
1. Write in one or two pages discussing 3 reasons why cyber attacks occur and exploit
security vulnerabilities.

The digital world that has emerged over the last few decades has reached the peak of
its hype cycle. This new technology has both positive and negative effects, and one of
the negative effects is the cyber attack. A cyber attack can be described as a crime
that occurs in a virtual world, as opposed to tangible attacks such as war [1]. There
are many reasons why cyber attacks occur, but the main objective of all these attacks
is to cause damage and destruction to a whole range of people, economies or politics.

a) Personal Anger – The attack is launched out of anger towards the company or
organization. Examples of the reasons are being left out of promotions or not being
treated appropriately after all the hard work done. The person who carries out this
kind of attack is known as a malicious insider. A study performed by the U.S. Secret
Service and the Carnegie Mellon Software Engineering Institute on security incidents
found that insiders with authorized access launched attacks on computer systems that
caused loss of data and cost industry millions of dollars. One of the vulnerabilities
that an insider can exploit is a weak system for monitoring cyber access. The
legitimate access held by insider employees enables them to introduce threats in the
form of malicious code into the important systems or software currently used by the
organization [2].

b) Industrial Espionage – Competitors in business, specifically in the same industry,
try hard to conquer the same area. Research is a valuable asset, and some
organizations might choose foul play and fund industrial espionage to catch up with a
competing firm. Conducting a cyber attack is a way to steal a competitor's useful
research, which can then be used in research and development for a given product or
service and be worth millions of dollars to the company [3]. Microsoft faced this
problem when its security updates addressed the undisclosed vulnerability exploited by
the notorious Stuxnet malware. The attack begins with a vulnerable system that allows
the attacker remote access and execution. The attacker or industrial spy can then
collect information by sending the malware to gain full control of the infected
system [4].

c) Political War – Some people become politically angry because their views or wishes
go against those in power. A cyber attack can be one alternative way to display their
"people's power" or their dislike of the chief. The attack can take the form of
directly damaging the system or of blackmail. One form of warning is planting "logic
bombs" with a ransom note saying that unless the demands are met, the logic bomb will
go off. This is typically aimed at governments or organizations/unions of governments
such as the "World Economic Forum", the "APEC Summit", etc., and can be classified as
digital terrorism by a political group [5].

2. Choose a domain, for example (military, healthcare, governments, corporations,
financial institutions or private business), and discuss the emerging challenges of
cyberspace related to the selected domain.

Financial institutions in many developing countries worldwide have taken the
opportunity to use digital technology, bringing the Internet and computers into their
transactions. Internet banking services have become popular and have been used ever
since by people worldwide [6]. Unfortunately, cyber crime and Internet threats have
also become more advanced in step with the emerging technology in financial
institutions, putting legitimate businesses and consumers at risk. One of the
fraudulent activities pertaining to Internet banking is well known in the industry as
"phishing". In this scheme, the fraudster sends an email to a consumer, directing him
or her to a fraudulent website. The fraudster has designed the fraudulent website with
branding that is trusted by many consumers. The website has a look and feel that
closely resembles that of the genuine financial institution. The fraudulent website
normally asks consumers to update sensitive personal and financial information, i.e.
login name, password, date of birth and other "security" details, so that the same can
be "updated" on the financial institution's server. The data captured in the
background by the fraudsters is then used by identity thieves to commit fraud [7].

Another form of cyber crime that occurs in financial institutions is hacking into
customer accounts at online stock brokerages. Two online stock brokers, TD Ameritrade
Holding Corp. and E-Trade Financial Corp., have lost at least $22 million in a "pump
and dump" stock trading scheme [8]. The technique used by the attackers was Trojan
horses or other malware with embedded keylogging software to steal users' confidential
information, obtained when they logged on from public computers or their own infected
machines. The hackers then logged into existing customer accounts with the information
gained and bought rarely traded stocks to drive up the prices, so that they could sell
their own previously purchased shares for a profit [8].

The attack techniques used to commit cyber crime against financial institutions can
generally be divided into two, as described below:

i) Trojan Attack

When users download programs from certain websites, the attacker takes the
opportunity to install a Trojan, such as a key logger program, on the user's computer
without their knowledge. When the user logs into their bank's website, important
information such as the username and password keyed in during that session is captured
and sent to the attacker. Here, the attacker uses the Trojan as an agent to piggyback
information from the user's computer to his own backyard, and can make fraudulent
transactions whenever he wants [9].

ii) Man-in-the-Middle Attack.

Also known as phishing, this attack has the attacker draw users' attention to a fake
website created by him. The attacker is usually able to scam users by disguising his
identity and making the message appear to come from a trusted source. The user is
directed to the fraudster's website without realizing it, as the website looks similar
to the intended website. The information keyed in during that session is captured, and
the fraudsters can make their own transactions at the same time [9].

Such crime costs financial institutions and consumers millions of dollars every year.
These incidents also wear away consumers' confidence in the financial industry,
specifically in the new technology-based ways of offering services, such as Internet
banking and phone banking, that financial institutions are increasingly implementing
to offer convenience and enhance profits. Financial institutions are consequently
taking this matter very seriously.

One step taken by financial institutions is to hire security firms to constantly
monitor the Internet and report any phishing or spoofed websites. Security technology
and products such as security software, firewalls and IDS have also been deployed to
protect consumer information that has privacy or account-related implications. Each
security issue is mitigated quickly to avoid interruption in providing the best
service to consumers.
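
The kind of check a spoofed-website monitoring service can run on reported URLs, as an added example that is not part of the original essay. The brand domain `examplebank.com`, the homoglyph table and the sample URLs are constructed assumptions, and the "last two labels" rule for the registered domain is a simplification.

```python
from urllib.parse import urlsplit

TRUSTED = {"examplebank.com"}      # constructed brand domain (assumption)
# Digits commonly swapped for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(label):
    """Fold visually confusable characters: 'examp1ebank' -> 'examplebank'."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'lookalike' or 'unrelated' for the URL's host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: the registered domain is the last two labels. Production
    # code needs the Public Suffix List (for names under co.uk and similar).
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        brand = skeleton(good.split(".")[0])
        # Brand name placed in a subdomain of someone else's domain.
        if any(skeleton(label) == brand for label in labels[:-2]):
            return "lookalike"
        # Registered name within one edit of the brand after folding.
        if edit_distance(skeleton(labels[-2]), brand) <= 1:
            return "lookalike"
    return "unrelated"


SAMPLE_URLS = [                    # constructed examples
    "https://www.examplebank.com/login",
    "http://examp1ebank.com/update",
    "http://examplebank.com.secure-update.example.net/login",
    "https://weather.example.org/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify(url):10} {url}")
```

A "lookalike" verdict is a reason to review the site, not proof of fraud; the branding and login form still have to be checked against the genuine one.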

3. State the advantages of trusted computing. Discuss in two or three pages the common
criticisms of trusted computing and how trusted computing can be abused.

Trusted Computing (TC) is the information technology industry's response to the
ever-increasing need to protect the privacy of information. While the need for data
security is not new, the Trusted Computing approach – an inexpensive method of
ensuring laptop, desktop, and server security at the hardware level – is still in its
infancy. Understanding how Trusted Computing works, what it will protect against,
and how to best implement it with existing secure data practices is crucial to the
ultimate success of Trusted Computing. The Trusted Computing Group (TCG), an
incorporated, not-for-profit alliance of IT hardware companies, was formed in 2003 to
develop and support open industry specifications for Trusted Computing across
multiple platform types. One result of TCG's work is an inexpensive chip, generally
known as the Trusted Platform Module (TPM), that can help users protect information
assets from compromise due to external software attack and physical theft.

The advantage of trusted computing

The TPM itself has the potential for much more than just theft protection. It can be
used to prevent virus attacks and memory incursions, and to protect input/output
communications and the actual integrity of the operating systems. And then, there’s
storage. The biggest strength of Trusted Computing – what makes it most important to
today’s government – is secure storage. Data stored on the laptop is protected from
access by individuals without proper credentials and is also encrypted via the TPM
and the operating system itself. The icing on the cake is how the chip also protects
data stored on the laptop from software without proper credentials. Any software –
even a program working off the Internet – that attempts to run on the laptop without
perfect authorization and credentials will be sealed off from memory and disabled.

The overall strength of Trusted Computing also presents its biggest challenge.
Because the protected computer essentially treats every user and every program as an
adversary, losing one’s credentials or forgetting a password can have dire
consequences. The best defense against this adversarial relationship with Trusted
Computing is an organization-wide system of good data practices, which should be in
place independent of the Trusted Computing platform (see sidebar, Best Data
Practices). The protection of Trusted Computing combined with good data practices
means that the organization has protected the data from unauthorized access, and that
the organization has protected itself against losing the data altogether. The Trusted
Computing laptop, for example, should be disposable from a data protection
standpoint. Access to data by unauthorized persons or programs is unequivocally
blocked, and good data practices mean that the organization has a fall-back strategy if
the laptop is stolen or if its contents are encrypted. Visitor rights management is
another area of weakness in terms of the requirement for authorized credentials. This
may be more of an issue in the private sector or for personal-use computers than for
government. The same goes for digital rights management. While there is a general
hubbub regarding the manner in which Trusted Computing may block downloads of
copyrighted images and video, this issue should be a non-starter for government or
corporate users.

Common criticisms and how trusted computing can be abused

TC is controversial as the hardware is not only secured for its owner, but also secured
against its owner as well. Such controversy has led opponents of trusted computing,
such as Richard Stallman, to refer to it instead as "treacherous computing", even to
the point where some scholarly articles have begun to place scare quotes around
"trusted computing".[3][4]

Trusted Computing opponents such as the Electronic Frontier Foundation and Free
Software Foundation claim trust in the underlying companies is not deserved and that
the technology puts too much power and control into the hands of those who design
systems and software. They also believe that it may cause consumers to lose
anonymity in their online interactions, as well as mandating technologies Trusted
Computing opponents deem unnecessary. They suggest Trusted Computing as a
possible enabler for future versions of mandatory access control, copy protection, and
digital rights management.

Some security experts[5][6] have spoken out against Trusted Computing, believing it
will provide computer manufacturers and software authors with increased control to
impose restrictions on what users are able to do with their computers. There are
concerns that Trusted Computing would have an anti-competitive effect on the IT
market.[7]

There is concern amongst critics that it will not always be possible to examine the
hardware components on which Trusted Computing relies, the Trusted Platform
Module, which is the ultimate hardware system where the core 'root' of trust in the
platform has to lie.[7] If not implemented correctly, it presents a security risk to
overall platform integrity and protected data. The specifications, as published by the
Trusted Computing Group, are open and are available for anyone to review. However,
the final implementations by commercial vendors will not necessarily be subjected to
the same review process. In addition, the world of cryptography can often move
quickly, and hardware implementations of algorithms might create an inadvertent
obsolescence. Trusting networked computers to controlling authorities rather than to
individuals may create digital imprimaturs.

The Cambridge cryptographer Ross Anderson has great concerns that "TC can
support remote censorship [...] In general, digital objects created using TC systems
remain under the control of their creators, rather than under the control of the person
who owns the machine on which they happen to be stored (as at present) [...] So
someone who writes a paper that a court decides is defamatory can be compelled to
censor it — and the software company that wrote the word processor could be ordered
to do the deletion if she refuses. Given such possibilities, we can expect TC to be used
to suppress everything from pornography to writings that criticize political
leaders."[7] He goes on to state that:
[...] software suppliers can make it much harder for you to switch to their competitors'
products. At a simple level, Word could encrypt all your documents using keys that
only Microsoft products have access to; this would mean that you could only read
them using Microsoft products, not with any competing word processor. [...]

The [...] most important benefit for Microsoft is that TC will dramatically increase the
costs of switching away from Microsoft products (such as Office) to rival products
(such as OpenOffice). For example, a law firm that wants to change from Office to
OpenOffice right now merely has to install the software, train the staff and convert
their existing files. In five years' time, once they have received TC-protected
documents from perhaps a thousand different clients, they would have to get
permission (in the form of signed digital certificates) from each of these clients in
order to migrate their files to a new platform. The law firm won't in practice want to
do this, so they will be much more tightly locked in, which will enable Microsoft to
hike its prices.[7]

Anderson summarizes the case by saying "The fundamental issue is that whoever
controls the TC infrastructure will acquire a huge amount of power. Having this single
point of control is like making everyone use the same bank, or the same accountant,
or the same lawyer. There are many ways in which this power could be abused."[7]

Abused

Although the Trusted Computing system renders its computing platform less
vulnerable to some security flaws, it enhances other potential security vulnerabilities.
One of these is an increased vulnerability to Denial of Service attacks. Denial of
Service (DoS) attacks involve an attacker using up the resources of a victim to
effectively disable it. This can be accomplished through starving the victim’s network
of usable bandwidth, filling up hard disk space, file handle and process table
exhaustion, or any other method in which limited resources can be exhausted [Schuba,
2000]. These attacks can come from several computers
at once, in a malicious orchestrated campaign. The attacking computers are often ones
that have been hacked into or made vulnerable by viruses, worms, or mismanagement
(through not updating software, or misconfiguring software), because
using such computers makes it easy to obscure the origin of the perpetrator. DoS
attacks can clearly be aimed at Trusted Computing remote attestation services —
either at an attesting computer, or at companies that require remote attestation. By
flooding the bandwidth required for remote attestation, the attestation service can be
stifled. But DoS attacks are not only used against remote computers. They can also be
used against applications or hardware within one computer. The problem of protecting
against this popular attack is where Trusted Computing is most vulnerable. The TPM
itself is open to attacks against crucial functions which require authorisation. Because
the TPM does not keep track of previous authorisation requests [Trusted Computing
Group, 2003], failed attempts at authorisation are not noted against other failed
attempts; that is, the current authentication attempt is not correlated with any
others. However, because this leaves the TPM open to brute-force dictionary attacks
(that is, trying every possible combination of characters in order to eventually guess
the password, which can also potentially be used to flood the bandwidth to the TPM
in a DoS as well), countermeasures against this sort of attack must be implemented.
Such countermeasures can lead to the opening of the TPM to DoS attacks, crippling
the TPM for other authentication requirements at the time of attack. For this reason,
the TCG specification recommends implementing software-based services outside the
TPM to monitor attempts at authentication, and to balance the response to such
problems; but the software services that the specification calls for will themselves be
open to DoS attacks. The Trusted Computing Group specification is not fixing the
problem, merely failing to take responsibility for it, and will rely on software
implementations to adequately protect it against DoS attacks.
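
The trade-off in the paragraph above, as an added simulation that is not code from the original essay or from any TCG specification. `AuthGate` is a constructed toy model of an authorisation check; the secret, word list, failure limit and lockout length are assumed sample values.

```python
import hmac


class AuthGate:
    """Toy stand-in for a TPM-style authorisation check (constructed model)."""

    def __init__(self, secret, max_failures=None, lockout_ticks=0):
        self._secret = secret.encode()
        self.max_failures = max_failures    # None: failures are not tracked
        self.lockout_ticks = lockout_ticks  # length of a lockout, in clock ticks
        self.failures = 0
        self.locked_until = 0
        self.now = 0                        # simulated clock

    def tick(self, n=1):
        self.now += n

    def authorise(self, attempt):
        """Return 'ok', 'denied', or 'locked' (attempt not evaluated)."""
        if self.now < self.locked_until:
            return "locked"
        if hmac.compare_digest(attempt.encode(), self._secret):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked_until = self.now + self.lockout_ticks
            self.failures = 0
        return "denied"


def guesses_until_success(gate, wordlist):
    """Guesses needed to authorise, or None if the list never succeeds."""
    for count, guess in enumerate(wordlist, start=1):
        if gate.authorise(guess) == "ok":
            return count
    return None


def owner_after_flood(gate, bad_attempts, secret):
    """Result the legitimate owner gets right after a burst of bad attempts."""
    for _ in range(bad_attempts):
        gate.authorise("wrong-value")
    return gate.authorise(secret)


SECRET = "s3cret"                                    # constructed sample value
WORDLIST = ["alpha", "bravo", "charlie", "delta", SECRET]


def compare_policies():
    flooded = AuthGate(SECRET, max_failures=3, lockout_ticks=100)
    result = {
        "untracked_guesses": guesses_until_success(AuthGate(SECRET), WORDLIST),
        "limited_guesses": guesses_until_success(
            AuthGate(SECRET, max_failures=3, lockout_ticks=100), WORDLIST),
        "owner_untracked": owner_after_flood(AuthGate(SECRET), 10, SECRET),
        "owner_limited": owner_after_flood(flooded, 10, SECRET),
    }
    flooded.tick(100)                                # lockout window passes
    result["owner_after_wait"] = flooded.authorise(SECRET)
    return result


if __name__ == "__main__":
    print(compare_policies())
```

Without failure tracking the word list succeeds and the owner is never blocked; with the limit the guessing stops, but ten bad attempts are enough to lock the owner out until the window expires.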

Other vulnerabilities in Trusted Computing could well be discovered if the hardware
could be simulated or monitored physically. IBM states it is not attempting to secure
the TPM against its user, and so its chip is able to be monitored and is susceptible to
power, radio, or timing analysis. “We simply are not concerned with threats based on
the user attacking the chip,” they claim [Safford, 2002b]. Microsoft, however, is a
little more cautious with its approach, aiming at offering users a “secure pathway
from the keyboard through the computer to the monitor screen, preventing it from
being secretly intercepted or spied on” [Microsoft, 2003b], and considers the
possibility of someone attacking the hardware as being “technically feasible” but an
“extreme case” [Microsoft, 2003a], which implies that they are most certainly
concerned with attacks against the chip. Whether or not Microsoft will be using
IBM’s chip is as yet unknown. If they do, there will be either an interesting conflict or
some eating of words.

It is important to note that other security systems are also vulnerable to DoS attacks
similar to those described above. Whether there is a security system as broadly useful
as Trusted Computing which is less vulnerable to DoS attacks is a difficult question
which I cannot answer (and which is perhaps too vague to answer). Whether or not it
is better to have smaller, more targeted security systems that could fail under a DoS
but not incapacitate the greater platform is also a subject that would require further
research. However, it is safe to say that these vulnerabilities preclude Trusted
Computing from claiming its magic bullet status, and that shuffling hardware
problems off into software domains will only abstract the security of Trusted
Computing and make it harder to keep implementations standardised.
