
Untangling Attribution
David D. Clark and Susan Landau

[Page 2]

Distributed denial of service (DDoS) attacks, in which a large number of machines from all over the Internet attack a site or a small set of sites, have the goal of disrupting service by overloading a server or a link.

They have a unique character: visible and intrusive. DDoS attacks are designed to be detected. The attack is done by first penetrating and subverting a large stock of attack machines, forming them into what is called a "bot-net." A DDoS attack is thus a multi-step activity, first building the bot-net, then instructing the subverted machines to launch some sort of simultaneous attack on the target system. This step of the attack may be the sending of floods of packets or just overloading the server with apparently legitimate requests.

Before the attack, it may be possible to take active steps to reduce its potency. There are at least two approaches to degrading the attack's strength: making it harder to penetrate and keep control of a machine, and identifying machines that are apparently infected so that they can be isolated if they participate in an attack. Machines that are seen as likely ultimate targets for DDoS attack can also prepare themselves by replicating their content on distributed servers, so that an attack must diffuse itself across multiple machines.8 During an attack, the relevant mitigation techniques involve turning off traffic from attacking hosts or discarding the traffic before it reaches the point of overload. This response requires knowing the identity of the attacking machines in order to identify the traffic. Note that it is not necessary to know all of the machines, just enough to reduce the attack to manageable proportions. And depending on what steps are taken to block traffic from the attacking machines, there may be minimal harm from the occasional misidentification of an attacker.9

After the fact, DDoS attacks represent a challenge for the objective of retribution. The attacker (the so-called bot-master, or the client who has rented the bot-net from the bot-master) has usually taken care to be several degrees removed from the machines doing the actual attack. Tracing back through the attacking machines to find the responsible attacker may involve crossing jurisdictional boundaries, which adds complexity and delay. If the actual attack involved falsified source addresses, such trace-back may be very difficult or even impossible. However, the range of attacks that can be executed without a two-way exchange of packets is very limited, and for many attacks today the source address is not forged.10 Because of these factors, there is a question as to whether after-the-fact retribution is a useful part of dealing with bot-net-based DDoS attacks.

8 For example, a content provider might choose to outsource the hosting of its content to a Content Delivery Network (CDN). A leading provider of CDN service, Akamai, specifically claims that its infrastructure is massive enough that DDoS attacks will be ineffective against [...] APPLICATIONS 6–7 (2010).

9 For example, if the mitigation technique involved blocking traffic coming from a source for a few minutes, then if an innocent machine were misidentified as part of the attack, the only consequence would be that the user of that machine could not reach the web site for that short time. That sort of failure can occur for many reasons and might well be the outcome that the user perceived in any case while the target machine was under attack.

2011 / Untangling Attribution
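The mitigation described above (block enough of the attacking hosts, and only briefly, to bring the load down to what the target can carry) and the caveat in footnote 10 about spoofed-source DNS reflection, as an added example. This is not code from the paper; the flow records, addresses, capacity figure, transaction ids and DNS payloads are all constructed for illustration, and the block period follows the few-minutes suggestion of footnote 9.

```python
"""Added example, not code from Clark and Landau's paper: source-based DDoS
mitigation over constructed flow records, and a victim-side check for the
spoofed-source DNS reflection case described in footnote 10."""
import struct
from collections import Counter

# Constructed flow records, not real traffic:
# (source IP, destination IP, destination port, packets per second).
# The target 203.0.113.10 is assumed to stay usable below CAPACITY_PPS.
FLOWS = [
    ("198.51.100.5", "203.0.113.10", 80, 900),
    ("198.51.100.6", "203.0.113.10", 80, 700),
    ("198.51.100.7", "203.0.113.10", 80, 600),
    ("198.51.100.8", "203.0.113.10", 80, 400),
    ("192.0.2.20", "203.0.113.10", 80, 30),    # ordinary client
    ("192.0.2.21", "203.0.113.10", 80, 20),    # ordinary client
    ("192.0.2.22", "203.0.113.10", 443, 15),   # ordinary client
]
CAPACITY_PPS = 1500
BLOCK_SECONDS = 300  # footnote 9: block a source for a few minutes, not forever


def sources_to_block(flows, capacity_pps, now=0):
    """Block the loudest sources until what is left fits under capacity.

    Returns (blocklist, residual_pps). The blocklist maps source IP to the
    time its block expires, so a misidentified innocent host loses access
    for BLOCK_SECONDS only. Not every attacking machine is named, just
    enough of them to bring the load down to manageable proportions.
    """
    rate = Counter()
    for src, _dst, _port, pps in flows:
        rate[src] += pps
    residual = sum(rate.values())
    blocklist = {}
    for src, pps in rate.most_common():
        if residual <= capacity_pps:
            break
        blocklist[src] = now + BLOCK_SECONDS
        residual -= pps
    return blocklist, residual


def is_blocked(blocklist, src, now):
    """True only while the source's temporary block is still in force."""
    expiry = blocklist.get(src)
    return expiry is not None and now < expiry


def dns_header(txid, is_response):
    """12-byte DNS header (RFC 1035 section 4.1.1); QR is the top flag bit."""
    flags = 0x8180 if is_response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if is_response else 0, 0, 0)


# Constructed: the one query this host really sent (resolver IP, transaction
# id), and the UDP payloads that then arrived on port 53 from various hosts.
SENT_QUERIES = {("192.0.2.53", 0x1234)}
INBOUND = [
    ("192.0.2.53", dns_header(0x1234, True) + b"\x00" * 40),      # our answer
    ("198.51.100.53", dns_header(0x0042, True) + b"\x00" * 500),  # reflected
    ("198.51.100.54", dns_header(0x0043, True) + b"\x00" * 500),  # reflected
    ("198.51.100.53", dns_header(0x0099, False)),                 # a query
]


def unsolicited_dns_responses(sent_queries, inbound):
    """Flag DNS responses that answer no query this host sent.

    Such packets are what a reflection attack looks like from the victim:
    the attacker forged the victim's address on queries to open resolvers,
    and the resolvers' replies carry the resolvers' addresses. Blocking
    those sources cuts off innocent resolvers; the attacker's own address
    never appears, which is why trace-back fails without the resolvers' logs.
    """
    hits = []
    for src, payload in inbound:
        if len(payload) < 12:
            continue  # not even a full header
        txid, flags = struct.unpack("!HH", payload[:4])
        if not flags & 0x8000:
            continue  # QR=0: a query, not a response
        if (src, txid) not in sent_queries:
            hits.append((src, txid, len(payload)))
    return hits
```

With these constructed flows the target is over capacity by roughly 1,100 packets per second, and blocking just the two loudest of the four attacking sources is enough; the other two never need to be identified. The reflection check shows the other side of the coin: the two unsolicited responses name resolvers, not the attacker, so a blocklist built from source addresses would punish the wrong machines.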

Bot-nets are also used to send bulk unsolicited email (spam). From an attribution perspective, this application is different from DDoS attacks. When bot-nets are used for sending spam, the spam itself provides trace-back: because merchants have to identify themselves in order to be paid, some attribution is possible. Spammers' protection comes not from anonymity, but from jurisdictional distance or legal ambiguity.

B. Identity Theft

The term "identity theft" has received much attention in the press recently, but it is worth separating the different activities that are sometimes lumped together under a single term. The Identity Theft and Assumption Deterrence Act of 199811 criminalized identity theft, which the Federal Trade Commission describes as "someone us[ing] your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes."12 Under this definition, up to nine million Americans suffer identity theft annually.13 This broad definition encompasses everything from the theft of a single credit-card number or misuse of a single account to a full-scale impersonation of an identity (involving the establishment of new credit accounts or identity documents in a person's name). The former constitutes the majority of identity theft. In 2006, for example, according to an FTC report, 6.5 million Americans suffered theft of their credit or account information, while 1.8 million had their identity information used to establish fraudulent accounts,14 a ratio of about three-and-a-half to one.

10 This statement does not imply that forged source addresses are never seen in current attacks. For example, some attacks are based on the use of the Domain Name System (DNS) as a vector, and those attacks are one-way and involve falsified source addresses. By sending a query to a DNS server with the source address of the machine to be attacked, the server will reply with a packet sent to that machine. See, e.g., Daniel Weseman, DNS Queries, INTERNET STORM CENTER, http://isc.sans.edu/diary.html?storyid=5713 (last visited Feb. 18, 2011).

11 Pub. L. No. 105-318, 112 Stat. 3007 (1998).

12 About Identity Theft, FEDERAL TRADE COMMISSION, http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html (last visited April 13, 2010).

13 Id.

Harvard National Security Journal / Vol. 2

Thus the nine million number somewhat overstates the number of people subjected to full impersonation. The serious case of identity theft, in which new documents are established in someone else's name, happens about two million times a year in the United States.

Identity theft is an interesting crime for a number of reasons. It is a multi-step crime: the identity in question must be stolen and then exploited. The theft can occur in many ways. It may involve infiltration of a computer and installation of spyware that captures identifiers and passwords used for application-level authentication, or the penetration of a merchant server and the theft of billing records. Such information may then be used by the original thief or sold to other criminals. Next, the identity must be exploited. If the exploit is on the Internet, this generally involves the use of the stolen credentials to mislead some sort of application-level authentication scheme, e.g., logging in as the user, which lays a false attribution trail. Perhaps as a final step, some sort of money-laundering scheme is required to convert the exploit into money that is useful to the criminal.

Early Internet-based identity theft used “phishing,” an attack in which a user is tricked into going to a web site that imitates a legitimate one (e.g., a bank) and typing in his name and password. Phishing attacks surfaced in 1996,15 and by 2005, there were reports of as many as 250,000 phishing attempts being made daily against just one financial institution.16 More lucrative than attempts at obtaining records about single individuals are efforts that download identity information about many individuals at once and then use that information to commit crimes.

One such incident involved a group from Russia and Estonia that, with the help of an insider, broke into a server at RBSWorldPay, an Atlanta-based card-processing company. Taking information on customer accounts (the card numbers and associated PINs) and decrypting the protected information, the thieves created counterfeit debit cards, raised withdrawal limits on these accounts, and hired people for the day who withdrew 9 million dollars from 21,000 ATMs in 49 cities.17 Another attack involved Heartland Payment Systems, a major processor of credit-card and debit-card transactions. Heartland's systems were penetrated, and unencrypted data in transit between merchant point-of-sale devices and Heartland was sniffed (that is, read by the unauthorized software that had penetrated the network). The data collected included account numbers, expiration dates, and sometimes the account holder's name;18 allegedly over 130 million accounts were compromised.19 The fact that internal bank and credit-card account records can now be accessed over the network has made theft of such records much easier.

14 FEDERAL TRADE COMMISSION, 2006 IDENTITY THEFT SURVEY REPORT 4 (2007), available at http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

15 [...] PHISHING ATTACKS 4 (2004), available at http://www.windowsecurity.com/uplarticle/privacy/NISR-WP-Phishing.pdf.

16 Christopher Abad, The Economy of Phishing: A Survey of the Operations of the Phishing Market, 10 FIRST MONDAY, no. 9, Sept. 2005, available at http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1272/1192.
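The Heartland case above turned on card data crossing the network in the clear, where a sniffer could read it. The following is an added example, not code from the paper or from either company, of the check an incident responder runs over a captured byte stream to confirm whether primary account numbers are present: candidate digit runs are filtered with the Luhn check so that reference and trace numbers do not count as hits, and each hit is reported by offset with the number masked. The captured message is constructed for the example and uses publicly known test card numbers; the field layout is invented and only loosely resembles a point-of-sale message.

```python
"""Added example, not from the paper: locate Luhn-valid card numbers in a
captured plaintext byte stream, the way a responder checks what a network
sniffer could have harvested from unencrypted POS-to-processor traffic."""
import re

# Constructed payload mimicking a plaintext point-of-sale message. Not real
# data: 4111111111111111 and 5500000000000004 are public test card numbers,
# the reference and trace fields are made up, and the layout is invented.
CAPTURED = (
    b"ISO8583|0200|4111111111111111|EXP=1215|AMT=004599|NAME=J DOE|"
    b"ref=1234567890123|trace=000042|5500000000000004|"
)

# A PAN is 13 to 19 digits; the look-arounds stop us matching the middle of
# a longer digit run.
CANDIDATE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check (ISO/IEC 7812): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, which is what reports may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(blob):
    """Return (offset, masked_pan) for each Luhn-valid digit run in blob.

    The offset says which field of the message carried the number, which is
    what the forensic question needs. Returning the PAN masked means the scan
    output is not itself a second copy of the card data.
    """
    hits = []
    for m in CANDIDATE.finditer(blob):
        digits = m.group(1).decode()
        if luhn_ok(digits):
            hits.append((m.start(1), mask(digits)))
    return hits
```

The 13-digit reference number in the sample fails the Luhn check and is dropped, so the two hits correspond to the two card numbers; a scan that skipped the check would report three.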

The pattern employed in the RBSWorldPay case, in which a single insider transferred sensitive personal data to accomplices overseas, appears to be increasing in frequency.20

C. Data Exfiltration and Espionage

Foreign military and industrial espionage have long been problems for the United States. Prior to the ubiquitous use of the network in modern enterprises, such espionage required people-in-place to make contacts at target facilities, receive the stolen information, and so on. Moles needed to be in place for years before they had access to desired information. Such an enterprise was an expensive and time-consuming proposition. For example, in order to acquire Western technical expertise, hundreds of Soviet case officers were involved in Soviet-U.S. collaborative working groups in agriculture, civil aviation, nuclear energy, oceanography, computers, and the environment.21 The Internet has greatly simplified this process. Information that was once clearly inside a large enterprise may now be relatively easily accessible to people on the outside. Instead of all the work devoted to developing people-in-place, competitors, whether corporate or foreign governments, have discovered that the theft of secrets can be done over the network. Developing contacts, planting moles, and touring U.S. factories and development sites are much less necessary than they once were.

17 Press Release, U.S. Dep't of Justice, Office of Public Affairs, Alleged International Hacking Ring Caught in $9 Million Fraud (Nov. 10, 2009), available at http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html.

18 Kevin Poulsen, Card Processor Admits to Large Data Breach, WIRED (Jan. 20, 2009, 12:40 PM), http://www.wired.com/threatlevel/2009/01/card-processor.

19 Press Release, U.S. Dep't of Justice, Office of Public Affairs, Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks (Aug. 17, 2009), available at http://www.justice.gov/opa/pr/2009/August/09-crm-810.html.

20 Dan Schutzer, Research Challenges for Fighting Insider Threat in the Financial Services Industry, in [...]

The first public reports of massive network-based data exfiltration surfaced in 2005. Time magazine reported a 2004 exploit in which U.S. military computers at four sites (Fort Huachuca, Arizona; Arlington, Virginia; San Diego, California; and Huntsville, Alabama) were, in a matter of six-and-a-half hours, scanned, and large numbers of sensitive files were taken. These materials were then apparently shipped to Taiwan, South Korea, and Hong Kong, and from there to mainland China.22 Since then, numerous reports have surfaced of similar cyberexploitations, with the intrusion methods growing increasingly sophisticated over time.23 The highly publicized intrusion into Google in 2009-2010 apparently followed this pattern.24

Attacks of this sort are stealthy and often of small scale. Frequently they are individually tailored. Their preparation may involve taking over insecure intermediate machines, but only in small quantities, and perhaps only those highly suited to the task. These machines are used to transit the stolen information and hide its ultimate destination. The first step in the theft is to carefully scope out the target, learning where the files of interest are, and then, once target material has been located, to quickly pack and exfiltrate them, often in a matter of hours. The downloading may involve intermediate machines ("dead drops"), perhaps in South Korea, Taiwan, or Hong Kong, before the files are downloaded to their final destination (perhaps southern China). The multi-stage nature of the attack helps confound definitive knowledge of the ultimate destination of the files.

21 Matthew French, Tech Sabotage During the Cold War, FEDERAL COMPUTER WEEK, Apr. 26, 2004, http://fcw.com/articles/2004/04/26/tech-sabotage-during-the-cold-war.aspx.

22 Nathan Thornburgh, The Invasion of the Chinese Cyberspies, TIME, Aug. 29, 2005, http://www.time.com/time/magazine/article/0,9171,1098961,00.html.

23 [...] EXPLOITATION (2009), available at http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf.

24 See John Markoff & David Barboza, Inquiry Is Said to Link Attack on Google to Chinese Schools, N.Y. TIMES, Feb. 19, 2010, http://query.nytimes.com/gst/fullpage.html?res=9505E7DA1730F93AA25751C0A9669D8B63.
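The pattern just described, files located and then packed and shipped to one outside address within hours, is what a network defender looks for in flow records, and it is visible even when the outside address is only a dead drop. The following is an added example, not from the paper: it takes constructed outbound flow summaries and a constructed per-host baseline and flags any (internal host, external destination) pair whose byte count inside a six-and-a-half-hour window is an order of magnitude above that host's normal. The hosts, addresses, byte counts and baseline are invented; only the window length is taken from the time span Time reported.

```python
"""Added example, not from the paper: flag a burst of outbound volume from one
internal host to one outside address, the exfiltration signature the text
describes, over constructed flow records."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    """Parse the constructed records' 'YYYY-MM-DD HH:MM' timestamps."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed outbound flow summaries, not real data:
# (timestamp, internal host, external destination, bytes sent out).
FLOWS = [
    (parse_ts("2004-11-01 01:05"), "10.1.4.17", "203.0.113.77", 2_000_000),
    (parse_ts("2004-11-01 02:40"), "10.1.4.17", "203.0.113.77", 900_000_000),
    (parse_ts("2004-11-01 04:10"), "10.1.4.17", "203.0.113.77", 1_300_000_000),
    (parse_ts("2004-11-01 06:55"), "10.1.4.17", "203.0.113.77", 700_000_000),
    (parse_ts("2004-11-01 09:00"), "10.1.4.17", "198.51.100.9", 40_000_000),  # backup
    (parse_ts("2004-11-01 10:30"), "10.1.4.18", "198.51.100.9", 45_000_000),  # backup
    (parse_ts("2004-11-01 11:00"), "10.1.4.18", "192.0.2.200", 5_000_000),
]
# Constructed per-host baseline: the most bytes each host normally sends to
# any single outside address within one window (assumed learned from the
# previous month of flows).
BASELINE = {"10.1.4.17": 60_000_000, "10.1.4.18": 60_000_000}
WINDOW = timedelta(hours=6, minutes=30)  # the span Time reported for the 2004 case


def peak_window(flows, window):
    """Largest byte total any (host, dest) pair sends inside one window.

    Returns {(host, dest): (bytes, window_start)} via a two-pointer sweep
    over each pair's time-sorted records.
    """
    per_pair = defaultdict(list)
    for ts, host, dest, nbytes in flows:
        per_pair[(host, dest)].append((ts, nbytes))
    peaks = {}
    for pair, recs in per_pair.items():
        recs.sort()
        best, best_start, total, lo = 0, recs[0][0], 0, 0
        for ts, nbytes in recs:
            total += nbytes
            while ts - recs[lo][0] > window:   # slide the left edge forward
                total -= recs[lo][1]
                lo += 1
            if total > best:
                best, best_start = total, recs[lo][0]
        peaks[pair] = (best, best_start)
    return peaks


def exfiltration_alerts(flows, baseline, window=WINDOW, factor=10):
    """Alert on pairs whose peak-window bytes reach factor x the host baseline.

    Hosts with no baseline are skipped here; in practice they would get a
    fleet-wide default rather than silence.
    """
    alerts = []
    for (host, dest), (nbytes, start) in peak_window(flows, window).items():
        if host in baseline and nbytes >= factor * baseline[host]:
            alerts.append({"host": host, "dest": dest, "bytes": nbytes,
                           "window_start": start.isoformat(timespec="minutes")})
    return alerts
```

On the constructed data the single alert names 10.1.4.17 and 203.0.113.77, some 2.9 GB inside the window against a 60 MB norm; the nightly backups stay under the threshold. Note that the destination the detector names is whatever first hop the files went to, which for the multi-stage attacks described above is a dead drop rather than the final recipient.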
