People all around the world have for many years become, and continue to become, more reliant on ICT (Information Communication Technology) systems, from email services to banking, self-pay checkouts at supermarkets, and even computer-controlled weapon systems. ICT systems have been subject to attack since they first existed and continue to be attacked for various reasons. This report will investigate the history of ICT security, some of the motives of attackers, and some of the most successful attacks in use today, among other issues related to ICT security.
2.0 THE HISTORY OF ICT SECURITY & BEYOND
To understand whether we will ever be secure in the future, this section will briefly look at the history of security in relation to information and communications, before and after computers were invented. An analysis of this history will help to determine whether security has improved, degraded or remained the same over time; it will also provide details of how attacks and security methods have adapted throughout history.
2.1 INFORMATION & COMMUNICATION SECURITY BEFORE COMPUTERS
Arguably the first computer, named "Colossus", was created in 1943 by the British government to penetrate secure Nazi communications during World War 2 (Watt, 2010). Attempts to break communications security were being made long before the first computer was invented, going back as far as 1919: just after the First World War the GCCS (Government Code and Cypher School) began. It was an organization of code breakers based in Britain and is now known as GCHQ (Government Communications Headquarters) (History of Codebreaking, n.d.).
Even before the GCCS began, information security methods were being developed to ensure the secrecy of information, and various methods were also being used to compromise the developed security methods. In 1587 Queen Mary the first of Scotland was found guilty and beheaded for plotting to assassinate Queen Elizabeth the first of England. Her beheading was the result of the interception and decryption of encrypted messages between Queen Mary and her co-conspirator Anthony Babington, which served as evidence at her trial and determined the verdict (Singh, 2000, p. 1 - 43). A cipher is a type of key used to interpret encrypted messages; it is held by the source/s and destination/s of encrypted messages. The following image illustrates the cipher used by Queen Mary the first:
Secure communications methods were also used in other parts of the world. Around 750 AD Arab administrators relied on cryptography for secure communications; they also invented cryptanalysis, the art of deciphering or unscrambling encrypted messages without the cipher used to encrypt them (Singh, 2000, p. 14-15). During the time British code breakers were deciphering Nazi communications, the Americans were deciphering the Japanese cipher known as "purple" (Singh, 2000, p. 191). Secure communications methods have been and continue to be used all over the world.
Information and communications security methods have been used for thousands of years, by people all over the world. The world's first documented form of cryptography is believed to be from 1900 BC and originated in the Egyptian town of "Menet Khufu" (A Brief History of Cryptography, n.d.).
Information and communications security was continuously attacked before the invention of computers; this led to the end of wars and the execution of a queen, among various other incidents which were not investigated. It seems to have been primarily based on cryptography. This raises a few questions: How has information and communications security changed since the invention of computers? Have computers improved information and communications security?
2.2 AN OVERVIEW OF INFORMATION & COMMUNICATION SECURITY AFTER COMPUTERS
In the 1970s a number of people branded as "phone phreaks" were able to make free phone calls by generating tones at specific frequencies and forwarding them into telephones in order to trick the PSTN (Public Switched Telephone Network). The PSTN is the global network of telephones, other end-user devices such as fax machines, and interconnecting links and devices (Cioara, 2009, p 23 - 24). Famous phone phreaks include Joe Engressia, who had the ability to whistle into a telephone and emulate the 2600 Hz signals used to establish calls (Martain, 2007), and John Draper, also known as Captain Crunch because he found a whistle in a box of "Captain Crunch" breakfast cereal that could emulate signals at the same frequency (Ward, 2000). Another major incident, which occurred during the 1980s, was the $70 million computer heist in which the National Bank of Chicago, US, was compromised (Trigaux, 2000). In 1999 a virus known as CIH was released which caused an estimated 20 - 80 million dollars of damage worldwide; it was sourced from Taiwan and is categorised as one of the most dangerous computer viruses as it left computer systems inoperable (Jones, 2006). There have been various incidents of different scales and complexities, targeted at different computer systems, throughout the history of computers.
As indicated in the chart above, the number of catalogued vulnerabilities greatly increased between the years 1995 - 2008. The types of attack described in this section are not based on the decryption of encrypted messages, nor sourced from or targeted by government organizations; the attacks described have been used for personal gain or to sabotage systems. This inspires more questions, including: What types of attacks are currently being used to compromise information and communications security? Where are the attacks sourced from?
3.0 AN OVERVIEW OF RECENT MAJOR CASES INVOLVING ICT SECURITY
This section will investigate some of the recent major attacks and issues involving ICT security to determine the current vulnerabilities being compromised, and the sources of the attacks. Government, financial, and other issues related to information and communications security will be investigated.
3.1 AN OVERVIEW OF GOVERNMENT BASED ICT SECURITY ISSUES
There are currently many reports of incidents related to ICT security involving governments. Allegations have recently been made by the companies Google and McAfee that the Vietnamese government has been using malicious software to spy on its citizens. Google stated "the attack targeted online critics of the mining"; the Vietnamese foreign minister has rejected the claim. As the malicious software blocked access to sites which contained messages in opposition to government politics and also spied on the users of the compromised systems, it is likely that the attack was sourced from the government (Vietnam Dismisses Google Hacking claim, 2010). The attack may also have come from another source and been purposely structured to shift the blame towards the government to avoid the identification of the culprit.
Also, a very recent high alert has been raised by CERT to all military and government departments of a possible cyber attack; there are suspicions the attack will come from hackers in China. As previously described, CERT is a federal research and development centre that responds to major security incidents. No details have been provided of the cause of the alert or of the suspicion of hackers in China (Valecha, 2010). The concept of cyber warfare is not new: in June of 2007 the US Pentagon computers were compromised and taken offline for 3 weeks as a result of a cyber attack sourced from China, and it was believed that the Chinese government was behind the attack (Griffin, 2007).
Another case includes the infiltration of Indian government computer networks across the world by a gang known as "the shadow network", classified information associated with "missile systems, national security and the united nations" is believed to have been compromised. This shows just how important strong information security methods are. The gang used free web services such as Twitter, Yahoo mail, and various others to avoid compromise (Goodin, 2010).
Furthermore cyber spies have compromised various US infrastructure systems such as the power grid and left behind software programs which could be triggered remotely to destroy infrastructure devices. It is believed that these types of attacks have been sourced from China and Russia among other countries (Gorman, 2009).
The majority of the attacks described in this subsection have been or are believed to have been sourced from China. The type of information and systems that have been compromised is worrying and suggests ICT systems are more susceptible to attack now than ever before.
3.2 AN OVERVIEW OF FINANCIAL BASED ICT SECURITY ATTACKS
There are many cases related to the compromise of ICT systems for financial gain; the complexity and scale of these attacks vary greatly. In one recent case three Spanish men, none of whom has a criminal record, were arrested as being responsible for one of the world's largest networks of virus-infected computers. It consisted of 13 million computers within 190 different countries; one of the men was found to have 800,000 pieces of people's personal data on his system. The compromised systems formed a single unit which is known as a "Botnet" (Spanish police arrest masterminds of 'massive' Botnet, 2010). The hackers have been identified as "Netkairo", "Jonyloleante", and "Ostiator". They compromised the systems by unleashing a virus which spread via various services including email, and which allowed compromised systems to be controlled remotely. They were caught as a result of security services shutting down a controlling server, which resulted in one of the hackers using his own computer to log on to the Botnet, compromising his IP address and location. They may face up to 6 years in prison if found guilty of hacking charges (Arthur, 2010). No information has currently been released about the financial gain the culprits acquired from using the Botnet, but various news reports have stated that the Botnet was rented to others.
Other cases include an IT worker for the Bank of America who designed and maintained the bank's computer systems and ATM machines; he has been charged with hacking ATMs so that they did not record his transactions (Leyden, 2010). The IT worker has been named as Rodney Reed Caverly, aged 53. He stole $304,000 over a 7 month period and could face 5 years in prison and a fine of up to $250,000 when sentenced in the summer (Zetter, 2010).
A less complex attack is one in which 80 people have been arrested in connection with a series of eBay scams; 800 people fell victim to the scams and lost a combined total of approximately €800,000. The scams involved the advertising of luxury items that the scammers did not possess, for which they obtained funds using compromised eBay accounts. The victims of the scam were located across Western Europe, the US, and Canada, among other locations. No information has been released about the charges the scammers face (Leyden, 2010).
Also two IT contractors have been caught and charged for the infiltration of the software used to control remote roulette machines, they made the machines print out winning tickets and cashed in a total of up to £33,000 from four Gala casinos in London. They were charged under the Theft Act 1968 and consequently had to pay back £16,000 each and undertake 200 hours of community service (Casinos conned by IT hackers who printed false betting slips, 2010).
As identified in this section, attacks are successfully being carried out from various locations around the world, using various attack methods to compromise a range of ICT systems for financial gain. It seems as though the reliance on ICT systems for financial services and commerce has motivated attackers to compromise these systems.
3.3 A BRIEF OVERVIEW OF OTHER ICT SECURITY ISSUES
There are other issues related to ICT security in which the result does not lead the attackers to financial gain and which are not government based; this subsection will explore these attacks. These attacks include the claimed "PlayStation 3" hack by George Hotz, which allows users to play pirated games on the console. He also hacked the iPhone in 2007, and stated in relation to the PlayStation 3 "It's supposed to be unhackable - but nothing is unhackable," (Fildes, 2010). A number of games consoles are also vulnerable to specific hacks, including the Xbox 360 (Badbloke, 2010) and Nintendo Wii consoles (How to hack a Wii, 2009), but it's not just games consoles that are vulnerable to attacks. Virgin Media's cable modems are also vulnerable to hacking methods which can allow fraudulent free high speed internet access, and their TV services can be hacked to allow the illegal free viewing of all channels (Williams, 2009). Sky television services are not immune to similar attacks (Greenberk, 2010). Other incidents include the hack of the L.A. (Los Angeles) traffic control computer, which was used to shut down 4 traffic signals (Thomson, 2008), as well as the Brazilian satellite hack in which a US navy satellite was turned into a CB (Civilian Broadcasting) radio (Soares, 2009).
The majority of the attacks described in this subsection have been motivated by personal gain allowing the use of various services without paying the associated charges. These attacks may be motivated by the high cost for the associated services.
This section, including the subsections related to government, financial and other security issues, has led to the question: What laws deal with ICT related issues?
4.0 ICT LAWS
There are various laws regarding a range of ICT aspects. The laws define the obligations of the owners of ICT systems, the rules used to govern people's use of these systems, and the penalties associated with breaching the rules. This section will explore some of the major laws and the associated rules, penalties, and obligations.
In the year 1990 the "Computer Misuse Act" was introduced in the UK to ensure the security of computer material from unauthorised access or modification. It covers three categories of criminal offence, with penalties ranging from 6 months imprisonment or up to £5,000 fines to 5 years imprisonment and unlimited fines. But in order for the law to apply, information must not be displayed which allows or incites others to obtain unauthorised access, or perform unauthorised modifications, to computer material (Computer Misuse Act, n.d.). Another major law in the UK related to ICT security is the "Data Protection Act 1998", which specifies the rules that must be complied with when handling people's personal information; it also defines the rights of individuals to inquire about information held about them. Organizations' compliance with the obligations specified in this law is ensured by the ICO (Information Commissioner's Office). The obligations of organizations storing people's personal information include keeping the information secure, keeping it only for the time period necessary, and only storing relevant, accurate and up to date information, among various other obligations (Data Protection Act, n.d.).
Countries around the world have various laws dealing with ICT security. One of the major issues is dealing with offences sourced from a different part of the world from the target/s; governments around the world are now starting to share information on these types of investigations (Wallace & Watkins, 2008, p 20).
This section has described some of the laws governing ICT issues in the UK, but how are ICT security breaches handled in practice?
4.1 RECENT LEGAL CASES INVOLVING ICT SECURITY
This subsection will look at recent major legal cases related to ICT security.
The coordinator of the TJX case, "Albert Gonzalez", has been sentenced to 20 years in prison and fined $20,000 for one of the largest payment card number thefts in history. It involved Gonzalez and his team hacking into various companies' networks and stealing credit and debit card numbers via their wireless networks; one of the main targets was the TJX Company. The sentence is the largest of its kind for a US hacking offence. While prosecutors aimed at a sentence of 25 years on the basis that Gonzalez's actions cost banks and their insurers up to $200 million, his attorney presented evidence that he suffered from Asperger's syndrome (Goodin, 2010). He was charged with "damage to computer systems, wire fraud, access device fraud, aggravated identity theft and conspiracy" (Qualters, 2010).
Another ongoing major case involves the UK hacker Gary McKinnon, whom the US government wants extradited for accessing secret government files on government computers between the years 2001 and 2002. He is accused of hacking into a series of US government computers in NASA (National Aeronautics and Space Administration) and various military networks including the US navy and DOD. The US prosecutors say he caused $700,000 of damage, and a prosecutor also stated it is "the biggest military computer hack of all time", but Gary rejects the claims, stating that he never did anything malicious. He stated he used a tool to scan for computers with blank passwords and obtained access to them (Boyd, 2008). Gary later lost an appeal against extradition to the US, where he could face 60 years in a high security prison; the UK home secretary also stated it would be illegal for him to stop the extradition (Culf, 2009). Recently a court judge has ruled that the extradition of Gary is unlawful and has provided evidence that there would be a high risk that Gary would commit suicide in an American jail (Hirsch, 2010); the case continues.
As indicated in this section the laws related to ICT security breaches can be harsh depending on the incident in question. It seems as though the US government in particular are applying harsh sentences to convicts of ICT related issues as a deterrent. This leads to another question: What are the motives of the attackers?
5.0 MOTIVES OF ATTACKERS
This section will explore some of the common and uncommon motives for attacks on ICT systems.
The motive for the hacks sourced by Gary McKinnon is supposedly his interest in and curiosity about suppressed energy and UFO technologies, which he believes exist and are being covered up by governments (Boyd, 2008). Other hackers, such as George Hotz, responsible for the iPhone and PS3 hacks (Fildes, 2010), and a Russian hacker who states he hacked a series of military resources when he was just 14 (Rainsford, 2010), state that their motivation for hacking systems comes from interest and curiosity. The cases described in section 3.2 are financially motivated attacks; others are politically motivated, such as the penetration of Nazi communications described in section 2.1, while some attacks are motivated by revenge, such as the attack aimed at a chat room user by another user after some comments were made in the chat room (McCue, 2003). Other motives include the creation and propagation of malicious applications for fun, fame and fortune, or even as a hobby (Shelby, 2002). Some attacks on systems are politically motivated; the attackers responsible for these types of attacks are sometimes referred to as hacktivists. Cases of this type include the compromise of the social networking site Twitter, which caused its users to be forwarded to a webpage stating "This site has been hacked by Iranian cyber army" (Leyden, 2009). There have also been some attacks which have been motivated by celebrity obsession, including the hack of Amor Hilton's Facebook account (Lau, 2008). It is also likely that the same motive was behind the compromise of various celebrity Twitter accounts, including those of Britney Spears (Michaels, 2009) and Lindsay Lohan (Cluley, 2009); even US President Barack Obama's Twitter account was compromised (Cassidy, 2010).
As indicated in this section, with the increased use of ICT systems the number of motives for attacking these systems has also increased. Various ICT systems and associated threats have been described in this and previous sections, but what ICT based technologies are currently being deployed? And what types of attack/s are they susceptible to?
6.0 ICT BASED TECHNOLOGIES & ASSOCIATED THREATS
As new ICT based technologies are adopted and deployed, new vulnerabilities are often created. This section will explore some of the new technologies being deployed and the associated vulnerabilities. It aims to determine whether the ICT based systems currently being deployed improve or degrade information and communications security.
6.1 BUSINESSES ICT TECHNOLOGIES & THREATS
Virtualization is one of the major technologies currently being deployed and is alleged to be one of the top technology trends of 2010 (Duvall, 2010), but in 2009 100,000 websites were destroyed as a result of an attack on a virtualization application (Goodin, 2009). Virtualization allows multiple operating systems to run simultaneously on a single physical machine while sharing hardware resources (McCabe, 2009). While some believe virtualized systems are less secure than non-virtualized systems (Morgan, 2010), others believe an additional layer of security is added (Collins, 2009).
A service currently being implemented by large organizations is cloud based computing, which allows people to host their services, such as websites, within large data centres (Goodin, 2009). It is proposed that this approach to hosting services is more secure and can protect businesses against threats, as a large amount of hardware and bandwidth resources, as well as computer and network security expertise, will be allocated to the data centres, ensuring optimum performance, security and lower operating costs (Howarth, 2010). But a security company has found that cloud based services could be vulnerable to malicious attacks (Evans, 2010).
Another major technology that has been and continues to be deployed is VoIP (Voice over Internet Protocol), which allows telephone calls to be made over IP based networks such as the internet in contrast with the PSTN (Cioara, 2009, p. 34).
An expert previously demonstrated how easy it is to eavesdrop and record multiple calls simultaneously; in an experiment he demonstrated the ease of capturing an entire company's calls (Dunn, 2007).
6.2 HOME ICT TECHNOLOGIES & THREATS
This subsection will provide an overview of some of the ICT based systems that are aimed at home use and the associated vulnerabilities.
Home automation is a concept which involves the interlinking of multiple home devices such as lighting, heating, curtains, home entertainment systems, and CCTV cameras, among various others, and linking them via a network to a control system. The control system can then be linked to the internet and accessed via a variety of interfaces, such as a web browser or custom application, to monitor and control these devices (Spink, 2010). This opens up a range of vulnerabilities: if the control system is compromised, all devices controlled by it are under the control of the hacker. Another interesting device that is part of the home automation concept is the network based home intercom, also known as an "IP video door entry system", which can be used to open a door via local or remote interfaces to a control system (Your smart and friendly doorkeeper, n.d.). This opens up the vulnerability of an attacker being able to open a target's door remotely via the internet.
As indicated in this subsection, home based attacks are limited to relatively small numbers of target devices, with small incentives in relation to business and government organizations among others. Various issues related to information and communications security from the past and present have been investigated, but is it likely that ICT security will improve in the future?
7.0 THE FUTURE OF INFORMATION AND COMMUNICATIONS SECURITY
Standard supermarket checkouts are constantly being replaced by self-pay checkouts; supermarket chains Asda (Asda Ramps-up self service checkouts, 2009), Tesco (Daily Mail Reporter, 2009), Morrison's (Morrison's plots, self service future, 2008) and Sainsbury's (Parker, 2010), among various others, have already replaced a large number of their standard checkouts. As self-pay checkouts, also known as self-service checkouts, are specially designed computer systems, they are likely to introduce vulnerabilities into businesses and may be compromised in the future.
RFID (Radio Frequency Identification) microchips which are implanted in people's arms are currently being sold to the public and businesses in various locations around the world, including the UK. The RFID tags are primarily aimed at providing hospitals access to patient medical records in the US (Human Barcode, 2009); companies offering the implant include "Positive ID" and IBM. The chip is injected into a person's arm and contains an identification number; when the microchip is scanned using a special scanner, data associated with the microchip can be obtained. The UK government planned to implant RFID chips into all children born in the UK to ensure the UK is at the forefront of ICT technology (Grant, 2008); the UK government also devised a plan to implant prisoners with the microchip for tracking purposes (Gultierrez, 2008). This technology could be used to link all of a person's information, including passport information, banking, and driving license, among numerous other details, which would be very convenient. It could also create major vulnerabilities, as the ID values within the microchips are wirelessly accessed by an active device within range of the RFID tag; this could lead to large scale identity fraud, among other risks.
The concept of robots is not new and has been widely propagated via popular movies such as the "Terminator" trilogy and "I Robot", among others. Although robots are not currently walking the streets or owned by members of the public, they are now a reality. The car specialist company Honda has been conducting research and development in robotics since 1986 and has created a robot named ASIMO (Advanced Step in Innovative Mobility). It has the ability to recognize people and call them by name once a name has been identified to it, run at a speed of up to 6 km per hour, climb stairs, jump up to 5cm high, and respond to specific instructions, among various other features. It can also be connected to the internet to obtain instructions or to download content such as news reports and weather forecasts, which will be described when the ASIMO is asked for the information (ASIMO, n.d.).
Robots have been used for many years in specific areas of society such as medicine, but these are not like those illustrated in many movies; an example is a robot with 1cm arms which can move around the inside of a human body to conduct surgical procedures, controlled remotely by surgeons (Takata, 2009). If robots such as Honda's ASIMO become widely used, it is likely that motives will arise for attacking the systems and they will be compromised; the result of the compromise will be limited by the function of the robot and the imaginations of the attackers. In relation to what is portrayed in many movies, the concept of robots taking over the planet seems unreal, but as attackers are able to compromise and remotely control 13 million computers located in 190 different countries, as described in section 3.2, the concept of a hacker obtaining control of robots around the world seems very real.
"The urge to discover secrets is deeply ingrained in human nature; even the least curious mind is roused by the promise of sharing knowledge withheld by others" (Chadwick, 1990, p. 1.). It seems as though the more reliant people become on ICT systems the less secure people become as the number of vulnerabilities increase. As indicated in section 2.1 for over 4000 years methods of information and communications security have been and continue to be created, although certain methods ensure security for a period of time, when there has been a motive for infiltrating specific security methods the methods have been broken.
As described in section 4.0, harsh penalties have been allocated to people who have committed hacking offences, with increased severity when the targets have been government organizations; it is assumed that these penalties have been allocated to deter other potential hackers.
The trend towards increased reliance on ICT systems shows no signs of slowing down. The number and diverse range of security breaches, ranging from games console hacks to electrical power grid, traffic light network, military network, and satellite system hacks, have also increased. The number of vulnerabilities is continuously increasing with the deployment of wireless, VoIP, and virtual networking technologies, among others. There has always been and continues to be a compromise between functionality and security; increased functionality normally results in increased vulnerabilities.
As long as there is aspiration by some individual or group to break a form of security, a system will remain vulnerable to attack; once a method of security is attacked it is only a matter of time until it is broken. With the continuous desire for secrecy, information and communications methods will remain insecure, as there will always be a desire to uncover the secret.