Module 3: Cyber crime and Security

The huge potential for e-business brings with it a dark side that SMEs – and policymakers – should not ignore. Just as the Internet opens opportunities for entrepreneurs and SMEs to engage in e-commerce and transact with ever growing numbers of clients, so too does it create chances for mischief or worse damage.

Just as in the “real” world, there are those who would exploit the Internet for their own selfish interests. This type of conduct makes users vulnerable to a host of possible attacks that compromise the confidentiality, integrity and availability of information that they exchange through the Internet. As a result of such illicit activities, people tend to lose trust on the security of doing business in the Internet and thus forego its huge potential for business, as well as its potential as a tool to promote social justice and equality.

It is therefore necessary that security measures be set in place to thwart would-be attackers who make Internet use unsafe and insecure. Along this line, it becomes of paramount import to establish mechanisms about the standards, policies, rules, and enforcement and dispute resolution procedures to apply to global internetworking activities in order to make the Internet free, fair, reliable, transparent and accessible to all.

e-Commerce can never prosper unless a secured environment for doing business exists. But this can only happen if the correct policies for securing the Internet are put in place.

This is especially true for developing countries. As the level of technological sophistication needed to penetrate (and deter such penetration of) networks in developed countries continues to rise, would-be attackers are shifting their focus to networks found in developing countries. In many cases, developing countries do not yet possess a general awareness of security issues, much less the legal and regulatory issues, nor the technical capability to effectively deter cyber threats.

Is your country equipped to deal with cyber crime, and if not, how is this lack of capability affecting your country’s ability to attract investments and encourage Internet use for business development?

I. Incidents/attacks – trends and internet growth

The same technology that allows us to block spam and set firewalls to prevent unauthorized access to our networks is also available to unscrupulous individuals who manipulate the same technology in order to find cracks in the system that allow them access.

Moreover, the tools available to launch an attack have become more effective, easier to use, and more accessible even to people without an in-depth knowledge of computer systems. Then, too, sophisticated programmers intent on online mischief often embed an attack procedure in their programs and widely distribute the same to the intruder community. Thus, people who have the desire but not the technical skill are increasingly able to break into systems.

Below is a list of observable trends in Internet attacks listed in the Open Regional Dialogue on Internet Governance research paper “Network Stability and Security”.

Trend 1 – Automation; speed of attack tools

The level of automation in attack tools continues to increase. Automated attacks commonly involve four phases, each of which is changing.

• Scanning for potential victims. Widespread scanning has been common since 1997. Today, scanning tools are using more advanced scanning patterns to maximize impact and speed.

• Compromising vulnerable systems. Previously, vulnerabilities were exploited after a widespread scan was complete. Now, attack tools exploit vulnerabilities as a part of the scanning activity, which increases the speed of propagation.

• Propagate the attack. Before 2000, attack tools required a person to initiate additional attack cycles. Today, attack tools can self-initiate new attack cycles. We have seen tools like Code Red and Nimda self-propagate to a point of global saturation in less than 18 hours.

• Coordinated management of attack tools. Since 1999, with the advent of distributed attack tools, attackers have been able to manage and coordinate large numbers of deployed attack tools distributed across many Internet systems. Today, distributed attack tools are capable of launching denial of service attacks more efficiently, scanning for potential victims and compromising vulnerable systems. Coordination functions now take advantage of readily available, public communications protocols such as Internet Relay Chat (IRC) and instant messaging (IM).

Trend 2 – Increasing sophistication of attack tools

Attack tool developers are using more advanced techniques than previously. Attack tool signatures are more difficult to discover through analysis and more difficult to detect through signature-based systems such as antivirus software and intrusion detection systems. Three important characteristics are the anti forensic nature, dynamic behaviour, and modularity of the tools.

• Anti-forensics. Attackers use techniques that obfuscate the nature of attack tools. This makes it more difficult and time-consuming for security experts to analyze new attack tools and to understand new and rapidly developing threats. Analysis often includes laboratory testing and reverse engineering.

• Dynamic behaviour. Early attack tools performed attack steps in single defined sequences. Today’s automated attack tools can vary their patterns and behaviour based on random selection, predefined decision paths, or through direct intruder management.

• Modularity of attack tools. Unlike early attack tools that implemented one type of attack, tools now can be changed quickly by upgrading or replacing portions of the tool. This causes rapidly evolving attacks and, at the extreme, polymorphic tools that self-evolve to be different in each instance. In addition, attack tools are more commonly being developed to execute on multiple operating system platforms.

As an example of the difficulties posed by sophisticated attack tools, main common tools use protocols like IRC or HTTP (Hypertext Transfer Protocol) to send data or commands from the intruder to compromised hosts. As a result, it has become increasingly difficult to distinguish attack signatures from normal, legitimate network traffic.

Trend 3 – Faster discovery of vulnerabilities

The number of newly discovered vulnerabilities reported to the CERT Coordination Centre (CERT/CC) continues to more than double each year. It is difficult for administrators to keep up to date with patches. Additionally, new classes of vulnerabilities are discovered each year. Subsequent reviews of existing code for examples of the new vulnerability class often lead over time to the discovery of examples in hundreds of different software products. Intruders are often able to discover these exemplars before the vendors are able to correct them. Because of the trend toward the automated discovery of new vulnerabilities in technologies, the so-called “time to patch” is becoming increasingly small.

Table 2. Vulnerabilities reported by CERT/CC

Year	1995	1996	1997	1998	1999	2000	2001	2002	2003	2004	2005	Q1-Q2,2006
Vulnerabilities	171	345	311	262	417	1,090	2,437	4,129	3,784	3,780	5,990	3,997

Total vulnerabilities reported (1995 - Q2, 2006): 26,713.

Trend 4 – Increasing permeability of firewalls

Firewalls are often relied upon to provide primary protection from intruders. However, they are not as secure as before:

• Technologies are being designed to bypass typical firewall configurations, for example, IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning).
• Some protocols marketed as being “firewall friendly” are, in reality, designed to bypass typical firewall configurations.
• Certain aspects of “mobile-code” (ActiveX controls, Java, and JavaScript) make it difficult for vulnerable systems to be protected and for malicious software to be discovered.

Trend 5 – Increasingly asymmetric threats

Security on the Internet is, by its very nature, highly interdependent. Each Internet system’s exposure to attack depends on the state of security of the rest of the systems attached to the global Internet. Owing to advances in attack technology, a single attacker can relatively easily employ a large number of distributed systems to launch devastating attacks against a single victim. As the automation of deployment and the sophistication of attack tool management both increase, the asymmetric nature of the threat will continue to grow.

Trend 6 – Increasing threat from infrastructure attacks

Infrastructure attacks are attacks that broadly affect key components of the Internet. They are of increasing concern because of the number of organizations and users on the Internet and their increasing dependency on the Internet to carry out day-to-day business. Four types of infrastructure attacks are briefly described below.

Attack 1 – Distributed denial of service

Denial-of-service attacks use multiple systems to attack one or more victim systems with the intent of denying service to legitimate users of the victim systems. The degree of automation in attack tools enables a single attacker to install the tools and control tens of thousands of compromised systems for use in attacks. Intruders often search address blocks known to contain high concentrations of vulnerable systems with high-speed connections. Cable modem, digital subscriber lines (DSL), and university address blocks are increasingly targeted by intruders planning to install their attack tools. Denial-of-service attacks are effective because the Internet is comprised of limited and consumable resources, and Internet security is highly interdependent.

Attack 2 – Worms

A worm is self-propagating malicious code. Unlike a virus, which requires a user to do something to continue the propagation, a worm can propagate by itself. The highly-automated nature of the worms coupled with the relatively widespread nature of the vulnerabilities they exploit allows a large number of systems to be compromised within a matter of hours. (Code Red infected more than 250,000 systems in just 9 hours on July 19, 2001.)

Some worms include built-in denial-of-service attack payloads (Code Red) or website defacement payloads (sadmind/IIS, Code Red); and others have dynamic configuration capabilities (W32/Leaves). However, the biggest impact of these worms is that their propagation effectively creates a denial of service in many parts of the Internet because of the huge amounts of scan traffic generated. They also cause much collateral damage (examples include DSL routers that crash; cable modem ISPs whose networks are completely overloaded, not by the scanning itself but by the burst of underlying network management; traffic that the scanning triggers; and printers that crash or print reams of junk output).

Attack 3 – Attacks on the Internet Domain Name System

The Internet Domain Name System (DNS) is the distributed, hierarchical global directory that translates names (www.example.com) to numeric IP addresses (192.168.13.2). The top two layers of the hierarchy are critical to the operation of the Internet. In the top layer are 13 “root” name servers. Next are the “top-level domain” (TLD) servers, which are authoritative for “.com”, “.net” and others, as well as the country code top level domains (ccTLDs – “.us”, “.uk”, “.ru” and so forth.)

Threats to the Domain Name System:

1. Cache poisoning. If DNS is made to cache bogus information, the attacker can redirect traffic intended for a legitimate site to a site under the attacker’s control. A recent survey by CERT/CC shows that over 80 per cent of the TLD domains are running on servers that are potentially vulnerable to this form of attack.
2. Compromised data. Attackers compromise vulnerable DNS servers, giving them the ability to modify the data served to users. Many of the TLD servers run a software program called BIND, in which vulnerabilities are discovered regularly. A CERT/CC survey indicates that at least 20 per cent of TLD domains are running on vulnerable servers; another 70 per cent are “status unknown”.
3. Denial of service. A large denial-of-service attack on some of the name servers for a TLD (for example, “.com”) could cause widespread Internet slowdowns or effective outages.
4. Domain hijacking. By leveraging insecure mechanisms used by customers to update their domain registration information, attackers can co-opt the domain registration processes to take control of legitimate domains.

Attack 4 – Attacks against or using routers

Routers are specialized computers that direct traffic on the Internet (similar to mail routing facilities in the postal service). Threats fall into the following categories:

• Routers as attack platforms. Intruders use poorly secured routers as platforms for generating attack traffic at other sites, for scanning or reconnaissance.
• Denial of service. Although routers are designed to pass large amounts of traffic through them, they often are not capable of handling the same amount of traffic directed at them. (Think of it as the difference between sorting mail and reading it.) Intruders take advantage of this characteristic attacking the routers that lead into a network rather than attacking the systems on the network directly.
• Exploitation of trust relationship between routers. For routers to do their jobs, they have to know where to send the traffic they receive. They do this by sharing routing information between them, which requires the routers to trust the information they receive from their peers.

As a result of these vulnerabilities, it would be relatively easy for an attacker to modify, delete, or inject routes into the global Internet routing tables to redirect traffic destined for one network to another, effectively causing a denial of service to both (one because no traffic is being routed to them, and the other because they are getting more traffic than they should). Although the technology has been widely available for some time, many networks (Internet service providers and large corporations) do not protect themselves with the strong encryption and authentication features available on the routers.