Cyber Terrorism: Strategic Problem Solving and Fresh Insights

Yu Chien Siang, Ministry of Home Affairs, Singapore

Upload: dwayne-powis

Post on 15-Jan-2016


Page 1: Cyber Terrorism: Strategic Problem Solving and Fresh Insights

Yu Chien Siang
Ministry of Home Affairs
Singapore

Page 2: Agenda

• Introduction
• Cyber-terrorism – why be concerned?
• Some Attack Scenarios
• Singapore Experience Sharing and Insights
• Conclusion

Page 3: Cyber-terrorism: Why be concerned?

The main targets have been the websites of:
  – the Estonian presidency and its parliament
  – almost all of the country’s government ministries
  – political parties
  – three of the country’s six big news organisations
  – two of the biggest banks; and firms specializing in communications

Page 4: Cyber-terrorism: Why be concerned?

• DDoS attack involved systems:
  – More than 300 systems worldwide
  – There is one system coordinating the DDoS attacks - 65.19.154.94, known as a US spam server
  – Russian systems seem to be involved as command server
• Impact Assessment
  – Cyber attack on Estonia was significant - the first time that a country’s Internet system had been attacked over a period of time, and users were not able to access the Internet across a range of functions and services.
  – Impact on real world - simultaneous disruption to various parts of society, causing some inconvenience and probably financial costs. However, there have been no known direct fatalities or permanent loss of information or data so far.

Page 5: Cyber-terrorism: Why be concerned?

Page 6: SCADA: Supervisory, Control And Data Acquisition Sys

• Or Industrial Control System (ICS)
• Critical Infrastructure
  – Traffic control system (air, land, sea)
  – The MRT
  – The water in your country
  – The energy generators and distribution
  – …

Page 7: SCADA Incidents

• Incident: Worcester Air Traffic Communications
  – In March 1997, a teenager in Worcester, Massachusetts disabled part of the public switching network using a dial-up modem connected to the system. This knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport.

Page 8: SCADA Incidents

• Incident: Davis-Besse
  – In August 2003, the Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours.
  – In addition, the plant’s process computer failed, and it took about six hours for it to become available again. Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked.

Page 9: SCADA Incidents

• Incident: CSX Train Signaling System
  – In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the east coast of the U.S. The virus infected the computer system at CSX Corp.’s Jacksonville, Florida headquarters, shutting down signaling, dispatching, and other systems.

Page 10: SCADA Threat Simulation Report

Page 11: It’s a Digital LifeStyle!

Social Networks

Page 12: Cyber security – Why be concerned?

• Mobile Devices – lost and stolen notebooks, PDAs, storage devices (e.g. USB devices)
• VoIP – eavesdropping of communications, backdoor into our network
• Spam/Phishing – never-ending emails!
• Wireless Network – unauthenticated devices, spoofed APs, MITM attack, theft of credentials
• USB Devices – proxy for data theft and propagation of malware

Page 13: Example of Trojan

• Poison Ivy
  – ‘Remote Administration’ software (Trojan?)
  – Free for download
• Capabilities
  – Bypass of Anti-virus & Firewall
  – Monitoring of User’s Screen
  – Key logging
  – File Transfer
  – Killing of Processes
  – Cleaning of traces

Demo …

Page 14: Mpack – New Generation of Malware

• Malware kit produced by Russians, DTC (Dream Coders’ Team), and sold as commercial software
  – First released in December 2006, currently version 0.94
  – Approximately US$500-1000
  – Technical support & regular updates of exploit codes.
  – Customised exploits, e.g. evade AV software (US$50-150)
• Built-in intelligence
  – Selective attacks, based on targeted country domain
  – Highly efficient. No brute-force, target browser type
  – Systematic. Keep track of its victim (e.g. compromised websites)

Page 15: Layered Attack (Demo)

[Diagram: numbered flows 1 to 6 between Victim and MPack]

1. Victim visits YouTube video recommended by unknown person.
2. He finds the video interesting and decides to click on one of the links to a blog site that has more to say about the video.
3. This blog turns out to be injected with an iframe that points to an MPack server.
4. Without his knowledge, the iframe will request a page from the MPack server.
5. A downloader file is pushed to the victim’s web browser.
6. Downloader file will then download a malicious payload from MPack Server.
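A defender-side check for step 3 above, as an added example that is not from the original slides: it parses a fetched page and reports iframes that are both off-site and invisible to the visitor. The URLs and sample HTML are constructed, and the "invisible" heuristics (0 or 1 pixel size, `display:none`, `visibility:hidden`) are assumptions, not MPack signatures.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristics for "invisible to the visitor"; not MPack signatures.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    return re.fullmatch(r"\s*[01]\s*(px)?\s*", value or "", re.I) is not None

class IframeAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        reasons = []
        if host and host != self.page_host:
            reasons.append("off-site")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-style")
        if "off-site" in reasons and len(reasons) > 1:
            self.findings.append((src, reasons))

def audit(page_url, html):
    """Return [(iframe_url, reasons)] for frames that are off-site AND invisible."""
    parser = IframeAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one visible embed, one injected frame, one tiny same-site frame.
SAMPLE = """<html><body><h1>About that video</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://kit.example.net/index.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/ads/local.html" width="1" height="1"></iframe>
</body></html>"""
```

Run against pages of your own site after each content change; a visible third-party embed or a tiny same-site frame is not reported, so findings are worth a manual look.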

Page 16: Attacks on Legitimate Websites

Page 17: MITM Attack

• New Phishing Attacks using “Man in the Middle (MITM)” technique
  – WSNPOEM is the new-generation worm
  – Successful attacks against banks like ABN Amro
  – All these banks used 2 Factor Authentication with Hardware token

Page 18: MITM Attack

[Diagram: Victim, Attacker and Bank Server, with flows labelled “Original Flow” and “Redirected Network Traffic”]

Page 19: Implications

• Can terrorist groups make use of malware to their advantage?
  – Gather funds
  – Build up botnets (cyber-army?) for DDoS against critical networks
  – Hack into critical systems
    • SCADA
    • Financial systems
    • Etc
  – Many other unthinkable possibilities
• Underground economy making it easy to acquire capabilities
  – Hackers for hire
  – Malware toolkits for sale

Page 20: Singapore Experience

• IT Security Masterplan
  – Formulated to combat cyber-threats
    • Hacking,
    • Virus attacks,
    • Cyber-terrorism
  – Some Key Initiatives
    • National Cyberthreat Monitoring Centre (NCMC)
    • National Authentication Framework (NAF)
    • National Infocomm Security Awareness Programme
    • Critical Infocomm Infrastructure Surety Assessment (CII-SA)
    • Business Continuity Readiness Assessment Framework
• http://www.ida.gov.sg/Programmes/infrastructure.aspx

Page 21: Innovative Problem Solving

• Economics of Security
• Post Regulatory State
• Personal Security System and Responsive Regulation
• Training and Security Awareness

Page 22: Economics of Security

• People have realized that security failure is caused at least as often by bad incentives as by bad design. Systems are particularly prone to failure when the person guarding them is not the person who suffers when they fail.

• Is this like the Global Warming problem?

http://www.cl.cam.ac.uk/~twm29/science-econ.pdf

• Government cannot micromanage the information security business, most of which is in any case outside the UK. What it can do, and should do, is to ensure that people and companies have the necessary incentives to take responsibility for the consequences of their actions, online as well as offline. Ross Anderson, Cambridge, 23 2006

Page 23: Lose-lose

• As the network is interdependent, a successful attack on one system is then likely to succeed on other systems as well since they typically share the same vulnerabilities via a common platform. This means that one organization’s security is negatively affected by the poor security behaviour of another member of the network.

• Companies could never achieve 100% security on their own because their risks are often created by the behaviors of others who also lack the incentive to heighten security. Theoretically, it follows that an organization’s “perverse incentives” not to invest drive others to underinvest as well.

Page 24: Perverse Incentives

• An incentive that has an unintended and undesirable effect. E.g.
  – In Hanoi, under French colonial rule, a program paying people a bounty for each rat pelt handed in was intended to exterminate rats. Instead it led to the farming of rats.
  – Internet airline ticket sales via credit card promote air travel, but allow a Sep 11 attack to be executed quasi-free.
• Users are encouraged to use long passwords that are difficult for an attacker to guess. However, such strong passwords are hard to remember, leading users to write them down rather than memorizing them.
• Digital Rights Management schemes are often used to discourage illegal piracy by preventing copying of content, which also has the effect of reducing its utility to paying customers who want to play their purchased material on multiple machines, or make backups. Since pirated content usually does not contain DRM, users who do not want DRM restrictions on their content will then pirate it.

Page 25: Post Regulatory State

• Law’s capacity is limited. Control based on law is marginal. State law is only effective if linked to other processes.
• People do what they do, not because of the law but because of education, training, habit, incentive, etc. Regulations can’t work if they go against economic benefits.
• Form: variety in norms, control mechanisms, controller, controllees.
• Colin Scott, Regulation in the Age of Governance: The Rise of the Post-Regulatory State, June 2003, http://www.anu.edu.au/NEC/NEC%20EVENTS/Events%202003/scott1.pdf

Page 26: Personal Security System

• Digital Online Registration and Identification System (DORIS)
  – Our first vision of a Personal Security Device in hardware.
  – The core of DORIS is a smart chip that supports tri-interface, meaning contact, contactless and USB.
  – Multi form factor - plastic cards, watches, key fobs, flash drives, SIM-overlay and other handheld devices such as mobile phones.
  – Provides
    • Authentication
    • Digital Signature
    • Stores personal records (e.g. medical)
    • etc

Page 27: Personal Security System

• Dynamic Isolation of Virtualised Applications (DIVA)
  – The enhanced vision of a Personal Security System that can support soft or hard tokens like DORIS
  – Trusted applications auto run from any storage media under a ‘sandbox’ environment
  – No requirements for administrator privileges
  – Compatible with any flash storage

Page 28: Responsive Regulation

• The Personal Security strategy is a clever way of exercising Responsive Regulation by bringing in a new key actor, namely the citizen user.
• When the citizen becomes a principal part of the regulatory community, it creates
  – the opportunity of contractual agreements with negotiated but enforceable conditions, and
  – his need for diverse public services like e-government would create the possibility of a hierarchy of sanctions, to match the degree of infringement, which could be cost effectively monitored using electronic means based on government standard protocols.

• Ian Ayres and John Braithwaite, Oxford University Press, Responsive Regulation, Transcending the Deregulation Debate.

Page 29: Training & Security Awareness

• Training
  – Annual Governmentware Seminar
    • Into its 16th year
    • Brings together professionals from government, academia and industry
    • Raises awareness of latest security threats
  – CXO Training
    • Instil within senior management the need for security
    • First-hand experience of cyber-threats

Page 30: Conclusion

• Issues of Cyber-terrorism are related to:
  – Infocomm convergence, hence dependency increases
  – Transnational cybercrime, new forms e.g. cyber attacks leading to cyber-extortion, cyber espionage which could be the prelude to discovering infrastructure weaknesses and social engineering, credit card attacks which could lead to a massive financial system assault, money laundering via electronic payments etc.
• Signals a need for greater cooperation and knowledge sharing between countries
• A good way to network would be Governmentware 2008
  – Theme: Positive Security: Empowering Business Models for the Future
  – Venue: Singapore
  – See you there!