Evolution of Hackers, Low-Tech Hacking Methods and Cybersecurity Threats

Evolution of the Term “Hacker”

How has the term “hacker” evolved since the 1950s?

Describe three “low-tech” methods that hackers have used to obtain login names and passwords.

Why is it dangerous to surf the Web using an open Wi-Fi network?

What is the difference between a computer virus and a worm?

What is the relationship between spyware and backdoor Trojans?

What is the difference between spyware and adware?

How are Trojan horses and drive-by downloads similar?

Why is it dangerous for an email program to open attachments automatically, without waiting for the user to select them?

Give two examples of how criminal organizations have used the Internet to make money.

What is a cyber attack? Give two examples of cyber attacks that have taken place outside the United States.

If converting SCADA systems to the Internet Protocol increases the risk of a hacker taking control of an industrial process, why are companies doing just that?

Explain two different ways a vote thief could cast multiple votes in an online election.

Discussion Questions
In a study done in London, people in subway stations were offered a cheap pen in return for disclosing their passwords. About 90 percent offered their passwords in return for the pen [119]. What can be done to get people to take security more seriously?

The default administrator password on many, if not most, home network routers never gets changed, making these computers vulnerable to malware. What would be the advantages and disadvantages of requiring the manufacturers of network routers to create a unique password for every unit they sell?

Email viruses are typically launched by people who modify header information to hide their identity. Brightmail’s Enrique Salem says that in the future, your email reader will authenticate the sender before putting the message in your inbox. That way, you will know the source of all the emails you read. Alan Nugent of Novell says, “I’m kind of a fan of eliminating anonymity if that is the price for security” [120]. Will eliminating anonymity make computers more secure?

Are there conditions under which the release of a worm, virus, or Trojan horse would be morally justifiable?

Consider a small business that is the victim of a cryptographic ransomware attack. The business does not have adequate backup files, and the cost of paying the ransom is much lower than the expected cost of continuing operations without the encrypted files and recreating the necessary records. Discuss the morality of the owner choosing to pay the ransom in order to recover the business’s files.

When his worm program did not perform as expected, Robert Morris Jr. contacted two old friends from Harvard to decide what to do next. One of them, Andy Sudduth, agreed to email an anonymous message apologizing for the worm and describing how to protect computers from it, without disclosing Morris as the creator of the worm [32]. Was this the right thing for Sudduth to do?

Kalamazoo College requires that all computers connected to the campus network be running up-to-date antivirus software. When a student’s computer is discovered to have a virus, its network connection is cut until a staff member can remove the virus. If it turns out that the computer was not running up-to-date antivirus software, the student is fined $100 [121]. Is this a morally justifiable policy?

Adam and Charlene are good friends. Both attend East Dakota State University. One day when Adam is off campus interviewing for a part-time job, someone asks him how many credit hours of computer science courses he has completed. Adam calls Charlene and asks her to access his student records by logging into the campus mainframe as if she were Adam. He provides Charlene with his student identification number and password so that she can do this. Is it wrong for Adam to share this information with Charlene? Is it wrong for Charlene to retrieve this information for Adam?

Carnegie Mellon University, Harvard University, and the Massachusetts Institute of Technology denied admission to more than 100 business school applicants because they took an online peek at the status of their applications. These students learned how to circumvent the program’s security, and they used this knowledge to view their files and see if they had been accepted. Students could see information about their own application, but could not view the status of other students’ applications. In many cases the students learned that no admission decision had yet been made. Do you feel the response of these universities was appropriate?

Millions of American homes are equipped with wireless networks. If the network is not made secure, any nearby computer with a wireless card can use the network. The range of home wireless networks often extends into neighboring homes, particularly in apartment complexes. If your neighbor’s wireless network extends into your home, is it wrong to use that network to get free Internet access?

Is it morally acceptable to use a denial-of-service attack to shut down a Web server that distributes child pornography?

Some would argue that technological development is inevitable. If Butler had not created Firesheep, someone else would have. Every invention can be put to good or bad uses. Therefore, creators of new technologies bear no moral responsibility for their inventions. In contrast, the author argues that people who create a tool making it easier for someone to do something immoral share some moral accountability for the misdeeds done by people using the tool. Which perspective do you find more compelling?

Do you support the actions of Anonymous? Would you consider becoming an Anon?

The United States and Israel cooperated to unleash the Stuxnet worm, which apparently slowed down Iran’s nuclear program by damaging centrifuges processing uranium. Was unleashing the Stuxnet worm morally justifiable?

Do you agree with the author that it is a bad idea for a government to allow online voting from home computers?

In-Class Exercises
The FBI obtained a court order for Apple to produce a version of iOS that would enable the FBI to unlock the cell phone of Syed Rizwan Farook and search its contents. Apple refused to comply with the court order.

Divide the class into small groups of about four students each. Half the groups should come up with reasons why Apple should have complied with the court order. Half the groups should come up with reasons why Apple should have refused to comply with the court order. After the teams have had a reasonable amount of time to come up with their reasons, the teams should share their reasoning.

Debate this proposition: Those who create nondestructive malware are doing the computer industry a favor because the patches created to block them make computers more secure. To use an analogy, each virus has the effect of strengthening the immune systems of the computers it targets.

The University of Calgary offered a senior-level computer science course called “Computer Viruses and Malware.” The course taught students how to write viruses, worms, and Trojan horses. It also discussed the history of computer viruses and taught students how to block attacks. All course assignments were done on a closed computer network isolated from the Internet. Some computer security experts criticized the university for offering the course. One researcher said, “No one argues criminology students should commit a murder to understand how a murderer thinks” [122]. Debate whether the University of Calgary was wrong to offer the course.
Debate this proposition: It is wrong for a company to hire a former malicious hacker as a security consultant.

A distributed denial-of-service attack makes the Web site for a top electronic retailer inaccessible for an entire day. As a result of the attack, nearly a million customers are inconvenienced, and the retailer loses millions of dollars in sales to its competitors. Law enforcement agencies apprehend the person who launched the attack. Should the punishment be determined strictly by considering the crime that was committed, or should the identity of the culprit be taken into account? If the identity of the perpetrator should be taken into account, what punishment do you think would be appropriate if he were:

A teenager who launched the attack out of curiosity

An adult dedicated to fighting the country’s overly materialistic culture

A member of a terrorist organization attempting to harm the national economy

Divide the class into small groups of about four students. Half of the groups should come up with arguments why the United States should work to create an international ban on cyber attacks, analogous to the Chemical Weapons Convention that outlaws the production and use of chemical weapons. The other half of the groups should come up with arguments why the United States should strive to become preeminent in cyber attack technology.

East Dakota has decided to allow its citizens to vote over the Web in the presidential election, if they so desire. Thirty percent of the eligible voters choose to cast their ballots over the Web. The national election is so closely contested that whoever wins the electoral votes of East Dakota will be the next president. After the election, state elections officials report the vote tally and declare candidate X to be the winner.

Two weeks after the inauguration of President X, state officials uncover evidence of massive electoral fraud. Some voters were tricked into connecting to a phony voting site. The organization running the phony site used the credentials provided by the duped voters to connect to the actual voting site and cast a vote for candidate X.

State officials conclude the electoral fraud may have changed the outcome of the election, but they cannot say for sure. They have no evidence that candidate X knew anything about this scheme to increase his vote tally.

Divide the class into groups representing President X, the other presidential candidates, citizens of East Dakota, and citizens of other states to discuss the proper response to this revelation. For guidance, consult Article II, Section 1, along with Amendment XII, of the United States Constitution.

[1] Jerry Hildenbrand. “VPNFilter Malware Has Infected a Million Routers—Here’s What You Need to Know.” Androidcentral (Web site), June 11, 2018.

[2] Steven Levy. Hackers: Heroes of the Computer Revolution. Anchor Press/Doubleday, Garden City, NY, 1984.
[3] G. Malkin and T. LaQuey Parker, editors. “Hacker.” Internet Users’ Glossary, January 1993.

[4] Kevin Granville. “9 Recent Cyberattacks against Big Businesses.” New York Times, February 5, 2015.

[5] Dan Goodin. “Anatomy of a Hack: How Crackers Ransack Passwords Like ‘qeadzwrsfxv1331.’” Ars Technica (Web site), May 27, 2013.

[6] William Cheswick. “Rethinking Passwords.” Communications of the ACM, February 2013.

[7] Mat Honan. “Hacked.” Wired, December 2012.

[8] Marcia Savage. “Mitnick Turns Gamekeeper.”, October 30, 2000.

[9] Michael Arnone. “Hacker Steals Personal Data on Foreign Students at U. of Kansas.” Chronicle of Higher Education, January 24, 2003.

[10] Sara Lipka. “Hacker Breaks into Database for Tracking International Students at UNLV.” Chronicle of Higher Education, March 21, 2005.

[11] Dan Carnevale. “Harvard and MIT Join Carnegie Mellon in Rejecting Applicants Who Broke into Business-School Networks.” Chronicle of Higher Education, March 9, 2005.

[12] John P. Mello Jr. “Sesame Street Hacked, Porn Posted.” PCWorld, October 17, 2011.

[13] Michael S. Schmidt and Richard Péña. “F.B.I. Treating San Bernardino Attack as Terrorism Case.” New York Times, December 4, 2015.

[14] Government’s Motion to Compel Apple Inc. to Comply with This Court’s February 16, 2016 Order Compelling Assistance in Search. US District Court for the Central District of California. February 19, 2016.

[15] Tim Cook. “A Message to Our Customers.” Apple (public statement), February 16, 2016.

[16] “U.S. Says It Has Unlocked iPhone Without Apple.” New York Times, March 28, 2016.

[17] Ellen Nakashima. “Inspector General: FBI Didn’t Fully Explore Whether It Could Hack a Terrorist’s iPhone before Asking Court to Order Apple to Unlock It.” Washington Post, March 28, 2018.

[18] Eric Butler. “Firesheep.” {codebutler} (blog), October 24, 2010.

[19] Bob Brown. “Father of Firesheep Fires Away after Wild Week in WiFi Security.” NetworkWorld, November 2, 2011.

[20] Tom Anderson. “Firesheep in Wolves’ Clothing: Extension Lets You Hack into Twitter, Facebook Accounts Easily.” TechCrunch, October 24, 2010.

[21] Jason Fitzpatrick. “Firesheep Sniffs Out Facebook and Other User Credentials on Wi-Fi Hotspots.” Lifehacker (blog), October 25, 2010.

[22] Gregg Keizer. “How to Protect against Firesheep Attacks.” Computerworld, October 26, 2010.

[23] Sharon Machlis. “How to Hijack Facebook Using Firesheep.” PCWorld, October 30, 2010.

[24] Eric Butler. “Firesheep, a Week Later: Ethics and Legality.” {codebutler} (blog), November 1, 2010.

[25] Alex Rice. “A Continued Commitment to Security.” The Facebook Blog, January 26, 2011.
[26] Paul Ducklin. “Twitter Goes Secure—Say Goodbye to Firesheep with ‘Always use HTTPS’ Option.” nakedsecurity (blog), March 16, 2011.

[27] Jessica Goodman. “Firesheep, What Color Is Your Hat?” FeelingElephant’s Weblog, November 30, 2010.

[28] David Ferbrache. A Pathology of Computer Viruses. Springer-Verlag, London, England, 1992.

[29] Eurostat. “Nearly One Third of Internet Users in the EU27 Caught a Computer Virus; 84% of Internet Users Use IT Security Software for Protection” (news release). February 7, 2011.

[30] “Google Warns TWO MILLION Users Their Computers Have Been Infected with a Virus.” Mail Online, July 21, 2011.

[31] John Brunner. The Shockwave Rider. Harper & Row, New York, NY, 1975.

[32] Katie Hafner and John Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. Simon & Schuster, New York, NY, 1991.

[33] Paul Graham. “The Submarine.” April 2005.

[34] “Worm Turns for Teenager Who Befuddled Microsoft.” Times, London, July 6, 2005.

[35] “Hacker behind Sasser, Netsky Worms Gets Job with German Security Company.” San Jose Mercury News, September 28, 2004.

[36] John Leyden. “Sasser Suspect Walks Free.” Register, July 8, 2005.

[37] Celeste Biever. “Instant Messaging Falls Prey to Worms.” New Scientist, May 14, 2005.

[38] Hanleigh Daniels. “Palevo Is Worming Its Way via IM Spam.” Tech Smart, May 4, 2010.

[39] Ben Nahorney, editor. “The Downadup Codex: A Comprehensive Guide to the Threat’s Mechanics.” Edition 1.0. Symantec Corporation, 2009.

[40] “Virus Strikes 15 Million PCs.” UPI, January 26, 2009.

[41] Patrick Howell O’Neill. “Conficker Worm Still Spreading Despite Being Nearly 10 Years Old.” Cyberscoop (Web site), December 8, 2017.

[42] John Leyden. “Drive-By Download Menace Spreading Fast.” Register, January 23, 2008.

[43] Ryan Naraine. “Drive-By Downloads. The Web under Siege.” Securelist (blog), April 15, 2009.

[44] Steve Sechrist. “State of Security: China’s Trojan Horse.” Display Daily, March 18, 2008.

[45] Roland Dela Paz. “Ransomware Attacks Continue to Spread Across Europe.” Trend Micro, March 8, 2012.

[46] “New Internet Scam: ‘Ransomware’ Locks Computers, Demands Payment.” Federal Bureau of Investigation, August 9, 2012.

[47] Sean Gallagher. “FBI Says Crypto Ransomware Has Raked in > $18 Million for Cybercriminals.” Ars Technica, June 25, 2015.

[48] Webroot. “Spyware Infection Rates Return to Peak 2004 Levels According to Webroot State of Spyware Report.” August 15, 2006.
[49] Scott Berinato. “Attack of the Bots.” Wired, November 2006.

[50] Cybersecurity Unit. “Securing Your ‘Internet of Things’ Devices.” US Department of Justice, July 2017.

[51] Information Solutions Group. “Syntonic 2016 Employer Report: BYOD Usage in the Enterprise,” Syntonic Inc., Summer 2016.

[52] Nate Lord. “The Ultimate Guide to BYOD Security: Overcoming Challenges, Creating Effective Policies, and Mitigating Risks to Maximize Benefits.” Digital Guardian, February 27, 2018.

[53] “S. Korea Probes Cyberattack on Digital Currency Exchange.” Yonhap News Agency, July 3, 2017.

[54] “Ecommerce Sales Topped $1 Trillion for First Time in 2012.” eMarketer, February 5, 2013.

[55] Greg Aaron and Rod Rasmussen. “Global Phishing Survey 2H2014: Trends and Domain Name Use.” APWG Internet Policy Committee, May 27, 2015.

[56] Edward Skoudis. “Evolutionary Trends in Cyberspace.” In Cyberpower and National Security, pp. 163–164, edited by Franklin D. Kramer, Stuart H. Starr, and Larry K. Wentz. Potomac Books, Dulles, Virginia, 2009.

[57] Lorenzo Franceschi-Bicchierai. “How Hackers Broke into John Podesta and Colin Powell’s Gmail Accounts.” Motherboard, October 20, 2016.

[58] Lee Fang and Naomi LaChance. “Colin Powell Urged Hillary Clinton’s Team Not to Scapegoat Him for Her Private Server, Leaked Emails Reveal.” The Interceptor, September 13, 2016.

[59] CERT Coordination Center. “Denial of Service Attacks.” June 4, 2001.

[60] Mike Toner. “Cyberterrorism Danger Lurking.” Atlanta Journal and Constitution, November 2, 2001.

[61] Toni O’Loughlin. “Cyber Terrorism Reaches New Heights.” Australian Financial Review, April 4, 2003.

[62] Sam Thielman and Chris Johnston. “Major Cyber Attack Disrupts Internet Service Across Europe and US.” Guardian, October 21, 2016.

[63] Scott Hilton. “Dyn Analysis Summary of Friday October 21 Attack.” Dyn (public statement), October 26, 2016.

[64] David E. Sanger and Nicole Perlroth. “A New Era of Internet Attacks Powered by Everyday Devices.” New York Times, October 22, 2016.

[65] “Zombie Master Jeanson Ancheta Pleads Guilty.” Spam Daily News, January 23, 2006.
[66] “Zombie Master Jeanson Ancheta Sentenced to 5 Years in Prison.” Spam Daily News, May 9, 2006.

[67] Robert Lemos. “Blue Security Folds under Spammer’s Wrath.” SecurityFocus (Web site), May 17, 2006.

[68] Kim Zetter. “TJX Hacker Charged with Heartland, Hannaford Breaches.” Threat Level: Privacy, Crime and Security Online, Wired, August 17, 2009.

[69] David Morrison. “Albert Gonzalez, Mastermind Heartland Hacker, Gets 20 Years.” Credit Union Times, April 7, 2010.

[70] “Avalanche Botnet Moves from Distributing Spam to Zeus Lures.” SC Magazine, October 25, 2010.

[71] Kevin O’Shea. “Cyber Attack Investigative Tools and Technologies.” Institute for Security Technology Studies at Dartmouth College, May 7, 2003.

[72] Joshua Davis. “Hackers Take Down the Most Wired Country in Europe.” Wired, August 21, 2007.

[73] Mark Lander and John Markoff. “Digital Fears Emerge after Data Siege in Estonia.” New York Times, May 29, 2007.

[74] “A Look at Estonia’s Cyber Attack in 2007.” Associated Press, July 8, 2009.

[75] John Markoff. “Before the Gunfire, Cyberattacks.” New York Times, August 12, 2008.

[76] Kevin Coleman. “Cyber War 2.0—Russia v. Georgia.” Defense Tech (Web site), August 13, 2008.

[77] “War, Redefined.” Los Angeles Times, August 17, 2008.

[78] Jared Newman. “Twitter Crippled by Denial-of-Service Attack.” PCWorld Blogs, August 6, 2009.

[79] Elinor Mills. “Twitter, Facebook Attack Targeted One User.” CNet News (Web site), August 6, 2009.

[80] Graham Cluley. “Was Twitter Denial-of-Service Targeting Anti-Russian Blogger?” Graham Cluley’s Blog, August 7, 2009.

[81] “A Chinese Ghost in the Machine?” Economist, April 4, 2009.

[82] John Markoff. “Tracking Cyberspies through the Web Wilderness.” New York Times, May 12, 2009.

[83] Choe Sang-Hun and John Markoff. “Cyberattacks Jam Government and Commercial Web Sites in US and South Korea.” New York Times, July 9, 2009.

[84] John Markoff. “Internet’s Anonymity Makes Cyberattack Hard to Trace.” New York Times, July 17, 2009.

[85] “Hacking the Industrial Network.” Phoenix Contact Inc., Harrisburg, Pennsylvania.

[86] “Siemens SCADA Systems under Attack by Information Stealing Worm.” Help Net Security, July 20, 2010.

[87] “Iran Confirms Stuxnet Worm Halted Centrifuges.” CBS News, November 29, 2010.

[88] John Markoff. “Malware Aimed at Iran Hit Five Sites, Report Says.” New York Times, February 11, 2011.
[89] Christopher Williams. “Israeli Video Shows Stuxnet as One of Its Successes.” Telegraph, February 15, 2011.

[90] David Sanger. “Obama Order Sped Up Wave of Cyberattacks against Iran.” New York Times, June 1, 2012.

[91] “APT1: Exposing One of China’s Cyber Espionage Units.” Mandiant Corporation, February 18, 2013.

[92] David E. Sanger, David Barboza, and Nicole Perlroth. “Chinese Army Unit Is Seen as Tied to Hacking against U.S.” New York Times, February 18, 2013.

[93] T.P. “Hello, Unit 61398.” Economist, February 19, 2013.

[94] David E. Sanger and Julie Hirschfeld Davis. “Hacking Linked to China Exposes Millions of U.S. Workers.” New York Times, June 4, 2015.

[95] Patricia Zengerle and Megan Cassella. “Millions More Americans Hit by Government Personnel Data Hack.” Reuters, July 9, 2015.

[96] Brian B. Kelly. “Investing in a Centralized Cybersecurity Infrastructure: Why ‘Hacktivism’ Can and Should Influence Cybersecurity Reform.” Boston University Law Review, Vol. 92, No. 4, October 2012.

[97] PRLog. “Internet Group Anonymous Declares ‘War on Scientology’ ” (press release). January 21, 2008.

[98] John Leyden. “4chan Launched DDoS against Entertainment Industry.” Register, September 20, 2010.

[99] Fahmida Y. Rashid. “PayPal, PostFinance Hit by DoS Attacks, Counter-Attack in Progress.” eWeek, December 6, 2010.

[100] Esther Addley and Josh Halliday. “WikiLeaks Supporters Disrupt Visa and MasterCard Sites in ‘Operation Payback.’” Guardian, December 8, 2010.

[101] Yasmine Ryan. “Anonymous and the Arab Uprisings.” Al Jazeera, May 19, 2011.

[102] “Internet Strikes Back: Anonymous’ Operation Megaupload Explained.” RT, January 20, 2012.

[103] Adam Clark Estes. “Anonymous Hits Israel with a Massive Cyber Attack, Israel Attacks Back.” Atlantic Wire, April 7, 2013.

[104] David Boroff. “Grieving Dad, Anonymous Lash Out at Cleveland Cops Following Shooting Death of Boy, 12, Armed with BB Gun.” New York Daily News, November 24, 2014.

[105] Keely Lockhart. “‘Hacktivist’ Group Anonymous Says It Will Avenge Charlie Hebdo Attacks by Shutting Down Jihadist Websites.” Telegraph, January 10, 2015.

[106] Nic Corbett. “Verona Teen Sentenced to Year in Prison for Online Attack of Scientology.” Star-Ledger, New Jersey, November 18, 2009.

[107] John Leyden. “Second Man Jailed over Scientology DDoS Attacks.” Register, May 25, 2010.

[108] Nate Anderson. “Anon on the Run: How Commander X Jumped Bail and Fled to Canada.” Ars Technica (Web site), December 11, 2012.
[109] Dave Lee. “Jake Davis: Freed Hacker Faces Strict Tech Rules.” BBC, June 24, 2013.

[110] A. Agresti and B. Presnell. “Misvotes, Undervotes, and Overvotes: The 2000 Presidential Election in Florida.” Statistical Science 17(4):436–440, 2002.

[111] Jeremy Hsu. “Alaska’s Online Voting Leaves Cybersecurity Experts Worried.” IEEE Spectrum, November 6, 2014.

[112] Rosie Scammell. “Internet Voting a Success in Two European Countries.” European University Institute, February 12, 2013.

[113] “Early Voting Hits New Highs in NSW and Australia, But Is It a Good Idea?” Conversation, April 8, 2015.

[114] Rebecca Mercuri. “A Better Ballot Box?” IEEE Spectrum, pp. 46–50, October 2002.

[115] Thomas E. Patterson. The Vanishing Voter: Public Involvement in an Age of Uncertainty. Alfred A. Knopf/Random House, New York, NY, 2002.

[116] Bureau of Business and Economic Research, University of New Mexico. “Per Capita Personal Income by State.” April 2, 2013.

[117] Todd R. Weiss. “N.J. to Get E-voting Paper Trail, but Not until 2008; a Legal Battle Continues to Try to Put the Law into Effect Sooner.” Computerworld, July 15, 2005.

[118] Bruce Schneier. “Technology Was Only Part of the Florida Problem.” Computerworld, December 18, 2000.

[119] John Leyden. “Office Workers Give Away Passwords for a Cheap Pen.” Register, April 17, 2003.

[120] “Fighting the Worms of Mass Destruction.” Economist, pp. 65–67, November 29, 2003.

[121] Kalamazoo College Information Technology Services. “Computer Virus Policy.” Accessed July 29, 2011.

[122] Brock Read. “How to Write a Computer Virus, for College Credit.” Chronicle of Higher Education, January 16, 2004.

An Interview With Matt Bishop

Matt Bishop received his PhD in computer science from Purdue University, where he specialized in computer security. He was a research scientist at the Research Institute for Advanced Computer Science and was on the faculty at Dartmouth College before joining the Department of Computer Science at the University of California, Davis. He teaches courses in computer security, operating systems, and programming.

His main research area is the analysis of vulnerabilities in computer systems, including modeling them, building tools to detect vulnerabilities, and ameliorating or eliminating them. This includes detecting and handling all types of malicious logic. He is active in the areas of network security, the study of denial-of-service attacks and defenses, policy modeling, software assurance testing, and formal modeling of access control. He also studies the issue of trust as an underpinning for security policies, procedures, and mechanisms.

He is active in information assurance education, is a charter member of the Colloquium on Information Systems Security Education, and led a project to gather and make available many unpublished seminal works in computer security. He has authored a textbook, Computer Security: Art and Science, published by Addison-Wesley Professional.

What led you to focus your research on system vulnerabilities?

I became interested in this area because of the ubiquity of the problem. We have been designing and building computer systems since the 1950s, and we still don’t know how to secure systems in practice. Why not? How can we find the existing vulnerabilities and improve the security of those existing systems?

Also, there are parallels with nontechnical fields. I find those parallels fascinating, and I enjoy learning and studying other fields to see if any of the methods and ideas from those fields can be applied to analyzing systems and improving their security. Some fields, like military science, political science, and psychology, have obvious connections. Others, such as art and literature, have less obvious connections. But all emphasize the importance of people to computer and software security.

Do you have an example of what can happen when security is treated as an add-on, rather than designed into a system from the beginning?

Yes. Consider the Internet. When it was first implemented (as the old ARPANET), the protocols were not developed to supply the security services that are now considered important. (The security services that were considered important were various forms of robustness, so that the network would provide connectivity even in the face of multiple failures of systems in the network and even of portions of the network itself. It supplied those services very well.) As a result, security services such as authentication, confidentiality of messages, and integrity of messages are being treated as add-ons rather than the protocols being redesigned to provide those services inherently. So today we have security problems in the descendant of the ARPANET, the Internet.

How can the choice of programming language affect the security of the resulting program?

In two ways. The more obvious one is that some programming languages enforce constraints that limit unsafe practices. For example, in Java, the language prevents indexing beyond the end of an array. In C, the language does not. So you can get buffer overflows in C, but it’s much harder to get buffer overflows in Java. The less obvious one is that the language controls how most programmers think about their algorithms. For example, a language that is functional matches some algorithms better than one that is imperative. This means the programmer will make fewer mistakes, and the mistakes he or she makes will tend to be at the implementation level rather than the conceptual or design level—and mistakes at the implementation level will be much easier to fix.

What can be done about the problem of viruses, worms, and Trojan horses?

These programs run with the authority of the user who triggers them; worms also spread autonomously through the network and most often take advantage of vulnerabilities to enter a system and spread from it. So several things can ameliorate the situation:

Minimize the number of network services you run. In particular, if you don’t need the service, disable it. This will stop the spread of many worms.

Don’t run any attachments you receive in the mail unless you trust the person who sent them to you. Most viruses and many worms spread this way. In particular, some mailers (such as Outlook) can be set up to execute and/or unpack attachments automatically. This feature should be disabled.

The user should not be able to alter certain files, such as system programs and system configuration files. If the user must be able to alter them, confirmation should be required. This will limit the effect of most viruses to affecting the user rather than the system as a whole or other users on the system.

Many personal computer users do not update their systems with the latest operating system patches. Should computer manufacturers be given the ability (and the obligation) to keep up-to-date all of their customers’ Internet-connected computers?

I question the wisdom of allowing vendors to update computers remotely. The problem is that vendors do not know the particular environment in which the computers function. The environment determines what “security” means. So a patch that improves security in one realm may weaken it in another.

As an example, suppose a company disallows any connections from the network except through a virtual private network (VPN). Its systems were designed to start all servers in a particular directory that contains all network servers. So to enforce this restriction, all network servers except the VPN are removed from the systems. This prevents the other servers from being started.

The system vendor discovers a security vulnerability in the email server and the login procedure. It fixes both and sends out a patch that includes a new login program and a new email server. The patch installs both and reboots the system so the new login program and email server will be used immediately.

The problem here is that by installing the new email server (which improves security in most systems), the company’s systems now are nonsecure, as they can be connected to via a port other than those used for the VPN (for example, the email port, port 25). The vendor’s patch may therefore damage security.

We saw this with Windows XP SP2. It patched many holes but also broke various third-party applications, some of them very important to their users.

So I believe vendors should be obligated to work with their customers to provide security patches and enhancements, but should not be given the ability to keep the systems up-to-date unless the customer asks for it. Vendors should also provide better configuration interfaces, and default configurations, that are easy to set up and change, as well as (free) support to help customers use them.
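The drift described in this answer, where a vendor patch brings back a mail server on port 25 on hosts that should expose only the VPN, can be caught by auditing listeners after every patch. The following is an added example, not part of the interview or the textbook; the `ss -tuln` sample is constructed and the VPN port (UDP 1194) is an assumption.

```python
import ipaddress

# Constructed sample of `ss -tuln` output captured after the vendor patch
# and reboot; not taken from a real host.
SS_AFTER_PATCH = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:1194       0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      100    [::]:25            [::]:*
tcp   LISTEN 0      128    127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    [::1]:631          [::]:*
"""

# Site policy (assumed): the VPN is the only network-reachable service.
ALLOWED = {("udp", 1194)}


def is_loopback(host):
    """True when the bind address cannot be reached from the network."""
    host = host.strip("[]").split("%")[0]   # drop brackets and %iface scope
    if host == "*":                          # wildcard bind: all interfaces
        return False
    return ipaddress.ip_address(host).is_loopback


def policy_violations(ss_output, allowed):
    """Return sorted (proto, port, bind_address) tuples that break policy."""
    found = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):
            continue
        host, _, port = local.rpartition(":")
        if is_loopback(host) or (proto, int(port)) in allowed:
            continue
        found.add((proto, int(port), host))
    return sorted(found)


if __name__ == "__main__":
    for proto, port, host in policy_violations(SS_AFTER_PATCH, ALLOWED):
        print(f"POLICY VIOLATION: {proto}/{port} listening on {host}")
```

Run against live `ss -tuln` output as a post-patch step, a non-empty result means the patch changed the host's network exposure and the change should be reviewed before the system returns to service.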

Do you expect personal computers a decade from now to be more secure than they are today?

In some ways yes, and in other ways no. I expect that they will provide more security services that can be configured to make the systems more secure in various environments—not all environments, though! I also expect that the main problem for securing systems will be configuration, operation, and maintenance, though, and those problems will not be overcome in a decade, because they are primarily people problems and not technical problems.

What advice can you offer students who are seriously interested in creating secure software systems?

Focus on all aspects of the software system. Identify the specific requirements that the software system is to solve, develop a security policy that the software system is to meet (and that will meet the requirements), design and implement the software correctly, and consider the environment in which it will be used when you do all this. Also, make the software system as easy to install and configure as possible, and plan that the users will make errors. People aren’t perfect, and any security that depends upon them doing everything correctly will ultimately fail.

Chapter 8 Summary

Computers are part of larger systems, and ultimately it is the reliability of the entire system that is important. A well-engineered system can tolerate the malfunction of any single component without failing. This chapter has presented many examples of how the computer or the computer-human interface turned out to be the “weak link” in the system, leading to a failure. These examples provide important lessons for computer scientists and others involved in the design, implementation, and testing of large systems.

Two sources of failure are data-entry errors and data-retrieval errors. While it’s easy to focus on a particular mistake made by the person entering or retrieving the data, the system is larger than the individual person. For example, in the case of the 2000 general election in Florida, incorrect records in the computer database disqualified thousands of voters. The data-entry errors caused the voting system to work incorrectly. Sheila Jackson Stossier was arrested by police who confused her with Shirley Jackson. The data-retrieval error caused the criminal justice system to perform incorrectly.

When the topics are software and billing errors, it is easier to identify the system that is failing. For example, when Qwest sent out 14,000 incorrect bills to its cellular phone customers, it’s clear that the billing system had failed.

In Sections 8.4 and 8.5, we dissected several systems to determine the causes of their failures. The program for the Patriot missile’s radar tracking system had a subtle flaw: a tiny truncation error occurred every time the clock signal was stored in a floating-point variable. Over a period of 100 hours, all those tiny errors added up to a significant amount, causing the radar system to lose its target. The Ariane 5 blew up because a single assignment statement caused the onboard computers to crash. The AT&T long-distance network collapsed because of one faulty line of code.


A well-engineered system does not fail when a single component fails. In the case of hardware, this principle is easier to apply. For example, a jetliner may have three engines. It is designed to be able to fly on any two of the engines, so if a single engine fails, the plane can still fly to the nearest airport and land. When it comes to software, the goal is much harder to meet. If we have two computers in the system, that provides redundancy in case one of the computers has a hardware failure. However, if both computers are running the same software, there is no software redundancy. A software bug that causes one computer to fail will cause both computers to fail. The partial collapse of the AT&T long-distance network is an example of this phenomenon. All 80 switches containing the latest version of the software failed. Fortunately, 34 switches were running an older version of the software, which prevented a total collapse of AT&T’s system.

Imagine what it would take to provide true redundancy in the case of software systems. Should companies maintain two entirely different billing systems so that the bills produced by one system could be double-checked by the other? Should the federal government support two completely different implementations of the National Crime Information Center? These alternatives seem unrealistic. On the other hand, redundancy seems much more feasible when we look at data-entry and data-retrieval operations. Two different data-entry operators could input records into databases, and the computer could check to make sure the records agreed. This would reduce the chance of bad data being entered into databases in the first place. Two different people could look at the results returned from a computer query, using their own common sense and understanding to see if the output made sense. A paper audit trail is a practical way to add redundancy to an electronic voting machine.

While it may be infeasible to provide redundant software systems, safety-critical systems should never rely completely upon a single piece of software. The Therac-25 overdoses occurred because the system lacked the hardware interlocks of the earlier models.

The stories of computer system failures contain other valuable lessons. The Ariane 5 and Therac-25 failures show that it can be dangerous to reuse code. Assumptions that were valid when the code was originally written may no longer be true when the code is reused. Since some of these assumptions may not be documented, the new design team may not have the opportunity to check if these assumptions still hold true in the new system.

The automated baggage system at the Denver International Airport demonstrates the difficulty of debugging a complex system. Tackling one problem at a time, solving it, and moving on to the next problem proved to be a poor approach, because the overall system design had serious flaws. For example, BAE did not even realize that simply getting luggage carts to where they were needed in a fair and efficient manner was an incredibly difficult problem. Even if BAE had solved all the low-level technical problems, this high-level problem would have prevented the system from meeting its performance goals during the busiest times.

Systems can fail because of miscommunications among people. The Mars Climate Orbiter is an example of this kind of failure. The software written by the team in Colorado used English units, while the software written by the team in California used metric units. The output of one program was incompatible with the input to the other program, but a poorly specified interface allowed this error to remain undetected until after the spacecraft was destroyed.

A self-driving automobile is a system, too. A computer may be responsible for driving the vehicle 99 percent of the time, but the human driver is supposed to take over when the situation is more than the computer can handle. Unfortunately, the Tesla Autopilot accident and the Uber test-vehicle accident demonstrate that humans do not perform well when they have nothing to do for long periods of time and then are required to snap to attention and immediately take over during an emergency.

Computer simulations are used to perform numerical experiments that lead to new scientific discoveries and help engineers create better products. For this reason, it is important that simulations provide reliable results. Simulations are validated by comparing predicted results with reality. If a simulation is designed to predict future events, it can be validated by giving it data about the past and asking it to predict the present. Finally, simulations are validated when their results are believed by domain experts and policymakers.

The discipline of software engineering emerged from a growing realization of a “software crisis.” While small programs can be written in an ad hoc manner, large programs must be carefully constructed if they are to be reliable. Software engineering is the application of engineering methodologies to the creation and evolution of software artifacts. Surveys of the IT industry reveal that more projects are being completed on time and on budget, and fewer projects are being canceled. This may be evidence that software engineering is having a positive impact. However, since most projects are still not completed on time and on budget, there remains much room for improvement. For many companies, shipping a product by a particular date continues to be a higher priority than following a strict software-development methodology.

There is also a growing awareness that unconscious bias on the part of male-dominated software-development teams may lead to products being designed that are not truly gender-neutral. For this reason, some companies are taking steps to increase the number of women on software-development teams.

The development of artificial-intelligence systems based on machine learning is another area in which unconscious bias can have harmful results to underrepresented populations. The data sets used for training machine-learning systems must be carefully chosen to reflect the diversity of the population on which the artificial-intelligence system will be operating.

Should software manufacturers be held accountable for the quality of their software, or is a program a completely different kind of product from a socket wrench? An examination of the software warranties manufacturers include in their licensing agreements reveals that they do not want to be held liable for any damages that occur from the use of their software. Courts seem willing to treat software as goods, which means the damages and warranty provisions of the Uniform Commercial Code may apply, despite what may appear in a software warranty. However, courts have been reluctant to treat software programs as products, which would expose software manufacturers to the theory of strict liability.
