Team 12 Main

From CyberSecurity

Edit this outline as necessary, adding in details where they fit.


I. Information about the attack

   A. Report from each engineering member on techniques used, difficulty of attack, feasibility of automating attacks.

Team_12_Exploit_Code

      1. Simple buffer overflow attack, as described in the readings.  Ended up needing a hard-coded address to stick in the return address portion of the stack.  This leads to a less effective mechanism for a remote attack.  A more dynamic method for determining the address of the buffer that contains the exploit code is required to be feasible, especially for automating the attacks.
      Interestingly, availability of the source code of the target program allowed a much quicker exploit.  Thus, obfuscation does indeed have value, but should obviously not be the primary form of defense. 

--Dennis Galvin 20:27, 21 October 2005 (PDT)

The initial attack was based on methods gleaned from information freely available on the internet. Although specific links to the material were provided in our assignment, a Google search will easily locate the information required to mount such an attack. The Aleph One article (http://www.phrack.org/phrack/49/P49-14) was particularly instrumental in mounting a successful attack. In this paper from 1996, Elias Levy (alias Aleph One (http://en.wikipedia.org/wiki/Elias_Levy)) provides an excellent tutorial for individuals with a small amount of background to successfully exploit buffer overflows. Levy advocates strongly for full disclosure of security vulnerabilities, and moderated the BugTraq mailing list (which encourages vendors to fix their software by fully disclosing vulnerabilities), and has been active in computer security endeavors (see Wikipedia article and links from there).

We were provided accounts on two separate machines at UC San Diego. On each of the machines was a copy of the vulnerable program. One of the machines had the program installed in a way which allowed a successful buffer overflow exploit to gain 'root' (administrative) privilege even though the user executing the exploit did not have that privilege.

The initial approach was to read the Aleph One paper, trying various experiments as I followed the progression of the tutorial. Estimated time for completion of the tutorial was approximately 4 hours. At the end of the tutorial, I attempted the final exploit in the paper 'exploit4.c' by copying and pasting the code from the article into a source file, compiling the file using tools on one of the target computers. Following directions in the article, I then ran the program using increasing size of command line argument (which contained the exploit code). This program set up a command shell which had the exploit code in an environment variable. For each size of buffer I used, I then attempted to run the vulnerable program. The progression of sizes tried was 64 bytes (the size of the exploitable buffer in the target program), 80 bytes, 96 bytes. Aleph One suggested that a size of 100 bytes greater than the exploitable buffer size was adequate, but clearly less was required, as both the 80 and 96 byte attempts succeeded in generating a shell prompt with non-administrative privilege. At this point, I logged onto the machine where the target program was installed to be run with administrative (root) privileges. The success was instant. Unfortunately, I neglected to read the little file with the assignment indicating we weren't allowed to use one of Aleph One's tricks for getting the address of the stack pointer. At this point Chris took over....

--Chris DuPuis 21:42, 21 October 2005 (PDT) Technical note on the attack: the value of stack pointer is influenced by the size of the environment, the current working directory, and the filename passed to execl(). (I used fork() and execl() instead of system().) A hard-coded value for the stack pointer can be used if you clear out the environ with a call to clearenv(), set the cwd with a call to chdir("/"), and hard code the filename.

--Cmckenzie 11:39, 21 October 2005 (PDT) I'm concerned about our ability to describe this effectively in 'plain english'. I don't think a cut and paste from the readings will do the trick.

--Chris DuPuis 14:04, 23 October 2005 (PDT) Here is a bit of explanatory material about the exploit. It needs some work, but it should be easy enough to understand. (It's just not really a complete description.)

The flaw that was exploited is called a "stack overflow". In basic terms, it may be described as follows:

A computer program is composed of a sequence of simple computer instructions (such as "add two numbers" and "store a value in memory") and complex procedures that do more complicated tasks (such as "prompt the user for a password" or "send a document via email"). These complex procedures go by many names--functions, subroutines, methods, and procedures--but we will call them "procedures" here. A program makes a "call" to a procedure, which causes the procedure to do its particular task. The procedure then "returns" to the program, at the point immediately after the call that activated it. The procedure knows where this point is because it has a "pointer", something like a bookmark, that indicates where the next instruction may be found.

When a program is started, the computer reads the first instruction in the program, and does what the instruction says to do. Then it moves on to the second instruction, and does what that says to do, and so forth. When the next instruction is a call to a procedure, the computer stores the current location in the program and jumps to the procedure (think of it as putting a bookmark in a book, and flipping to the back to read an endnote). Under normal conditions, when the procedure is finished, the computer reads this stored location, and jumps back to where it was interrupted. (Just as a reader would go back to the passage following the reference to the endnote.)

Our exploit takes advantage of a flaw in the program to modify this pointer (the current location in the program), so that the procedure returns to the wrong location when it finishes. In fact, we make the procedure return to some instructions that we provided as input to the program.

--Cmckenzie 16:18, 23 October 2005 (PDT) This is a very clean explanation, thanks. I'm not sure if you need to put it in the assignment, but for my own interest, is there a plain english way to describe how you modify the pointer?

--Chris DuPuis 20:12, 23 October 2005 (PDT) Sure. The target program is very simple. The program takes one argument. (Arguments are all of the stuff on the command line after the name of the program. For example, when you enter "mail john_doe@example.com", the program "mail" (a very simple Unix email program) is started, and the one argument to the mail program is "john_doe@example.com". (In the case of the mail program, this is interpreted to mean "compose a new mail message to john_doe@example.com", but other programs use arguments differently.))

So, our program lets the user enter one argument. It copies the value of that argument to an empty place in memory (usually called a "buffer"), much like a student might copy a question from a textbook onto his homework paper.

However, the program doesn't check that there is enough space before it starts copying, and it doesn't stop copying until it gets to the end of the argument. This becomes a problem if the argument is larger than the buffer. Picture a student copying out of a textbook, filling up his paper, and continuing to write all over the surface of the desk, on the floor, the walls, the TA, etc.

This copying of the argument into places where it shouldn't be copied is how the pointer gets overwritten.
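The flaw described above, modelled in C as an added example (this is not the course's target program or anyone's posted code): the unchecked copy of a single argument into a 64-byte buffer, beside a hardened copy that checks the length before writing. The buffer size is the one the page gives; the function names are hypothetical.

```c
/* Added example (not the course's target program): a minimal model of the
 * flaw described above, beside a hardened version. The 64-byte buffer and
 * the single command-line argument are taken from the page; the function
 * names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* the page's exploitable buffer size */

/* Vulnerable pattern: strcpy() copies until it reaches the source's NUL
 * byte and never consults the destination's size. An argument longer than
 * 63 bytes writes past buf, over the saved frame data and the return
 * address that the explanation above calls the "bookmark". Kept only for
 * contrast; the test never calls it with over-long input. */
int copy_arg_unsafe(const char *arg) {
    char buf[BUF_SIZE];
    strcpy(buf, arg);            /* no bounds check */
    return (int)strlen(buf);
}

/* Returns 1 if copying src (plus its terminating NUL) into a buffer of
 * dst_size bytes would write past the end of the buffer, else 0. */
int would_overflow(const char *src, size_t dst_size) {
    return strlen(src) + 1 > dst_size;
}

/* Hardened version: the length is checked before any byte is written, and
 * the copy is bounded by the destination size. Returns 0 on success, -1 if
 * the argument does not fit (dst is then left as an empty string). */
int copy_arg_safe(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    if (would_overflow(src, dst_size)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);   /* bounded by the check above */
    return 0;
}

int main(int argc, char **argv) {
    char buf[BUF_SIZE];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 2;
    }
    if (copy_arg_safe(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("copied: %s\n", buf);
    return 0;
}
```

Compiling with stack protection (for example gcc's -fstack-protector) adds a runtime check that aborts on an overwrite of the saved return address, but it does not make the unchecked copy correct; the length check does.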

II. Estimated dollar value of damage caused by an attack

--Cmckenzie 19:24, 23 October 2005 (PDT)

Methodology

The potential dollar value of an attack is difficult to quantify as many/most things that can be targeted by the attack fall into two categories which defy easy economic assessment. Firstly, targets may have no clearly established market value. This category includes private business information, non-financial personal information, etc, the value of which depends on private judgements or specific conditions of business that are not generalisable. Secondly, there are things that are inherently incapable of valuation under most economic schema, though they affect economic relationships. This category includes intangibles like trust, relationships, emotional affects. Some of these intangibles may be capable of rough valuation ex post. For example, by assessing the fall-off in the dollar value of a business relationship after an attack due to a lack of trust or sense of security. However, such assessments are case specific and not capable of ex ante estimation or extension to the general case.

This report will provide dollar value estimates for reasonable upper and lower bounds for damage as well as expected values where discernible. Discussion will also highlight areas where dollar value estimates are difficult or impossible due to either inherently or practically unquantifiable variables. Finally, discussion will extend to the likely allocation of cost amongst different institutions.

1. Home Computer

Direct financial fraud

E(x) = $1,289.50

Although not enormously complicated, significant technical expertise over and above implementing the buffer overflow exploit is required to install keystroke monitors and screen capture devices that collect credit card or bank account information and enable this kind of fraud.

--Chris DuPuis 23:16, 23 October 2005 (PDT) Most web browsers have a "cache" of recently-loaded pages, and many (certainly Firefox, probably others) have a capability of saving values entered into web forms for future use. It is quite possible that the needed credit card numbers are already stored on the computer.

--Cmckenzie 18:17, 24 October 2005 (PDT) This is a good point Chris. I will mention it in my final version.

Users who employ internet banking or make purchases with credit/debit cards are far more vulnerable to direct financial loss. Currently 44% of internet users bank online[1] and 34% shop online[2]. One would expect that there is a significant overlap between these groups, though this was not looked at in the research cited – I will thus make the assumption that 50% of internet users engage in at least one of these activities. The average value of an incident of internet based financial fraud is $2,579 for January-June 2005[3]. Given that approximately 50% of US based internet users are vulnerable, the expected value of a single attack on a single terminal for the purpose of financial gain is $1289.50 (the probability of a successful attack multiplied by the average value thereof - 0.5 X $2,579). Clearly, the ability to automate and scale up such attacks significantly increases the potential gain linearly in proportion to the number of terminals that may be attacked. The minimum value of a single incident is $0 for users who do not bank or shop online, and the maximum is the total sum value of any credit lines and bank accounts which the user employs online.

Intangibles may contribute further to losses – the effect of a single case is small but if many incidents occur merchant and consumer confidence may be undermined and the efficiency of e-commerce could be jeopardised.

In this case the loss may be borne in a number of different ways, depending on the specifics. Legislation sets the limit of user liability for credit card fraud at $50[4]. However a massive loss can be borne by the merchant. If they have shipped or sold a fraudulently purchased item, they lose the entire value as the credit card issuer will 'chargeback' the fraudulent charge and the merchant has no recourse[5]. The position is similar in the case of debit cards, as most major financial institutions have voluntarily committed to a $50 limit for consumer liability in cases of fraud, but this may be shirked by smaller and less reputable institutions and the obligation to report theft is stronger – consumer losses up to $500 may occur if notification of the card's issuing institution does not occur within 48 hours of the consumer gaining knowledge of the theft, or the whole value of the checking account if the consumer does not notify within 60 days. As with credit cards, chargebacks mean the loss falls almost exclusively on merchants.

Identity Theft

Using similar technology to that employed in direct financial fraud, identity theft can often lead to substantially larger losses. Attacks targeting identity theft have a smaller chance of success as more information is needed than for a credit card or bank account fraud, but if an incident does occur it can lead to great losses. A 2003 study found that the average incident of identity theft led to $92,893 in fraudulent charges[6] – often from opening lines of credit in the victim's name. The loss is normally borne by the financial institution, but it can take huge efforts on the part of the victim to overcome poor credit ratings and to deal with creditors. Consequently the ultimate economic impact is substantially greater than the amount of money stolen.

Botnet/DDOS

Beyond direct financial fraud, the installation of malware can also facilitate denial of service (DDOS) attacks on networks secondary to the computer that has been attacked. These techniques involve the co-opting of many computers which all simultaneously request information from the same server, essentially congesting the network and preventing it from functioning. It is worth noting that significant further work would be required to use buffer overflow techniques to successfully set up DDOS schemes, as the time and labour intensive technique we used will only allow small numbers of computers to be captured. The marginal benefit (to the DDOS attack) of gaining control of any one machine is very small, so automation would be essential to gain sufficient scale to effectively carry out an attack. Such attacks could be carried out by a terrorist group to engage in protection rackets for fundraising purposes, to inflict a financial loss on an ideological enemy, or to disrupt any internet based service. The damages inflicted are largely dependent on the goal of the attack and the nature of the target. Of particular concern is that terrorists could coordinate a physical and web based attack to disrupt emergency services and other coordination heavy post-disaster essential services, or to prevent technology based aggregation and dissemination of important information. As such a DDOS attack involves much more than a buffer overflow exploit on a single computer, its impact will be considered only in general terms. The impact on the co-opted computer is negligible.

(i) Protection racket/fundraising

The economic impact is proportional to the rate at which the disrupted service earns money and the length of time for which the attack is sustained before the deployment of effective countermeasures. The cost of countermeasures also needs to be taken into account.

(ii) Infliction of financial harm for ideological/non-financial reasons

As above, the economic impact is proportional to the rate at which the disrupted service earns money, the length of time for which the attack is sustained before the deployment of effective countermeasures and the cost of countermeasures.

(iii) Disruption of internet based services

There is now significant coordination of government, non-profit and business activity via the internet. Disruption via DDOS could have drastic consequences, especially if it was coordinated with the aftermath of a physical terrorist attack in a large population center.


2. Walmart VP Computer

The use of a buffer overflow to gain control of a Walmart computer could have many of the same consequences as an attack on a personal computer. It is likely Walmart would disallow the use of their computers for personal shopping and banking, making fraud and identity theft less likely, but the Walmart computer could definitely be exploited for use in a DDOS attack. Obviously the larger and fundamentally different concern, given the VP's responsibility and authority with respect to ordering from China, is that the computer could be used to inflict a large cost on Walmart or its suppliers by placing false orders, cancelling orders or otherwise maliciously manipulating the supply chain. Walmart is a sufficiently large entity that large scale malfeasance in the supply chain could have serious flow-on costs to the whole US economy. Clearly, ordering unnecessary product will cost Walmart the difference between what they paid and the price at which they are ultimately able to sell the product combined with the opportunity cost of not ordering something more profitable with the money. The precise cost will vary across different markets according to consumer demand, the durability of the good, the lucrativeness of the missed opportunities, etc.

Several factors concerning the corporate structure and legal architecture of the supply chain protect against too substantial a loss being inflicted. Firstly, it is legally necessary for a supplier to know they are dealing with someone with authority to bind a corporation in contract. Secondly, it is likely that a supplier would be inclined to question an abnormal transaction – in fact, even without human intervention, software to filter for this sort of incident is likely to be installed already and may give rise to an alert. Whilst Walmart's conduct in honouring orders from the computer before may go some way to giving the supplier the right to assume such orders will be honoured, if a particularly large or abnormal order comes through, it is likely that the supplier will make further inquiries, both to ensure that the order is binding on Walmart due to the corporate authority of the orderer and also out of normal business courtesy. Walmart can also limit their potential losses by conferring corporate authority on the VP to make orders only up to a certain necessary amount, so that abnormal orders are non-binding.

It is likely that, given the protections built into the corporate mechanism where limited authority is given to any one VP and where abnormal transactions are likely to be both non-binding and to give rise to human intervention, the damage caused by a buffer overflow exploit on the VP's computer is likely to be primarily nuisance - lost work hours for the VP and colleagues and for the supplier in China. The economic impact will be measurable, though it is contingent on too many factors to estimate. Nonetheless, it is unlikely to be significant in the scale of Walmart's day to day operations.


   A. Home computer
      1. Credit card fraud - This can be exploited several different ways, but in the end, the consumer's liability is limited to $50.00.  Thus, it is a more significant risk for the financial institutions than for the consumer.

--Cmckenzie 11:39, 21 October 2005 (PDT) We still need to assess the risk, whoever is ultimately legally liable for the loss. There is a useful statistic on the average cost of an incident of internet credit card fraud which places the value in the US at around $2K (I misplaced the stat but I'll find it again). Losses are potentially very great if this vulnerability allows the implementation of an automated system for credit card fraud - $2K every how many seconds? Also worth thinking about the different implications for high/low net worth individuals.

      2. Identity theft - This can have much more serious financial consequences for the individual and can take several years to sort out.

--Cmckenzie 11:39, 21 October 2005 (PDT) There's a stat somewhere on this too, I'll try to find it if no one else does.

      3. Botnet/DDOS applications

--Cmckenzie 11:39, 21 October 2005 (PDT) Cost is entirely borne by others. The incremental increase in cost of having a single computer added to a DOS is, I would guess, very low, so the cost here depends on scalability.

      4. Reporting incorrect information.

--Cmckenzie 11:39, 21 October 2005 (PDT) 5. Ability to execute/enter financial transactions (online trading, loan apps, etc) outside the authority of the normal user.

   B. Walmart ordering computer
      1. All of the home computer items, and...

--Cmckenzie 11:39, 21 October 2005 (PDT) Probably not identity theft or cc fraud, if Walmart have 1/10th of no concept of security. Perhaps low level staff would be allowed to use their computers for personal business, but it would pay to not allow this if a computer had large ordering authority.

      2. Ordering things inappropriately.

--Cmckenzie 11:39, 21 October 2005 (PDT) Potential cost - if ordering is done with no further communication, potentially write-off entire value of order. Potential loss = ordering authority of computer.

      3. Failing to order things when requested.

--Cmckenzie 11:39, 21 October 2005 (PDT) Probably not as bad. Potential loss = loss on profit per item rather than write off of entire cost.

      4. Business strategy advantage for either supplier, competitor of supplier, or competitor of Walmart (depending on who compromises the computer)


C. This is a link to the section on attacks on a trading computer at Charles Schwab Team_12_Trading_Computer_Attack

III. Applications of value to terrorists

(Brian's written up some of this in e-mail - please paste it in Brian)

--brianmcg 18:40, 21 October 2005 (PDT)

Attack Scalability, Feasibility and Value

The scalability, feasibility and potential value of a buffer overflow attack varies with the type and age of the attack used and the target of the attack. The overflow exploit itself grants access to a system, but the real damage is determined by the quality of the attack carried out after the system is controlled. In general, as the value of the attack increases, the scalability and feasibility of the attack decreases. This is due to the increased difficulty in exploiting more valued targets due to better security, requiring additional technical and financial resources be used by the attackers.


      A. Scalability

--brianmcg 18:40, 21 October 2005 (PDT) The scalability of the attack is determined by how easily the attack could be expanded from a single exploit to something that could either be used against multiple targets or by multiple groups of attackers for greater effect. A widespread and quickly carried out attack would be required to do maximum damage before it is identified and systems are secured against it. Highly scalable attacks would require fewer, smaller teams (since the more and larger the teams the more difficult the coordination would be) with less technical capabilities (since highly technical people are harder to find). The most scalable attack would be one that required a single person and was designed to self-propagate quickly over a network, exploiting and then searching for hosts to infect. Less scalable attacks might require multiple steps, wouldn’t propagate on their own or require a human for any stage of the attack.

Attacks can be placed into one of two categories – general and targeted. General attacks are against any system publicly accessible from the Internet using an exploit against a flawed service accepting connections on publicly accessible ports. Targeted attacks are against systems that are not directly accessible from the internet as they are protected by a firewall or run on a separate network infrastructure. These targets are presumably more valuable because they are better secured, but would require a more complicated strategy to attack, decreasing the scalability and likelihood of such an attack.

In the case where a buffer overflow attack is against a system that is directly accessible over the Internet and exposes a flaw that is part of a network service, the attack is inherently scalable. The attackers would only be limited by the speed with which they could scan systems for the flaw and exploit them. The rate of scanning systems for the flaw would be determined by the number of systems the attackers have at their disposal to carry out the search. If the exploit includes changing the exploited system into one of the attacking systems, then the attack can propagate very quickly, which is why worms of this type are the most likely to make the news and cause major disruptions to the Internet.

For a buffer overflow attack against a system that isn’t directly accessible over the internet or against software accessible only after logging in to the targeted computer, the difficulty in penetrating the security to reach the flawed program causes the attack to be far less scalable. Breaking through a DMZ to access a computer on an internal company or government network would require more specialized skill sets and exploratory attacks as the defenses are not known until they are reached. For this reason attacks that target systems or software that are not directly accessible over the internet are not as scalable.

--Chris DuPuis 21:51, 21 October 2005 (PDT) Note: While local exploits are less dangerous as targets for outside attackers, they provide a huge hole that can be exploited by insider hackers, which (according to this article) account for 70% of all malicious attacks. So in some sense, local root exploits scale to the space of all companies that have disgruntled employees.

--Chris DuPuis 20:31, 22 October 2005 (PDT) (Note that this was 70% in 2000. Outside attacks have certainly gone up since then. Have inside attacks also gone up? An insider would have a foot up in knowing which systems to target, which attacks would be least defended against, and how best to take advantage of the exploit.)

      B. Feasibility of acquiring the technical and financial resources

--brianmcg 18:40, 21 October 2005 (PDT) The feasibility of the attack is determined by the likelihood of a flaw in software, the difficulty inherent in carrying it out, and affected by the technical and financial resources needed to execute the attack. Buffer overflow flaws in software are fairly common, and are routinely discovered and patched. There are almost certainly flaws remaining in software running on Windows and *nix systems, and new software (with new flaws) is being written all of the time. As we saw in this exercise, exploiting flawed software with a buffer overflow attack is not difficult for a programmer who has time to research the system that will be attacked. However, the targets we exploited were much easier to understand than actual software running on most systems. The technical feasibility is determined by how easy it is to find or otherwise procure an exploit that is not widely protected against.

Technical Feasibility

Assuming that shortly after an exploit is publicly known, most computers are upgraded to be secured from the attack, one of two things would be needed to carry out a new attack on a large scale. Either the terrorist organization would need to have skilled members who are actively researching systems for previously unknown exploits, or they would need to have members who have achieved enough trust or credibility in a cracker community such that they have access to online resources where zero day (that is, knowledge of an attack as it is discovered and before security companies are aware of it) attack information is posted by those who have done the primary research and first identified the exploit. The assumption that most attacks are only useful shortly after an exploit is identified is likely correct for valuable targets, since the more valuable a system, the more likely it will be patched, upgraded and protected from older attacks. While some systems are not kept up to date with security patches, they are likely less valuable, though they can be used to propagate other new attacks. This yields the requirements that skilled technical resources are needed for an attack against a valuable target.

Less technical resources would be needed to carry out attacks using known exploits since by the time an attack is commonly known, usually a kit has been put together for carrying it out. The user of a rootkit (a user friendly tool used to gain root access to a system) need not understand the software being exploited or the security flaw, but simply needs to understand how to use the tools provided. Waiting for an exploit to be available in this format would reduce the technical requirements of the attack but also significantly reduces the value of the attack as more potential targets are secured against it, making it more feasible, but likely less valuable.

A terrorist group that wants to research its own attacks would require skilled individuals being supported while they research potential targets. The terrorist organization would not be able to guarantee any amount of output of new exploits since the frequency and quality of the new exploits would be completely dependent on the skill of their members. People with these skills would not have to be university trained, but would need a significant education in programming. Technical people with these skills are readily available in many countries and would not be difficult to identify. However, building a team of such members is likely not very feasible unless the group funds placing its own members through training to become programmers. Because of limited resources such research by a terrorist group is not very likely.

As an alternative, a terrorist group could rely on others for the exploit research. This requires less technical skill, since they need only understand the exploit, not discover it, making it more feasible for them to have the technical resources since the more complicated work is done for them by others. This however would be more difficult from a social perspective since gaining access to 0day information requires an established presence in a community that may not be easy for many terrorist organizations to acquire. So the technical feasibility is greater, but other barriers would arise.

For better secured, more valuable systems that are not directly reachable over the internet, it would be significantly harder for the terrorist group to find technical resources required for such an attack. Buffer overflow attacks could be used to gain root access to such a system, but multiple exploits would likely be needed to carry out the complete attack. In addition the quality of the attack would need to be significantly higher because the attack takes more time. The longer and more complicated the attack, the more likely that the attack will be discovered before it is completed, requiring that the attackers take additional precautions to avoid leaving a trail (only storing in memory, hiding processes and effects of the early stages of the attack or exploration).

Financial Feasibility

The financial resources required depend on the method of acquiring and implementing the exploit. The resources needed for the terrorist organization to generate their own exploits would be significant as the organization would need to employ, train or recruit technical personnel who would otherwise be able to have legitimate jobs that pay well. The likelihood of discovering an exploit is completely dependent on the skill of the engineer, and it is likely that more money would be needed to entice better technical members to join or work for the organization. If the group has a member with access to information about newly discovered exploits, far less financing would be required for this type of attack as anyone with enough charisma and enough technical knowledge to pass could potentially gain access to information about newly discovered exploits. It might be possible to buy 0day exploits from those who have access to them (not necessarily the person who first discovered the exploit). The cost would likely be far less than funding the research on its own, but more than the cost if the group has a member that has connections among those researching 0day exploits.

      C. Potential value of cyberattack as a tool for accomplishing the aims of terrorists (David C would like to work on this section)

--brianmcg 18:40, 21 October 2005 (PDT) Value

The value of an attack would be judged based on the amount of disruption caused, the notoriety of the attack and/or the amount of money or information it would yield the terrorist organization.

A buffer overflow attack carried out against systems that can be exploited over a network connection would likely impact the largest number of systems, causing the most disruption to the average user. The impact would likely be to inconvenience people temporarily until a fix is provided, depending on the effect of the code propagated by the exploit. Because a large number of people would be affected, it is likely that the attack would gain significant publicity for the terrorist organization, though it would be up to the group to claim responsibility for the attack if they wished. The financial impacts of the attack would include a temporary stop in commerce for affected users, the sum total of which might be significant, but the impact would be spread out over so many people that no one organization might be heavily impacted.

A significant amount of money could be made by the terrorist organization if, once the host is compromised by the buffer overflow, the system is scanned for credit card and bank information, passwords, etc. If this information is relayed back to the terrorist organization and resold or used quickly, a large amount of revenue could be generated. The terrorist organization might choose a specific target for political or other reasons. Law enforcement agencies that might be attempting to track the group would have information useful to the terrorists, including potential spies, locations under surveillance and other intelligence-gathering methods.

--David Coleman The question of the value of a cyberattack to a terrorist organization is an interesting one. It is very clear that more “conventional” attacks have certain strategic value to certain types of terrorist organization, with different types of attacks having different value to different organizations. While it is unlikely that a cyberattack by itself could become a tool that results in one or more terrorist organizations achieving their primary goals, a cyberattack could be used effectively to attack the economy, change the way ordinary citizens act in their daily lives, finance their organizations, and amplify the effect of a more conventional attack when coordinated with it.

Just as other terrorist tactics can cause people to alter their behavior, cyberattacks can convince people to change their cyber patterns. Convincing people that online banking, shopping, and the like are too risky would likely cause them to rely upon more traditional establishments (i.e. brick and mortar). This would have several net negative effects for individuals, corporate America, and the general economy. Using the Internet to conduct transactions allows for more convenience for the customer (resulting in more overall transactions taking place), has created both new businesses and entirely new markets for products and services, and has allowed businesses to lower costs, thus increasing profitability and passing that lower cost on to the consumer. Any sort of cyberattack, or series of cyberattacks, that compromised individuals' confidence in the Internet would have the effect of reducing their usage of it. That reduced usage would likely result in fewer overall transactions taking place, which would lower revenue for the affected businesses. Businesses that relied upon the Internet to lower costs or extend services would have to invest in other types of infrastructure in order to support their customers. System performance would probably suffer, resulting in fewer transactions. Additionally, that would drive costs significantly higher, which would further impact revenue. So reducing consumer (and business) usage of the Internet would not only result in decreased revenues due to fewer transactions taking place; the costs of the remaining transactions would also be higher, resulting in a “double whammy” that significantly reduces profitability. This reduced profitability would negatively impact financial markets and consumer confidence, which could result in a downward spiral for the economy.

Cybercrime, with cyberattacks being used to commit it, can be very financially lucrative. Phishing schemes, stealing passwords via keystroke loggers, and identity theft from unsecured computers and transactions all allow for significant income with fairly low investment and a low probability of being apprehended. As such, it can become a valuable tool for raising money to support more conventional forms of terrorism. In this scenario the cyberattack doesn’t directly result in the organization achieving its goals, but it does directly benefit the terrorists and enable them to use other types of attacks to do so.

Successfully attacking financial market computer systems would have a drastic, negative impact on domestic and international confidence in our financial markets. Financial markets run on the backbone of confidence. Remove that confidence and the market comes tumbling down. Enron, WorldCom, and others that came to light in 2001 were more damaging to America than the 9/11 attacks ever could have been because it caused a crisis of confidence; investors simply did not trust the financial information reported and elected not to participate in those markets because of that lack of trust. If a situation were created where the infrastructure of the financial markets could not be trusted, not because of greed, but because of intentional disruptions, an even more serious reaction would occur. It would represent a lack of control to the players who are most involved in the markets. Greed and market manipulation, while unlawful and immoral, are well-understood (and somewhat expected) phenomena to the participants, so it is annoying, but not particularly worrisome. It would be a much more serious issue if, for example, the trades reported could not be trusted to have actually been executed.

The final scenario, and probably the most worrisome one, is when a cyberattack is coordinated with another, conventional attack to maximize its effectiveness. The Internet is used widely as an information dissemination tool and any type of attack that disrupted the Internet would clearly disrupt any of those efforts. Disrupting the Internet would also have the effect of appearing to magnify the size of the attack. By affecting one of the crucial services this country relies upon, it would add the feeling of vulnerability and unrest that an attack would surely cause. A hidden effect is the impact disrupting the Internet would have on responding to another attack. Either knowingly or unknowingly, a large portion of the military, coordinated emergency response, etc. relies upon the Internet. A significant disruption of the Internet (measured in terms of size of area of the country affected or length of time disrupted, or both) could, and probably would, hamper response efforts. So coordinating a cyberattack with a more conventional terrorist activity would act as a force multiplier and increase, at the very minimum, the perception of the scale of the attack if not actually increasing the magnitude or the effect of the attack itself.

Of the strategies and options discussed, using a cyberattack coordinated with a conventional attack to amplify its effect is probably the most realistic scenario. Using a long-term, systematic attack on the Internet, or attacking the financial systems, in the hopes of disrupting the economy is probably more the domain of a State, not a terrorist organization. Additionally, terrorists could, and probably do, use the cybercrime aspects of attacks on the Internet to finance their activities.

--Cmckenzie 19:58, 24 October 2005 (PDT) [this is from George logged in as Cameron]

I'm late to the game here, so take this with a grain of salt, but I have trouble understanding why a terrorist organization would take part in the money-making schemes, or cyber terrorist attacks, in this project. Nihilists, or anti-capitalists, or anarchists perhaps. But cyberterrorism, while relatively anonymous, is far less anonymous than being in a sleeper cell preparing for a conventional attack. Opening your group up to computer and financial forensics seems like a huge risk to take, for very little payoff. The money to be made in phishing, et al. is far more likely to appeal to organized criminals than terrorists. The 9/11 attacks, for example, were executed for under $1 million with box cutters. That isn't to say that we shouldn't protect these systems, just that the threat comes from outside the terrorist world.

Also, I don't think the US economy is at risk of serious damage from these types of attacks. Individual businesses are, for sure. But we just had a hurricane destroy a major metropolitan area leading to little more than a blip on the national economy. (The economic effects of 9/11 were just as small.) Again, if they could take down the internet for, say, a month, there might be significant economic damage. But I don't think that an attack like the ones described here would trigger a negative chain reaction in the economy.

Strategic Value for Al Qaeda

Al Qaeda’s goal is to drive American and western influence from the Muslim world and establish a fundamentalist Islamic Caliphate governing the Ummah. The core leadership of Al Qaeda hopes to build a movement of radical Islamist insurgents through public diplomacy, spectacular terrorist attacks, and luring the West into public relations disasters. These actions are directed at increasingly sympathetic audiences in the Muslim world.

Isolated in the hinterlands of Afghanistan and Pakistan, the core leadership of Al Qaeda is incapable of launching cyber-terror attacks. Its “franchise” operations in India, Pakistan, the West, and East Asia certainly have access to the expertise and technical resources needed. However, these attacks do not fit into Al Qaeda’s typical attack portfolio: they are not spectacular media-driven events; they only indirectly attack America’s strategic strength, the US economy; they do not lend themselves to recruiting drives centered on appeals to suicide jihad. Despite how easy and cheap cyber-terrorist attacks are, most Al Qaeda attacks are cheap, low-tech operations. Al Qaeda seems unlikely to risk unraveling their network of cells for a cyber attack.

If Al Qaeda attacks our technological infrastructure, these attacks would be peripheral to their overall strategy. Given Al Qaeda’s appeal in much of the world, computer-expert terrorists will inevitably join the movement. The ease of evading capture in Qaeda-sympathetic countries like Indonesia and Pakistan will raise the probability of repeat success. Ultimately, however, Al Qaeda will consider its resources better spent elsewhere.

Strategic Value for Lone Wolves and Small Group Terrorists

Far more likely are tech-savvy lone wolves or small independent groups of terrorists targeting US information technology. Like their hacker brethren, cyber terrorists need only be single agents. As computer skills proliferate globally, groups with various anti-capitalist or anti-technology grievances will attack the internet as a symbol of globalization. Disgruntled former employees, eco-terrorists, neo-Luddites, millenarian cultists and other groups, thinking more personally and less strategically than Al Qaeda, will have the opportunity, expertise, and motive to attack internet-based technologies. Groups who shrink from violence, but nonetheless seek publicity (and do not fear incarceration), will view the Internet as a target of opportunity.

IV. Defenses

The wiki page is getting too big, so section IV is at:

http://cubist.cs.washington.edu/CyberSecurity/index.php/Team_12_Main_SectIV