Matteo Cavallini mc (at) matteocavallini (dot) com
Terrorist use of the Internet: an analysis of the current threat and its potential evolution.
Table of Contents
Executive Summary
Introduction
Literature Review
1 – Terrorism, a phenomenon with various definitions
2 - Terrorists who use Internet and Cyberterrorists: two different criminal categories
2.1 – Terrorists who use Internet: different ways to use Internet to support terrorist activities
2.2 – Cyberterrorism: what to expect in the near future
3 – Internet as a communication medium
3.1 - The publicity: Websites, videos, forums, chatrooms and social networks
3.2 – The secrecy: cryptography, steganography and other approaches
3.2.1 - Naive approaches to secrecy
3.2.2 - Real cryptography: Mujaheddin secrets, TOR and TrueCrypt
3.2.2 - Steganography
4 – Internet as a way to fund groups and cells
4.1 - Main funding sources
4.2 - Money laundering and ways to transfer funds
5 – Internet and the new opportunities for terrorists
5.1 - Maps, geolocalization and smartphones
5.2 - Information gathering
5.3 - Simulators and augmented reality
6 - Cyberterrorism
6.1 - Hacktivism or terrorism
6.1.1 - Is DDoS always only a form of protest?
6.1.2 - Other forms of protest or other attacks?
6.2 - Targets and scenarios
6.2.1 – Critical infrastructure and SCADA systems
6.2.2 – Threat and vulnerabilities of the energy sector
6.2.3 – Are the transportation systems really at risk?
6.3 – New opportunities for the cyber-terrorists
6.3.1 - Crimeware: exploit kit, botnet and financial malware
6.3.2 - Cyberweapons: the future of terrorist attacks?
6.3.3 - SWATing and TDoS
6.4 – Assessing the risk of such an event
6.4.1 – Description of the risk assessing method
6.4.2 – The cyber terrorist scenario
6.4.3 – The results of the risk assessment
7 - Conclusion
Bibliography
List of figures & tables
Figure 1 - Image of an article published in the magazine Inspire (Hypponen, M.)
Figure 2 - GUI of “Mujaheddin Secrets” (Danchev, D.)
Figure 3 - The layout of a standard TrueCrypt volume before and after a hidden volume was created within it (TrueCrypt official website)
Figure 4 - A screenshot taken from the Long War Journal website (Joscelyn, T. 2013)
Figure 5 - A photo taken from the article "Google Buys Image and Gesture Recognition Company Viewdle" (Ningauble, 2012)
Figure 6 - An image taken from the video "AiRScouter" see-through type head-mounted display of Brother (2011)
Figure 7 - An image taken from the blog post “Under the Hood of the Cyber Attack on U.S. Banks” (Atias, 2013)
Figure 8 - The attack distribution among critical infrastructure sectors (ICS-CERT, 2013)
Figure 9 - A screenshot of the vulnerable web server on which the ENEA-ENEL project documents are accessible (2013)
Figure 10 - A screenshot of the home page of the management console published by Schneider Electric (2013)
Figure 11 - An example of the information that can be accessed using Schneider Electric’s website (2013)
Figure 12 - The article about the possible job reduction in Schneider Electric’s plant (2012)
Figure 13 - A modification of the “Determination of the likelihood” taken from the NSSM document
Figure 14 - A modification of the “Risk Diagram” taken from the NSSM document with the insertion of the cyber terrorist scenario
Figure 15 - Priority Risks taken from the UK National Security Strategy
Executive Summary
This project report is aimed at analysing the present and future use of the Internet by terrorist groups, with a particular interest in understanding the possibility of carrying out a cyber attack.
Terrorist groups have been able to adapt their strategies to every specific context in which they decided to operate; the use of the Internet is one good example of their capacity to shape their strategies. The Internet is used in almost every way to give a direct or indirect contribution to terrorist operations. In this research I report examples of many of these different approaches to using the Internet, such as the following:
● realisation of campaigns to raise consensus around a cause;
● diffusion of text and video messages bypassing the filter of the traditional media;
● solicitation of help and money;
● realisation of more efficient ways to transfer and launder money;
● creation of forums in which to share ideas, knowledge and initiatives in a secure way;
● diffusion of manuals and materials to give the basic knowledge for the preparation of an attack;
● combination of cryptography and steganography to communicate secretly and securely;
● use of navigators, on-line maps, smartphones and new tools to prepare and conduct operations in the field.
Then, looking at the near future, I also explored the new possibilities opened by technology, such as the use of malware or cyberweapons to carry out attacks that multiply their effects through the Internet, or the malicious use of a tool such as Google Glass to support the operations of an active terrorist cell.
Finally, in this research I explored the possibility of carrying out a cyber terrorist attack, evaluating the pros and cons of such a scenario. On this topic I found some blurred elements that, in the light of some definitions of cyberterrorism, could be considered the first elementary examples of such a form of attack.
At the end I assessed the risk of a big cyber attack using a methodology derived from the UK National Security Risk Assessment (NSRA) and the National Security and Safety Method (NSSM) of the Netherlands, finding that this kind of risk has a value comparable to some more “traditional” big terrorist attacks; hence this kind of event should be investigated more closely by national and international bodies to fully comprehend its real significance.
Introduction
This project report is aimed at analysing the present and future use of the Internet by terrorist groups, with a particular focus on the characteristics and issues of cyberterrorism in the future. In order to maintain a concrete and easily verifiable project profile, I have used real cases as much as possible as the starting point of the analysis and evaluation. In particular, the objective of this project is to answer the following questions:
● What is the current use of the Internet by terrorists?
● What are the possible evolutions of this use?
● Is it always possible to distinguish between hacktivism and terrorism?
● What are the possible targets and scenarios for cyberterrorism?
● Is cyberterrorism a credible threat for the near future?
In the first two chapters, I will give a general description of the terrorist phenomenon, starting by defining and clearly distinguishing between the use of the Internet as a supporting tool for terrorist activities and the use of the Internet as a weapon in itself to perform real attacks. The third chapter will be devoted to the possibilities that terrorist groups have to use the Internet as a way to directly communicate their messages to the public and, on the other hand, to use the Internet as a very secret way to communicate among cells. The fourth chapter will briefly treat the ways to collect money to fund terrorist activities and the methods to transfer the money to the final users. In the fifth chapter I will analyse the possibilities opened by new technologies and the new ways in which terrorists use the Internet, with particular attention to the malicious side of some innocuous tools. The sixth chapter will be the most complex and articulated of the entire project and will be devoted to cyberterrorism. This theme will be analysed to highlight the concrete possibilities of the realisation of such actions and to spot the soft targets that could be attacked. The chapter ends with an analysis of the likelihood of such events.
In the final chapter I will draw the conclusions of the project, highlighting the importance of truly understanding the present use of the Internet by terrorist groups in order to hypothesise future threats and new scenarios.
Literature Review
My project was developed using texts and papers published by national and international bodies, research performed by academics, and materials produced by independent security researchers. The main sources for my research project are:
● United Nations Office on Drugs and Crime (UNODC)
● Counter-Terrorism Implementation Task Force (CTITF)
● Europol
● NATO - Centre Of Excellence - Defence Against Terrorism (COE-DAT)
● National security bodies (UK, Italy, Netherlands)
● Istituto di Alti Studi della Difesa (IASD), the institute of high defence studies of the Defence Joint Staff
● Presidenza del Consiglio dei Ministri - Sistema di Informazione per la sicurezza della Repubblica, the Italian intelligence agency
● Academic publications
● Council of Europe
● Journalists and independent security researchers
1 – Terrorism, a phenomenon with various definitions
Modern terrorism is a relatively recent but very complex phenomenon. As reported by Wikipedia (2012), one of the ideologies behind using terrorism to achieve political objectives originates in Europe at the beginning of the 19th century with: “the "Propaganda of the deed" (or "propaganda by the deed," from the French propagande par le fait) theory, a concept that advocates physical violence or other provocative public acts against political enemies in order to inspire mass rebellion or revolution. One of the first individuals associated with this concept was the Italian revolutionary Carlo Pisacane (1818–1857), who wrote in his "Political Testament" (1857) that "ideas spring from deeds and not the other way around." Anarchist Mikhail Bakunin (1814–1876), in his "Letters to a Frenchman on the Present Crisis" (1870) stated that "we must spread our principles, not with words but with deeds, for this is the most popular, the most potent, and the most irresistible form of propaganda."”
Current terrorism well reflects this kind of approach, and the Internet is the perfect way to convey the news about the “deeds” and also the terrorist ideology. In its evolution, terrorism presents a varied phenomenology, so the very long list of its definitions takes into account this complexity. Moreover, throughout time many governments were tempted to stick the label of terrorism on their enemies and, in doing so, they stretched and modified its definition in order to achieve their desired result. Finally, the terrorist groups themselves modified their behaviour, tactics and methodology many times over the course of time, thus forcing institutions to change their definitions of this elusive phenomenon. The result of such an evolution is the production of over one hundred different definitions of terrorism. However, despite the total number of definitions, some of them are now well recognized and accepted. For example, the definition of “terrorist act” in Art. 1 of the “EU Council Framework Decision of 13 June 2002 on combating terrorism” is used as a basis in all the legislation of the Member States of the European Union.
In this article terrorist offences are defined as: “acts referred to below in points (a) to (i), as defined as offences under national law, which, given their nature or context, may seriously damage a country or an international organisation where committed with the aim of: — seriously intimidating a population, or — unduly compelling a Government or international organisation to perform or abstain from performing any act, or — seriously destabilising or destroying the fundamental political, constitutional, economic or social structures of a country or an international organisation, shall be deemed to be terrorist offences:
a. attacks upon a person's life which may cause death;
b. attacks upon the physical integrity of a person;
c. kidnapping or hostage taking;
d. causing extensive destruction to a Government or public facility, a transport system, an infrastructure facility, including an information system, a fixed platform located on the continental shelf, a public place or private property likely to endanger human life or result in major economic loss;
e. seizure of aircraft, ships or other means of public or goods transport;
f. manufacture, possession, acquisition, transport, supply or use of weapons, explosives or of nuclear, biological or chemical weapons, as well as research into, and development of, biological and chemical weapons;
g. release of dangerous substances, or causing fires, floods or explosions the effect of which is to endanger human life;
h. interfering with or disrupting the supply of water, power or any other fundamental natural resource the effect of which is to endanger human life;
i. threatening to commit any of the acts listed in (a) to (h).”
Another important definition is given in the Art.2 of the UN “International Convention for the Suppression of the Financing of Terrorism” which defines an act of terrorism as: “act intended to cause death or serious bodily injury to a civilian, or to any other person not taking an active part in the hostilities in a situation of armed conflict, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organization to do or to abstain from doing any act”
It is quite easy to spot the obvious differences between these two definitions. The consequence of such variability in the definitions is that it is very difficult to situate a new and “innovative” approach to terrorism such as cyberterrorism. Gathering the common parts of these definitions is the way in which some researchers have tried to compose a more widely accepted description of the phenomenon. An example of this kind of effort is the definition produced by Boksette C. (2008), in which: “Terrorism is defined as political violence in an asymmetrical conflict that is designed to induce terror and psychic fear (sometimes indiscriminate) through the violent victimization and destruction of noncombatant targets (sometimes iconic symbols). Such acts are meant to send a message from an illicit clandestine organization. The purpose of terrorism is to exploit the media in order to achieve maximum attainable publicity as an amplifying force multiplier in order to influence the targeted audience(s) in order to reach short- and midterm political goals and/or desired long-term end states."
2 - Terrorists who use Internet and Cyberterrorists: two different criminal categories
After examining the growing interest of subversive movements in using the net to carry out their tasks, many analysts have recently hypothesized that the conditions to exploit the Internet as a weapon are approaching. It has to be highlighted, however, that a big difference exists between the use of the Internet to support terrorist activities and the use of the Internet to perform attacks. Only the latter can be fully defined as a cyberterrorist act.
In fact, as will be explained extensively, the prerequisite to call an event “cyberterrorism” is the use of the Internet to produce violence and/or physical effects comparable to those created by a kinetic attack. Having this perspective clear in mind, it is apparent that terrorists and cyberterrorists are different categories of criminals who have different skill sets and different views regarding targets. It is also apparent that, at the moment, the conditions to perform a cyberterrorist attack are still far from reality.
2.1 – Terrorists who use Internet: different ways to use Internet to support terrorist activities
The Internet is a tool that, in little more than twenty years, has produced a big change in the real life of everyone, modifying the lifestyle of people, companies and governments. Terrorist groups were not immune to these changes. Initially, they developed some capabilities at the individual level only, to evolve later towards a more structured approach in their use of the Internet. Some authors (Olimpio, 2008) even state that the expansion of Al-Qaida would not have been possible without the use of the Internet. At the same time, however, the intelligence and law enforcement agencies in every country also developed Internet-based tools to monitor terrorist activities and to perform more complex and effective investigations. At the moment, the main uses of the Internet for terrorist purposes are related to the following:
● diffusion of terrorist propaganda;
● radicalisation and proselytism;
● collection and transfer of funds;
● diffusion of materials related to the preparation of attacks;
● coordination of activities and the exchange of secret messages;
● information and intelligence gathering;
● support during the preparation and the execution of attacks.
All these activities, however, leave traces that are followed by the law enforcement agencies in a never-ending battle to foil the planned atrocities before they happen. As a matter of fact, this reality forced the terrorist groups to attempt to use the Internet in such a way as to offer the minimum attack surface for the infiltration and investigation of law enforcement and, at the same time, continue to use the Internet to communicate within and outside the cells. Hence, for terrorists the real dilemma to solve became finding a way to attract publicity and to maintain secrecy at the same time. One of the solutions recently adopted by Al-Qaida is the incitement to the so-called “individual jihad”, in which the interaction between the operative cells (or the lone terrorists) is minimal because the radicalisation materials and the necessary instructions to set up a basic form of attack are widely diffused on the Internet. Sadly, as we have seen ourselves in the last few months, for example with the case of the Boston Marathon attacks, this kind of approach has proven to have a great capacity in the realisation of simple attacks with a high potential to affect the feelings of the population and to spread fear. Finally, the effectiveness of the use of the Internet for radicalisation was understood by all the subversive organisations; in fact, as noted by the United Nations Counter-Terrorism Implementation Task Force
(CTITF) in 2009: “While Al-Qaida is highly sophisticated in its use of the Internet, it is not unique. Websites and forums are used by almost all terrorist organizations, and sophisticated video productions can be found on the Internet from a number of politically violent groups (Videos, music and similar materials expressing support for politically violent groups as diverse as, for example, ETA, the PKK, the Tamil Tigers, FARC-EP and The Naxalites, can be readily found on the Internet.).”
2.2 – Cyberterrorism: what to expect in the near future
As is supported by a lot of real cases, it is easy to verify that the use of the Internet by terrorist groups is very practical. They try to exploit the potential of this technology while minimising the related vulnerabilities. So, though they are aware that cyberterrorism could be fundamental in the future, they also know that, at the moment, an attack based on the use of the net is out of their reach. In fact, EUROPOL, in the report “Counter Terrorism Working Group Conclusion” (2011), states that: “The internet will not only be used as a tool for recruitment, training, planning, as well as being a potential target itself but will also be used as a weapon, for instance on critical infrastructure, and for intelligence gathering. Terrorists will always study and invest in new technologies in any way possible to facilitate their activities, but the traditional means of attack will remain an easy, cost-effective option for the near future.”
In the late 90s/early 2000s, due to the increasing dependency of the world on Internet resources, researchers started to analyse seriously the use of the Internet as a way to perform attacks, so the terms cyberwarfare and cyberterrorism became very common and frequent. But, as we saw in the previous paragraphs, there are many different views about what terrorism is, and in the same way there are a lot of different views about what cyberterrorism is. This blurriness originates a multitude of definitions with many differences from one to another. For example, as reported by Kerr K. of AusCERT (the Australian Computer Emergency Response Team), the US National
Infrastructure Protection Center defined cyberterrorism as: “a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda”
Pollit M., FBI special agent, proposed a definition that extends the concept expressed in the previous definition. Pollit indeed wrote: “Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.”
Finally, as reported by the “Centre of Excellence – Defence against Terrorism”, NATO proposed the following definition, in which the term “violence” is explicitly avoided in favour of the more blurry concepts of “destruction” and “disruption”. The NATO definition in fact is: “A cyberattack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal.”
As previously noted, at the moment the right conditions to perform a terrorist cyberattack in the real world do not exist, but, taking into consideration the evolutionary rate of the use of the Internet for terrorist purposes, researchers and the community of experts think that it is just a matter of time and no longer a mere academic hypothesis.
3 – Internet as a communication medium
As stated in Boksette’s definition of terrorism, the publicity of an attack is almost as important as the attack itself. Indeed, some attacks have been perpetrated just because there was a message to communicate through the exploitation of the media. From this perspective, the Internet has been a game changer because it enables terrorist groups to:
● communicate directly to the intended audience, bypassing the filter of the journalists;
● expand enormously the exposure of the messages;
● reach almost every single would-be terrorist or supporter.
This capability has reached its apex with the rise of Web 2.0, an approach to content publication in which the boundary between the audience and the information producer is blurred and interchangeable. Multimedia tools such as photo, video and audio led to the realisation of “professional” communication campaigns and, by taking advantage of blogs, social networks, websites, forums and chatrooms, terrorists can have at their disposal all the tools needed to recruit and manage the new generations of operatives. So, terrorist groups have started to specialise part of their resources in the use of the Internet to expand their capabilities and multiply the effects of their actions. As noted by Denning (2010) in “Terror’s Web: How the Internet Is Transforming Terrorism”: “Superficially, terrorists use the Internet in pretty much the same way that other individuals and groups use the Internet. They use it to communicate amongst themselves and to reach out to supporters, the media, governments, and the public. They use it to exchange messages and engage in online discussions. They use the net to distribute information, including text, images, audio, video, and software, and to find information. They use it to learn, transact business, and generally facilitate their activities. And, like other bad actors on the Internet, they use the net to inflict harm. Yet from this seemingly normal usage, the very practice of terrorism is being transformed. This transformation takes the form more of an expansion of options and activities rather than a replacement of traditional ways of operating.”
3.1 - The publicity: Websites, videos, forums, chatrooms and social networks
The majority of terrorist formations have well understood the importance of the use of the Internet to create attention and to spread their message, and have created a huge number of websites and forums to support their activities. As reported by Ramsay G. (Defence Against Terrorism Review, 2009), around 2008 the total number of terrorist-related websites ranged between 5,300 (Gabriel Weimann, ‘The Psychology of Mass-Mediated Terrorism’, American Behavioural Scientist Vol 52, No 1, 2008, pp. 69-86) and 50,000 (Eric Swedlund, ‘UA effort sifting web for terror threat data’, Arizona Daily Star 24/09/2007). The FBI in a 2009 report estimated that at that time there were roughly 15,000 terrorist websites, of which 80% were hosted in the U.S. (Ryan, J. 2010). These numbers have been increasing over the years and current evaluations are now in the upper range of the previous numbers. Many real cases have shown that the use of the Internet has been fundamental in the radicalisation process and in the subsequent recruitment of extremists and terrorists. For sure, one of the most emblematic is the Roshonara Choudry case (Dodd, V.), who in 2010 was sentenced for the attempted murder of a Member of Parliament, Stephen Timms. In one of her declarations, Choudry, previously a brilliant English student well integrated in society, affirmed that she decided to kill a Member of Parliament as an extreme act of protest against the UK’s participation in the Iraq war. Investigators analysing her computer showed that the process of her transformation had started only six months prior to the day of the attack. By her admission (Cavallini, 2013), her radicalisation process was due to:
● the viewing of Anwar al-Awlaki’s videos (al-Awlaki, also known as the “Bin Laden of the Internet”, published a huge number of islamist videos and texts. He was killed with other Al-Qaida terrorists in Yemen during a US drone attack);
● the viewing of Abdullah Azzam’s videos (Azzam, also known as the “Father of the Global Jihad”, was the inspirer and mentor of Osama Bin Laden);
● the consultation of the jihadist website www.revolutionmuslim.com (at that time this website was hosted on US servers and was used to publish links, speeches, texts and videos to promote the jihad).
This episode is emblematic but, sadly, not unique, and this kind of use of Internet resources doesn’t belong only to the islamist groups; as noted before, almost all terrorist and extremist groups have an Internet presence. For example, right wing extremists also mainly use the publication of White Power Music videos to spread their xenophobic messages (Europol TE-SAT, 2012) and, as noted by the Italian Department of Information and Security in the “Relazione sulla politica dell’Informazione per la sicurezza” (Report on the policy of information for security) (2013): “In the last few years we have seen a growing interaction between the most radical groups (Germans, Austrians, Spanish, Swiss and Scandinavians). The use of the Internet plays a relevant role in the diffusion of xenophobic messages and in the recruitment of new supporters. The interactions among different right wing extremist groups are facilitated by the lack of a homogeneous legislation in all European countries.” As reported in the UNODC paper (2012), two other real cases are worth a mention: the Y. Tsouli case and the Hicheur case. The first one regards an individual, also known as Irhabi007 (Terrorist 007), who was sentenced to 16 years in prison for having created a lot of websites diffusing information about:
● the preparation of terrorist attacks, including the preparation of suicide bomb vests;
● radicalisation material along with videos of terrorist attacks, including decapitations of kidnapped hostages.
The second case regards a French nuclear physicist who was sentenced to 5 years in prison for having acted as a moderator of a jihadist website and for taking concrete steps to provide financial support to Al-Qaida in the Islamic Maghreb (AQIM).
Finally, it is important to note that forums and chatrooms have been more important for terrorist groups than websites. In fact, the possibility to interact and establish a real communication between supporters is a crucial factor for the success of the terrorist use of the Internet.
3.2 – The secrecy: cryptography, steganography and other approaches
From a security perspective, the terrorist use of Internet tools to assure the secrecy of their communications is one of the most controversial and fascinating aspects of the entire relationship between terrorists and Internet. There are real cases which show that some islamist groups, in less than ten years and despite their initial refusal to use Internet technology at all, have managed to arrive at a very sophisticated use of cryptography and steganography. In fact, as mentioned by Denning (2010): “the ‘Al Qaeda Training Manual’, found by British police and released by the Department of Justice in 2001, says nothing about computers, software, the Internet, cell phones, satellite phones, or other modern information technologies known to be used by al-Qaida. The section on secret writing and ciphers (lesson 13) makes no mention of modern cryptographic systems and is based entirely on manual methods that appear to be at least 50 to 100 years old.”
On the contrary, the present situation is characterized by a large use of sophisticated tools to ensure anonymity and confidentiality, such as TOR (The Onion Router) or “Mujaheddin Secrets” (see paragraph 3.2.2). However, many researchers (David B. reporting Campbell D. speaking at the DeepSec conference, 2012) point out that these sophisticated cases are not representative of the real average terrorist user.
3.2.1 - Naive approaches to secrecy
Frequently, there is an association between islamist ideology and the repudiation of modern technology. Indeed, technology is associated with the western (and, in their view, corrupted) lifestyle and therefore would entail a complete and aprioristic refusal on the part of the islamist terrorist. In fact, this situation has curbed the diffusion of modern cryptography and of a mature IT approach to secrecy. However, in the real world, it is nearly impossible to maintain a relationship with someone, whether they be two cities away or two plane rides away, without using modern communication tools such as emails and attachments. This conflicting situation can sometimes lead to the adoption of naive solutions that highlight their lack of comprehension of the set of problems inherent in trying to keep secrets on the Internet and their lack of ability and confidence when it comes to the art of cryptology.
The Rajib Karim case is a good example of this naive approach to secrecy. Karim (Dodd, V., 2011) was a British Airways employee who was convicted for fundraising for a terrorist organisation. Moreover, he had been in touch with Anwar al-Awlaki (as recalled in the previous paragraphs, he was a well known leading figure of Al-Qaida), with whom he exchanged a lot of compromising messages. Aware of the necessity to find a solution to guarantee the confidentiality of their communication, and despite Awlaki’s suggestion to use the encryption tool “Mujaheddin secrets” (see next paragraph), Karim adopted his own custom solution (Mcdonald, A. and Bryan-Low, C.). This was his composite approach:
● he used a website to exchange files instead of a public email system;
● he encrypted the files to exchange with the software Pretty Good Privacy (PGP);
● he created a shift cipher to encrypt the texts, using Microsoft Excel;
● he used a substitution method to avoid the use of real names and places, or compromising words.
All his efforts were worth nothing. After nine months of work the messages were brought back to the investigators completely decoded by the British intelligence services. Although his approach to cryptography was defined as sophisticated by some journalists and investigators, it denotes a lack of general comprehension of the mechanics of crypto combined with a mistrust of the open source tools that are normally used to encrypt files and messages. In particular, he missed the importance of using:
● verified encryption programs without known vulnerabilities;
● a very strong passphrase.
In fact the robustness of his solution relied solely on the encryption realised by PGP, because the shift cipher doesn’t add any real contribution to the security of the messages, as it is easily breakable using a statistical approach. Moreover, using a substitution mechanism to avoid the use of compromising terms is only of value in so much as it manages to avoid detection and elude the attention of law enforcement, but it holds almost no value whatsoever when it is used within an encrypted message. Finally, the avoidance of public email systems is a common trait of many terrorist plots and it has to be seen as a mere way to try to circumvent some automatic alert systems, but it has a very limited value in the case of an investigation.
3.2.2 - Real cryptography: Mujaheddin secrets, TOR and TrueCrypt
Besides the naive approaches recalled in the previous paragraph, there are other cases in which terrorists use effective cryptographic tools to communicate secretly and to store confidential information. In this field, it is worth noting the efforts invested in the development of one comprehensive crypto tool (also in Arabic) which encompasses within it a whole collection of open source cryptographic tools. This activity is aimed at introducing a terrorist tool that is directly linked to and approved by Al-Qaida, in the hope of overcoming the previously mentioned wariness in the use of cryptography by the islamist extremists. This tool is named “Mujaheddin Secrets” and it is currently available in version 2.0.
Some authors still doubt the authenticity of this tool, viewing it as a “trojan” created by western intelligence services. However, we do find some endorsement by al-Awlaki (as in the reported Karim case) and by some articles in the magazine “Inspire” (see image below) that give a clear idea about the authorship of this tool.
Figure 1 - Image of an article published in the magazine Inspire (Hypponen, M.)
As reported by Dancho Danchev, Mujaheddin Secrets version 2.0 (also “Asrar el Mojahedeen” in the Arabic version) was released by the Global Islamic Media Front (GIMF) in 2008 and this tool represents a serious improvement over version 1.0 in terms of functionality and ease of use. In fact, the following are the features of both versions: “Key features in the first version :
● Encryption algorithms using the best five in cryptography. (AES finalist algorithms)
● Symmetrical encryption keys along the 256-bit (Ultra Strong Symmetric Encryption)
● Encryption keys for symmetric length of 2048-bit RSA (husband of a public key and private)
● Pressure data ROM (the highest levels of pressure)
● Keys and encryption algorithms changing technology ghost (Stealthy Cipher)
● Automatic identification algorithm encryption during decoding (Cipher Auto-detection)
● Program consisting of one file Facility file does not need assistance to install and can run from the memory portable
● Scanning technology security for the files to be cleared with the impossibility of retrieving files (Files Shredder)
New features introduced in the second version :
● Multicast encrypted via text messages supporting the immediate use forums (Secure Messaging)
● Transfer files of all kinds to be shared across texts forums (Files to Text Encoding)
● Production of digital signature files and make sure it is correct
● Digital signature of messages and files and to ensure the authenticity of messages and files”
As it is possible to see in the following image, the Graphical User Interface (GUI) is very simple and it enables the use of cryptographic functions without any particular skills.
Figure 2 - GUI of “Mujaheddin Secrets” (Danchev, D.)
The real use of this tool was proven in court in the Hicheur case (UNODC). A French court proved that Hicheur used the Asrar encryption function to produce encrypted files and distribute them via Rapidshare in support of his terrorist activity.
The anonymizer tools are another class of tools well known by terrorists. UNODC, in the recalled 2012 report, stresses the importance of the use of “The Onion Router” for masking the source IP address used by terrorists to communicate. TOR bounces the communications around a distributed network of relays run by volunteers all around the world, giving an Internet user the chance:
● to prevent somebody from finding out what sites are visited;
● to prevent the visited sites from finding out the physical location of the user.
In fact, UNODC wrote about the use of TOR: “For example, applications such as The Onion Router may be used to protect the anonymity of users by automatically rerouting Internet activity via a network of proxy servers in order to mask its original source. Rerouting network traffic via multiple proxy servers, potentially located in different jurisdictions, increases the degree of difficulty of accurately identifying the originator of a transmission.”
As a further consideration about the use of TOR, I think that it is important to also mention another open source project, a Linux distribution named “Tails - The Amnesic Incognito Live System”. This is a USB (or DVD) Linux live distribution, based on the well known Debian distro, with the addition of an embedded use of TOR for external communications and the complete renunciation of the use of the PC’s hard-disk. On the Tails official website there is a clear statement about the main functionality offered by this live distro: “Using Tails on a computer doesn't alter or depend on the operating system installed on it. So you can use it in the same way on yours, the computer of a friend or one at your local library. After removing your Tails DVD or USB stick the computer can start again on its usual operating system.
Tails is configured with a special care to not use the computer's hard-disks, even if there is some swap space on it. The only storage space used by Tails is the RAM memory, which is automatically erased when the computer shuts down. So you won't leave any trace neither of the Tails system nor of what you did on the computer. That's why we call it "amnesic".
This allows you to work on sensitive documents on any computer and protect you from data recovery after shutdown. Of course, you can still explicitly save some documents to another USB or external hard-disk and take them away for future use.”
It is worth noting that Tails can be launched with a graphic interface that very much resembles the Windows XP GUI, thus enabling the user to launch it in public places without giving rise to any suspicion. That makes this tool the ideal companion for the terrorist who likes to use Internet cafés to communicate in a very confidential way. Moreover, the use of Tails and TOR gives access to a hidden part of Internet, the so called “Dark Web”, in which a lot of illegal activities are run and it is possible to find any kind of resource in complete anonymity.
In my opinion, the last tool that has to be mentioned is TrueCrypt, another robust and well documented open source project aimed at distributing a free encryption tool. Besides the robustness of the solution, there is a specific feature that distinguishes this tool from the other cryptographic tools: the possibility to create a so called “Hidden Volume”. The following is what is written on the official TrueCrypt website regarding this feature: “It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to solve such situations without revealing the password to your volume.
Figure 3 - The layout of a standard TrueCrypt volume before and after a hidden volume was created within it. (TrueCrypt official website)
The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it should be impossible to prove whether there is a hidden volume within it or not*, because free space on any TrueCrypt volume is always filled with random data when the volume is created** and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.”
It is apparent how such a feature can be useful for a suspect of terrorism to conceal compromising information regarding his/her illicit activity, and this capability certainly did not slip past the UNODC, which briefly mentioned it in its report.
3.2.2 - Steganography
Steganography is the science of secret writing and has a long history that started in the Middle Ages. As reported by Wikipedia, modern steganography “includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it.”
By changing the least significant bit of a range of pixels, steganographic tools leverage the limited capacity of the human eye to perceive slight differences in images; this makes steganography a powerful tool for exchanging secret information without giving rise to any suspicion. Indeed, the direct use of cryptography is per se something that makes a file suspicious to an investigator’s eye. Using a layer which disguises the cryptography allows the exchange of these kinds of suspicious files to go unnoticed.
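The LSB technique described in the two paragraphs above, together with the statistical check an investigator can run on a suspect image, as an added example written for this section (not code from the thesis or from any tool it mentions): the cover is a constructed grayscale buffer with the uneven LSB typical of camera output, and the detector is the standard "pairs of values" chi-square test.

```python
"""Added example (not from the thesis): LSB steganography and a chi-square detector.

Following the "change a pixel to carry a bit" idea described above, `embed`
writes message bits into the least significant bit (LSB) of pixels and
`extract` reads them back.  `pov_chi_square` is the classic Westfeld-Pfitzmann
"pairs of values" test: LSB embedding makes the two values of each pair
(2k, 2k+1) equally frequent, so a heavily loaded image scores far lower than
its cover.  The cover is a constructed grayscale buffer, not a real photo.
"""
import random

WIDTH, HEIGHT = 200, 200


def make_cover(seed: int = 1) -> bytearray:
    """Constructed 8-bit grayscale cover with an uneven LSB, as in camera output.

    Real images do not use the two values of a pair (2k, 2k+1) equally often;
    we imitate that by setting the LSB to 1 only 30% of the time.
    """
    rng = random.Random(seed)
    pixels = bytearray()
    for _ in range(WIDTH * HEIGHT):
        v = max(0, min(255, int(rng.gauss(128, 30))))
        pixels.append((v & 0xFE) | (1 if rng.random() < 0.3 else 0))
    return pixels


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover: bytearray, message: bytes, stride: int = 1) -> bytearray:
    """Store a length-prefixed message in the LSB of every `stride`-th pixel."""
    payload = len(message).to_bytes(4, 'big') + message
    if len(payload) * 8 * stride > len(cover):
        raise ValueError('message does not fit in the cover')
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(payload)):
        pos = idx * stride
        stego[pos] = (stego[pos] & 0xFE) | bit
    return stego


def extract(stego: bytearray, stride: int = 1) -> bytes:
    """Read the 4-byte length prefix, then that many bytes, from the LSB plane."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[(start_bit + b * 8 + i) * stride] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), 'big')
    if (4 + length) * 8 * stride > len(stego):
        raise ValueError('no valid length prefix: probably not a stego image')
    return read_bytes(32, length)


def pov_chi_square(pixels: bytearray) -> float:
    """Chi-square over pairs of values; low values suggest LSB embedding."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected > 0:
            stat += (hist[2 * k] - expected) ** 2 / expected
    return stat


def demo(seed: int = 1) -> tuple:
    """Return (cover statistic, stego statistic) for a nearly full embedding."""
    cover = make_cover(seed)
    rng = random.Random(seed + 1)
    # Random bytes stand in for an already encrypted payload (constructed).
    payload = bytes(rng.getrandbits(8) for _ in range(4900))
    stego = embed(cover, payload)
    return pov_chi_square(cover), pov_chi_square(stego)


if __name__ == '__main__':
    cover_stat, stego_stat = demo()
    print(f'cover chi-square {cover_stat:.1f}, stego chi-square {stego_stat:.1f}')
```

The test only reacts when a large fraction of the pixels has been modified; with the sparse "every 100th pixel" variant the pair statistics barely move, which is why, as the text notes, investigators usually need a prior suspicion before steganalysis yields anything.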
There are a lot of cases in which steganography was used to conceal messages and communication between terrorist groups; the most relevant, in my opinion, are the following two cases (Cavallini, 2013). The first example was Italy in 2004, where, after a very complex police operation (as reported by newspapers (Corriere della Sera, 2004), the “Operation Tracia”, which was 18 months long and entailed phone wiretapping, physical and digital interceptions, shadowings and an important work of digital decoding), 82 alleged terrorists were arrested in Turkey, an additional 54 in Belgium, Greece, Germany and the Netherlands and 5 more in Italy. They were all part of the Turkish left wing terrorist formation DHKP-C. In this case UNODC reports that the terrorists used the steganographic tool “Camouflage” to hide encrypted data within images (JPEG and GIF) exchanged via email systems. In this case, the Italian Carabinieri of the Raggruppamento Operativo Speciale (ROS) who carried out the investigation were able to gather or intercept encryption passwords and, with a further complex forensic analysis, to then identify and recover the hidden messages.
Another example of the use of steganography for terrorist purposes is seen with the arrest of a suspected member of Al-Qaida in Berlin. Maqsood Lodin, a 22 year old Austrian, on the 16th of May 2011 was stopped and questioned by the German Police after traveling to Berlin from Pakistan via Hungary (Infosecurity, 2012). He was found to have a memory stick hidden in his underpants and, as reported in 2012 by Gallagher S.: “he was found with a memory card with a password-protected folder—and the files within it were hidden. But, as the German newspaper Die Zeit reports, computer forensics experts from the German Federal Criminal Police (BKA) claim to have eventually uncovered its contents—what appeared to be a pornographic video called "KickAss." Within that video, they discovered 141 separate text files, containing what officials claim are documents detailing al-Qaeda operations and plans for future operations—among them, three entitled "Future Works," "Lessons Learned," and "Report on Operations." So just how does one store a terrorist’s home study library in a pirated porn video file? In this case the files had been hidden (unencrypted) within the video file through a well-known approach for concealing messages in plain sight: steganography.”
Storing information in a video means a lot of free space to hide messages and the added possibility to use different channels, such as audio, video and transitions, to create even more space. Detecting and recovering information that is otherwise concealed by steganographic tools is not too difficult, as long as the investigators have some suspicion that such tools have been used. However, if a combination of cryptography and steganography is used, a different investigative approach is needed, as the DHKP-C case showed well.
Finally, it is worth reporting that recently a Polish researcher, Mazurczyk W. at the Institute of Telecommunications in Warsaw, presented a project named SkypeHide by which it is possible to use the silence moments in a Skype call to exchange secret data (Marks, P. 2013). In fact Skype, rather than sending no data between spoken words, sends 70-bit-long data packets instead of the 130-bit ones that carry speech. The receiver ignores the packets carrying secret messages, which are decoded by the SkypeHide component. Since these secret packets are indistinguishable from silence-period traffic, their detection is very hard. The project will be presented at a steganography conference in June 2013.
Each one of the above mentioned tools is a very powerful element that could be used by terrorist groups to hide secret messages. Knowing the range of tools the terrorists have to work with, it would be very desirable at this point to set an international standard procedure aimed at discovering these instances and carrying out successful investigations.
4 – Internet as a way to fund groups and cells
The relationship between Internet and the funding of terrorist formations is complex but, in essence, there are three main activities in which Internet plays a fundamental role:
● fundraising
● money laundering
● money transferring
Fundraising of terrorist formations via Internet is now an ascertained fact. Terrorists use Internet to spread their message and solicit radicalised people and magnates to donate some money for their cause. Therefore many terrorist websites are devoted to this objective and some countries are very concerned by the presence of these websites because it is very difficult to control them. In fact, many countermeasures such as the closing of the websites are often ineffective or, worse, could be qualified as censorship. Besides solicitation to donate some money for their cause, many terrorist formations use more “creative” ways to realise their fundraising through Internet, for example practising carding[1] or selling computer games with extremist contents (UN-CTITF, 2009).
In the next paragraphs I will analyse the current scenario in which these illegal activities are carried out and I will describe some possible evolutions to expect in the near future.
4.1 - Main funding sources
Terrorist fundraising campaigns on Internet can be divided in three main typologies: direct solicitations, e-commerce and the illicit use of online payment systems. Regarding the direct solicitations, terrorist formations can use Internet as a means to create real “marketing campaigns”. Online tools are so sophisticated and easy to use that the realisation of an effective website to collect funds is something within everybody’s reach. Many studies showed (Burke, 2009) the efficacy of solicitation campaigns, mostly when videos are used, and for example this is one of the reasons why terrorists and insurgents invested so much energy in recording attacks during the Iraq war. In this case, the combination of video-cameras, PCs and Internet tools was a real game changer which allowed terrorist groups to collect a huge amount of donations and recruit a lot of volunteers. Also social networks were used to maintain this kind of point of presence in the net, creating a multifaceted approach to donations.
[1] Carding crimes are offenses in which the Internet is used to traffic in and exploit stolen credit card, bank account, and other personal identification information.
Figure 4 - A screenshot taken from the Long War Journal website (Joscelyn, T. 2013)
E-commerce, on the contrary, has a more limited importance and it is reported only by few nations (UNODC). The most frequent situation is linked to the sale of goods (CDs, DVDs, computer games, books, etc.) by some terrorist supporting organizations, so that a fraction of the collected money can effectively be sent to the operative groups.
Finally, the illicit use of online payment methods is one of the most interesting and worrying ways to fundraise terrorist formations because, in my view, it has the widest expansion margins. To analyse this phenomenon we can start from the clearest case proved in a court: the Tariq Al-Daour case. This individual was an accomplice of Y. Tsouli and his main activity was to collect money using stolen credit cards. In the black market he bought roughly 37,000 stolen credit cards along with the personal information needed to use them. Using these cards, Al-Daour was able to finance Tsouli’s online terrorist activity. In my opinion this case has to be perceived as a wake-up call because the situation can only worsen in the future. In fact, the skills needed to become a cybercriminal are ever more modest because it is easy to find black-market actors who sell at very cheap prices the “exploit kit” and the financial malware necessary to start illegal online operations. Furthermore, there are black-market operators who mimic the legitimate cloud computing providers by selling their tools in an “as-a-Service” form. Indeed, the so called “Malware-as-a-Service” (MaaS) scheme is now fully realised because everybody can easily find a “service provider” for all the pieces of software and the expertise needed to realise a botnet based on a financial malware. For example it is easy to find: the financial malware (Zeus, SpyEye, Citadel, etc.), the exploit kit (BlackHole, Phoenix, Eleonore, etc.) and the infection service, all sold in the form of services usable also by attackers who are not IT or security experts. Then a would-be terrorist or supporter can propose himself to his referents as an operative able to gather a lot of money in a short time, and this would be very appreciated by many terrorist formations. Supporting this vision there is the statement (Holehouse, M. 2012) of Commissioner Adrian Leppard, head of City of London Police, who said: “There is “plenty of evidence” that al-Qaeda and other terrorist groups are using the proceeds of online fraud to finance their activities. The police and security services are seeking to disrupt those lines of funding.”
Though I was not able to find much evidence for this statement, I know that, the moment there is a large scale collaboration between cybercriminals and terrorist groups, it will be a big problem, because identity theft, credit card theft, wire fraud, stock fraud and auction fraud are felonies easy to commit, with large profits and a lot less risk than other criminal activities. Furthermore, this collaboration will also entail the following “side benefits” for terrorist groups:
● access to the malware used for identity and data theft;
● introduction to the criminals who develop crimeware (see also 6.3.1);
● opening of new scenarios in which the so called “cyberweapons” are used (see also 6.3.2).
4.2 - Money laundering and ways to transfer funds
Internet is also used as a way to facilitate the distribution of the illegal funds gathered by the supporters of the extremist and terrorist formations. At the moment, one of the main means by which the funds are distributed by terrorists is the so called “Informal Value Transfer System”, that is, any system, mechanism or set of people who receive money just to pay an equivalent value to someone else in a different geographical location. To avoid leaving traces, the people involved in this form of financial transaction don’t have recourse to the conventional banks, so Internet can give a great help to establish and maintain all the needed connections.
Furthermore, the following Internet tools are very useful to launder the dirty money:
● electronic currency such as e-gold or Bitcoin;
● services like Liberty Reserve to transfer the money.
In essence, all the three fundamental operations to launder the money are easier and more effective with the use of Internet. In fact, the “Placement” (the transformation of the real money into virtual money), the “Layering” (the subdivision of the money into many small financial transactions) and the “Integration” (the final recomposition of the sum) are simplified and made untraceable by the use of Internet.
5 – Internet and the new opportunities for terrorists
Internet represented a big change in everybody’s life. Using Internet tools we can obtain a lot of information about people and companies simply by using a search engine or connecting to a social network. We can also interact with people and things at a new level via the use of mobile devices and we can easily reach unknown places guided by our smartphones. This is a world of new opportunities for everyone, unfortunately also for wrongdoers, who can leverage these opportunities to create new threats and new attack methodologies. Online tools can enable people to achieve new results and simplify everyday life, but this comes at the price of the creation of an increasing set of new vulnerabilities and dependencies on the online instruments that are waiting to be exploited by some criminals.
Apparently, terrorist groups aren’t so quick in modifying their consolidated ways to proceed, but there are examples that show a multiform reality in which some groups are keen to bring in some important innovations. The Mumbai attack in 2008 is one of these. In the next paragraphs I will analyse some aspects of that attack to show the real possibilities that Internet, cloud and mobile are opening for terrorists.
5.1 - Maps, geolocalization and smartphones
One of the most important innovations in our daily life is represented by online maps and GPS navigators and, above all, those integrated in mobile phones. By the use of these devices we learnt to move through previously unknown places without the necessity of wasting time in precautionary research or careful planning. Paper maps have almost completely vanished from our cars and our houses. This so important innovation has the side effect that a terrorist cell can move and operate in unknown territory with a surgical precision. This fact has already been found on the field during the Mumbai attack. In that bloody attack, a commando composed of ten terrorists was able to move and operate in a city where none of them had ever performed a real field reconnaissance. They were able to execute a very complex operation comprising three main targets (Taj Mahal Hotel, Oberoi Hotel and Nariman House) along with many secondary targets, doing battle with the Indian police first and then with the Indian army rushed to stop them. At the end of this folly more than 170 had fallen among civilians and law enforcement agents (Wikipedia, 2013). During the subsequent trial it was made clear that all of this was possible also because:
● there was a previous accurate planning with the use of Google Earth;
● they were able to follow the plan and the established paths with the use of GPS devices;
● they were able to react to the police actions using smartphones to know exactly the situation in real time.
Before this attack, a clear vision of the possible evil side of Google Earth or of the use of smartphones was not widespread among the general public but was limited to some researchers and military entities. Since this discovery was a shock for society there were some petitions to ban or limit the information published by Google Earth, and Bruce Schneier in an article on the Guardian (2009) explained the dangers of the reactions to this kind of fear. I agree with Schneier’s vision but I think that it is also important to analyse in advance the possible impact of new technologies to have plans in case of an emergency. Knowledge and preparedness are the keys to save lives and minimise the impact of an attack.
5.2 - Information gathering
As for anyone, one of the most interesting things that a terrorist can do on the Internet is to surf the web looking for some information. Gaining information about someone or about some target using the Internet (such activity is often qualified as OSINT, Open Source Intelligence, or CYBERINT, Cyber Intelligence) has become one of the fundamental steps during the preparation and the planning of an attack. On the Internet it is possible to find detailed information about the logistics, the organisation and the side conditions of every public place and of the majority of companies and agencies. Moreover, with the diffusion of webcams, it is also possible to verify the real conditions in the field without being physically in the place, gaining information and spotting every variation throughout time about, for example, traffic conditions, crowding and the positioning of law enforcement agents. Using only public search engines it is possible to gain a clear and complete view of targets, and those data can be used to plan an attack or to multiply the impact of the attack itself. For example, a relatively new search engine that, in my opinion, could be very important in the future is Shodan. This is a search engine devoted to data retrieval on SCADA (Supervisory Control And Data Acquisition) systems. On Shodan, everyone can find information ranging from HVAC (Heating, Ventilation, and Air Conditioning) systems of schools and hospitals to public and private surveillance cameras to systems used by large industries to control their manufacturing processes. Moreover, these data can be sorted by country, brand, model, version, etc. using a specific set of queries provided by the site. As it is easy to deduce, the information that can be gathered through Shodan by a terrorist group (but not only) could represent a major threat for all the industrialised countries, so I think that an initiative like Shodan has to be carefully scrutinised to clearly define the impact of the diffusion of this kind of information, mostly in the case of critical infrastructures.
I think that some relationships with the owner of the site should also be established by the governmental agencies devoted to critical infrastructure protection, to create a sort of alerting system in case of disclosure of sensitive information. In fact, though it is clear to me that every action toward a limitation of the use of the Internet has to be avoided because of the dangers that are implied, this doesn’t mean that some mitigating measures shouldn’t be adopted. For example, a confidential tool that sends automatic warnings to some governmental agencies in case of a positive match for a keyword or a regular expression in the query results could be fundamental to mitigate the evil potential of the use of such a search engine. Finally, OSINT and CYBERINT are made easier for everyone, including terrorists, by the general habit of publishing private and personal information on social networks. This new situation has produced a great mass of data that can be easily and efficiently examined in search of ways to exploit some personal and public vulnerabilities.
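The alerting tool proposed above (a confidential watch-list of keywords and regular expressions matched against device search results, with a warning sent to the agency when a protected asset shows up) can be sketched in a few dozen lines. The following Python script is an added example written for this section; it is not part of the thesis and it does not use Shodan's real API. The banner records, the organisation names and the IP addresses are constructed for the example, and the watch-list rules are assumptions about what an agency would want to be warned of.

```python
import re
from dataclasses import dataclass

# Constructed sample records, shaped like the banner results a device search
# engine returns (IP, port, owning organisation, banner text). The addresses
# are documentation ranges and the organisations are invented.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 80, "org": "Example Water Utility",
     "banner": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<title>Index of /smartmeter-docs</title>"},
    {"ip": "203.0.113.25", "port": 502, "org": "Example Water Utility",
     "banner": "Modbus/TCP device identification: Unit ID 1, vendor ExampleCo"},
    {"ip": "198.51.100.7", "port": 80, "org": "Unrelated Hosting GmbH",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Welcome</title>"},
    {"ip": "198.51.100.40", "port": 8080, "org": "Example Energy SpA",
     "banner": "HTTP/1.1 200 OK\r\n\r\n<title>Power station management console - login</title>"},
]

# Watch-list: rule name -> compiled regular expression (assumed rules; a real
# deployment would load these from a confidential file kept by the agency).
WATCHLIST = {
    "protected-org": re.compile(r"Example (Water Utility|Energy SpA)"),
    "ics-protocol": re.compile(r"\b(Modbus|DNP3|BACnet)\b", re.IGNORECASE),
    "open-dir-listing": re.compile(r"<title>Index of /", re.IGNORECASE),
    "management-console": re.compile(r"management console", re.IGNORECASE),
}


@dataclass(frozen=True)
class Alert:
    ip: str
    port: int
    rule: str
    evidence: str


def scan(records, watchlist, seen):
    """Return alerts for records matching the watch-list.

    `seen` is a set of (ip, port, rule) keys kept between polls so that an
    exposure is reported once, when it first appears, not on every run."""
    alerts = []
    for rec in records:
        haystack = f"{rec['org']}\n{rec['banner']}"
        for rule, pattern in watchlist.items():
            match = pattern.search(haystack)
            if match is None:
                continue
            key = (rec["ip"], rec["port"], rule)
            if key in seen:
                continue
            seen.add(key)
            alerts.append(Alert(rec["ip"], rec["port"], rule, match.group(0)))
    return alerts


def rules_for_host(alerts, ip):
    """Set of rule names that fired for one host, for a per-asset summary."""
    return {a.rule for a in alerts if a.ip == ip}


def format_warning(alert):
    """The line that would be sent to the agency (here just printed)."""
    return f"[exposure] {alert.ip}:{alert.port} matched '{alert.rule}' -> {alert.evidence!r}"


def poll_twice(records=SAMPLE_RECORDS, watchlist=WATCHLIST):
    """Simulate two consecutive polls sharing state; returns (first, second) counts."""
    seen = set()
    first = scan(records, watchlist, seen)
    second = scan(records, watchlist, seen)
    return len(first), len(second)


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS, WATCHLIST, set()):
        print(format_warning(alert))
    print("alerts on first/second poll:", poll_twice())
```

The state set is what makes this usable as an alerting system rather than a report: the agency is warned when a protected organisation's console or an ICS protocol banner first appears in the results, and silence on later polls means nothing new was exposed. Matching on the organisation field as well as the banner is deliberate, since the most useful rule for a national agency is simply "any of our operators' assets became visible at all".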
5.3 - Simulators and augmented reality
Our relationship with reality has profoundly changed with information technology and the Internet; now we are used to interacting with physical objects with the awareness that, in case of need, we can immediately obtain information, help and manuals to guide us. Furthermore we know that, in many situations, we can easily find a simulator that can help us to gain confidence with the use of complex objects such as an aeroplane or a racing car. Some real attacks had been prepared with the use of simulators and two cases hit public opinion particularly: the 9/11 and Oslo attacks. In both cases it was proved in court that the terrorists had prepared their actions with the help of some simulators: in the 9/11 case they used a flight simulator to practise the manoeuvre to hit the towers, and in the Oslo case Breivik used a holographic aiming device to develop target acquisition and to transform himself into a cold-blooded killer (Pidd, 2012). Both cases represent another kind of evil use of innocuous tools by terrorists who showed the capacity to use “lateral thinking” to achieve their evil goals. Remaining on the malicious use of innocuous objects, I found a new Internet device that, in my opinion, is the perfect candidate to be the new helping tool in a big terrorist attack: Google Glass.
Google Glass is a device fundamentally based on augmented reality, which according to the Wikipedia definition is: “a live, direct or indirect, view of a physical, real-world environment whose elements are augmented (or supplemented) by computer-generated sensory input such as sound, video, graphics or GPS data.”
Wearing this device and giving vocal commands or touching the arm, it is possible:
● to see contextual information,
● to see the directions to reach a destination,
● to send and receive messages and emails,
● to shoot a photo or record a video,
● to perform Internet searches,
● to interact with social networks, and
● in the future, to recognize people, obtaining also a set of information about them.
Substantially, using this device, a tourist will be able to have information about the Colosseum just by watching the ancient ruins, but a terrorist commando will be guided through an unknown path to attack a target that will be automatically recognized the moment it appears.
Figure 5 - A photo taken from the article "Google Buys Image and Gesture Recognition Company Viewdle" (Ningauble, 2012)
It is also important to note that, though at the moment there is a very limited diffusion of this device, the security of Google Glass has recently been violated by finding a procedure to perform the so-called “jailbreak” and gain root privileges (Gizmodo, 2013). This condition is very worrying because in this way it is possible, for example, to install unapproved software and modify the modes of use of the hardware, forcing the glasses to perform new actions or to be used in an unapproved new way. But Google Glass is not unique; there are other HUDs (Head-Up Displays) on the market, and one of these is particularly interesting for my reasoning: the Brother AiRScouter. This is a tool used in industry to help workers perform complex tasks without previous specific knowledge, interacting with an expert and viewing contextual explanatory images.
Figure 6 - An image taken from the video "AiRScouter" see-through type head-mounted display of Brother, (2011)
This technology can open a new world of possibilities for a terrorist group, which can gain enormous power by extending its possibilities to operate and to carry out attacks. So, at the moment my hypotheses are only a fantasy, but I think that when these devices are widespread among the public there will be someone ready to exploit their hidden evil side. Hence, a complete analysis of these scenarios is needed to be prepared to face possible future emergencies.
6 - Cyberterrorism
In the following paragraphs I will analyse the complex problems deriving from the use of the Internet by a terrorist group to directly attack a target. It is important to remember (see par. 2.2) that to have a cyber terrorist attack there has to be a physical effect or, as described in the NATO definition, sufficient destruction or disruption to generate fear or to intimidate a society. Due to the blurriness of the definition I will start by analysing some borderline phenomena to arrive, at the end of the chapter, at the assessment of the risk of a specific cyber terrorist attack.
6.1 - Hacktivism or terrorism
Hacktivism is a term derived from the fusion of the words “hacking” and “activism”, and it is used to indicate some kinds of activities and attacks based on the use of the Internet and aimed at the expression of a civil protest. Wikipedia defines hacktivism as: “the use of computers and computer networks to promote political ends, chiefly free speech, human rights, and information ethics. It is carried out under the premise that proper use of technology can produce results similar to those of conventional acts of protest, activism, and civil disobedience.”
But throughout time, this form of civil disobedience has assumed various forms and some of them are not close to the classical intended objectives. In particular, in the last years we saw a marked increase of some actions with questionable purposes, carried out with definitely illegal means. I’m mostly referring to some actions carried out by Anonymous, one of those most responsible for these crimes. At the moment the most diffused forms of (so called) hacktivism actions are the following:
● Data breaches
● Distributed Denial of Service (DDoS)
● Defacements
Due to the nature of these methods, some doubts have arisen on the nature of these attacks and some governmental exponents classified them as real acts of terrorism. The question is important because these kinds of attacks have the potential to cause the “disruption to generate fear or to intimidate a society into an ideological goal” referred to in the NATO definition of cybercrime. In the next two paragraphs I will analyse some cases just to explore the perimeter of this question and to find a plausible answer.
6.1.1 - Is DDoS always only a form of protest?
DDoS is one of the first forms of protest used over the Internet. It was assimilated to a sit-in or a strike, where many people occupying a public place stop the traffic or the access to a building. For a long time, the methods used to perform this kind of action were representative of such a form of protest. In fact, many people were requested to contact an Internet resource (or send an email) at a precise time and, if the virtual crowd was large enough, the DDoS was successful and the site (or the mail server) collapsed under the quantity of connections (or emails). Subsequently, Internet websites became capable of withstanding all the connections generated by simple browsers even in the presence of a large number of protesters, so specific pieces of software were written to multiply the number of connections generated by every protester. Throughout time many of these programs were released on the net but, recently, the program called “Low Orbit Ion Cannon” (LOIC), the one used by Anonymous, gained a very large popularity. Armed with this tool, many hacktivists chose a target and started a coordinated action at the signal “Tango down”. These actions in Italy and in other countries were able to deny access to many important websites, including governmental sites and sites owned by big companies. But in Italy an interesting phenomenon started: after some arrests, the number of hacktivists became insufficient to perform successful operations even using LOIC, so some prominent elements in AnonItaly started to use botnets to achieve the result of blocking their Internet targets. In my opinion, the use of botnets is a clear discriminant between a form of civil protest and a pure felony. In fact, when two or three people decide to impose their will through the use of an illegal tool, typically used by cybercriminals, there can be no form of excuse. This is a crime. Furthermore, there is a clear example where this crime becomes so disruptive that the NATO definition of terrorism starts to be applicable. This example is known as “Operation Ababil”. Operation Ababil is a sequence of impressive DDoS attacks against the U.S. financial sector, started after the publication of the controversial video “The Innocence of Muslims”, considered insulting by many Muslims all over the world. A formation self-proclaimed “Izz ad-Din al-Qassam Cyber Fighters” claimed responsibility for this series of attacks.
This formation, whose name is inspired by a famous Palestinian revolutionary, also recalls the name of the terrorist formation “Izz ad-Din al-Qassam Brigades” that has the role of Hamas’s armed force. The peculiarity of these attacks was the use of web servers as enslaved elements of the botnet (Atias, 2013); in fact the Incapsula team discovered a piece of malware hidden in a UK web server that was receiving commands from remote, forcing it to flood some US bank sites.
Figure 7 - An image taken from the blog post “Under the Hood of the Cyber Attack on U.S. Banks” (Atias, 2013)
Using this toolkit, named “itsoknoproblembro”, the hackers can utilise more connectivity than with a simple PC; moreover, in some cases they also use the elasticity granted by cloud computing infrastructure to obtain even more power. Leveraging the web server vulnerabilities, these attacks have been as large as 60 Gbps with some peaks of 100 Gbps. The difficulties in managing these kinds of attack were so important that the American bank association requested government intervention, which was granted at the beginning of 2013 in the form of a collaboration with the NSA. Finally, in recent times DDoS attacks showed the potential to disrupt the normal way of life; in fact, in 2008 a massive DDoS attack put a strain on a small country with a heavy use of online technologies like Estonia. In that case, an active role of Russia was hypothesised, but the potential to produce severe damage to a high-tech country remains very high even if only a small group with access to large botnets is involved.
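The paragraph above traces DDoS from volunteer browser reloads to LOIC and then to botnets. Whatever the source, the thing a site operator sees first is the web server access log, and the simplest defensive check is the one every protest-era DDoS already defeated: how many requests does one source make in a short window? The Python script below is an added example, not part of the thesis or of any vendor's product; the log lines are constructed in the documentation address ranges, and the window and threshold values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (ip, timestamp, path), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def max_requests_in_window(timestamps, window):
    """Largest number of requests inside any `window` seconds
    (two-pointer sweep over the sorted timestamps)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > timedelta(seconds=window):
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_floods(lines, window=5, threshold=20):
    """Sources whose peak request rate exceeds `threshold` per `window` seconds.
    Returns a list of (ip, peak_count, distinct_paths), busiest first."""
    per_ip = defaultdict(list)
    paths = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # skip malformed lines instead of aborting
        ip, ts, path = parsed
        per_ip[ip].append(ts)
        paths[ip].add(path)
    flagged = []
    for ip, stamps in per_ip.items():
        peak = max_requests_in_window(stamps, window)
        if peak > threshold:
            flagged.append((ip, peak, len(paths[ip])))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# --- Constructed sample log (not real traffic) ---------------------------
BASE = datetime(2013, 6, 10, 14, 5, 0, tzinfo=timezone.utc)


def _line(ip, ts, path):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')


def build_sample_log():
    lines = []
    # One source hammering the front page: 30 requests within 3 seconds.
    for i in range(30):
        lines.append(_line("198.51.100.9", BASE + timedelta(seconds=i // 10), "/"))
    # An ordinary visitor browsing a few pages over a minute.
    for i, path in enumerate(["/", "/news", "/contact", "/about"]):
        lines.append(_line("203.0.113.5", BASE + timedelta(seconds=15 * i), path))
    # A busy but legitimate crawler: 6 requests in 5 seconds, below threshold.
    for i in range(6):
        lines.append(_line("192.0.2.33", BASE + timedelta(seconds=i), f"/page{i}"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, peak, distinct in detect_floods(build_sample_log()):
        print(f"flood suspect {ip}: {peak} requests in 5 s window, {distinct} distinct path(s)")
```

The distinct-path count is reported alongside the peak because it separates a crawler, which walks many URLs, from a flooding tool that hits the same page repeatedly. Against a botnet of the size described in the paragraph, per-source thresholds only identify the participants; the volume itself has to be absorbed upstream, which is why the banks turned to outside help.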
6.1.2 - Other forms of protest or other attacks?
Other recent attacks are very close to the NATO definition of cyberterrorism; for example, in Israel there was a leakage of a massive number of credit cards by a hacker known as 0xOmar of “group-xp”, a politically motivated Saudi Arab crew (Cavallini, 2012). 0xOmar published on Pastebin an announcement in which he claimed to have made available more than 400,000 Israeli credit cards along with the necessary data to use them, promising to reach the number of 1 million cards in the future. In Israel there are roughly 6 million credit cards and the supposed number of leaked cards was enough to create a very complex problem with a lot of repercussions on civil society. Luckily the real number of leaked cards was much lower than announced, so the damage was limited, but the statement of 0xOmar was interesting because it clearly exposed a political motive and an intention to create disruption in Israeli society; in fact he wrote:
"What's fun for us? - Watching 400,000 people gathered in front of Israeli credit card companies and banks, complaining about cards and that they are stolen - Watching Israeli banks shredding 400,000 credit cards and re-generate new cards (so costly, huh?) - Watching people purchasing stuff for theirself using the cards and making Israeli credit cards untrustable in the world, like Nigerian credit cards - and much more... "
This episode showed an “innovative” approach in which cybercrime techniques were used to create turbulence instead of illegal profits, and represents a real episode that sits between hacktivism and cyberterrorism. Furthermore, very recently, the International Organization of Securities Commissions (IOSCO) published the report “Cyber-crime, securities markets and systemic risk” (IOSCO-WFE, 2013), in which the following is written regarding cybercrime attacks on exchanges: “Attacks tend to be disruptive in nature (rather than aiming for immediate financial gain). The most common forms of attack reported in the survey are Denial of Service attacks and malicious code (viruses). These categories of attack were also reported as the most disruptive. Financial theft did not feature in any of the responses. This suggests a shift in motive for cyber-crime in securities markets, away from financial gain and towards more destabilizing aims. It also distinguishes cyber-crime in securities markets from traditional crimes against the financial sector e.g. fraud, theft.”
So, differently from what is stated by Pollit about the necessary conditions to spot a cyber terrorist attack, I think that the disruption condition invoked by the NATO definition is more suitable to describe future attacks, because the use of Internet tools opens the possibility to cause large damage and spread fear in society without having recourse to real violence.
6.2 - Targets and scenarios
Analysing the threat of a cyber terrorist attack, it is apparent that not all the possible targets and techniques are suitable, because the majority of the classical Internet attacks are focused on the realisation of a financial gain. But, should an attack be launched against systems and networks, the following would be at risk (Goodman, 2008):
● The Internet - with attacks against its infrastructure (e.g. DNS)
● Embedded/real-time computing - with attacks against:
    ○ systems for air traffic control
    ○ SCADA systems
    ○ switching of telecommunications
    ○ bank teller machines
    ○ floodgates.
● Dedicated computing devices - with attacks against servers and desktop computers
I would like to highlight that an act of cyberterrorism can benefit from some advantages compared to usual kinetic attacks: in fact, on average, a cyber attack is facilitated in the reconnaissance step, can be launched remotely without a physical presence in the attacked place, and can leverage the complexity of modern infrastructures and the general diffusion of vulnerabilities. Furthermore the investigations could be very difficult because of the presence of different legislations and because of the lack of a widespread standard for forensic activities.
On the contrary, I think that there are also some disadvantages that have to be considered and among those the most important are:
● the difficulty in the attribution (anyone can claim, or deny, the responsibility for such an attack)
● these attacks are good for sabotage and denial of service but are not so “immediate” as a car bombing or a shooting
● the recovery time after a cyber attack can be faster than that needed after a physical attack.
Generally speaking the first scenario that comes to mind analysing a possible cyber attack is an attack against a national critical infrastructure (defined by the DHS as the assets, systems, and networks, whether physical or virtual, so vital to a country that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof). In this scenario, SCADA systems play the major role and I will analyse in detail the impact and the characteristics of an attack against these systems in the next paragraph.
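The June 2013 attacks on DNS providers discussed in the next paragraph were based on DNS reflection against authoritative servers: queries carrying the victim's forged source address are sent to the server, whose much larger answers land on the victim. From the defender's side, the abused authoritative server can recognise from its own query log that it is being used as a reflector, because one "client" suddenly asks the same large question thousands of times. The Python script below is an added example, not part of the thesis or of any provider's tooling; the one-line-per-query log format, the addresses and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict


# Constructed authoritative-server query log, one query per line:
#   <client_ip> <qname> <qtype> <request_bytes> <response_bytes>
# Addresses are documentation ranges; nothing here is real traffic.
def build_sample_log():
    lines = []
    # 50 identical ANY queries "from" one address: the hallmark of reflection,
    # where the victim's address is forged as the query source.
    lines += ["192.0.2.77 example.net ANY 60 3100"] * 50
    # Ordinary recursive resolvers asking varied questions with small answers.
    lines += [
        "203.0.113.5 www.example.net A 45 61",
        "203.0.113.5 mail.example.net MX 47 95",
        "203.0.113.5 example.net ANY 60 3100",      # one ANY query is normal
        "198.51.100.12 example.net TXT 44 300",
        "198.51.100.12 www.example.net AAAA 48 76",
        "malformed line",
    ]
    return lines


def parse_line(line):
    """Return (ip, qname, qtype, req_bytes, resp_bytes) or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ip, qname, qtype, req, resp = parts
    try:
        return ip, qname, qtype, int(req), int(resp)
    except ValueError:
        return None


def per_source_stats(lines):
    """Aggregate query count, bytes in/out and question histogram per source."""
    stats = defaultdict(lambda: {"queries": 0, "req_bytes": 0,
                                 "resp_bytes": 0, "qnames": Counter()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, qname, qtype, req, resp = parsed
        s = stats[ip]
        s["queries"] += 1
        s["req_bytes"] += req
        s["resp_bytes"] += resp
        s["qnames"][(qname, qtype)] += 1
    return stats


def find_reflection_victims(lines, min_queries=25, min_ratio=10.0):
    """Sources that look like forged victims: many queries and a high
    response/request byte ratio concentrated on one record.
    Returns a list of dicts sorted by amplification ratio, highest first."""
    victims = []
    for ip, s in per_source_stats(lines).items():
        ratio = s["resp_bytes"] / s["req_bytes"]
        (top_name, top_type), top_count = s["qnames"].most_common(1)[0]
        if s["queries"] >= min_queries and ratio >= min_ratio:
            victims.append({
                "ip": ip,
                "queries": s["queries"],
                "ratio": round(ratio, 1),
                "top_query": f"{top_name} {top_type}",
                "concentration": round(top_count / s["queries"], 2),
            })
    return sorted(victims, key=lambda v: v["ratio"], reverse=True)


if __name__ == "__main__":
    for v in find_reflection_victims(build_sample_log()):
        print(f"probable reflection victim {v['ip']}: {v['queries']} queries, "
              f"x{v['ratio']} amplification, {v['concentration']:.0%} on {v['top_query']}")
```

Both conditions matter: a legitimate resolver may occasionally ask an ANY question with a large answer (the single one from 203.0.113.5 is not flagged), and a busy resolver may send many queries, but only a forged victim combines volume, amplification and a single repeated question. The standard operational response on the authoritative side is per-source response rate limiting, which caps answers to exactly the sources this check surfaces.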
Finally, it is worth noting that the Internet itself is a significant target for an eventual attack. Particularly the Domain Name System (DNS) is prone to attacks that have the potential to disrupt the correct structure of the Internet. Throughout time there have been attacks against this fundamental component of the Internet and recently (June 2013) there were three seemingly coordinated attacks against three different DNS providers: DNSimple, easyDNS and TPP Wholesale. These coordinated attacks highlight the disruptive potential of this kind of attack (Constantin L., 2013). This wave of attacks was characterised by a DDoS approach that put the providers in a difficult position, blocking their service supply. Most of these attacks share the same patterns and were fundamentally based on a DNS reflection technique against authoritative DNS servers, an uncommon technique that requires an extra effort by the attackers to determine precisely the mapping between the resource and the DNS server. If an attack like this is sufficiently large, involving a significant number of DNS providers, some real consequences are possible, resulting in the impossibility to connect to Internet resources.
6.2.1 – Critical infrastructure and SCADA systems
As previously recalled, one of the main targets of terrorist attacks is critical infrastructure. These represent a suitable target for anyone who wants to cause large damage to a national state, and their protection is a field in which modern countries have invested a lot of effort and money. By their nature, critical infrastructures are vulnerable to many attacks, both physical and cyber, and often also have many interdependencies that link them with each other. SCADA and ICS systems are the means by which a layer of automation is put in current productive processes, critical infrastructure included. SCADA systems are used in real-time monitoring and process control in many sectors such as controlling pipeline flows for water, oil and gas, managing transport systems, managing chemical, nuclear and electrical plants and many more. The problem is that SCADA systems are affected by a large number of vulnerabilities such as the following:
● Traditionally relied on security by obscurity
● Increasingly interconnected with private and public networks using common protocols
● Increasingly using COTS (Commercial Off-The-Shelf) products and sharing the same vulnerabilities, threats and challenges as other Internet connected networks.
There is a lot of evidence that these vulnerabilities are exploited by attackers in real episodes and there are many initiatives aimed at the reduction of their vulnerabilities. One of the most significant is ICS-CERT, the Industrial Control Systems Cyber Emergency Response Team (a team from DHS), that works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among government and control systems owners, operators, and vendors. In a report of the newsletter “ICS-CERT Monitor April-June 2013” there is an analysis of the cyber incidents in 2012 that highlights a general increase of such attacks (more than 200 reported attacks on critical infrastructures in the period October 1st 2012-May 2013) and an apparent focus against the energy sector, which is the target of more than half of the attacks. Again a direct financial gain is not an objective of the attackers.
Figure 8 - The attack distribution among critical infrastructure sectors (ICS-CERT, 2013)
Interestingly Ralph Langner, one of the most famous experts on SCADA security, gives an interpretation key for this kind of data. In fact, in 2012 he wrote for The New York Times: “In cyberspace, the real threat comes from non-state actors against which military deterrence is powerless. It does not require the resources of a nation state to develop cyber weapons. I could achieve that by myself with just a handful of freelance experts. Any U.S. power plant, including nuclear, is much easier to cyberattack than the heavily guarded facilities in Iran. An attacker who is not interested in engaging in a long-term campaign with sophisticated disguise (which rogue player would be?) needs to invest only a tiny fraction of effort compared to Stuxnet.”
All these facts suggest that SCADA and ICS could be an ideal target for a cyber terrorist attack. In the following paragraphs I will analyse more closely a couple of specific sectors that are probably good candidates as targets. This analysis is so diffused and agreed upon that on 12 February 2013 President Obama issued an executive order titled “Improving Critical Infrastructure Cybersecurity”, in which it is stated that the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges that has to be confronted. The core of this executive order is, in my opinion, the decision to sponsor a program to develop a “Cybersecurity Framework” that includes a set of standards, methodologies, procedures, and processes to align policy, business, and technological approaches in addressing cyber risks.
6.2.2 – Threat and vulnerabilities of the energy sector
Regarding the energy sector there is an interesting situation in which some providers are becoming aware that, to implement smart grids and other cutting-edge technologies that allow an easier and interactive way to communicate with energy meters, it is necessary to put in place a secure environment. On the contrary, there is a consolidated managing approach to keep critical systems untouched in order to maintain the reliability of operational levels. Furthermore, the general consideration given to the theme of cybersecurity within many critical infrastructure providers is very low because of some misleading beliefs, such as the presence of the so-called “air-gaps”, a physical separation between the operational internal network and the big Internet. During my research I had the opportunity to have proof of this situation. In fact, exploring the Internet in search of information about the security of smart meters, I found many documents and sites that put in evidence some real vulnerabilities in operational systems. This situation added another concern: the easiness of finding sensitive information over the Internet. In the following I will treat two examples of my findings. For the first example, during my research I found a press release in which it is stated that, to counter cyber threats, an electric power company has chosen a specific site (with the indication of the precise physical address) as a center for cyber security. It is also said that, inside this center, this company reproduced an entire power station and simulated attacks of different types to see how systems react. The press release said that the response was not the best: "A computer in the network was able to control the valves that manage the regulation of the fuel to the turbine. At that point the company started a program to cope with these shortcomings with the result of a new and more robust security system that is routinely tested using a simulator.” Using this information I could easily find a (sadly misconfigured) web server in which there are plenty of documents about this project. The majority of the documents are (semi) public, but the fact of finding all the material concentrated in one (vulnerable) web server represents a disturbing event.
Figure 9 - A screenshot of the vulnerable web-server in which are accessible the ENEA-ENEL project documents (2013)
This material could be very helpful for someone who is preparing an attack because it lays the groundwork for further and more exhaustive research and gives a lot of indications about the logic applied in the countermeasures. Regarding the second example, searching for the presence of smart meters on the Internet, I found a web server (again poorly configured) that publishes a complete management console in which all the real functioning parameters of a demo power station located in Belgium are accessible.
Figure 10 - A screenshot of the Home page of the management console published by Schneider Electric (2013)
Figure 11 - An example of the information that can be accessed using the Schneider Electric’s website (2013)
To give a simple example of the open source intelligence that can be done using just an insignificant part of these data, I want to mention the other result I found using the image of the plant in the Google Image Search feature. The following article states that 52 jobs are at risk in that plant because of a project of internal reorganisation. This information can be very useful for a terrorist to infiltrate among disgruntled employees or to contact someone in order to obtain sensitive information in exchange for money.
Figure 12 - The article about the possible job reduction in the Schneider Electric’s plant (2012)
All the exposed facts contribute to depict a worrying situation in which the possibility of gaining the pieces of information necessary to plan and execute an attack in the energy sector against a critical infrastructure and its managing components is real and effective.
6.2.3 – Are the transportation systems really at risk?
Another sector that has been repeatedly reported to be at risk of cyber attack is transportation systems. Many researchers concur in considering that the computerised systems that manage airplanes, trains, metros and even ships are usually not updated and have many unresolved vulnerabilities. This fact is mainly due to the necessity for these systems to be always up and running, while having enormous difficulties in setting up a clone system in which to test the patches and fixes prior to deploying them in the operational system. So the most probable situation is that these systems are carefully tweaked once before passing the first test and then remain in the same state for all their operational life. Unfortunately this choice causes the continuous widening of the attack surface because of the discovery of new vulnerabilities in the operating systems and in the specific applications. A manna for all kinds of attackers, cyber-terrorists included. Among others, a real case that happened in Poland in 2008 (Baker G., 2008) shows the hidden potential of this kind of attack. A 14-year-old Polish schoolboy in Lodz, after a period of studying and discovering, was able to prepare a sort of infrared remote control that forced the Lodz tram system track points to change position, causing a deviation of the arriving trams. He probably underestimated the power in his hands and the potential consequences of his acts, so, using his remote control, he caused the derailment of four trams and many other problems. 12 people were injured and only by luck nobody died. Anyone can easily imagine the power of such a remote control if in the possession of a group of terrorists.
Changing scenery, there is a recent study about the cyber vulnerabilities of the U.S. port facilities (Kramek J., 2013) that highlights some problems in the management systems of the U.S. ports. For example, Commander Kramek highlights that the Port of Houston presents a high reliance on networked systems for its terminal operations and security, but the IT department has neither done a cyber security vulnerability assessment on its systems nor developed a cyber security incident response plan. Sadly, Commander Kramek wrote: "If PHA were the victim of a cyber attack, it does not view any federal government agency as a partner. Rather, it would rely upon in-house IT staff to manage any response."
But in other parts the Kramek report is definitely less convincing. For example, when he affirms more than once that: "In the midst of this lacuna of authority is a sobering fact: according to the most recent National Intelligence Estimate (NIE) the next terrorist attack on U.S. Critical Infrastructure and Key Resources (CIKR) is just as likely to be a cyber attack as a kinetic attack", citing an article published in the Washington Post (Nakashima E., 2013) that treats only the topic of cyber espionage without writing the word "terrorism" even once. Moreover, I couldn't find another reference or an independent link that supports Kramek's assertion.
Citing this report I want to show how much confusion there is around these themes and how easy it is to leap to unverified conclusions in this field, in which the word "cyber" is put before everything to create new scenarios and, sometimes, to disseminate FUD (Fear, Uncertainty and Doubt).
6.3 – New opportunities for the cyber-terrorists
As I stated in the previous chapters, a physical effect of some kind is necessary to be able to classify a cyber attack as cyberterrorism; alternatively, a disruption of a critical system could be classified as such. But it is undeniable that the new cyber-world opens up new possibilities for criminals and especially for terrorists, creating a blurred territory in which cyber crime and terrorism will mesh together. In the next paragraphs I will analyse the new major opportunities that in my judgement could be more relevant in the near future.
6.3.1 - Crimeware: exploit kit, botnet and financial malware
As I mentioned before, citing the Tsouli case, cyber criminal activities can be a very effective form of funding for terrorist groups, but at the moment I cannot find a real case in which some terrorist group directly used crimeware (financial malware aimed at committing crimes). At the moment there isn't a significant collaboration between underground groups that sell financial malware and terrorists. In my opinion there is the basis for a change in this situation. History offers plenty of examples in which terrorists mimicked the behaviour of criminal groups in order to finance their projects. In Italy, for example, during the 70's the phenomenon of the so-called "proletarian expropriations" exploded: real armed robberies carried out by terrorists to finance the operations of small and medium cells. I think that, with a high degree of likelihood, this kind of situation will be replicated in cyberspace and we will witness the birth of this new form of cybercrime. When there is a well-established use of crimeware such as Zeus or Citadel by terrorist groups, there will be the conditions for new "creative" uses of these instruments. Hypothesizing a transfer of the up-to-date uses of crimeware to the terrorist field, I can imagine some scenarios such as the following:
● the use of botnets to mail a massive number of "spam" emails with threatening messages during the execution of a kinetic terrorist attack, both to conduct a disinformation campaign and to diffuse malware
● the use of the MITB (Man-in-the-browser) features typical of Zeus or SpyEye to conduct or support psyops (e.g. conjuring up false and scary news while a victim uses an infected PC to surf news websites)
● the use of ransomware techniques to cripple PCs and to scare the population
In this view, the use of crimeware would be an essential part of the attack strategy, giving real advantages to terrorists. In this sense we can describe it as cyber terrorism, even though the cyber component doesn't directly cause the destruction, because it would be impossible to achieve the final effect of the attack without using it.
6.3.2 - Cyberweapons: the future of terrorist attacks?
Very recently Stefano Mele, a lawyer expert in cybersecurity and cyber intelligence, published a study titled "Cyber-weapons: legal and strategic aspects" in which the following definition of a cyberweapon is proposed: "A part of equipment, a device or any set of computer instructions used in a conflict among actors, both national and non-national, with the purpose of causing, even indirectly, a physical damage to equipment or people, or rather of sabotaging or damaging in a direct way the information systems of a sensitive target of the attacked subject."
After Stuxnet, the world discovered that a cyberweapon is something real and effective. With this piece of malicious code, in fact, the U.S. (with the probable collaboration of some other national government) retarded the Iranian nuclear program by sabotaging the uranium enrichment process. For the first time in history a piece of code was used to create physical damage (the enrichment centrifuges produced something different from the expected uranium and were prone to severe damage) to an enemy infrastructure. This was a game changer because it showed the world that a new way to attack an enemy was possible, with a lot of advantages such as the following:
● the attack is remote, no forces have to be deployed directly in the field
● the attack is deniable, no one can clearly indicate the culprit of such an attack
● the attack surface is huge, no one can properly defend all infrastructure
All these considerations don't pass unnoticed by state and non-state actors. During summer 2012 a malware was released in Saudi Aramco's network causing a lot of damage. In particular this malware, called Shamoon (or Wiper) by the antivirus vendors, was built to erase the information on hard disks, Master Boot Record included. This exhaustive cancellation left more than 30,000 PCs completely unusable, even after attempts to reinstall the operating system. All the infected machines had to be replaced. Probably the real objective of this attack was the crude oil production, but even with the reported results the attack was a significant problem to solve for the state company. Regarding attribution, as recalled before, it is very difficult to have enough information to spot the real party responsible for an attack; in this case, even if some researchers indicated Iran as the final sponsor of the attack, there was a plausible claim of responsibility for the attack by an Islamist group (Bumgarner J., 2013). It is now easy to foresee what an attack like this one could imply for a power provider, for a telecommunication provider or for a critical infrastructure. This could be a disaster capable of disrupting the normal life of a country. Moreover, if we analyse the use of a cyberweapon by a terrorist group we find that this kind of actor is in the best position to use such a weapon: in fact, one of the major problems with the use of cyber weapons is the difficulty of limiting the effect to a single target without "side effects" and collateral damage, and this can be a big limitation for a military entity or for a state actor but not for a terrorist group.
Hence, at the moment, the most important difficulties to overcome for a terrorist group who wants to attack a target using a cyberweapon are:
● to gather all the pieces of information needed to develop and use the weapon
● to find the right vulnerability/vulnerabilities to exploit during the attack
● to find people who have the knowledge to develop such a weapon
Certainly big problems, but not impossible to get over.
6.3.3 - SWATing and TDoS
Looking at the present and at the near future, we find a lot of vulnerabilities in the telecommunication field and criminals are quickly learning how to leverage them to make money. Terrorists are in the position to include these new attack techniques in their attacks, creating blended threats that can mix "old style" attacks and new cyberattacks. Two examples of this scenario are the so-called SWATing and TDoS.
SWATing (or swatting) is defined by Wikipedia (Wikipedia, 2013) as the tricking of any emergency service into dispatching an emergency response (deployment of bomb squads, SWAT units and other police units and the concurrent evacuation of private and public buildings) based on the false report of an ongoing critical incident. Caller ID spoofing and phone phreaking techniques are used to trick 911 systems, so the caller typically places a 911 call using a spoofed phone number with the goal of tricking emergency authorities into responding with a SWAT team to an address where an emergency doesn't exist. This practice can give a significant contribution to causing massive disruption during a terrorist attack by deploying the police and other civic resources, such as ambulances and fire departments, in the wrong places. TDoS (Telephony Denial of Service) is simply the transposition of a DoS attack into the world of telephony and in the last couple of years it has been growing fast, gaining a place in the ranking of the most worrisome attacks. Until now it has been used to extort money from some public and private entities in a classic ransom scheme: if you don't pay us we can block your phones, damaging your business and your image; but the potential use in case of a terrorist attack is enormous. Just think that someone could deny the telephone emergency service during an attack or isolate the attacked building to comprehend the potential of this technique as an impact multiplier. Finally, the increasing use of VoIP (Voice over IP) as a telephony solution has broadened the possibility of realising such an attack.
6.4 – Assessing the risk of such an event
One of the key points in analysing a phenomenon like cyberterrorism is to correctly evaluate the risk bound to the realisation of such an event. Since using a complete risk assessment methodology is beyond the scope of this research, in order to produce a reliable evaluation I took my cue from the national risk assessment methodologies, precisely because they are tweaked to assess this kind of event. In particular, I used two methodologies as references: the UK National Security Risk Assessment (NSRA) as described in "The National Security Strategy" (2010) and the National Security and Safety Method (NSSM) of the Netherlands (Bergmans H. et al., 2009). With the support of these two methodologies I adjusted a simplified qualitative approach to evaluate the risk of a cyber terrorist attack, assessing the possible impact and its relative likelihood over a 5-year horizon. The plausible worst case scenario of the threat posed by a cyber terrorist attack was scored in terms of its likelihood and its potential impact.
6.4.1 – Description of the risk assessing method
To evaluate the impact I used a simplification of the table proposed in the NSSM document. In the following table there are the criteria that I judged relevant for the present case:
Vital interest | Impact criterion
1. Physical security | 1.1 Fatalities; 1.2 Seriously injured and chronically ill; 1.3 Physical suffering (lack of basic necessities of life)
2. Economic security | 2.1 Costs
3. Social and political stability | 3.1 Disruption to everyday life; 3.2 Violation of the democratic system; 3.3 Social/Psychological impact
For each of the seven listed criteria, the impact is rendered measurable by using five categories classified as follows:
A = Limited consequences
B = Substantial consequences
C = Serious consequences
D = Very serious consequences
E = Catastrophic consequences
To combine the obtained values and calculate the final value for the impact I decided to adopt a linear value function (where the distance between the labels is equal and E again has the value 1, so the interval [0..1] can be divided into five equal parts: X = 0, A = 1/5, B = 2/5, C = 3/5, D = 4/5, E = 5/5) and then calculate the average value.
Regarding the likelihood, this is primarily calculated by evaluating two factors:
● the likelihood that a terrorist group has the capabilities and intentions for this specific threat
● the likelihood that the vulnerabilities in the targets make the attack successful
The assessment of the likelihood of a specific threat scenario leads to the determination of a category (A, B, C, D, E). If vulnerability is evaluated as high (for ICT systems, high vulnerability derives from the presence of one or more of the following conditions: no information policy, large number of Internet accesses to systems, limited/no policy and compliance regarding anti-virus protection, firewalls, passwords, no ISO 27001 certification, no disaster recovery plan, incompetent staff members or understaffing) the category is increased by a unit (e.g. C becomes D). In the following image, modified from a scheme published in the NSSM document, there are the steps to evaluate the likelihood of a malicious event.
Figure 13 - A modification of the “Determination of the likelihood” taken from NSSM document
6.4.2 – The cyber terrorist scenario
One of the major objections against the hypothesis of a cyber terrorist attack is that, in the short term, there isn't a terrorist group that can develop the necessary skills and competence to plan and conduct such an attack. My opinion is that there is a possible case in which this objection is irrelevant. This case is based on the action of a lone actor who already possesses the skill and the competence to plan and conduct a cyber terrorist attack. This lone actor could be an insider, someone who works for a critical infrastructure and is in the position to have the knowledge and the opportunity to carry out the attack. In support of this hypothesis there is the recalled fact that senior Al Qaeda figures have urged Muslims in the West to conduct attacks without training or direction from established groups. Such lone terrorists are inherently unpredictable and their plots are difficult to detect. Al Qaeda may consider that these attacks attract considerable media attention. This situation is made even more complicated by the fact that the attack surface is continuously expanding: in fact, while cyberspace provides opportunities that cannot be missed, the risks emanating from growing dependence on it are huge.
The following scenario is a modification of the "Malicious long-lasting electric power cuts" scenario inserted in the "Scenarios National Risk Assessment 2008/2009" (National Safety and Security, 2009).
Description
A second generation immigrant employee, a skilled IT engineer working for a major energy provider, was in touch with some radical elements in his country of origin. He was determined to conduct an attack aimed at cutting off the electricity for a long period of time to protest against the imperialistic politics of his country. He set up a hidden routine that at a given time sends commands to various SCADA systems in the power station, causing the overcharge of the grid and finally the explosion of the turbines. The entire power plant was heavily damaged and there were also some casualties among the employees. The electricity is cut off in a large part of the country. Daily life grinds to a halt on a wintry morning. Many people are stranded in the morning rush hour because public transport by train comes to a halt and traffic lights fail. In people's homes and offices, radio and TV are no longer working; computers (and Internet connections) fail; fixed and mobile telephony are disrupted; the heating doesn't work anymore; cash machines don't work; production processes are stopped; home dialysis machines are no longer working; etc. However, during the morning, reports start coming in that a terrorist attack by a jihadi lone terrorist has caused the explosion of one of the largest energy production sites in the country. The electricity industry indicates that the infrastructure has been hit very hard. There have been a number of fatalities. Repairs to the electricity supply infrastructure in the affected area will take between a few days and a few weeks. The electricity companies will have to show improvisation to deal with the situation because this scenario wasn't taken into account as possible. A few possibilities are feedback to the grid by combined heat and power systems in large industries and the installation of gas turbines. This will make a limited amount of electricity available. After approximately three to four weeks, electricity supplies will be back to normal.
However, the network remains vulnerable, leading to possible blackouts during the continued build-up towards the pre-attack situation. Complete recovery of the infrastructure could take more than one month.
6.4.3 – The results of the risk assessment
Since a complete analysis is beyond the scope of the present research, the following results are directly derived from the analysis in the "Malicious long-lasting electric power cuts" scenario inserted in the "Scenarios National Risk Assessment 2008/2009" (National Safety and Security, 2009).
Likelihood of the event
The scenario is based on malicious acts. The likelihood is rated as unlikely (class B). There is no concrete indication and the event is deemed somewhat credible. Due to the relatively high vulnerability of the sector and the effective incidence of lone terrorist attacks, the ultimate likelihood is rated as 'possible' (class C).
Impact
1.1 Fatalities
As a direct consequence of the blast there were some casualties in the plant; moreover, a few fatalities can be expected on the roads and at home, among patients who are dependent on medical equipment. Additional people may die, compared with the normal winter deaths, due to the lack of heating. In particular, this relates to the elderly and people who live in social isolation. There will also be victims of rioting and looting as well as in the chaos of evacuation. Premature deaths cannot be ruled out, but the assessment is that there will be few victims in the longer term. No empirical data is available. A few dozen fatalities are deemed the most likely by the NSSM analysis. The upper limit of the possible casualties is valued in the few hundreds. (B)
1.2 Seriously injured and chronically ill
People could be injured in the explosion of the plant during the attack; then many injured are possible both in riots and in road traffic accidents. The number of seriously injured will probably be more than 100, but a higher number cannot be ruled out. (B)
1.3 Physical suffering (lack of basic necessities of life)
In the first moments after the attack all citizens in the country. All people in the directly affected area will be deprived of electricity for at least a month. Some of them will have no electricity for a long period of time (more than a week) and some will experience many brownouts and blackouts for more than a month. Due to the power blackout, some people will not have drinking water (country houses and flats higher than the third floor) or any heating. (D)
2.1 Costs
There is great economic damage directly resulting from the explosion of the plant and indirectly from the electricity being cut off. Loss of added value, spoiled food, extra security costs, repair costs, and reduced income from tourism and business travel. An appraisal of the total costs in that first month will be in the range of billions of Euros. (E)
3.1 Disruption to everyday life
During the blackout subsequent to the attack, normal life in the country will be impossible. In the following days, due to the power failures, many people in the affected area will not be in a position to conduct their usual life: to work, to go to school, to use ICT, to use ATMs or cards, to do essential shopping, to refuel vehicles. Many commercial businesses and malls will be closed. A large part of the entire population will suffer some consequence affecting its everyday life. (D)
3.2 Violation of the democratic system
The power being cut off will impair the functioning of political representation and public administration in the affected area. (B)
3.3 Social/Psychological impact
As a direct consequence of the terrorist attack and the long duration of the ensuing power failure, a large number of people will exhibit public anxiety and anger about further attacks. This includes: avoiding public places and public transport, staying at home, no longer flying, leaving the affected area, looting and hoarding, taking money out of the bank. In addition, a group of people will stigmatise immigrants and Muslims, because the attack was carried out by a second generation immigrant belonging to an Islamist group. Many will protest against the government because of the lack of preparation in the prevention of such an attack and because the restoration of the electricity supply is taking a long time. (D)
1.1 | 1.2 | 1.3 | 2.1 | 3.1 | 3.2 | 3.3 | Average Impact
B | B | D | E | D | B | D | C/D
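As an added example (not the thesis's or the NSSM's own code), the scoring rule of section 6.4.1 applied to the seven impact scores above: the letters are converted with the linear value function, averaged, and mapped back to a label (a value falling between two labels is reported as "C/D", as in the table), while the likelihood class is raised by one unit when any of the ICT vulnerability conditions listed in 6.4.1 is present. The condition list and the scenario scores come from the text; the default vulnerability finding in assess_scenario and the cap at class E are assumptions of this example.

```python
"""Simplified qualitative risk scoring from section 6.4.1 of the thesis.
Added example, not the thesis's or the NSSM's own code."""
import math
from statistics import mean

# Linear value function from the text: X = 0, A = 1/5, B = 2/5, ..., E = 5/5
CATEGORIES = ["X", "A", "B", "C", "D", "E"]
VALUE = {label: i / 5 for i, label in enumerate(CATEGORIES)}

# The seven impact criteria retained from the NSSM table
CRITERIA = ["1.1", "1.2", "1.3", "2.1", "3.1", "3.2", "3.3"]

# Conditions that make an ICT system's vulnerability "high" (as listed in 6.4.1)
HIGH_VULNERABILITY_CONDITIONS = frozenset({
    "no information policy",
    "large number of Internet accesses to systems",
    "limited/no policy and compliance regarding anti-virus protection, firewalls, passwords",
    "no ISO 27001 certification",
    "no disaster recovery plan",
    "incompetent staff members or understaffing",
})


def impact_score(scores):
    """Average of the linear values of the seven criteria scores, in [0, 1]."""
    missing = [c for c in CRITERIA if c not in scores]
    if missing:
        raise ValueError(f"missing criteria: {missing}")
    return mean(VALUE[scores[c]] for c in CRITERIA)


def impact_label(score):
    """Map an averaged score back to a category. A score that lies strictly
    between two labels is reported as 'lower/upper' (e.g. 'C/D'), which is
    how the thesis reports the scenario's average impact."""
    if not 0.0 <= score <= 1.0:
        raise ValueError("score must lie in [0, 1]")
    steps = score * 5                      # position on the X..E ladder
    lower = int(math.floor(steps + 1e-9))  # tolerate floating-point noise
    if abs(steps - lower) < 1e-9:
        return CATEGORIES[lower]
    return f"{CATEGORIES[lower]}/{CATEGORIES[lower + 1]}"


def adjusted_likelihood(base, findings):
    """Raise the likelihood class by one unit if any high-vulnerability
    condition is present in `findings` (e.g. C becomes D).
    Assumption of this example: class E cannot be raised further."""
    if base not in CATEGORIES[1:]:
        raise ValueError("likelihood class must be one of A..E")
    unknown = set(findings) - HIGH_VULNERABILITY_CONDITIONS
    if unknown:
        raise ValueError(f"unrecognised findings: {sorted(unknown)}")
    if not findings:
        return base
    idx = CATEGORIES.index(base)
    return CATEGORIES[min(idx + 1, len(CATEGORIES) - 1)]


# Impact scores of the cyber terrorist scenario as given in section 6.4.3
SCENARIO_IMPACT = {"1.1": "B", "1.2": "B", "1.3": "D", "2.1": "E",
                   "3.1": "D", "3.2": "B", "3.3": "D"}


def assess_scenario(impact=SCENARIO_IMPACT, base_likelihood="B",
                    findings=("no disaster recovery plan",)):
    """Return (impact label, likelihood class) for a scenario. The default
    finding is a constructed illustration of 'high vulnerability', not a
    fact reported by the thesis; the base class B is the one it starts from."""
    return (impact_label(impact_score(impact)),
            adjusted_likelihood(base_likelihood, findings))


if __name__ == "__main__":
    print(assess_scenario())  # ('C/D', 'C')
```

The average 23/35 ≈ 0.657 falls between C (3/5) and D (4/5), which is why the table reports the combined impact as C/D rather than a single letter.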
In order to visualise the risk associated with this attack, I added this event to a graph published in the NSSM document.
Figure 14 - A modification of the “Risk Diagram” taken from NSSM document with the insertion of the Cyber terrorist scenario.
Just as a final note I would like to cite the Priority Risks emerging from the UK NSRA: "The National Security Council judged that currently – and for the next five years – tackling the risks from terrorism, cyber attack, international military crises, and major accidents or natural hazards should be our highest priority objectives."
Figure 15 - Priority Risks taken from the UK National Security Strategy.
I judge it of some interest that the first two risks are terrorism and cyber attacks, but an intersection between them is not considered at all. Perhaps a bit of closer examination could be appropriate.
7 - Conclusion
Historically, terrorist groups have been able to leverage the benefits offered by the Internet in many ways:
● as a main communication tool, bypassing the filter of the journalists of the traditional media;
● as a way to communicate securely and secretly to solve the problem of maintaining the necessary coordination between scattered and independent cells;
● as a means to share know-how and directives;
● as a tool to facilitate the collection and the transfer of the money to fund the operations in the field.
Now, a new way to use the Internet seems possible: the use of the Internet as a weapon to directly conduct real attacks. From a terrorist point of view there are many difficulties in carrying out this task, but the extension of the attack surface and the possibility of hitting targets otherwise out of reach represent a strong incentive to pursue this objective. Furthermore, the strategy adopted by many terrorist groups of privileging action based on lone actors or lone terrorists can be a way to circumvent some of the difficulties. In fact, if a cyberattack is planned and carried out by an insider, that is someone who is already in possession of the necessary skills and is in a position to gather the necessary information, all the difficulties could be overcome. Finally, the extensive use of SCADA systems to automate processes and to control industrial and power sites can open new possibilities of massive destruction, very tempting for a terrorist. Given these assumptions, one or more cyberattacks carried out by terrorist groups are possible in the near future, opening a new era in the fatal history of terrorism. As security researchers, we will have the duty to analyse all the possibilities and try to foresee the most likely scenarios in order to give decision makers the chance to adopt the right decisions to fight terrorism in every form in which it will turn up.
Bibliography
Atias, R. (2013) "Under the Hood of the Cyber Attack on U.S. Banks" The Incapsula Blog http://www.incapsula.com/the-incapsula-blog/item/603-cyber-attack-us-banks Retrieved 2013-01-10
Baker G. (2008) "Schoolboy hacks into city's tram system" The Telegraph http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html Retrieved 2013-07-25
Bockstette, Carsten (2008) "Jihadist Terrorist Use of Strategic Communication Management Techniques" (PDF). George C. Marshall Center Occasional Paper Series (20). ISSN 1863-6039. Retrieved 2013-01-10
Brother (2011) "AiRScouter see-through type head-mounted display of Brother" YouTube http://www.youtube.com/watch?v=5rtxz1P2Ogw#at=17 Retrieved 2013-06-20
Burke J. (2009) "Islam radicale, endocrinement et Internet: responsabilités et idées recues" Defense Nationale nr. 3
Bumgarner J. (2013) "Decapitating Saudi Aramco with Sword of Justice" Defence IQ http://www.defenceiq.com/cyber-defence/articles/decapitating-saudi-aramco-with-the-sword-of-justic/ Retrieved 2013-01-22
Cavallini, M. (2013) "L'uso di Internet quale mezzo di proselitismo e addestramento di potenziali autori di attentati terroristici" Individual Work of the Frequenter of the 12th Special Session of the "Institute of High Studies of Defence"
Cavallini M. (2012) "Tra Hacktivism e Cyberterrorism" Punto 1 blog - http://www.matteocavallini.com/2012/01/tra-hacktivism-e-cyberterrorism.html Retrieved 2012-12-28
Confindustria Livorno (2012) "Il centro anti-hacker per le centrali elettriche" www.confindustrialivorno.it/comunicazione-e-stampa/rassegna-stampa/parco-eolico_07-03-2012_08-45.php?m=4 Retrieved 2013-06-05
Constantin, L. (2013) "Possibly related DDoS attacks cause DNS hosting outages" PCWorld http://www.pcworld.com/article/2040766/possibly-related-ddos-attacks-cause-dns-hosting-outages.
55
html Retrieved html Retrieved 2013-07-18 Corriere
della
Sera,
(2004)
“Te Terr rror oris ismo mo
inte in tern rnaz azio iona nale le,,
arre ar rest stii
e
perq pe rqui uisi sizi zion oni” i”
http://www.corriere.it/Primo_Piano/Cronache/2004/04_Aprile/01/terrorismo.shtml
Retrieved
2013-06-19 Davi David d B. “How “How Terr Terror oris istt Encry Encrypt pt”” part part 1 - 7, repo reporti rting ng Camp Campbe bell ll D. speak speakin ing g at Deep DeepSe Secc conference
(2012),
Privacy
PC
http://privacy-pc.com/articles/how-terrorists-encrypt-threatscape-overview.html
Retrived
Tool
Released”
Retrieved
The
Guardian
2013-06-16 Danchev.
D.
(2008)
“Mujahideen
Secrets
2
Encryption
http://ddanchev.blogspot.it/2008/01/mujahideen-secrets-2-encryption-tool.html 2013-01-24. Dodd,
V.
“Profile:
Roshonara
Choudhry”
(2010)
http://www.guardian.co.uk/uk/2010/nov/02 http://www.guardian.co.uk/u k/2010/nov/02/profile-roshonara-choudhry-stephen-timms /profile-roshonara-choudhry-stephen-timms Retrieved 2013-05-28 Dodd, V. “British “ British Airways worker Rajib Karim convicted of terrorist plot” (2011) The Guardian http://www.guardian.co.uk/uk/2011/feb/28/british-airways-bomb-guilty-karim
Retrieved
2013-06-16 EUROPOL, (2012) “TE-SAT 2012 EU Terrorism Situation and Trend Report”, European Police Office. ISSN Number: 1830-9712 EUROPOL, (2011) “Counter Terrorism Working Group Conclusion”, Europol Public Information. Retrieved 2012-12-30. Gallag Gal lagher her S. (20 (2012 12)) “St “Stega eganog nograp raphy: hy: ho how w alal-Qae Qaeda da hid secret document documentss in a por porn n vid video” eo”,, Ars Technica arstechnica.com/business/2012/05/steganography-how-al-qaeda-hid-secret-documents-in-a-porn-vi deo/ Retrieved deo/ Retrieved 2013-05-09 Goodma Goo dman n S.E S.E., ., (20 (2008) 08) “Cr “Critic itical al Inf Inform ormatio ation n Inf Infrast rastruc ructur turee Pro Protect tection ion”” Res Respon ponses ses to Cyb Cyber er Terr Te rro ori rism sm Ce Cen ntr tree
of Exc xcel elle len nce Def efen ence ce Ag Agai ains nstt
Terr Te rror oris ism m,
IOS IO S
Pres Pr ess, s, 2008 IS ISBN BN
978-1-58603-836-6
56
Holehouse Holeh ouse M., (2012 (2012)) “Britai “Britain n 'losin 'losing g the war on cyber crime' as costs hit £205 million” Telegraph, Telegraph, http://www.telegraph.co.uk/news/uknews/crime/9771627/Britain-losing-the-war-on-cyber-crime-as -costs-hit-205-million.html Retrieved -costs-hit-205-million.html Retrieved 2013-01-31 Hypponen
M.,
(2011)
“Hypponen
page
from
al-Qaeda”
http://threatpost.tumblr.com/post/5162701865/via-mikkoh http://threatpost.tumblr.com/post/51627 01865/via-mikkohypponen-page-from-the-al-qaeda ypponen-page-from-the-al-qaeda Retrieved 2013-01-30. ICS-CERT,
(2013)
“ICS-CERT
Monitor
-
April/May/June
2013”
https://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monitor_April-June2013_3.pdf Retrieved https://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monitor_April-June2013_3.pdf 2013-07-22 IOSCO-WFE,
“Cyber-crime,
securities
markets
and
systemic
risk”
http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf Retrieved 16-07-2013 Infose Infosecur curity ity (2012) (2012) “AlQae “AlQaeda da uses uses stegano steganogra graphy phy docum document entss hidden hidden in porn porn videos videos found found on memory
stick“
http://www.infosecurity-magazine.com/view/25524/alqaeda-uses-steganography-documents-hidden -in-porn-videos-found-on-memory-stick/ Retrieved 2013-01-07 Joscelyn, T. (2013) “Ansar al-Sharia Tunisia honors senior al-Qaeda ‘martyrs’” The Long-War Journal
http://www.longwarjournal.org/archives/2013/01/ansar_al_sharia_tuni_3.php Retrieved
2013-07-05 K e rr
K.,
(2003)
“ Pu Putting
cyberterrorism
into
context”
AusCERT
https://www.auscert.org.au/render.html?it=3552 Retrieved 2013-06-09 Kerr K., (2006) “Risk (2006) “Risk of Cyber Terrorism” Centre of Excellence Defence Against Terrorism NATO http://www.coedat.nato.int/publications/course_report/CCT.zip Retrieved 2013-06-19 Langner
R.,
(2012)
“Why
attack
when
we
can’t
defend?”
http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-1 2/why-attack-when-we-cant-defend Retrieved 2013-07-23 Mcdon Mcdonald ald,, A. and BryanBryan-low low,, C. (2011) (2011) “ U.K. Case Reveals Terror Tactics Wall Street Journal http://online.wsj.com/article/SB1000142405274870 http://online.wsj.com/article/SB1000142 4052748704570104576 4570104576124231820 124231820312632.html 312632.html Retrieved 57
2013-06-16 Marks,
P.
(2013)
“ Silent
Skype
calls
can
hide
secret
messages”
www.newscientist.com/article/dn23044-silent-skype-calls-can-hide-secret-messages.html Retrieved www.newscientist.com/article/dn23044-silent-skype-calls-can-hide-secret-messages.html 2013-01-05 Mele, S. (2013) “Cyber-weapons: “Cyber-weapons: legal and strategic aspects” http://www.strategicstudies.it/wp-content/uploads/2013/07/Machiavelli-Editions-Cyber-Weapons-L egal-and-Strategic-Aspects-V2.0.pdf Retrieved egal-and-Strategic-Aspects-V2.0.pdf Retrieved 2013-07-31 National
Safety
And
Security
“Scenarios
National
Risk
Assessment
2008/2009”
http://www.hetlocc.nl/aspx/download.aspx?file=/contents/pages/106264/20110127scenariosnrb_en g-finaldef-nietopgemaakt.pdf Retrieved Retrieved 2013-07-31 Ningauble
(2012), “Google Buys Image and Gesture Recognition Company Viewdle”
en.paperblog.com/google-buys-image-and-gesture-recognition-company-v en.paperblog.com/goog le-buys-image-and-gesture-recognition-company-viewdle-321296/ iewdle-321296/ Retrieved 2013-05-28 Olimpio G. (2008) “AlQaeda.com” BUR, Milano ISBN 978-88-17-02350-4 Pidd. Pid d. H, (20 (2012) 12) “An “Ander derss Beh Behrin ring g Bre Breivi ivik k spe spent nt yea years rs trai trainin ning g and plottin plotting g for massacre” massacre” and “And “A nder erss Br Brei eivi vik k 't 'tra rain ined ed'' fo forr sh shoo ooti ting ng at atta tack ckss by pl play ayin ing g Ca Call ll of Du Duty ty”” Th Thee Gu Guar ardi dian an http://www.guardian.co.uk/world/2012/aug/24/and http://www.guardian.co.uk/w orld/2012/aug/24/anders-behring-breivik-profile-oslo?INTCMP=SRC ers-behring-breivik-profile-oslo?INTCMP=SRC H and http://www.guardian.co.uk/world/2012/apr/19/anders-breivik-call-of-duty?INTCMP=SRCH Retrieved 2013-06-29 Pollit
M,
“Cyberterrorism
–
Fact
or
Fancy?”
FBI
Laboratory
http://www.cs.georgetown.edu/~denning/infosec/pollitt.html.. Retrived 2013-01-23. http://www.cs.georgetown.edu/~denning/infosec/pollitt.html R amsay, amsay, G. (2009) “Relocating the Virtual War”, Defence Against Terrorism Review Vol. 2, No. 1, Spring, pp. 31-50 Ryan Ry an J. (2 (201 010) 0) “A “Ame meri rica cann-Br Bred ed Te Terr rror oris ists ts Ca Caus usin ing g Al Alar arm m Fo Forr La Law w En Enfo forc rcem emen ent” t” AB ABC C http://abcnews.go.com/WN/suspected-american-terrorists-islamic-ties-causing-concern-law/story?i d=11230885&page=1#.UbnD-ef0HTo Retrived 2013-06-13 Schneier Schne ier B. (200 (2009) 9) “Terro “Terrorists rists may use Google Earth, Earth, but fear is no reason to ban it” The Guardian, Guardian, 58
http://www.guardian.co.uk/technology/2009/jan/29/read-me-first-google-earth
Retrieved
2013-05-28 The Council of the European Union (2002) “COUNCIL FRAMEWORK DECISION of 13 June 2002
on
combating
terrorism”
2002/475/JHA
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:200 http://eur-lex.europa.eu/LexUriServ/LexUriServ.d o?uri=CONSLEG:2002F0475:2008 2F0475:20081209:EN:PD 1209:EN:PD F Retrieved 2013-06-08 Tails Tails “The “The Amne Amnesic sic Inco Incogn gnit ito o Live Live Syst System em”” offi officia ciall webs websit itee https://tails.boum.org/ Retrived 2013-06-19 TrueCr Tru eCrypt ypt “Th “Thee Hid Hidden den Vol Volume ume”” off offici icial al web website site http://www.truecrypt.org/docs/hidden-volume Retrived 2013-06-19 United Nations (1999) “In Inter terna nati tion onal al Co Conv nven enti tion on fo forr th thee Su Supp ppres ressi sion on of th thee Fi Fina nanc ncin ing g of Terrorism” http://www.un.org/law/cod/finterr.htm http://www.un.org/law/cod/finterr.htm Retrieved Retrieved 2013-07-06 United Nation Counter-Terrorism Implementation Task-Force - CTITF (2009) (2 009) “Countering “Countering the Use of Internet for Terrorist Purposes” www.un.org/terrorism/cttaskforce Unite Un ited d Na Nati tion onss Of Offic ficee on Dr Drug ugss an and d Cr Crim imee (U (UNO NODC DC): ): “T “The he us usee of th thee In Inter terne nett fo forr ter terro rori rist st purposes”, United Nations publication (2012) Wikipe Wikipedia dia (2013 (2013)) “2008 “2008 Mumbai Mumbai attacks attacks”” https://en.wikipedia.org/wiki/2008_Mumbai_attacks Retrieved 2013-02-03 Wiki Wikipe pedi diaa (201 (2012) 2) “His “Histo tory ry of Terro Terrori rism sm”” https://en.wikipedia.org/wiki/History_of_terrorism Retrieved 2013-07-06 Wikipe Wikipedia dia
(2013 (2013))
“Stega “Steganog nograp raphy” hy”
http://en.wikipedia.org/wiki/Steganography Retrieved
2013-19-06 Wikipedia (2013) “Swatting” http://en.wikipedia.org/wiki/Swatting Retrieved 2013-07-30
59