Destruction: To Break Systems, Corrupt Data, or Steal Sensitive Information

Cyber Self Defense: Group Term Paper




Disclaimer: This was a group term paper. I have not disclosed the contributing authors’ full names, for the sake of their privacy. If you feel this is against proper citation, please email me.
Authors: Alexander G., K. Kennedy, Jonathon L., Peter M., Byran V.




In the realm of Information Security, there are many reasons why a person would want to access information held on a computer system or network. In the midst of the computer breakthrough of the 1980s, some of the most notable contributors stated that curiosity was their driving point. Pioneers such as Steve Wozniak tried new ideas just to see if they could. He wanted to push the envelope and see whether something was within the realm of possibility.

And although this concept of curiosity is innocent and nostalgic, it is sadly not the only driving force behind innovation. Some realms of the computing world were created out of necessity, due to individuals pushing the limits, not out of pure curiosity, but for personal gain and destruction. This has instilled a need for personal protection for all individuals who use computers out of a fear of exploitation.

There are several methods an attacker can use to break into a system, but we would like to cover a few specific areas of attack whose purpose is destruction: of the individual’s personal records, of the system the information is held on, or, out of malicious intent, of the user’s ability to use the system or the data that it holds.

Attacker’s Gain

So why would one aim for destruction? What could one possibly gain from inflicting damage on another person’s system or data? There could be multiple answers. The first and most obvious one is personal satisfaction. Other gains include, but are not limited to, monetary gain, an attempt to disrupt services provided by the target, and notoriety; the act of destroying or damaging someone’s data could even be a sign of retaliation against some event that the target participated in.

Monetary gain is by far the easiest to understand and the most famous. The hacker receives money for actions such as destroying the information on the servers of a rival company or taking down the machine of the client’s foe. Sometimes there can even be several gains from a single attack, though not necessarily for the same person. Take, for example, the hacking of a rival company: the hacker himself has no motive except the payment, yet his client profits when its competitor is unable to maintain its working pace. The enemy’s loss of reputation, missed contracts, and unfinished products all result in benefits for the hacker’s client, and thus in monetary gain.

Crimes committed for self-satisfaction are usually carried out by people who do not have any real knowledge of the subject but have managed to get their hands on certain types of software. They try to get satisfaction by threatening others with its use or by using it to make others angry. The reason behind such behavior is that these tools make one feel more powerful on the internet and let one gain satisfaction by tormenting the weaker with seemingly low chances of being prosecuted.

However, those types of cyber crimes are usually not highlighted in the press. The ones that get the most attention are the crimes committed as a means for a hacker to test their skills, gain notoriety, or retaliate. Those types of unlawful acts cannot be discussed without mentioning the famous “Anonymous” hacker group, as their acts serve as one of the best examples of such activities. As a test of skills they break governmental websites. Takedowns of Russian, Chinese (Ferran), United States, and Spanish (BBC News) governmental websites are among the best known on the internet. (Jonsson) Coordination among the hackers of this group allows them to make clear statements for or against something, because their numbers let them attack several places simultaneously. As retaliation they attacked the websites of organizations affiliated with the closure of the popular hosting service Megaupload (Garg), taking them down with a DDoS attack. (Jonsson) Of course, such acts gained them a huge amount of notoriety as well. According to the FBI, “Anonymous” is now considered to be a potential threat to the national security of the USA (Mead).

To stay truthful, it is necessary to mention that sometimes, in very rare cases, remote destruction of someone’s data could have a gain which is not malicious. So-called “Internet Vigilantism” is one example. People have been taking down servers and destroying their content, as well as reporting the owners to the officials, if the hosted websites were associated with the distribution of child pornography, abusive videos, or drugs. Another famous hacker group, “Alt.Hackers.Malicious”, declared a war on NAMBLA (North American Man/Boy Love Association) because it advocates for pedophilia. This resulted in the association’s servers being taken down several times.

The reasoning behind destructive hacking attempts is not limited to the points covered in this section. There are many more potential gains which a hacker may pursue. However, these are the most common and have the biggest effect on the internet community and on users turning into hackers who aim to destroy someone’s data or shut down someone’s system.


Specific Attacks

Viruses and Worms

Computer viruses and worms are two of the tools that an attacker can use for many different purposes. They can be used to cause major destruction to computers and computer networks. They can also be used to help an attacker gain access to a system or a network, or they can even be harmless. Most viruses and worms are made with a purpose other than just to spread, making them a big threat in more ways than one.

Computer viruses, according to Bruce Schneier, are like biological viruses. He explains that “a biological virus is a simple submicroscopic infectious agent that often causes disease in plants, animals, and bacteria. It consists essentially of a core of RNA or DNA surrounded by a protein coat. Viruses are unable to replicate without a host cell, and are typically not considered living organisms.” Like biological viruses, computer viruses are “strings of computer code that attach themselves to another computer program (they can’t live on their own). Once attached, they replicate by co-opting the program’s resources to make copies of themselves and attach them to other programs. And so on.” Computer worms are like viruses in that they replicate and try to spread to other systems. Worms, however, do not “hide in another program, like a virus does. Instead, they exist on their own, meandering through computer networks as best it can, doing whatever damage it is programmed to do.” (Schneier)

Viruses and worms may do more than just replicate. What they are programmed to do is known as a payload. According to SecurityFocus, a payload is the “part of malicious code that performs the destructive operation” (SecurityFocus). Since all viruses and worms are designed to replicate and to infect as many other devices as they can, the payload is what makes one virus or worm more or less destructive than another. Some of the most famous viruses and worms have had payloads that were meant to be harmless, but ended up being extremely destructive, or were meant to cause harm and actually did very little.

A few famous examples of these are the Melissa, ILOVEYOU, Code Red, Slammer, Sobig, and Blaster worms. The ILOVEYOU virus used a little bit of social engineering as well as catchy subject lines in order to spread itself rapidly through email. When a user ran the email attachment, ILOVEYOU would send out emails to all of the people in the person’s Microsoft Outlook address book. It was able to spread very rapidly, and is still occasionally seen today. Code Red was a worm that exploited a vulnerability in Microsoft’s Internet Information Services (IIS). When the system was infected, all websites being served by IIS would contain the message “Hacked By Chinese!” A month later, all servers that were infected with Code Red were used to launch a distributed denial of service attack against several U.S. government websites. Slammer, like Code Red, spread through a vulnerability, this time in Microsoft’s SQL Server. Slammer became famous due to the rapid pace at which it spread, infecting 75,000 hosts in the first ten minutes after its release. This rapid spread caused even more damage by taking multiple ISPs around the world offline for extended periods of time. The Blaster worm is one of the most famous worms ever written. Blaster spread to millions of Windows hosts very quickly by taking advantage of a buffer overflow in the DCOM RPC service of Windows 2000 and Windows XP. Exploiting the overflow would cause all of the infected computers to reboot themselves every 60 seconds, and would also start quickly sending packets to the Microsoft site which is used to distribute security patches.

Each of these pieces of malicious software was created to work in a different way and do different things, but each ended up causing a large amount of damage. While some viruses and worms are created with only the ability to spread, sometimes even this is enough to cause major destruction to the computers that get infected, as well as the networks that those computers are on.


Denial of Service

One of the attacks that draws the most media attention is the denial of service attack. It is commonly known as a way to attack a company or individual without regard for profit, so that their systems can be brought down or compromised.

Denial of service was around long before the internet came along. Attackers would do this through mail, or “snail” mail as it is termed in today’s society. The attacker would sign up an individual to receive hundreds of pieces of “junk” mail at their house, hoping the recipient would not receive their important mail. Since the internet has evolved, this has been upgraded to what is known as “mail bombing”. In 1995 the Internal Liberation Front (it was just a made-up name) sent a flood of email to the author Joshua Quittner and Wired magazine. “The flood was so great that the computers just crashed” (Schneier).

Even phone lines were, and still are, under attack. The organization of Jerry Falwell, known as a political activist and pastor, was attacked by denial of service. An attacker configured the phone lines so that no calls would be able to go through to Jerry’s 1-800 number. With the phones tied up, his organization would lose a great deal of money and support.

Denial of service is well known in the internet client-server world but can happen anywhere. For instance, an attacker could block or obstruct the entrance to a restaurant. With the entrance blocked, the company would lose business and possibly customers. This concept was then translated to the internet world. With the internet growing at a rapid rate, it is hard to control and block every single known virus and attack. This is one reason why denial of service is so hard to protect against. Another is that the attacker does not seek personal information; the attacker is just looking to crash your system.

In the internet world, some of the most common denial of service attacks are buffer overflow, SYN flooding, teardrop, the smurf attack, and distributed denial of service. Buffer overflow is simply a way to overload the traffic going to a network. With the large amount of data being sent to the buffer, the buffer cannot support the flow and the system crashes. SYN flooding attacks the Transmission Control Protocol (TCP). Its purpose is to make bogus connection requests. When the system tries to communicate with the requester, the request is not valid. Back in 1996, computer hackers accomplished this against Public Access Networks Corporation, known as Panix. The hackers sent what was known as the “Hello Message”. “The hackers flooded Panix with as much as 50 “wake up” messages per second” (Schneier). This was the first denial of service that was publicized. The teardrop attack assaults the Internet Protocol (IP). It sends the fragments of a packet in a jumbled or confused order, and when the system tries to put them back together it gets confused and crashes. This is common with older software such as Windows NT, Windows 95, and even some Linux versions prior to 2.1.65. Smurf attacks send an Internet Protocol (IP) ping to a receiving site. The main purpose is to confuse the system with someone else’s return address, ultimately flooding the host. The host would no longer be able to receive or handle real traffic. Imagine a company that had automated response emails. The attacker would send a plethora of emails to all employees with a fake return address. The poor individual with that return address would be bombarded with emails and could wind up with a system crash. With Distributed Denial of Service (DDoS), instead of using one computer, the attacker uses multiple computers. This is one of the deadliest attacks. This attack typically comes with viruses.
If the attacker was able to gain access to your computer, he or she could set it up as part of a chain of computers used to infiltrate a system. Computers configured for the attacker’s use in this way are known as “zombie” computers. If this is done on multiple computers, finding out exactly who targeted your system would be endless and time consuming.

Denial of Service (DoS) is mostly not intended for personal gain, where someone is out to gain access to your personal information. It is used to take down a system and possibly destroy a company. It is extremely difficult for companies or individuals to control. The best defense for an individual or company against these attacks is to keep systems updated and to know what is being downloaded.
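The SYN flood described above leaves a recognizable trace on the server: connection requests that are never completed. The following Python code is an added example, not part of the original paper; it counts abandoned handshakes per second in a packet summary. The record layout, the sample traffic with forged return addresses, and the threshold of 50 per second (taken from the Panix figure quoted above) are assumptions made for illustration.

```python
from collections import Counter

# Each record is (timestamp_seconds, source_ip, source_port, tcp_flag) as seen
# by the server. The layout is an assumption made for this example.


def build_sample():
    """Constructed traffic: four normal clients plus two seconds of bogus SYNs."""
    packets = []
    # Normal clients answer the server's SYN-ACK with an ACK.
    for i in range(3):
        t = 5.0 + i
        packets.append((t, f"192.0.2.{10 + i}", 40000 + i, "SYN"))
        packets.append((t + 0.05, f"192.0.2.{10 + i}", 40000 + i, "ACK"))
    packets.append((10.5, "192.0.2.50", 45000, "SYN"))
    packets.append((10.6, "192.0.2.50", 45000, "ACK"))
    # Flood: 60 requests per second, each with a different forged return
    # address, none of which ever completes the handshake.
    for sec in (10, 11):
        for i in range(60):
            packets.append(
                (sec + i / 100, f"198.51.100.{i + 1}", 2000 + sec * 100 + i, "SYN")
            )
    return packets


def find_half_open(packets, handshake_timeout=3.0):
    """Return sorted (syn_time, src_ip, src_port) for SYNs never completed in time."""
    pending = {}
    for ts, src, sport, flag in sorted(packets):
        key = (src, sport)
        if flag == "SYN":
            pending[key] = ts
        elif flag == "ACK" and key in pending:
            if ts - pending[key] <= handshake_timeout:
                del pending[key]  # handshake finished: a real client
    return sorted((ts, src, sport) for (src, sport), ts in pending.items())


def flood_seconds(packets, threshold=50, handshake_timeout=3.0):
    """Return {second: abandoned_syn_count} for seconds at or above threshold."""
    abandoned = find_half_open(packets, handshake_timeout)
    per_second = Counter(int(ts) for ts, _, _ in abandoned)
    return {sec: n for sec, n in sorted(per_second.items()) if n >= threshold}


def max_per_source(packets):
    """Largest number of abandoned SYNs attributed to any single source address."""
    per_source = Counter(src for _, src, _ in find_half_open(packets))
    return max(per_source.values(), default=0)


if __name__ == "__main__":
    sample = build_sample()
    print("abandoned handshakes:", len(find_half_open(sample)))
    print("seconds over threshold:", flood_seconds(sample))
    print("most from one address:", max_per_source(sample))
```

Because every bogus request in the sample carries a different return address, no single address stands out, which is why the count is taken across all sources rather than per sender.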

Social Engineering

One of the most utilized forms of attack is social engineering, most notably used by the former hacker, Kevin Mitnick. (Mitnick) Social engineering is a form of low tech fraud. The attacker can use his social skills to retrieve information from a person or have the person inadvertently allow the attacker access into areas of a system that they should not have. Individuals can look at social engineering as a new version of the traditional con artist. These people are well liked, or can appear to be, and give individuals the sense that they deserve the information they are asking for. Victims of a social engineering attack may not even realize they were victimized until it’s too late and the damage has already been done. (Wikipedia)

As I mentioned earlier, Kevin Mitnick is well known for his social engineering skills that allowed him access into the systems of several telephone companies, colleges, and businesses. But the key difference in his defense was that he did not have malicious intent. He maintains that his reasons were out of curiosity, to see if he could accomplish the break in, not to steal or damage data. (Mitnick) This curiosity was prevalent in the early days of the personal computer, but once the newness of technology wore off, personal gain stepped in. (Wozniak and Smith) We as individuals have always been told to protect ourselves, and even though it’s widely known that the internet and computers are constantly attacked, very few people guard against social engineering attacks.

First, the reason it’s so difficult for us to guard against this is that it’s not in our nature to. We as a society are extremely naïve; we don’t like to question anything too closely. This is mostly due to a fear of offending or causing problems for other individuals. We dislike getting in the way; we don’t want to be a bother to another hardworking individual who just wants to do their job. An attacker can use this non-confrontational attitude to their advantage. Even if someone were to step in and question it, an attacker can normally swindle information out of a person with a simple guilt trip. (Slatalla and Quittner) In fact, the attacker knows we will go to extreme lengths to avoid confrontation or conflict, even if it puts us in direct danger or is blatantly against the rules. The individual knows that what they are doing is bending or breaking the rules, but feels it’s too much trouble to waste time and energy to play it safe. ‘Why waste company time taking an extra ten minutes to check this person out, when we will just get confirmation that they work for us and could have been doing what they need to?’ An attacker knows this and uses it. (Granger)

Secondly, there is a lack of proper training against social engineering attacks. (Mitnick) Most individuals or employees do not know how to spot an attack, much less how to protect against one. (SANS) Although to the employer or individual’s credit, it’s not the easiest thing to protect against. The only safe way to protect against this is to become suspicious of every situation. But this tactic can be very tedious and individuals tend to slip in their protection.

So once attackers realized how difficult it is for the average individual to defend against this sort of attack, it became an easy way in. Why waste time trying to brute force into a system when you can get the user to hand the information over to you?

I would like to end this section with an example of an attack using a social engineering method called phishing. Phishing is an attack that attempts to gain information such as passwords and usernames by appearing to be a trusted company. Most phishing attacks are in the form of an email or instant message, asking the user to log into their account to verify information. The victim is told that their account has been breached, is insecure, or needs immediate attention. They are given a web link where they are encouraged to sign into their account but the victim is not taken to the actual website of the organization, but rather a mock website where their login information is then kept. The attacker then has the ability to log into the true organization website and retrieve sensitive information about the victim. (Wikipedia)

Although phishing attacks are normally disguised as banking websites or websites that hold financial information for the user, such as PayPal or eBay, they are not limited to these websites. Phishing attacks have also been known to occur under the false pretense of charities. For example, during the aftermath of Hurricane Katrina, several phishing attacks were confirmed, requesting individuals to donate to a Katrina relief fund. During 2005, the FBI found that over 60 percent of the 2000 Katrina charity websites were registered to individuals living outside of the United States and were very likely to be scams. The states of Florida and Missouri filed civil lawsuits against an individual who purchased several web domains, which sent donations to his private PayPal account.

According to the United States Computer Emergency Readiness Team, the best way to defend against a phishing attack or any other type of social engineering attack is for every individual to be suspicious of all activity and emails sent to them. Do not give sensitive information over email, and check the URL of the website you are on before typing in your information. If in doubt, double check with the organization or company directly, in a form other than the contact page on that particular website. (US-Cert) But the best method of defense is to stay informed and to be cautious at all times.

Fake Anti-Virus and Security Software

As well documented by Kevin Mitnick and Bruce Schneier, people are susceptible to well-designed social engineering attacks, and generally are willing to lower their guard in order to fulfill requests by others. (Mitnick) This weakness is exploited by attackers who infect victims’ computers with fake anti-virus and security software under the guise that the software will help clean the machine of a virus or worm that might not actually exist.

Many times the victim accidentally installs the rogue security software onto the computer from sources such as additional installs during another legitimate software install, or receiving infected peer-to-peer files.  Other times the victim installs the software by being offered an executable when they visit a website that alleges they are infected and is offering to help. (Sophos)  Attackers have even been using search engine optimization to make sure that poisoned websites containing the executable rank higher in search results. Attackers have also been known to poison search results for current hot topics and current news, in order to attract a click through. (Sophos)

Once infected, victims are usually presented with popups in the system tray generated from the rogue security software informing the user that the machine is infected with various viruses and worms. The rogue security software offers the user the ability to clean their computer, as long as the user pays for the full unlocked version of the software. These popups will repeat in order to persuade users to pay for the software. Other rogue security software titles have gone as far as to fake a blue screen of death, followed by a fake reboot of the computer, tricking users into thinking that the only way to clean the machine is to purchase software. (Stone-gross et al.) Most rogue security software contains very little if any security scanning features when compared to legitimate industry standard software titles.

Rogue security software impacts machine performance and usability, because the user is constantly interrupted by the software to make a purchase. Other times the installed rogue software is very aggressive and renders the machine completely inoperable by disabling key parts of the operating system. Victims may not be able to access task manager, add/remove programs, or even registry editing tools. This can make the task of removing the software programs extremely difficult for infected users.

Because there is software already installed onto the victim’s machine, this makes an easy entry point for an attacker to launch a bot network or compromise security of data on the local machine. (Sophos)  Many of the botnets that are formed by the wide install base of rogue security software are responsible for email spam or can lead to crucial sensitive data being compromised. (Stewart)  Browser windows are also commonly hijacked and when a victim tries to search key terms or visit legitimate security websites, the results are filtered or blocked.  This is done because many legitimate security vendors will detect and attempt to remove rogue security software programs.

When users are fed up with the continuous popups, they may make a payment in order to unlock the full software and clean what they perceive as active threats. In order to evade accounting scrutiny, most firms are located in countries with less restrictive laws. It is estimated that, at the height of infections, variants of the more popular titles (Bakasoftware and titles) were receiving profits of more than $150,000 every ten days, for a rate of over 5 million dollars per year. (Stewart) Although some of the titles offered refunds to victims who asked, many didn’t, and profits far outweighed any chargebacks. (Stewart)

In order to keep end users protected from these types of threats, it’s essential that they run a legitimate antivirus scanner and keep it up to date with the latest virus definitions. Users should also be wary of any website that insinuates they are infected and offers solutions before they have run a full scan with their own virus scanner.

Social Impact

For many people, the idea of being hacked is an extremely scary prospect. From a business standpoint, it can mean crippling monetary loss or customer data compromise. This is the worst possible outcome and the biggest scare for any corporation.

According to a BBC article, in 2004, companies in the United Kingdom lost billions (in pounds) to computer hacking incidents. (Gish) This is not an unusual number, as $5.5 million is the average cost per year, as of 2012, for large companies. So we can understand why businesses would have a negative attitude towards being attacked. It has a direct impact on their business goals and budget.

But this doesn’t mean that companies are the only ones at risk; individuals and everyday computer users are targets too. It is no longer a simple matter: in recent years we’ve discovered the gray areas of computer security, hacking, and system compromises. According to an article, we have now entered into situations where the legality of cyber protection has become fuzzy. In a recent Amazon lawsuit, their customer information was leaked. But the reason this is an issue is the lack of damages. Customers feel that their privacy was violated, regardless of monetary damages; the idea is that the customers were not protected. And the possibility of damages has led the lawsuit. (Roberts) The question now is where the responsibility lies. Who should be held accountable?

But accountability is not the only problem here. As a society, we are hearing words such as “War on Cyber Crime” or “Cyber Threat”, but can the majority explain what they mean? (Nakashima) The sad truth is that most of us probably cannot. As a society, we lack a proper education in what the risks are, much less how to protect against or handle such risks.


In conclusion, our first line of defense needs to be education. People don’t protect against attackers because they don’t know how to and don’t ask or try to find out. It’s too much trouble, it’s time consuming, and there are not enough resources out there that clearly explain it and what the dangers are. (Mitnick) We all want to be able to browse the internet or use our computers without thinking about being cautious. This is a mindset that is extremely damaging in itself. But once we as a whole are properly aware of the risks and how to handle them, we can hope to see a dent in computer vulnerability. (Guard Privacy) We must also stay ahead of the game. Attackers are not a new idea; the idea of a ‘villain’ has been around for as long as humankind has existed, and that will not change anytime soon. So, in addition to keeping ourselves well informed and anticipating potential attacks, we must always keep in mind that attackers will constantly test boundaries and limits. Being cautious is not a limitation but an advantage, and it’s an advantage we as a society need to learn and accept as a necessity.

Cited Work

BBC News. “Spanish police website hit by Anonymous hackers”. June 2011. Web. 22 Apr. 2012.
“The Most Famous (or Infamous) Viruses and Worms of All Time.” Web. 21 Apr. 2012.
Ferran, Lee. “Anonymous Lashes Out at Chinese Government.” Apr. 2012. Web. 22 Apr. 2012. < websites/story?id=16079707#.T5SX_dl5cud>.
Garg, Ishaan. “MegaUpload taken down by FBI for Copyright Infringement, Anonymous Strikes Back & Threatens FBI”. 2012. Web. 22 Apr. 2012.
Gish, Will. “The Effects of Computer Hacking On An Organization”. Web. 22 Apr. 2012. < 17975.html>.
Granger, Sarah. “Social Engineering Fundamentals, Part I: Hacker Tactics”. Symantec. Dec. 2001. Web. 11 Apr. 2012. < part-i-hacker-tactics>.
Guard Privacy and Online Security. “How Are Our PCs Targeted And What Are The Effects Of Computer Hacking?”. 2012. Web. 22 Apr. 2012. < the-effects-of-computer-hacking.html>.
“Security Reference Guide”. Web. 25 Apr. 2012.
Jonsson, Patrik. “SOPA: Feds go after Megaupload as Congress reviews anti-piracy bills”. Jan. 2012. Web. 22 Apr. 2012. < congress-reviews-anti-piracy-bills>.
“Dr. Jerry Falwell”. Web. 25 Apr. 2012.
Mead, Derek. “Anonymous Isn’t a National Security Threat, but the FBI Wants it to be”. Apr. 2012. Web. 22 Apr. 2012. < threat-but-the-fbi-wants-it-to-be–2>.
Mitnick, Kevin D., and William L. Simon. The Art of Deception: Controlling the Human Element of Security. Hoboken; Wiley, 2002. Print.
Nakashima, Ellen. “Pentagon to fast-track cyberweapons acquisition.” Apr. 2012. Web. 22 Apr. 2012.
“Preventing Smurf Attacks”. Web. 23 Apr. 2012.
“Operation Fobos-Gone”. Apr. 2012. Web. 22 Apr. 2012.
“Alt. Hackers. Malicious”. Dec. 2005. Web. 22 Apr. 2012.
Roberts, Jeff John. “Amazon Lawsuit Tests ‘No Harm, No Foul’ Rule For Leaked Personal Info”. Jan. 2012. Web. 22 Apr. 2012. < rule-for-leaked-personal-info/>.
SANS. “InfoSec Reading Room – Social Engineering”. Apr. 2012. Web. 11 Apr. 2012.
Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. Ed. Carol Long & Micheline Frederick. Indianapolis, Indiana: Wiley Publishing, Inc., 2000. Print.
SecurityFocus. “Glossary.” Web. 22 Apr. 2012.
“Hacking costs companies $5.5 Million on average”. Apr. 2012. Web. 22 Apr. 2012. < bin/article.cgi?f=/c/a/2012/04/04/BU7M1NTNIS.DTL>.
Slatalla, Michelle, and Joshua Quittner. Masters of Deception. New York; Harper, 1996. Print.
“Security Through Education”. Social-Engineer. Apr. 2012. Web. 11 Apr. 2012.
Sophos. Stopping Fake Antivirus: How to Keep Scareware Off Your Network. 2011. Print.
Spring, Tom. “Spam Slayer: Katrina Scams Proliferate”. Sep. 2005. Web. Apr. 2012. < e.htm>.
Stewart, Joe. “Rogue Antivirus Dissected.” 2008.
Stone-gross, Brett et al. “The Underground Economy of Fake Antivirus Software.” Proceedings of the Tenth Workshop on the Economics of Information Security WEIS (2011): 1-14.
“Denial of Service” (DoS). Web. 22 April 2012.
US-Cert. “Avoiding Social Engineering and Phishing Attacks”. Oct. 2009. Web. 11 Apr. 2012.
Wikipedia. “Phishing”. Wikipedia. April 2012. Web. 19 Apr. 2012.
Wikipedia. “Social Engineering (Security)”. Wikipedia. Apr. 2012. Web. 11 Apr. 2012.
Wozniak, Steve, and Gina Smith. iWoz. New York; Norton, 2006. Print.


© Kana Kennedy, Kennedy Info Sec, and the participating authors, 2011 – 2014. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Kana Kennedy and Kennedy Info Sec with appropriate and specific direction to the original content.