Terrorist use of the internet

Terrorists are using web technology to help them launch cyber attacks. What are the current and future threats?

by Matteo Cavallini, MSc (Royal Holloway) and John Austen, ISG, Royal Holloway

Royal Holloway Information Security Thesis Series | Terrorist use of the internet


Terrorist use of the internet: an analysis of the current threat and its potential evolution

As internet technology evolves, so the possibilities increase for terrorists to make use of web tools to help them carry out attacks. The race is on for security researchers to analyse and predict internet-based tactics that might be used, helping law enforcement authorities to develop countermeasures.

The internet is a tool that, after about 30 years, has resulted in a huge change in everyday life, modifying the lifestyle of the public, companies and government. Terrorist groups have not been immune to these changes. Initially, they developed some capabilities at an individual level, but these have evolved over time towards a more structured approach in the use of the internet.

At the moment, the proven, main uses of the internet for terrorist purposes are related to the activities listed in the box (below). This great interest by subversive movements in using the net to carry out their activities has recently driven many analysts to hypothesise that the conditions to exploit the internet as a weapon are now very close.

It is important to note that there is a big difference between using the internet to support terrorist activities and using it to launch attacks. Only the latter can be fully defined as a cyber-terrorist act. In fact, the prerequisite to assess an event as “cyber-terrorism” is the use of the internet to produce violence and/or physical effects, as in a “traditional” kinetic attack. Bearing this in mind, it is apparent that terrorists and cyber-terrorists are different categories of criminal with different skillsets and different views about targets.

Box: Terrorist use of the internet

- Diffusion of terrorist propaganda.
- Radicalisation and proselytism.
- Collection and transfer of funds.
- Diffusion of materials related to preparation of attacks.
- Co-ordination of activities.
- Communication of secret messages.
- Information and intelligence gathering.
- Support during the preparation and execution of attacks.

Use of malware

At the moment, the likelihood of a “pure” cyber-terrorist attack is not very high. Looking at the near future, what seems more likely is the use of malware or other internet tools to support and multiply the effects of traditional terrorist attacks. For example, a terrorist group could easily use crimeware such as Zeus or Citadel in a new, creative way to reinforce the fear generated by a kinetic attack within the population. Such use of crimeware during a terrorist attack can include the following:

- Use of botnets to mail a huge number of “spam” emails with threatening messages to conduct a disinformation campaign and to diffuse malware.

- Use of the man-in-the-browser features typical of Zeus and SpyEye to conduct or support psyops (for example, conjuring up false and scary news while a victim uses an infected PC to surf news websites).

- Use of ransomware to cripple PCs and to scare the population.

SWATing and TDoS

Cyber-terrorists can also use two other online techniques to increase the impact of a terroristic attack: SWATing and TDoS.

SWATing (or swatting) is a way of tricking emergency services into an unnecessary response, for example deploying bomb squads, SWAT units and other police units and simultaneously evacuating private and public buildings, based on a false report of an ongoing critical incident.

Specifically, caller ID spoofing can be used to trick telephone systems to force the authorities into responding to a non-existent emergency. This can cause massive extra disruption during a terrorist attack by raising false alarms or by causing the police and other public resources, such as ambulances and fire engines, to be deployed in the wrong places.

Meanwhile, TDoS (telephony denial of service) involves targeting a DoS attack on the world of telephony. Over the last couple of years, this tactic has grown rapidly, becoming one of the most worrying cyber attacks. Until now, it has been used to extort money from public and private organisations in a classic ransom scheme: if you don’t pay us, we can block your phone, damaging your business and your image.

However, the potential use of TDoS in a terroristic attack is enormous. Imagine being denied access to telephone emergency services during an attack, or the attacker’s target being isolated. Then you can comprehend the potential of this technique to create havoc.

VoIP

Finally, the increasing use of VoIP (Voice over Internet Protocol) as a telephony method has broadened the possibilities for cyber attacks.

GPS and Google Earth

To assess the new dangers of online tools being used during a terrorist attack, we must evaluate the potential for misuse of some of the ordinary internet tools that are part of our everyday lives. For example, one of the most important innovations is online maps and GPS navigators, particularly when they are integrated into mobile phones. We use these devices to find a route to a location without needing to spend time on research, planning or training. Paper maps have almost completely vanished from our cars and homes.

But this essential technology can also benefit a terrorist cell, enabling it to move and operate in unfamiliar territory with surgical precision. This fact has already been proved in the field during the Mumbai attack of 2008, when a commando group of 10 terrorists were able to move around and operate in a city where none of them had ever performed real field reconnaissance. The terrorists were able to conduct a complex operation involving three main targets and many secondary targets, engaging in conflict, first with the Indian police and then with the Indian army. The attack resulted in more than 160 fatalities and 300 other casualties among civilians and law enforcement agents.

During the subsequent trial, it was proved that all of this was possible because:

- The attack was planned accurately with the use of Google Earth.
- The terrorists were able to follow their plan and their selected routes with the use of GPS devices.
- They were able to react to police action by using smartphones to communicate details of the situation in real time.

Before this attack, the general public did not appreciate the possibilities of terrorist use of Google Earth or smartphones. Such insight was limited to some researchers and military entities.

Google Glass

At this point, we should consider how terrorist use of internet technology might evolve. Which tools could enable a terrorist cell to take the next cyber-leap to launch an attack? One of the main candidates for this scenario is Google Glass.

Google Glass is a device fundamentally based on augmented reality: a live, direct or indirect view of a physical, real-world environment whose elements are supplemented by computer-generated sensory input, such as sound, video, graphics or GPS data.

By wearing a Google Glass device and giving vocal commands or by touching the user’s arm, it is possible to:

- See contextual information.
- See directions to reach a destination.
- Send and receive messages and emails.
- Take a photo or record a video.
- Perform internet searches.
- Interact with social networks.
- Recognise people and obtain information about them (see Figure 1).

Figure 1: Image recognition (from “Google buys image and gesture recognition company Viewdle”)

For example, by using Google Glass, a tourist would be able to receive information while exploring the Colosseum in Rome just by looking at the ancient ruins. Similarly, a terrorist commando can be guided through an unfamiliar path to attack a target that will be automatically recognised the moment it appears. It is also important to note that even though Google Glass is currently not in widespread use, its security has recently been breached by the development of a “jailbreak” procedure that gains root privileges. This is not unexpected but is very worrying, because it then becomes possible, for example, to install unapproved software and modify the modes of use of the hardware, forcing the device to perform new actions or to be used in unapproved ways.

Google Glass is not unique; there are other head-up displays on the market. One of these is particularly interesting – Brother’s AiRScouter. This is a tool used in industry to help workers perform complex tasks without having any previous specific knowledge or expertise. It interacts with an online expert system and provides views of contextual explanatory images (see Figure 2). This technology opens a new world of possibilities for terrorist groups, which can gain enormous power by increasing their ability to realise and execute attacks. At the moment, such ideas are only hypotheses, but sooner or later someone will be ready to exploit them. Hence, a complete analysis of these scenarios is needed to be ready to face possible future emergencies.

Figure 2: Scene from AiRScouter movie

Preparedness

Finally, to be fully prepared for the future, it is necessary to perform a risk assessment of a major terrorist cyber attack, particularly one involving critical infrastructure (see Figure 3).

Using a methodology derived from the UK’s National Security Risk Assessment (NSRA) and the Netherlands’ National Security and Safety Method (NSSM), these risks can be compared with some more “traditional” big terroristic attacks. Such events should be investigated in this wider context by national and international bodies to fully comprehend their real significance.

Conclusion

From a terrorist’s point of view, there are many difficulties in carrying out these kinds of attack, but the extension of the area of attack and the possibility of hitting targets that are otherwise out of reach are strong incentives for terrorists to overcome the problems. The strategy adopted by many terrorist groups to encourage action by lone individuals can be a way to circumvent some of the difficulties of cyber attacks.

In fact, if a cyber attack is planned and carried out by an insider (someone who already has the necessary skills and is in a position to gather the necessary information), then all the difficulties could be overcome. Given these assumptions, cyber attacks carried out by terrorist groups are possible in the medium term, opening a new chapter in terrorism’s deadly history.

As security researchers, we are duty-bound to analyse all the possibilities and try to predict the most likely scenarios, to give decision- and policy-makers the chance to develop and adopt effective countermeasures to fight terrorism in any form it might take.

About the authors

Matteo Cavallini has 15 years’ experience in information security, both for industry and government. At present, he works for Consip, the Italian governmental procurement agency, as head of security and IT unit (CIO). He is also leader of the Internal Computer Emergency Response Team. Since 2010, he has been in charge of co-ordinating Consip’s activities and tasks on cloud security. In July 2011, Consip published his ebook, Cloud Security: a challenge for the future, as an official paper. He is also vice-president of the Italian chapter of the Cloud Security Alliance, a permanent member of the European Electronic Crime Task Force and one of the authors of the annual Clusit report on ICT security in Italy.

John Austen is a consultant lecturer on the MSc in information security at Royal Holloway University of London. He was head of the Computer Crime Unit at New Scotland Yard until September 1996. He was the first chairman of the Interpol Computer Crime Committee, from 1991 to 1996 and was responsible for worldwide standardisation of police procedure.

Figure 3: Risk diagram for some critical infrastructure incidents. (Adapted from “Working with scenarios, risk assessment and capabilities in the National Safety and Security Strategy of the Netherlands,” October 2009)