The dawn was cold and gray as Joe slipped on his coat and swallowed the last bit of coffee. Last night's research was profitable for his bank account and beneficial to the company. He was glad he followed that tip from his buddy on a new toolkit. It didn't cost much and he more than got his money back with his bonus check.
Sometimes he longed for the good old days as a command line commando. But now that he's more mature, he likes that the tools allow him to have a personal life with a predictable daily routine. He stepped through the door into the damp mist and headed for home …
The protection of our networks has become much more difficult than in the past when threats focused primarily on manipulating electronic funds and skimming cash from the careless. Over time, our economy has accepted information as a new commodity that is valued and in demand.
In the past and still today, hackers might try to use a stolen or hacked credit card to buy hundreds of dollars of items for resale. But the more lucrative market today is the sale of credit card numbers and personal identities — information.
Credit card numbers with valid account information can fetch up to $5 per account, and bank account numbers with valid account information can yield up to $400 per account, depending on available balances.
The incentive has shifted from the more risky use of the card or account to the sale of information. Figure 1 summarizes the monetary value of this underground economy.
Along with the increase in return for hackers, there has also been an increase in demand for tools or toolkits that automate hacking and identify vulnerabilities for possible exploitation.
The best tools and newly discovered system vulnerabilities are auctioned off to the highest bidders online, creating a thriving market for "black hat" software programmers. The tools automate repetitive techniques and probes, freeing up the user to do other things, or the user can leave the machine unattended and return later to collect the results.
The tools also add precision in targeting systems and information. The ready availability of tools means a hacker no longer has to be an expert in computer languages, or interface through the command line. Some tools even provide an easy-to-use graphical interface that makes hacking a point-and-click exercise.
When Joe returned that night, he grabbed a cup of coffee before checking his terminal for the results. His trained eye quickly spotted anomalies in the printouts. Eureka! One of the reports identified several improperly configured servers and multiple network and user systems without proper patches.
He quickly went to his computer files and retrieved the account and password information he had gotten several weeks ago by pretending to be a technician on the help desk. He now has all the pieces needed to attack his assigned target.
Joe heard the bump of the office doors closing and the arrival of one of the apprentices. Her youthful exuberance and naivety reminded him of his younger days as an idealistic social activist hacker.
Nothing felt as good as tagging a Web site or using his skills for political statements. As he got older, he got smarter. He realized he was being exploited by causes for the monetary gain of a few, and quit for a while, until he was tipped off about this gig.
Despite his disillusionment, he still gets a sense of youthful satisfaction from defeating a challenge, but now the rewards are so much more substantial …
The motives of hackers have changed with the increased reliance on the Internet by government and commercial firms for sharing and storing information.
In the earlier days of the Internet, hacking attracted the curious and the thrill seekers. Hackers were more likely to be inspired by the 1983 movie Wargames than any desire to become rich. Most crimes were thefts of telephone service (and later, cellular service) from the phone company or attempts to alter or “graffiti” Web pages. Hackers were motivated primarily by curiosity and for the prestige bestowed by other hackers.
Hacker clubs such as Legion of Doom and Masters of Deception attained great notoriety during this time, along with individuals such as Kevin Mitnick and Kevin Poulsen. These early cyber-crimes cost phone companies and businesses money, but there was relatively little monetary gain for the hackers.
Today, with the continuing maturation of Web 2.0 and its emphasis on information sharing, the routine use of networks for information transfer, business transactions and daily organizational needs, the rewards for success have changed. Figure 2 is an illustration of cyber-security motives and their impact.
The availability of sophisticated tools adapted to hacking, the decrease in skills needed for success, and the high return of successful exfiltration of information combined with the low risk of detection have also broadened the threat profile from “kiddie” hackers to well-organized and well-financed organizations.
Present day hackers may have electronically stolen millions of dollars from bank accounts by transaction skimming and other scams before getting caught. Statistics are not collected on the money lost to cyber-crime but the Government Accountability Office in 2005 estimated $67.2 billion in annual losses for U.S. organizations due to computer crime.
Defending against network threats is a difficult, but not impossible, task. Identification of threats or threat actions is complicated since adversaries, allies, governments and the private sector all operate in the same virtual space.
Defenders of networks are overwhelmed by the speed of transactions and the volume caused by the huge Internet user population. Many of the current practices, techniques and technical solutions have lagged behind the increase in user sophistication and the evolution of information sharing technology.
The ability to share information is progressing far more quickly than the ability to prevent unauthorized information sharing because the focus of the Internet evolution is to remove impediments to information sharing and access for users.
The threat to the Defense Department is increasingly unacceptable because exfiltrated unclassified information could lead to insight about current and future warfighting capabilities.
Information has become a strategic asset to commercial competitors and rogue states because the business of America is conducted on the Internet. Statistics show a huge increase in incidents involving personal, business and government information. Figure 3 provides statistical data regarding the Internet threat.
After a few minutes, Joe was logged into the network on one of the compromised user accounts. Shortly after, he was able to exploit a common vulnerability in the network to establish a separate account with administrative privileges.
A quick scan of the system administrator console showed no active network monitoring engaged, just the usual auditing. That meant he could take as much time as he needed. It would be days or weeks before any review of the audit records would be conducted, if at all.
He used the help desk’s own remote maintenance software to download the data from the hard drives of pre-selected targeted computers. Before logging out, he installed a clandestine program that will operate in the background of the target machines to mine any future information. The program will also spread throughout the network in e-mailed documents to other users …
Exfiltration, the unauthorized transmission of data from a system, is particularly difficult to detect since the user has no indication of data being stolen. Detection requires the recognition that transactions that appear normal, done in certain sequences and at different times, may indicate trouble.
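The detection problem described above, individually ordinary events that only look wrong when taken in sequence, can be illustrated with a small correlation rule. The following is an added example, not code from the article or from the DON; the audit records are constructed, the field names are assumptions, and the four-step sequence (login, creation of a privileged account, a large remote copy, then a service installation, all within one window) mirrors the vignette in this article. Each step alone is routine administration; the rule flags only the ordered combination.

```python
"""Sequence-based exfiltration indicator over constructed audit records.

Added example for this article (not the author's or the DON's code). The
records, field names, thresholds and the rule itself are assumptions.
"""
from datetime import datetime

# Constructed audit records: (timestamp, user, action, detail).
AUDIT_LOG = [
    ("2008-03-04 09:12:00", "jsmith", "login", "host=workstation-14"),
    ("2008-03-04 09:40:00", "jsmith", "file_copy", "bytes=20480"),
    ("2008-03-04 23:05:00", "mjones", "login", "host=workstation-22"),
    ("2008-03-04 23:09:00", "mjones", "account_create", "privilege=admin"),
    ("2008-03-04 23:30:00", "mjones", "remote_copy", "bytes=734003200"),
    ("2008-03-05 00:10:00", "mjones", "service_install", "name=svchelper"),
    ("2008-03-05 08:30:00", "mjones", "login", "host=workstation-22"),
]

# Ordered actions that together suggest staging for exfiltration (assumed rule).
SUSPICIOUS_SEQUENCE = ["login", "account_create", "remote_copy", "service_install"]
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # 100 MiB; assumed threshold
WINDOW_HOURS = 4                          # assumed correlation window


def parse(record):
    """Turn one raw tuple into a dict with a datetime and key=value fields."""
    ts, user, action, detail = record
    fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "user": user,
        "action": action,
        "fields": fields,
    }


def off_hours(ts):
    """Assumed business day of 06:00-20:00; anything else is off hours."""
    return ts.hour < 6 or ts.hour >= 20


def find_sequences(log):
    """Return {user: finding} for every user whose events contain the
    suspicious sequence, in order, inside WINDOW_HOURS of the starting login."""
    by_user = {}
    for rec in map(parse, log):
        by_user.setdefault(rec["user"], []).append(rec)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            if start["action"] != SUSPICIOUS_SEQUENCE[0]:
                continue
            matched, want = [start], 1
            for e in events[i + 1:]:
                if (e["ts"] - start["ts"]).total_seconds() > WINDOW_HOURS * 3600:
                    break  # outside the correlation window
                if e["action"] == SUSPICIOUS_SEQUENCE[want]:
                    matched.append(e)
                    want += 1
                    if want == len(SUSPICIOUS_SEQUENCE):
                        break
            if want == len(SUSPICIOUS_SEQUENCE):
                bytes_out = sum(int(e["fields"].get("bytes", 0)) for e in matched)
                findings[user] = {
                    "started": start["ts"],
                    "off_hours": off_hours(start["ts"]),
                    "bytes_out": bytes_out,
                    "large_transfer": bytes_out >= LARGE_TRANSFER_BYTES,
                    "steps": [e["action"] for e in matched],
                }
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for user, f in find_sequences(AUDIT_LOG).items():
        print(f"{user}: {' -> '.join(f['steps'])} starting {f['started']} "
              f"(off hours: {f['off_hours']}, bytes out: {f['bytes_out']})")
```

The point of the rule is that none of the four actions is abnormal on its own; a reviewer reading the audit log line by line days later would pass over each of them. Correlating them per user and per time window is what turns "usual auditing" into detection, and the off-hours and volume annotations give the reviewer a reason to look at this user first.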
Typically, most users aren’t concerned because the information they process is open and not proprietary or classified. The sense of security from this approach is being shattered by capabilities unleashed by the Internet and the powerful applications available for free.
Data mining software searches for key words or phrases, or uses other parameters to collect relevant information. This technique can download massive volumes of information, allowing the exfiltrator to leisurely search for new information or clues to link to DoD or proprietary commercial capabilities.
While any single piece of data may be unclassified or public, enough pieces put together may reveal sensitive information. For example, a data mining effort focused on an individual may find information in different places, such as date of birth, family members’ names and relationships, address information (including old addresses).
From this information a profile of an individual can be built to allow the creation of accounts online and even determine a partial or complete Social Security number.
Similarly, in the military, compilation of unclassified data could reveal the existence of, and sometimes details about, sensitive or classified information or undertakings. In a simple example, a person could say in an e-mail that he will be unavailable to attend a meeting because he will be attending another meeting at an undisclosed location.
On another computer, orders are being prepared to send him to a named location and an American Express e-ticket is confirmed for a flight to an airport near that location. The timeframe overlaps the meeting he could not attend.
From this unclassified information, one can surmise that there is a sensitive meeting occurring on a classified subject at a specific place and timeframe. More searching through the unclassified data may ultimately reveal the subject, attendees, and possibly, an agenda. Exploitable but sensitive information is the “weapon of choice” in cyber-attacks and exploitations.
Joe removed the DVD he created from his computer and carefully labeled it and put it in a case. He noted in his report where the information on the DVD was collected and a general description of its contents. He was thinking that with this big haul the analysts will have lots of fun going through the proprietary and sensitive information and sorting out personal identification information that can be sold.
He recorded the entire effort in his shift log. He placed copies of the report and DVD in an envelope marked “urgent” and put it in the drop box.
Joe thought it was ironic, as he put on his uniform jacket, that the same technology that allows him to collect this data makes his own network just as vulnerable to information theft, making “snail mail” the preferred method of distributing stolen information.
He paused at the door and looked back at his workstation. He kind of felt sorry for the administrators who will take the brunt of the blame once his work is detected. Joe spoke aloud, “Nuthin’ personal, it’s just a job,” as if they might hear his apology. Then he went outside to begin his celebratory smoke break.
DoD is partnering with companies supporting the defense industry to improve the sharing of cyber security information. This allows better recognition of any interrelated actions that may be occurring across networks with sensitive defense data. Federal, state and local governments have been mobilized into national partnerships that work together to prevent damage to, and the unauthorized use and exploitation of, internal networks.
At the Department of the Navy, a cyber security task force is working to improve cyber security information exchange within the Department. The DON is also working to decrease its vulnerability by deploying data encryption software, improving network monitoring, reducing the number of Internet connections, and ensuring that it has eliminated the most commonly exploited vulnerabilities.
All users, developers and purchasers of DON systems play key roles in defending the Department’s networks. Below are some things users can do to remain vigilant in defending DON networks.
• Report anomalies such as unexplained installations occurring at start-up or an unfamiliar background program using up large amounts of resources.
• Help the private sector become aware of the problem. When working with contractors emphasize and discuss the security of sensitive government information on their networks.
• Collaborate with contractors to solve program security issues.
• Do not process information on public computers (e.g., those available for use by the general public in kiosks, hotel business centers, or the like), or computers that do not have access control.
• Transmit e-mail, text messages and similar communications using technology such as closed networks, virtual private networks (VPN) and public key infrastructure (PKI). Encrypt all wireless connections.
• Transmit facsimiles only when the sender has a reasonable assurance that access is limited to authorized recipients.
• Do not post information to a Web site which is publicly available or has access limited only by domain or IP restriction. Information may be posted to Web sites which control access by user ID and password, user certificates, or other technical means, which also provide protection via use of secure sockets or other equivalent technologies.
As our computer systems become melded into the Global Information Grid, security of the DON’s “administrative” systems should be just as rigorous as the security applied to combat systems.
James Belt provides contract support to the DON CIO Information Assurance Team.