FREE ELECTRONIC LIBRARY - Theses, dissertations, documentation

Pages:     | 1 || 3 | 4 |   ...   | 6 |

«Untangling Attribution David D. Clark* and Susan Landau** I. Introduction In February 2010, former Director of the National Security Agency Mike ...»

-- [ Page 2 ] --

Distributed denial of service (DDoS) attacks, in which a large number of machines from all over the Internet attack a site or a small set of sites, have the goal of disrupting service by overloading a server or a link.

They have a unique character: visible and intrusive. DDoS attacks are designed to be detected. The attack is done by first penetrating and subverting a large stock of attack machines, forming them into what is called a "bot-net." A DDoS attack is thus a multi-step activity, first building

–  –  –

the bot-net, then instructing the subverted machines to launch some sort of simultaneous attack on the target system. This step of the attack may be the sending of floods of packets or just overloading the server with apparently legitimate requests.

Before the attack, it may be possible to take active steps to reduce its potency. There are at least two approaches to degrading the attack's strength making it harder to penetrate and keep control of a machine and identifying machines that are apparently infected, so they can be isolated if they participate in an attack. Machines that are seen as likely ultimate targets for DDoS attack can also prepare themselves by replicating their content on distributed servers, so that an attack must diffuse itself across multiple machines. 8 During an attack, the relevant mitigation techniques involve turning off traffic from attacking hosts or discarding the traffic before it reaches the point of overload. This response requires knowing the identity of the attacking machines to identify the traffic. Note that it is not necessary to know all of the machines, just enough to reduce the attack to manageable proportions. And depending on what steps are taken to block traffic from the attacking machines, there may be minimal harm from the occasional misidentification of an attacker.9 After the fact, DDoS attacks represent a challenge for the objective of retribution. The attacker (the so-called bot-master or the client who has rented the bot-net from the bot-master) has usually taken care to be several degrees removed from the machines doing the actual attack. Tracing back through the attacking machines to find the responsible attacker may involve crossing jurisdictional boundaries, which adds complexity and delay. If the actual attack involved falsified source addresses, such trace-back may be very difficult or even impossible. However, the range of attacks that can be 8For example., a content provider might choose to outsource the hosting of its content to a Content Delivery Network (CDN). A leading provider of CDN service, Akamai, specifically claims that its infrastructure is massive enough that DDoS attacks will be ineffective against


APPLICATIONS 6-7 (2010).

9 For example., if the mitigation technique involved blocking traffic coming from a source for a few minutes, then if an innocent machine were misidentified as part of the attack, the only consequence would be that the user of that machine could not reach the web site for that short time. That sort of failure can occur for many reasons and might well be the outcome that the user perceived in any case while the target machine was under attack.

2011 / UntanglingAttribution executed without a two-way exchange of packets is very limited, and for many attacks today, the source address is not forged.1 0 Because of these factors, there is a question as to whether after-the-fact-retribution is a useful part of dealing with bot-net-based DDoS attacks.

Bot-nets are also used to send bulk unsolicited email - spam. From an attribution perspective, this application is different from DDoS attacks.

When bot-nets are used for sending spam, spam provides trace-back.

Because merchants have to identify themselves in order to be paid, some attribution is possible. Spammers' protection comes not from anonymity, but from jurisdictional distance or legal ambiguity.

B. Identity Theft

The term "identity theft" has received much attention in the press recently, but it is worth separating the different activities that are sometimes lumped together under a single term. The Identity Theft and Assumption Deterrence Act of 199811 criminalized identity theft, which the Federal Trade Commission describes as "someone us[ing] your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes."12 Under this definition, up to nine million Americans suffer identity theft annually. 3 This broad definition encompasses everything from the theft of a single credit-card number or misuse of a single account to a full-scale impersonation of an identity (involving the establishment of new credit accounts or identity documents in a person's name). The former constitutes the majority of identity theft. In 2006, for example, according to an FTC 10This statement does not imply that forged source addresses are never seen in current attacks. For example., some attacks are based on the use of the Domain Name System (DNS) as a vector, and those attacks are one-way and involve falsified source addresses. By sending a query to a DNS server with the source address of the machine to be attacked, the server will reply with a packet sent to that machine. See, e.g., Daniel Weseman, DNS Queries, INTLRNLT STORM CLNTLR, http://isc.sans.edu/diary.html?storvid=5713 (last visited Feb.


11Pub. L. No. 105-318, 112 Stat. 3007 (1998).

12 About Identity Theft, FLDLRAL TRADL COMMISSION, htt://wwxwftc.gov/bc /edu/microsites/idtheft/consumers/about-identity-theft.html (last visited April 13, 2010).

13 Id.

HarvardNationalSecurity Journal/ Vol. 2 report, 6.5 million Americans suffered theft of their credit or account information, while 1.8 million had their identity information used to establish fraudulent accounts,1 4 a ratio of about three-and-a-half to one.

Thus the nine million number somewhat overstates the number of people subjected to full impersonation. The serious case of identity theft, in which new documents are established in someone else's name, happens about two million times a year in the United States.

Identity theft is an interesting crime for a number of reasons. It is a multi-step crime - the identity in question must be stolen and then exploited. The theft can occur in many ways. It may involve infiltration of a computer and installation of spyware that captures identifiers and passwords used for application-level authentication or the penetration of a merchant server and the theft of billing records. Such information may then be used by the original thief or sold to other criminals. Next, the identity must be exploited. If the exploit is on the Internet, this generally involves the use of the stolen credentials to mislead some sort of application-level authentication scheme, e.g., logging in as the user to lay a false attribution trail. Perhaps as a final step, some sort of money-laundering scheme is required to convert the exploit into money that is useful to the criminal.

Early Internet-based identity theft used "phishing," an attack in which a user is tricked into going to a web site that imitates a legitimate one (e.g., a bank) and typing in his name and password. Phishing attacks surfaced in 1996,15 and by 2005, there were reports of as many as 250,000 phishing attempts being made daily against just one financial institution. 16 More lucrative than attempts at obtaining records about single individuals are efforts that download identity information about many individuals at once and then use that information to commit crimes.

One such incident involved a group from Russia and Estonia that, with the help of an insider, broke into a server at RBSWorldPay, an Atlantabased card-processing company. Taking information on customer accounts 14 FEDERAL TRADE COMMISSION, 2006 IDENTITY THEFT SURVEY REPORT 4 (2007), available at htt:/x/www.ftc.ov/os/2007/1 /SynovateFinalRep)ortJDTheft2006df.


PHISHING ATTACKS 4 (2004), available at http://wwxwwindowsecurity corn/ularticle/ rivacy/NISR-WP-Phishino )df.

16Christopher Abad, The Economy of Phishing:A Suney of the Operations of the PhishingMarket, 10 FIRST MONDAY, no. 9, Sept. 2005, available at htb//firstmondavorv/hthin /ciwran /hin /ois /index nhn /fm /Article /view/1979/1 19 2011 / UntanglingAttribution the card numbers and associated PINs and decrypting the protected information - the thieves created counterfeit debit cards, raised withdrawal limits on these accounts, and hired people for the day who withdrew 9 million dollars from 21,000 ATMs in 49 cities.17 Another attack involved Heartland Payment Services, a major processor of credit-card and debitcard transactions. Heartland's systems were penetrated, and unencrypted data in transit between merchant point-of-sale devices and Heartland was sniffed (that is, read by the unauthorized software that had penetrated the network). The data collected included account numbers, expiration dates, and sometimes the account holder's name;' 8 allegedly over 130 million accounts were compromised.19 The fact that internal bank and credit-card account records can now be accessed over the network has made theft of such records much easier.

The pattern such as was employed in the RBSWorldPay case, in which a single insider transferred sensitive personal data to accomplices overseas, appears to be increasing in frequency.20

C. Data Exfiltration and Espionage

Foreign military and industrial espionage have long been problems for the United States. Prior to the ubiquitous use of the network in modern enterprises, such espionage required people-in-place to make contacts at target facilities, receive the stolen information, etc. Moles needed to be in place for years before they had access to desired information. Such an enterprise was an expensive and time-consuming proposition. For example, in order to acquire Western technical expertise, hundreds of Soviet case officers were involved in Soviet-U.S. collaborative working groups in Press Release, U.S. Dep't of Justice, Office of Public Affairs, Alleged International Hacking Ring Caught in $9 Million Fraud (Nov. 10, 2009), available at htt://wwwjustice.gov/opa/)r/2009/November/09-crm-1212.html.

18 Kevin Poulsen, Card Processor Admits to Laige Data Breach.,WIRED Jan. 20, 2009, 12:40 PM), htt://wvv.wired.com/threatlevel/2009/01/card-l)rocessor.

19)Press Release, U.S. Dep't of Justice, Office of Public Affairs., Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks (Aug. 17, 2009), available at htt:/x/www.iustice.gov/o a/ r/2009/Auoust/09-crm-810.html.

for 20Dan Schutzer, Research Challenges FightingInsider Threat in the FinancialServices Industry, in INSIDLR ATTACK AND CYBER SECURITY: BLYOND THL HACKLR 215 (Salvatore J. Stolfo et al. eds., 2008).

HarvardNationalSecurity Journal/ Vol. 2 agriculture, civil aviation, nuclear energy, oceanography, computers, and the environment.2 1 The Internet has greatly simplified this process. Information that was once clearly inside a large enterprise may now be relatively easily accessible to people on the outside. Instead of all the work devoted to developing people-in-place, competitors, whether corporate or foreign governments, have discovered that the theft of secrets can be done over the network.

Developing contacts, planting moles, and touring U.S. factories and development sites are efforts much less needed than once they were.

The first public reports of massive network-based data exfiltration surfaced in 2005. Time magazine reported a 2004 exploit in which U.S.

military computers at four sites - Fort Huachuca, Arizona, Arlington, Virginia, San Diego, California, and Huntsville, Alabama - were, in a matter of six-and-a-half hours, scanned, and large numbers of sensitive files were taken. These materials were then apparently shipped to Taiwan, South Korea, and Hong Kong, and from there, to mainland China.22 Since then numerous reports have surfaced of similar cyberexploitations, with the attempted intrusion method growing increasingly sophisticated over time.2 3 The highly publicized intrusion into Google in 2009-2010 apparently followed this pattern.2 4 Attacks of this sort are stealthy and often of small scale. Frequently they are individually tailored. Their preparation may involve taking over insecure intermediate machines, but only in small quantities, and perhaps only those highly suited to the task. These machines are used to transit the stolen information and hide its ultimate destination. The first step in the theft is to carefully scope out the target, learning where the files of interest Matthew French, Tech Sabotage Dining the Cold War, FLDLRAL COMPUTLR WLLK, Apr. 26, 2004, httj://fcw.com/articles /2004/04/26/tech-sabota e-durin -the-cold-war.asex.

22 Nathan Thornburgh, The Invasion of the Chinese Cyberspies, TIME, Aug.

29, 2005, http://www.time.com/time/magazine/article/0,9171,1098961,00.html,



EXPLOITATION (2009), available at htt://wwxwuscc.oov/research a ers/2009/Northro Grumman PRC Cyber Paper FIN AL Approved%20Report 160ct2009.pxdf.

24 SeeJohn Markoff & David Barboza., Inquiry Is Said to Link Attack on Google to Chinese Schools, N.Y TIMES, Feb. 19, 2010, http://queri.nytimes.com/gst/fullpage.htmlres=9505E7DA 730F93AA25751COA9669D 2011 / UntanglingAttribution are, and then, once target material has been located, to quickly pack and exfiltrate them, often in a matter of hours. The downloading may involve intermediate machines - "dead drops" - perhaps in South Korea, Taiwan, or Hong Kong, before the files are downloaded to their final destination (perhaps southern China). The multi-stage nature of the attack helps confound definitive knowledge of the ultimate destination of the files.

Pages:     | 1 || 3 | 4 |   ...   | 6 |

Similar works:

«A Linguistically and Educationally Oriented Theory of Learning Based on Situated Meaning James Paul Gee Mary Lou Fulton Presidential Professor Regents’ Professor Arizona State University james.gee@asu.edu INTRODUCTION In this paper I lay out a linguistically-oriented theory of learning. The theory is based on the concept of “situated meaning” (Gee 2004, 2014a, 2015a), a linguistic notion that is related to the concept of embodied cognition or situated cognition in psychology (the two...»

«Supporting Collaborative Task Management in Email Steve Whittaker Sheffield University RUNNING HEAD: SUPPORTING COLLABORATIVE TASK MANAGEMENT Corresponding Author’s Contact Information: Department of Information Studies University of Sheffield 211 Portobello St Sheffield, S1 4DP, UK Tel: +44 114 222 6340 Email: s.whittaker@shef.ac.uk Brief Author’s Biography: Steve Whittaker is a Cognitive Psychologist with interests in the application of cognitive science principles and methods to the...»

«Home insurance terms and conditions We want our Home Insurance to be of benefit to you and give you peace of mind in unexpected turn of events. Home insurance terms and conditions No. MA 0311 Approved by Resolution of the Board of Swedbank P&C Insurance AS In force from 1 March 2010 Together with Real Estate Insurance, you can select Home Contents Insurance and/or homeowner’s Liability Insurance. The selected insurance products are shown on the Insurance Policy. Please carefully read the Home...»

«NEWSLETTER SPRING 2012 ISSUE 11 Editor: STATE OF THE DEPARTMENT J. D. Ball, Ph.D., ABPP I am delighted to report that our Department was selected to be highlighted at the 2012 Annual Meeting of Associate Editor: the American Psychiatric Association; an ―around-the-clock‖ video presentation of our Department will be shown in all viewing areas of Philadelphia’s large Convention Center and in the private hotel rooms of all David E. Elkins, M.S. registered attendees via their televisions. I...»

«Enlarging the Outlook on Liberal Education and the Educated Person Paper Presented at the Annual Conference of the American Educational Studies Association, St Louis, November 2-6, 2011 By D.G. Mulcahy Central Connecticut State University Mulcahy@ccsu.edu. INTRODUCTION For centuries the interrelated ideals of a liberal education and the educated person have influenced the content and what is nowadays referred to as the delivery of education in schools and colleges. In fact, the expected...»

«Chapter 2 What Drove Her to Do It? Theories of Depression and Suicide Like many versions of La Llorona, there are different explanations for what leads a young woman to choose to end her life. It is for this reason that we turn now to theoretical perspectives on depression and suicide in order to consider the primary factors that may contribute to Latina adolescents’ high rates of depression and suicide attempts. We will focus on those psychosocial theories that seem to provide the most...»

«‘Has multiculturalism failed?’ The importance of lay knowledge and everyday practice Caroline Howarth1 & Eleni Andreouli2 Abstract Multiculturalism has been a heavily debated term within Western political discourse and academic discussions. In the British political sphere, multiculturalism is increasingly seen as a failed project that encourages inter-group segregation. By contrast, academic discussions have focused on the institutional frameworks to be employed in order to advance cultural...»

«Oracle® Cloud Using Oracle Process Cloud Service E68292-05 July 2016 Documentation for Oracle Process Cloud Service that describes how developers create process applications in Composer, how administrators monitor process instances and assign user roles in Workspace, and how end users work on application tasks in Workspace from a browser or the mobile app. Oracle Cloud Using Oracle Process Cloud Service, E68292-05 Copyright © 2015, 2016, Oracle and/or its affiliates. All rights reserved....»

«Contradictory transformations: observations on the intellectual dynamics of South African universities Professor Helena Sheehan Dublin City University, Dublin 9 Ireland Journal for Critical Education Policy Studies, vol.7. no.1 ABSTRACT What sort of expectations of transformation of higher education have been aroused by liberation movements? Has the new South Africa fulfilled such expectations? This paper explores the promises and processes that have enveloped South African universities in...»

«Oracle® Customers Online Implementation Guide Release 12.1 Part No. E13573-04 August 2010 Oracle Customers Online Implementation Guide, Release 12.1 Part No. E13573-04 Copyright © 2002, 2010, Oracle and/or its affiliates. All rights reserved. Primary Author:     Ashita Mathur Contributor:     Ajai Singh, Amy Wu, Anish Stephen, Avinash Jha, Harikrishnan Radhakrishnan, Leela Krishna, Nishant Singhai, Ramanasudhir Gokavarapu, Shankar Bharadwaj Oracle is a registered trademark of Oracle...»

«The TIP Book Internship descriptions and advice provided by Tufts students for Tufts students Welcome to the fourth edition of the TIP Book! The Tufts Career Center is excited to provide you with internship profiles packed with helpful advice from your classmates. This book is arranged in alphabetical order by name of organization. At the end of this book, you will also find a breakdown by industry.As you review the internship profiles, keep the following in mind: · A successful internship...»

«Meaning in context 0 Meaning in Context: Metacognitive Experiences Norbert Schwarz University of Michigan Sep 2008 The reference for this paper is: Schwarz, N. (2010). Meaning in context: Metacognitive experiences. In B. Mesquita, L. F. Barrett, & E. R. Smith (eds.), The mind in context (pp. 105 -125). New York: Guilford Address correspondence to Norbert Schwarz, Institute for Social Research, University of Michigan, Ann Arbor, MI 41806-1248; nschwarz@umich.edu Meaning in context 1 As...»

<<  HOME   |    CONTACTS
2016 www.theses.xlibx.info - Theses, dissertations, documentation

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.