The Tech Behind Cyber Attack

Nov 7, 2013

October 31 | Part 1: From Packets to IP and the "Ping of Death": An Introduction to Cyber

November 28 | Part 2: From Stone Knives to Star Wars: the Tech of Cyber Attack in the Russo-Georgian War of 2008 and the Threat of W32.Stuxnet

overview

- Review of bits, bytes and things that go bump on the internet
- Using ping, nslookup and tracert to find your targets
- Stone Knives: concept and practice of cyber in the Russo-Georgian conflict of 2008
- Distributed Denial of Service attack
- Star Wars: W32.Stuxnet, the attack, how it works, the complexity of it, who could have made such a thing?







bits and bytes


bit (binary digit): the basic unit of information in computing; the amount of information stored by a digital device in one of two possible distinct states, written 0 and 1 (off/on), not 1 and 2

- digital value of 1 = logic high, a positive voltage (up to 5 volts, depending on the logic family)
- digital value of 0 = logic low, about 0 volts
- 8 bits = 1 byte, usually, but it depends on the hardware
- byte: the number of bits needed to encode a single character of text in a computer

binary to letter (ASCII)

01110000 = p
01101001 = i
01111010 = z
01111010 = z
01100001 = a

(the five bytes spell "pizza")
data and packets

- data: binary files, 01010010010010010… etc.
- packet: a unit of data
- from binary to text or image (figure)
- packet: control information and payload
- control information: data the network needs to deliver the payload, e.g. addresses and error control (checksums)
- payload: the content of your "digital letter"

hosts on networks

- who has the data? who doesn't … hosts going global and mobile
- networks: start local, LANs, wireless LANs, AirBears (the campus wireless network)
- client-server model
- addresses: what's your unique network address?


Type:

- ipconfig, and find your IPv4 numerical address (ifconfig or ip addr on Linux/macOS)
- ping www.wikipedia.org
- ping ist.berkeley.edu
- ping www.ca.gov
- ping www.usa.gov


ping: an echo request from host to host (figure)

ping: an echo request (figure)

ping: the payload (figure)


OSI model (figure)

Network Ports

- 21: File Transfer Protocol (FTP)
- 22: Secure Shell (SSH)
- 23: Telnet remote login service
- 25: Simple Mail Transfer Protocol (SMTP)
- 53: Domain Name System (DNS) service
- 80: Hypertext Transfer Protocol (HTTP), used in the World Wide Web
- 110: Post Office Protocol (POP)
- 119: Network News Transfer Protocol (NNTP)
- 143: Internet Message Access Protocol (IMAP)
- 161: Simple Network Management Protocol (SNMP)
- 443: HTTP Secure (HTTPS)

Note: of these, only SSH (22) and HTTPS (443) encrypt by default; the others send credentials and data in cleartext unless a TLS-protected variant is used.



internet and the web

- internet: network of networks, millions of networks
- web: a system of interlinked hypertext documents
- ports: http 80

Try it: http://www.techcomfort.com:81

Try it: http://www.techcomfort.com:80

(compare what happens on the non-standard port 81 with the standard HTTP port 80)




ping, nslookup, traceroute

- how does the traffic flow?
- network devices: hubs, routers, switches
- using nslookup: names and numbers
  - nslookup www.berkeley.edu
  - nslookup www.usa.gov
- using traceroute (tracert on Windows)
  - tracert www.techcomfort.com
  - tracert www.berkeley.edu
  - tracert www.ca.gov

attack!

Professor Nacht has left instructions for you to build and launch a cyber attack on the nation state of Vulgaria.

You have everything you need to build it. How would you do it?

attack!

- Step 0: Recall that an echo request is an ICMP (ping) message whose data is expected to be received back in an echo reply. Under the host requirements (RFC 1122) a host must respond to all echo requests with an echo reply containing the exact data received in the request message (in practice, firewalls often drop or rate-limit echo requests, which is itself a defence against what follows)
- Step 1: Create a list of Vulgarian military and civil servers that should be targeted
- Step 2: Write a simple script (program) that repeats your ping request many times a second
- Step 3: Plant this script on computers across the globe
- Step 4: "Flood" the Vulgarian servers with ping requests from multiple hosts, more than they can keep up with… the result...

attack!

server failure
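The flood sketched in Steps 2 to 4, seen from the defender's side, as an added example that is not part of the slides: it parses tcpdump-style echo-request lines, counts requests per destination per one-second bucket and the distinct senders per destination, and flags a destination whose peak exceeds a threshold, marking the alert as distributed when several sources took part. The log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed assumptions.

```python
"""Spot a distributed ICMP echo-request flood in tcpdump-style text.

Added example over constructed log lines (hosts in the RFC 5737
documentation ranges); the thresholds are illustrative assumptions."""
import re
from collections import defaultdict

# tcpdump -n style: "HH:MM:SS.usec IP src > dst: ICMP echo request, id N, seq N, length N"
ECHO_REQUEST_RE = re.compile(
    r"^(?P<second>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id \d+, seq \d+, length \d+$"
)


def parse_echo_request(line: str):
    """Return (second, src, dst) for an echo-request line, None for anything
    else (echo replies and other traffic are ignored on purpose)."""
    m = ECHO_REQUEST_RE.match(line)
    return (m["second"], m["src"], m["dst"]) if m else None


def detect_icmp_flood(lines, rate_threshold=100, min_sources=3):
    """Per destination, find the busiest one-second bucket of echo requests.
    Destinations above `rate_threshold` requests/second are reported; the
    alert also counts distinct senders, so one noisy host can be told apart
    from a flood launched from many planted machines."""
    per_dst_second = defaultdict(lambda: defaultdict(int))
    senders = defaultdict(set)
    for line in lines:
        parsed = parse_echo_request(line)
        if parsed is None:
            continue
        second, src, dst = parsed
        per_dst_second[dst][second] += 1
        senders[dst].add(src)

    alerts = {}
    for dst, buckets in per_dst_second.items():
        second, peak = max(buckets.items(), key=lambda kv: kv[1])
        if peak > rate_threshold:
            alerts[dst] = {
                "second": second,
                "peak_pps": peak,
                "sources": len(senders[dst]),
                "distributed": len(senders[dst]) >= min_sources,
            }
    return alerts


def make_sample_lines():
    """Constructed capture: four planted hosts each send 50 echo requests at
    203.0.113.10 within one second, plus one benign ping to another host."""
    lines = []
    for i in range(200):
        src = "198.51.100.%d" % (1 + i % 4)
        lines.append("12:00:00.%06d IP %s > 203.0.113.10: ICMP echo request, "
                     "id %d, seq %d, length 64" % (i * 5000, src, 1 + i % 4, i // 4 + 1))
    lines.append("12:00:00.400000 IP 192.0.2.5 > 203.0.113.20: ICMP echo request, "
                 "id 7, seq 1, length 64")
    lines.append("12:00:00.400100 IP 203.0.113.20 > 192.0.2.5: ICMP echo reply, "
                 "id 7, seq 1, length 64")
    return lines


if __name__ == "__main__":
    for dst, alert in detect_icmp_flood(make_sample_lines()).items():
        print(dst, alert)
```

The same counting is what a border router or firewall does when it rate-limits ICMP: the defence against Step 0's "must respond" obligation is to stop honouring it above a sane rate, and the source count tells the responder whether blocking one address will help or whether the traffic has to be dropped upstream.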


attack!

You have just conceptualized the opening cyber salvo used in the Russo-Georgian War of 2008.



July 19, 2008: The First Salvo of Cyber Attack

o flood http www.president.gov.ge
o flood tcp www.president.gov.ge
o flood icmp www.president.gov.ge


defacement attacks

Defacement attack on the Georgia Ministry of Foreign Affairs website (evening of Aug. 8, 2008)

HTTP flood

An HTTP flooder distributed to regular internet users for the purpose of overloading Georgian websites with traffic

stopgeorgia.ru site

A screenshot from the stopgeorgia.ru site on Aug. 10, 2008. The table shows the availability of different websites from Russia and Lithuania; the line over the table reads, "priority targets for attack"

summary of attack

- Static lists of targets were distributed in order to eliminate the need for centralized coordination of the attack
- DoS tools were provided, available for download, along with instructions on how to ping flood Georgian government web sites
- Lists of Georgian sites vulnerable to defacement attack were published
- Public lists of email addresses of Georgian politicians were abused for spamming and targeted attacks

characterizing the attack

A militia-style attack with some advanced characteristics in targeting and reconnaissance

Part 2: The Cyber of W32.Stuxnet

Stone Knives to Star Wars: The Tech Behind the Cyberattacks launched against Georgia and the Emergence of W32.Stuxnet

w32.stuxnet

nation-state, weapons-grade attack software

Stuxnet is a cyber threat targeting a specific industrial control system, likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.

infections

- As of September 29, 2010, 100,000 infected computers had been identified, most of them in Iran
- Stuxnet aims to identify those computers which have the Siemens Step 7 software installed

built with components

- Zero-day Microsoft exploits (4) (vulnerabilities unknown to the vendor and unpatched at the time)
- Windows rootkit (high-level computer access, invisible)
- Programmable Logic Controller (PLC) rootkit
- Antivirus evasion techniques
- Complex process injection and hooking code
- Network infection routines
- Peer-to-peer updates within a LAN
- Contacts a command and control server

The value of components is their ability to be used and reused in multiple instances and independent development… from submarines to aircraft to space stations


(figures) centrifuges at a US uranium enrichment plant; centrifuges in Natanz, Iran; programmable logic controller; Windows rootkit and a zero-day exploit; command and control; antivirus evasion


Quoted from Symantec's W32.Stuxnet Dossier: "Table 5 describes which process is used for injection depending on which security products are installed. In addition, Stuxnet will determine if it needs to use one of the two currently undisclosed privilege escalation vulnerabilities before injecting. Then, Stuxnet executes the target process in suspended mode."

attack setup (theoretical)

- A country wants to enrich uranium and needs industrial centrifuges to do this. Reactor-grade uranium, enriched in U-235, is hard to come by; weapons-grade uranium is harder still. You need a centrifuge for isotope separation.
- The control equipment for the centrifuge plant comes from Siemens, a German electronics and engineering company (Siemens supplies the controllers and engineering software, not the centrifuges themselves). Centrifuges are run by industrial control systems (ICS).
- ICS are operated by code on Programmable Logic Controllers (PLCs)
- PLCs are programmed from Windows machines that are not connected to the internet (an isolated network)

Uranium 235 content (figure)

Here the heavy isotope of uranium (U-238) is represented in dark blue, while the lighter isotope of uranium (U-235) is represented in light blue. The input gas (here represented as a fairly even mix of U-235 and U-238, though in reality natural uranium hexafluoride would have less than 1% of U-235 in it) is released into the center of the centrifuge, and the centrifugal forces force the heavier gas to concentrate at the edges of the centrifuge and the lighter gas at the center. By heating the bottom of the centrifuge the lighter gas will be moved by convection currents to concentrate at the top while the heavier gas will concentrate at the bottom (scoops, not shown, would then extract the gases).

Centrifuge at work (figure)

attack steps

- Step 0: reconnaissance; you need the ICS schematics of the target system and its computing environment
- Step 1: set up a mirrored environment that includes the ICS hardware; develop the Stuxnet code
- Step 2: obtain driver files that are "digitally signed" (so that Windows will load them as trusted kernel drivers)
- Step 3: introduce the Stuxnet executable into the target computing environment by infecting a willing or unknowing third party
- Step 4: once installed, Stuxnet looks for Windows computers used to program PLCs and eventually finds one…

Note: the infected Windows machine will not have outbound access to the internet, thus all sabotage functionality must be embedded in the Stuxnet executable

- Step 5: once the right computer is found, the code on the PLC is modified
- Step 6: Stuxnet hides its modifications

installation complexity (figure)

infection complexity (figure)

w32.stuxnet timeline (figure)

characterizing the attack

- Significant development cycle: six months, five to ten core developers, many other individuals such as quality assurance and management
- Advanced reconnaissance or coordination
- High degree of targeting (Iran)
- Highest degree of complexity known in a virus at the time

The result: Stuxnet = nation-state, weapons-grade attack software

duqu

Recall that W32.Stuxnet is component based… Will Stuxnet components be used again?

Nov. 1, 2011: W32.Duqu, a remote access Trojan (RAT). Symantec calls it "the precursor to the next Stuxnet".

Duqu's purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers in order to more easily conduct a future attack.


Interested in IT and Public Policy?

Consider taking my class next Fall

- Course: PP290: Information Technology and Public Policy
- Learn real, hands-on IT skills (HTML, SQL, Python programming)
- Combine skills knowledge with IT concepts (networks, content management systems, IT systems adoption…)
- Apply your growing IT knowledge to public policy problems
- Can you imagine a public policy problem for which IT is not part of the solution?