SPEAR PHISHING SCAM I



Denial of Service




 

CERT describes Denial of Service this way: "A 'denial-of-service' attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:[1]

-  attempts to "flood" a network, thereby preventing legitimate network traffic
-  attempts to disrupt connections between two machines, thereby preventing access to a service
-  attempts to prevent a particular individual from accessing a service
-  attempts to disrupt service to a specific system or person"

Or, as we say in information warfare, a denial-of-service attack is an effort to make your opponents' information resources less valuable to them. Of confidentiality, integrity, and availability, this is primarily an availability attack. According to Wikipedia, "A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:

1. consumption of computational resources, such as bandwidth, disk space, or CPU time;
2. disruption of configuration information, such as routing information;
3. disruption of physical network components."[2]

Three basic types is close, but not quite complete, so let's add a fourth:

4. injecting an unexpected value the host computer or network device is not capable of parsing



Consumption of resources



In terms of flooding the network, the authority is a guy named Dave Dittrich. He has a web site[3] with tons of documentation on the growing capabilities of attack tools, especially in the early days. Today, network Distributed Denial of Service is done with bots under the control of a bot herder, and there are three major modes of control:


Centralized



Centralized Command and Control relies on a single host, often a bot itself, to provide command of all of the bots. In large botnets, a pyramid-like model may be used where a single bot herder system may pass communications to several agent systems that, in turn, each have thousands of bots connecting to them. The bots can point to multiple servers for redundancy and improved survivability. Centralized was used by the first botnets and has matured over the years. It is still the most commonly implemented model. Advantages of the centralized model are that it is easy to implement, scales to support large botnets (seen as large as 1.5 million systems with the Toxbot trojan botnet and, unofficially, reported to have been significantly larger than this number), and allows for low latency communication between the bot herder and his botnet. The main disadvantage is that, by being in one place, it is more vulnerable to being taken down. Removing the command and control system removes the botnet. Because of the significant advantages of scalability, maturity of the technology, and low latency (bot herders can push out commands to their botnets relatively quickly), centralized is by far the preferred and most widely employed model, and the one model that currently supports large botnets.


Peer2Peer



Peer2Peer Command and Control distributes functionality within the botnet itself, not relying on a single system for administration duties. Advantages of the P2P model are that there is no single host that can be removed to bring down C&C, and that detection may be more difficult since there isn't a single destination in communications. Disadvantages include scalability, since only small quantities of zombies can currently be utilized in a group, and there is no way currently to ensure message delivery or low latency communications. The botnets created by the SpamThru Trojan contain a professional quality P2P command and control, but it currently only scales to about 2,000 zombies. While improvements over time may make P2P more viable in the future, right now it isn't capable of supporting large botnets.


Distributed/Random



In the distributed or random model, infected hosts never attempt to contact the command and control. Instead, they sit and wait for communication from the bot herder. To find active bots, the bot herder must scan large blocks of the Internet. This model has not yet been observed in the wild. Advantages include being nearly impossible to detect and take down, as you won't observe infected machines initiating communication in the rallying process; they must wait until they are contacted and instructed by the bot herder. Disadvantages include latency and scalability. It is very slow and time consuming to scan for, find, and send messages to individual bots. Another disadvantage is the inability to contact successfully infected bots behind NAT routers and firewalls. Because of these disadvantages, botnets based on distributed/random command and control cannot become large botnets.


NOTE: for further information on bot command and control, read the excellent paper, Managing Large Botnets,[4] by Kevin Bong and John Brozycki, from which the section above is taken.
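The trade-off the three models describe can be seen directly in flow data. The following is an added example, not code from the SANS text or from the Bong and Brozycki paper: it counts, per destination, how many distinct internal hosts contact it. In the centralized model every bot rallies to the same place, so one destination shows a large fan-in, and that is both the detection signal and the single point a block or takedown can sever; a peer-to-peer mesh leaves no destination with high fan-in, which is why the text says it is harder to detect. The flow records, the IRC-style port and the threshold are constructed for illustration.

```python
"""Fan-in detector for centralized command-and-control rallying.

Added example; it is not from the SANS text or the Bong/Brozycki paper.
The flow records, port numbers and the `min_sources` threshold are
constructed/assumed for illustration."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, int]   # (src_ip, dst_ip, dst_port, bytes)

# Constructed sample: ten internal hosts all rally to one external host on an
# IRC-style port, mixed with ordinary web traffic to assorted destinations.
CENTRALIZED_FLOWS: List[Flow] = (
    [(f"10.0.0.{i}", "203.0.113.7", 6667, 300) for i in range(1, 11)]
    + [("10.0.0.1", "198.51.100.20", 443, 8000),
       ("10.0.0.2", "198.51.100.21", 443, 6000),
       ("10.0.0.3", "198.51.100.22", 443, 7000),
       ("10.0.0.4", "203.0.113.7", 6667, 300)]    # repeat beacon, same source
)

# Constructed sample: the same ten hosts exchanging traffic only with two
# neighbours each (a P2P mesh); no destination is contacted by many hosts.
P2P_FLOWS: List[Flow] = [
    (f"10.0.0.{i}", f"10.0.0.{(i % 10) + 1}", 5555, 200) for i in range(1, 11)
] + [
    (f"10.0.0.{i}", f"10.0.0.{((i + 1) % 10) + 1}", 5555, 200) for i in range(1, 11)
]

def fan_in(flows: List[Flow]) -> Dict[Tuple[str, int], Set[str]]:
    """Map each (dst_ip, dst_port) to the set of distinct sources that hit it."""
    dests: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for src, dst, dport, _ in flows:
        dests[(dst, dport)].add(src)
    return dests

def rally_points(flows: List[Flow], min_sources: int = 5) -> List[Tuple[str, int, int]]:
    """Destinations contacted by at least `min_sources` distinct hosts, highest
    fan-in first. One such destination is the signature of centralized C&C and
    the one place where a block or takedown severs the whole botnet."""
    return sorted(
        ((dst, dport, len(srcs)) for (dst, dport), srcs in fan_in(flows).items()
         if len(srcs) >= min_sources),
        key=lambda r: -r[2])

def max_fan_in(flows: List[Flow]) -> int:
    """Largest number of distinct sources any destination sees; low for a mesh."""
    return max((len(s) for s in fan_in(flows).values()), default=0)

if __name__ == "__main__":
    print("centralized:", rally_points(CENTRALIZED_FLOWS))   # one rally point, 10 sources
    print("p2p:", rally_points(P2P_FLOWS), "max fan-in", max_fan_in(P2P_FLOWS))
```

On the centralized sample the detector returns a single rally point with ten sources; on the mesh sample it returns nothing and the largest fan-in is two, so a detector of this kind needs other features (periodicity, port reuse, peer churn) to catch a P2P botnet.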


Not all resource exhaustion attacks require bombing a system with packets. "A fork bomb process 'explodes' by recursively spawning copies using the system call fork as already suggested by its name. Eventually it saturates all the process table entries and effectively degrades the system. Saturating the process table makes sure that no new process will be started until some of them kill (or at least one kills itself) themselves. Even if that happens, it is not likely that a useful program may be started since the instances of the bomb program are each waiting to take that slot themselves."[5]
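The standard defence against the process-table saturation the quote describes is a per-user process limit, so that a runaway fork loop is refused by the kernel rather than starving everyone else. The block below is an added example, not from the SANS text or the quoted OSWeekly article: it sets the soft RLIMIT_NPROC, then forks a handful of short-lived children and counts how many the kernel refuses with EAGAIN. The cap value is an assumption, it is Linux/Unix only, and the limit is not enforced for root, so in practice the cap must apply to the account a runaway program actually runs under (typically via the `nproc` entry in limits.conf).

```python
"""Containing a fork bomb with a per-user process limit (RLIMIT_NPROC).

Added example, not from the SANS text or the quoted OSWeekly article.
Linux/Unix only; the cap value is an assumption."""
import contextlib
import errno
import os
import resource

@contextlib.contextmanager
def process_cap(max_procs: int):
    """Temporarily set the soft RLIMIT_NPROC (never above the hard limit) and
    yield the soft value in force; the original limits are restored on exit.
    In production the same cap is set once, e.g. via limits.conf 'nproc'."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    new_soft = max_procs if hard == resource.RLIM_INFINITY else min(max_procs, hard)
    resource.setrlimit(resource.RLIMIT_NPROC, (new_soft, hard))
    try:
        yield new_soft
    finally:
        resource.setrlimit(resource.RLIMIT_NPROC, (soft, hard))

def spawn_bounded(attempts: int):
    """Fork up to `attempts` children that exit immediately and are reaped.
    Returns (forked, refused): a refusal is the kernel's EAGAIN, i.e. the
    limit stopping the growth a fork bomb relies on."""
    forked = refused = 0
    children = []
    for _ in range(attempts):
        try:
            pid = os.fork()
        except OSError as exc:
            if exc.errno == errno.EAGAIN:   # process limit reached
                refused += 1
                continue
            raise
        if pid == 0:
            os._exit(0)                     # child: do nothing, leave at once
        children.append(pid)
        forked += 1
    for pid in children:                    # reap so no zombies hold table slots
        os.waitpid(pid, 0)
    return forked, refused

if __name__ == "__main__":
    with process_cap(4096) as cap:
        print("soft RLIMIT_NPROC:", cap)
        print("forked, refused:", spawn_bounded(8))
```

With a generous cap every child is forked; lower the cap below the user's current process count and every attempt is refused, which is exactly the behaviour that keeps a fork bomb from taking the whole host down.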


Disruption of configuration information



This happens every time you ground out your boot ROM to reset it to its default configuration because you forgot the password. But other examples include hacking Linksys wireless boxes: "The WRT54G is notable for being the first consumer-level network device that had its firmware source code released to satisfy the obligations of the GNU GPL. This allows programmers to modify the firmware to change or add functionality to the device."[6]


It could also happen intentionally, for instance by feeding a network router configuration information that made a system with no connection to the Internet the most attractive link to use to get to the Internet. That would disrupt service for a while: no one would be able to get to the Internet until the correct configuration was sent to the routers. Of course, this can be used for good as well; some network and security engineers are experimenting with so-called black hole routing so that malicious traffic can be sent "into a black hole." It remains to be seen if such an idea can ever be production ready.


Physical destruction/disruption



The most famous example of a DoS caused by physical disruption is a backhoe event. We have lived through over 12. Despite all the warnings and the fines, backhoe operators end up digging up fiber-optic cables and disrupting networks. Cars crash into utility poles and knock them down. We do not seem to be able to operate without the physical layer.


Injecting an unexpected value that the host computer or network device is not capable of parsing

A LAND attack was a denial of service attack with the network signature shown below:

192.168.1.1:80 -> 192.168.1.1:80


When hosts received this spoofed packet, from themselves to themselves and from port 80 to port 80, many of them would die. Simply put, they could not properly parse this packet. The original blue screen of death, or WinNuke, exploited earlier Windows machines (because they did not handle the URG flag properly) by sending a string of out-of-band data to TCP port 139 on the victim's machines. The Windows system was unable to parse it properly and died.
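Both of these are pure signature matches, which is why they are easy to catch at the perimeter or in an intrusion detection system. The block below is an added example, not code from the SANS text: it parses the page's `a.b.c.d:port -> a.b.c.d:port` notation and flags a packet whose source socket equals its destination socket (LAND) or that carries the URG flag toward TCP port 139 (WinNuke-style out-of-band data). The packet records and their layout are constructed for illustration; a NIDS would express the same two checks as rules.

```python
"""Signature checks for the LAND and WinNuke (URG to port 139) patterns.

Added example, not from the SANS text. The packet records are constructed
and the record layout is an assumption."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]    # e.g. {"SYN"}, {"URG", "PSH", "ACK"}

def parse_signature(line: str, flags=frozenset()) -> TcpPacket:
    """Parse the page's 'a.b.c.d:port -> a.b.c.d:port' notation into a record."""
    left, right = (s.strip() for s in line.split("->"))
    src, sport = left.rsplit(":", 1)
    dst, dport = right.rsplit(":", 1)
    return TcpPacket(src, int(sport), dst, int(dport), frozenset(flags))

def is_land(p: TcpPacket) -> bool:
    """A segment claiming to come from exactly the socket it is addressed to.
    No legitimate connection produces this, so it is always spoofed."""
    return p.src == p.dst and p.sport == p.dport

def is_winnuke(p: TcpPacket) -> bool:
    """Urgent (out-of-band) data directed at the NetBIOS session service."""
    return p.dport == 139 and "URG" in p.flags

def classify(packets: List[TcpPacket]) -> List[Tuple[int, str]]:
    """(index, verdict) for every packet matching one of the signatures."""
    hits = []
    for i, p in enumerate(packets):
        if is_land(p):
            hits.append((i, "LAND"))
        elif is_winnuke(p):
            hits.append((i, "WINNUKE-OOB"))
    return hits

# Constructed sample traffic towards a host 192.168.1.1.
SAMPLE: List[TcpPacket] = [
    parse_signature("192.168.1.1:80 -> 192.168.1.1:80", {"SYN"}),            # LAND
    TcpPacket("10.0.0.5", 40000, "192.168.1.1", 139, frozenset({"URG", "PSH", "ACK"})),  # OOB to 139
    TcpPacket("10.0.0.5", 40001, "192.168.1.1", 80, frozenset({"SYN"})),     # ordinary web request
    TcpPacket("10.0.0.5", 40002, "192.168.1.1", 139, frozenset({"PSH", "ACK"})),  # normal NetBIOS, no URG
    TcpPacket("192.168.1.1", 80, "192.168.1.1", 443, frozenset({"ACK"})),    # same host but different ports: not the LAND signature
]

if __name__ == "__main__":
    for idx, verdict in classify(SAMPLE):
        p = SAMPLE[idx]
        print(f"{verdict}: {p.src}:{p.sport} -> {p.dst}:{p.dport} flags={sorted(p.flags)}")
```

The last sample record shows the boundary of the page's signature: the same address on both ends with different ports is not LAND as defined here, although an ingress filter would normally drop any packet arriving from outside with an internal source address regardless.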


Perhaps the most interesting was the Intel f0 or f00f bug; on older Pentiums if you held down the alt key and used the numeric keypad to type in 240 and then released the alt key, the computer would freeze instantly.[7] A great way to get your spouse's attention when he/she is paying more attention to their email than you.


The advanced SANS[8] courses and GIAC certifications[9] that are most concerned with Denial of Service are:


Intrusion Detection In-Depth[10] which prepares you for the GCIA[11] where you learn many attack patterns and what they look like on the network


Perimeter Protection In-Depth[12] which prepares you for the GCFW[13] where you learn to build a series of perimeters to manage this traffic


Hacker Techniques, Exploits and Incident Handling[14] which prepares you for the GCIH[15] where you learn about the software used to create these attacks and the incident response measures you can take if they are used against your organization.


1. http://www.cert.org/tech_tips/denial_of_service.html
2. http://en.wikipedia.org/wiki/Denial_of_service
3. http://staff.washington.edu/dittrich/misc/ddos/
4. http://www.sans.edu/resources/student_projects/200704_001.doc
5. http://www.osweekly.com/index.php?option=com_content&task=view&id=2228&Itemid=0&limit=1&limitstart=1
6. http://en.wikipedia.org/wiki/WRT54G
7. http://linuxmafia.com/faq/Hardware/f00f-bug.html
8. http://www.sans.org/
9. http://www.giac.org/
10. http://www.sans.org/training/description.php?tid=242
11. http://www.giac.org/certifications/security/gcia.php
12. http://www.sans.org/training/description.php?tid=422
13. http://www.giac.org/certifications/security/gcfw.php
14. http://www.sans.org/training/description.php?tid=243
15. http://www.giac.org/certifications/security/gcih.php



Are Satellites Vulnerable to Hackers?



Strictly speaking, having someone attack your satellite would fall under denial of service[1] for most such attacks; however, it could be so damaging that we want to focus on these particular attacks in this paper.


Ministry of Defence Satellite



In 1999, the Telegraph carried the following story, "A group of computer hackers suspected of seizing control of a British military communications satellite using a home computer, triggering a "frenetic" security alert, has been traced to the south of England.


A security source said that, up to a month ago, the hackers found a "cute way" into the control system for one of the Ministry of Defence's Skynet satellites and "changed the characteristics of channels used to convey military communications, satellite television and telephone calls".[2] We were unable to find an additional source for this story, so it may not be valid, but this UK Government document does explain more about the UK space network.[3]


The MoD story certainly gets your attention. However, the question a wise security manager asks is, can it be done, outside of a James Bond or Mission Impossible scenario? Is it possible to hack a satellite? If you mean use the satellite for your own signals, the answer is most certainly, yes. "Simply put, satellites are relay stations suspended 36,000 km (22,000 miles) up above the equator. At this altitude, satellites appear to be fixed in relation to earth, therefore the name geostationary satellites."[4] They use their fuel to maintain their position and so fuel is the primary determinant in the lifespan of a satellite.


"Here's how it is possible to ride over a satellite with an unauthorized uplink:

-  An uplink earth station transmits the desired signal to satellite.
-  The satellite receives and processes the incoming signal by changing the frequency and amplifying it.
-  The satellite transmits the signal back to earth, typically covering large geographical areas.
-  Earth station(s) on earth receive the signal."[5]

So in this sense, this is "just radio signals being repeated." Ever see the 1980 movie Used Cars? They use a microwave transmitter to take over the feed of a TV station--use a slightly different frequency and be closer to the receiver, and it's easy to do. Not much harder to steal satellite space: find an appropriate transmitter, upconverter and a few other things, and a satellite dish (and, know a bit about it.) (Lots of used satellite uplink equipment is out there.)


A communications satellite is simply a radio repeater. Most have 12 or 24 different "transponders" that use a certain frequency block. For C band, the earth station uplink operates in the 6 GHz range. The satellite receives the signal, changes it to a 4 GHz frequency, and sends it back to earth. Most satellites don't care what is modulated on the carrier. They just translate it and send it back out. (They could be designed to require security on the carrier for the satellite to repeat it, but I don't think many have been built with that. Most of the interest has been in encoding the video/audio/data itself to prevent unauthorized far-end decoding.)


Each transponder has a certain amount of bandwidth and power. Either one is the limit that can't be exceeded. In the early days, one entire transponder was used for one analog TV signal. Although, even then, Alaska used a bit of left over space to put up public radio audio-only signals.


Today, with most video and MPEG of one flavor or another you can get good quality using only part of a transponder, so you can have multiple signals--either multiplexed together onto one carrier (most efficient), or coming up on separate carriers. In that case, the center frequency of each carrier and its power level is chosen so as to not exceed available bandwidth and power for a transponder. (You also have to worry about intermodulation between carriers creating interfering carriers that also use up power.) The National Telecommunications University was one of the first to use multiple digitally encoded video signals on different carriers all on one transponder. When they first tried it, they had the carriers all nicely spaced out--and it didn't work.


If a transponder isn't "full" and has unused bandwidth and power, a person could easily identify an "empty" place on the transponder using a spectrum analyzer hooked up to a satellite receive dish. You can buy software to turn a computer into a spectrum analyzer for a few hundred dollars.


Figure out how much power and bandwidth you can use without messing up anyone else's signal and use most any satellite uplink (check eBay) to create the carrier. What kind of encoding you use really just determines what kind of receivers your end users need. (Again, check eBay for complete systems, including receivers, to send out.)


Like any good Trojan or Zombie, the key is to not be noticed. If you aren't messing up anyone else's feed, and aren't putting a big extra drain on the satellite, chances are no one is going to notice right away. Even when they do, finding your uplink can be difficult."[6]



Double Illumination



An attacker could create a denial of service condition where two or more carriers are on the same frequency at the same time. The carriers may be from the same or different uplinks. The audible effect of double illumination can range from almost no audible change to complete impairment depending on carrier power and other factors.[7] Double illumination is the main reason legal uplinks carry an ID. Someone accidentally turns on an uplink into the wrong satellite space, often when tuning or moving a dish, wiping out other services. But if it has had a significant impact accidentally, it could certainly be used on purpose.
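The transponder budgeting described in the quoted e-mail above (bandwidth and power as hard ceilings, carriers placed so they fit, intermodulation between carriers) and the double illumination condition in this section are the same engineering check seen from two sides, so the block below models both. It is an added example, not code from the SANS page or from the quoted e-mail. It goes a little beyond the text: the intermodulation the e-mail mentions is modelled with the classic third-order products 2*f1 - f2 and 2*f2 - f1, which is why evenly spaced carriers, like the National Telecommunications University's first attempt, put a product squarely on the third carrier. The C-band translation of 2225 MHz (6 GHz up, 4 GHz down), the 36 MHz transponder, its power figure and the carriers are illustrative assumptions.

```python
"""Carrier-plan check for a bent-pipe transponder: bandwidth and power
budget, double illumination (overlapping carriers) and third-order
intermodulation products landing on another carrier.

Added example; not from the SANS page or the quoted e-mail. The C-band
translation, transponder size/power and carrier figures are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

C_BAND_TRANSLATION_MHZ = 2225.0    # uplink minus downlink for a C-band bent pipe (assumed)

@dataclass(frozen=True)
class Carrier:
    name: str
    center_mhz: float    # uplink centre frequency
    bw_mhz: float        # occupied bandwidth
    power_w: float       # share of transponder power

@dataclass(frozen=True)
class Transponder:
    low_mhz: float
    high_mhz: float
    power_w: float       # total usable power

def downlink_mhz(center_mhz: float) -> float:
    """Frequency the satellite re-radiates this carrier on."""
    return center_mhz - C_BAND_TRANSLATION_MHZ

def edges(c: Carrier) -> Tuple[float, float]:
    return (c.center_mhz - c.bw_mhz / 2, c.center_mhz + c.bw_mhz / 2)

def double_illumination(carriers: List[Carrier]) -> List[Tuple[str, str]]:
    """Pairs whose occupied bands overlap: two carriers lit on the same
    frequency at the same time, whether by accident or on purpose."""
    pairs = []
    for i, a in enumerate(carriers):
        for b in carriers[i + 1:]:
            lo_a, hi_a = edges(a)
            lo_b, hi_b = edges(b)
            if lo_a < hi_b and lo_b < hi_a:
                pairs.append((a.name, b.name))
    return pairs

def budget_violations(tp: Transponder, carriers: List[Carrier]) -> List[str]:
    """Either bandwidth or power is a hard ceiling; report whichever is broken."""
    problems = []
    total = sum(c.power_w for c in carriers)
    if total > tp.power_w:
        problems.append(f"power {total:.1f} W exceeds {tp.power_w:.1f} W")
    for c in carriers:
        lo, hi = edges(c)
        if lo < tp.low_mhz or hi > tp.high_mhz:
            problems.append(f"{c.name} falls outside the transponder")
    return problems

def intermod_hits(carriers: List[Carrier], guard_mhz: float = 0.0):
    """Third-order products of each carrier pair that fall inside another
    carrier's band (plus an optional guard): those steal power and interfere."""
    hits = []
    for i, a in enumerate(carriers):
        for b in carriers[i + 1:]:
            for prod in (2 * a.center_mhz - b.center_mhz, 2 * b.center_mhz - a.center_mhz):
                for victim in carriers:
                    if victim in (a, b):
                        continue
                    lo, hi = edges(victim)
                    if lo - guard_mhz <= prod <= hi + guard_mhz:
                        hits.append((a.name, b.name, round(prod, 3), victim.name))
    return hits

# Constructed 36 MHz transponder and a plan with evenly spaced carriers.
TP = Transponder(6000.0, 6036.0, 20.0)
EVEN_PLAN = [Carrier("video-A", 6006.0, 8.0, 6.0),
             Carrier("video-B", 6018.0, 8.0, 6.0),
             Carrier("data", 6030.0, 4.0, 3.0)]
# Same carriers with the data carrier moved off the 2*fB - fA product.
FIXED_PLAN = EVEN_PLAN[:2] + [Carrier("data", 6024.0, 2.0, 3.0)]
# A stray uplink switched on over video-B's slot (double illumination).
ROGUE = Carrier("rogue", 6016.0, 4.0, 8.0)

if __name__ == "__main__":
    print("intermod, even spacing:", intermod_hits(EVEN_PLAN))
    print("intermod, fixed plan:", intermod_hits(FIXED_PLAN))
    print("double illumination:", double_illumination(EVEN_PLAN + [ROGUE]))
    print("budget:", budget_violations(TP, EVEN_PLAN + [ROGUE]))
```

Run as is, the evenly spaced plan produces two intermodulation hits (the product of the two video carriers lands on the data carrier, and the product of video-B and data lands on video-A), the adjusted plan produces none, and adding the stray carrier reports both the overlap with video-B and a power total above the transponder's budget. Monitoring the downlink with a spectrum analyzer for exactly these conditions (an unexpected carrier in an occupied slot, or a power rise without a scheduled change) is how an operator notices an unauthorized uplink.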


Tamil Rebels Hijack US Satellite Signal 2007

In 2007, this discussion moved from theoretical to reality. Rebel independence fighters in Sri Lanka have been pirating the services of a US satellite to send radio and television broadcasts to other countries. In 1997, the US government identified this particular group, the Liberation Tigers of Tamil Eelam, or LTTE, as a terrorist organization. The satellite belongs to Intelsat, a US company. Intelsat officials have been meeting with technical experts and Sri Lanka's Ambassador to the US to discuss measures the company is taking to prevent the satellite's unauthorized use. The rebels maintain they are not accessing the satellite illegally.[8,9,10]


The worst case, attacking the satellite itself

In January 2007, the New York Times carried this story:




China successfully carried out its first test of an antisatellite weapon last week, signaling its resolve to play a major role in military space activities and bringing expressions of concern from Washington and other capitals, the Bush administration said yesterday. Only two nations - the Soviet Union and the United States - have previously destroyed spacecraft in antisatellite tests, most recently the United States in the mid-1980s. Arms control experts called the test, in which the weapon destroyed an aging Chinese weather satellite, a troubling development that could foreshadow an antisatellite arms race.[11]


However, to attack a satellite probably does not require nation state space capability. Due to cost saving measures, the command & control channel to the satellite is unencrypted. The security is little more than a password. To hack such a system would require sophisticated & proprietary equipment, although with today's Digital Signal Processing systems it is becoming trivial. But, by the time it was noticed that a bird was put into a spin of death, the fuel is shot, there is very little fuel (and fuel is the primary limitation on the life span of a satellite), and there's a $75 million paperweight spinning in space.[12]


The bottom line

If your organization depends on satellite communications, it would be wise to start thinking about alternatives.


1. http://www.sans.edu/resources/securitylab/denial_of_service.php
2. http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/1999/03/04/ecnhack04.xml
3. http://www.parliament.uk/documents/upload/postpn273.pdf
4. http://www.panamsat.com/global_network/education.asp
5. See Reference 4 above
6. email Tom McGrane to Stephen Northcutt, 4/18/2007
7. http://www.prss.org/resources/print_glossary.cfm
8. http://australianit.news.com.au/articles/0,7204,21549846%5E15322%5E%5Enbv%5E,00.html
9. http://www.radioaustralia.net.au/news/stories/s1897037.htm
10. http://www.dailynews.lk/2007/04/13/news01.asp
11. http://www.nytimes.com/2007/01/19/world/asia/19china.html?ex=1326862800&en=74a017e997a72c53&ei=5088&partner=rssnyt&emc=rss.
12. email Luke McConoughey to Stephen Northcutt 4/17/2007




© 2006-2010 by GSO •  Contact