Worms, DDoS and Cyber-Terrorism

Written by Kim Fitzer, Hinsdale Central High School, Hinsdale, Illinois
Originally written by David Stone, University Laboratory High School, Urbana, IL


Introduction

In addition to viruses, Trojan horses and logic bombs, additional hazards have materialized that may have a much greater impact on our ability to continually and safely access the Internet. These new cyber-threats run the gamut from nothing more than a mere nuisance to affronts on our national security. Furthermore, they seem to be proliferating at a much faster rate than previously observed(1). A government agency responsible for tracking breaches in security reported that incidents involving computer network security breaches rose from almost 10 thousand just two years ago to nearly 35 thousand in the first 9 months of 2001(2). And in the wake of the September 11 attacks, the rate of computer security breaches is dramatically increasing. The new attacks include:

  • Worms
    Often incorrectly called a virus, a worm is an independent program that has the ability to replicate itself across networks and from machine to machine. It has the ability to cause significant network congestion and can render a communication system useless if allowed to run unchecked. Recently, two worms, Code Red(3) and Nimda(4), wreaked havoc on business and institutional servers throughout the world.
  • Blended Threats
    The newest wave of viruses has the characteristics of a virus, worm and Trojan horse combined. Embedded in its sophisticated code are instructions that let it behave at times like a virus, at times like a worm that spreads its code to other computers, and at times like a Trojan horse that may mutate within a victim's computer and cause irreparable harm to the operating system. Most recently, the Klez(5) virus surfaced and spread quickly throughout the world, infecting virtually everyone's email system. Seven months after its discovery, it appears to still be at large.
  • Distributed Denial of Service Attacks
    DDoS attacks employ armies of "zombie" machines that are controlled by a single master server. These machines will then inundate a target server with thousands of packets of data, in an attempt to overwhelm the server and cause it to crash. Beginning in February of 2000, e-commerce sites were the subject of DDoS attacks(6), and in May of 2001, the whitehouse.gov site fell under a barrage of denial of service assaults(7). DDoS attacks are on the rise and are particularly common after a military attack, such as in Israel, Palestine, India and Pakistan. Any computer that is unprotected by firewalls can be used as a "zombie," and personal computers with high-speed Internet access are especially vulnerable.
  • Unauthorized Intrusions
    Sensitive information such as credit card numbers and classified government information are the targets of these assaults on computer systems. Attackers usually seek to pilfer or alter the information they find, and the results can be especially damaging. International organized crime networks and foreign adversaries are the primary culprits (8).

Issues
  • Schools are generally not seen as targets of cyber-terrorists. However, the presence of technologically savvy teen programmers, or "script kiddies," in schools is a concern, particularly for schools with inadequate security. Young hackers are not usually skilled enough to write their own hacking programs and rely on the 30,000 or so downloadable hacking applications available on the Internet to wreak havoc on their school's servers (9). The damage that they are capable of is usually confined to disabling filters and gateway software, or accessing student information systems. So far, there have been no reports of truly malicious or deadly threats from the teenage hackers. Still, given the violence of the Columbine High incident, it seems that the potential exists.
  • Because the authors of viruses, worms and other cyberthreats are difficult to trace, authorities involved with school security have no way of knowing whether a virus entered the system via someone's email, or was generated by a student within the school.

Minimizing The Potential
  • Follow "best practices" in establishing and maintaining a school security system
    It is advised that a regular system of security maintenance be established and followed: regularly update operating systems and software, strictly enforce password policies and AUPs, disable unnecessary services, install and update anti-virus software on a very frequent basis, and employ intrusion detection systems and firewalls. Prevention is the best cure, and it is reported that schools may be the most vulnerable to attacks because they use older systems with unwieldy security programming, or outdated protocols.
  • Be On High Alert
    School system administrators should be on high alert for the warning signs of hostile cyber activity. Internet logs and incoming and outgoing email should be scanned regularly, and any suspicious activity should be looked into and reported to the administration and, if necessary, to the local authorities. An emergency incident plan should be established as well, in case the system is temporarily or permanently disabled by a virus.
  • Employing Ingress and Egress Filtering
    To guard against possible DDoS attacks, schools can program network hardware to discard any outbound packet whose source IP address does not belong to the router's client networks (egress filtering). Likewise, any inbound IP packet with an untrusted source address should be filtered out before it has a chance to enter the network (ingress filtering)(10).

Legal Implications
  • Schools may find themselves subject to lawsuits if unauthorized intrusions result in the access of sensitive student information such as medical information, grade reports, and scheduling.
  • Because of the perceived anonymity of the Internet, students that engage in acts of cyber terrorism may not feel the same sense of guilt and wrongness which would be experienced if the transgression were outwardly observable. Creating a virus and releasing it into the school's security system is wrong, but knowing that there is little chance of getting caught may make it more attractive than defacing school walls or damaging physical property (11).

Frequently Asked Questions (FAQ)

Are AUPs effective weapons against cyber threats such as viruses, worms and other attacks?

While AUPs can guard against some types of Internet improprieties, the primary function of an AUP is to limit the legal liability of a school or district in the event that student or employee misuse of the Internet leads to foul play. Students that engage in hacking, virus programming and the like may be operating under the theory that they will not be caught and so have no regard for an AUP. Furthermore, an AUP is absolutely no defense against an attack from outside of the school.

What is the best defense against these acts of cyber terrorism?

As stated before, the best defense is a good offense. School security administrators should be on high alert for possible breaches in the firewalls, and frequently update their virus protection software. Severe penalties and a strict enforcing of security policies and AUPs may also have some impact on discouraging student improprieties. Scanning incoming and outgoing email for viruses and worms may also stop a potential intrusion, and programming routers to automatically discard any packet of information that does not originate from a network IP address can also protect school computers.
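The source-address filtering described in the "Ingress and Egress Filtering" section and restated in this answer, as an added example that is not part of the original page: the client prefixes, the bogon list and the sample packets are constructed values, and the router is modelled as a pure decision function.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

# Constructed sample values: the address blocks this school's router serves.
CLIENT_NETWORKS = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/26")]
# Constructed list of private/loopback/link-local/multicast/"this network"
# ranges; a packet arriving from the Internet should never carry one of these.
BOGON_NETWORKS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8")]

class Packet(NamedTuple):
    direction: str  # "out" = leaving toward the Internet, "in" = arriving from it
    src: str        # source IP address as text
    dst: str

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def filter_decision(pkt, clients=CLIENT_NETWORKS, bogons=BOGON_NETWORKS):
    """Return ("forward" | "drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        # Egress: a leaving packet must carry one of *our* addresses; a zombie
        # inside the network that spoofs its source is stopped at the edge.
        if not _in_any(src, clients):
            return "drop", "egress: source not in client networks"
        return "forward", "egress: source is ours"
    if pkt.direction == "in":
        # Ingress: an arriving packet cannot legitimately claim one of our own
        # addresses, nor come from a range that is not routable on the Internet.
        if _in_any(src, clients):
            return "drop", "ingress: source claims our own address space"
        if _in_any(src, bogons):
            return "drop", "ingress: non-routable (bogon) source"
        return "forward", "ingress: source is plausible"
    raise ValueError(f"unknown direction {pkt.direction!r}")

def apply_filter(packets, **kw):
    """Decide every packet; return the decisions and a drop count per reason."""
    decisions = [filter_decision(p, **kw) for p in packets]
    return decisions, Counter(r for v, r in decisions if v == "drop")

# Constructed sample traffic: legitimate and spoofed packets in each direction.
SAMPLE_PACKETS = [
    Packet("out", "192.0.2.45", "203.0.113.7"),  # legitimate outbound
    Packet("out", "203.0.113.7", "192.0.2.1"),   # outbound with spoofed source
    Packet("in", "203.0.113.7", "192.0.2.45"),   # legitimate inbound
    Packet("in", "192.0.2.9", "192.0.2.45"),     # inbound forging our own address
    Packet("in", "10.1.2.3", "192.0.2.45"),      # inbound from private space
]
```

Running `apply_filter(SAMPLE_PACKETS)` forwards the two legitimate packets and drops the other three, each with the reason a log entry would record.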

How real is the threat of cyber-terrorism?

While schools at this point do not seem to be targets of terrorism, there is an increased awareness that the potential for a widespread attack on multiple public institutions exists. Vulnerabilities in our military, air traffic control, financial and power infrastructures have been reported by the Department of Defense, the Center for Strategic and International Studies, the FAA and the National Security Council(12). Already, DDoS attacks have been reported on government websites throughout the world, and worse, they seem to coincide with military, paramilitary and terrorist events and operations. After a Chinese fighter plane and an American surveillance plane collided in May of 2001, U.S. government websites were flooded with DDoS attacks and pro-Chinese defacements(13). Experts agree that worldwide terrorist organizations such as Al Qaeda are increasing their technological sophistication by developing communication cryptography through the Internet; it seems likely that they are also capable of global cyber terrorist acts. Beyond the terrorist threat, many governments, including the U.S. Department of Defense, are developing cyber weapons of their own for use in the event of a military attack(14). Because the world has become increasingly dependent on information technology, it has also become an increasingly attractive target.

Annotated Web Site Directory
eSchool News is an extremely valuable website that focuses on K-12 schools and all aspects of educational technology. It has links regarding AUPs, filtering, E-Rate, RFPs, information on complying with CIPA, problem-based learning using technology, and of course, cyber-terrorism.
http://www.eschoolnews.com/

Much of the information that exists about schools and their relationship to cyber crime can be found on this site. Topics include hacking, AUPs, security precautions, the latest viruses, articles on types of viruses, case law, filtering and other pertinent subjects.
http://www.lhric.org/security/

Developed by child Internet safety guru Nancy Willard, this very useful and informative website can be used as a guide for parents, teachers and students for developing an Internet safety plan. Ms. Willard advocates the teaching of responsible use of the Internet, and relies on the teaching of ethics to illustrate her point.
http://responsiblenetizen.org/

Other References
(1) 2001. Vatis, Michael A. "Cyber Terrorism: The State of U.S. Preparedness." Statement prepared for the House Committee on Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. Statement given on September 26, 2001.

(2) 2001. Rodriguez, Ciro D. "Cyberterrorism - An Emerging Threat To National Security." Published on infowar.com http://www.infowar.com/class_3/01/class3_112901a_j.shtml

(3) 2002. "CERT® Advisory CA-2001-19 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL." Published on Carnegie Mellon University Software Engineering Institute's site. http://www.cert.org/advisories/CA-2001-19.html

(4) 2001. "CERT® Advisory CA-2001-26 Nimda Worm." Published on Carnegie Mellon University Software Engineering Institute's site. http://www.cert.org/advisories/CA-2001-26.html

(5) 2002. Brandt, Andrew. "Klez: The virus that won't die?" Excerpt from PC World Magazine, published on Network World Fusion. http://www.nwfusion.com/news/2002/0703klez.html

(6) 2000. McWilliams, Brian. "Is Scanning the Answer to Web Attacks?" Published on Internet.com website. http://www.internetnews.com/bus-news/article.php/3_302461

(7) 2001. Lemos, Robert. "Hackers Cripple White House Site." Published on Tech News/CNET.com. http://news.com.com/2100-1001-257068.html?tag=rn

(8) 2001. Vatis, Michael A. "Cyber Terrorism: The State of U.S. Preparedness." Statement prepared for the House Committee on Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. Statement given on September 26, 2001.

(9) 2002. Reilly, Peter. "Cyberterrorism and Schools: Scriptkiddies, Hacktivists and Cyberterrorists." Published on LHRIC School Security Site. http://www.lhric.org/security/desk/letter7.html

(10) 2001. Vatis, Michael A. "Cyber Terrorism: The State of U.S. Preparedness." Statement prepared for the House Committee on Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. Statement given on September 26, 2001.

(11) 2000. Willard, Nancy. "What is Right and What is Wrong." Published by the Responsible Netizen Center for Advanced Technology, University of Oregon at Eugene. p. 2

(12) 2002. Reilly, Peter. "Cyberterrorism and Schools Part II: How Real is the Threat of Cyberterrorism?" Published on LHRIC School Security Site. http://www.lhric.org/security/desk/letter8.html

(13) 2001. Lemos, Robert. "Hackers Cripple White House Site." Published on Tech News/CNET.com. http://news.com.com/2100-1001-257068.html?tag=rn

(14) 2002. Reilly, Peter. "Cyberterrorism and Schools Part II: How Real is the Threat of Cyberterrorism?" Published on LHRIC School Security Site. http://www.lhric.org/security/desk/letter8.html

5 August 2002

Developed 29 July 2002.