Threat - Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats, First Edition (2014)

CHAPTER 2. Threat

Bill Gardner Marshall University, Huntington, WV, USA

Abstract

Online attackers are motivated by a number of factors. Most are seeking to steal money, or protected information such as credit card numbers or intellectual property that can be turned into money. Other motivations are rooted in political protest, in the case of hacktivism, or in furthering the interests of nation-states, as in the case of cyber war. The granddaddy of all motivations is bragging rights: showing off technical prowess and advanced ability has long been held in high esteem in the digital underground.

Keywords

Motivation of attackers

Money

Hacktivism

Bragging rights

Cyber war

The Motivations of Online Attackers

In order to properly train users, the first order of business is to get them to understand the threats they face online, the threat actors, and the motivations of online criminals. Many times, users do not understand the value of the information they access every day to do their work. A law firm will have gathered a large amount of confidential data in the course of representing its clients. An accounting firm has access to its clients' sensitive financial documents. Doctors, hospitals, and insurance companies have access to sensitive health data. Employers collect personal and financial information from their employees, such as social security numbers, in order to process insurance and payroll, and for an employee with a family the employer also collects the social security numbers and other personal information of family members.

Think about the information in your own organization. How much do you have to lose if your employer lost your personal and financial information? How much does your organization have to lose if it lost the confidential and privileged information it has been entrusted with by its employees, clients, and business partners?

Money

The chief goal of online attackers is money. Online criminals make billions of dollars from online schemes, fraud, and thievery [1]. Some groups target computers to steal personal information and credit card information [2]. Stolen credit card information can be either used directly or sold to other criminals.

Industrial Espionage/Trade Secrets

Other, more sophisticated attackers seek to steal confidential information and intellectual property for sale. If an online criminal could steal the formula for Coca-Cola, for example, they could sell it for a great deal of money [3].

Hacktivism

Hacktivists are motivated by political causes [4]. The most widely known hacktivist group is Anonymous and its affiliated groups [5]. Hacktivism is defined as “the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft…” [6].

There are many examples of hacktivism, but the largest, most successful, and best known was Operation Sony. Also known as Op Sony, the operation grew out of what Anonymous adopted as its cause du jour: the case of George Hotz, widely credited as the first person to unlock the iPhone. Hotz, known online by his handle GeoHot, also wanted to "jailbreak" his PlayStation 3 so that it could run homebrew software. On December 29th, 2010, at the 27th Chaos Communication Congress (27C3) in Berlin, the hacker collective fail0verflow showed that the PlayStation 3's firmware-signing keys could be recovered because Sony's ECDSA signing code reused its per-signature random value instead of generating a fresh one each time. On January 3rd, 2011, Hotz, building on that work, published the console's root key on his website, geohot.com. On January 11th, 2011, Sony filed a lawsuit against Hotz and members of fail0verflow over the release of the PlayStation 3's root key [7].

In early April 2011, Anonymous fired the first salvo in what came to be known as Op Sony, taking the PlayStation Network (PSN) and several PlayStation-related domains, including the PlayStation Store, offline with DDoS attacks [8]. Later that month, PSN went dark for more than three weeks after an intrusion that turned out to be one of the largest data breaches in history, exposing over 70 million accounts, including personally identifiable information (PII) and credit card data [9]. Anonymous publicly denied responsibility for the intrusion itself, and the people behind the breach were never conclusively identified.

This period also saw the rise of a subgroup of Anonymous known as LulzSec. In June 2011 this brash group broke into Sony Pictures' website through a SQL injection flaw and published the user account data it found there [10]. It then went on an extensive hacking spree against a number of high-profile targets, from Fox.com to PBS and the game publisher Bethesda Softworks, taunting law enforcement the entire time. The group saw itself as a band of modern-day Robin Hoods exposing the insecurity of the websites it breached. Through the summer of 2011 its activities grew more brazen and outlandish, drawing ever more attention from the public and from law enforcement [10]. LulzSec announced it was disbanding in late June 2011, but arrests of its members continued through the year, and in March 2012 it emerged that the group's leader Sabu, whose real name is Hector Xavier Monsegur, had been arrested on June 7, 2011, and had been working as an FBI informant ever since [11]. By 2013 the core members had been convicted and sentenced. While the reign of the LulzSec crew had ended, the various groups known as Anonymous live on.

Anonymous got its start in 2003 on the Internet image board 4chan.org, where every post is attributed to "Anonymous." As the site evolved, many of these anonymous users found that they had certain goals and political views in common. 4chan's /b/ board, nominally for random content, became the place where calls to action were posted. While Anonymous has been involved in a number of data breaches, it is mainly known for distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites; high-profile targets have included the Westboro Baptist Church, the Church of Scientology, PayPal, MasterCard, and Visa [12]. Many members of Anonymous learned of Sony's lawsuit against George Hotz on 4chan, and ongoing operations were long discussed and coordinated there, but Anonymous now posts operational details on Pastebin.com. Pastebin was built as a site for sharing snippets of text for a limited period [13]; it is unlikely its developers ever imagined it would become the focal point of ongoing Anonymous operations, as it is today. Anonymous and Anonymous-affiliated hacking groups also use the site to dump personal information about their targets, a practice known in the Internet underworld as doxing, and to publish data taken in breaches, such as e-mail addresses, usernames, passwords, and password hashes.

Cyber War

Cyber war is defined as nation-state versus nation-state conflict. In some cases, nation-states appear to have used patriotic hackers and hacker gangs to further their national interests; we refer to those actions as cyber war as well. Cyber war has recently become a hot-button issue, with most of the blame for intrusions being directed at the Chinese government. What we today call cyber war is not new: Titan Rain is the code name the US government gave to a series of coordinated intrusions into American computer systems, ongoing since 2003, that it attributed to China [14].

One of the most talked about and widely cited incidents of cyber war happened in Estonia in 2007, when a disagreement with Russia over the relocation of the “Bronze Soldier of Tallinn” and war graves in Tallinn (the capital of Estonia) resulted in a series of massive coordinated cyber attacks on the Estonian public and private sectors. Estonian banks, parliament, ministries, newspapers, and TV were knocked offline [15].

Recently, the headlines have been filled with news about new types of targeted weapons being used in what we now call cyber war. The most notable of these new "cyber weapons" is Stuxnet [16], a worm that targeted the Siemens programmable logic controllers driving the centrifuges at Iran's Natanz uranium enrichment plant. According to some experts, the attack set back the Iranian nuclear program by years. It may also have saved lives, since conventional military action was not needed to destroy the centrifuges [17].

A subset of cyber war is cyber espionage, and it is the most immediate threat to businesses and other organizations. In September 2010, a number of Canada-based law firms were reportedly breached by China-based hackers looking to derail the $40 billion acquisition of the world's largest potash producer by an Australian mining company [18]. On February 18, 2013, the security firm Mandiant released a report claiming hard evidence that a unit of the Chinese People's Liberation Army (Unit 61398, which Mandiant tracked as APT1) was behind sophisticated intrusions into US networks to steal sensitive data and trade secrets from both governmental and nongovernmental organizations [19].

Bragging Rights

Doing something other people say is impossible gives a hacker a great deal of "cred" and a following in the digital underground. Reputation is currency in the dark world of Internet criminals. In 2011, hackers founded a site called "RankMyHack.com" (now offline) to score hacks: the more sophisticated the hack, the higher the score [20].

Long before hackers were stealing money and intellectual property, they were showing off to other hackers. While the common use of the word hacker today refers to someone who breaks into computers, the word originally came out of the student culture at MIT in the 1950s and 1960s. A student who came up with a particularly elegant solution to a complicated problem in the fewest steps was called a hacker, and the solution was called a hack. Later, the word was applied to the elaborate practical jokes students played on the MIT administration. These pranks date back to 1947, when MIT students used Primacord (detonating cord) to burn the letters MIT into the football field at Harvard. Other pranks included placing a replica of an MIT police car, complete with flashing blue lights, on top of a campus building [21].

Notes

[1] Sizing the Market for Cybercrime. http://www.guardiannetworksolutions.com/cyber-crime-costs/ [accessed on 13.06.13].

[2] The terrifying rise of cyber crime: Your computer is currently being targeted by criminal gangs looking to harvest your personal details and steal your money. http://www.dailymail.co.uk/home/moslive/article-2260221/Cyber-crime-Your-currently-targeted-criminal-gangs-looking-steal-money.html [accessed on 13.06.13].

[3] Has this man found the original recipe for Coca-Cola in an old drawer? Antiques dealer puts 'secret formula' on eBay for $15 MILLION. http://www.dailymail.co.uk/news/article-2324106/Coca-Cola-formula-Georgia-man-says-secret-1943-recipe-Coke.html [accessed on 13.06.13].

[4] Hacktivism: A Short History. http://www.foreignpolicy.com/articles/2013/04/29/hacktivism [accessed on 13.06.13].

[5] Anonymous: From the Lulz to Collective Action. http://mediacommons.futureofthebook.org/tne/pieces/anonymous-lulz-collective-action [accessed on 21.05.14].

[6] Hacktivism and the Future of Political Participation. http://www.alexandrasamuel.com/dissertation/index.html [accessed on 18.06.13].

[7] Know Your Meme: Operation Sony. http://knowyourmeme.com/memes/events/operation-sony [accessed on 18.06.13].

[8] Anonymous' Operation: Sony is a double-edged sword. http://www.thetechherald.com/articles/Anonymous-Operation-Sony-is-a-double-edged-sword/13239/ [accessed on 18.06.13].

[9] Security experts: PlayStation Network breach one of largest ever. http://content.usatoday.com/communities/gamehunters/post/2011/04/security-experts-playstation-network-breach-one-of-largest-ever/1#.UcD1ufZgahg [accessed on 18.06.13].

[10] LulzSec: what they did, who they were and how they were caught. http://www.guardian.co.uk/technology/2013/may/16/lulzsec-hacking-fbi-jail [accessed on 18.06.13].

[11] LulzSec Leader Betrays All of Anonymous. http://gizmodo.com/5890825/lulzsec-leader-betrays-all-of-anonymous [accessed on 21.05.14].

[12] SERIOUS BUSINESS: Anonymous Takes On Scientology (and Doesn't Afraid of Anything). http://www2.citypaper.com/columns/story.asp?id=15543 [accessed on 21.05.14].

[13] Pastebin Surpasses 10 Million “Active” Pastes. http://techcrunch.com/2011/10/26/pastebin-surpasses-10-million-active-pastes/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29 [accessed on 21.05.14].

[14] Security experts lift lid on Chinese hack attacks. http://web.archive.org/web/20061211145201/http://news.zdnet.com/2100-1009_22-5969516.html [accessed on 21.05.14].

[15] Estonia's Lessons in Cyberwarfare. http://www.usnews.com/opinion/blogs/world-report/2013/01/14/estonia-shows-how-to-build-a-defense-against-cyberwarfare [accessed on 23.06.13].

[16] Legal Experts: Stuxnet Attack on Iran Was Illegal 'Act of Force'. http://www.wired.com/threatlevel/2013/03/stuxnet-act-of-force/ [accessed on 22.06.13].

[17] Did a U.S. Government Lab Help Israel Develop Stuxnet?. http://www.wired.com/threatlevel/2011/01/inl-and-stuxnet/all/ [accessed on 22.06.13].

[18] China-Based Hackers Target Law Firms to Get Secret Deal Data. http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html [accessed on 22.06.13].

[19] APT1 Three Months Later - Significantly Impacted, Though Active & Rebuilding. https://www.mandiant.com/blog/apt1-months-significantly-impacted-active-rebuilding/ [accessed on 22.06.13].

[20] Web Site Ranks Hacks and Bestows Bragging Rights. http://www.nytimes.com/2011/08/22/technology/web-site-ranks-hacks-and-bestows-bragging-rights.html [accessed on 23.06.13].

[21] Hacks on the Great Dome (Bldg. 10). http://hacks.mit.edu/Hacks/by_location/great_dome.html [accessed on 21.05.14].