Chapter 2. Literature Review
2.4 Network Warfare
2.4.1 Network Warfare Attack
Computer network attack covers those activities which seek to exploit, corrupt, degrade or deny the performance of networks or the various components that constitute the network. This may be accomplished through various tactics, which are either active or passive. Active attacks include: denial-of-service (DoS) attacks; the introduction of malware and backdoors; system penetration; and various other activities. Passive attacks are more difficult to detect, and usually include the monitoring of networks in order to retrieve more information about that network (Thion, 2008). The availability of hacking tools and malicious code on the World Wide Web provides ready-made IW weapons to any nation or group seeking to obtain an IW capability (Jones, Kovacich, & Luzwick, 2002). The following paragraphs discuss types of attacks.
A denial-of-service attack is when a target is flooded with false requests, overloading the gateway or network so that legitimate traffic is severely hampered or is prevented altogether (Peltier, Peltier, & Blackley, 2005). When the attack originates from multiple machines it is known as a distributed denial of service (DDoS) attack (ibid.).
Viruses are a type of malicious software which requires another program or file to propagate. They may include the following:
Boot viruses, which infect the boot sector of a disk, execute every time the system is turned on, and may infect any removable disk that is inserted into a drive (Denning, 1999).
Macro viruses, which are contained in the macros of Microsoft Office documents (Denning, 1999; Hutchinson & Warren, 2001).
Program viruses, which are contained in, or infect, executable files, primarily those of programs (Denning, 1999).
Worms are self-replicating and actively seek to spread to other systems via the network, the intent being to infect the network (Hutchinson & Warren, 2001; Waltz, 1998). Rabbits are also independent and self-replicating, but do not spread to other systems; they replicate continuously, exhausting the resources of the infected system (SpyOps, Technolytics Institute, and Intelomics, c. 2008). Waltz (1998) gives this same definition to bacteria, whereas SpyOps, Technolytics Institute, and Intelomics (c. 2008) differentiate the two; they agree that the bacterium exhausts computer resources, yet mention that it specifically attaches itself to the operating system. A Trojan, or Trojan Horse, appears to perform a legitimate function; however, it contains additional hidden malicious functions (Hutchinson & Warren, 2001; Waltz, 1998). Backdoors are inserted code fragments or programs that provide a covert means of accessing the system after the initial penetration or infection (SpyOps, Technolytics Institute, and Intelomics, c. 2008), and may be used in conjunction with Trojans (Waltz, 1998). Logic bombs are pieces of code that are inserted into software to trigger potentially malicious activity when certain conditions are met (ibid.).
Two modern versions of malicious code are rootkits and malware that creates networks of systems controlled by the attacker, called botnets. Rootkits are a collection of tools that can be used to mask intrusion and gain administrator-level access to computers, networks and related systems (SANS Institute, 2010); they may also mask the running of illegitimate programs or processes, and possibly take control of a system (Poulsen, 2003). In 2005 Sony used a rootkit to hide software for copyright protection of its CDs. This use was not intended to be malicious; however, it was discovered that the rootkit created vulnerabilities that could be exploited by attackers (BBC, 2005).
Botnets are networks of software bots (short for robots), which run autonomously (SpyOps, Technolytics Institute, and Intelomics, c. 2008). Malicious variants may seize control of computers (these are then called zombies), and the network can be used for conducting DDoS attacks or committing other cyber-crimes (Ajoku, 2009); they may also be used for the distribution of spam emails. For the purposes of this thesis, all forms of viruses, worms, and other malicious code or software will be encompassed by the generic term malware.
A man-in-the-middle attack is where an eavesdropper manages to intercept communications (particularly those that are encrypted) between two parties; the attacker receives each message sent and then transmits it to the intended recipient, and then receives and relays the replies. This type of attack is most commonly used against secure websites, particularly e-commerce sites, in order to compromise the client's credit card details (Whitman & Mattord, 2010). A modern variation is the man-in-the-browser attack, which is facilitated through the use of a Trojan, and is effectively a man-in-the-middle attack between the user and the security mechanisms of the web browser application (Gühring, 2006). These attacks are capable of modifying information on the fly, so no fraudulent activity is readily detectable (ibid.). These attacks could also conceivably be used to gain the information required to log on to websites or servers that contain other forms of sensitive information. Cross-site scripting is a popular attack vector against both the average user and organisational networks; it can be used for stealing user sessions, injecting malicious content, and compromising usernames and passwords (Dhanjani, Rios, & Hardin, 2009). The attacker inserts malicious code into a legitimate dynamic web page; this can be a hyperlink which loads or redirects the user to malicious content (Janczewski & Colarik, 2008; Lawton, 2007). Cross-site request forgery is when an attacker compromises a legitimate user's computer and uses it to send requests to websites or organisational intranets for which the user has legitimate authentication (Lawton, 2007).
This allows the attacker to pose as the legitimate user and conduct malicious acts once access is gained to the websites. Cross-site scripting and cross-site request forgery are particularly relevant to social networks (ibid.); cross-site scripting has been used to attack both YouTube (Barnett, 2010) and Twitter (Twitter, 2010).
Phishing attacks utilise spam emails to coerce or trick users into visiting fake banking sites and entering their online banking details; a modification of this is the chat-in-the-middle attack, where a fake technical support instant messaging chat window is used to trick the user into providing account information. These attacks primarily target online banking to gain access to the victim's finances (RSA FraudAction Research Labs, 2009).
Coleman (2008a) describes three components of cyber-weapons: there needs to be a delivery vehicle (also called an attack vector), a security breaching mechanism, and the payload. Delivery may be manual (from a hacker), through an email or webpage, or from hardware (such as a universal serial bus (USB) drive). The weapon then needs to exploit vulnerabilities in the system that is to be infected, and then needs to continue to avoid any protection mechanisms, such as anti-virus software and firewalls, that may be in place. Once the system is infected the malicious content, or payload, is activated.
Figure 2.14 shows a network warfare attack process; information is required regarding the interfaces to reach the target network, and information about the target network itself, particularly the vulnerabilities that could potentially be exploited (Jones, Kovacich, & Luzwick, 2002). In this figure GII denotes the global information infrastructure and NII denotes the national information infrastructure. Once the system has been penetrated, the attacker may accomplish the objectives of the attack, and possibly identify additional networks that could be targeted; the attack then proceeds to these new targets. Usually backdoors are left so that the systems and networks may be easily penetrated at a later stage as required (ibid.). A distributed denial of service attack may not require the level of planning indicated in this process; all that is required is that the target is flooded with illegitimate data streams to reduce its performance, so only preliminary scanning to determine the IP range of the target is needed.
Due to the prevalence of wireless technologies, there are a number of attacks that arose from weaknesses in their implementation. These include jamming, wardriving and related attacks for WLANs; and bluejacking, sniffing, and DoS attacks on Bluetooth networks. These attacks will be described in more detail in Section 2.8.2.