
Cyber Attack Taxonomy – Glossary - Treadstone 71


Cyber Attack Taxonomy – (unfinished draft)

script kiddies, newbies, novices
This is the least sophisticated category of adversaries, made up of individuals with limited programming skills. They are new to hacking and rely on pre-written scripts known as 'toolkits' in their exploits; examples include NeoSploit, WebAttacker, and IcePack (Westervelt, 2007). The primary motivation of these adversaries is boredom and thrill-seeking; they are often young and eager for acceptance from the hacker subculture. Though they are attracted to deviant behavior, their overall maliciousness level tends to be low because of their limited skills. With the increasing sophistication of the available toolkits, their ability to pull off larger-scale attacks is on the rise, as in the case of the denial-of-service attacks perpetrated by 'Mafia Boy' in Canada (Rogers, 2006).

hacktivists, political activists
These adversaries differ from the other classes in that they are motivated by a political cause rather than personal gain. Their attacks consist primarily of denial of service and defacement attacks against the sites of rival organizations, though they have also been known to employ worms and viruses (Denning, 2001). Their maliciousness is highly focused against the targeted organizations, though it can still have broad-reaching consequences. Some examples of hacktivism include the 'virtual sit-ins' staged by Electronic Disturbance Theater against the Pentagon and other agencies, in protest of perceived civil rights violations; email bombs used by the Internet Black Tigers throughout Sri Lanka to gain publicity for the Tamil Tigers; and worm propagation by WANK (Worms Against Nuclear Killers) on computers in NASA's Goddard Space Flight Center, protesting an upcoming launch (Denning, 2001).

cyber punks, crashers, thugs
Adversaries in this class have similar motivations but greater skills than those in the novice category. They are capable of writing their own (limited) scripts and engaging in malicious acts such as spamming, defacing, and identity theft. These hackers seek attention and prestige and are the most likely to be featured in the media, often because they pick high-profile targets and come to the notice of authorities (Rogers, 2006). Occasionally such adversaries go on to become internet security consultants, as in the case of Kevin Mitnick, who combined his hacking skills with social engineering to gain access to restricted systems (Mitnick, 2002; Rogers, 2006).

insiders, user malcontents
This group of adversaries arguably represents the greatest risk to companies, and yet is often the least publicized (Rogers, 2006; Gelles et al., 2008). Insiders are most frequently motivated by revenge, usually in response to a negative work-related event; this frustration leads them to deliberately attack their own company (Kowalski et al., 2008). The scope of insider damage can be extremely large, as these individuals are often very familiar with the systems they are attacking and often hold elevated access privileges. Insiders often seek to sabotage systems, as in the case of Michael Lauffenberger, who planted a logic bomb to delete data in a system that he had designed, envisioning that he would subsequently come to 'rescue' his company (Shaw et al., 1998).

coders, writers
Adversaries in this category are primarily involved in writing the code and exploits used by others, especially those in the novice category. Their motivation is power and prestige: they see themselves as mentors to the younger hackers and like feeling important (Rogers, 2006). There is a continuum of ability among individuals in this category, and it has been suggested that many such writers eventually 'age out' of this behavior (Gordon, 2006). In general, such writers can be quite dangerous, as their software can be widely distributed and acquire a life of its own.

white hat hackers, old guard, sneakers
Individuals in this category consider themselves 'purists' and subscribe to the flavor of hacking initially popularized at MIT in the early days of computers. They are not malicious hackers and do not wish to cause damage, though they often show a lack of regard for personal privacy (Rogers, 2006). White hat hackers are primarily motivated by the intellectual challenge of testing security systems and creating new programs. They are often hired as security analysts, paid to test a company's defenses by trying to break into its systems and assessing its response (Barber, 2001). The National Security Agency even offers certification in such 'ethical hacking' activities (Taylor et al., 2006). Although these individuals probably should not be considered "adversaries," we include them in our treatment for the sake of completeness.

black hat hackers, professionals, elite
The adversaries in this category are professional criminals who use their technical skills in pursuit of their criminal activities. Like criminals outside the cyber domain, they are motivated by money and greed. Rather than seeking fame, they prefer to lie low and evade authorities (Rogers, 2006). These hackers are both rare and very dangerous, as they have strong technical skills and are often able to support themselves through their criminal exploits. Such adversaries are often employed by organized crime and can be described as 'guns for hire'. Although this is one of the most dangerous types of cyber adversaries, it is also the one about which the least is known (Rogers, 2006).

cyber terrorists
The most dangerous and skilled of all cyber adversary classes, cyber terrorists engage in state-sponsored information technology warfare. Their job is to conduct attacks that destabilize, disrupt, and destroy the cyber assets and data of an enemy nation or government organization (Rogers, 2006). Attacks by cyber terrorists are typically well-funded and highly secretive; the individuals engaging in such activities have extremely high skills and are motivated by ideology. One of the best known examples occurred in Estonia in 2007, following the removal of a Russian World War II monument: a massive denial of service attack crippled the websites of Parliament, several national newspapers, and the central bank (Landler & Markoff, 2007). A similarly crippling DDoS attack preceded the conflict between Russia and the Republic of Georgia in 2008 (Markoff, 2008). Such attacks are hard to prosecute, which makes them even more dangerous, and guarding against them has become a top national priority.

viruses
A computer virus is a program that can copy itself and infect system files without the knowledge of the user. Viruses are transferred when their host is connected with the target system, either via a computer network, the internet, or a form of removable media. The spread of viruses depends on user interaction, in particular on the execution of the corresponding virus code; for this reason many viruses are attached to legitimate program executables. The term 'computer virus' was first used in 1983 by Frederick Cohen, who likened the spread of the program to a biological system (Highland, 1997). Possibly the most destructive virus to date is the ILOVEYOU virus, a Visual Basic Scripting virus that originated in the Philippines and caused 10 to 15 billion dollars of damage worldwide in the year 2000 (Jones, 2006).


File Infectors
File infector viruses infect files on the victim's computer by inserting themselves into a file. Usually the file is an executable, such as a .EXE or .COM file in Windows. When the infected file is run, the virus executes as well. The Infector Virus is an example of a file infector virus obtained from [65]. The Infector Virus infects .COM files in Windows based systems by attaching itself to the end of the target file. Infection occurs when the infected file is run, with the virus selecting one .COM file in the current directory as the target file.

System and Boot Record Infectors
System and boot record infectors were the most common type of virus until the mid 1990s. These viruses infect system areas of a computer such as the Master Boot Record (MBR) on hard disks and the DOS boot record on floppy disks. By installing itself into boot records, the virus can run every time the computer is booted. Floppy disks are often infected because users tend to leave floppy disks in the floppy drive; if a disk is left in the drive, on reboot the computer may boot from the floppy disk, giving the virus a chance to execute. These viruses were very common in the early days of personal computing. However, with the introduction of more modern operating systems, and with virus checks being enabled in the Basic Input Output System (BIOS), few of these viruses are being created today. New means of propagation, such as the Internet, are also much more attractive to virus creators.

Macro Viruses
Macro viruses are simply malicious macros for popular programs such as Microsoft Word. For example, they may delete information from a document or insert phrases into it. Propagation is usually through the infected files: if a user opens a document that is infected, the virus may install itself so that any subsequent documents are also infected. Some macro viruses propagate via email, such as the Melissa virus covered next. Often the macro virus is attached as an apparently benign file to fool the user into infecting themselves.

The Melissa virus is the best known macro virus. It was released in March 1999 and targeted Microsoft Word 97 and 2000. The virus worked by sending the victim an email that appeared to come from an acquaintance. The email contained a Microsoft Word document as an attachment that, if opened, would infect Microsoft Word; if the victim used the Microsoft Outlook 97 or 98 email client, the virus would be forwarded to the first 50 contacts in the victim's address book. Melissa caused a significant amount of damage, as the email sent by the virus flooded email servers. ICSA estimated that Melissa could have caused damage as high as USD $385 million. The classification of Melissa is interesting: some consider it a virus, others consider it a worm. Under the proposed taxonomy in Chapter 4, Melissa is considered to be a mass-mailing worm with a viral payload.

Virus Properties
Viruses often have additional properties beyond being a file infector or macro virus. A virus may also be multi-partite, stealth, encrypted or polymorphic. Multi-partite viruses are hybrid viruses that infect both files and system and/or boot records. This means multi-partite viruses have the potential to be more damaging and more resistant, which makes them a type of blended attack. A stealth virus is one that attempts to hide its presence; this may involve attaching itself to files that are not usually seen by the user. Viruses can use encryption to hide their payload. A virus using encryption knows how to decrypt itself in order to run. As the bulk of the virus is encrypted, it is harder to detect and analyze. Some viruses have the ability to change themselves, either as time goes by or when they replicate. Such viruses are called polymorphic viruses. Polymorphic viruses can usually avoid being eradicated for longer than other types of viruses, as their signature changes.

worms
A computer worm is a self-replicating program that uses a host network to send copies of itself to other computers on the network. As opposed to viruses, worms do not need to attach themselves to existing programs and can spread without any user interaction; moreover, they seek to infect the network infrastructure rather than individual files. Worms spread primarily by exploiting vulnerabilities in operating systems, most often striking unpatched systems after a major security patch has been released. Commonly, worms install a 'backdoor' on infected systems to allow remote control; using this, the Sobig worms were able to create a massive 'botnet' of systems dedicated to sending spam (Levy, 2003). Worms can spread very quickly, as in the case of SQL Slammer, which shut down all of South Korea's online capacity for 12 hours after its launch in 2003 (Jones, 2006).

Mass-Mailing Worms
Mass-mailing worms are an interesting category, as many attacks in this category could quite easily be classified as a worm, a virus or both. For the purpose of this research and the taxonomy, a mass-mailing worm is a worm that spreads through email. Once the email has reached its target it may carry a payload in the form of a virus or trojan. Email, although it may become a file on its journey, is more abstract than a file. Therefore, while some attacks may use email attachments to send viruses, the attack vector is still email. A case could be made that a mass-mailing virus category would be more appropriate, but the proposed taxonomy attempts to use the attack vector as the first means of classification. Therefore, an attack such as Melissa should be classified first as a mass-mailing worm.

Network-Aware Worms
Network-aware worms are a major problem for the Internet. Worms such as SQL Slammer have shown that the Internet can be degraded by a well written worm. Network-aware worms generally follow a four stage propagation model. Although this is a generalization, most network-aware worms fit into this model. The four stages of network worm propagation are:

1. Target selection: the compromised host targets a host.
2. Exploitation: the compromised host attempts to gain access to the target host by exploitation. For example, the SQL Slammer worm exploited a known vulnerability in Microsoft SQL Server 2000 and Microsoft Desktop Engine.
3. Infection: once the worm has access to the target host, it can infect it. Infection may include loading trojans onto the target host, creating back doors or modifying files.
4. Propagation: once infection is complete, the target host is now compromised and can be used by the worm to continue propagation.

trojans
Much like the mythical Trojan horse, trojan attacks function by concealing their malicious intent. They masquerade as a piece of software that performs a desired function, while secretly executing malicious content. Users are fooled into installing the trojan via one of many vectors, most often online downloads or email links. The most common types of trojans install a 'backdoor' on infected systems to allow remote access, or engage in data destruction. As opposed to viruses and worms, trojans do not self-replicate and rely entirely on the distribution of their host program to propagate. The earliest trojan horse dates back to 1975, when the computer game ANIMAL housed the subroutine PERVADE, which copied itself into every directory to which the user had access (Walker, 1996). More recently, in 2008 the Chinese password-collecting trojan Mocmex was found housed in digital photo frames (Soper, 2008).

buffer overflows
In programming, a buffer overflow occurs when a program writes more information into a buffer (temporary memory storage) than the space allocated to it in memory. During a buffer overflow attack, malicious users exploit this property by forcing a buffer overflow to overwrite local variables and alter program execution, forcing the process to execute malicious code introduced by the user. Such techniques are well-documented and most often used to gain control of host systems (Levy, 1996). The buffer overflow technique may be used as a method of enabling other attacks, such as worms, to be executed on a system. This method was used in both the Code Red and SQL Slammer worms, which exploited overflow vulnerabilities in Microsoft's Internet Information Services and SQL Server respectively (Chen & Robert, 2004).

denial of service
A denial of service attack functions by making a computer network or resource inaccessible to legitimate users. Most often this is accomplished by "flooding" the target with data, so that it is overloaded with requests. Common targets of these attacks include network routers (resulting in very slow network performance), DNS servers (resulting in an inability to access websites), and email accounts (resulting in a "mail bomb" deluge of spam). In a distributed denial of service attack, multiple systems combine to flood the bandwidth and resources of the target. The first widely publicized distributed attack occurred in 2000, when numerous high-profile websites (including Amazon.com, Yahoo, eBay, and CNN) were crippled for several hours (Garber, 2000). Such attacks can also have political overtones, as in the bombardment of Georgian government websites shortly preceding the conflict with Russia (Markoff, 2008).

Buffer Overflows
Buffer overflows are probably the most widely used means of attacking a computer or network. They are rarely launched on their own and are usually part of a blended attack. Buffer overflows exploit flawed programming in which buffers are allowed to be overfilled. If a buffer is filled beyond its capacity, the data filling it overflows into the adjacent memory, where it can either corrupt data or be used to change the execution of the program. The two main types of buffer overflows are described below.

Stack Buffer Overflow
A stack is an area of memory that a process uses to store data such as local variables, method parameters and return addresses. Often buffers are declared at the start of a program and so are stored on the stack. Each process has its own stack and its own heap (as explained in the next section). Stack overflows are the most common form of buffer overflow. Overflowing a stack buffer was one of the first types of buffer overflow and is one that is commonly used to gain control of a process. In this type of buffer overflow, a buffer is declared with a certain size. If the process controlling the buffer does not make adequate checks, an attacker can attempt to put in data that is larger than the size of the buffer. This means that once the buffer is full, the remaining data being put into it overflows the buffer and overwrites the adjacent memory. An attacker may place malicious code in the buffer. Part of the adjacent memory will often contain the pointer to the next line of code to execute. Thus, the buffer overflow can overwrite the pointer to point to the beginning of the buffer, and hence the beginning of the malicious code. In this way, the stack buffer overflow can give control of a process to an attacker.

Heap Overflows
Heap overflows are similar to stack overflows but are generally more difficult to create. The heap is similar to the stack, but stores dynamically allocated data. The difference between stack allocated data and heap allocated data is shown below:

    #include <stdlib.h>

    int main(void)
    {
        /* stack_buffer lives on the stack: fixed size, released
           automatically when main() returns */
        char stack_buffer[256];
        /* heap_buffer lives on the heap: allocated at run time with
           malloc() and must be released explicitly */
        char *heap_buffer = (char *) malloc(256 * sizeof(char));
        (void) stack_buffer;    /* unused in this illustration */
        if (heap_buffer == NULL)
            return 1;
        free(heap_buffer);
        return 0;
    }

The heap does not usually contain return addresses like the stack, so it is harder to gain control over a process than if the stack is used. However, the heap contains pointers to data and to functions. A successful buffer overflow will allow the attacker to manipulate the process’s execution. An example would be to overflow a string buffer containing a filename, so that the filename is now an important system file. The attacker could then use the process to overwrite the system file (if the process has the correct privileges).
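As an added example that is not part of the original glossary, the unchecked copy behind both the stack and heap cases described above is shown in C beside a length-checked replacement that refuses input which does not fit. The record layout (a name buffer directly followed by the filename the process later uses), the buffer sizes and the sample filename are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 32
#define PATH_LEN 64

/* Constructed layout: a user-supplied name sits directly before the
   filename the process later opens, as in the heap case above. Bytes
   written past the end of name[] land in filename[]. */
struct record {
    char name[NAME_LEN];
    char filename[PATH_LEN];
};

/* Vulnerable version: strcpy() copies until it finds the source's
   terminating NUL, so a name of NAME_LEN bytes or more runs past
   name[] into filename[]. With a stack array the same mistake
   overwrites the saved return address instead. */
void set_name_unchecked(struct record *r, const char *name)
{
    strcpy(r->name, name);
}

/* Length of s, never looking further than max bytes, so an
   unterminated input cannot cause an over-read while measuring. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version: measure the input against the capacity before
   copying and reject oversized input instead of silently truncating
   it (truncation can itself yield an unexpected name or path).
   Returns 0 on success, -1 if the input does not fit; the record is
   left untouched on rejection. */
int set_name_checked(struct record *r, const char *name)
{
    size_t len = bounded_len(name, NAME_LEN);
    if (len >= NAME_LEN)          /* no room for the terminating NUL */
        return -1;
    memcpy(r->name, name, len + 1);
    return 0;
}

/* Demonstration: store a name of name_len 'A' characters through the
   checked path into a record whose filename is known, then verify the
   filename. Returns 1 if the name was stored and the filename is
   intact, 0 if the name was rejected and the filename is intact,
   -1 if the filename changed or allocation failed. */
int store_name_and_verify(size_t name_len)
{
    const char *expected = "/var/tmp/report.txt";   /* constructed */
    struct record *r = calloc(1, sizeof *r);
    char *name = malloc(name_len + 1);
    int rc, result;

    if (r == NULL || name == NULL) {
        free(r);
        free(name);
        return -1;
    }
    strcpy(r->filename, expected);
    memset(name, 'A', name_len);
    name[name_len] = '\0';

    rc = set_name_checked(r, name);
    if (strcmp(r->filename, expected) != 0)
        result = -1;
    else
        result = (rc == 0) ? 1 : 0;

    free(name);
    free(r);
    return result;
}
```

The same check applies unchanged to a stack array; what differs is only which neighbour an unchecked copy would have clobbered.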

Denial of Service Attacks
Denial of Service (DoS) attacks, sometimes known as nuke attacks, are designed to prevent legitimate users of a system from accessing or using the system in a satisfactory manner. DoS attacks usually disrupt the service of a network or a computer so that it is either impossible to use or its performance is seriously degraded. There are three main types of DoS attacks: host based, network based and distributed.

Host Based
Host based DoS attacks aim at attacking computers. Either a vulnerability in the operating system or application software, or a weakness in the configuration of the host, is targeted.

Resource Hog
Some host based DoS attacks are designed to use up (hog) resources on a computer. Resources such as CPU time and memory are the most common targets. For example, a trivial resource hog is the fork bomb. A fork bomb simply spawns child processes continually; thus, over time, more and more resources are taken up by the bomb and its children. A Unix based fork bomb, written in C, is shown below (when run on a Gentoo Linux 1.4 box, it caused an almost instantaneous lock up):

    #include <stdlib.h>
    #include <unistd.h>   /* declares fork() */

    int main(void)
    {
        /* every child runs the same loop, so the number of processes
           grows without bound until the system runs out of resources */
        while (1) {
            fork();
        }
        return 0;
    }

Fork bombs, while very effective, are usually easily detected, either through the marked increase in processes or through logging. They can also be easily prevented by configuring the operating system correctly. Another type of resource hog accesses memory in certain patterns so that thrashing occurs: more memory pages are accessed than can fit in physical memory, so pages are written to and read from the hard disk repeatedly, which slows the system down significantly. CPU hogs such as Snork exploit vulnerabilities in the operating system. The Snork attack consumes 100% of the target's CPU time. Snork also has a network based DoS component that allows it to reduce network bandwidth for legitimate users by continuously bouncing packets between hosts on the network.

Crashers
Crashers are a form of host based DoS that are simply designed to crash the host system so that it must be restarted. Crashers usually target a vulnerability in the host's operating system. Many crashers work by exploiting the implementation of network protocols by various operating systems: some operating systems cannot handle certain packets, which if received cause the operating system to hang or crash. Some examples of crashers include Land, Teardrop and the Ping o' Death.

Network Based
Network based DoS attacks target network resources in an attempt to disrupt legitimate use. Network based DoS attacks usually flood the network and the target with packets. To succeed in flooding, more packets than the target can handle must be sent, or, if the attacker is attacking the network, enough packets must be flooded that the bandwidth left for legitimate users is severely reduced.

Three main methods of flooding have been identified:

TCP Floods: TCP packets are streamed to the target.
ICMP Echo Request/Reply: ICMP packets are streamed to the target, essentially "pinging" the target.
UDP Floods: UDP packets are streamed to the target.

In addition to a high volume of packets, packets often have certain flags set to make them more difficult to process. If the target is the network, the broadcast address of the network is often targeted. One simple way of reducing network bandwidth is through a ping flood. Ping floods can be created by sending ICMP request packets of a large size to a large number of addresses (perhaps through the broadcast address) at a fast rate. On most modern operating systems, root access is required to run the ping utility in that way.

Distributed
The last type of DoS attack is perhaps the most interesting. Distributed DoS (DDoS) attacks are a recent development in computer and network attack methodologies. The DDoS attack methodology was first seen in 1999 with the introduction of attack tools such as The DoS Project's Trinoo, The Tribe Flood Network and Stacheldraht. Between February 7 and 11, 2000, DDoS attacks were put into the spotlight when they were launched at a number of high-profile web sites, including Ebay.com, Amazon.com, Yahoo.com and CNN.com. The attacks were effective enough to disrupt the websites' operation for several hours. DDoS attacks work by using a large number of attack hosts to direct a simultaneous attack on a target or targets. A number of master nodes are used to control a larger number of daemon nodes, which launch the attack on the target. The master nodes order all daemon nodes under them to launch the attack, and the daemon nodes then attack the target simultaneously, causing a denial of service. With enough daemon nodes, even a simple web page request will stop the target from serving legitimate user requests.

network attacks
Within our taxonomy, a network attack is one in which network protocols are manipulated to exploit other users or systems. Examples of such attacks include IP spoofing, in which the source IP address is falsified (Heberlein & Bishop, 1996); web/email phishing, in which a legitimate website or email is reproduced by a hacker (Emigh, 2005); session hijacking, in which the theft of a session cookie leads to exploitation of a valid computer session (Xia & Brustoloni, 2004); and cross-site scripting attacks, in which malicious code is injected into web applications (Di Lucca et al., 2004). These attacks are often used in conjunction with other attacks in the taxonomy, such as denial of service attacks. They can also be quite costly: an estimated $1.2 billion was lost to phishing attacks in the year 2003 (Emigh, 2005).

Spoofing
Network spoofing is the process in which an attacker passes themselves off as someone else. There are several ways of spoofing in the standard TCP/IP network protocol stack, including MAC address spoofing at the data-link layer and IP spoofing at the network layer. By spoofing their identity, an attacker can pretend to be a legitimate user or can manipulate existing communications from the victim host.

MAC Address Spoofing
Medium Access Control (MAC) address spoofing is where the hardware address, that is, the MAC address, is changed so that either the attacker's computer is no longer identifiable as theirs, or the MAC address is the same as a victim's MAC address. This can be used by the attacker to pretend to be someone other than themselves and potentially take over the victim's communications with other computers on the network. In Linux, for example, the procedure is simply:

    bash$ ifconfig eth0 down
    bash$ ifconfig eth0 hw ether 00:00:00:00:00:00
    bash$ ifconfig eth0 up

Where 00:00:00:00:00:00 is the new MAC address. In Windows, the procedure is more complicated and involves modifying the registry. MAC address spoofing is only useful to an attacker if their target is on the same subnet as they are. MAC operates at the data-link layer, and so is only used locally. To spoof beyond the local subnet, an attacker must spoof at a higher layer, for example the network layer.

IP SpoofingInternet Protocol (IP) spoofing is similar to MAC address spoofing described above. However, the attacker’s IP address is now spoofed. IP address ranges are often used to determine whether or not a host has access to certain services, so through IP spoofing unauthorized access may be obtained. IP spoofing is often used to inject commands or data into a existing stream of data between the host and other hosts. To completely take over the data stream, the attacker must change the routing tables so that the packets are routed to the spoofed host.

Page 9: Cyber Attack Taxonomy – Glossary - Treadstone 71 Web viewUnder the proposed taxonomy in Chapter 4, ... as in the case of SQL Slammer, ... More advanced techniques include analyzing

Session Hijacking

Session hijacking is the process by which an attacker takes over a session taking place between two victim hosts. The attacker essentially cuts in and takes the place of one of the hosts. Session hijacking usually takes place at the TCP layer, and is used to take over sessions of applications such as Telnet and FTP. TCP session hijacking involves the use of IP spoofing, as mentioned above, and TCP sequence number guessing. (The spoofed host is the host whose IP address is spoofed to the victim host's address.) To carry out a successful TCP session hijacking, the attacker will attempt to predict the TCP sequence number that the session being hijacked is up to. Once the sequence number has been identified, the attacker can spoof their IP address to match the host they are cutting out and send a TCP packet with the correct sequence number. The other host will accept the TCP packet, as the sequence number is correct, and will start sending packets to the attacker. The cut-out host will be ignored by the other host, as it will no longer have the correct sequence number. Sequence number prediction is most easily done if the attacker has access to the IP packets passing between the two victim hosts. The attacker simply needs to capture packets and analyze them to determine the sequence number. If the attacker does not have access to the IP packets, then the attacker must guess the sequence number. Sequence numbers are generated in three ways:

1. 64K rule: The initial sequence counter is incremented with a constant value every second, usually 128 000.
2. Time related generation: The counter is increased at regular intervals by a number of time-units.
3. Pseudo-random generation: The counter is increased by a pseudo-random number.

Prediction is easy when the first method is used. The second is significantly harder, while the third is so hard that most attackers would not bother trying to predict the sequence. Once a session has been hijacked, the attacker is able to carry out a wide variety of malicious activities. For example, if a Telnet session has been hijacked, the attacker may be able to access the victim's account.
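The three generation schemes above as toy simulations, together with the kind of predictability self-test a reviewer would run against a generator design before shipping it. This is an added example, not from the glossary; the constants, the jitter model for the time-related scheme and the 64 KB window are assumptions.

```python
# Added example, not from the glossary: toy initial-sequence-number (ISN)
# generators in the three styles listed above, plus a predictability
# self-test. All constants are assumed; these are simulations, not a TCP stack.
import random

MOD = 2 ** 32   # TCP sequence numbers are 32-bit

def fixed_increment(base=1000, step=128_000):
    """'64K rule': the counter grows by a constant amount every second."""
    return lambda t: (base + step * t) % MOD

def time_related(seed=1, base=1000, units_per_second=250_000, jitter=100_000):
    """Time-related: grows with a fine clock the observer cannot read exactly,
    modelled here as a constant rate plus random jitter per sample."""
    rng = random.Random(seed)
    return lambda t: (base + units_per_second * t + rng.randint(-jitter, jitter)) % MOD

def pseudo_random(seed=1):
    """Pseudo-random: each connection gets an unrelated 32-bit value."""
    rng = random.Random(seed)
    return lambda t: rng.randrange(MOD)

def extrapolate(isn1, t1, isn2, t2, t3):
    """Fit a line through two observed (time, ISN) points and extend it to t3,
    which is all it takes to follow a constant-increment generator."""
    rate = ((isn2 - isn1) % MOD) / (t2 - t1)
    return int(isn2 + rate * (t3 - t2)) % MOD

def predictability(generator, trials=200, window=65_535, seed=7):
    """Fraction of trials in which the extrapolated guess lands within `window`
    of the real next ISN (roughly: inside a TCP receive window)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        t1 = rng.randint(0, 10_000)
        t2, t3 = t1 + 1, t1 + 2            # observe at t1 and t2, predict t3
        guess = extrapolate(generator(t1), t1, generator(t2), t2, t3)
        actual = generator(t3)
        if min((actual - guess) % MOD, (guess - actual) % MOD) <= window:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    for name, gen in (("64K rule", fixed_increment()),
                      ("time-related", time_related()),
                      ("pseudo-random", pseudo_random())):
        print(f"{name:14s} predicted within the window in {predictability(gen):.0%} of trials")
```

The ordering matches the glossary's ranking: the constant-increment scheme is predicted every time, the jittered time-based scheme only sometimes, and the random scheme essentially never.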

Wireless Network Attacks

Wireless networks, especially those based on the IEEE 802.11x standards, are growing in popularity. However, there are a number of inherent weaknesses in wireless networks that are not an issue in traditional wired networks. Most wireless networks are not configured securely and usually only require MAC address spoofing to gain full access.

Web Application Attacks

Web application attacks are network attacks aimed against web applications; essentially, the application layer of the TCP/IP protocol stack is attacked. Web applications are run through a web browser, but are more than a simple web site. They are usually connected to a database, or at the least have some programs or scripts controlling the web site. An example of a common web application is Internet banking. Web application attacks differ from attacks that target normal applications, as web applications build upon and use network protocols extensively. Described below are a number of ways in which web applications can be attacked.

Cross Site Scripting


Cross Site Scripting involves embedding a script within a web application. Usually it occurs on pages that allow for input, such as a guest book or a web forum. The attacker posts a message that contains an embedded script that serves some malicious purpose. For example, the script may prompt other users browsing that page for a user name and password. Other threats include session and account hijacking, cookie theft, and cookie poisoning.

Parameter Tampering

Parameter tampering is a simple web application attack in which the attacker identifies parameters used to drive a web application and modifies a URL header to manipulate the parameters. On a poorly designed site, parameter tampering could be used to maliciously modify stored data. To prevent a parameter tampering attack, parameters should be checked carefully by the web application before processing them.

Cookie Poisoning

Today cookie poisoning is not a large threat, as cookies are usually encrypted. However, it still remains a common form of attack. Cookie poisoning involves modifying a cookie so that the web application is deceived into giving away sensitive data. It is usually used to steal the identity of a user, so that the web application treats the attacker as the victim. Thus, the attacker can access the web application as the victim, and can then gain, damage or delete confidential information.

Database Attacks

Database attacks are web application attacks aimed at accessing the underlying database that drives the web application. The most common form of this type of attack is SQL injection. SQL injection involves submitting a request to the web application with SQL commands appended in a way that the web application passes them on to the database to be processed. For example, suppose the script running the website used the following query (written in PHP):

    $result = mysql_query("SELECT * FROM some_table WHERE login='$user' and password='$password'");

If the attacker enters a valid user name in the user name field and in the password field enters:

    password' or 'x'='x

then the query becomes:

    SELECT * FROM some_table WHERE login='username' and password='password' or 'x'='x'

Thus, the password has effectively been made useless, and the attacker can log on to the database as any legitimate user without having to know their passwords.
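The same login query built two ways, as an added example that is not the glossary's PHP: spliced from strings as above, and with placeholders so the driver treats the input as data. Python's sqlite3 stands in for PHP and MySQL here, and the table and rows are constructed.

```python
# Added example, not from the glossary: the login query built by string
# splicing (vulnerable) and with placeholders (safe), against a constructed
# in-memory SQLite table that stands in for the web application's database.
import sqlite3

INJECTED = "password' or 'x'='x"   # the password-field input from the text

def make_db() -> sqlite3.Connection:
    """Constructed sample table; plaintext passwords only to mirror the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO some_table VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, user: str, password: str):
    """Mirrors the glossary's query: user input becomes part of the SQL text,
    so the quote in INJECTED closes the literal and appends 'or' logic."""
    sql = (f"SELECT * FROM some_table WHERE login='{user}' "
           f"and password='{password}'")
    return conn.execute(sql).fetchall()

def login_safe(conn, user: str, password: str):
    """Placeholders: the driver sends the values separately from the SQL,
    so the quote and the 'or' are compared as password characters only."""
    sql = "SELECT * FROM some_table WHERE login=? and password=?"
    return conn.execute(sql, (user, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, "alice", INJECTED))
    print("safe, injected:      ", login_safe(db, "alice", INJECTED))
```

With the injected input the spliced query returns every row (the `or 'x'='x'` is true for all of them), while the parameterised query returns nothing because no stored password equals that string.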

Hidden Field Manipulation

Hidden field manipulation is a very simple way of attacking a web application. The attacker downloads an HTML page and modifies hidden fields contained in the page. The attacker then reposts the page to the server. Hidden fields may contain important information such as session IDs and user data. Some hidden fields may even contain information such as prices for products being sold through the web applications, so it is possible for an attacker to change prices so that they can buy or sell products at a price that benefits the attacker.
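Two defences that cover the parameter tampering, cookie poisoning and hidden field cases above, as an added example that is not from the glossary: the server's own catalogue, not the form, decides the price, and any value that must round-trip through the client (a session ID in a hidden field or cookie) carries an HMAC so that edits are detected. The key, catalogue and form fields are constructed.

```python
# Added example, not from the glossary: server-side price authority plus
# HMAC-protected round-trip fields. Key and catalogue are constructed.
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-key-replace-me"   # placeholder, not a real key
CATALOGUE = {"sku-100": 2500, "sku-200": 999}        # server-side prices, in cents

def _tag(value: str) -> str:
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()

def sign_field(value: str) -> str:
    """Emit 'value.tag' for a hidden field or cookie the client must return."""
    return f"{value}.{_tag(value)}"

def verify_field(signed: str):
    """Return the value if its tag verifies, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    return value if hmac.compare_digest(tag, _tag(value)) else None

def checkout(form: dict) -> dict:
    """Handle a posted order. The client-supplied 'price' is never trusted;
    the session field must verify and the sku must exist in the catalogue."""
    session = verify_field(form.get("session", ""))
    if session is None:
        return {"ok": False, "reason": "session field missing or tampered"}
    sku = form.get("sku")
    if sku not in CATALOGUE:
        return {"ok": False, "reason": "unknown sku"}
    price = CATALOGUE[sku]
    note = None
    submitted = form.get("price")
    if submitted is not None and str(submitted) != str(price):
        note = "client price ignored"   # worth logging: likely tampering
    return {"ok": True, "session": session, "sku": sku, "price": price, "note": note}

if __name__ == "__main__":
    field = sign_field("sess-42")
    print(checkout({"session": field, "sku": "sku-100", "price": "1"}))
    print(checkout({"session": "sess-42.forged", "sku": "sku-100"}))
```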

physical attacks


Some of the most frightening cyber attacks are physical in nature, such as those using electromagnetic radiation waves to disrupt or damage the electrical parts of a system or decode its signals. A high-energy radio frequency (HERF) gun blasts a high-power electromagnetic pulse capable of physically destroying a computer's motherboard and other components (Schwartau, 1996). Similar to this but even stronger is the electromagnetic pulse transformer (EMP/T) bomb, which can generate a thousand times the damage of HERF (Schwartau, 1996). Using a different mechanism, in a Van Eck attack the electromagnetic signals of a computer can be hacked to reveal the signal's data content, using equipment costing as little as $15 (Van Eck, 1985). The US government's TEMPEST component standards are designed to mitigate the risk of all these kinds of attacks, but they do not eliminate the problem (Russell & Gangemi, 1991).

Basic Attacks

Basic physical attacks on computers and networks can be done by almost anyone. They simply involve using low technological means to cause damage or disruption to a computer or network. There are many different ways an attack could be carried out in this way, for example: cutting a network cable; damaging a computer by hitting it; or using explosives to destroy or disrupt a computer or network. Because of the nature of these attacks, they are very simple to carry out. However, attacks such as these are not at all subtle, and if someone carried out such an attack it would be hard for them to remain anonymous.

Energy Weapon Attacks

There are currently three main types of energy weapon attacks that can be used to attack computers and networks: high and low energy radio frequency (HERF and LERF) attacks and electro-magnetic pulse (EMP) attacks. While these attacks are more general attacks in that they target the electronics, they are devastating when used against computers and network devices.

HERF weapons focus high energy radio frequency (RF) on a narrow frequency spectrum. HERF can be used quite accurately due to the narrow frequency spectrum. The damage caused by HERF weapons is due to the concentration of energy on electronic components. LERF weapons, on the other hand, use a wide frequency spectrum, but with low energy RF. LERF is effective due to the wide frequency range, as it is likely that the frequencies will match the resonance frequencies of the target's electronic components. The Electromagnetic Pulse (EMP) effect was first discovered when the United States was testing high altitude air burst nuclear weapons. The nuclear blast created a very powerful, but short, electromagnetic pulse. When electronic components are exposed to such a pulse, the pulse may create a short transient voltage. The voltage produced can be enough to render the electronic components useless. Nuclear explosions are not the only way to produce an EMP as explained in. EMP bombs can be produced to achieve similar results to a nuclear explosion's EMP.

Van Eck Attacks

The Van Eck effect was popularized by Wim Van Eck in a paper published in 1985. Before the paper was published, it was thought that reconstructing electromagnetic radiation was very difficult and would require expensive equipment and highly trained professionals. Van Eck showed that it was possible to use a television equipped with an extended antenna and two oscillators to reconstruct the signal from a computer monitor. This showed that it was possible for anyone with some electronics knowledge to build such a device and use it to obtain data from a wide range of electronics. By using the Van Eck effect, an attacker can gain sensitive information from the target computer; this is often referred to as a TEMPEST attack. However, the attacker can gain much more, as a recent paper showed. By using optical emanations, the attacker can potentially gain access to data flowing through network equipment.

password attacks/user compromise

Password attacks have the objective of gaining control of a particular system or user's account. There are three basic kinds of such attacks: guessing, based on knowledge of the user's personal details; dictionary attacks, which loop through a list of dictionary words and try to find a match; and brute force attacks, which loop through sequences of random characters. In a recent study of MySpace passwords, fully 4% consisted of dictionary words, and another 12% were a word followed by a single number (Evers, 2006). In a user compromise attack, the implementation of a system or program is exploited to gain access to sensitive information, such as credit card numbers. Hackers Ian Goldberg and David Wagner found such a problem in the random number generator used for secure sockets layer (SSL) transactions in Netscape 1.1, allowing for easy decoding of encrypted communications (Goldberg & Wagner, 1996).

Password Guessing/Dictionary Attack

Password guessing is the simplest of password attacks. It simply involves the attacker attempting to guess the password. This method succeeds more often than would be expected, as many users are predictable in their password choice. Passwords such as names of family members or pets are common. Often the attacker will use a form of social engineering to gain clues as to what the password is. A dictionary attack is similar, but is a more automated attack. The attacker uses a dictionary of words containing possible passwords and uses a tool to see if any are the required password. Passwords that are English words, such as "elephant", will be very quickly discovered with this form of attack.

Brute Force

Brute force attacks work by calculating every possible combination that could make up a password and testing it to see if it is the correct password. Brute force attacks on passwords are guaranteed to succeed. The only question is how long the brute force attack will take to find the correct password. As the password's length increases, the amount of time, on average, to find the correct password increases exponentially. This means short passwords can usually be discovered quite quickly, but longer passwords may take decades.
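An added example, not from the glossary, that classifies candidate passwords into the three attack classes described above (dictionary word, word followed by a single number, brute force only) and estimates the exhaustive-search time behind the "increases exponentially" claim; the word list and guess rate are constructed assumptions.

```python
# Added example, not from the glossary: classify candidate passwords into the
# attack classes above and estimate exhaustive-search time. The word list and
# guess rate are constructed assumptions, not measured values.
import re
import string

DICTIONARY = {"elephant", "password", "dragon", "summer", "letmein"}  # toy list

def classify(pw: str) -> str:
    """Which attack class finds pw first: dictionary, word+digit, or brute force."""
    low = pw.lower()
    if low in DICTIONARY:
        return "dictionary word"
    m = re.fullmatch(r"([a-z]+)\d", low)
    if m and m.group(1) in DICTIONARY:
        return "word followed by a single number"
    return "brute force only"

def alphabet_size(pw: str) -> int:
    """Size of the smallest character-class alphabet that contains pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size

def brute_force_seconds(pw: str, guesses_per_second: float = 1e9) -> float:
    """Average time to reach pw when every string up to its length over its
    alphabet is tried; on average half the keyspace is searched first."""
    n = alphabet_size(pw)
    keyspace = sum(n ** k for k in range(1, len(pw) + 1))
    return keyspace / 2 / guesses_per_second

if __name__ == "__main__":
    for pw in ("elephant", "Summer7", "xK9#q2Lp", "xK9#q2LpW4!e"):
        print(f"{pw:14s} {classify(pw):34s} {brute_force_seconds(pw):.3g} s")
```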

Exploiting the Implementation

Exploiting the implementation involves examining the programs that provide the password protection and finding flaws. If the flaw is significant enough it is possible to circumvent the password protection, or to reveal the password. For example, Microsoft Word 6.0.

info gathering/resource misuse

The last category of attacks is not inherently malicious, but is often found as a precursor or component of other attacks. These attacks are used to gather information about the target in an attempt to exploit its defenses and learn more about the system. A mapping exploit is used to gain information on the hosts in a network, including what programs are running and what operating system is used. Security scanning is similar, but involves testing the host for known vulnerabilities in the hardware or software it is using. A packet sniffer is designed to intercept and log traffic on a network, which can potentially be decoded later (Hansman, 2003). Worms such as Sasser, Slammer, and Code Red also use scanning as a method of determining vulnerable hosts to compromise (Kikuchi et al., 2008).

Sniffing

Packet sniffers are a simple but invaluable tool for anyone wishing to gather information about a network or computer. For the attacker, packet sniffers provide a way to glean information about the host or person they wish to attack, and even gain access to unauthorized information. Traditional packet sniffers work by putting the attacker's Ethernet card into promiscuous mode. An Ethernet card in promiscuous mode accepts all traffic from the network, even when a packet is not addressed to it. This means the attacker can gain access to any packet traversing the network they are on. By gathering enough of the right packets the attacker can gain information such as login names and passwords. Other information can also be gathered, such as MAC and IP addresses and what services and operating systems are being run on specific hosts. This form of attack is very passive: the attacker is not sending any packets out, they are only listening to packets on the network.

Mapping

Mapping is used to gather information about hosts on a network. Information such as what hosts are online, what services are running and what operating system a host is using can all be gathered via mapping. Thus potential targets and the layout of the network are identified. Host detection is achieved through a variety of methods. Simple ICMP queries can be used to determine if a host is on-line. TCP SYN messages can be used to determine whether or not a port on a host is open and thus whether or not the host is on-line. After detecting that a host is on-line, mapping tools can be used to determine what operating system and what services are running on the host. There is a wide range of techniques that can be used. Simply examining the service banners may reveal the operating system. More advanced techniques include analyzing the network protocol stack used by the operating system. Running services are usually identified by attempting to connect to a host's ports. Port scanners are programs that an attacker can use to automate this process. Basic port scanners work by connecting to every TCP port on a host and reporting back which ports were open. More sophisticated port scanners, such as Nmap, use additional techniques to avoid detection and to gain more information. Mapping identifies potential targets, such as a version 6.0 IIS web server, but specific vulnerabilities that could be exploited are not identified. Either the attacker has to choose an attack using the information gathered, or more information needs to be gathered through security scanning.

Security Scanning

Security scanning is similar to mapping, but is more active and more information is gathered. Security scanning involves testing a host for known vulnerabilities or weaknesses that could be exploited by the attacker. For example, a security scanning tool may be able to tell the attacker that port 80 of the target is running an HTTP server, with a specific vulnerability. Security scanning is more easily detected than mapping, as attack patterns testing the vulnerabilities can usually be detected by intrusion detection systems.
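Detection logic for the mapping and port-scanning pattern described above, as an added example that is not from the glossary: one source sending SYN probes to many distinct ports on one host inside a short window is flagged, while a client that reconnects to the same service is not. The record format, thresholds and log lines are constructed assumptions.

```python
# Added example, not from the glossary: a sliding-window port-scan detector
# run over constructed connection records ("timestamp src dst:port flags").
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = (  # constructed, not captured traffic
    # a scanner walking ports 20..31 on one host, one port per second
    [f"2024-01-01T10:00:{i:02d} 198.51.100.9 10.0.0.5:{20 + i} S" for i in range(12)]
    # a normal client reconnecting to HTTPS every five seconds
    + [f"2024-01-01T10:00:{i:02d} 10.0.0.7 10.0.0.5:443 S" for i in range(0, 50, 5)]
    + ["2024-01-01T10:00:30 10.0.0.7 10.0.0.5:80 S",
       # the scanner again, but five minutes later: outside the window
       "2024-01-01T10:05:00 198.51.100.9 10.0.0.5:8080 S"]
)

def parse(line: str):
    """Split one record into (timestamp, src, dst, port, flags)."""
    ts, src, dst_port, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), flags

def detect_scans(lines, window_seconds=60, port_threshold=10):
    """Return {(src, dst): ports} for pairs where one source touched at least
    port_threshold distinct ports on one destination within window_seconds.
    The ports reported are those of the first window that crossed the threshold."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port, flags = parse(line)
        if "S" in flags:               # SYN probes are what a basic scanner sends
            events[(src, dst)].append((ts, port))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1             # slide the window forward
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts[key] = sorted(ports)
                break
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, ports {ports}")
```

Security scanning, as the text notes, is noisier still: the probes carry exploit patterns rather than bare SYNs, so signature-based IDS rules can catch it even below this port-count threshold.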

Blended Attacks


While blended attacks are not a new development, they have recently become popular with attacks such as Code Red and Nimda. Blended attacks are attacks that contain multiple threats, for example multiple means of propagation or multiple attack payloads. Many of the attacks mentioned previously herein can be considered as blended. The first instance of a blended attack occurred in 1988 with the first Internet worm: the Morris Worm. The Morris Worm attacked and propagated through multiple vulnerabilities in Unix based systems. Newer attacks such as Code Red and Nimda work in a similar way by exploiting multiple vulnerabilities and by launching multiple attacks.

Code Red is the most famous blended attack. It was the first of the new wave of blended attacks and it came as a surprise to the security industry. Code Red was also the first worm to spread through memory rather than through file uploads. Microsoft’s Internet Information Services (IIS) web server was Code Red’s target. IIS versions from 4.0 to 6.0b all contained a buffer overflow vulnerability in the Indexing Service DLL of IIS. Code Red spread by using a buffer overflow to compromise susceptible hosts and once a host was infected, Code Red would do the following, depending on which day of the month it was:

Day 1 - 19: Code Red would try to spread by attempting to connect to vulnerable hosts.

Day 20 - 27: A denial of service attack would be launched against a fixed IP address.

Day 28 - end of month: No activity.

Code Red is a blended attack as it is a worm that utilizes a buffer overflow attack and launches a denial of service attack. Blended attacks have become one of the leading security threats and will no doubt continue to be a significant problem in the future. While blended attacks have existed for some time, a new wave of highly damaging attacks started with the release of Code Red. The Internet is especially susceptible to blended threats, as was shown by the recent SQL Slammer attack, in which the Internet suffered a significant loss of performance.

Dimensions of the Attack – After the fact

Damage: A damage dimension would attempt to measure the amount of damage that the attack does. Attacks have different degrees of damage. An attack such as the recent SoBig virus caused more damage than a simple virus such as the Infector virus.

Cost: Cleaning up after an attack costs money. In some cases billions of dollars are spent on attack recovery.

Propagation: This category applies more to replicating attacks. The propagation of an attack is the speed at which it reproduces or spreads. For attacks such as worms and viruses, a dimension covering this aspect would be useful.

Defense: The methods by which an attack has been defended against could be made into a further defense dimension.

Analysis


Before examining the requirements that the taxonomy is supposed to meet, a brief analysis of the classification process is given. In general, it was found that the taxonomy worked well and that most attacks were easily classified (given the appropriate information). However, a number of issues were identified:

Blended Attacks: While the taxonomy deals with blended attacks well, some blended attacks (especially Nimda) were hard to classify. This was due to the complexity of the attacks as they contained multiple sub-attacks.

Targets: The second (target) dimension overall worked well. However, in some cases it was hard to determine what the target was. For example, a worm like Nimda attacks specific versions of Internet Explorer (IE), but email clients were affected the most, as many email clients use IE to view HTML emails. However, attacks must be made specific, that is, it is the specific versions of IE that are being attacked and not the email clients.

Blended Sub-Attacks: One problem occurred when classifying the Melissa attack. The Melissa attack contains a macro virus payload in a Microsoft Word document. The document is a trojan in the sense that it appears to be benign. The taxonomy was unable to account for both the payload being a virus and a trojan. However, the main feature of the payload is that it is a virus, therefore Melissa was categorized in the fourth dimension as a macro virus.

Ranges: Ranges of classifications, especially in the second (target) dimension, could be handled better. Ranges such as DOS versions 2.4 to 4.1 require every DOS version in the range to be added to the classification.

Requirements: One problem that the taxonomy cannot handle fully is when an attack requires a combination of targets to be successful. For example, an attack may require that a certain operating system run a certain service. If the service and operating system are not in the certain combination, then the attack fails. Thus, there is a relationship between the two targets. This relationship is currently not accounted for, so in the above situation, each target will simply be listed in the second dimension. The same problem exists for the third (vulnerabilities) dimension.

Level of Automation and Rate

During the attack preparation, the attacker needs to locate prospective agent machines and infect them with the attack code. Based on the degree of automation of the attack, we differentiate between manual, semi-automatic and automatic DDoS attacks.

Manual Attacks

Only the early DDoS attacks belonged to the manual category. The attacker scanned remote machines for vulnerabilities, broke into them and installed the attack code, and then commanded the onset of the attack. All of these actions were soon automated, leading to the development of semi-automatic DDoS attacks, the category where most contemporary attacks belong.

Semi-Automatic Attacks

In semi-automatic attacks, the DDoS network consists of handler (master) and agent (slave, daemon) machines. The attacker deploys automated scripts for scanning and compromise of those machines and installation of the attack code. He then uses handler machines to specify the attack type and the victim's address and to command the onset of the attack to agents, who send packets to the victim. Based on the communication mechanism deployed between agent and handler machines we divide semi-automatic attacks into attacks with direct communication and attacks with indirect communication.

Attacks with direct communication

During attacks with direct communication, the agent and handler machines need to know each other's identity in order to communicate. This is achieved by hard-coding the IP address of the handler machines in the attack code that is later installed on the agent. Each agent then reports its readiness to the handlers, who store its IP address in a file for later communication. The obvious drawback of this approach is that discovery of one compromised machine can expose the whole DDoS network. Also, since agents and handlers listen to network connections, they are identifiable by network scanners.

Attacks with indirect communication deploy a level of indirection to increase the survivability of a DDoS network. Recent attacks provide the example of using IRC channels for agent/handler communication. The use of IRC services replaces the function of a handler, since the IRC channel offers sufficient anonymity to the attacker. Since DDoS agents establish outbound connections to a standard service port used by a legitimate network service, agent communications to the control point may not be easily differentiated from legitimate network traffic. The agents do not incorporate a listening port that is easily detectable with network scanners. An attacker controls the agents using IRC communications channels. Thus, discovery of a single agent may lead no further than the identification of one or more IRC servers and channel names used by the DDoS network. From there, identification of the DDoS network depends on the ability to track agents currently connected to the IRC server. Although the IRC service is the only current example of indirect communication, there is nothing to prevent attackers from subverting other legitimate services for similar purposes.

Automatic Attacks

Automatic DDoS attacks additionally automate the attack phase, thus avoiding the need for communication between attacker and agent machines. The time of the onset of the attack, attack type, duration and victim's address are preprogrammed in the attack code. It is obvious that such deployment mechanisms offer minimal exposure to the attacker, since he is only involved in issuing a single command – the start of the attack script. The hardcoded attack specification suggests a single-purpose use of the DDoS network. However, the propagation mechanisms usually leave the backdoor to the compromised


References

1. R. Barber. Hackers profiled: who are they and what are their motivations? Computer Fraud and Security, 2(1):14-17, 2001.

2. D. Bell and L. La Padula. Secure computer system: unified exposition and multics interpretation. Technical Report MTR-2997, MITRE Corporation, 1976. Accessed at http://csrc.nist.gov/publications/history/bell76.pdf.

3. L. Bridwell. ICSA labs 10th annual computer virus prevalence survey. Technical Report, ICSA Labs, 2005. Accessed at http://www.icsa.net/icsa/docs/html/library/whitepapers/VPS2004.pdf.

4. N. Chantler. Profile of a Computer Hacker. Infowar, 1996.

5. S. Chapa and R. Craig. The anatomy of cracking. Online Publication, University of Texas, 1996. Accessed at http://www.actlab.utexas.edu/~aviva/compsec/cracker/crakhome.html.

6. T. Chen and J. Robert. Worm epidemics in high-speed networks. Computer, 37(6):48-53, 2004. Accessed at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1306386.

7. M. Collins, C. Gates, and G. Kataria. A model for opportunistic network exploits: the case of P2P worms. In Proceedings of the Fifth Workshop on the Economics of Information Security, Cambridge, England, 2006. Accessed at http://weis2006.econinfosec.org/docs/30.pdf.

8. D. Denning. Activism, hacktivism, and cyberterrorism: the internet as a tool for influencing foreign policy. Chapter 8 of Networks and Netwars: the Future of Terror, Crime, and Militancy, Rand Monograph MR-1382, 2001. Accessed at http://www.rand.org/pubs/monograph_reports/MR1382/index.html.

9. G. Di Lucca, A. Fasolino, M. Mastoanni, and P. Tramontana. Identifying cross-site scripting vulnerabilities in web applications. In Proceedings of the Sixth International IEEE Workshop on Website Evolution, pages 71-80, Benevento, Italy, 2004. Accessed at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1410997.

10. S. Eltringham (editor), Computer Crime and Intellectual Property Section, US Department of Justice. Prosecuting Computer Crimes. Office of Legal Education Executive Office for US Attorneys, 2007. Accessed at http://www.usdoj.gov/criminal/cybercrime/ccmanual/index.html.

11. A. Emigh. Online identity theft: phishing technology, chokepoints, and countermeasures. Technical Report, Infosec Technology Transition Council, Department of Homeland Security, 2005. Accessed at http://www.cyber.st.dhs.gov/docs/phishing-dhs-report.pdf.

12. J. Evers. Report: net users picking safer passwords. ZDNet News, December 16, 2006. Accessed at http://news.zdnet.com/2100-1009_22-150640.html.

13. C. Fötinger and W. Ziegler. Understanding a hacker's mind: a psychological insight into the hijacking of identities. Technical Report, Danube University, Krems, Austria, 2004. Accessed at http://www.safetybelt.at/download/danubeuniversityhackersstudy.pdf.

14. L. Garber. Denial-of-service attacks rip the internet. Computer, 33(4):12-17, 2000. Accessed at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=839316.

15. M. Gelles, D. Brant, and B. Geffert. Building a secure workforce: guard against insider threat. Technical Report, Deloitte Federal Consulting Services, 2008. Accessed at http://www.deloitte.com/dtt/article/0,1002,cid%253D226369,00.html.


16. J. Glave. Cracking the mind of a hacker. WIRED Magazine, January 20, 1999. Accessed at http://www.wired.com/science/discoveries/news/1999/01/17427.

17. I. Goldberg and D. Wagner. Randomness and the Netscape browser. Dr. Dobb’s Journal, January 2006. Accessed at http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html.

18. S. Gordon. Virus writers: the end of the innocence? In Proceedings of the 10th International Virus Bulletin Conference, Orlando, FL, 2000. Virus Bulletin.

19. S. Gordon. Understanding the adversary: virus writers and beyond. IEEE Security and Privacy, September 2006, 67-70.

20. T. Gorman. The cracker cracks up? Phrack Magazine, December 21, 1986. Accessed at http://www.phrack.com/issues.html?issue=11&id=11.

21. Government Accountability Office (GAO). Cybercrime: public and private entities face challenges in addressing cyber threats. Technical Report GAO-07-705, US Government Accountability Office, 2007. Accessed at http://www.gao.gov/products/GAO-07-705.

22. S. Hansman. A taxonomy of network and computer attack methodologies. Master's Thesis, University of Canterbury, New Zealand, 2003. Accessed at http://nzcsrsc08.canterbury.ac.nz/research/reports/HonsReps/2003/hons_0306.pdf.

23. S. Hansman and R. Hunt. A taxonomy of network and computer attacks. Computers and Security, 21:31-43, 2005. Accessed at http://linkinghub.elsevier.com/retrieve/pii/S0167404804001804.

24. L. Heberlein and M. Bishop. Attack class: address spoofing. In Proceedings of the National Information Systems Security Conference, pages 371-377, Baltimore, MD, 1996. NIST. Accessed at http://seclab.cs.ucdavis.edu/papers/spoof-paper.pdf.

25. H. Highland. A history of computer viruses- introduction. Computers and Security, 16(5):412-415, 1997. Accessed at http://linkinghub.elsevier.com/retrieve/pii/S0167404897822456.

26. R. Hollinger. Computer hackers follow a Guttman-like progression. Sociology and Social Research, 72:199-200, 1988. Accessed at http://www.phrack.com/issues.html?issue=22&id=7.

27. J. Howard. An analysis of security incidents on the internet, 1989-1995. Ph.D. Thesis, Carnegie Mellon University, 1997. Accessed at http://www.cert.org/archive/pdf/JHThesis.pdf.

28. J. Howard and T. Longstaff. A common language for computer security incidents. Technical Report SAND98-8667, Sandia National Laboratories, 1998. Accessed at http://www.cert.org/research/taxonomy_988667.pdf.

29. Internet Crime Complaint Center. 2008 Internet crime complaint report. Technical Report, Internet Crime Complaint Center, 2008. Accessed at http://www.ic3.gov/media/annualreports.aspx.

30. R. Jennings. A (partial) spammer taxonomy. Computer World, June 21, 2007. Accessed at http://blogs.computerworld.com/node/5720.

31. G. Jones. The 10 most destructive PC viruses of all time. VARBusiness Magazine, July 7, 2006. Accessed at http://www.crn.com/it-channel/190301109.

32. S. Keats. Mapping the mal web, revisited. Technical Report, McAfee Inc., 2008. Accessed at http://www.siteadvisor.com/studies/map_malweb_jun2008.pdf.

33. B. Kehoe. Zen and the Art of the Internet: a Beginner's Guide. Prentice Hall, 1992. Accessed at http://www-rohan.sdsu.edu/doc/zen/zen-1.0_toc.html.

34. H. Kikuchi, M. Terada, N. Fukuno, and N. Doi. Estimation of increase of scanners based on ISDAS distributed sensors. Journal of Information Processing, 16:100-109, 2008. Accessed at http://www.jstage.jst.go.jp/article/ipsjjip/16/0/16_100/_article.

35. M. Kjaerland. A classification of computer security incidents based on reported attack data. Journal of Investigative Psychology and Offender Profiling, 2:105-120, 2005. Accessed at http://doi.wiley.com/10.1002/jip.31.

36. M. Kjaerland. A taxonomy and comparison of computer security incidents from the commercial and government sectors. Computers and Security, 25:522-538, 2006. Accessed at http://linkinghub.elsevier.com/retrieve/pii/S0167404806001234.

37. E. Kowalski, D. Cappelli, and A. Moore. Insider threat study: illicit cyber activity in the information technology and telecommunications sector. Technical Report, National Threat Assessment Center, United States Secret Service, 2008. Accessed at http://www.secretservice.gov/ntac.shtml.

38. M. Landler and J. Markoff. Digital fears emerge after data siege in Estonia. The New York Times, May 29, 2007. Accessed at http://www.nytimes.com/2007/05/29/technology/29estonia.html.

39. B. Landreth. Out of the Inner Circle: a Hacker’s Guide to Computer Security. Microsoft Press, 1985.

40. C. Landwehr. Formal models for computer security. ACM Computing Surveys, 13(3):247-278, 1981. Accessed at http://portal.acm.org/citation.cfm?id=356852.

41. C. Landwehr, A. Bull, J. McDermott, and W. Choi. A taxonomy of computer program security flaws, with examples. ACM Computing Surveys, 26(3):211-254, 1994. Accessed at http://chacs.nrl.navy.mil/publications/CHACS/1994/1994landwehr-acmcs.pdf.

42. L. Lawson. You say cracker; I say hacker: a hacking lexicon. Tech Republic, April 13, 2001. Accessed at http://articles.techrepublic.com.com/5100-10878_11-1041788.html.

43. E. Levy (under alias Aleph One). Smashing the stack for fun and profit. Phrack Magazine, November 8, 1996. Accessed at http://www.cs.wright.edu/people/faculty/tkprasad/courses/cs781/alephOne.html.

44. E. Levy. The making of a spam zombie army: dissecting the Sobig worms. IEEE Security and Privacy, 1(4):58-59, 2003. Accessed at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1219071.

45. H. Lipson. Tracking and tracing cyber attacks: technical challenges and global policy issues. Technical Report CMU/SEI-2002-SR-009, Carnegie Mellon University, 2002. Accessed at http://www.sei.cmu.edu/pub/documents/02.reports/pdf/02sr009.pdf.

46. D. Lough. A taxonomy of computer attacks with applications to wireless networks. Ph.D. Thesis, Virginia Polytechnic Institute, 2001. Accessed at http://scholar.lib.vt.edu/theses/available/etd-04252001-234145/.

47. J. Markoff. Before the gunfire, cyberattacks. New York Times, August 12, 2008. Accessed at http://www.nytimes.com/2008/08/13/technology/13cyber.html.

48. K. Mitnick. The Art of Deception: Controlling the Human Element of Security. Wiley, 2002.

49. J. Murphy, P. Elmer-Dewitt, and M. Krance. The 414 gang strikes again. TIME Magazine, August 29, 1983. Accessed at http://www.time.com/time/magazine/article/0,9171,949797,00.html.

50. G. Popek and C. Kline. A verifiable protection system. ACM SIGPLAN Notices, 10(6):294-304, 1975. Accessed at http://portal.acm.org/citation.cfm?id=390016.808451.

51. J. Post. The dangerous information systems insider: psychological perspectives. Technical Report, George Washington University, 1998. Retrieved from an archive of http://www.infowar.com.

52. R. Rantala. Bureau of Justice Statistics special report: Cybercrime against businesses, 2005. Technical Report NCJ 221943, US Department of Justice, 2008. Accessed at http://www.ojp.usdoj.gov/bjs/abstract/cb05.htm.

53. E. Raymond. The Art of Unix Programming. Addison-Wesley Professional Computing Series, 2003. Accessed at http://www.faqs.org/docs/artu/.

54. R. Richardson. 2008 CSI computer crime and security survey. Technical Report, Computer Security Institute, 2008. Accessed at http://www.gocsi.com/forms/csi_survey.jhtml.

55. M. Rogers. A new hacker taxonomy. Technical Report, University of Manitoba, 1999. Accessed at http://homes.cerias.purdue.edu/~mkr/hacker.doc.

56. M. Rogers. Psychological theories of crime and hacking. Technical Report, University of Manitoba, 2000. Accessed at http://homes.cerias.purdue.edu/~mkr/crime.doc.

57. M. Rogers. A social learning theory and moral disengagement analysis of criminal computer behavior: an exploratory study. Ph.D. Thesis, University of Manitoba, 2001. Accessed at http://homes.cerias.purdue.edu/~mkr/cybercrime-thesis.pdf.

58. M. Rogers. A two-dimensional circumplex approach to the development of a hacker taxonomy. Digital Investigation, 3:97-102, 2006.

59. D. Russell and G. Gangemi. Computer Security Basics. O'Reilly, 1991.

60. J. Rutkowska. Introducing stealth malware taxonomy. Technical Report, COSEINC Advanced Malware Labs, 2006. Accessed at http://www.invisiblethings.org/papers/malware-taxonomy.pdf.

61. W. Scherlis. DARPA establishes computer response team. Press Release, Defense Advanced Research Projects Agency (DARPA), 1988. Accessed at http://www.cert.org/about/1988press-rel.html.

62. W. Schwartau. Information Warfare: Cyberterrorism: Protecting Your Security in the Electronic Age. Thunder's Mouth Press, 1996. Accessed at http://www.winnschwartau.com/resources/IW1.pdf.

63. E. Shaw, K. Ruby, and J. Post. The insider threat to information systems: the psychology of the dangerous insider. Security Awareness Bulletin, 2:1-10, 1998. Accessed at http://www.pol-psych.com/sab.pdf.

64. A. Smith and W. Rupp. Issues in cybersecurity: understanding the potential risks associated with hackers/crackers. Information Management and Computer Security, 10(4):178-183, 2002. Accessed at http://www.emeraldinsight.com/Insight/viewContentItem.do?contentType=Article&contentId=862828.

65. M. Soper. Digital picture frames: now with free malware! MaximumPC Magazine, February 16, 2008. Accessed at http://www.maximumpc.com/article/digital_picture_frames_now_with_free_malware.

66. S. Specht and R. Lee. Distributed denial of service: taxonomies of attacks, tools, and countermeasures. In Proceedings of the 17th International Conference on Parallel and Distributed Computing and Systems, pages 543-550, Cambridge, MA, 2004. ACTA Press. Accessed at http://palms.ee.princeton.edu/PALMSopen/DDoS%20Final%20PDCS%20Paper.pdf.

67. S. Steele and C. Wargo. An introduction to insider threat management. Information Systems Security, 16(1):23-33, 2007. Accessed at http://www.infolocktech.com/download/ITM_Whitepaper.pdf.

68. B. Sterling. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Bantam Books, 1993. Accessed at http://www.mit.edu/hacker/hacker.html.

69. C. Stoll. Stalking the wily hacker. Communications of the ACM, 31(5):484-497, 1988. Accessed at http://pdf.textfiles.com/academics/wilyhacker.pdf.

70. C. Taylor, J. Alves-Foss, and V. Freeman. An academic perspective on the CNSS standards: a survey. In Proceedings of the 10th Colloquium for Information Systems Security Education, pages 39-46, Adelphi, MD, 2006. Springer. Accessed at http://www.cisse.info/colloquia/cisse10/proceedings10/pdfs/papers/S02P01.pdf.

71. United States Computer Emergency Readiness Team (US-CERT). Quarterly trends and analysis report, Volume 3, Issue 4. Technical Report, US-CERT, 2008. Accessed at http://www.us-cert.gov/reading_room/.

72. W. Van Eck. Electromagnetic radiation from video display units: an eavesdropping risk? Computers and Security, 4:269-286, 1985.

73. L. Walleij. Copyright Does Not Exist. Online Book, 1998. Accessed at http://home.c2i.net/nirgendwo/cdne/.

74. J. Walker. The ANIMAL episode. Technical Report, Fourmilab Switzerland, 1996. Accessed at http://www.fourmilab.ch/documents/univac/animal.html.

75. K. Walter, S. Schaen, W. Ogden, W. Rounds, D. Shumway, D. Schaeffer, K. Biba, F. Bradshaw, S. Ames, and J. Gilligan. Structured specification of a security kernel. ACM SIGPLAN Notices, 10(6):285-293, 1975. Accessed at http://portal.acm.org/citation.cfm?id=390016.808450.

76. N. Weaver, V. Paxson, S. Staniford, and R. Cunningham. A taxonomy of computer worms. In Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM), pages 11-18, Washington, DC, 2003. ACM Press. Accessed at http://www.icir.org/vern/papers/taxonomy.pdf.

77. R. Westervelt. Cybercriminals employ toolkits in rising numbers to steal data. Search Security, September 6, 2007. Accessed at http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1271024,00.html.

78. A. Wood and J. Stankovic. A taxonomy for denial-of-service attacks in wireless sensor networks. Chapter 32 of Handbook of Sensor Networks: Compact Wireless and Wired Sensing Systems, CRC Press, 2004. Accessed at http://www.cs.virginia.edu/~adw5p/pubs/handbook04-dos-preprint.pdf.

79. H. Xia and J. Brustoloni. Detecting and blocking unauthorized access in wi-fi networks. In Proceedings of the Third International IFIP-TC6 Networking Conference, LNCS 3042, Athens, Greece, 2004. Springer. Accessed at http://www.springerlink.com/content/xbq6gt5uypnrabm5/.