Abstract
Understanding the end game of potential adversaries is the first step to modeling which attack vector(s) are likely to be the most profitable or least costly. Hacking activity may be motivated by gain, pain, or fear. Specific attack techniques are linked to challenges against specific security objectives (i.e., confidentiality, integrity, availability). For example, eavesdropping and aircracking are associated with confidentiality attacks. By analyzing attacker behavior in terms of market opportunity and the rational drive to maximize return on investment/effort, we can arrive at a better understanding of how to adapt prevention, detection, and control mechanisms to specific real-world contexts. Use case scenarios can capture insights about where the value resides that meets an attacker’s preference for acceptable risk, exploitable attack surfaces, planning/executing time horizon, available tools/skills, reasonable cost, and sufficient payoff.
Keywords
Hacker profile; hacker motivation; ransomware; fixed wireless access point; mobile wireless access point; aircracking; commjacking; skyjacking; SSID; attack vector
The Hacking End Game
Chapter 2, Wireless Adoption, presented a number of successful hack attack strategies that can help the malicious achieve their goals and that present challenges to defenders. The back stories for these and other evolving attack strategies presented in this and subsequent chapters can be instructive. To deconstruct these and other attacks and how they play out in specific contexts, it is useful to attempt an understanding of the motivation behind them by posing the questions: Why do hackers hack? What are the desired outcomes?
The back stories are as varied as the targets and techniques. Numerous academics, researchers, and industry analysts have attempted to define hacker profiles. According to the UN Hacker Profiling Project (HPP), a joint initiative between the UN Interregional Crime and Justice Research (UNICRI) and the Institute for Security and Open Methodologies (ISECOM), profiles have shifted since the 1970s. Opportunistic lone wolves and script kiddies hacking for knowledge, curiosity, or mischief are being replaced by structured groups and cyber mercenaries with a focused, long-term perspective for achieving desired results. Thus the study sees APTs and more sophisticated activities carried out by malware factories, political hacktivists, and cyber mercenaries working on behalf of nation-states, industrial interests, and organized crime.1
Although divisible into multiple subsets, the basic motivations of the threat agents and those who manage them—including those classified as ethical hackers—resonate with those that motivate most human actions: gain, pain, and fear. Table 3.1 shows the relationships between different motivations, end games, manifestations, and hacker profiles. Hackers can, of course, act in response to a combination of motivations. The table indicates some of this overlap. A specific incident may represent a combination of these factors.
Table 3.1
Hacker Motivation, End Game, Manifestation, and Profile Type
Although financial gain frequently comes to mind first, a hacker can also measure “gain” as increases in competitive advantage, intellectual property, reputation, and privileged access (e.g., to online entertainment, system resources that include distributed computing power, ICS). Monetary gain is realized through fraud, accessing financial assets illicitly (often by impersonation), and buying and selling information (e.g., social security numbers, account numbers, medical credentials) to others in the hacking or criminal communities. Ransomware is another modality: threatening to disclose information, destroy, modify, or deny access to information if a cash equivalent payment is not made. Industrial spies realize financial gain by penetrating a company’s information resources and obtaining proprietary information and intellectual property. Sale of this information can be arranged on a contract basis or to the highest bidder on a speculative basis.
Pain as a motivation is demonstrated by causing pain, as well as relieving or avoiding pain. Thus, ethical hackers are motivated primarily by relieving or avoiding pain for others through the identification and often mitigation of vulnerabilities. Clearly, they have the skills to pursue financial and other forms of gain. Fear as a motivation is demonstrated by actions like using active cyber defense as a preventive mechanism. For such a mechanism to be effective, at least at the nation-state level, the defender must communicate credibly its limited tolerance for attacks by others, signal willingness to retaliate successfully and appropriately (i.e., proportionately), and be able to deconstruct triggering events to justify responses.2 The 2007 massive Russian cyberattacks against private and public sector organizations in Estonia inspired fear among Estonian citizens, who are highly dependent on digital communications for banking and news reports.3 It is easy to imagine how to create citizen fear or distrust of current governmental or industrial reliability for the hacker by other acts of disabling or degrading critical infrastructure sectors used by the public (e.g., water, electricity, transportation).
To achieve their end game, hackers must gain access to information assets. Even when physical access is the primary stratagem used by the attacker, it is often enabled or intensified by first performing reconnaissance to determine what weaknesses exist in the protection of these assets—and how to exploit them. Fixed and mobile WAPs often provide convenient entryways for this discovery.
Differentiation Between Fixed and Mobile WAPs
If we start with the premise that any device capable of receiving and transmitting radio frequencies can be considered a WAP—even if being used as a relay station—the number of fixed WAPs is significant. For our purposes, we will define “fixed” WAPs as those with a long-term commitment to place and geographic location, as opposed to those fixed in situ, but not in loco. A car’s factory-installed navigation system, for example, is fixed in situ behind the dashboard; one would not remove it after parking the car for use as an electronic guide while hiking in a national park. And yet, the system is not fixed in loco: Its geographic location changes as the vehicle travels down the road. Meanwhile, a portable navigation system when used in a car is not necessarily fixed in place or geographic location for the long term. Similarly, individuals can create their own mobile wireless hotspot through personal devices, rather than relying on wireless routers that are fixed in place.
Hacking Opportunities in Hybrid Networks and Communications Channels
Wireline connections are less “leaky” than wireless connections due to the innate characteristics of the network media over which signals travel. Still, copper used as the network media is vulnerable to electromagnetic interference (EMI) within the environment from intense, electrical energy sources like motors, transformers, and fluorescent lights. Copper is also subject to crosstalk interference, which occurs when wires are bundled together.4 A copper-wire connection can be tapped by exposing the internal wires and connecting them to a listening device (a phone or less perceptible “bug”). The tap can be located within the target phone or anywhere along the phone line, including lines on a telephone utility pole. The latter approach is also used to hijack phone connectivity to save the expense (or inconvenience) of subscribing to individual phone service. Of course, such intentional eavesdropping requires physical access to the wire—and is prohibited under Federal and state law (with some specific exceptions).5
Businesses and organizations of any size, as well as individuals, may experience wire-based service compromise that generates excessive billing for phone service. Computer users can unintentionally approve a modem hijacking by clicking on web-based ads for “free” content or services.6 The computer’s connection to a legitimate modem is reprogrammed to connect via an international or for-fee phone number.7 Other phone scams are perpetrated by individuals who call to promote various services (charity donations, credit card assistance, extended car warranties, travel packages) and by robocallers (automated dialing techniques using prerecorded messages rather than live operators).8
Fiber optic media, as opposed to copper, are not susceptible to EMI or RF interference and crosstalk. They may, however, be less resilient to physical damage if not adequately protected in conduit, and may be tapped by splicing fiber strands. Coaxial and unshielded twisted pair (UTP) cable are susceptible to EMI interference and can also be physically compromised for eavesdropping.9 At the physical layer, even transmissions over wired lines can be intercepted, although they are more contained than transmissions over wireless radio frequencies. The important thing to acknowledge is that the vulnerabilities of wired systems carry over into wireless systems. The latter systems also add their own exploit flavors. When considering how to hack (or protect) any communications systems, the characteristics of each element—network media, protocols, architecture, connected devices, applications, physical location, data, users, policies—become part of the calculation for attack (or protection).
Challenges for Securing Hybrid Networks and Communications Channels
Wireless exploits and their tools have generated numerous catchy nicknames and trademarks, often based on the particular 802.11x protocol targeted, which include the following:
Aircracking—password cracking tool used against Wired Equivalent Privacy (WEP) and WPA protections; captures wireless packets to recover the password using the Fluhrer, Mantin, and Shamir (FMS) attack10
Airjacking—tool for injecting forged packets to support a MITM or DoS attack10
Bluejacking—sends unsolicited, often anonymous, messages over Bluetooth to Bluetooth-enabled devices; messages may contain a vCard (typically for connection to another Bluetooth-enabled device via object exchange (OBEX) protocol; uses include bluedating and bluechatting)11
Bluesnarfing—unauthorized access of information from one Bluetooth-enabled device by another
Caller ID spoofing—falsifying the caller ID to a number other than the actual calling station’s12,13
Commjacking—intercepting transmissions between any device and the Wi-Fi or cellular networks to which it is connected14
Drone skyjacking—drone engineered to take control of other drones within wireless or flying range
Juice jacking—gaining user access to phone and its contents while it is being charged over a public kiosk using a common USB connection (can compromise privacy and lead to malware injection)15
Skyjacking—exploiting over-the-air provisioning (OTAP) protocols to trap WAPs into connecting to a rogue wireless LAN controller (WLC) or access point; works by transmitting fake radio resource management (RRM) messages with information about the fake WLC; supporting tools include packet injection software16
Implications for Connections With Wired (Legacy) Networks and Systems
The attacks mentioned above are carried out at different layers of the entire communications system and so are included in the taxonomy of network and device attacks that affect all information systems, regardless of whether they are wired, wireless, or hybrid. Any wired network that can be accessed through a WAP, even if that access is indirect (e.g., an approved desktop that has been used to synch calendars with a compromised wireless device), may be susceptible. Although less colorful than the names applied to the foregoing wireless attacks and tools, the following taxonomy of attacks from Lisa Phifer (published by TechTarget)17 corresponds to familiar categories and information security principles (e.g., the confidentiality, integrity, and availability—or CIA—triad; the authentication, authorization, and accounting—or AAA—triad):
Network penetration attacks: war driving, rogue access points, ad hoc associations, media access control (MAC) address spoofing, 802.1x Remote Authentication Dial-In User Service (RADIUS) cracking
Confidentiality attacks: eavesdropping, Wired Equivalent Privacy (WEP) key cracking, evil twin AP, AP phishing, MITM
Integrity attacks: 802.11 frame injection, 802.11 data replay, 802.1x Extensible Authentication Protocol (EAP) replay, 802.1x RADIUS replay
Availability attacks: AP theft, Queensland DoS, 802.11 beacon flood, 802.11 associate/authenticate flood, 802.11 Temporal Key Integrity Protocol (TKIP) Message Integrity Check (MIC) exploit, 802.11 deauthenticate flood, 802.1x EAP-Start flood, 802.1x EAP-Failure, 802.1x EAP length attacks
Authentication attacks: application login theft, domain login cracking, VPN login cracking, 802.1x identity theft, 802.1x password guessing, 802.1x Lightweight Extensible Authentication Protocol (LEAP) guessing, 802.1x EAP downgrade
Network Penetration Attacks
As in conventional wired networks, penetrating the network is often number one on the attacker’s to-do list. The trick with a wireless network is that defining the network’s perimeter (or parameters, for that matter) is complicated by radio frequency signal leaks (i.e., the ability to receive signals from outside a trusted building or other assumed enclosure). War driving—picking up WAP signals using a mobile device—can be a great learning tool for novice wireless attackers (or defenders). Free software tools are available for installation on common platforms. The tools identify and record device characteristics like name, MAC address, SSID, encryption technology, AP manufacturers, geo-location. From this information it is possible to determine where an unprotected or inadequately protected signal is coming from and, if the default device registration name has not been changed, the likely default password for that device.
Rogue access points are unauthorized installations that may be attributed to a trusted user—or an opportunistic attacker. They function in a wireless installation as a wiretap does in one that is wired. Ad hoc associations, on the other hand, represent a different potential for a kind of rogue access point. Peer-to-peer networking, facilitated through SSID broadcasting by wireless devices, is often a default setting that is left enabled. Accidental, incidental, and malicious eavesdropping can result.
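The survey data a war-driving tool records (SSID, MAC address, encryption type, signal strength) is just as useful to the defender, who can compare it against an inventory of authorized access points. The following is an added example, not code from the book or from any survey tool: the survey records and the authorized inventory are constructed, the default-SSID prefix list and the signal-strength threshold are assumptions, and the survey is assumed to have been taken from outside the building so that a strong signal counts as a leak.

```python
"""Wireless survey audit: compare observed access points against an authorized
inventory and flag what a war-driving pass would reveal (rogue radios, evil-twin
candidates, weak or downgraded encryption, factory-default names, signal leaks).
Added example; every record below is constructed, not real scan output."""
from dataclasses import dataclass

WEAK_ENCRYPTION = {"OPEN", "WEP"}

# Constructed authorized inventory: BSSID -> (expected SSID, expected encryption).
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wifi", "WPA2"),
    "00:11:22:33:44:02": ("corp-wifi", "WPA2"),
    "00:11:22:33:44:03": ("corp-guest", "WPA2"),
}

# Hypothetical factory-default SSID prefixes: an AP still broadcasting one is a
# hint that its other defaults (administrative password) are also unchanged.
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "default", "dlink", "tp-link")

# Assumed threshold: survey taken from the parking lot, so a signal this strong
# means the radio footprint extends well past the trusted enclosure.
LEAK_RSSI_DBM = -55


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    encryption: str
    rssi_dbm: int


def classify(ap: ObservedAP) -> list[str]:
    """Return the findings for one observed AP (an empty list means nothing to flag)."""
    findings = []
    authorized = AUTHORIZED.get(ap.bssid.lower())
    if authorized is None:
        # Unknown radio. If it advertises one of our SSIDs it is an evil-twin
        # candidate; otherwise it is a rogue AP or a neighbor to investigate.
        if ap.ssid in {ssid for ssid, _ in AUTHORIZED.values()}:
            findings.append("evil-twin-candidate")
        else:
            findings.append("unknown-bssid")
    else:
        expected_ssid, expected_enc = authorized
        if ap.ssid != expected_ssid:
            findings.append("ssid-mismatch")
        if ap.encryption != expected_enc:
            findings.append("encryption-downgrade")
    if ap.encryption.upper() in WEAK_ENCRYPTION:
        findings.append("weak-encryption")
    if ap.ssid.lower().startswith(DEFAULT_SSID_PREFIXES):
        findings.append("default-ssid")
    if ap.rssi_dbm >= LEAK_RSSI_DBM:
        findings.append("signal-leak")
    return findings


def audit(observed: list[ObservedAP]) -> dict[str, list[str]]:
    """Map each observed BSSID to its findings, omitting clean APs."""
    return {ap.bssid: f for ap in observed if (f := classify(ap))}


# Constructed survey results, in the shape a war-driving tool would record them.
SURVEY = [
    ObservedAP("00:11:22:33:44:01", "corp-wifi", "WPA2", -72),
    ObservedAP("00:11:22:33:44:02", "corp-wifi", "WEP", -50),   # misconfigured, leaking
    ObservedAP("00:11:22:33:44:03", "corp-guest", "WPA2", -80),
    ObservedAP("aa:bb:cc:dd:ee:ff", "corp-wifi", "WPA2", -40),  # our SSID, not our radio
    ObservedAP("de:ad:be:ef:00:01", "NETGEAR42", "OPEN", -70),   # default name, open
]

if __name__ == "__main__":
    for bssid, findings in audit(SURVEY).items():
        print(bssid, ", ".join(findings))
```

The inventory comparison is what turns a scan into a rogue-AP check: an SSID alone proves nothing, since an evil twin copies it, so the BSSID is the key and the SSID and encryption type are attributes to verify against it.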
Confidentiality Attacks
Confidentiality is the first element of the security triad and the one associated with privacy: limiting privileged information to those who own it or have an owner-acknowledged need to know it. Concerns about the confidentiality of personally identifiable information have led to enactment of numerous laws globally. Among them are the European Data Protection Directive (1995), the Australian Privacy Act (1998), the US Children’s Online Privacy Protection Act (COPPA, 1998), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA, 2000).18
Integrity Attacks
Integrity is the second element of the security triad and the one associated with the reliability of information: the assurance that the content and/or associated metadata has not been tampered with. Integrity has not received the kind of attention that incidents involving confidentiality (e.g., data breaches) have received. And yet, compromise of data or message integrity is at the core of some of the most disturbing attacks involving critical infrastructure (e.g., Stuxnet) or critical systems (e.g., Jeep engine hacking demonstration). Data integrity is also critical in medical environments, especially with increased reliance on electronic medical records (EMRs) to minimize undesirable outcomes (e.g., harmful drug interactions). Within the legal sector, the integrity of metadata is critical for date, attribution (or provenance), and time “stamping” of information events and document versions.
Availability Attacks
Availability is the third element of the security triad and the one associated with the reliability, accessibility, and performance of computing resources (e.g., communication networks, data processing applications, servers) and data. DoS attacks have historically been among the most disruptive for large numbers of individuals and organizations. For critical industrial infrastructure sectors like energy and water, the availability of systems that manage physical controls of distribution networks and pipelines is the most important one of the CIA triad. And in a medical context, this dependency on the digital availability of equipment and information (again, those EMRs) is a life-and-death matter for individuals.
Authentication Attacks
Authentication is associated with artifacts that validate the identity of the claimant (individual, system, or process) that is attempting to access an information asset. Various credentials may be presented for authentication. Credential theft and compromise are leading factors in data breaches. Concerns about the inherent vulnerabilities in magnetic stripe credit cards, for example, ultimately forced US companies to adopt Europay, MasterCard, and Visa (EMV) technology for the embedded chip credit cards rolled out in 2015. The theft of credentials is a key factor in multilayered attacks—by allowing privileged access to key host systems—as well as in credit card fraud, identity theft, and unauthorized building access.
C&C Attacks on Automated Processes
Most networks and attached devices are based on a set of automated (i.e., C&C) processes. The ultimate prize for a hacker is to obtain control over the C&C processes using a combination of the above attacks, which then allows the hacker access to all resources, meanwhile either masking or hiding evidence of that activity. C&C servers can continue working for years and are no longer limited to botnet activity or Internet relay chat servers to direct victims. They have been found among cloud infrastructure service providers and a range of Internet domains. Table 3.2 indicates known malware families that reside in C&C servers that affect cloud infrastructure services.
Table 3.2
Malware Families with Command and Control (C&C) Servers on Cloud Infrastructure Services

| Malware Family | Description |
|---|---|
| ZeuS | Cybercrime |
| POISON | RAT, targeted attacks |
| CLACK | Adware |
| BOZOK | RAT, targeted attacks |
| IXESHE | Targeted attacks |
| ESILE | Targeted attacks |
| DUNIHI | RAT, targeted attacks |
| KELIHOS | Cybercrime |
C&C attacks against critical infrastructure elements also take advantage of known vulnerabilities in legacy software that cannot be patched or updated reliably.
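Because a C&C server hosted on a cloud infrastructure provider looks like any other cloud destination, reputation alone will not find it; the behavioral tell is the regularity of the victim's check-ins. The following is an added example, not from the chapter: it runs a simple beaconing detector over a constructed outbound flow log (hostnames under the reserved .test domain, timestamps and byte counts invented), flagging source/destination pairs whose connection intervals and sizes both vary very little. The minimum event count and the coefficient-of-variation cutoff are assumed tuning values.

```python
"""Detect command-and-control beaconing in an outbound connection log by looking
for source/destination pairs with near-constant intervals and near-constant sizes.
Added example; the log lines below are constructed, not real traffic."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow log: "timestamp src_ip dst_host bytes_out".
LOG = """\
2016-03-01T10:00:00 10.0.0.5 cdn.example-cloud.test 512
2016-03-01T10:00:07 10.0.0.5 news.example.test 20480
2016-03-01T10:05:01 10.0.0.5 cdn.example-cloud.test 510
2016-03-01T10:09:58 10.0.0.5 cdn.example-cloud.test 514
2016-03-01T10:11:30 10.0.0.5 mail.example.test 3200
2016-03-01T10:15:02 10.0.0.5 cdn.example-cloud.test 511
2016-03-01T10:20:00 10.0.0.5 cdn.example-cloud.test 513
2016-03-01T10:24:59 10.0.0.5 cdn.example-cloud.test 512
2016-03-01T10:31:12 10.0.0.5 news.example.test 18000
2016-03-01T10:47:05 10.0.0.5 mail.example.test 2900
"""


def parse(log: str) -> dict[tuple[str, str], list[tuple[float, int]]]:
    """Group (epoch seconds, bytes) per (src, dst) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, size = line.split()
        t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        flows[(src, dst)].append((t, int(size)))
    return flows


def beacon_score(events: list[tuple[float, int]], min_events: int = 5):
    """Return (mean interval, interval CV, size CV), or None with too few events.
    A low coefficient of variation (CV = stdev / mean) on both the gap between
    connections and the bytes sent is the beacon signature: human browsing is
    bursty and variable, a check-in loop is not."""
    if len(events) < min_events:
        return None
    events = sorted(events)
    intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    interval_cv = statistics.pstdev(intervals) / statistics.mean(intervals)
    size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
    return statistics.mean(intervals), interval_cv, size_cv


def find_beacons(log: str, min_events: int = 5, max_cv: float = 0.1) -> dict:
    """Return {(src, dst): mean interval in whole seconds} for beacon-like pairs."""
    hits = {}
    for pair, events in parse(log).items():
        score = beacon_score(events, min_events)
        if score and score[1] <= max_cv and score[2] <= max_cv:
            hits[pair] = round(score[0])
    return hits


if __name__ == "__main__":
    for (src, dst), period in find_beacons(LOG).items():
        print(f"{src} -> {dst}: check-in every ~{period}s")
```

Real implants add jitter to the interval, so in practice the CV cutoff is loosened and the analysis is run over hours or days; the structure of the check (group by pair, measure regularity, threshold) stays the same.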
Recommendations for Wireless/Hybrid Systems
The challenges of securing wireless technologies should not obscure their advantages. Fixed wireless access connections are now widely regarded as desirable in terms of installation cost and ease,19 especially in conditions where access to the cable or wiring plant or plenum access is difficult or restricted, time schedules are tight, few walls or other environmental obstructions exist, no competing telecommunications infrastructure is in place, or coverage areas are widely separated or underutilized. The cost of protecting wireless communications, however, must be calculated when building the business case for a wireless or hybrid system. The challenges simply speak to the importance of understanding what your assets are, where they are located, who has access to them, how they are being accessed, and how they should be protected. The objective of such situational awareness is to be aware of what should be and what is. The objective is also to be aware of what could be, thus learn to think like an adversary as Sun Tzu advised: “To know your Enemy, you must become your Enemy.”
Know Your Enemy
By looking at your environment from the perspective of a likely attacker, priorities about where to invest in protection efforts become clearer. Considerable investment may be necessary to achieve a successful attack. The rational attacker will make a deliberate calculation about what constitutes success and the desired return on investment (in terms of time, tool, financial, and skill resources) and weigh these against the probability of success—and the probability of failure or adverse outcomes (e.g., discovery, legal conviction, professional ostracism). Understanding the end game of potential adversaries is the first step to modeling which attack vector(s) are likely to be the most profitable or least costly.
This analysis assumes intentionality and sophistication rather than opportunistic digital vandalism. The latter category can include acts as insipid as keylogging and remote terminal experiments performed by grad students against staff in a university setting to the devastating Morris Worm, launched in 1988 from MIT by Cornell grad student Robert Morris. Estimates vary as to how many computer systems were crashed as a consequence, but 10% of systems connected to the Internet is often cited in articles. At that point in time, about 50,000–60,000 computer systems were connected to the Internet.22 (As a point of reference, a 2015 report estimated that 1.2 billion devices were connected to the Internet; 10% of that would be 120,000,000 devices.) Morris earned fame for his eponymous malware, in addition to 3 years’ probation, a fine for his intentional unauthorized access of others’ computers, and conviction under the federal Computer Fraud and Abuse Act23 (enacted in 1986 as an amendment to the 1984 Counterfeit Access Device and Abuse Act).24
Acts of digital vandalism perpetrated over wireless systems include object lessons designed to create awareness about unsafe practices. A regular feature at the hacker conference DefCon is the large video display, the Wall of Sheep. These are the accounts compromised through the Wi-Fi hotspot by transmitting usernames and passwords in clear text. (It is an educational conference, after all.) This public shaming is, in effect, closed captioned, and has not carried the same fatal results as has public shaming through social media bullying.
As a defender of your network and assets, you should:
Monitor traffic details and understand behavior patterns to determine what is normal
Recognize anomalous behavior on the network and investigate
Quickly assess and share relevant traffic and contextual information with security resources
Ensure your network has active tools for consistent sensing and detection of both intense and low-level (but persistent) attack or reconnaissance activities, in addition to robust information processing, anomaly detection, signaling, reporting, and dissemination
Perform ad hoc and scheduled “attacks” on your network to determine the effectiveness of your defenses and design improvements to those defenses
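The fourth point above, sensing both intense and low-level but persistent activity, needs two different detectors: a short sliding window that catches a burst (here a deauthentication flood, one of the availability attacks listed earlier) will never trip on a station that probes for one SSID every 90 seconds, so a second, long-window view is needed for the slow reconnaissance. The following is an added example, not the chapter's code: it builds a constructed one-hour 802.11 management-frame log and runs both detectors over it. The thresholds (20 deauthentication frames in one second; ten distinct SSIDs probed over at least ten minutes) are assumed values.

```python
"""Two-tier detection over an 802.11 management-frame log: a sliding-window
burst detector for intense events (deauthentication flood) and a long-window
detector for low-and-slow reconnaissance (one station probing many SSIDs over
an hour). Added example; the frame log is constructed, not a real capture."""
from collections import defaultdict, deque

AP = "00:11:22:33:44:01"          # our legitimate access point (constructed)
CLIENT = "cc:cc:cc:00:00:01"      # a legitimate station (constructed)
FLOODER = "de:ad:be:ef:00:01"     # source of the deauth burst (constructed)
PROBER = "66:77:88:99:aa:bb"      # low-and-slow SSID prober (constructed)


def build_frames():
    """Construct a synthetic one-hour log of (seconds, frame_type, source, ssid)."""
    frames = []
    for t in range(0, 3600, 10):                       # normal beacons every 10 s
        frames.append((float(t), "beacon", AP, "corp-wifi"))
    for t in (5, 600, 1800):                           # occasional legitimate probes
        frames.append((float(t), "probe_req", CLIENT, "corp-wifi"))
    for i in range(40):                                # 40 deauths at 20 frames/s from t=1200
        frames.append((1200 + i * 0.05, "deauth", FLOODER, "-"))
    for i in range(40):                                # one probe every 90 s, new SSID each time
        frames.append((float(i * 90), "probe_req", PROBER, f"guess-{i}"))
    frames.sort()
    return frames


def burst_sources(frames, ftype, threshold, window):
    """Flag sources that send >= threshold frames of ftype within any span of
    `window` seconds. One deque of recent timestamps per source."""
    recent = defaultdict(deque)
    flagged = set()
    for t, kind, src, _ in frames:
        if kind != ftype:
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:                 # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def persistent_probers(frames, min_ssids, min_span):
    """Flag sources that probe for many distinct SSIDs across a long time span.
    The per-frame rate is tiny, so only an aggregate view over the whole
    window exposes the pattern."""
    ssids = defaultdict(set)
    first, last = {}, {}
    for t, kind, src, ssid in frames:
        if kind != "probe_req":
            continue
        ssids[src].add(ssid)
        first.setdefault(src, t)
        last[src] = t
    return {src for src, seen in ssids.items()
            if len(seen) >= min_ssids and last[src] - first[src] >= min_span}


if __name__ == "__main__":
    frames = build_frames()
    print("deauth burst from:", burst_sources(frames, "deauth", 20, 1.0))
    print("probe burst from:", burst_sources(frames, "probe_req", 5, 60))   # empty: too slow
    print("persistent probers:", persistent_probers(frames, 10, 600))
```

The two outputs for probe requests are the point: the rate detector returns nothing for the slow station, while the long-window detector names it. Keeping both running is what the recommendation above means by sensing both intense and persistent activity.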
Importance of Context (Use Case Scenarios)
Initially considered an expensive alternative to conventional circuits, and thus relegated to implementation as a backup to wired communications, wireless is an important feature of most communications infrastructure being built today. As discussed in Chapter 2, Wireless Adoption, wireless connectivity has become the preferred choice in countries that have not historically deployed significant wired infrastructure. Without the legacy of managing communications security and following safe information handling practices, the protection of information assets in these countries may become more complicated.
Although the academic exercise of planning an attack or its defense can be entertaining, looking at real-world instances gets to the operational, legal, regulatory, and behavioral environments in which WAPs are found. The chapters that follow explore the characteristics of specific applications for WAPs in a range of contexts: individual (personal, social, recreational), commercial (retail, multifamily, office).
These use case scenarios will attempt to capture insights about where the value resides that meets an attacker’s preference for acceptable risk, exploitable attack surfaces, planning/executing time horizon, available tools/skills, reasonable cost, and sufficient payoff. By analyzing attacker behavior in terms of market opportunity and the rational drive to maximize return on investment/effort, we can arrive at a better understanding of how to adapt prevention, detection, and control mechanisms to specific real-world contexts.