The Tech Behind Cyber


The Tech Behind Cyber Attack
October 31 | Part 1: From Packets to IP and the “Ping of Death”: An Introduction to Cyber
November 28 | Part 2: From Stone Knives to Star Wars: the Tech of Cyber Attack in the Russo-Georgian War of 2008 and the Threat of W32.Stuxnet
overview
• Review of bits, bytes and things that go bump on the internet
• Using ping, nslookup and tracert to find your targets
• Stone Knives: Concept and practice of cyber in the Russo-Georgian Conflict of 2008 – Distributed Denial of Service attack
• Star Wars: W32.stuxnet, the attack, how it works, the complexity of it, who could have made such a thing?
bits and bytes
• bit (binary digit): the basic unit of information in computing, the amount of information stored by a digital device in one of two possible distinct states, 0 and 1 (off/on), not 1 and 2
• digital value of 1 = positive voltage, up to 5 volts
• digital value of 0 = 0 volts
• 8 bits = 1 byte, usually, but depends on hardware
• byte: the number of bits needed to encode a single character of text in a computer
binary to letter
01110000 = p
01101001 = i
01111010 = z
01111010 = z
01100001 = a
data and packets
• data: binary files, 01010010010010010… etc.
• packet: a unit of data, from binary to text or image
• packet: control information and payload
• control information: data the network needs to deliver the payload, ex. address, error control
• payload: the content of your “digital letter”
hosts on networks
• who has the data? who doesn’t … hosts going global and mobile
• networks: start local, LANs, wireless LANs, AirBears
• client-server model
• addresses, what’s your unique network address?
• Type: ipconfig, find IPv4 numerical address
• ping www.wikipedia.org
• ping ist.berkeley.edu
• ping www.ca.gov
• ping www.usa.gov
• ping, an echo request from host to host
ping, an echo request
ping, the payload
OSI model
Network Ports
21: File Transfer Protocol (FTP)
22: Secure Shell (SSH)
23: Telnet remote login service
25: Simple Mail Transfer Protocol (SMTP)
53: Domain Name System (DNS) service
80: Hypertext Transfer Protocol (HTTP) used in the World Wide Web
110: Post Office Protocol (POP)
119: Network News Transfer Protocol (NNTP)
143: Internet Message Access Protocol (IMAP)
161: Simple Network Management Protocol (SNMP)
443: HTTP Secure (HTTPS)
OSI model
internet and the web
• internet: network of networks, millions of networks
• web: system of interlinked hypertext documents
• ports: http 80
• Try it: http://www.techcomfort.com:81
• Try it: http://www.techcomfort.com:80
ping, nslookup, traceroute
how does the traffic flow?
network devices: hubs, routers, switches
using nslookup, names and numbers
nslookup www.berkeley.edu
nslookup www.usa.gov
using traceroute
tracert www.techcomfort.com
tracert www.berkeley.edu
tracert www.ca.gov
attack!
Professor Nacht has left instructions for you to build
and launch a cyber attack on the nation state of
Vulgaria.
You have everything you need to build it. How would
you do it?
attack!
• Step 0: Recall that an echo request is an ICMP (ping) message whose data is expected to be received back in an echo reply. The host must respond to all echo requests with an echo reply containing the exact data received in the request message
• Step 1: Create a list of Vulgarian military and civil servers that should be targeted
• Step 2: Write a simple script (program) that repeats your ping request many times a second
• Step 3: Plant this script on computers across the globe
• Step 4: “Flood” the Vulgarian servers with ping requests from multiple hosts…with which they cannot keep up…the result...
attack!
server failure 
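From the defender's side of the scenario above, an added example that is not from the slides: a small detector that reads ICMP packet log lines, counts echo requests per target per second, and uses the number of distinct sources to tell a single noisy host from the distributed flood the steps describe. The log format, the sample lines and the thresholds are constructed assumptions.

```python
# Added example (not from the slides): flag ICMP echo-request floods from a
# constructed packet log. Format and thresholds are assumptions, not a standard.
from collections import defaultdict

# Constructed sample lines: "<epoch second> <src ip> <dst ip> icmp <type> <payload bytes>"
SAMPLE_LOG = """\
1000 198.51.100.7 203.0.113.10 icmp echo-request 56
1000 198.51.100.8 203.0.113.10 icmp echo-request 56
1000 198.51.100.9 203.0.113.10 icmp echo-request 56
1000 198.51.100.11 203.0.113.10 icmp echo-request 56
1000 203.0.113.10 198.51.100.7 icmp echo-reply 56
1001 192.0.2.5 203.0.113.20 icmp echo-request 56
1001 192.0.2.5 203.0.113.20 icmp echo-request 56
1001 192.0.2.5 203.0.113.20 icmp echo-request 56
1001 192.0.2.5 203.0.113.20 icmp echo-request 56
1002 192.0.2.6 203.0.113.20 icmp echo-request 56
"""


def parse_log(text):
    """Yield (second, src, dst, icmp_type, size) tuples; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[3] != "icmp":
            continue
        sec, src, dst, _, itype, size = fields
        yield int(sec), src, dst, itype, int(size)


def detect_echo_floods(text, max_req_per_sec=3, min_sources=3):
    """Return {dst: [(second, request_count, distinct_sources, distributed), ...]}
    for every (dst, second) whose echo-request count exceeds max_req_per_sec.
    'distributed' is True when at least min_sources different hosts took part,
    which is the multi-host flood pattern rather than one misbehaving client."""
    buckets = defaultdict(lambda: [0, set()])  # (dst, sec) -> [count, sources]
    for sec, src, dst, itype, _ in parse_log(text):
        if itype != "echo-request":
            continue  # echo replies are the target answering; they are not counted
        buckets[(dst, sec)][0] += 1
        buckets[(dst, sec)][1].add(src)
    alerts = defaultdict(list)
    for (dst, sec), (count, sources) in sorted(buckets.items()):
        if count > max_req_per_sec:
            alerts[dst].append((sec, count, len(sources), len(sources) >= min_sources))
    return dict(alerts)
```

In the sample, 203.0.113.10 is hit by four hosts in one second (distributed), while 203.0.113.20 is hit four times by one host; a real deployment would also correlate with the target's own reply rate, which drops as the host falls behind.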
attack!
• You have just conceptualized the opening cyber salvo used in the Russo-Georgian War of 2008.
• July 19, 2008: The First Salvo of Cyber Attack
  o flood http www.president.gov.ge
  o flood tcp www.president.gov.ge
  o flood icmp www.president.gov.ge
defacement attacks
• Defacement attack on the Georgia Ministry of Foreign Affairs website (evening of Aug. 8, 2008)
HTTP flood
• An HTTP flooder distributed to regular internet users for the purposes of overloading Georgian websites with traffic
stopgeorgia.ru site
• A screenshot from stopgeorgia.ru site on Aug. 10, 2008.
• The table shows the availability of different websites from Russia and Lithuania; the line over the table reads, “priority targets for attack”
summary of attack
• Static lists of targets were distributed in order to eliminate centralized coordination of the attack
• DoS tools were provided, available for download, as well as instructions on how to ping flood Georgian government web sites
• Lists of Georgian sites vulnerable to defacement attack were published
• Abuse of public lists of email addresses of Georgian politicians for spamming and targeted attacks
characterizing the attack
• A militia-style attack with some advanced characteristics in targeting and reconnaissance
Part 2: The Cyber of W32.Stuxnet
Stone Knives to Star Wars: The Tech Behind the Cyberattacks launched against Georgia and the Emergence of W32.Stuxnet
w32.stuxnet
nation-state weapons-grade attack software
• Stuxnet is a cyber threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries
infections
• As of September 29, 2010, 100,000 infected computers had been identified, most of them in Iran
• Stuxnet aims to identify those computers which have the Siemens Step 7 Software installed
built with components
• Zero-day Microsoft exploits (4) (vulnerabilities unknown)
• Windows rootkit (high-level computer access, invisible)
• Programmable Logic Controller (PLC) rootkit
• Antivirus evasion techniques
• Complex process injection and hooking code
• Network infection routines
• Peer-to-peer updates within a LAN
• Contacts a command and control server
• The value of components is their ability to be used and reused in multiple instances and independent development…from submarines to aircraft to space stations
centrifuges at US uranium enrichment plant
centrifuges in Natanz, Iran
programmable logic controller
windows root-kit and a zero-day exploit
command and control
• Table 5 describes which
process is used for injection
depending on which
security products are
installed. In addition, Stuxnet
will determine if it needs to
use one of the two currently
undisclosed privilege
escalation vulnerabilities
before injecting. Then,
Stuxnet executes the target
process in suspended mode.
attack setup (theoretical)
• A country wants to develop uranium and needs industrial centrifuges to do this. Reactor grade uranium with lots of U-235 is hard to come by. Harder still is weapons grade uranium. You need a centrifuge for isotope separation.
• The country purchases centrifuges from Siemens, a German electronics and engineering company. Centrifuges are run by industrial control systems (ICS)
• ICS are operated by code on Programmable Logic Controllers (PLC)
• PLCs may be programmed by Windows machines, not connected to the internet or any network
Uranium 235 content
• Here the heavy isotope of uranium (U-238) is represented in dark blue, while the lighter isotope of uranium (U-235) is represented in light blue. The input gas (here represented as a fairly even mix of U-235 and U-238, though in reality natural uranium hexafluoride would have less than 1% of U-235 in it) is released into the center of the centrifuge and the centrifugal forces force the heavier gas to concentrate at the edges of the centrifuge and the lighter gas at the center. By heating the bottom of the centrifuge the lighter gas will be moved by convection currents to concentrate at the top while the heavier gas will concentrate at the bottom (scoops, not shown, would then extract the gases).
Centrifuge at work
attack steps
• Step 0: reconnaissance, need ICS’s schematics of target system, computing environment
• Step 1: set up mirrored environment that would include ICS hardware, develop stuxnet code
• Step 2: obtain driver files that are “digitally signed”
• Step 3: introduce stuxnet executable into target computing environment via infecting a willing or unknowing third party
• Step 4: once installed, stuxnet looks for Windows computers used to program PLCs and eventually finds one…
attack steps
• Note: infected Windows machine will not have outbound access to internet, thus all sabotage functionality must be embedded in the stuxnet executable
• Step 5: Once the right computer is found, code on the PLC is modified
• Step 6: Stuxnet hides its modifications
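A defensive check aimed at Steps 5 and 6, added here as an example and not taken from the slides or from any vendor tool: because the compromised engineering station can show the original code while the controller runs something else, the program blocks are hashed twice, once as the station reports them and once as read through an independent path, and both are compared with a baseline captured at commissioning. Block names, block contents and the baseline below are constructed sample data.

```python
# Added example (not from the slides): detect PLC program changes that the
# engineering station does not show. Names, contents and hashes are constructed.
import hashlib


def block_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" baseline recorded when the controller was commissioned.
BASELINE = {
    "OB1":  block_hash(b"CALL FC1\nCALL FB35\n"),
    "FC1":  block_hash(b"L DB10.DBW0\nT MW0\n"),
    "FB35": block_hash(b"L #speed\nT PQW100\n"),
}

# What the (possibly compromised) engineering station displays: identical to baseline.
STATION_VIEW = {
    "OB1":  b"CALL FC1\nCALL FB35\n",
    "FC1":  b"L DB10.DBW0\nT MW0\n",
    "FB35": b"L #speed\nT PQW100\n",
}

# What an independent read of the controller returns: OB1 now calls an extra
# block and a new block FC99 (constructed name) exists on the PLC.
DIRECT_READ = {
    "OB1":  b"CALL FC1\nCALL FB35\nCALL FC99\n",
    "FC1":  b"L DB10.DBW0\nT MW0\n",
    "FB35": b"L #speed\nT PQW100\n",
    "FC99": b"L PQW100\nT #saved\n",
}


def audit_blocks(baseline, station_view, direct_read):
    """Compare the controller's real contents with the baseline and the station view.
    'hidden' lists blocks the station claims are unchanged while the direct read
    differs from the baseline, i.e. the station is not showing what the PLC runs."""
    station = {name: block_hash(data) for name, data in station_view.items()}
    direct = {name: block_hash(data) for name, data in direct_read.items()}
    report = {"modified": [], "added": [], "missing": [], "hidden": []}
    for name in sorted(set(baseline) | set(direct)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in direct:
            report["missing"].append(name)
        elif direct[name] != baseline[name]:
            report["modified"].append(name)
            if station.get(name) == baseline[name]:
                report["hidden"].append(name)
    return report
```

The point is the second, independent read: an audit that only asks the engineering station sees a clean controller.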
installation complexity
infection complexity
w32.stuxnet timeline
characterizing the attack
• Significant Development Cycle: six months, five to ten core developers, many other individuals such as quality assurance and management
• Advanced reconnaissance or coordination
• High degree of targeting (Iran)
• Highest degree of complexity known in a virus
• The result: Stuxnet = nation-state, weapons-grade attack software
duqu
• Recall that W32.stuxnet is component based…Will stuxnet components be used again?
• Nov. 1, 2011: W32.Duqu, a remote-access Trojan (RAT). Symantec calls it, “The precursor to the next Stuxnet”
• Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers in order to more easily conduct a future attack
Interested in IT and Public Policy?
• Consider taking my class next Fall
• Course: PP290: Information Technology and Public Policy
• Learn real, hands-on IT Skills (HTML, SQL, Python programming)
• Combine skills knowledge with IT Concepts (networks, content management systems, IT systems adoption…)
• Apply your growing IT knowledge to Public Policy Problems
• Imagine a Public Policy problem for which IT is not part of the solution?