NETWORK SECURITY

Case Study – CyberterrorismA New Reality:

When hackers claiming to support the Syrian regime of Bashar Al-Assad attacked and disabled the website of Al Jazeera, the Qatar-based satellite news channel, in September 2012, the act was another act of hacktivism, purporting to promote a specific political agenda over another. Hacktivism has become a very visible form of expressing dissent. Even though there have been numerous incidents reported by the media, the first case of hacktivism was documented in 1989 when a member of the Cult of the Dead Cow hacker collective named Omega coined the term in 1996. However, hacktivism is not the only form of cyber protest and conflict that has everyone from ICT professionals to governments scrambling for solutions. Individuals, enterprises, and governments alike rely in many instances almost completely on network computing technologies, including cloud computing. The international and ever-evolving nature of the Internet along with inadequate law enforcement and the anonymity the global architecture offers creates opportunities for hackers to attack vulnerable nodes for personal, financial, or political gain. 

The Internet is also rapidly becoming the political and advocacy platform of choice, bringing with it both positive and negative consequences. Increasingly sophisticated off-the-shelf technologies and easy access to the Internet are significantly increasing incidents of cyberterrorism, netwars, and cyberwarfare. The following are a few examples. 

According to The Israel Electric Company, Israel is attacked 1,000 times a minute by cyberterrorists targeting the countrys infrastructurewater, electricity, communications, and other services. The New York Times, quoting military officials, said there was a seventeen-fold increase in cyberattacks targeting the US critical infrastructure between 2009 and 2011. The 2010 Data Breach Investigations Report has data recording more than 900 instances of computer hacking and other data breaches in the past seven years, resulting in some 900 million compromised records. In 2012, the same study listed 855 breaches, resulting in 174 million compromised records in 2011 alone, up from 4 million in 2010. Another study of 49 breaches in 2011 reported that the average organizational cost of a data breach (including detection, internal response, notification, post notification cost) was $5.5 million. This number was down from $7.2 million in 2010.14 The Telegraph (London) reported that India blamed a new cyber-jihad by Pakistani militant groups for the exodus of thousands of people from Indias north-eastern minorities from its main southern cities in August after text messages warning them to flee went viral.

There have been recorded instances of nations allegedly engaging in cyberwarfare. The Center for the Study of Technology and Society has identified five methods by which cyberwarfare can be used as a means of military action. These include defacing or disrupting websites to spread propaganda, to conduct espionage and gain access to critical information, to disrupt enemy military operations, and to attack critical infrastructure. In 1999, pro-Serbian hacker groups, including the Black Hand, broke into NATO, US, and UK computers during the Kosovo conflict. In 2000, both pro-Israeli and pro-Palestinian groups created panic for government and financial networks, and in 2001, the world saw hacking with a patriotic flavor when Chinese and US hackers traded attacks on computers in both countries. 

One of the first widely documented cases was the cyberattack on the Republic of Georgia in 2007. On April 26, a series of distributed denial of service (DDoS) attacks targeted government, media, and financial networks and Internet infrastructure. Many other servers were hacked, and websites changed to display pro-Russian messages. Many of the initial attacks were said to have originated from Russia and, in some cases, allegedly from Russian government computers. The first wave of attacks against Estonian websites fizzled out after the Estonian foreign minister publicly declared that many of the attacks had originated from Russian government computers. 

The Estonian Internet infrastructure was subjected to more attacks. On April 30, 2007, attackers utilized so-called robot networks (botnets) from numerous sources around the world. About a week later, there were more DDoS attacks, including one on Estonias Hansabank, which reported a loss of about $1 million because of the attacks. The attacks continued intermittently for a few weeks before finally dying off in the summer of 2007. 

Another incident was the South Ossetia conflict between Russia and Georgia in 2008. This Russian-Georgian conflict is classified as the first cyberspace conflict that was synchronized with traditional combat actions. Just as Russian troops were crossing the border, websites for communications, finance, government, and many international organizations in Georgia became inaccessible. These actions included various DDoS attacks that disrupted communications and information networks in Georgia. The attackers also defaced Georgian websites, adding pro-Russian images, supposedly for propaganda purposes. One of the first networks attacked was a popular hacker forum in Georgia. Consequently, pro-Georgian hackers made successful attacks against Russian networks as well. 

Although both the Estonian and Georgian attacks were widely believed to be the work of state-sponsored Russian hackers, no proof has ever been found conclusively linking Russian authorities to the incidents. 

The First Cyberwarfare Weapon: Stuxnet 

In June 2010, an Iranian nuclear facility in Natanz was said to have been attacked by a sophisticated, standalone malicious malware that replicated itself to spread to other computers. The malware, called Stuxnet, initially spread via Microsoft Windows operating system and targeted industrial software and equipmentin particular, certain specific industrial control systems made by Siemens. In all, versions of Stuxnet targeted five Iranian organizations, all allegedly linked to the Iranian nuclear program, and may have caused significant damage to the Iranian nuclear enrichment program facility located at Natanz. Stuxnet is said to have been in use since 2009 and was first identified in July 2010 by VirusBlokAda, an information-technology security company in Belarus, after it was said to have accidently spread beyond its intended target, Natanz, via infected USB sticks. However, some experts have argued that Stuxnet is not a worm, since it was propagated via removable mediaCDs, DVDs, thumbdrivesand did not distribute through self-replication over the Internet. 

In any event, the 2010 version of Stuxnet has been called the largest and most sophisticated attack software ever built, and one investigative article said that the event foreshadowed the destructive new face of 21st century warfare, writing that Stuxnet is the Hiroshima of cyberwar. According to a report by Symantec, data from the early days of the Stuxnet attack showed that Iran, Indonesia, and India accounted for the bulk of the infected computers. The report also said that Stuxnet was the first piece of malware to exploit the Microsoft Windows shortcut LNK/PIF files automatic file execution vulnerability36 to spread. 

Overview of Stuxnet Symantec found that not only did versions of Stuxnet exploit up to four zero-day vulnerabilities in the Microsoft Windows operating system, at half a megabyte it was unusually large in size and seemed to have been written in several languages, including portions in C and C++. Another sign of the sophistication was the use of stolen digital certificates from Taiwanese companies, the first from Realtek Semiconductor in January 2010 and the other from JMicronTechnology in July 2010. The size, sophistication, and the level of effort has led experts to suggest that the production of the malware was state-sponsored, and that it is the first-ever cyberwarfare weapon. The effects of Stuxnet have been likened to a smart bomb or stealth drone, since it sought out a specific target (programmable-logic controllers made by Siemens), masked its presence and effects until after it had done the damage (the operation of the connected motors by changing their rotational speed), and deleted itself from the USB flash drive after the third infection. As programmed, Stuxnet stopped operating on June 23, 2012, after infecting about 130,000 computers worldwide, with most of them said to be in Iran. 

THE QUESTION IS

-What does the threat do?