cyberterrorism u of m
DESCRIPTION
TRANSCRIPT
1
The Jihadi Cyberterror Threat
SUMIT 07
Dorothy E. DenningNaval Postgraduate School
http://www.nps.navy.mil/da/faculty/DorothyDenning/index.htm [email protected]
2
Outline
• What is cyberterrorism?• Paths to cyberterrorism• Model for assessing cyberterrorism threat of a
particular terrorist group or network• al-Qa’ida and jihadi cyberterrorism threat• Precursors to cyberterrorism
3
What is Cyberterrorism?• What is terrorism? [Webster’s 1991]
– The use of violence and threats– To intimidate or coerce– Especially for political purposes
• Adding prefix “cyber” could be used in 2 ways– A terrorist attack that uses cyber weapons
• Akin to “bioterrorism” and “nuclear terrorism”• Then what is violence in cyberspace?
– Use of cyberspace to support terrorism• Akin to “narcoterrorism”
• Term “cyberterrorism” coined by Barry Collin in 1980’s– Refer to convergence of physical and virtual worlds where cyber weapons
produce physical consequences – i.e., the terrorist act is committed with cyber weapons (1st interpretation above)
4
Barry Collin’s Scenarios• Cyber attack alters processing control system of cereal manufacture,
introducing lethal levels of iron• Cyber attack on air traffic control system causes planes to collide• Cyber attack alters drug formulas of pharmaceutical manufactures, resulting in
unfathomable loss of life• Cyber attack changes pressure in gas lines, causing valve failure, and then
explosions (similar attack against electrical grid)• Cyber attack disrupts banks, international financial transactions, and stock
exchanges – results in lost confidence in economic system– But is it terrorism if there is no violence?
• Deployed bombs communicate through cyberspace – when one stops transmitting, the rest explode
[Barry Collin, “The Future of Cyberterrorism: The Physical and Virtual Worlds Converge,” Crime & Justice International, March 1997]
5
Virtual Terrorism ≠ Cyberterrorism
• Second Life terror campaign– Bombed ABC headquarters– Flew helicopter into Nissan
building– Shot customers in apparel store
• 3 jihadi terrorists registered • 2 jihadi terrorist groups
– Second Life Liberation Army• SL can be used to launder
money across borders
Weapons shopping in Second Life
Natalie O’Brien, “Virtual Terrorists,” The Australian, July 31, 2007http://www.theaustralian.news.com.au/story/0,,22161037-28737,00.html?from=public_rss
6
Paths to Cyberterror
• Evolution of existing terrorist groups– Tech-savvy members or new recruits develop cyber capability, or – Group hires hackers to conduct attacks
• Emergence of new terrorist groups– New group has interest in cyberterror – develops skills or hires
hackers
• Individuals or groups with hacking skills– Operate independently– May align themselves with terrorist networks and objectives– May have insider help
7
Model for Assessing Cyberterror Threat
• Assessment based on indicators/evidence of capability and intent• Indicators grouped into five areas:
1. Conduct of cyber attacks2. Cyber weapons acquisition, development, and training3. Statements about cyber attacks4. Formal education in IT5. General experience with cyberspace
• Populations considered1. Active terrorists associated with a given group or network2. Supporters and sympathizers, especially hackers3. Potential recruits, especially hackers and IT specialists
[Dorothy E. Denning, “A View of Cyberterrorism 5 Years Later,” Chapter 7 in Internet Security: Hacking, Counterhacking, and Society (K. Himma, ed.), Jones and Bartlett, 2006.]
8
1. Conduct of Cyber Attacks
• Objectives– Cause damage and intimidate vs make money or support
organization
• Targets– Critical infrastructures or control systems vs public websites
• Sophistication of attacks– Tools, methods, coordination
• Results and impact• Prevalence
9
2. Cyber WeaponsAcquisition, Development, Training
• Cyber weapons– Hacking tools and methods– Acquired from others or developed in-house
• Terrorist cyber training facilities– Akin to terrorist training camps
• On-line education and training in hacking– Within open or restricted forums
10
3. Statements About Cyber Attacks
• Types of statements– Exploratory discussion of cyber attacks– Advocacy of cyber attacks– Forecast of cyber attacks– Threats of cyber attack– Call to action to conduct cyber attack– Claim responsibility for cyber attack
• Objectives– Cause disruption or severe harm vs– Make money or support organization
• Credibility of statements– Who from?
11
4. IT Formal Education
• General IT education– Computer science– Computer engineering– Information science, etc
• Security studies– Information security– Network security
12
5. Cyber Experience• Internet availability• Technologies used
– Email, chat, IM, web, blogs, forums, groups, etc– Network security: encryption, steganography, web security
• Internet use– Distribution of news, documents, videos, etc– Communications, coordination, command and control– Intelligence collection– Recruitment– Training– Fund raising
• Jobs in IT– Own ISPs, host websites, operate organization networks, etc– Insider with critical infrastructure
13
Al Qa’ida and the Global Jihad
1. Conduct of cyber attacks– Hacking for money and organizational support– Disruptive hacking by cyber jihadists against websites
2. Cyber weapons acquisition, development, and training– Acquiring, developing, and distributing hacking tools and information
3. Statements about CNA– Statements of forecast, advocacy, and calls for action
4. Formal education in IT– A few with formal education
5. Cyberspace experience– Extensive Internet experience– Development and use of cyber tools, including network and data
security tools
14
1. Conduct of Cyber Attacks• Few attacks attributed to al-Qa’ida
– Allegedly broke into diplomats e-mail account and retrieved bank statements using simple hacking tools like L0phtCrack
– Irhabi 007 (Terrorist 007) exploited anonymous FTP sites• Numerous disruptive attacks from cyber jihadists aligned with al-
Qa’ida and Islamic hackers who might be potential recruits– Denial of service (DoS) attacks, often coordinated from jihadi websites – Web defacements
• Cyber attack goals– Support the jihad (e.g., by stealing credit cards or hijacking websites)– Eliminate/damage websites that harm or are offensive to Islam (under
their interpretation)– Inflict damage on Western economy; bring about collapse of West– Revenge
15
16
Irhabi 007 (Terrorist 007)• Used FTP site of Arkansas Highway and
Transportation Dept. to post 70 terrorist-related files, including audio & video files, in July 2004
– David McGuire, Washington Post, 7/13/04– Also used GWU & other sites
• Active on Jihadi forums• Posted 20p “Seminar on Hacking Websites”• Younis Tsouli, 23, sentenced July 2007 10
yrs for inciting terrorist murder on Internet • In UK trio that stole & used credit cards
Links to Arkansas Highway Department website postedon Al Ansar forum by Irhabi 007 [Internet Haganah]
17
Coordinated Cyber Attacks
• Examples– Danish cartoon attacks– Attack against Vatican website– Electronic Battle of Guantanamo
• Web forums used for coordination and to deliver attack tools
18
Danish Cartoon Attacks• Response to publication of cartoons satirizing
Prophet Mohammad in Danish paper Jyllands-Posten
• Web defacements [Zone-h.org]– 2,817 Danish websites [1/21/06 - 2/22/06]– Roberto Preatoni, Zone-h, said that it was about
10-20 times more than normal and “the biggest, most intense assault” he’d seen
• Denial of Service (DoS) attacks– Jyllands-Posten website primary target– 3asfh.com released video purportedly
documenting their attack• Video and still shots at
http://haganah.org.il/harchives/005456.html – Republishers also hit, including Michelle
Malkin’s blog• Coordinated through al-Ghorabaa website
19http://www.zone-h.org/en/defacements/mirror/id=3281674/
ISLAMICSECURITYGUARDS
Defaced 14.dk websites
1/29/06
ProtestingDanish Cartoons
20
3ashf.com DoS Attack
Still shots posted at http://haganah.org.il/harchives/005456.html
21
Attack Against Vatican Website
• Response to Pope Benedict’s statement about the Prophet Mohammad
• DoS attack planned for October, 2006
• Call for volunteers posted on jihadi forums:– “We ask all our brothers to be
present at the hour of the attack for a joint action, because they (Catholics) have struck our religion”
• Attack had little impact• Newsmax, Nov 28, 2006
Benedict XVI
“Show me just what Muhammad brought that was new and there you will findthings only evil and inhuman, such as his command to spread by the sword the faith he preached.”
22
Electronic Battle of Guantanamo
• Planned DoS attack against websites of American stock exchanges and banks
• Announced on jihadi forum Nov 27, 2006 with call for participants• Attack to run from Dec 1 through end of month• Revenge for incarceration of Muslims at Guantanamo Bay• Volunteers advised to use anonymity services• Attack cancelled because banks had been warned• Grant Ross and Robert McMillan, “al-Qaeda ‘Battle of Guantanamo’
Cyberattack a No-Show,” IDG News Services, Dec 1, 2006; E. Alshech, Cyberspace as a Combat Zone
23
Al-Jinan
• Web forum at www.al-jinan.org • Forum to plan, organize, and support electronic jihad on behalf
of all Muslims to defend Islam– Claims electronic jihad can inflict “financial damage that may reach
millions”• Software downloads to simplify DoS attacks
– Electronic Jihad Program 1.5 (Silver Edition) – designed by Saudi national
• Chat room to plan and coordinate attacks• Forum lists websites attacked and impact
– Claims to have shut down Internet Haganah • Source - Terrorism Research Center, August 31, 2006
24
Electronic Jihad Program
• Targets websites critical of Islam– Claims they have had anti-Islamic
websites pulled off web• Version 2.0 features
– Handles different Internet speeds– Use proxies to override website
blocking– Sets up account for each user with
al-jinan.org– Awards to those who spend most
time attacking targets and have most “successful attacks” Version 1.5
Forum Users Improve Electronic Jihad Technology, Terrorism Focus, Vol IV, Issue 20, June 26, 2007, http://jamestown.org/terrorism/news/article.php?articleid=2373496 .
25
Al-Firdaws Forum
• Al-Firdaws at www.alfirdaws.org• Credit card theft
– Forum discusses program that generates and validates credit card numbers, suggesting it could be used to “strike the infidel’s economy” [Terrorism Research Center, Jan 8, 2007]
• Ansar Al-Jihad Hackers Team for Electronic Jihad– Irhabi 11 posted statement May 10, 2007, identifying group– Claimed group had hacked a “crusader website”.– Urged jihad sympathizers to visit group’s website to participate– Sites at logic90.jeeran.com and www.al-ansar.virtue.nu
26
27
More Cyber Jihadists
• Prominent groups identified by MEMRI– Hackboy*– Ansal Al-Jihad Lil-Jihad Al-Electroni*– Munazamat Fursan Al-Jihad Al-
Electroni– Majmu’at Al-Jihad Al-Electroni*– Majma’ Al-Hakar Al-Muslim*– Inhiyar Al-Dolar
* maintain own websites for recruiting volunteers for and coordinating attacks
E. Alshech, Cyberspace as a Combat Zone: The Phenemenon of Electronic Jihad, MEMRI, No. 329, Feb. 27, 2007
28
More Muslim Hackers• Al Qaeda Alliance Online• OBL Crew• Abu Syf3r• Hilf Al-Muhajirin• Q8Army• Cyber Jihad• Hackers for Palestine• Arab Electronic Jihad Team
– Sought to bring down all US websites• Arabian-Fighterz Team
– About 3,000 defacements– http://www.zone-h.org/en/defacements/mirror/id=3672421/
• Muslim Hackers Club– Active in 1998-99– Goal: “a nonstate capability in information warfare, err, research.”– Provided training to local chapters on hacking and network admin
29
Al-Qaeda Alliance Online
• Formed post Sep 11, 2001– Disappeared shortly thereafter
• Three Pakistani hacker groups:• GForce Pakistan
– 212 defacements in alldas.org – Last recorded 10/27/01– Said they weren’t “cyber
terrorists” – Said “all we ask for is PEACE
for everyone”• Pakistan Hackerz Club• Anti India Crew Oct 17, 2001 Gforce Pakistan defacement of
National Oceanic & Atmospheric Administration
30
OBL Crew
• Osama Bin-Laden Crew• Aka Cyber Army of Allah (CA)• Members came from Islamic
hackers / Afghan Hackers• Threatened Internet Haganah &
Anti-Terrorism Coalition in 2004– Tried to recruit 600 Muslim
hackers for attacks • Threatened ATC again in 2007
http://www.jihadicastle.com/e-jihad.htm
31
Hilf Al-Muhajirin
• “Pact of the Immigrants”– Agreement to stand united under the banner of the Muhajirun
Brigades in order to promote cyber warfare and allegiance to leadership
– Goal to wage media jihad and attack websites harmful to Islam and Muslims
• Initiative launched Jan 3, 2007 on Islamic websites• Mujahideen operating on Internet invited to sign• Source: E. Alshech, Cyberspace as a Combat Zone
32
'Abu Syf3r' Defaces Internet Haganah
And brags about iton April 6, 2007
Internet Haganah helped remove over 1,000 jihadi Websites using legal means
http://haganah.org.il/haganah/
33
Q8Army
• Operated botnet• Computers compromised via IM-borne adware that delivered malware
rootkits• Software stole credit card information• Software served up pop-ups that carried URLs of militant Arabic Web
sites endorsing violence to achieve “world domination”• Stolen funds used to buy mobile communications gear and used PCs• Group’s origin traced to Middle East by researchers at FaceTime
Communications• Source: Matt Hines, Botnet Stalkers Share Takedown Tactics at RSA,
Feb 8, 2007, www.eweek.com
34
2. Cyber WeaponsAcquisition, Development, Training
• Hacking tools developed by jihadists and acquired from other hackers
• Terrorist training centers– al-Qa’ida safe house in Pakistan reportedly used for
training in computer hacking and cyber warfare, and cyber reconnaissance of infrastructure and SCADA systems [Magnus Ranstorp, “Al-Qaida in Cyberspace,” in Terrorism in the Information Age, 2004]
• Documents on how to hack• Numerous web forum
35
“Hacking, Why Not?”• By Imam Samudra
– Sentenced to death for 2002 Bali bombings
• Book chapter in Me Against the Terrorist!, 2004– Written in prison
• Advocates cyber attacks to raise money, especially via credit card fraud, and “bring America and its cronies to its knees.”
• Rudimentary guide to hacking (mainly “carding”) methods and resources
• Credit card numbers found on his computer
36
Cyber Weapons & Training Websites
• Minbar ahl al-Sunna wal-Jama (“The Pulpit of the People of the Sunna”) forum– Article posted in fall 2005 on how to become a hacker– Three categories of hacking
• Intrusions into corporate and government networks• Intrusions into personal computers to steal personal information• Interception of sensitive information, e.g., credit cards, in transit
• Al-Ghorabaa website– Site used to coordinate attacks against Jyllands-Posten– Offered an encyclopedia on hacking websites and a 344-page book on
hacking techniques, with step-by-step guide for “terminating pornographic sites and those intended for the Jews and their supporters.”
– Source – Jamestown Foundation• Al-Firdaws and al-Jinan forums (earlier slide)
37
al-Qa’ida University for Jihad Studies
• First announced late 2003 with “college” on electronic jihad
• Announced again in Oct 2005 on al-Farouq web forum
• Forum offers library of hacking tools and instructions for cyber attacks
Keylogger Jihad
38
3. Statements About Cyber Attacks• After 9/11, OBL allegedly told Hadmid Mir (ed. Ausaf newspaper)
“… hundreds of Muslim scientists were with him and who would use their knowledge in chemistry, biology and (sic) ranging from computers to electronics against the infidels.”
• Mohammad Razzak, suspected member of al Qaida, said in Dec 2001– Terrorists had penetrated Microsoft (by gaining employment) and attempted to
plant Trojan horses and bugs in Windows XP. [Newsbytes]• Sheikh Omar Bakri Muhammad, London-based head of al-Muhajiroun,
told Computer World in Nov 2002– “… would not be surprised if tomorrow I hear of a big economic collapse
because of somebody attacking the main technical systems in big companies.”• Principle 34 (electronic jihad) of The 39 Principles of Jihad, 2003
– Directs computer users to use their skills and experience in destroying American, Jewish and secular websites
39
Statements About Cyber Attacks• Fouad Hussein, al-Zarqawi–al-Qaeda’s Second Generation, 2005, in
Arabic – Describes 7 phases of al-Qa’ida’s long-term war based on interviews of
top lieutenants– Phase 4, 2010-2013, includes cyberterrorism against US economy
• jihadi al-Farouq web forum, www.al-farouq.com/vb - 2005– Postings call for cyber attacks against US and allied government websites– Participant “achrafe” proposed forming an operations unit within the
Islamic Hacker Army (Jaish al-Hacker al-Islami)• Al-Ekhlaas web forum posting on Sep 11, 2006
– Proposals to counter “Crusader media campaign in Iraq”– One proposal is for a group of young hackers to disable websites that
attack Islam, jihad, etc, including www.noterror.info • Statements about inflicting economic damage
– Numerous postings about using cyber attacks to achieve this
40
Statements About Attacks on Critical Infrastructures
• Massive DoS attack to disable 13 root name servers– Posting on jihadi forum discusses possibility, but got no response– Claims it “would help destroy all of the west” and cause fall of the global
economy– Source – Terrorism Research Center, Jun 26, 2006
• Attack against Telehouse hub in London– Proposal to infiltrate hub and blow it up– Source – The Sunday Times, Mar 11, 2007
• Disabling all electronic networks around the world– To include military nets that control radars, missiles, and communications– Claims that disabling for a day will bring about total collapse of the West
and breakdown of world economy and stock markets– Source – Alshech, Cyberspace as a Combat Zone, MEMRI, Feb 27, 2007
41
Suggestions for Electronic War• Posting on jihadist website• Objective: provide logistical support to mujahidin on the ground• Admits lack of technical knowledge in viruses and programming
languages• Suggestions include
– Disable and paralyze communication devices for battlefield C2 networks, GPS, GPRS, GSM
– Disrupt enemy banks, oil control grids, navigation techniques– Target enemy’s data flowcharts to paralyze life in country – but “do not
ask me what flow charts are”– Disable American missile attack or redirect missiles to go back to where
they came from
42
4. IT Formal Education
• A few members/supporters with CS/CND education
• Some recruits from countries offering CS/CND education
• Sami Al-Arian– Professor, CSE, U of S. Florida, Tampa– Met with Bush (photo right)– Charged with raising money for
Palestinian Islamic Jihad (PIJ)– Jury found not guilty– Pled guilty to engage in conspiracy to
aid PIJ– In prison as of Oct 2007
President Bush and Sami Al-Arian
43
Computer Science/Security Education
• Sami Omar Al-Hussayen– Saudi CS grad student at U. of Idaho studying
computer security– Charged with operating websites used to recruit
terrorists, raise money, and disseminate inflammatory rhetoric
– Acquitted 2004 and deported to SA• Ali S. Marri
– Went to Bradley U. on 9/10/2001 for grad degree in computer information systems
– Assigned by al-Qa’ida to explore hacking– Seized computers contained 1,000 credit card
numbers and bookmarks for hacking sites, hazardous chemicals, and fake IDs
44
5. Cyber Experience• Technologies used
– Email, chat, IM, etc– Websites, blogs, forums, groups, etc – thousands of sites, many hosted in US– Network security – methods, tools, training
• Software development– Hacking and security tools– Jihadi video games– Jihadi web browser – to restrict user to jihadi websites
• Internet activities– Distributing news, documents, electronic magazines, videos, etc– Discussing, planning and coordinating attacks– Recruiting and cultivating support– Training – manuals, videos, software, virtual worlds– Fund raising– Collecting intelligence
45
Jihadi Electronic Magazines
• Sawt al-Jihad (Voice of Jihad)– Oct 2003 – (with lapses)– AQ in Arabian peninsula
• Sada al-Jihad (Echo of the Jihad) – Jan 2006 -– By Global Islamic Media Front
• Al-Muhahid al-Taqni (The Technical Mujahid)– Oct 2006 -– Focus so far on infosec technologies
• Mu’askar al-Battar (Al Battar Camp) – Jan - Nov 2004– Military training manual
• Al Khansa – Aug 2004 only– For female mujahidin
46
On-line Distribution of Videos• Recruitment
– MTV-quality rap video inspiring viewers to take up jihad against West (right)
• Recordings of terrorist acts– Bombings, hostages,
beheadings, etc• Recorded statements by
– Leaders– Suicide bombers
• Weapons training– Videos and manuals on mixing
explosives, making dirty bombs, using Stinger missiles, etc
47
IRHABEAT Bloghttp://www.irhabeat.blogspot.com/
Some videos posted:– Attack on Iraqi police convoy
(posted 9/21/07)– IED attack on Americans– IED attack in Baghdad– Martyrdom against Iraqi
National Guard– Using stinger missiles– Attack in al-Anbar
48
On-line Training
• Al-Battar Training Camp– 6th issue (cover left) discusses cell
organization and command structure• The Technical Mujahid• al-Qa’ida University for Jihad
Sciences– Colleges for e-jihad, media jihad
• Training manuals and videos– Explosives of all types– Surface-to-air missiles– Flying planes
• 18 videos on flying 747’s
49
Training with Web Videos
http://www.msnbc.msn.com/id/6746756/
50
Talking About Flight Simulator Software
Post #23489 on mohajroon.com Internet Haganah, 1/28/06, http://haganah.org.il/harchives/005435.html
51
Network Security Methods & Tools
• Encryption– Global Islamic Media Front developed
“Mujahideen Secrets” with encryption, compression, and file shredding
• 256 bit symmetric (AES)• 2048 bit asymmetric
– Software can be used from thumb drive• Anonymous accounts• Dead drops
– Draft messages in shared e-mail accounts• Web security
– Password-protected websites and forum• File hiding• Code words• Steganography
Mujahideen Secrets [MEMRI]
52
Security Education and Training
• The Technical Mujahid– Issue 1 (Dec 2006 – at right) discusses
• Password-protected web forum• ChaosMash – free encryption tool with 45
methods• Alternative Data Streams (ADS) – conceal
one file in another• Hacker Defender – Windows rootkit• Pretty Good Privacy (PGP) – not good
enough– Issue 2 (Mar 2007)
• Reviews Mujahideen Secrets• Discusses steganography
– Sources – Global Issues Report; TRC• Numerous other articles and manuals on hiding
data, identity, and activity
53
AQ/Jihadist Cyberterror Summary
• Cyber attacks will continue and cause economic harm– To disrupt websites– Make money through online fraud
• There is some desire to conduct more damaging attacks, but there are no plans or capability to conduct devastating attacks against critical infrastructures or digital control systems
• Terrorists and jihadists make extensive use of Internet to further their strategic and operational objectives– Does not translate into a hacking capability– But does provide opportunity for monitoring and disrupting their activities
• Caveats– Information is based on open sources– This is a fast moving field
54
Precursors to Cyberterror?
• Failed cyber attacks that would be characterized as cyberterror if successful, e.g., against SCADA systems
• Extensive discussions and planning relating to cyber attacks against such – not just vague wishful thinking
• Research and training in methods and tools for attacking such systems, preferably within labs
• Distribution of methods and tools in general hacking/security research community for use against control systems like SCADA– SCADA vulnerabilities are now being disclosed