Friday, 27 August 2010

What is Cyber –terrorism?

The FBI defines terrorism as the unlawful use of force or violence against persons or property to intimidate or coerce a government, civilian population, or any segment thereof, in furtherance of political or social objectives.  Cyber terrorism could thus be defined as the use of computing resources to intimidate or coerce others.  An example of cyber terrorism could be hacking into a hospital computer system and changing someone’s medicine prescription to a lethal dosage as an act of revenge.  These things can and do happen.

Cyber-terrorists continue to give the computing profession a bad reputation.  It is important for computing professionals to understand cyber-terrorism for the benefit of themselves, their profession, and society as a whole.

Cyber terrorism is an increasing problem in our society; everyone needs to be aware of what it is and what dangers it presents.  It is becoming easier for terrorists to do damage to others' computers by means of viruses.

A computer and a connection to the Internet are all that is really needed to wreak havoc.  The public and the private sectors are relatively ignorant of just how much their life depends on computers, as well as of the vulnerability of those computers.  The crime must first be solved (i.e. who the perpetrators were and where they were when they attacked you) before it can be decided who has the actual authority to investigate it.  Critical systems should be isolated from outside connections or protected by adequate firewalls, follow best practices for password control and protection, and use protected action logs.

The CIA created its own group, the Information Warfare Center, staffed with 1000 people and a 24-hour response team.  The FBI investigates hackers and similar cases.  The Secret Service pursues banking, fraud and wiretapping cases.  The Air Force created its own group, the Electronic Security Engineering Teams (ESETs).

How can I protect myself?
There are no foolproof ways to protect a system.  Most of the military's classified information is kept on machines with no outside connection, as a form of prevention of cyber terrorism.  The most common method of protection is encryption.  The Director of the FBI's stance is that the Internet was not intended to go unpoliced and that the police need to protect people's privacy and public safety rights there.  Encryption's drawback is that it does not protect the entire system; an attack designed to cripple the whole system, such as a virus, is unaffected by encryption.

Promote the use of firewalls to screen all communications to a system, including e-mail messages, which may carry logic bombs.  Firewall is a generic term for methods of filtering access to a network.  They may come in the form of a computer, a router or other communications device, or a network configuration.  Firewalls serve to define the services and access that are permitted to each user.  One method is to screen user requests to check whether they come from a previously defined domain or Internet Protocol (IP) address.  Another method is to prohibit Telnet access into the system.

  1. All accounts should have passwords, and the passwords should be unusual and difficult to guess.
  2. Change the network configuration when defects become known.
  3. Check with vendors for upgrades and patches.
  4. Audit systems and check logs to help in detecting and tracing an intruder
  5. If you are ever unsure about the safety of a site, or receive suspicious email from an unknown address, don’t access it.  It could be trouble.

Illegally altering medical records is unethical.  Spreading disinformation is unethical in its lack of regard for the truth.  Altering, destroying or stealing others' data is a violation of their privacy.

Who is at risk of an attack?
Military installations, power plants, air traffic control centers, banks and telecommunication networks are the most likely targets.  Other targets include police, medical, fire and rescue systems, water systems, etc.

Amateur hackers are by far the biggest threat on the Internet.  They are responsible for about 90% of all hacking activity.

The Pentagon's systems that contain sensitive but unclassified information have been accessed illegally via networks 250,000 times, and only 150 of the intrusions were detected.  U.S. businesses lose $138 million every year to hackers.

According to a source in Great Britain, terrorists gained at least 400 million pounds from 1993 to 1995 by threatening institutions.  A brokerage house paid out 10 million pounds after receiving a threat and one of their machines crashed.  A blue-chip bank paid blackmailers 12.5 million pounds after receiving threats.  A brokerage house paid out 10 million pounds on the twenty-ninth incident.  A Russian hacker tapped into Citibank's funds transfer system and took $10 million.

Why would a terrorist decide to use the Internet rather than the usual methods of assassination, hostage taking and guerrilla warfare?  Removing one official from office only causes another to take the official's place, which may not produce the result the terrorist wished to achieve.  By using the Internet the terrorist can cause much wider damage or change to a country than one could by killing some people.  From disabling a country's military defenses to shutting off the power in a large area, the terrorist can affect more people at less risk to him or herself than through other means.

Cyber terrorism takes many forms.  One of the most popular is to threaten a large bank.  The terrorists hack into the system and then leave an encrypted message for senior directors which threatens the bank.  The message says that if they do not pay a set amount of money, then the terrorists will use anything from logic bombs to electromagnetic pulses and high-emission radio frequency guns to destroy the bank's files.  The difficulty in catching the criminals is that they may be in another country.

Cyber terrorists often commit acts of terrorism simply for personal gain.  They created an ActiveX control for the Internet that can trick the Quicken accounting program into removing money from a user's bank account.  This could easily be used to steal money from users all over the world who have the Quicken software installed on their computer.

Cyber terrorists are many times interested in gaining publicity in any possible way.  Trojan horse viruses and network worms are often used not only to damage computing resources, but also as a way for the designer of the viruses to "show off".  Many people are affected by these cases.  The viruses can consume system resources until networks become useless, costing companies lots of time and money.  Depending on the type of work done on the affected computers, the damage to the beneficiaries of that work could be lethal.

Cyber terrorism can be used for an assassination.  A mob boss was shot but survived the shooting.  That night, while he was in the hospital, the assassins hacked into the hospital computer and changed his medication so that he would be given a lethal injection.  He was dead a few hours later.  They can change the medication order back to its correct form after it has been incorrectly administered, to cover their tracks so that the nurse would be blamed for the "accident".  Ethical issues involved: a man was killed, and the life of the nurse was probably ruined, along with the reputation of the hospital and all its employees.  There are often more stakeholders in a terrorist situation than the immediate recipient of the terrorism.

Terrorism can also come in the form of disinformation.  In a recent incident, the rumor that a group of people were stealing people's kidneys for sale was spread via the Internet.  The rumor panicked thousands of people.  This is an ethical issue similar to screaming "fire" in a crowded theater.  Thousands of people were scared by this and could have suffered emotionally.

"Data diddling" is where information in the computer is changed.  This may involve changing medical or financial records or stealing passwords.  Hackers may even prevent users who should have access from gaining access to the machine.  Ethical issues: invasion of privacy and ownership conflicts.  The person who needed access to the machine was trying to save someone's life in a hospital and could not access the machine.  The patient could die waiting for help because the computer would not allow the necessary access for the doctor to save his or her life.

Cryptography has a long history, from its initial and limited use by the Egyptians some 4000 years ago to the 20th century, where it played a crucial role in the outcome of both World Wars.  Kahn's 1963 book covers those aspects of that history that were most significant to the development of the subject.

The predominant practitioners of the art were those associated with the military, the diplomatic service and Government in general.  It was used as a tool to protect national secrets and strategies.

DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history.  DES began with the work of Feistel at IBM in the USA in the early 1970s and culminated in 1977 with its adoption as a US Federal Information Processing Standard for encrypting information.

The concept of public-key cryptography also provided a new and ingenious method for key exchange.  In 1978, the first practical public-key encryption and signature scheme was discovered in the USA.  One of the most significant contributions provided by public-key cryptography is the digital signature.  In 1991, the first international standard for digital signatures was adopted.  The passage of the IT Act on October 17, 2000 legalized digital signatures in India.

The objectives associated with Information Security are:
  • Privacy or confidentiality
  • Data integrity
  • Entity authentication or identification
  • Message authentication
  • Signature
  • Authorization
  • Validation
  • Access control
  • Certification
  • Time Stamping
  • Witnessing
  • Receipt
  • Confirmation
  • Ownership
  • Anonymity
  • Non-repudiation
  • Revocation: retraction of certification or authorization

Often the objectives of information security cannot be achieved solely through mathematical algorithms, but require procedural techniques and obedience of laws to achieve the desired result.

For example, privacy of letters is provided by sealed envelopes delivered by an accepted mail service, which makes it a criminal offense to open mail for which one is not authorized.

Security is also achieved through the physical document recording the information.  For example, currency notes require special inks and materials to prevent counterfeiting.

One of the fundamental tools used in information security is the signature.  At the age of 18, the signature takes on a very integral part of the person's identity.  This signature is intended to be unique to the individual and serves as a means to identify, authorize and validate.  With electronic information, the concept of a signature is provided through cryptography.

What is Cryptography?

Cryptography is the science of using mathematics to encrypt and decrypt data.  Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient.  Cryptography is the science of securing data; cryptanalysis is the science of analyzing and breaking secure communication.

Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination and luck.  Cryptanalysts are also called attackers.  Cryptology embraces both cryptography and cryptanalysis.

The cryptographic algorithm is a mathematical function that works in combination with a key (a word, number, or phrase) to encrypt the plaintext.  The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key.  A cryptographic algorithm, plus all possible keys and all the protocols that make it work, comprise a cryptosystem.

Data that can be read and understood without any special measures is called plaintext or clear text.  The method of disguising plaintext in such a way as to hide its substance is called encryption.  Encrypting plaintext results in unreadable gibberish called cipher text.  Encryption is used to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data.  The process of reverting cipher text to its original plaintext is called decryption.  Cryptography is about the prevention and detection of cheating and other malicious activities.

Symmetric Cryptography
One key is used both for encryption and decryption.

Caesar’s Cipher

When Julius Caesar sent messages to his generals, he did not trust his messengers. So he replaced every A in his messages with a D, every B with an E, and so on through the alphabet.  Only someone who knew the “shift by 3” rule could decipher his messages.

For example, if we encode the word "SECRET" using Caesar's key value of 3, it encrypts as "VHFUHW".  To allow someone else to read the cipher text, you tell them that the key is 3.

Conventional encryption has certain benefits.  It is very fast.  For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves.  If they are in different physical locations, they must trust a courier or some other secure communication medium to prevent the disclosure of the secret key during transmission.  Anyone who overhears or intercepts the key in transit can later read, modify, and forge all information encrypted or authenticated with that key.

The problems of key distribution are solved by public key cryptography.  Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret, key for decryption.  Publish your public key to the world while keeping your private key secret.  Anyone with a copy of your public key can then encrypt information that only you can read, even people you have never met.

Only the person who has the corresponding private key can decrypt the information.  The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely.  The need for sender and receiver to share secret keys via some secure channel is eliminated.  Public key encryption is the technological revolution that provides strong cryptography to the masses.

Keys

A key is a value that works with a cryptographic algorithm to produce a specific cipher text.  The public and the private keys are mathematically related.

The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity.  It vouches only that the information which the Certifying Authority has signed goes along with, or is bound to, the public key listed in the certificate.  Thus a certificate is basically a public key with one or two forms of ID attached, plus a stamp of approval from some other trusted individual.

A certificate requires someone to validate that a public key and the name of the key's owner go together.  With X.509 certificates, the validator is always a Certification Authority or someone designated by a CA.

An X.509 certificate is a collection of a standard set of fields containing information about a user or device and their corresponding public key.  The X.509 standard specifies what information goes into the certificate and describes how to encode it.

  1. The certificate holder's public key – which cryptosystem the key belongs to and any associated key parameters.
  2. The serial number – a unique serial number the CA assigns to distinguish the certificate from the other certificates it issues.  For example, when a certificate is revoked, its serial number is placed in a Certificate Revocation List, or CRL.
  3. Holder's unique identifier (or DN, Distinguished Name) – this name is intended to be unique across the Internet.  (It comprises the subject's common name, Organizational Unit, Organization, Location, State, Country and Email ID.)
  4. Certificate's validity period – its start date/time and expiration date/time, indicating when the certificate will expire.
  5. Unique name of the certificate issuer – the unique name of the entity that signed the certificate.
  6. The signature, made using the private key of the entity that issued the certificate.
  7. The signature algorithm identifier – identifies the algorithm used by the CA to sign the certificate.

Certificate storage comes in the form of storage-only repositories called Certificate Servers, or of more structured systems that provide additional key management features and are called Public Key Infrastructures (PKIs).

A certificate server, also called a cert server or a key server, allows users to submit and retrieve digital certificates.  It enables a company to maintain its security policies, for example by allowing only those keys that meet certain requirements to be stored.

Public Key Infrastructures

A PKI contains the certificate storage facilities of a certificate server, but also provides certificate management facilities.  It introduces the Certificate Authority, or CA, which is a human entity (a person, group, department, company or other association) that an organization has authorized to issue certificates to its computer users.  (A CA's role is analogous to a country's Passport Office.)  Because of its role in creating certificates, the CA is the central component of a PKI.  Using the CA's public key, one can verify a certificate's authenticity and the integrity of its contents.

Certifying Authorities

The certifying authority is an entity that binds the identity of a person to his public key.  It certifies that a person is the holder of a valid key pair and that the person's identity has been authenticated by the certifying authority or its agents.  The certifying authority thus performs functions that are quasi-governmental and require a high amount of trust and security.

A certifying authority creates the digital certificate and digitally signs it using its own private key.  When any third person wishes to verify the authenticity of a subscriber's certificate, he uses the CA's public key.  This validates the certificate and establishes a trust model for the third party to enter into a transaction with the subscriber.
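The public-key, certificate-field and certifying-authority passages above, worked through in one added example that is not part of the original post: a toy CA signs the seven fields listed earlier with its private key, and a third party checks the signature with the CA's public key, then the CRL, then the validity period. Textbook RSA with Mersenne primes stands in for a real signature scheme, and all names and values are constructed for illustration.

```python
import hashlib
import json

def toy_keypair(p, q, e=65537):
    """Textbook RSA pair from two primes: returns ((n, e), (n, d)). Toy only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)

def tbs_digest(cert):
    """SHA-256 over every field except the signature (the 'to-be-signed' part)."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_certificate(subject_pub, serial, subject_dn, validity, issuer_dn, ca_priv):
    """The CA binds a subject name to a public key and signs with its own private key."""
    cert = {
        "public_key": {"algorithm": "toy-RSA", "n": subject_pub[0], "e": subject_pub[1]},  # field 1
        "serial": serial,                                                                 # field 2
        "subject": subject_dn,                                                            # field 3
        "validity": {"not_before": validity[0], "not_after": validity[1]},                # field 4
        "issuer": issuer_dn,                                                              # field 5
        "signature_algorithm": "toy-RSA-with-SHA256",                                     # field 7
    }
    n, d = ca_priv
    cert["signature"] = pow(tbs_digest(cert), d, n)                                       # field 6
    return cert

def verify_certificate(cert, ca_pub, crl, now):
    """A relying party checks the CA's signature first, then revocation, then validity."""
    n, e = ca_pub
    if pow(cert["signature"], e, n) != tbs_digest(cert):
        return "bad signature"
    if cert["serial"] in crl:
        return "revoked"
    v = cert["validity"]
    if not v["not_before"] <= now <= v["not_after"]:
        return "expired"
    return "valid"

def tampered_copy(cert, new_subject):
    """Keep the CA's signature but change the subject: verification must fail."""
    forged = dict(cert)
    forged["subject"] = new_subject
    return forged

# Constructed demo keys: Mersenne primes stand in for properly generated RSA primes.
CA_PUB, CA_PRIV = toy_keypair(2**127 - 1, 2**521 - 1)
SUBJECT_PUB, _ = toy_keypair(2**89 - 1, 2**107 - 1)
CERT = issue_certificate(SUBJECT_PUB, 1001, "CN=alice,O=Example,C=IN",
                         (100, 200), "CN=Example CA", CA_PRIV)
if __name__ == "__main__":
    print(verify_certificate(CERT, CA_PUB, crl=[], now=150))                         # valid
    print(verify_certificate(tampered_copy(CERT, "CN=mallory"), CA_PUB, [], 150))    # bad signature
    print(verify_certificate(CERT, CA_PUB, crl=[1001], now=150))                     # revoked
```

Only the CA's private key can produce a signature that its public key accepts, which is the trust model the text describes; the third party never needs the subscriber's private key.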
