Chapter 6

Chapter 6. The State of the Net: A World at War

IN THIS CHAPTER

·         Hacking, Cracking, and Other Malicious Behavior

·         Governments at War

·         The State of the Government

·         The State of the Corporate Sector

·         A Warning

Since 1973, Internet sites have been breached on a regular basis. Although it's difficult to compare the Internet of the late '70s and '80s with the network known as the Internet today, it is safe to say that the attack trends are not decreasing . This chapter was designed to give the reader a tour of some of the chaos that exists on the Internet today, as well as to provide some insight into what could possibly lie ahead. We will examine the fact that every type of organization in existence has been broken into, ranging from educational institutions to corporations to the U.S. Department of Defense (DoD). There is evidence that Internet-based attacks could be used to cripple organizations and government agencies for political purposes. Today, security technologies are complex, but the Internet is still easily cracked. This chapter discusses who can, and has been, broken into and why.

Hacking, Cracking, and Other Malicious Behavior

Although most people have succumbed to using the term hacked when they refer to an illegal intrusions, the term cracked might be more proper. Cracked refers to that condition in which the victim network has suffered an unauthorized intrusion. There are various degrees of this condition. Here are a few examples:

·         The intruder gains access and nothing more ( access being defined as simple unauthorized entry on a network that requires—at a minimum—a login and password).

·         The intruder gains access and destroys, corrupts, or otherwise alters data.

·         The intruder gains access and seizes control of a compartmentalized portion of the system or the whole system, perhaps denying access even to privileged users.

·         The intruder does not gain access, but instead forges messages from your system. (Folks often do this to send unsolicited mail or spam.)

·         The intruder does not gain access, but instead implements malicious procedures that cause that network to fail, reboot, hang, or otherwise manifest an inoperable condition, either permanently or temporarily. These type of attacks are usually classified as Denial of Service (DoS) attacks.

Modern security techniques have made cracking more difficult. However, the distance between the word difficult and the word impossible is still wide. Today, crackers have access to a wealth of security information, much of which is freely available on the Internet. The balance of knowledge between crackers and bona fide security specialists is not greatly disproportionate. In fact, it is arguable that each side possesses components that the other side lacks, which makes the balance all the more interesting.

This chapter shows that cracking is a common activity—so common that assurances from anyone that the Internet is secure should be viewed with extreme suspicion. To drive that point home, I will begin with governmental entities. After all, defense and intelligence agencies form the basis of our national security infrastructure. They, more than any other group , must be secure.

Governments at War

If I asked you who your friends were, you'd answer without hesitation. That's because human relationships are based on mutual interest and affection, simple qualities that are largely subjective . If I asked you to identify friends of the United States, again, you would answer without hesitation. In that instance, however, your answer would probably be dead wrong.

In diplomatic circles, the word ally describes any foreign nation that shares common territorial, ideological, or economic interests with your own. We call this or that foreign state an ally based on various treaties , a handful of assurances, and on occasion, binding contracts.

For example, we count France and Israel as allies . Each occupies a geographical region that we have interest in protecting, and each shares with us a vision of democracy. (The French stood with us against the Nazis, and we have long supported Israel in the repatriation of Jews driven from Soviet Russia.) If these nations are our friends, why are they spying on us?

In the last decade , the United States has been the target of widespread technological and industrial espionage, often perpetrated by friends and allies. In 1997, the American Society for Industrial Security identified several nations that routinely conduct industrial espionage against the United States. Of those, these nations were most prominent:

·         France

·         Germany

·         Israel

·         China

·         South Korea

Four are considered U.S. allies.

Caution

Do you fly Air France? If so, watch what you say on the telephone. Air France has been caught intercepting electronic communications of American tourists in transit to Europe.

France's espionage activities are particularly prominent. On January 12, 1998, the Los Angeles Times reported that French intelligence had penetrated some 70 U.S. corporations, including Boeing and Texas Instruments. Like most nations spying on us, France employs these generic intelligence-gathering techniques:

·         Eavesdropping

·         Penetrating computer networks

·         Stealing proprietary information

Do you still believe that France is an ally?

You're probably shocked that I would say all this. Let me take a different angle. If you're a French, Israeli, German, or South Korean national, know this: The U.S. government spies on your countrymen 24 hours a day, 7 days a week. In fact, every industrialized country does it. That's simply the way it is; nations have their own economic and political agendas. These agendas naturally—and necessarily —have far greater priority than pacts made with allies. In other words, we can't blame France for trying.

The problem is, times have changed drastically. For 10,000 years , spying, sabotage , and warfare have all required human participation. Indeed, the spy's face has changed little throughout the ages. Whether he was a stealthy infiltrator, an agent-of-influence, or an agent provocateur, he was, above all, human.

The rules have since changed. Telecommunications and computer technology have made electronic espionage and warfare not simply fanciful notions, but hard realities. Therefore, hostile foreign nations need not send human spies anymore. Instead, they can send packets—and why not? Packets are cheaper. Packets don't drink or smoke (that we know of), they don't gamble, and they cannot be compromised by virtue of reputation, sexual indiscretion, or criminal record. Most importantly, packets are invisible (at least to folks who maintain poor security practices).

From this, it's only a small step to imagine the Internet as a superb espionage tool. Unfortunately, many government sources have been slow to recognize this. Instead, the Internet spy scenario was considered pulp fiction —wildly exaggerated fantasies of military and intelligence experts who had no war to keep them occupied and therefore turned to conjecture for amusement .

Can the Internet Be Used for Espionage?

The better question is, how often is the Internet used for espionage? Analysts have hotly debated for quite some time now whether the Internet could be used for spying. They can stop arguing, however, because it is already happening. For example, the Soviet Union's space shuttle program was based on American technology stolen from the Internet. Designs were acquired from various technical universities online. In fact, Robert Windrem, in "How Soviets Stole a Shuttle," says that:

So thorough was the online acquisition, the National Security Agency learned, that the Soviets were using two East-West research centers in Vienna and Helsinki as covers to funnel the information to Moscow, where it kept printers going "almost constantly".…Intelligence officials told NBC News that the Soviets had saved billions on their shuttle program by using online spying.

The Soviets have long recognized the Internet as a valid intelligence source. An Internet legend gained international fame by breaking a KGB spy ring that used the Internet to steal American secrets. I refer here to Clifford Stoll, an astronomer then working at a university in Berkeley, California.

Stoll set out to discover the source of a 75-cent accounting error. During his investigation, he learned that someone had broken into the university's computers. Instead of confronting the intruder, Stoll watched the activity. What he saw was disturbing .

The intruder was using Stoll's servers as a launch point. The real targets were military computers, including servers at the Pentagon. The intruder was probing for information on U.S. nuclear preparedness. Stoll recognized this for what it was: spying. He therefore contacted the Federal Bureau of Investigation. However, to Stoll's surprise, FBI agents dismissed the entire incident and refused to offer assistance. Stoll began his own investigation. What followed has since become the most well known chapter in Internet folklore.

After analyzing chained connections through the telephone system, Stoll traced the spy to Germany. His evidence would ultimately prompt the FBI, the CIA, and the West German Secret Police to get involved. In March 1989, Clifford Stoll was credited with cracking a German spy ring that stole our secrets from the Net and sold them to the KGB. (An interesting side note: The German spies received not only money, but also large amounts of cocaine for their services.)

The full story can be read in The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, by Clifford Stoll. Mass Market Paperback, ISBN: 0-67172-688-9.

The Threat Gets More Personal

These cases are intriguing but reveal only a glimpse of what's to come. Today, hostile foreign nations are studying how to use the Internet to attack us. The new threat, therefore, is not simply espionage but all-out Internet warfare. Are we ready? Sort of.

Information warfare has been on the minds of defense officials for years. Recent studies suggest that we'll experience our first real information warfare attack within 20 years. Most hostile foreign nations are already preparing for it:

Defense officials and information systems security experts believe that over 120 foreign countries are developing information warfare techniques. These techniques enable our enemies to seize control of or harm sensitive Defense information systems or public networks, which Defense relies upon for communications. Terrorists or other adversaries now have the United States to launch untraceable attacks from anywhere in the world. They could infect critical systems, including weapons and command and control systems, with sophisticated computer viruses, potentially causing them to malfunction. They could also prevent our military forces from communicating and disrupt our supply and logistics lines by attacking key Defense systems.

—"Information Security: Computer Attacks at Department of Defense Pose Increasing Risks." (Testimony, 05/22/96, GAO/T-AIMD-96-92).

Most information warfare policy papers center on the importance of information warfare in a wartime situation. However, some U.S. information warfare specialists have recognized that we needn't be at war to be attacked :

The United States should expect that its information systems are vulnerable to attack. It should further expect that attacks, when they come, may come in advance of any formal declaration of hostile intent by an adversary state…This is what we have to look forward to in 2020 or sooner.

—"A Theory of Information Warfare; Preparing For 2020." Colonel Richard Szafranski, USAF.

The real question is this: If they attack, what can they do to us? The answer might surprise you.

The President's Commission on Critical Infrastructure Protection (a group studying U.S. vulnerability) has identified key resources that can be attacked via the Internet. Here are a few:

·         Information and communications

·         Electrical power systems

·         Gas and oil transportation and storage

·         Banking and finance

·         Transportation

·         Water supply systems

·         Emergency services

·         Government services

In 1998, the PCCIP delivered a report with preliminary findings. They, too, concluded that we might be attacked without warning:

Potentially serious cyber attacks can be conceived and planned without detectable logistic preparation. They can be invisibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity and location of the attacker.

Is the situation that critical?

Who Holds the Cards?

Technology is a strange and wonderful thing. Depending on who's using it, the same technology used to create Godzilla can also be used to create weapons of mass destruction. For this reason, technology transfer has been tightly controlled for almost five decades.

During that time, however, commercial advances have dramatically influenced the distribution of high-grade technology. Thirty years ago, for example, the U.S. government held all the cards; the average U.S. citizen held next to nothing. Today, the average American has access to technology so advanced that it starts to come close to technology currently possessed by the government.

Encryption technology is a good example. Many Americans use encryption programs to protect their personal data from prying eyes. Some of these encryption programs (such as Pretty Good Privacy) produce military-grade encryption. This is sufficiently strong that U.S. intelligence agencies have a hard time cracking it within a reasonable amount of time, and time is often of the essence.

Note

Encryption has already thwarted several criminal investigations. For example, in the case of famed cracker Kevin Mitnick, the prosecution had a problem: Mitnick encrypted much of his personal data. As reported by David Thomas from Online Journalism:

The encrypted data still posed a problem for the court . As is stands, government officials are holding the encrypted files and have no idea of their contents. The defense claims that information in those files may prove exculpatory, but revealing their contents to the government would violate Mitnick's Fifth Amendment protection against self-incrimination. Further, pros ecutors have indicated that they will not be using the encrypted files against Mitnick, but they refuse to return the evidence because they do not know what information the files hold. Ultimately, the court sided with the prosecution. Judge Pfaelzer described Mitnick as "tremendously clever to put everyone in this position" but indicated that "as long as he (Mitnick) has the keys in his pocket, the court is going to do nothing about it."

Advanced technology has trickled down to the public. In many cases, crackers and hackers have taken this technology and rapidly improved it. Meanwhile, the government moves along more slowly, tied down by restrictive and archaic policies. As a result, the private sector has caught (and in some cases, surpassed) the government in some fields of research.

This is a matter of national concern and has sparked an angry debate. Consider the Mitnick case. Do you believe that the government is entitled to Mitnick's encryption key so it can find out what's inside those files? That's a hard question to answer. If Mitnick has a right to conceal that information, so does everybody.

In the meantime, there's a more pressing question: How does this technology trickle-down affect our readiness for an Internet attack?

Can the United States Protect the National Information Infrastructure?

From a military standpoint, there's no comparison between the United States and even a gang of third-world nations. The same is not true, however, in respect to information warfare.

In March 1997, a Swedish cracker penetrated and disabled a 911 system in Florida. Eleven counties were affected. The cracker amused himself by connecting 911 operators to one another (or simply denying service altogether).

Note

The Swedish case was not the first instance of crackers disrupting 911 service. In Chesterfield, New Jersey, a group dubbed the Legion of Doom was charged with similar crimes. What was their motivation? "[T]o attempt to penetrate 911 computer systems and infect them with viruses to cause havoc."

Note

Another disturbing case occurred in March 1997, when a Rutland, Massachusetts, teenager cracked an airport. During the attack, the airport control tower and communication facilities were disabled for six hours. (The airport fire department was also disabled.) It was reported as follows :

"Public health and safety were threatened by the outage which resulted in the loss of tele phone service, until approximately 3:30 p.m., to the Federal Aviation Administration Tower at the Worcester Airport, to the Worcester Airport Fire Department, and to other related concerns such as airport security, the weather service, and various private airfreight companies. Further, as a result of the outage, both the main radio transmitter, which is connected to the tower by the loop carrier system, and a circuit which enables aircraft to send an electric signal to activate the runway lights on approach were not operational for this same period of time."

— Transport News, March 1998.

The introduction of advanced minicomputers has forever changed the balance of power. The average Pentium and Alpha processors are more powerful than many mainframes were five years ago. Add to this advances in Linux clustering and distributed processing solutions, and with relatively cheap hardware you can start approaching the processing power that was previously only known by a few government and research institutes.

A third-world nation could theoretically pose a threat to our national information infrastructure. Using advanced microcomputers (and some high-speed connections), a third-world nation could wage a successful information warfare campaign against the United States at costs well within its means. In fact, bona fide cyberterrorism will probably emerge in the next few years.

Furthermore, the mere availability of such advanced technology threatens our military future in the "real" world. Nations such as Russia and China have progressed slowly because they lacked access to such technology. Their missiles are less accurate because their technology base was less advanced. U.S. defense programs, however, were sufficiently advanced that even when we appeared to make concessions in the arms race, we really made no concessions at all. Here's an example: The United States only agreed to quit nuclear tests after we developed the technology to perform such tests using computer modeling.

As the United States'perceived enemies obtain more sophisticated computer technology, their weapons will become more sophisticated—but it's not simply weapons that make the difference. It's the combination of weapons, communication, and information. If our enemies can alter our information, or prevent us from accessing it, they can gain a tremendous tactical military advantage. This could make up for shortcomings in other areas. Shane D. Deichman reports the following in his paper "On Information War:"

A key element of the information warfare environment is the participants need not possess superpower status. Any power (even those not considered nation-states) with a modicum of technology can disrupt fragile C2 networks and deny critical information services. Rather than a Mahanian "information control" strategy that attempts to dominate all segments of the information spectrum, though, a more realistic strategy for U.S. forces is one of "information denial" (that is, the denial of access to truthful information).

Perhaps a question less asked, however, is, should the U.S. government be responsible for protecting all of the U.S. infrastructure? After all, aren't the companies that operate systems like our telephone networks FOR PROFIT? Shouldn't the protection of these systems be one of their primary concerns?

You'd think so, wouldn't you? Although the U.S. government has more then its fair share of problems and tasks , organizations turning to the government to make their information security problems go away are missing the point. Information security is everyone's problem—welcome to the party.

What Would an Information Attack Look Like?

There hasn't yet been an all-out information war. The distributed denial of service attacks that hit in February 2000 definitely opened some eyes, but it's difficult to say how a full-scale attack would be conducted . Military officials aren't willing to talk specifics. We can speculate, however, as many think tanks do.

In February 2000, some of the largest sites were knocked off the Internet using distributed denial of service tools. The attack made headlines in just about every news publication out there. One of the early reports can be seen at http://www.computerworld.com/cwi/story/0,1199,NAV47_STO43010,00.html .

Specialists from Rand Corporation, for example, have engaged in some armchair planning. They delivered a report that posed various questions about the United States'readiness and made recommendations for intensive study on the subject:

We suggest analytical exercises to identify what cyberwar, and the different modalities of cyberwar, may look like in the early twenty-first century when the new technologies should be more advanced, reliable, and internetted than at present. These exercises should consider opponents that the United States may face in high- and low-intensity conflicts. CYBERWAR IS COMING!

—"International Policy Department." John Arquilla and David Ronfeldt, RAND. 1993. Taylor & Francis. ISBN 0-14959-339-0.

Not surprisingly, military and intelligence analysts are learning a great deal simply by studying how the Internet works (and how Americans use it).

Much current research is aimed at defining what types of threats the Internet poses to political structures. Charles Swett, an assistant for strategic assessment at the Pentagon, made strides in this area. He released a report titled "Strategic Assessment: The Internet." In it, he addressed how the Internet will influence American domestic politics. He suggested that special groups can use the Internet to network amongst themselves . He offered one example in particular:

Another, somewhat startling, example, is a message posted on the Internet on December 16, 1994, calling for nationwide protests against the Republican Party's Contract with America. The message accuses the Contract with America of being, in effect, class war, race war, gender war, and generational war, and urges recipients to " mobilize thousands of demonstrations in local communities across the nation," "fill the jails by engaging in acts of civil disobedience," and engage in other disruptive actions.

Swett predicted that this would ultimately lead to domestic threats. However, he also suggested that these elements are vulnerable to attack:

Political groups whose operations are coordinated through the Internet will be vulnerable to having their operations disrupted by false messages inserted by opposing groups.

Note

Mr. Swett was more correct than he realized. What he described has already happened . In recent years, several wars have erupted on Usenet between Scientologists and their critics . These wars were attended by some fairly mysterious happenings. At one stage of a particularly ugly struggle, just when the Scientologists seemed overwhelmed by their adversaries, a curious thing happened:

And thus it was that in late 1994, postings began to vanish from alt.religion.scientology, occasionally with an explanation that the postings had been " canceled because of copyright infringement." To this day, it is not known who was behind the deployment of these "cancelbots," as they are known. Again, the CoS disclaimed responsibility, and the anti-Scientology crowd began to refer to this anonymous participant simply as the "Cancelbunny," a tongue-in-cheek reference to both the Energizer bunny and to a well-known Net inhabitant, the Cancelmoose, who has taken it upon himself (itself? themselves?) to set up a cancelbot- issuing process to deal with other kinds of spamming incidents. But whoever or whatever the Cancelbunny may be, its efforts were quickly met by the development of yet another software weapon, appropriately dubbed "Lazarus," that resurrects canceled messages (or, more accurately, simply alerts the original poster, and all other participants in the newsgroup, that a specific message has been canceled, leaving it up to the original poster to reinstate the message if he or she were not the party that issued the cancel command).

—"The First Internet War; The State of Nature and the First Internet War: Scientology, its Critics, Anarchy, and Law in Cyberspace ." David G. Post. Reason magazine, April 1996. ( 1996 David G. Post. Permission granted to redistribute freely, in whole or in part, with this notice attached.)

Swett closed his report with several observations about monitoring general Internet traffic on a wholesale basis:

Monitoring of that traffic would need to be supported by automated filters that pass through for human analysis only those messages that satisfy certain relevance criteria.

What Swett described (though he might not have realized it) is a complex, automated, domestic intelligence system. In other words, welcome to 1984. In all probability, early attempts to use the Internet to ascertain and mold political sentiment will be directed toward a country's own people.

But that's about theoretical, domestic information warfare. What about actual Internet warfare? What are some likely targets? The Rand Corporation claims to know. In their paper "Information Warfare: A Two-Edged Sword," Rand specialists wrote

Information war has no front line. Potential battlefields are anywhere networked systems enable access—oil and gas pipelines, for example, electric power grids, telephone switching networks. In sum, the U.S. homeland may no longer provide a sanctuary from outside attack.

For more information, see http://www.rand.org/ publications /RRR/RRR.fall95.cyber/infor_war.html .

In their paper, Rand authors described an imaginary attack set in the not-so- distant future. They predicted the following events:

·         Electrical and telephone systems in the United States would be knocked out for hours.

·         Freight and passenger trains would derail or collide.

·         Oil refineries would ignite .

·         Our financial system would fail, including automatic tellers.

·         Well-organized domestic extremists would make strategic strikes.

·         Computer-controlled weapons systems would malfunction.

Experts suggest that this could happen in a matter of hours. That's a chilling thought. Is it true? Are we really that dependent on technology, or are our government agencies fishing for funding?

The truth is that we are that dependent on technology.

The State of the Government

Throughout the Internet's history, government sites have been popular targets. One of the pri mary reasons this happens is because of press coverage that follows such an event. Crackers enjoy media attention, so their philosophy often times is that, if you're going to crack a site, crack one that matters.

Government sites are supposed to have better security than their commercial counterparts. Hence, the media reacts more aggressively when a government site is cracked. Likewise, crackers who successfully penetrate a government site gain greater prestige among their fellows (whether it's deserved or not).

You needn't look far to find evidence that government sites are being cracked regularly. A 1997 report filed by the Government Accounting Office (GAO) concerning the security of the nation's defense networks concluded that:

Defense may have been attacked as many as 250,000 times last year…In addition, in testing its systems, DISA [Defense Information Systems Agency] attacks and successfully penetrates Defense systems 65% of the time. According to Defense officials, attackers have obtained and corrupted sensitive information—they have stolen, modified, and destroyed both data and software. They have installed unwanted files and "back doors" which circumvent normal system protection and enable attackers unauthorized access in the future. They have shut down and crashed entire systems and networks, denying service to users who depend on automated systems to help meet critical missions. Numerous Defense functions have been adversely affected, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll.

Information Security: Computer Attacks at Department of Defense Pose Increasing Risks ([Chapter Report, 05/22/96, GAO/AIMD-96-84]; Chapter 0:3.2, Paragraph 1), which is the source of the preceding information, is available online at http://www.securitymanagement.com/library/000215.html .

That same report indicates that, although more than a quarter million attacks occur annually, only 1 in 500 attacks are detected and reported.

Note

Earlier reports indicate similar results. For example, between 1992 and 1995, DISA attacked some 38,000 defense networks. Better than 65% of those networks were successfully penetrated. Of that number ( roughly 24,700), some 96% failed to detect that they were under attack. Interestingly, however, the Air Force seems to be on their toes, or at least more so than their Army counterparts: In general testing, only 1 out of every 140 attacks was detected; in an Air Force study (covering from 1992 to 1995) 1 out of every 8 incidents was detected.

Government agencies understandably try to minimize these facts, but some of the incidents are hard to obscure. For example, in 1994, crackers gained carte blanche access to a weapons-research laboratory in Rome, New York. Over a two-day period, the intruders downloaded vital national security information, including wartime-communication protocols. Such information is extremely sensitive and, if used improperly, could jeopardize the lives of American service personnel. If crackers with relatively modest equipment can access such information, hostile foreign governments (with ample computing power) could access even more.

Note

Whether some foreign governments have the technical knowledge to attack U.S. information infrastructure is debatable. (Although GAO reports indicate that some 120 nations have information warfare programs.) However, it is known that despite technology transfer restrictions, many nations are acquiring the tools necessary to make a viable attack. China, for example, acquired high-end Silicon Graphics workstations for use in 3D modeling. These were ultimately used in China's nuclear program.

This phenomenon is not new, nor have government officials done much to improve the situation. Indeed, some very high-profile government sites have been cracked in recent years. In 1996, for example, both the Central Intelligence Agency (CIA) and the Department of Justice (DoJ) were cracked.

In the CIA case, a cracker seized control on September 18, 1996, replacing the welcome banner with one that read The Central Stupidity Agency. Links to a hacker group in Scandinavia accompanied the new "banner." In the DoJ incident (Saturday, August 17, 1996), a photograph of Adolph Hitler was offered as the Attorney General of the United States.

While these two incidents might seem noteworthy, because of the agencies that were attacked, the truth is that hundreds, if not thousands, of government sites have been attacked in recent years. In one case, 26 government sites were hit in the same day.

"Online gang defaces 26 government sites"—Government sites in the UK, United States, and Australia were all hit simultaneously by a single "Cyber Gang." Get more information at http://www.computerworld.com/cwi/story/0,1199,NAV47_STO43010,00.html .

Federal agencies aren't the only targets, either. In October 1996, the Florida State Supreme Court's home page was cracked. Prior to its cracking, the page was used to distribute recent court decisions. The crackers removed this information and replaced it with pornography. (The court subsequently reported an unusually high rate of hits.)

These attacks are increasing, and so far the availability of advanced security technology has had little impact. Why? It's not the technology; it's the people. (For example, the DoJ site had a firewall but it was improperly configured.) To illustrate how fragile our government sites are, I want to look at some more recent cases.

Defense Information Systems Network

In April 1998, a group dubbed the Masters of Downloading (not to be confused with the Masters of Destruction) cracked the DISN. When they were inside, the intruders stole customized software used by DISN—software not available to the public. (DISN controls vital military satellites .) As reported by Reuters news service:

MOD members said the stolen software, known as the Defense Information Systems Network Equipment Manager (DEM), was the key to the U.S. network of military Global Positioning System (GPS) satellites—used to pinpoint missile strikes, guide troops, and assess ground conditions. http://www.news.com/News/Item/0,4,21357,00.html

Such vital data could prove devastating in the hands of a hostile foreign nation. DISN services include the following:

…the infrastructure, satellite communications (military and commercial), forward deployed telecommunications, and readily deployable assets, all of which provide the war-fighting Commanders-in-Chief (CINCs) the ability to plug in and access the full capability of the Defense Information Infrastructure from anywhere, at anytime , and in support of any mission…. http://www.disa.mil/DISN/disns54.html

The folks at DISN clearly need to put their house in order. At present, national security is at risk.

The United States Navy and NASA

Also in April 1998, several U.S. Navy and NASA hosts were crippled by wholesale denial of service attacks. (Though no data was lost or damaged, the hosts were unreachable and unus able for minutes or, in some cases, hours.) Many of those hosts were critical military and technological research centers. Here are a few of the victims:

·         Ames Research Center

·         Dryden Flight Research Center

·         Goddard Space Flight Center

·         The Jet Propulsion Laboratory

·         Kennedy Space Center

·         Langley Research Center

·         Lewis Research Center

·         Marshall Space Flight Center

·         Moffett Airfield (California)

·         NASA headquarters

·         Stennis Space Center

Microsoft, the vendor responsible for the hole, posted an advisory about the vulnerability. In the advisory, Microsoft officials wrote this:

Since March 2, 1998, there have been numerous reports of malicious network-based, denial of service attacks launched against Internet-connected systems. We were notified of these attacks, which affected some Internet-connected Microsoft Windows NT and Windows 95 systems, by customers and security alert organizations, including CIAC and CERT.

"Numerous reports" is an understatement. In fact, the attacks knocked out hundreds of hosts that served thousands of users. In addition to NASA and Navy computers, a laundry list of university hosts were downed. Here are a few:

·         The University of California at Berkeley

·         The University of California at Los Angeles

·         The University of California at San Diego

·         The University of California at Irvine

·         Cornell University

·         MIT

·         The University of Texas at Austin

·         The University of Washington

·         The University of Wisconsin at Madison

The attack was a new breed of denial of service, which emerged in January 1998. To learn the mechanics of the attack, please read Chapter 16, "Denial of Service Attacks."

The Pentagon Attacks

In February 1998, key Pentagon hosts were cracked in what authorities dubbed "the most organized and systematic attack ever" on military networks. The crack was masterminded by Israeli teenager Ehud Tenebaum. He reportedly tutored two California teenagers, showing them various ways to breach the Pentagon's security. The kids from California put this knowledge to work and within days, the three broke into hundreds of networks across America.

Note

The Israeli teen also managed to uncover weaknesses at the Knesset, the Israeli parliament. (Little information is available on the Knesset hack, but it is known that the Knesset network was penetrated.)

The Pentagon attack was particularly disturbing because it illustrated how anyone (located anywhere) could easily cripple defense networks. It is true that the machines compromised did not contain secret or even classified information. But, ideally , none of our prized defense networks should be vulnerable to attack.

Perhaps even more disturbing was Israel's initial reaction to the attack. Israeli government officials made light of it, and praised Mr. Tenebaum for his talents at breaching American networks.

Simultaneously adding insult to injury , a team of young crackers claiming affiliation with Tenebaum threatened to down more servers if their associate were arrested. Tenebaum was ultimately placed under house arrest along with a number of his cohorts and is now being tried.

Other Cracked Government Sites

Targets like NASA, the Pentagon, and the U.S. Navy draw ample press coverage. However, lesser government sites are also cracked regularly—we just don't hear about them. In fact, it's now at a point where tracking the number of government sites cracked is almost a full-time job. For example, the second edition of Maximum Security listed a half- dozen or so sites that had been broken into in the late '90s. Today, dozens are broken into and reported every month. The numbers are simply staggering.

Although I could go on listing government sites that were hacked until I'm blue in the face, there is already a great, up-to-date site that does it for me. See http://www.attrition.org for a massive archive of defaced Web sites. Although defacements are not always as severe as thorough break-ins, they serve as a good tell-tale that a site's security is not up to par.

Government Security

In the past, the U.S. government has blamed its problem on many people and many factors. Some of these include

·         The widespread availability of automated cracking tools

·         Technology advancing at an incredible rate

·         Those damn kids

In reality, none of these factors are totally responsible, and these misconceptions have left their mark on the industry. However, even the government has started to come around in this realization:

Defense information networks are operating with archaic internal security policies. These policies prevent, rather than promote security. To demonstrate why, I want to refer to the GAO report I mentioned previously. In it, the government concedes

The military services and Defense agencies have issued a number of information security policies, but they are dated, inconsistent and incomplete.

The report points to a series of defense directives as examples. It cites (as the most significant DoD policy document) Defense Directive 5200.28. This document, Security Requirements for Automated Information Systems, is dated March 21, 1988.

Let's examine a portion of that defense directive. Paragraph 5 of Section D in that document states

Computer security features of commercially produced products and Government- developed or -derived products shall be evaluated (as requested ) for designation as trusted computer products for inclusion on the Evaluated Products List (EPL). Evaluated products shall be designated as meeting security criteria maintained by the National Computer Security Center (NCSC) at NSA defined by the security division, class, and feature (for example, B, B1, access control) described in DoD 5200.28-STD (reference (K)).

It is within the provisions of that paragraph that the government's main problem lies. The Evaluated Products List (EPL) is a list of products that have been evaluated for security ratings, based on DoD guidelines. (The National Security Agency actually oversees the evaluation.) Products on the list can have various levels of security certification.

Security Requirements for Automated Information Systems is available on the Internet at http://www.c3i.osd.mil/bpr/bprcd/485x.htm .

Before you continue, you should probably briefly view the EPL for yourself. Check it out at http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html .

The first thing you'll notice about this list is that most of the products are old. For example, examine the EPL listing for Trusted Information Systems'Trusted XENIX, a UNIX-based operating system.

The listing for Trusted XENIX can be found at http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-92-001-A.html .

TIS's Trusted XENIX is endorsed and cleared as a safe system, one that meets the government's guidelines (as of September 1993). However, examine closely the platforms on which this product has been cleared. Here are a few:

·         AST 386/25 and Premium 386/33

·         HP Vectra 386

·         NCR PC386sx

·         Zenith Z-386/33

These architectures are ancient. By the time products reach the EPL, they are often pathetically obsolete. (The evaluation process is lengthy and expensive not only for the vendor, but for the American people, who are footing the bill for all this.) Therefore, you can conclude that much of the DoD's equipment, software and security procedures are likewise obsolete.

Now add the question of internal education. Are defense personnel trained in (and implementing) the latest security techniques? No. Again, quoting the GAO report:

Defense officials generally agreed that user awareness training was needed, but stated that installation commanders do not always understand computer security risk and thus, do not always devote sufficient resources to the problem.

In the past, there wasn't adequate funding for training. As such, the majority of defense personnel remained unskilled in even detecting an intrusion, let alone tracing the source.

This situation was allowed to spiral out of control for years. The government recently took action and although it might still be a day late, it is no longer a dollar short. Special teams have since been formed at various levels of government. Let's take a look at those teams now.

The National Infrastructure Protection Center (NIPC)

In February 1998, Attorney General Janet Reno announced the formation of the National Infrastructure Protection Center (NIPC), an investigative organization populated with personnel from the FBI's Computer Investigations and Infrastructure Threat Assessment Center (CIITAC). The NIPC tracks network intrusions and attempts to develop long-range solutions, including intrusion detection and international cooperation of police agencies.

There are some interesting articles about the CIITAC, the NIPC, and related organizations:

·         Hacking Around. The NewsHour with Jim Lehrer, March 1998. http://www.pbs.org/newshour/bb/cyberspace/jan-june98/hackers_5-8.html

·         U.S. to Set Up Interagency Defense Against Cyberattacks. Sunworld Online, February 1998. http://www.sun.com/sunworldonline/swol-03-1998/swol-03-if.html#2

·         Attorney General Announces Crime Center To Tackle Cyberattacks. Gayle Kesten, February 28, 1998. http://www.techweb.com/wire/story/TWB19980228S0004

·         Open Sources: NIPC's film debut. Lewis Koch, ZDNET, May 8, 2000 http://wwwzdnet.com/intweek/stories/news/0,4164,2567603,00.html

Summary of Government Vulnerabilities

To date, government security has been largely inadequate, and although the efforts of the PCCIP, NIPC, and CIITAC will undoubtedly improve the situation, further work is needed.

Until information security officers are properly trained, government sites will be cracked on a regular basis. Reasonable levels of security are obtainable, and, if the government cannot obtain them on its own, it must enlist private sector specialists who can.

The State of the Corporate Sector

It's clear that government servers can be successfully attacked, but what about the public sector? Is American business—big or small—immune to the cyber threat? Hardly. In fact, private sites are taken down with much greater frequency. Virtually every information security survey ever issued has reported a steep rise in incidents, and defacement mirrors such as attrition.org and defaced.alldas.de report hundreds of Web site defacements per month. Worse , while Web site defacements are publicly humiliating, most security experts agree that they are only the tip of the iceberg in terms of total incidents in the field.

Marketers who are anxious to sell electronic commerce to the public assure us that these incidents are harmless. They point out, for example, that credit card and personal data is perfectly safe. Are they right? No—not by a long shot.

Credit Card Theft Goes Cyber: The StarWave Incident

In July 1997, crackers demonstrated one of the first widely known attacks on Internet credit card data. Their targets weren't small-time firms, either. Credit card numbers of NBA and ESPN site users were captured and distributed.

StarWave was the site responsible for protecting that data. StarWave is a widely known firm that hosts many large commercial sites, including ABC News. However, in July 1997, StarWave officials were apparently unprepared for the security breach.

The cracker or crackers took the credit card numbers and mailed them to NBA and ESPN subscribers to demonstrate to those users that their credit data was unsafe. Included in the mailing was a message. The relevant portion of that message was this:

Clearly, StarWave doesn't consider the protection of individual credit card numbers a worthwhile endeavor. (This is one of the worst implementations of security we've seen.)

StarWave officials responded quickly, explaining that the security breach was minor. They also changed system passwords and have since added an extra level of encryption. However, the fact remains: User credit card data had leaked out.

Credit Card Theft Hits Overdrive

Electronic commerce advocates originally asserted that the StarWave case was an isolated incident. In fact, at the time, many contended that few verified cases of credit card theft existed, and that the threat was relatively small. Time eventually proved them to be dead wrong.

Consider the case of Carlos Felipe Salgado. Salgado used a sniffer program (you'll learn about these in Chapter 15, "Sniffers" ) to steal thousands of credit card numbers off the Net. In their affidavit, FBI agents explained:

Between, on or about May 2, 1997, and May 21, 1997, within the State and Northern District of California, defendant CARLOS FELIPE SALGADO, JR., a.k.a. "Smak," did knowingly, and with intent to defraud, traffic in unauthorized access devices affecting interstate commerce, to wit, over 100,000 stolen credit card numbers, and by such conduct did obtain in excess of $1000; in violation of Title 18, United States Code, Section 1029(a)(2).

Salgado's method was one well known to crackers:

While performing routine maintenance on the Internet servers on Friday, March 28, 1997, technicians discovered that the servers had been broken into by an intruder. Investigation by technicians revealed a "packet sniffer" installed on the system. The packet sniffer program was being used to capture user IDs and passwords of the authorized users.…the FBI, met "Smak" at the appointed hour and place. "Smak" delivered an encrypted CD containing over 100,000 stolen credit card numbers. After the validity of the credit card information was confirmed through decryption of the data on the CD, "Smak" was taken into custody by the FBI.

Sniffer attacks are probably the most common way to grab credit card data (and usernames and password pairs). They are so common that Jonathan Littman (a renowned author of a best- selling book on hacking) wrote this in response to the Salgado case:

Fact No. 1: This was an old fashioned attack—and it happens about as often as dogs sniff themselves. The packet sniffer that Carlos Felipe Salgado Jr., a.k.a. Smak, allegedly installed in a San Diego Internet provider's server is something hackers have been doing for years. My provider in Northern California was hacked a couple of months ago and just last week too. Guess what that hacker was about to install?

—"Take No Solace in This Sting," Jonathan Littman. ZDNET News. http://www.zdnet.com/zdnn/content/zdnn/0523/zdnn0007.html

Unfortunately, these incidents were only the start. Consider the following cases:

·         In 1995, thieves stole 50,000 phone card numbers from an MCI server. Those numbers were ultimately used to charge some $50 million in calls.

·         In November 1996, someone lifted a server from VISA in California, netting 300,000 credit card numbers.

·         In May 1997, someone lifted a hard disk from a Levi-Strauss server. The thief made away with 40,000 credit card numbers and other personal customer information.

·         In January 1999, thieves stole 485,000 credit card numbers and hid them on the Web site of a U.S. government agency. Apparently the site was used to store the data, and wasn't discovered until much later.

·         In January 2000, thieves stole 300,000 credit cards from CD Universe. At the time, this was the largest theft of credit cards to be publicly reported.

·         In March 2000, a cracker known as "Curador" lead authorities on a global chase after lifting 26,000 some credit cards from an assortment of e-commerce sites. Curador was caught later that same month.

·         In December 2000, Egghead.com reported that they had suffered a security breach that might have exposed 3.7 million credit card numbers. Egghead later reported that they didn't believe the intruder was able to access the credit cards, but the scare was definitely significant.

·         In March 2001, the FBI and NIPC issued a warning that Russian and Ukrainian thieves have stolen more then 1 million credit cards.

Notice a trend here? The problem is only getting worse. These are just some of the reasons why the Internet is a dangerous place to do business. Unfortunately, the stories are only getting more and more outrageous .

The Trends

Hard statistics on security breaches are difficult to come by. However, there are a few good sources. One is the Computer Security Institute's Computer Crime and Security Survey. The CSI Survey is conducted annually, and the 1999 results are in. You can obtain those results at http://www.gocsi.com/prelea_000321.htm .

Briefly, the 1999 results indicate yet another increase in computer crime. For example, 90% of the respondents reported security breaches in the previous year. In 1998, that number was at 64%, and, in 1997, it was at 48%. Approximately three- quarters of all respondents suffered hard denial of service attacks, and an equal number experienced penetration by remote attackers. Of all respondents, 59% indicated that the Internet was the point of entry for intruders.

CSI's survey is not the only one that suggests an increase in Internet security breaches. Probably the most fascinating study was performed by a rather colorful and iconoclastic security researcher named Dan Farmer.

Dan Farmer's Survey

In 1996, Farmer used SATAN (a tool that automates scans for vulnerabilities) to do a generalized Internet survey. In that survey (titled Shall We Dust Moscow? Security Survey of Key Internet Hosts and Various Semi-Relevant Reflections ), Farmer scanned some 2,200 Internet hosts. The scan's purpose was simple: Determine how many hosts were vulnerable to remote attack.

The survey was controversial because Farmer did not ask permission from his targets. In addition, Farmer didn't choose average sites as his targets. Instead, he chose banks, credit unions, government sites, and other key servers that should have superb security. Some of his findings follow:

·         Farmer found that a staggering 1,700 sites (some 65% of all sites tested ) were vulnerable to attacks widely known to crackers.

·         Many targets had firewalls and other baseline security measures, measures that administrative personnel rely heavily on for their core security.

To view Farmer's survey, point your browser here:

http://www.trouble.org/survey/

The Ernst & Young LLP/ComputerWorld Information Security Survey

If your company has asked you to justify a security plan, you're probably looking around for more statistics. No problem; there's a lot of material out there. One good source is the Ernst & Young LLP/ComputerWorld Information Security Survey. That survey is located here:

[View full width]

http://www.ey.com/global/vault.nsf/US/2nd_Annual_Global_Information_Security_Survey/$file/

FF0157.pdf

The Ernst & Young survey differs a bit from others mentioned earlier. For a start, it's a survey of human beings. (Actually, it's a survey of more than 4,300 information managers.) Respondents were asked a wide variety of questions about Internet security and secure electronic commerce.

One recurring theme throughout the 1998 survey was this: Most information officers (and even administrative folks) now recognized security to be a major issue. The report indicated that, despite that fact, the majority of sites still did not employ best practices. Respondents also indicated the following:

·         More than 35% did not plan on using cryptography in the future.

·         More than 49% did not use firewalls.

·         More than 75% did not have an incident response team in place.

If your company holds similar attitudes toward security measures, you need to get busy.

A Warning

Many companies that consider establishing a Web server feel that security is not a significant issue. For example, they might co-locate their box, and in doing so might throw both the responsibility and liability to their ISP. After all, ISPs know the lay of the land, and they never get cracked, right? Wrong. ISPs get cracked all the time.

Do not to exclude universities from your sites, either. For example, in December 2000, Security Focus ran a report on the University of Washington break-in. Intruders stole more than 5,000 patient records from the University's Medical Center. See a report on this incident at http://www.securityfocus.com/news/122 .

If you're an information officer and your firm requests Internet connectivity, be sure to cover the bases. Make it known to all concerned that security is a serious issue. Otherwise, you'll take the blame later. You should also be wary of any ISP that gives you blanket assurances. Today, even firewalls can be cracked, and cracked through the same old methods by which servers are cracked—exploitation of human error.