BEWARE: E-MAIL WIRETAPS LIKE CARNIVORE CAN STEAL SENSITIVE CORRESPONDENCE




Recently, the Privacy Foundation (see sidebar, “The Privacy Foundation”) announced that a simple, hidden JavaScript code segment in HTML-formatted e-mail messages can effectively allow someone to monitor all succeeding messages that are forwarded with the original message included. Clearly, this can cause confidential internal communications to be compromised. Here’s a look at how to identify wiretaps and protect yourself from them.

start sidebar
The Privacy Foundation

The Privacy Foundation at the University of Denver conducts research into communications technologies and provides the public with tools to maintain privacy in the information age. You can read the Foundation’s report and commentary on e-mail wiretaps. The report cites the following possible uses for this security breach:

  • The wiretaps can provide the ability to monitor the path of a confidential e-mail message and the written comments attached.

  • In a business negotiation conducted via e-mail, one side can learn inside information from the other side as the proposal is discussed through the recipient company’s internal e-mail system.

  • A bugged e-mail message can capture thousands of e-mail addresses as the forwarded message is sent around the world.

  • Commercial entities, particularly those based offshore, may seek to offer e-mail wiretapping as a service.

end sidebar

This security problem is a particularly dangerous one for organizations that conduct conversations containing sensitive internal information via e-mail. The usual scenario for such communication is that a message from an outside source is forwarded from executive to executive within a company, and it includes each person’s comments. If there’s an e-mail wiretap on the original external document, each time someone forwards the message to someone else, a copy of their message is automatically and invisibly e-mailed to the original sender of the external message (or someone designated by them).

This problem affects only HTML-enabled e-mail readers that have JavaScript turned on by default, such as Microsoft Outlook, Outlook Express, and Netscape Communicator 6.1. Eudora and AOL 6.0 are not affected, nor are Web mail services such as Yahoo and Hotmail.

Snuff

As hackers obtain ever more dangerous and easy-to-use tools, they are being countered by novel defense strategies. The Pentagon envisions a war in the heavens, but can it defend the ultimate high ground? You bet! Witness the experimental idea of setting up a decoy network separate from your real one to fool intruders as they try to fool you.

Deception Network

This so-called “deception” network is envisioned as more than just a single server set up to be a “honeypot,” where hackers may break in, find a dead-end, and have their activities recorded with an eye toward prosecution. Rather, the decoy net is an entire fake network, complete with host computers on a LAN with simulated traffic, to convince hackers for as long as possible that it’s real.

Experts debate whether such nets will be worth the effort, but agree they can be a way to slow hackers long enough to sort the curious from the truly destructive “snuff.” A group calling itself “The Honeynet Project” has quietly begun testing decoy networks on the Internet.

The Honeynet Project is not intended to prosecute intruders who haplessly wander into their elaborate decoys, but to study hacker responses in depth to devise the best decoy defenses. There are only a few commercial honeypot-style products on the market, including Network Associates CyberCop Sting and (from Recourse Technologies) ManTrap.

Other decoy networks do slow intruders with an eye toward collecting evidence to prosecute them. To collect evidence, you need to divert the hacker to a deception network. The idea is to feed back information about what hackers do to a kind of “deception central” for network administrators. The time hackers spend dealing with a deception environment is time they’re not in your network.

It is possible to create a deception network that has the same IP network address as your real network. Deception nets carry obvious administrative burdens, such as the need to generate realistic traffic to fool a hacker and maintain a network no one really uses.

Note 

There is a risk that administrators will lose track of what’s real and what’s not.

These deception techniques have doubters. It’s not clear yet if you can fool a lot of people with this deterrent. Meanwhile, hackers continue to learn new tricks.

The year 2000 has seen the emergence of a new breed of distributed port scanners and sniffers that make it easier for attackers to hide their intent. There’s now a kernel-level rootkit for Linux, called Knark, which, when installed by hackers, changes the operating system to hide files and present false information to administrators. Another new tool, called Dsniff, can be used to capture traffic on Ethernet switches and inject traffic into a network to direct traffic to itself, a technique known as a man-in-the-middle attack.

It’s pretty nasty stuff. For very sensitive networks, you may want to activate port-level security on your switches.

Many tools that let hackers carry out surveillance are now Web-based. Why Web-based? It’s easy. No complicated downloads or zip files. They can hack from anywhere, and it’s anonymous.

Although a talented few among hackers actually make attack tools, many of these tools today are freeware. And they’re posted on dozens of techie sites, not the secret underground.

The tool, which involves launching an attack to determine operating system weakness, was given solely to vendors, but somehow ended up posted on the Packetstorm site in its depository for tools. In the wrong hands this tool is dangerous. But that version isn’t as dangerous as other versions that will be released.

The New IW Space Race

The war was not going well. Serbian forces were sowing terror across Kosovo. NATO pilots squinting through clouds could do little to stop them. Errant NATO bombs had killed dozens of civilians and shaken support for the alliance. Then the Pentagon saw it had another problem. A Colorado outfit, called “Space Imaging,” was about to launch a picture-taking satellite with clarity nearly as good as that of U.S. spy satellites. The company could have sold photos of NATO air bases or troop encampments to, say, Serbian operatives. That had to be stopped. But how?

The brass canvassed its experts for recommendations. The U.S.-licensed firm could simply be ordered not to take pictures over a broad swath of Europe. A similar ban could be issued for a few key areas, such as northern Albania. In the end, however, no order was issued. A malfunction sent Space Imaging’s satellite plunging into the Pacific Ocean 30 minutes after it lifted off.

Fortune may not be so kind next time. Space Imaging launched another satellite and started selling pictures from it. Several other companies are right behind it. Before too long, an international bazaar for high-quality satellite imagery will be open for business. And potential foes are making headway with their own satellite capabilities. There’s a new proliferation of space-based capabilities. Plus, the U.S.’s Cold War-era capabilities have atrophied.

That’s pushing the Pentagon into a whole new kind of warfare. In the future, the U.S. military will be responsible for countering space systems and services used for hostile purposes. That’s a nice way of saying the Pentagon needs to be prepared to defend the ultimate high ground by attacking hostile satellites. The new policy also directs the Space Command to start developing tactics and doctrine for conducting warfare in the heavens. It must also come up with plans for deploying space-based lasers or other weapons that could be used against targets anywhere on Earth or above it. If the United States ultimately deploys such weaponry, not only would it break one of the great taboos of the past 50 years, but it could also transform the way America structures its military and fights wars.

But aggressive “space control,” as the military calls its quest for dominance in the sky, could backfire. The military view is that it would be the neatest thing in the world to have a death ray in space. But will deploying it lead to a war with somebody?

Very possibly, some critics say. Developing space weapons would be a mistake of historic proportions that would trigger an arms race in space. Imagine scenarios in which other nations follow the U.S. example and scramble to launch their own space weapons while frantic generals, unable to tell exactly who has put what into orbit, plead for extravagant countermeasures. In Pentagon war games, just trying to defend U.S. satellites causes problems. If you defend the satellite, you often widen the war. The activity ends up being the problem and not the solution.






Computer Forensics. Computer Crime Scene Investigation
Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
EAN: 2147483647
Year: 2002
Pages: 263
Authors: John R. Vacca
