks will not be covered here.

Joke

Jokes are rather common, and perhaps one of the first motives for hacker attacks. Nearly everyone has received, for example, anonymous messages containing something like: "Your account will be locked within 5 minutes." Apart from this relatively harmless joke, there are more cruel ones, which can really scare novice users. For example, someone might send you a message inviting you to visit some address on the Internet (for example, http://chatcenter.virtualave.net/delwin). If you do, be prepared to watch how Windows is supposedly being deleted from your computer. Sometimes these jokes can be quite outrageous. One of the latest jokes (at the time of writing) was implemented by a German hack club known as the Chaos Computer Club. On Christmas Eve, the club hacked the system controlling the engineering communications of a building and made various pictures on its façade by switching various lights on and off.

Curiosity

Curiosity comes right after jokes when listing hacking motives. Note that there are two types of curiosity. The first kind is when penetrating the system presents a challenge to the hacker. By bypassing various traps and security tools, the hacker improves their skills and self-assurance. The second type of curiosity came into play quite recently, as the Internet plays a more and more significant role in everyday life. Users surfing the Web find various programs there and start them out of pure curiosity. Without a proper understanding of the algorithms and working principles of such programs, such "hackers" can inflict serious damage on their friends, colleagues, or other Internet users.

Publicity and Fame

After becoming self-assured enough, some intruders begin to long for fame and publicity. They might search for it among other people of a similar opinion (for example, at hacker conferences and sites) and among other individuals who have at least heard about the Internet. The most common example of such activity is defacing sites, which can be accomplished as self-promotion.

Politics and Ideology

Political motives for hacking activities are also rather common. Practically all more-or-less significant political events are followed by hacker attacks (which they consider a counter-strike).

Ideological motives are also as widespread as political ones. Basic hacker ideology usually disapproves of any attempt at restricting access to information. To illustrate this thesis, let us again consider the activities of the above-mentioned Chaos Computer Club, members of which have hacked several government sites and published quite a large amount of confidential information on the Chernobyl catastrophe. Attacks on the IT components of crucial and vitally important infrastructures can also be attempted for ideological reasons. Consider, for example, the second part of the "Die Hard" blockbuster, in which terrorists attack the navigation system of an airport and cause landing aircraft to crash.

Anti-Globalists in Cyberspace 

Early in 2002, Italian police traced six members of an anti-globalist hack group suspected of attacking thousands of sites located in 62 countries all over the world. The group started its activities in July 2001 during a summit in Genoa that was accompanied by anti-globalist protests. Among the sites defaced by the group were those of NASA, the Pentagon, Columbia University, Harvard University, Cornell University, etc.

Financial Profit

Financial profit is the most common motive for committing crime, both in the virtual and real worlds. If the attack is successful, the intruder will be able to live comfortably for quite a long time. Financial profit might present a motive both for individual hackers who attack Internet stores in order to steal credit-card numbers, and for companies that recruit hackers in order to attack their competitors. The Western Union site was hacked with precisely this purpose in mind.

Revenge and Disappointment

Revenge or disappointment is mainly an internal threat for a company. The motives that might induce employees to carry out such an attack include a lack of career prospects, low salary, dissatisfaction with the management policy, etc. Note that practically no one can protect themselves completely against it, and sometimes this motive even represents the main threat to the company. Furthermore, it is especially dangerous, since knowledgeable insiders can inflict much more serious damage than external intruders.

The Administrator Sets a Logic Bomb

In the autumn of 2001, the Philadelphia courts passed a guilty verdict on Tim Lloyd, ex-administrator of the Omega Engineering network. Lloyd left a logic bomb on one of the corporate servers, which, after a period of time, destroyed the software managing the production processes of the company. The damage reached around $10 million.

Vandalism

Vandalism is relatively rare, although at first glance you might think that this is not the case. DoS attacks represent quite an illustrative example of vandalism. However, things are not as simple as they might seem. In most cases, DoS attacks, the destruction of information, and other acts of vandalism are induced by revenge or other motives.

Other Motives

This classification does not come anywhere close to covering all motives, but it does allow us to understand the main motives of the intruders. It should be pointed out that the above-described categories might overlap, and sometimes it is rather difficult to distinguish between them. Apart from this, there are other motives that are rather difficult to identify as falling within a specific category. For example, hacker attacks might be induced by ecological problems, the release of a new version of the Microsoft OS, or anything else. All this might cause dissatisfaction among the hacker community, and thus result in an increase in attacks. Although these reasons are hard to forecast, and cannot be applied to most companies, you must keep them in mind.

Why Are You Under Attack?

After considering the most common hacker motives, you can now better understand the reasons why you might become a target of their attacks. The main reasons include:

  • You have openly or implicitly declared that your security system is absolutely unassailable.

    Unassailable Oracle Hacked 

    Any declaration stating that your system contains no vulnerabilities or is absolutely secure will immediately attract thousands of hackers. Be sure that they will, in the end, detect some vulnerabilities, and, in the long run, they will penetrate your unassailable system and cause it to fail. The most illustrative example of this statement was recently confirmed by a successful attack on Oracle9i immediately after the release of this version. The PR and marketing specialists of the company characterized the system as "unbreakable." After the ninth version of the Oracle DBMS was announced, hackers all over the world joined efforts to show Larry Ellison that he had spoken too hastily. This attempt was successful. Their activity was subdivided into two directions — first, it was necessary to hack the Oracle 9i product, and next the Oracle website. The first direction produced results practically at once — within the last year, quite a lot of vulnerabilities and security holes have been detected in the Oracle 9i software. As for the second type of activity, although hackers did not inflict serious damage, they managed to make the administrators of the Oracle Web site (http://www.oracle.com) rather nervous. According to a statement by a representative of Oracle, normally there are about 3,000 attacks on their server per week. After Oracle began its promotion campaign, which included something like "Oracle9i. Unbreakable. Can not break it. Can not break in." in the body of e-mail messages and other material, the number of attacks on its server went up to 30,000 attacks per week. However, this did not teach Oracle marketing experts anything, since they continue to use such terms as "unbreakable" and "unassailable" when naming their new releases (for example, the newest one, developed in cooperation with Dell and based on Linux, is similarly touted).

  • You are the leader in your segment of the market, constantly beating your competitors.

    University Battles in Cyberspace 

    In July 2002, Yale University requested that the FBI verify that its computer network had been penetrated by hackers from Princeton University. In this request, the university stated that its IS specialists had detected at least 18 attempts to penetrate its internal database from computers belonging to Princeton University. The FBI representative confirmed that this actually took place. According to him, this was done in order to find out who among potential students had submitted applications to both universities. On the other hand, he also pointed out that, although this information was obtained using illegal methods, the data were not used for malicious purposes.

  • You have made a "strong" statement.

    Attack on the RIAA Site 

    At the end of July 2002, unknown hackers implemented a DoS attack on the Recording Industry Association of America (RIAA) site. According to data published by CNET News.com, the DoS attack started on Friday, July 26, and stopped at about 2 a.m. on Monday, July 29. On Saturday and Sunday, the RIAA site was practically unavailable. RIAA representatives emphasize the fact that the internal network was not penetrated. They also do not know who could have attempted the attack. News.com, on the other hand, supposes that this attack might have been implemented by hackers backing the idea of free music on the Internet. RIAA is famous for its aggressive opposition to numerous file-exchange networks and their users. Furthermore, RIAA quite recently managed to get a bill passed stating that Internet radio stations must pay to broadcast a composition. The amount asked is out of the league of most on-line radio stations, and especially free ones.

  • Your company is a financial organization or performs on-line payments.

    Russian Hacker Arrested 

    In January 2002, Russian authorities, in cooperation with the FBI, arrested a hacker who had blackmailed an American bank in order to get $10,000. Early in 2001, the hacker penetrated one of the servers of the ORCC ASP company and accessed confidential information. When he started to blackmail the bank, its representatives contacted the FBI. After a long investigation and communication with the hacker, the FBI found his trail, which led to Russia.

  • Your company is a well-known brand (for example, Ericsson).

  • Your main activity lies in the field of communications or security. Hackers enjoy attacking such companies, which they consider their main opponents. This is why such companies as Symantec or Network Associates are hacked.

    Attack on SecurityFocus 

    At the end of December 2001, the site of the SecurityFocus company, specializing in information security technologies, was hacked to display the banners of the "Fluffi Bunni" hack group. The hackers also cracked the server of the ThruPort company, whose ads are shown on the SecurityFocus site. The hacker banners appeared for several hours, after which SecurityFocus specialists replaced them with their own. However, the ThruPort site displayed "incorrect" banners for quite a long time. Jay Dyson, an independent security expert, admitted that the "Fluffi Bunni" attack was the most elegant of all the recent attacks, since it was planned down to the smallest detail and perfectly implemented. According to Alfred Huger, SecurityFocus vice president, the hackers exploited a newly detected vulnerability in the OpenSSH authorization technology to gain control over the ThruPort server. He also stated that the hackers did not attack the security systems of the SecurityFocus site itself.

  • You are a governmental organization.

  • You are supporting a site of some popular or well-known person.

  • You have a poor employee-relations policy.

  • You have quarreled with one of your employees.

    A Worm in the Pentagon Networks 

    According to PCWeek/RE data, in the summer of 2001, Max Butler, an IS specialist collaborating with the FBI, was sentenced to 18 years in prison for infecting the Pentagon network with a worm.

  • You are promoting an idea that has lots of opponents.

    Anti-Globalists on the Internet 

    During the World Economic Forum that took place in New York early in 2002, the site of the forum became unavailable to visitors. The most interesting aspect of this attack was that the technical personnel supporting this site could not answer the simple question of why this happened. In their opinion, it was unlikely that their site had become the target of a DoS attack. However, most experts suppose that a DoS attack was the exact reason for this failure. This is especially true since the Electronic Disturbance Theater hack group had been planning to implement just such an attack. However, the World Economic Forum site was never really among the most secure. For example, in February 2001, 1,400 credit-card numbers of participants were stolen. The list of victims included Bill Gates, Bill Clinton, and Yasser Arafat.

  • You are using well-known, general-purpose software. For example, hackers never miss an opportunity to demonstrate the vulnerabilities of Microsoft solutions.

  • You are supporting a hacking resource. In this case, your colleagues or competing groups will also be very glad to hack you, in order to demonstrate their superiority.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152