The Tech Behind Cyber Attack
October 31 | Part 1: From Packets to IP and the “Ping of Death”: An Introduction to Cyber
November 28 | Part 2: From Stone Knives to Star Wars: the Tech of Cyber Attack in the Russo-Georgian War of 2008 and the Threat of W32.Stuxnet

overview
• Review of bits, bytes and things that go bump on the internet
• Using ping, nslookup and tracert to find your targets
• Stone Knives: concept and practice of cyber in the Russo-Georgian conflict of 2008 – Distributed Denial of Service attack
• Star Wars: W32.Stuxnet, the attack, how it works, the complexity of it, who could have made such a thing?

bits and bytes
• bit (binary digit): the basic unit of information in computing, the amount of information stored by a digital device in one of two possible distinct states: 0 and 1 (not 1 and 2), off/on
• digital value of 1 = positive voltage, up to 5 volts
• digital value of 0 = 0 volts
• 8 bits = 1 byte, usually, but depends on hardware
• byte: the number of bits needed to encode a single character of text in a computer

binary to letter
01110000 = p
01101001 = i
01111010 = z
01111010 = z
01100001 = a

data and packets
• data: binary files, 01010010010010010… etc.
• packet: a unit of data, from binary to text or image
• packet: control information and payload
• control information: data the network needs to deliver the payload, e.g. address, error control
• payload: the content of your “digital letter”

hosts on networks
• who has the data? who doesn’t…
• hosts going global and mobile
• networks: start local, LANs, wireless LANs, AirBears
• client-server model
• addresses, what’s your unique network address?
• Type: ipconfig, find IPv4 numerical address
• ping www.wikipedia.org
• ping ist.berkeley.edu
• ping www.ca.gov
• ping www.usa.gov
• ping, an echo request from host to host

ping, an echo request
ping, the payload

OSI model

Network Ports
21: File Transfer Protocol (FTP)
22: Secure Shell (SSH)
23: Telnet remote login service
25: Simple Mail Transfer Protocol (SMTP)
53: Domain Name System (DNS) service
80: Hypertext Transfer Protocol (HTTP) used in the World Wide Web
110: Post Office Protocol (POP)
119: Network News Transfer Protocol (NNTP)
143: Internet Message Access Protocol (IMAP)
161: Simple Network Management Protocol (SNMP)
443: HTTP Secure (HTTPS)

OSI model

internet and the web
• internet: network of networks, millions of networks
• web: system of interlinked hypertext documents
• ports: http 80
• Try it: http://www.techcomfort.com:81
• Try it: http://www.techcomfort.com:80

ping, nslookup, traceroute
• how does the traffic flow?
• network devices: hubs, routers, switches
• using nslookup, names and numbers
• nslookup www.berkeley.edu
• nslookup www.usa.gov
• using traceroute
• tracert www.techcomfort.com
• tracert www.berkeley.edu
• tracert www.ca.gov

attack!
Professor Nacht has left instructions for you to build and launch a cyber attack on the nation state of Vulgaria. You have everything you need to build it. How would you do it?

attack!
• Step 0: Recall that an echo request is an ICMP (ping) message whose data is expected to be received back in an echo reply. The host must respond to all echo requests with an echo reply containing the exact data received in the request message
• Step 1: Create a list of Vulgarian military and civil servers that should be targeted
• Step 2: Write a simple script (program) that repeats your ping request many times a second
• Step 3: Plant this script on computers across the globe
• Step 4: “Flood” the Vulgarian servers with ping requests from multiple hosts… to which it cannot keep up… the result...

attack!
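From the defender's side, the ping flood just described shows up in a packet capture as a burst of ICMP echo requests to one destination from many sources. The following Python script is an added example, not part of the lecture: it reads constructed tcpdump-style summary lines, counts echo requests per destination per one-second window and reports windows above a threshold together with the number of distinct sources (the 100-requests-per-second threshold and the sample addresses are assumptions).

```python
"""Flag ICMP echo-request floods in tcpdump-style summary lines (constructed sample data)."""
import re
from collections import defaultdict

# Matches "tcpdump -n -tt icmp" style lines such as
# "1218100000.001 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 7, length 64"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request,")

def parse_echo_request(line):
    """Return (timestamp, src, dst) for an echo-request line, or None for anything else."""
    m = LINE_RE.match(line)
    return (float(m.group("ts")), m.group("src"), m.group("dst")) if m else None

def detect_icmp_flood(lines, threshold=100, window=1.0):
    """Count echo requests per destination per time window; return (dst, window_start,
    request_count, distinct_sources) for each window reaching `threshold`. Many distinct
    sources behind one flooded destination is the distributed ping flood from the slides."""
    counts = defaultdict(int)   # (dst, window_index) -> echo requests seen
    sources = defaultdict(set)  # (dst, window_index) -> source IPs seen
    for line in lines:
        parsed = parse_echo_request(line)
        if parsed is None:
            continue            # echo replies, TCP, noise: not counted
        ts, src, dst = parsed
        key = (dst, int(ts // window))
        counts[key] += 1
        sources[key].add(src)
    return [(dst, idx * window, counts[(dst, idx)], len(sources[(dst, idx)]))
            for (dst, idx) in sorted(counts) if counts[(dst, idx)] >= threshold]

def constructed_sample():
    """Constructed capture: 30 hosts each ping 192.0.2.10 five times within one second
    (a flood), plus one host pinging 192.0.2.20 once per second (normal traffic)."""
    t0, lines = 1218100000.0, []
    for i in range(30):
        for seq in range(5):
            ts = t0 + (i * 5 + seq) / 150.0
            lines.append(f"{ts:.3f} IP 203.0.113.{i + 1} > 192.0.2.10: ICMP echo request, id {i}, seq {seq}, length 64")
    for seq in range(3):
        lines.append(f"{t0 + seq:.3f} IP 198.51.100.7 > 192.0.2.20: ICMP echo request, id 9, seq {seq}, length 64")
        lines.append(f"{t0 + seq + 0.01:.3f} IP 192.0.2.20 > 198.51.100.7: ICMP echo reply, id 9, seq {seq}, length 64")
    return lines

if __name__ == "__main__":
    for alert in detect_icmp_flood(constructed_sample()):
        print("flood: dst=%s window=%.0f requests=%d sources=%d" % alert)
```

On the constructed sample the script reports one flooded window for 192.0.2.10 with 150 requests from 30 sources, while the single host pinging 192.0.2.20 stays below the threshold.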
server failure

attack!
• You have just conceptualized the opening cyber salvo used in the Russo-Georgia War of 2008.
• July 19, 2008: The First Salvo of Cyber Attack
  o flood http www.president.gov.ge
  o flood tcp www.president.gov.ge
  o flood icmp www.president.gov.ge

defacement attacks
• Defacement attack on the Georgia Ministry of Foreign Affairs website (evening of Aug. 8, 2008)

HTTP flood
• An HTTP flooder distributed to regular internet users for the purpose of overloading Georgian websites with traffic

stopgeorgia.ru site
• A screenshot from the stopgeorgia.ru site on Aug. 10, 2008.
• The table shows the availability of different websites from Russia and Lithuania; the line over the table reads, “priority targets for attack”

summary of attack
• Static lists of targets were distributed in order to eliminate centralized coordination of the attack
• DoS tools were provided, available for download, as well as instructions on how to ping flood Georgian government web sites
• Lists of Georgian sites vulnerable to defacement attack were published
• Abuse of public lists of email addresses of Georgian politicians for spamming and targeted attacks

characterizing the attack
• A militia-style attack with some advanced characteristics in targeting and reconnaissance

Part 2: The Cyber of W32.Stuxnet
Stone Knives to Star Wars: The Tech Behind the Cyberattacks launched against Georgia and the Emergence of W32.Stuxnet

w32.stuxnet
nation-state, weapons-grade attack software
• Stuxnet is a cyber threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant.
The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries

infections
• As of September 29, 2010, 100,000 infected computers had been identified, most of them in Iran
• Stuxnet aims to identify those computers which have the Siemens Step 7 software installed

built with components
• Zero-day Microsoft exploits (4) (vulnerabilities unknown)
• Windows rootkit (high-level computer access, invisible)
• Programmable Logic Controller (PLC) rootkit
• Antivirus evasion techniques
• Complex process injection and hooking code
• Network infection routines
• Peer-to-peer updates within a LAN
• Contacts a command and control server
• The value of components is their ability to be used and reused in multiple instances and independent development… from submarines to aircraft to space stations

centrifuges at US uranium enrichment plant
centrifuges in Natanz, Iran
programmable logic controller
windows root-kit and a zero-day exploit
command and control

antivirus evasion
• Table 5 describes which process is used for injection depending on which security products are installed. In addition, Stuxnet will determine if it needs to use one of the two currently undisclosed privilege escalation vulnerabilities before injecting. Then, Stuxnet executes the target process in suspended mode.

attack setup (theoretical)
• A country wants to develop uranium and needs industrial centrifuges to do this. Reactor grade uranium with lots of U-235 is hard to come by. Harder still is weapons grade uranium. You need a centrifuge for isotope separation.
• The country purchases centrifuges from Siemens, a German electronics and engineering company.
• Centrifuges are run by industrial control systems (ICS)
• ICS are operated by code on Programmable Logic Controllers (PLCs)
• PLCs may be programmed by Windows machines, not connected to the internet or any network

Uranium 235 content
• Here the heavy isotope of uranium (U-238) is represented in dark blue, while the lighter isotope (U-235) is represented in light blue. The input gas (here represented as a fairly even mix of U-235 and U-238, though in reality natural uranium hexafluoride would have less than 1% U-235 in it) is released into the center of the centrifuge, and the centrifugal forces cause the heavier gas to concentrate at the edges of the centrifuge and the lighter gas at the center. By heating the bottom of the centrifuge the lighter gas will be moved by convection currents to concentrate at the top while the heavier gas will concentrate at the bottom (scoops, not shown, would then extract the gases).

Centrifuge at work

attack steps
• Step 0: reconnaissance; need the ICS’s schematics of the target system and its computing environment
• Step 1: set up a mirrored environment that would include ICS hardware; develop the Stuxnet code
• Step 2: obtain driver files that are “digitally signed”
• Step 3: introduce the Stuxnet executable into the target computing environment by infecting a willing or unknowing third party
• Step 4: once installed, Stuxnet looks for Windows computers used to program PLCs and eventually finds one…

attack steps
• Note: the infected Windows machine will not have outbound access to the internet, thus all sabotage functionality must be embedded in the Stuxnet executable
• Step 5: Once the right computer is found, code on the PLC is modified
• Step 6: Stuxnet hides its modifications

installation complexity
infection complexity
w32.stuxnet timeline

characterizing the attack
• Significant development cycle: six months, five to ten core developers, many other individuals such as quality assurance and management
• Advanced reconnaissance or coordination
• High degree of targeting (Iran)
• Highest degree of complexity known in a virus
• The result: Stuxnet = nation-state, weapons-grade attack software

duqu
• Recall that W32.Stuxnet is component based… Will Stuxnet components be used again?
• Nov. 1, 2011: W32.Duqu, a remote-access Trojan (RAT). Symantec calls it “the precursor to the next Stuxnet”
• Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers in order to more easily conduct a future attack

Interested in IT and Public Policy?
• Consider taking my class next Fall
• Course: PP290: Information Technology and Public Policy
• Learn real, hands-on IT skills (HTML, SQL, Python programming)
• Combine skills knowledge with IT concepts (networks, content management systems, IT systems adoption…)
• Apply your growing IT knowledge to Public Policy problems
• Imagine a Public Policy problem for which IT is not part of the solution?