The Disrupters Are Among Us

When I talk about problems in information systems, one of the most common responses I get is that my depiction is inherently pessimistic. If systems are as vulnerable as I say they are, why isn't there already a global collapse? My best responses are:

I personally try to understand this issue by studying the causes of information system failures in detail, classifying the causes and effects, and trying to understand how and why things are the way they are. Many experts also use lists of incidents to consider the efficacy of protection. To give an idea of the sorts of incidents that may cause disruption to components of the NII (the National Information Infrastructure), I have included a broad but not comprehensive set of descriptions of accidents, attacks, motives, perpetrators, and effects.

In order to interpret descriptions of this sort it is vital to understand that these lists are not exhaustive. They represent only a small portion of the things encountered in a typical career in this field. These descriptions are intended to give a general sense of the breadth and magnitude of the problems in information protection in the NII and an understanding of why the issues of protection need to be carefully examined.


Computer Accidents

Information system problems are commonly broken down into accidental and intentional acts. Most information technology managers recognize that accidents happen and consider protection from accidents to be part of the cost of doing business. It is common to differentiate accidents into acts of God or nature and acts or inaction by human beings, but I will not explicitly differentiate them here.

As an example of the impact of disruption on organizations, a survey of denial of services identified about 4 billion dollars of losses in 1992 alone. [Ballou] This survey doesn't even begin to address the sources of disruption or differentiate intentional from accidental disruption, but it should give an idea of the extent of the problem.

Errors and omissions This is probably the most widely recognized disruptive phenomenon today. Everyone makes mistakes, and when these mistakes affect information systems, even a small mistake can have severe consequences. More than one rocket has blown up because of a '+' sign instead of a '-' sign in a computer program. [Risks] In one case, a jet aircraft autopilot flipped the plane upside down when it crossed south of the equator because of such an error. It would have been a fun flight had the flaw not been detected in a simulation run. Errors and omissions have been responsible for many other incidents, including several cases where lives were lost.

Examples of loss of life include overdoses of radiation due to programming errors in medical equipment with only software safety provisions and several commercial airline crashes related to autopilot problems. [Risks]

Power failure Power failures have caused major outages in information system operations ever since computers became more reliable than the power system. A typical home computer operates for several years without a hardware problem, while power failures happen several times per year for short periods of time in most U.S. locations. If your computer is on and writing to the disk when the power fails, you could lose the entire contents of the disk. In larger systems, the problem is far more severe. In one incident in the 1970s, the power to the computers in the computer science department at Carnegie-Mellon University failed, even though they had two separate power lines coming into their computer center. It turned out that a backhoe cut the wire between where the two power sources entered the university and the point of presence in the building. Backhoes may be the single most dangerous weapon of the information age. Power disruptions capable of interfering with computer operations in my company's data centers have averaged between one per week and one per month over a 10-year period, and these figures are not unusual.

Cable Cuts The rare power failures caused by a cable cut are only a symptom of the backhoe disease. Cases of communication cables being cut seem to be almost epidemic. When a communications cable is cut, it physically disrupts communications that would otherwise operate over that cable. For example, if the cable to an office building is cut, the entire building may lose communications. With the increased bandwidth of cables caused by technological advances, we have used fewer cables to carry more data, which makes this problem far worse. For example, a fiber optic cable can carry about 375,000 telephone calls, so a fiber optic cable cut may disrupt all of the calls taking place at any one time in a major city. Recent famous examples include a cable cut in New York City that disconnected air traffic control for much of the northeastern United States and a cable cut in upstate New York that disconnected the 18 supposedly redundant Internet connections between New England and the rest of the United States. All 18 connections ran through the same fiber-optic cable. There are also many less spectacular cable cuts, and it is almost certain that every organization will experience at least one incident every few years.

Fire Fire has been a leading cause of death and destruction ever since cities became popular. Legend has it that Nero played the fiddle while Rome burned several thousand years ago [Nero]. Although Nero was apparently not involved, Rome did indeed burn. Fire physically destroys equipment and inventory of all sorts, including backup tapes, communications wires, switching equipment, and information systems. It also tends to make repair very difficult because all traces of the previous configuration are lost in a typical fire.

In Chicago, in the spring of 1990, a telephone company central office fire resulted in lost telephone service to tens of thousands of customers for a period of several months. [Neumann] If you were in the telephone-based mail-order business in the affected area, you were almost certainly out of business fast. Insurance may cover fire damage, but few policies cover the consequential damage resulting from loss of use of information systems affected by fire.

Flood Floods have a tendency to happen in low-lying areas and stream beds, and few natural floods since the one Noah was in have had a severe effect on the second story of buildings on hillsides. On the other hand, the Johnstown flood, which involved a broken dam in Johnstown, Pennsylvania, did destroy many two-story buildings on the hillsides downstream of the dam. Floods tend to short out electrical connections, which are the heart of information systems. Although many parts of many information systems can survive water, almost all systems are at least temporarily disrupted. The major floods in the midwest in 1993 disrupted information systems in many buildings. But an even more interesting flood from my perspective was the Chicago flood of 1992. In this case, underground waters were held back from the nineteenth-century underground tunnel system of Chicago by walls that were poorly maintained. When one particular wall broke down, there were major power and telephone outages throughout the city. Almost everyone was caught unaware because they never thought of Chicago as being very susceptible to floods.

Earth movement In zones where earthquakes are common, it is also quite common for earth movement to produce outages in information systems. Earth movement causes vibrations that disrupt internal connections between information system components, disrupt power, cause disk drives to physically destroy themselves, and disrupt wiring. In the Los Angeles earthquake of 1993, telephone service and electrical power were unavailable to hundreds of thousands of people for several days. The effect on information systems was obviously severe, but it didn't get much press coverage because next to the human suffering, it wasn't considered very important. Many businesses may have taken a long time to recover their information systems. Other forms of earth movement include mud slides, sink holes, and other similar phenomena. Although these forms of earth movement are comparatively local, they can still cause significant disruption.

Solar flares Solar flares increase background radio frequency noise which interferes with communication. Solar flares also increase the number of cosmic rays, which collide with computer memory elements and sometimes cause transient bit errors. In one case, solar flares interfered with the Global Positioning System (GPS), causing errors in displayed position. [Risks] With a GPS receiver, you can locate your position in the space around Earth to within about ten meters. With some careful calibration, you can get within about two meters, and by using enough statistical information, you can get an even more exact location. GPS is now used in military operations and has been accepted by the Federal Aviation Administration (FAA) for use in commercial aircraft guidance.

Volcanos Volcanic eruptions are fairly rare events in most of the world, but there are still many active volcanos. Most active volcanos generate lava flows on an ongoing basis, but when the rare one blows, it can change a lot of things in the environment that affect information systems. The Mt. St. Helens eruption in the 1980s was an example of a catastrophic eruption, while Hawaii deals with lava flows all of the time. The major problems for information systems in a volcanic eruption come when physical destruction from the volcano interferes with parts of the infrastructure being used to support information systems and when fine ash from the volcano becomes widely dispersed and causes physical damage to disk drives and other similar devices.

Severe weather, static electricity, air conditioning loss, etc. Severe weather causes many effects on information technology. For example, high temperatures tend to make air conditioning fail, which in turn causes overheating, which destroys computers very quickly. Low temperatures tend to make relative humidity low, which increases static electricity, and this can also destroy computers. Thunderstorms cause lightning, which strikes buildings and causes power fluctuations that destroy information systems. Extreme weather also affects other aspects of the infrastructure, which causes indirect effects on information systems. Hurricanes are one severe example of how weather can damage information systems. Large hurricanes tend to disrupt substantial portions of the power grid, telecommunications, and other infrastructure elements. They also physically destroy computer centers and other elements of the information infrastructure of individuals and organizations.

Relocating computers Relocating computers sometimes causes enough vibration to disrupt the delicate alignment of disk drives, which in turn makes disks unusable. In one case at a major university, a computer system was moved only a few feet and yet sustained total loss of disk storage. Fortunately, backups were done just before the move to cover this contingency, and the loss was minimal. Although computer components are increasingly designed to sustain movement without substantial damage, there are still physical forces that can damage components and their interconnections.

System maintenance In another incident at the same university, a hardware maintenance person came in and realigned the tape heads of a tape drive to compensate for mechanical skew as a part of regular maintenance. After the maintenance person departed, old tapes could no longer be read. The cure was to properly misalign the tape head so the improperly written tapes could be read, read in the tapes, realign the tape heads to the proper setting, and rewrite the tapes.

Many disruptions occur from system maintenance, but without maintenance, many other disruptive factors might go undetected.

Testing The whole point of testing is to find problems before they impact users. Once problems are found, they can be fixed. A common problem encountered today is that test modes are often available at times when they should not be. When this happens, many undesired side effects are possible. In one incident, a test of computer viruses at AT&T resulted in the accidental infection of the master copy of AT&T's supposedly secure version of the UNIX operating system. [Duff] It seems the testing mode was being used in that system, and it introduced a vulnerability. In a similar incident, the Internet Virus entered through a testing capability that was left enabled in a standard distribution of Sun's version of the UNIX operating system. [InetWorm] [InetWorm2] It is fairly common for people to test uninterruptible power supplies, but it is also fairly common to forget to turn off the information systems they support before testing. If the power supply fails, so do the information systems it supports.

Inadequate maintenance Inadequate maintenance can be just as hazardous as inappropriate maintenance. The whole purpose of maintenance is to find and correct problems before they have a serious impact on operations. Many modern information systems cannot operate over an extended period of time without maintenance. As a simple example, sophisticated information systems often produce audit records. If these audit records are never examined or deleted, they are of no value, and they may cause the system to fail by consuming so much space that the information system runs out of storage.

Humidity High humidity causes electronics to fail because it causes short circuits, but perhaps it is more dangerous to paper, which absorbs the water from the air, weakens, and rots. On the other hand, if paper is kept too dry, it will become brittle and crack. In humid environments, micro-organisms thrive, and they tend to eat everything from the rubber in cars to the plastic in computer circuit boards. In dry environments, many materials become very brittle and misshapen. For example, the circuit boards used in computers may crack, disk drives may warp, power supplies may change characteristics, fan lubrication may dry up, static charges may accumulate in video displays, mechanical switches on pointing devices may fail, and wires connecting components may break. Needless to say, this can cause serious problems.

Smoke Smoke often causes more damage than fire. In the case of information systems, smoke causes serious damage in unsealed components. For example, a floppy disk drive has an electromagnetic read-write head with tolerances about the width of a human hair. If smoke gets in the system, the disk head may fail. Even the fans used to cool systems become less reliable when smoke comes along, because it causes friction in the bearings and can gum up air filters, causing cooling to become inefficient, and producing heat-related damage. Other components such as integrated circuits depend on air flow for cooling. Smoke may deposit added insulation that reduces the cooling effect and increases thermal damage.

Dust If you've ever opened a computer that has been running for a few years without an internal cleaning, you have found an enormous amount of dust. Dust accumulates because the fan typically blows air through a system to cool the components which have higher failure rates at higher temperature. As the dust enters the system, it is trapped in areas with low air flow, and it accumulates, causing larger areas of low air flow, and so on. Over time, a computer can accumulate so much dust that cooling becomes ineffective and failure rates go up.

Gases, fumes, and cleaning chemicals But don't rush in with a regular cleaning person to clean all your computers. I made the mistake of letting a cleaning person come in and clean my dusty computers one day, and nearly paid the price in a big way. It turned out that the cleaning chemicals used on the dust rag got into the electronics and caused a temporary short circuit resulting in a system failure. After the fluids dried, the system worked again, but it was a bit scary to have the system go down from disk failures just as the cleaning person sprayed cleaning chemicals into the disk-drive enclosure. Various gases and fumes cause plastic enclosures to fail. Among the effects are damage to sealed disk drives and loosened connections. In some cases, the chemicals are changed by the increased temperature inside a computer and this can cause chemical reactions that cause other damage.

Heat Several of the examples above relate to heat. Increased heat causes failure rates in electronic and mechanical components to rise fairly dramatically. In studies of electronics done in the 1970s, it was found that for every 10 degrees Celsius increase in temperature over the normal operating range of an integrated circuit, the mean time to failure was cut in half. In other words, on the average, a computer running at 15 degrees Celsius that fails only once per 10 years will fail once per 5 years if operated at 25 degrees Celsius. Mechanical systems have similar problems because as bearings get hot, they deform. This causes more friction, which increases the heat, which increases the deformation, and so forth. If you run a disk drive at a higher temperature, on the average, it will crash sooner.

Temperature cycling Lest you decide to keep turning your computer off to reduce heat damage, you should be aware that temperature cycling also causes damage. Metallic components expand and shrink as temperature changes, causing mechanical stresses which eventually cause breakage in the same way as bending a coat hanger back and forth will eventually break it. When you turn a computer on for several hours and then turn it off again for several hours, temperature cycling is most pronounced.

Electronic Interference In several recent cases, signals from airport radar and similar sources have caused computers to fail, and the interaction of emanations from information systems has been cited a number of times as a cause of system failures. [AvWeek] This is the reason the FAA now requires airline passengers to turn off personal computers and some other electronic equipment during takeoff and landing.

Vibration Electronic equipment that is shaken is subject to the same physical stresses as any other device. Under enough stress of the right characteristic, the equipment will fail. Most information systems are not designed for extensive shaking, dropping, or other such things, but there are components designed to handle such stresses. These components cost more, but in an environment where these stresses are common, they are well worth the price difference. For example, military equipment specifications require hardening against shaking and falling, and palmtop computers such as the HP-100 can fall from six feet onto pavement without significant damage.

Corrosion Anyone who has spent much time fixing computers or other electronic equipment is familiar with the effects of corrosion. The contacts between integrated circuit boards and the computer's backplane corrode, and this causes transient errors and, eventually, permanent faults. The common cure is to reseat the boards by removing them and putting them back in. Corrosion is usually caused by environmental factors.


Intentional Events

Several authors have reported that once detection was put in place, over one incident per day was detected against their computers attached to the Internet. [Bellovin2] [Cheswick2] [Ranum] Other people have placed detection systems on the Internet to detect attacks and have privately reported similar figures. There are about 2.5 million computers on the Internet, so simple multiplication tells us that something like 900 million attacks per year take place on the Internet alone.

With that amount of computer crime underway, you might well ask where the superhighway patrol is. Unfortunately, it is a lot harder to patrol the information superhighways than the automotive superhighways, and unlike the highway patrol, there are no information police to speak of and they don't have information patrol cars.

The situation today in the infosphere is much the same as it was in the geosphere in the wild west. It's easy to steal from the weak and it's easy to avoid being caught. There are some law enforcement people out there, but they are few and far between and they have almost none of the tools required to get the job done. Information system users end up hiring private police that are often inadequate to the task.

Many of the most common attacks are listed here to give a flavor of the sorts of things people do to attack information systems. This list is by no means comprehensive, but it illustrates the variety of events that may occur.

Trojan Horses A Trojan Horse is a hardware or software component that has an unadvertised side effect. The term is normally used to indicate a malicious side effect, and comes from an ancient war in which the Greeks were being defeated on the battlefield by the Trojans. In desperation, the Greeks gave a giant wooden statue of a horse to the Trojans. The Trojans took the horse into their walled fortress, and that night, the Greeks hiding in the statue came out and opened the gates to the fortress. The Greeks entered and massacred the Trojans. Thus the expression "Beware of Greeks bearing gifts." In computers, a Trojan horse can be used to deny services, to corrupt information, or to leak secret information. Many examples of Trojan horses appear every day in the information business.

Time Bombs A time bomb in an information system is just the analogy of a physical time bomb. Once the time bomb is activated, it detonates at a later time, resulting in some damaging effect. A time bomb can potentially deny services, corrupt information, and/or leak secrets. A software time bomb might try to delete all of the files on a system, while a hardware time bomb might cause a component to fail. Another way of looking at this is by considering planned obsolescence. In products warranted for one year, it is common to have hardware failures just after the end of the warranty period. This is either because product testing shows that failures begin at that time, or because the parts used to make the system are selected for their low cost, and the price is set by the quality of the component. It is also possible to design systems to have very sharp changes in reliability after a well-defined point in time by exploiting the known failure characteristics in combination. [DPS] [Gray]

Use or Condition Bombs A use or condition bomb is just like a time bomb except that it is triggered by a number of uses or some other condition of the state of the environment. This practice has been used by some consultants to assure payment or to cause damage when they are fired. [Times] A typical condition might be that the consultant's last login was more than three months ago. The effects of such an attack are often limited to the consultant's work product, but not always. In some cases, consultants who were not paid for a job claimed that a use or condition bomb was their way of assuring payment. The courts have consistently ruled against these consultants.

Dumpster Diving A lot of people in today's society throw away a lot of things without realizing their potential value. Information is commonly discarded when stored in paper form, and even old magnetic tapes and floppy disks are commonly thrown in the garbage when they have outlived their usefulness to the owner. The information contained in these forms may be quite helpful to an attacker. In trying to break into systems, it is now a common practice for attackers to go to the dumpsters used for disposal of waste in search of information that may lead to easier entry or more successful attack. Similarly, some waste disposal companies have been accused of selling waste paper to people in search of information. The police also commonly search garbage for evidence, and this is certainly not beyond the scope of work for a spy. Some of the most famous AT&T attacks came about as a result of dumpster divers getting copies of manuals for systems. In exceptional cases, listings of user IDs and passwords are found in dumpsters.

In many organizations, old backup tapes are thrown out when they begin to have faults during backups. Under these circumstances, a dumpster diver may get a full on-line copy of a lot of corporate information, including password files and details of internal controls.

Fictitious People In the current Internet, it is fairly easy to create as many personas as desired. Little authentication is done to verify the identity of anyone willing to pay for services. One author suggested that there is a risk of people taking on multiple fictitious identities and providing several different viewpoints that all combine to recommend the same product or service. By placing enough opinions that lead to the same conclusion into a widely read forum, you may be able to set a trend that results in people believing lies. By making friends with people of different opinions, you may choose which identity to use when talking to each. False identities are good leaping off points for all sorts of crime. For example, in September of 1994, somebody used a false identity to threaten to kill the President of the United States via electronic mail. This was done using an identity provided on a FreeNet, a community-provided public service access point to the Internet.

Protection Limit Poking In most systems, information storage, retrieval, analysis, and communications services can be denied to one user by another. For example, many password protection schemes only allow a user to try to log in a fixed number of times before they must see an administrator to have their user ID reinstated. An example of an attack would be to try to log in to the other user's account using a wrong password. Once the limit is reached, the other user cannot access the system and is forced to go through an administrator to regain access. If the defense against password guessing is improperly implemented, incorrectly guessing the administrator's password can be used to prevent the administrator from logging in. If the administrator is the only one who can restore access and the administrator's access is disabled to stop further password guessing, the system may have to be shut down and manually modified in order to restore normal operation.
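As an added illustration (not code from the original text), the following Python compares the fixed-count lockout described above with a per-source back-off that cannot be turned against the administrator; the account names, passwords and source addresses are constructed for the demonstration.

```python
"""Two password-failure policies compared.

Added example, not code from the original text. FixedLockout is the scheme the
text describes: N wrong passwords and the account is disabled until an
administrator re-enables it, so anyone who can reach the login prompt can lock
any user, the administrator included, out. BackoffThrottle keys failures on
(account, source) and answers with a growing, self-expiring delay instead, so
guessing from one source never makes the account unusable from another.
"""
from dataclasses import dataclass

# Constructed credential table (a real store holds salted hashes, never plaintext).
CREDENTIALS = {"alice": "correct-horse", "admin": "battery-staple"}

MAX_FAILURES = 3      # fixed limit used by the naive policy
BASE_DELAY = 1.0      # seconds of back-off after the first failure
MAX_DELAY = 300.0     # cap: a legitimate user is slowed down, never locked out
WINDOW = 900.0        # failures older than this are forgotten


class FixedLockout:
    def __init__(self):
        self.failures = {}
        self.locked = set()

    def attempt(self, account, source, password):
        if account in self.locked:
            return "locked"           # only an administrator can undo this
        if CREDENTIALS.get(account) == password:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
        return "denied"


@dataclass
class _History:
    count: int = 0
    last: float = 0.0


class BackoffThrottle:
    def __init__(self, clock):
        self.clock = clock            # injected so the demo runs without sleeping
        self.history = {}

    def _hist(self, account, source):
        h = self.history.setdefault((account, source), _History())
        if h.count and self.clock() - h.last > WINDOW:
            h.count = 0               # stale failures expire on their own
        return h

    def wait_remaining(self, account, source):
        """Seconds this (account, source) pair must still wait; 0.0 if none."""
        h = self._hist(account, source)
        if h.count == 0:
            return 0.0
        delay = min(MAX_DELAY, BASE_DELAY * 2 ** (h.count - 1))
        return max(0.0, h.last + delay - self.clock())

    def attempt(self, account, source, password):
        h = self._hist(account, source)
        if self.wait_remaining(account, source) > 0:
            return "throttled"        # refused before the password is even checked
        if CREDENTIALS.get(account) == password:
            h.count = 0
            return "ok"
        h.count += 1
        h.last = self.clock()
        return "denied"


class FakeClock:
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def demonstrate():
    """Same event sequence against both policies: MAX_FAILURES wrong passwords
    for 'admin' from 10.0.0.9, then the real administrator at the console,
    then one more wrong guess from 10.0.0.9."""
    fixed = FixedLockout()
    for _ in range(MAX_FAILURES):
        fixed.attempt("admin", "10.0.0.9", "wrong")
    fixed_admin = fixed.attempt("admin", "console", "battery-staple")

    clock = FakeClock()
    throttle = BackoffThrottle(clock)
    for _ in range(MAX_FAILURES):
        clock.advance(throttle.wait_remaining("admin", "10.0.0.9"))  # guesser waits out each delay
        throttle.attempt("admin", "10.0.0.9", "wrong")
    backoff_admin = throttle.attempt("admin", "console", "battery-staple")
    backoff_guesser = throttle.attempt("admin", "10.0.0.9", "wrong")
    return {
        "fixed_admin": fixed_admin,          # "locked": the poke succeeded
        "backoff_admin": backoff_admin,      # "ok": an unaffected source is unaffected
        "backoff_guesser": backoff_guesser,  # "throttled"
        "guesser_wait": throttle.wait_remaining("admin", "10.0.0.9"),
    }
```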

Email Overflow In this attack, electronic mail (e-mail) is used to flood computer systems with information, thus reducing available resources for other purposes. In experimental attacks, this technique was shown to be very effective in denying services, [DISAdoc] and several incidents since that time have demonstrated the same results with accidental causes. [WSJ]

The experimental attacks consisted of sending electronic mail to computers throughout the U.S. military network from the Internet. In the first experiment, e-mail was sent to the 'root' user at each of 68 sites chosen from a (German) Chaos Computer Club listing. This was done to establish that mail sent to most of them would be received and stored in their computers. The following table describes the results:

 Number  Response
 ------  --------
     40  got the mail - no response
     10  refused the mail
      1  no root user, identified self as 'TSO'
      2  no such user ID, listed other user IDs
      2  no user called 'root' on their system
      7  not found by the mail system
      6  got the mail - personal response

The second experiment consisted of sending mass quantities of mail into one site (done on an isolated computer designated for that purpose) to see how it affected operations. The first effect was a slight slowing of other processes on the system, presumably due to the disk output and processing required to process and store all of the mail. The second effect was consumption of all available disk space in the '/usr' partition of the disk. The target system had about 18 Mbytes of free space on that partition, and it took only 4.5 minutes to exhaust it, at which point the system started having severe problems because it could not create or add to files. The system console indicated that no disk space was available on that disk partition.

It typically takes about 30 minutes to find the specific problem in such an incident (in this case, the files consuming all of the disk space) once the systems administrator is able to log in to the system. On some systems, the administrator cannot log in properly without adequate disk space, but either way, the net effect is half an hour or more of denial of services, corruption, and repudiation. The lack of disk space causes many programs to fail, and if you are unable to write a file to disk, it is hard to do much useful work. Files being written when there is no space left typically end up in an inconsistent state. Most programs dealing with files do not detect and properly handle these conditions, so the corruption goes unnoticed for the moment. Audit trails take disk space, and since there is none available, they cannot log the side effects of this disruption for later analysis. Depending on details of the implementation, the audit program may even stop operating entirely. After the problem is found, there is an even bigger problem. How does the administrator prevent this attack and still allow legitimate mail to pass? It turns out that this is not so simple in most modern computer mail systems.

After posting this information to the 'risks' forum on the Internet, numerous replies asserted that this attack was not properly defended on existing systems. [Risks] One respondent pointed out that electronic fax and news transmissions had similar problems, and are not adequately addressed by many current systems. Some time after this experiment was published, an accidental disruption occurred when a law firm tried to advertise on the Internet and was flooded with hate mail. The service provider used by the law firm had to shut down because of the disruptive effect of all the e-mail.
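An added example, not from the original text, of the kind of admission control that addresses the question raised above: the spool is modelled as a partition with a protected reserve and a per-sender volume quota, and the experiment's 18 Mbyte figure is replayed against it. Message sizes, thresholds and addresses are constructed.

```python
"""Admission control for an incoming-mail spool.

Added example, not code from the original text. The experiment described above
exhausted the '/usr' partition because the mail system accepted everything it
was offered. This guard models the partition and refuses a message when storing
it would eat into a reserved margin (so the administrator can still log in and
audit records can still be written) or push one sender over a volume quota
within a sliding window. Sizes, thresholds and addresses are constructed.
"""
from collections import deque

KBYTE = 1024
MBYTE = 1024 * KBYTE
RESERVE = 4 * MBYTE          # free space the spool may never consume
MAX_MESSAGE = 1 * MBYTE      # limit on a single message
SENDER_QUOTA = 2 * MBYTE     # bytes one sender may store within QUOTA_WINDOW
QUOTA_WINDOW = 3600.0        # seconds


class SpoolGuard:
    def __init__(self, free_bytes):
        self.free = free_bytes
        self.per_sender = {}       # sender -> deque of (timestamp, size)
        self.rejections = {}       # reason -> count; a sudden rise is worth an alert

    def _reject(self, reason):
        self.rejections[reason] = self.rejections.get(reason, 0) + 1
        return reason

    def _recent_usage(self, sender, now):
        q = self.per_sender.setdefault(sender, deque())
        while q and q[0][0] < now - QUOTA_WINDOW:
            q.popleft()                       # expire entries outside the window
        return q, sum(size for _, size in q)

    def offer(self, sender, size, now):
        """Decide on one incoming message. Returns 'accepted' or the reason for
        refusal. A real MTA would turn 'spool-full' into a temporary failure so
        legitimate mail is retried later rather than lost."""
        if size > MAX_MESSAGE:
            return self._reject("too-large")
        if self.free - size < RESERVE:
            return self._reject("spool-full")
        q, used = self._recent_usage(sender, now)
        if used + size > SENDER_QUOTA:
            return self._reject("sender-quota")
        q.append((now, size))
        self.free -= size
        return "accepted"


def simulate():
    """Replay two floods against an 18 Mbyte partition (the figure from the
    experiment), then offer one legitimate message."""
    guard = SpoolGuard(18 * MBYTE)
    now = 0.0
    # Flood 1: one sender, 2000 messages of 20 Kbytes, ten per second.
    for _ in range(2000):
        guard.offer("flood@example.invalid", 20 * KBYTE, now)
        now += 0.1
    # Flood 2: 1000 messages of 20 Kbytes, each from a different address, so the
    # per-sender quota cannot stop it; only the reserve does.
    for i in range(1000):
        guard.offer(f"user{i}@example.invalid", 20 * KBYTE, now)
        now += 0.1
    legit = guard.offer("ops@example.invalid", 5 * KBYTE, now)
    return {
        "free_bytes": guard.free,
        "reserve_intact": guard.free >= RESERVE,
        "legitimate": legit,
        "rejections": dict(guard.rejections),
    }
```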

Infrastructure Interference By sending signals to a satellite or microwave dish, it's fairly easy to interfere with signals and disrupt these elements of the NII on a wide scale. One example was the Home Box Office (HBO) attack launched in the late 1980s where someone with a satellite dish sent his own signal to HBO listeners all over the United States. [Pessin]

Infrastructure Observation Radio signals are also fairly easy to observe. For example, the microwave dishes that used to carry many of the conversations into and out of Washington, D.C. passed their signals right over the Russian Embassy. It is widely believed that the mass of radio equipment in the embassy was used, at least partially, to listen to telephone conversations passing over this microwave link.

Sympathetic Vibration Most modern communications protocols are designed to deal with common types of delay problems such as packets arriving too late to be of value. But the mechanisms used for retransmission are designed for reliability under random fault conditions and not under intentional attack. By creating packet feedback mechanisms, it is almost always possible to cause a network to overload with protocol packets, thus disrupting services. In some cases, this has even happened accidentally. [FCC-NRC] [NRC-Nets] Even modern electronic mail (e-mail) systems are susceptible to this sort of disruption. For example, there are many automatic mail responders on the Internet. These systems listen for incoming e-mail requesting standard information and respond by mailing the standard response back to the sender. By forging a sender identity, which is trivially done on the Internet, the response can be sent to another automatic mail responder. The two mail responders may then eternally send more and more mail back and forth in automatic response, flooding the Internet with junk mail and causing widespread havoc.
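As an added example (not from the original text), a mail responder written so that two copies of it cannot feed each other: the Auto-Submitted header is the RFC 3834 mechanism for this, the per-sender reply cap is a backstop against responders that mark nothing, and the addresses are constructed.

```python
"""Loop-safe automatic mail responder.

Added example, not code from the original text. Two responders that answer
everything will feed each other forever once one receives a message carrying
the other's address as sender. This responder stays silent on anything marked
automatic or bulk, labels its own replies with the RFC 3834 Auto-Submitted
header so other well-behaved responders stay silent too, and caps replies per
sender as a backstop. Addresses are constructed.
"""
from collections import deque
from email.message import EmailMessage

MAX_REPLIES_PER_SENDER = 3
REPLY_WINDOW = 86400.0                       # seconds
BULK_PRECEDENCE = {"bulk", "list", "junk"}


def make_message(sender, recipient, subject, auto_submitted=None):
    """Build a constructed test message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    if auto_submitted:
        msg["Auto-Submitted"] = auto_submitted
    msg.set_content("(constructed body)")
    return msg


class AutoResponder:
    def __init__(self, address, body):
        self.address = address.lower()
        self.body = body
        self.sent = {}                       # sender -> deque of reply times

    def should_reply(self, msg, now):
        """Return (decision, reason-or-recipient)."""
        sender = str(msg.get("Reply-To") or msg.get("From") or "").strip().lower()
        if not sender or sender.startswith("mailer-daemon@"):
            return False, "no-sender-or-bounce"
        if str(msg.get("Auto-Submitted", "no")).lower() != "no":
            return False, "auto-submitted"   # RFC 3834: never answer another automaton
        if str(msg.get("Precedence", "")).lower() in BULK_PRECEDENCE:
            return False, "bulk"
        if msg.get("List-Id") or msg.get("List-Unsubscribe"):
            return False, "mailing-list"
        if sender == self.address:
            return False, "self"
        q = self.sent.setdefault(sender, deque())
        while q and q[0] < now - REPLY_WINDOW:
            q.popleft()
        if len(q) >= MAX_REPLIES_PER_SENDER:
            return False, "rate-limited"
        return True, sender

    def handle(self, msg, now):
        """Return the reply to send, or None to stay silent."""
        ok, info = self.should_reply(msg, now)
        if not ok:
            return None
        reply = EmailMessage()
        reply["From"] = self.address
        reply["To"] = info
        reply["Subject"] = "Auto: " + str(msg.get("Subject") or "")
        reply["Auto-Submitted"] = "auto-replied"   # tells other responders to keep quiet
        reply["Precedence"] = "bulk"
        if msg.get("Message-ID"):
            reply["In-Reply-To"] = str(msg["Message-ID"])
        reply.set_content(self.body)
        self.sent[info].append(now)
        return reply


class NaiveResponder(AutoResponder):
    """Answers everything and marks nothing: the failure mode in the text."""

    def handle(self, msg, now):
        reply = EmailMessage()
        reply["From"] = self.address
        reply["To"] = str(msg.get("From") or "")
        reply["Subject"] = "Re: " + str(msg.get("Subject") or "")
        reply.set_content(self.body)
        return reply


def exchange(first_receiver, other, first_message, max_rounds=50):
    """Deliver first_message to first_receiver, then hand each reply to the
    other side until one stays silent. Returns the number of replies sent;
    reaching max_rounds means the pair would loop forever."""
    replies = 0
    msg, receiver, peer = first_message, first_receiver, other
    while msg is not None and replies < max_rounds:
        msg = receiver.handle(msg, now=float(replies))
        if msg is not None:
            replies += 1
        receiver, peer = peer, receiver
    return replies
```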

Human Engineering This is a favorite of many attackers. The weakest links in many protection systems are the people, and the easiest way to exploit the weakness is by convincing the people you have a legitimate purpose. If you look and talk like a maintenance person, the receptionist will probably treat you like one. Several television shows have filmed and shown attacks where teenagers call into a company and act as if they are telephone repair people who lost the password to the maintenance computer or left their phone list at home. They then get the maintenance phone number and password from the operator and enter the telephone network as a privileged user from a pay phone free of charge. A skilled attacker can easily change billing information, make calls to anywhere in the world, and disrupt telephone service once such information is obtained.

Bribes In many cases, the worst paid employees are in the best position to attack information systems. For example, the night watchman is typically a low paid, transient worker. For $20, you can probably bribe the night watchman to use the telephone to call your brother in Iowa. Chances are you will be left alone to rummage through the facility if you use the technique right. For a bit more money, you can probably bribe maintenance people to let you take one of their shifts. After all, they get paid for doing nothing, and you get the run of the place. The net effect is a collapse of many of the physical security precautions that may have been in place, and with physical access, there is no limit to the potential techniques that can be used for leakage, denial, and corruption.

Get a Job Bribes are quite limited. If you want to do a better job of attacking a system, why not apply for a job as a night janitor? The security check is probably minimal, and in many cases you will have unlimited access to the whole facility all night. Best of all, you get paid to launch the attack. It is also fairly easy to get a job as a computer operator or night operations manager if you forge the proper background. That might even get you authorized access to many of the information systems and make your attack far easier.

Password Guessing The practice of guessing passwords has existed since ancient times. The reason that password guessing works so well is that people use easily guessed passwords, and the reason for this is inadequate training and inadequate use of technology. In an experiment I did in 1982, I successfully guessed more than 80 percent of the user passwords on a mainframe computer system trying only about 10 guesses per user. Similar experiments have been done by researchers for many years and, despite widespread dissemination of these results, the situation is much the same today.

Invalid Values on Calls In many computer systems, unanticipated requests for service (i.e., calls to the operating system with illegal or undocumented values) result in violations of protection. In DOS, where there is no protection in the operating system itself, many of the common activities such as spooling files to the printer require the use of undocumented operating system calls. This encourages abuse by outside vendors, and fosters incompatibility across versions of the operating system. In more advanced operating systems, protection is fairly effective except for implementation errors. One good example of an invalid call producing a negative result was in an early version of an IBM computer. In this system, there was an operating system call that shut down the computer by causing a physical mechanism to pull all of the boards out of the backplane. The call was not documented to users, and the people who implemented the operating system didn't protect the call from accidental or malicious use.

Computer Viruses In every widely used operating system, protection is inadequate to limit the spread of computer viruses. Computer viruses are programs that reproduce. In the process, they may infect other programs which in turn infect other programs, and so they spread far and wide. There are now about 5,000 computer viruses known by researchers, and many more are created every day. The real threat of computer viruses is that they can act as vectors for spreading any other attack. With a computer virus, it is simple to corrupt data throughout an information network, to disrupt services on a wide scale, and to leak secrets from the best computer security systems available today. [Cohen-Wiley]

Data Diddling Data diddling is a technique whereby data is illicitly modified. By illicitly modifying data, information systems may produce wrong results and, because few current information systems have integrity controls, these errors will likely remain undiscovered for a long time. Data diddling has been used to change salary rates, alter investment profiles, change patient records, and in all sorts of other ways. In most modern computer networks, data diddling can be done remotely without even entering the computer under attack by modifying information being sent through the network.

Packet Insertion In most current networking environments, it is relatively easy to insert a packet forged to appear to be from a different source. There are even public domain programs that provide facilities to assist in this effort. Packet insertion has been used to replay financial transactions, gain entry into systems, bypass access controls, induce network control problems, and spoof file servers. In essence, anything that can be done from over a network legitimately can be done over the same network illegitimately. By inserting packets at the network level, all of the computer security in the computers that are connected to the network is defeated. [Cohen-93]

Packet Watching In most current networking environments, it is also relatively easy to observe packets flowing between networked computers. Some of the public domain software allows the listener to isolate traffic between particular sites and observe terminal sessions, including the entry of user identities and passwords. In one experiment at Queensland University of Technology, a graduate student under my direction implemented a simple program to analyze network traffic and produce terminal sessions between user and computer pairs. [Cohen-QUT] [Cohen-93] In a very similar effort detected in early 1994, thousands of user identities and passwords were stolen from computers attached to the Internet computer network. [AP] The attackers have not yet been identified.

Van Eck Bugging In the 1980s, a paper was published describing experiments that enabled a remote observer to use electromagnetic emanations from a video display to watch the display. [VanEck] Since that time many people have shown that it is possible to electronically watch a typical video display from a location on the other side of a wall or from hundreds of meters away.

In one case, a British television station used this sort of equipment to show that Scotland Yard's computers could be observed from outside the building.

Conducted emanations over power lines can also be exploited to extract data from some computer systems. For a cost of only a few hundred dollars, anyone with the desire and knowledge to do so can observe information appearing on your video terminals in real-time, thus leaking information as it is created or used and gaining detailed knowledge of how it is used and by whom.

Electronic Interference Normal air traffic control radar can cause interference and intermittent failures in computer equipment within a radius of several hundred meters. [AvWeek] Energy signals of sufficient strength can jam LAN cables, serial cables, keyboard connectors, mouse cables, and other electromagnetic devices. [Brewer] In electrical power systems, it is fairly easy to induce noise characteristics that can cause computer failures as well. It is fairly common for electrical noise from rotating machines like electric saws and drills to do this. This can be used to cause random corruptions or denial of services.

Federal Aviation Administration (FAA) measurements of electromagnetic interference at one high density U.S. airport peaked at 14,000 volts per meter from surveillance and satellite tracking radars. The FAA set a 200 volts/meter no adverse effects limit for one aircraft, partly due to rapid movement of both aircraft and radar beam. [AvWeek] Thus the noise levels from our own infrastructure's safety equipment introduce adverse effects to our own aircraft.

PBX Bugging Many modern telephone systems provide the capability to listen in on conversations, even when the telephone is hung up. The most common method is to set the PBX parameter that controls how long after the on-hook condition the microphone is closed to an unexpected value. In many systems, this will leave the call engaged. The attacker then enables a conference call with that headset and listens in. This allows anyone with access to your PBX to listen in on private conversations in any office that uses the system without the people in the office either being aware of the interception or able to detect that the attack is underway. The next time you are in an important meeting in a room with a telephone, you should consider the possible consequences.

Open Microphone Listening Many current computers are shipped with microphones for voice input. Soon after the first of these systems was shipped, attackers found that they could listen to the voice input when the normal voice input programs were not functioning. This enables anyone with a minimal amount of access to listen to conversations without alerting the user. This technique can be used to record or listen to private conversations, to tell when people are or are not present, to listen to keyboard input and derive passwords, and in low noise environments, to listen to conversations in other rooms. Even after this technique was widely known, some of the major manufacturers of systems with this problem continued to produce systems with no mechanical microphone switch or activity light. [Risks]

Video Viewing Some of the newest multimedia systems have video input capabilities to facilitate video conferencing. Just as microphones are commonly left unprotected, video input devices commonly have no switch and are controlled by a computer which can be broken into over the network. Video viewing can be used to watch keystrokes, to see how people behave, to see who comes by and who is in offices, to see when people are in or out, to determine police and maintenance schedules, and to read plans and other documentation. When used in the home, private lifestyle information may also be attained. When used as a cable television interface device in a bedroom, the violation of privacy can be extreme. Again, the manufacturers have not responded, and in most current video input systems, attackers can watch and record what happens without alerting the user. [Risks]

Repair, Replace, and Remove Information Some computer repair shops reuse old disks as replacements for a broken disk. Still others apparently extract data from disks before they reconfigure them. Under these conditions it is easy to take information from the disk and use or resell it. In one case I know of, a bank sold used computers without removing information from the disk drives. The result was a substantial amount of private information getting into a place it was not supposed to be.

Wire Closet Attacks Most buildings have wire closets that are used to connect information systems and power systems. It is often easier to gain access to these rooms than other parts of a facility. Once access is attained, wires can be tapped, cut, rerouted, wired together, or otherwise altered. Most facilities have poor documentation of how their wire rooms are configured. In a few hours, it is often possible to do enough damage in one wire closet in an office building to affect hundreds of workers over a period of a week or more. Consider how easily a telephone answering service could be damaged in this way.

Shoulder Surfing This attack has been used since the earliest days of computing and is now commonly used by people who steal telephone access codes. The idea is to watch someone enter their password or PIN and then to reuse it. In many environments, people are unaware of the possibility of shoulder surfing. For example, at the National Computer Security Center (NCSC) of the National Security Agency (NSA) in 1986, I was in the director's corner office, and noticed that the keyboard and video screen could easily be observed from outside the building.

Many people feel uncomfortable asking someone to look away while they type a password. This is a social norm that has to change if we are to continue using passwords as we do today. Once a password or PIN is attained, anything the original user could do can be done by the attacker, and the original user will likely be blamed for the results, at least for a little while.

Toll Fraud Networks In one modern version of shoulder surfing, people watch telephone credit card users enter their phone card information and quickly pass it to people throughout the U.S. via bulletin boards or other electronic media. In some cases, hundreds of thousands of dollars in telephone services have been stolen in a matter of hours. It is quite common for people to break into PBX systems with voice mail and use these systems to store telephone access codes for others to use. The average PBX-based toll fraud loss is more than $40,000.

Data Aggregation Seemingly innocuous data can often be combined to get confidential information. [Denning82] Perhaps one of the most impressive uses of information for tracking a person's movements was the use of credit card and other electronic records to track comedian John Belushi's movements in the last days of his life. In this case, an author wrote a book detailing exactly where he had been, what he had done, and who he had been with from minute to minute using electronic records.

Process Bypassing A variety of semiautomatic processes are used in modern businesses. For example, a teller at a bank may make an entry indicating that you deposited $100 today. In this case, at the end of the day, the money in the cash drawers is added up, so an obvious fraud will be detected before too long. But in some of these processes the checks are not as straightforward or well designed. In a typical case, a data entry clerk entered data indicating that a product had been returned when it had not. The result was that the system generated a check for a refund to the customer. Once the clerk noticed this flaw, she began to enter numerous returns that did not exist, and arranged for the checks to be forwarded to a friend. She took the money and ran. Whenever there is a process of this sort without adequate controls, such a fraud is possible.

Backup Theft In cases where a lot of information is desired with a minimum of effort, it is commonly easier to take a backup tape than enter a system through the normal means. By borrowing a backup tape for a short period of time, it is usually possible to copy the contents and return the tape before it is missed. Security on backups is often far less stringent than on information systems. For example, many backups are transported to off-site storage facilities using common carriers. They may be left in piles at shipping docks for hours or days. In many cases, they are kept at the desk of a systems administrator whose office is not in the protected area of the computer room. Backup tapes often have all of the information on a system in plaintext form. By getting a copy of the backup tape, both the data and the programs become available for analysis. A serious attacker wanting to launch an attack against a live system may well decide to get a backup first, so that they can thoroughly test their attacks in a simulated environment before launching them for real.

Remote backups over local area networks are becoming increasingly popular, particularly for backing up large numbers of interconnected PCs. This means that an attacker can get a copy of a backup by watching LAN traffic. By forwarding that traffic through larger networks like the Internet, an attacker can watch backups from anywhere in the world.

Login spoofing When I was a professor at Lehigh University, I did an experiment where I logged into a timesharing computer system and ran a program that simulated the login screen. Whenever a user walked up to the screen, the program would simulate the login process, tell the user they had typed a bad password, terminate the program, and log out. When the user tried again, the login worked. Not one user noticed the attack and I was able to systematically gain user identity and password pairs, even from systems administrators. In the global networking environment, it is fairly simple to forge network identities. This can also be used for login spoofing.

Hangup Hooking Modems don't always hang up the phone line instantly when the user hangs up the telephone. While I was still a professor at Lehigh University, I was demonstrating a login spoofing attack to the students in one of my information protection classes. I was logging into a remote computer, when much to everyone's surprise, another attack I had discussed previously was realized by accident. I had accidentally dialed into a remote computer and been attached to a previous user's account because the modem line they had been using didn't disconnect them before I dialed into the same phone line. I was left logged into another user's account. If it can happen by accident, imagine how easy it must be to do intentionally.

Call Forwarding Fakery With modern telephone systems, it is common to use the caller-ID feature or dial-back capabilities to detect the source of an incoming call and route it appropriately. Attackers respond quickly to these sorts of technological defenses, and almost immediately came up with methods that use call forwarding to eliminate this defense. When a call-back modem is used, the attacker will forward calls from the call-back number to their location. When caller-ID is being used, they will forward the call through another number to break the link to their actual location. This is often done from telephone booths, so that eventually tracing back the call does not lead to the perpetrator without additional forensic evidence. Private Branch eXchanges (PBXs) can also be used as intermediaries to obscure the source of a call.

Email Spoofing In one case, a computer operator erroneously took orders issued by his supervisor through electronic mail (e-mail). Since the electronic mail system was not secure at this installation, it was possible for any user to append data to the operator's incoming mail file. If the data was formatted correctly, there was no way to tell legitimate mail from a forgery. After several mysterious system crashes and file losses, the supervisor called the operator into his office to find out what was going on. The operator said that he was just following the supervisor's instructions, and that he could prove it! He logged into the system, and showed the surprised supervisor the forged messages.

The vast majority of modern electronic mail systems allow forgeries to be made very simply, and many major corporations and government agencies use electronic mail as a major means of inter-office communication.

Input Overflow In most implementations of higher-level computer languages, the most commonly used input routines do not check the length of input. Rather, they pack input characters into a finite-sized memory array starting at some memory location and continuing until an input terminating character is entered. If no bounds checking is done, it is easy for an attacker to create an input stream longer than the allocated area. The result is that the input data overwrites some other part of the computer's memory. Depending on what stored values the attacker overwrites, almost anything in the computer can be altered. This technique has been used in several attacks against electronic mail systems widely used in the Internet.

Illegal value insertion In many systems, illegal data values produce unpredicted behavior. For example, in some menu systems, entering a back-quote character (`) followed by a command, followed by another back-quote may result in the command being executed outside of the menu system. Similarly, by using the `.sy' precursor to a line in a mail message in some mainframes, it is possible to gain control over the entire computer. I actually did this once as a demonstration on a production mainframe computer used by a major financial institution.

Induced stress failures Most systems can only sustain a certain level of stress before they begin to make mistakes. This may seem like a uniquely animal problem, but almost all current information systems have similar difficulties. The reason has to do with the fact that in order to keep costs low and allow flexibility, systems are almost always configured to allow one thing to be traded off against another. In the telephone system, for example, during very high call volume periods, calls don't always go through, you may get connected to a wrong number, or you may even get connected into an existing call. All of these things have happened to me. By intentionally seeking out or creating these situations, systems may be maliciously attacked.

False Update Disks An increasingly common way to enter a system is by sending a free update disk for a product. Such updates are commonly installed right away and without question, as long as they look legitimate. By placing a Trojan horse on a fake update disk, an attacker can place whatever programs are desired into a system. For example, an attacker could insert a program to search for desired data and use electronic mail to leak the information. In one case, thousands of disks were sent to computer users who were subscribers to a popular computing magazine. Literature claimed that the disks included a questionnaire to see if the user was likely to have contracted Acquired Immune Deficiency Syndrome (AIDS). It may seem hard to believe that anyone would use such a disk, but several thousand users did. As a side effect, these disks encrypted on-line information and told the user to send money to get the repair program. [Cohen-Wiley] Many less obvious spoofing attacks have been carried out, and it is very easy to send a legitimate looking update disk to an unsuspecting user.

Network Services Attacks In modern computer networks, the underlying protocols used to provide remote services are almost universally insecure. In fact, there are now several automated tools that systematically break into remote systems to test protection. [Farmer] In many experiments, every host against which attacks are tried is taken over. For example, a widely published attack breaks into a significant percentage of all of the computers in the Internet by simply sending electronic mail. As a side effect, the mail program opens a terminal session for use by remote computers. The terminal session grants a high level of privilege to the attacker and does not produce the normal audit trails used to detect attacks.

Combined Attacks Many attacks can be combined together to achieve an attacker's goals. For example, network packets can be forged in order to get access to a computer from which a password file is extracted, analyzed, and legitimate passwords are derived. With these passwords, on-line files can be modified to allow reentry at a later time, and this system can be used to launch attacks on other systems. This example may seem obvious, but there are a lot of far more subtle combined attacks that are far harder to defend against.


A Classification of Disruptions

If anything should be clear from the examples provided in this chapter, it should be that a complete list of the things that can go wrong with information systems is impossible to create. People have tried to make comprehensive lists, and in some cases have produced encyclopedic volumes on the subject, but there are a potentially infinite number of different problems that can be encountered, so any list can only serve a limited purpose.

A vital lesson to learn about information protection is that the assumptions made in the design, implementation, and use of systems dictate the protection attained. Any time decision-makers use an assumption to make a protection decision, they leave open the possibility that the assumption will be violated and that the resulting protection will therefore fail.

Benny Hill said it well: ``When you assume, you make an ass of u and me.'' Having said that, I will now make some big assumptions.

The other side of the assumption coin is that when you make really good assumptions about protection, few, if any, avenues of attack are left open, and the cost of protection tends to be substantially lowered. In this book, I have taken the perspective that, regardless of the cause of a protection failure, there are three and only three sorts of things that can result:

In the parlance of the information protection field, these are called corruption of information, denial of services, and leakage of information. These terms are commonly shortened to corruption, denial, and leakage, respectively. Their opposites are called integrity, availability, and privacy (a.k.a. secrecy or confidentiality). For the purposes of this book, I will collectively call corruption, denial, and leakage disruptions and integrity, availability, and privacy, protections.


Corruption

Corruption is any illicit or unauthorized modification of information, whether by accident or intent. Since our use of the term information is broad, this is not limited to technological actions. For example, if a person enters unauthorized or incorrect information, this is a form of corruption.

Integrity is defined as soundness, purity, and completeness. [Webster] This would seem to be the opposite of corruption, and I will use the term in that way. In some cases, policy may state that integrity means that information correctly reflects an external reality in the model of reality used by the information system. Thus, integrity may go directly to the issue of information system design.


Denial

Denial of services is the failure to provide a service that should be provided as a matter of policy. Regardless of the cause, if service is denied when it should be provided, service is denied. Many policies have different levels of service and associated priorities, which is another way of saying that selective denial of services is acceptable under certain conditions.

The term availability has been narrowly defined in the field of fault-tolerant computing as the ratio of the mean time to failure (MTTF) to the sum of the mean time to repair (MTTR) and the mean time to failure, that is, MTTF/(MTTR+MTTF) or, in simpler terms, the portion of time over the life-cycle of a system that it is operating correctly. I use the broader meaning of the term.


Leakage

Leakage of information sounds like the information is in a jar, and there are holes letting it out. And that's just right. When information gets to places it's not supposed to go, it fits into my meaning of the term leakage. For example, when someone accidentally sends company confidential information in electronic mail that goes over the Internet, this is a leak.

Privacy is one of three common terms used to describe the opposite of leakage. The other two are confidentiality and secrecy. These terms have essentially the same meaning, and yet they carry very different connotations in different communities. For example, privacy is thought to be a very important thing in universities, while secrecy is widely considered counter to the goal of a university. In military operations, privacy is not permitted to the individual; however, secrecy is vital to military success. Lawyers will all stand up for client confidentiality, but when it comes to privacy, they commonly debate the issue on a case-by-case basis. All of this notwithstanding, the terms will be used interchangeably throughout this document.

One more note on privacy is in order. Many people think of privacy as not allowing someone else to disturb them. Our use of the term is intended to include this meaning as well. In essence, this sort of privacy is preventing leakage of information from the outside to the inside, and as such, it is another side of the same coin. A hole that lets water out of a jar can also let air in.


The Validity of This Classification Scheme

When I think about what I want information technology to provide me, I can sum it up in a few words:

Get the right information

to the right place

at the right time.

This seems to me to require that information be unaltered, pure, and reflective of the reality it represents, that desired services are provided, and that information does not get to the wrong place or go at the wrong time. In other words, integrity, availability, and privacy. I am hard pressed to think of any other words I could add that would both add content and represent my desires more accurately.

As an exercise for the reader, and to make certain that my message is getting across, I would like you to go through all of the accidental and intentional events described earlier and classify each of them in terms of this classification scheme. Many things may fall into multiple categories, but is there anything that does not fall into at least one of them? If not, the classification scheme has worked, at least to some extent.


The Disrupters

In the realm of intentional attacks, there are always live agents lurking somewhere in the background, for only living creatures have what is commonly called intent. I have often been asked who attacks computers. Here is my response:

Insiders

Many publications on computer security identify the most common source of intentional disruption as authorized individuals performing unauthorized activities.

Even the rather extensive clearance procedures used by the Department of Defense (DoD) have not proven effective in eliminating the insider threat. For example, in 1994, Aldrich Ames, a high-ranking official in the Central Intelligence Agency who was once responsible for Soviet counterintelligence, was found to be working for Russia. [Brodie] It is prudent to take additional measures to prevent, detect, and respond to insider attacks.

Accidental disruption is also commonly caused by insiders acting imprudently, and it is sometimes very difficult to differentiate between accidental and intentional disruption in this context. This implies that more stringent techniques may have to be applied to observe insider behavior and reliably trace the specific actions of individuals in order to detect patterns indicative of intent.

The most costly sources of insider attack seem to be executives, people who predominantly use application programs, programmers, and other employees in that order. Executives often have authority to cause enormous transactions and do so. [Cox] People that use applications seem to accidentally find ways through systems, such as the illicit return of goods method described earlier. Temptation in conjunction with a lack of fear of being caught leads to reuse of the technique for personal gain. For example, I was at a national appliance store chain recently, and got bored while waiting a long time for the completion of a credit check. I was sitting at a computer terminal, so I decided to look up my transaction. It asked for an employee ID, and I typed 112. It then listed me as some employee and let me modify the price of the item I was purchasing. I put in a note that said Great Guy, set the price back to the correct value, and told the salesman what I had done. At the checkout counter, my bill said Great Guy. If I were even a little bit unscrupulous, I could easily have left the altered price and probably nobody would even have noticed. If they had, I could have simply claimed that I knew nothing of it.

Programmers have technical expertise and access, but they are typically watched more closely by management and administrators than others, and it is far easier to trace an intentional program alteration to a programmer than to trace the exploitation of a design fault in the overall system to a data entry clerk or executive.

One reason it is easier to catch programming changes is that a programming change can be seen as an alteration with obvious effects, while the other activities described above are authorized by the design of the system. To see flaws that are the indirect result of design decisions requires the ability to step outside of the technical context of bits and bytes and understand the overall system view.
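As an added example, not code from the original text, here is how the distinction drawn above, between a single transaction that may be a mistake and repeated use of the same technique by the same ID, can be made mechanically from an audit trail. The log format, the sample lines, the employee IDs and the thresholds are all constructed for illustration; a real point-of-sale system would have its own fields and baselines.

```python
"""
Insider-pattern detection over a constructed point-of-sale audit trail.

Added example, not from the original text or any product. The log format,
field names, employee IDs and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). One event per line:
#   <ISO timestamp> <employee id> <terminal> <action> <sku> [old=<price> new=<price>]
SAMPLE_LOG = """\
2024-03-01T10:02:11 112 T7 PRICE_OVERRIDE SKU-8812 old=499.00 new=499.00
2024-03-01T10:02:40 112 T7 SALE SKU-8812
2024-03-01T11:15:03 207 T2 PRICE_OVERRIDE SKU-1044 old=899.00 new=89.00
2024-03-01T11:15:30 207 T2 SALE SKU-1044
2024-03-01T13:40:12 207 T2 PRICE_OVERRIDE SKU-3310 old=1299.00 new=129.00
2024-03-01T13:40:45 207 T2 SALE SKU-3310
2024-03-02T09:05:00 207 T2 PRICE_OVERRIDE SKU-7001 old=649.00 new=64.00
2024-03-02T09:05:21 207 T2 SALE SKU-7001
2024-03-02T09:06:00 112 T4 SALE SKU-2200
2024-03-02T09:06:30 112 T9 SALE SKU-2201
2024-03-02T14:00:00 331 T5 PRICE_OVERRIDE SKU-5555 old=200.00 new=20.00
2024-03-02T14:03:00 331 T5 SALE SKU-5555
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ev = {
            "ts": datetime.fromisoformat(parts[0]),
            "emp": parts[1],
            "term": parts[2],
            "action": parts[3],
            "sku": parts[4],
        }
        for kv in parts[5:]:          # optional old=/new= price fields
            key, val = kv.split("=", 1)
            ev[key] = float(val)
        events.append(ev)
    return events


def find_discounted_sales(events, window=timedelta(minutes=5)):
    """Pair each downward price override with a sale of the same item by the
    same employee at the same terminal inside `window`. Overrides that leave
    the price unchanged (like a note-only edit) are ignored."""
    hits = []
    overrides = [e for e in events
                 if e["action"] == "PRICE_OVERRIDE" and e["new"] < e["old"]]
    sales = [e for e in events if e["action"] == "SALE"]
    for o in overrides:
        for s in sales:
            same_context = (s["emp"], s["term"], s["sku"]) == (o["emp"], o["term"], o["sku"])
            if same_context and timedelta(0) <= s["ts"] - o["ts"] <= window:
                hits.append((o["emp"], o["sku"], o["old"], o["new"]))
                break
    return hits


def classify_employees(hits, repeat_threshold=3):
    """One discounted sale may be a mistake; repeated use of the same
    technique by one ID is the pattern indicative of intent."""
    counts = defaultdict(int)
    for emp, *_ in hits:
        counts[emp] += 1
    return {emp: ("repeated" if n >= repeat_threshold else "single")
            for emp, n in counts.items()}


def find_shared_ids(events, window=timedelta(minutes=2)):
    """Employee IDs active on two different terminals within `window`: a sign
    the ID is being guessed or shared rather than tied to one person."""
    by_emp = defaultdict(list)
    for e in events:
        by_emp[e["emp"]].append(e)
    shared = set()
    for emp, evs in by_emp.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["term"] != b["term"] and b["ts"] - a["ts"] <= window:
                shared.add(emp)
    return shared


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_discounted_sales(evs)
    print("discounted sales:", found)
    print("classification:", classify_employees(found))
    print("IDs seen on several terminals at once:", find_shared_ids(evs))
```

Two things fall out of the same trail: the employee who applied the same large discount three times and then sold the item, and an ID (here the guessable 112) that appears on two terminals within seconds, which is what you would expect when a shared or guessed ID rather than a person is behind the keyboard. A single hit is reported separately so that an honest mistake is reviewed rather than accused.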

Private Detectives and Reporters

Modern private detectives use information systems extensively to trace people and events. Private detectives now advertise their use of computers to track down spouses who haven't paid child support after a divorce. With a Social Security number, it is simple to track down more than 90 percent of people in the United States in a matter of minutes. Getting a name, address, employer name, credit report, home and work telephones and addresses, and other similar information is easy. States are even putting information about their citizens on computers, and this means you can trace many activities through the department of motor vehicles, the court system, the taxation system, and more.

Getting much more information is also possible, but it usually takes a bribe, which is not as unusual as you might think. I heard one news director say on the air that if the reporter couldn't get the details of a sealed court decision within 24 hours, they would get another reporter. In the recent Tonya Harding case, where an Olympic athlete was accused of plotting to assault an opponent, details of the plea bargain were known to the general public before the judge knew about them.

Consultants

Many companies use consultants in a wide variety of roles and, recently, outsourcing (the use of outside consultants to replace many of a company's employees) has become quite popular as a way to reduce the cost of information technology. These consultants, in most of their forms, provide part-time or short-term assistance. The problem is that there is no long-term motive for someone who knows they will be gone in a week or two to be protective of your technological resources.

Many documented cases have been reported where consultants have left time bombs or other potentially hazardous software in systems. A common theme is the claim that such measures are used to assure that their bill is paid. Of course, if someone does this, that person is breaking the law in most jurisdictions. It's called extortion. A far less obvious way consultants cause harm is by leaking details about internal operations.

Whistle blowers

Whistle blowers may be good or bad depending on your point of view, but a common thread is their desire to get evidence of the things they believe to be wrong within an organization. In the process, some whistle blowers remove documents that are confidential, illicitly access information systems, or perform other functions that are not in keeping with the protection policy.

Hackers

Hackers (as opposed to crackers) are basically thrill seekers who use information technology rather than fast cars or bungee cords. They spend their time learning how systems work at a deep level and exploit this information to roam the information highways seeking out adventure. They have bulletin boards for sharing information, regular meetings, and perhaps the most famous of their efforts is the quarterly hacker magazine 2600.

All of this information is widely known in the computer security community. For example, the Risks Forum, which is accessible via the Internet, has a far more extensive list of attack techniques and details than this magazine, and it is considered completely legitimate, while 2600 is viewed by many as an underground publication. [Risks]

Club initiates

A recent trend in Europe has been the initiation of youngsters into computer clubs based on their ability and willingness to create computer viruses that aren't detected by popular computer virus detection programs. One of the side effects is the creation of a large number of fairly trivial variations on known computer viruses. Although many people in the antivirus market seem to fear these groups, any reasonably good virus defense can protect against these variations fairly simply.

I feel compelled to keep this in perspective. Gangs in the United States have initiations that, according to media reports, require youngsters to have unprotected sex with someone who has AIDS. This is the modern version of Russian roulette, a game wherein one bullet is placed in a six-shooter, the barrel is spun, and the player points the gun at their head and pulls the trigger. Other initiations include robbing a store, shooting a member of a rival gang, or illegally carrying drugs across a border. By comparison, the modification of a computer virus seems pretty mild.

Crackers

Whereas hackers are generally gentle in their illicit use of information systems, crackers are not. Crackers are professional thieves who steal through illegally accessing information. Safe crackers take valuable goods from physical safes, while computer crackers take valuable goods from or via information systems. As an example, in most large financial institutions, it is possible to transfer large amounts of money, stocks, bonds, or other fungibles by simply getting the attacker's information to the right place at the right time. Electronic funds transfer (EFT) fraud is usually for a high dollar value, occurs in well under one second, and is untraceable if done properly.

A few years ago, an information technology version of Charles Dickens' Fagin was arrested. In this case, a woman had been seducing young male crackers into performing theft by electronic means. She kept most of the money and kept the young men hooked by tempting them with a dream lifestyle.

Tiger teams

A tiger team is the computer security parlance for a team of expert attackers who break into computer systems (usually) with the permission of the owner. Tiger teams are fairly widely used to test security systems, but as a rule, this is a waste of money. In almost every case, a decent tiger team can defeat the protective measures put in place. But this does not necessarily mean you should enhance protection. The real reason for tiger teams is to demonstrate weaknesses to upper management in a believable scenario. In this way, the information technology staff can scare managers into allocating more funds.

If all was right with the world, top-level managers would have a healthy respect for their dependency on information technology and its limitations, and it wouldn't be necessary to use these tactics. The dangers of this approach include offending top-level managers, providing attackers with knowledge on how to attack systems, and opening windows of opportunity for attackers to exploit.

The real problem with tiger teams is that if they don't find anything, it does not mean you are safe, only that they couldn't break in. None of the tiger teams used before the early 1980s ever tested a computer virus attack because viruses were unknown at that time. Today, few tiger teams test network attacks that will probably dominate the high quality attack technology over the next 10 years.

Competitors

Financial gain is one of the major motives for murder. If someone is willing to commit murder for tens of thousands of dollars, why would they hesitate to break into a computer for even more?

I was recently working on a proposal for a government contract that could be worth more than a billion dollars. I noticed that the information system they were using to do the proposal was a personal computer kept in a relatively insecure location, and networked over a relatively insecure network to other PCs throughout the United States. This seems to be fairly typical of big business, and it indicates a serious lack of concern that could substantially impact the outcome of government bids.

Examples of competitors launching attacks include the efforts by Hitachi to get IBM technical information in the 1980s and the French government's assistance of French companies in getting information from executives of other nations. [Alexander2]

Maintenance People

Many incidents of computer viruses seem to start when someone enters a facility to do maintenance of a network-based PC or printer. They may come from another site which had a virus. Instead of going through a cleaning process, they simply load their (newly infected) maintenance disks into your computer and do their maintenance tasks. But this is only the accidental path for maintenance.

It is now a common technique for attackers to dress and act as maintenance people in order to gain unrestricted access to a facility. This is so commonly known that it has been used almost universally in television shows and movies for more than 20 years, and yet, this technique still works in many organizations.

Professional Thieves

People who steal money for a living have recently started to learn how to use computers in their work. Willie Sutton (the famous bank robber) was once asked why he robbed banks. His answer: ``That's where the money is.'' That's no longer true of course. There is far more money transferred electronically now than was ever held in bank vaults. Just to give you a perspective, the average bank transfers its entire assets in electronic funds transfers between two and three times per week. In other words, if you could forge transactions over a two-day period, you could take all the money from the average bank.

Professional thieves are catching up to technology. It is now normal to read about tens of millions of dollars being taken in an EFT fraud. As an example, there are currently two unsolved EFT thefts from 1989 worth more than 150 million dollars each. [Cox] Information systems are clearly where the money is now.

A lot of people have suggested the use of information networks to allow remote home security systems to be enabled, to provide remote observation, and to allow remote activation of such things as coffee makers and ovens. But the same technology can potentially be exploited by people wishing to break into a home.

Professional thieves use a wide variety of indicators to determine when someone will be where and exploit these indicators to decide when to strike. To the extent that people place indicators of this information on networks, they provide thieves with the most important information needed to thrive.

Hoods

Hoodlums are more prone to extortion, kidnapping, beatings, and these sorts of things than the subtleties of electronic thievery. In order for them to keep up with the high-class thieves, they have to find newer and better ways to extort money. One of the ways is by controlling garbage disposal.

In one recent case, hundreds of millions of dollars worth of old bond certificates were improperly disposed of by a gang of hoods. The certificates were taken from New York to a New Jersey warehouse, and from there, they were distributed to sales people throughout Europe and sold to investment bankers. What's the information technology issue here? It turns out that old certificates are listed in information systems so they can be differentiated from new and valid certificates. But between the European Community and the United States, there is a significant delay, and the information systems are not used as much as they should be. Thus, the right information did not get to the right place at the right time to prevent the fraud from succeeding. This is also an example of how people can exploit timing problems in current information systems.

Vandals

Vandalism is a relatively simplistic activity carried out with the main purpose of causing arbitrary harm. In most cases, vandals don't have a clear understanding of the value of the things they are damaging when they do damage.

In one case I discussed with executives at a large company, the vandal was a union employee who repeatedly smashed video display terminals on the production floor with a hammer. He did it in plain sight during working hours, but the company could not invoke sanctions because the union supported the worker and the company couldn't afford a strike over a broken video terminal every week. Internet vandals regularly delete all of the files on systems they enter.

Activists

Activists have disrupted information systems to bring attention to causes. Although this has not happened as much recently, in the 1960s it was a widely used tactic by anti-war activists in the United States. [Campbell]

Environmental groups, such as Greenpeace, have used physical means to prevent whaling and sit-ins to prevent opening of hazardous waste destruction facilities. It is certainly not beyond the realm of possibility that they would use computer networks to get their message across. For example, it would be a simple matter to cause messages to be displayed throughout the Internet or to dominate the computerized messages sent through America Online used on such television shows as CNN's Talk Back Live. This is an ideal venue for activists because they can get their message across while remaining essentially untraceable.

Crackers for Hire

Sometimes crackers are hired by other criminals to carry out jobs that involve special technical expertise. This represents a potent combination of high-powered talent and strong financial backing.

It is a good thing that most crackers aren't really as expert as they put themselves up to be. On the other hand, almost all current information protection is so weak that you don't have to be a real expert to get the job done.

Deranged People

Many people in society are deranged. Some of them use information systems to exercise their behavior. Widely publicized recent examples include computer stalkers, who use computer networks to locate, track, and stalk victims. In one case, a person seeking homosexual encounters with young boys used computers to entice them. In another case, a man stalked a woman and threatened to kill her over computer networks. The Internet is increasingly used by deranged people for this sort of activity, and it is very easy for them to do this anonymously.

Another area where computers have been used for a long time is in the area of pornography. If people are allowed to communicate without restriction and privately over computer networks, how does the state prevent pornographic information from being distributed in an electronic form? The balance between freedom of speech and the right of privacy also comes into play in light of recent cases where unauthorized pictures of women in toilets, dressing rooms, and tanning booths have been duplicated and sold in underground markets.

Organized Crime

When criminals organize, they become far more dangerous than when they are acting alone. They tend to have far more money, a wider diversity of talents, and a less risk-averse perspective. Organized criminals don't seem to have a problem with killing people that interfere with them, but they do have another big problem. The high overhead of organized crime makes it imperative that they generate a lot of regular income in order to sustain operations. This forces them to steal higher dollar values per crime or to commit more crimes per member than independent criminals. The former approach seems to be preferred because of the high risk and increased work load involved in increasing the per member crime rate.

In one recent report, it was found that organized crime is now paying about $10,000 per PC to have the PCs of top-level executives in large corporations stolen. Since the PC itself is worth far less than that much if purchased new, it is clear that the criminals are paying for the information and not the hardware. This is likely an attempt to make their crimes more profitable on a per crime basis.

Drug Cartels

Drug cartels are typically oriented toward a few specialty crimes: smuggling, drug sales, and homicide. Because of these limits on their activities, they tend to be far more protective of market share than many other criminals. Computers are increasingly being used by law enforcement to track cartels and store information on informers. Meanwhile, the cartels are increasingly using computers and high quality encryption technology to hide their activities. Information systems are also vital to the money-laundering activity required in order to turn drug profits into usable funds on a large scale.

Recent changes to international laws have been designed specifically to help trace the money-laundering activities of drug cartels. Whereas a few years ago, you could simply transfer funds through four or five countries before the process became untraceable, the process now requires that more countries get involved, and the number of countries that allow transactions to remain hidden from law enforcement is quickly reaching zero. The day may soon come when all financial transactions are directly reported to the government and analyzed by computers. This is already true of most transactions valued at more than a few thousand dollars.

Terrorists

Terrorists have historically gone after airliners, office buildings, and government offices because of their high profile and paralyzing effect. The great promise of info-terrorism lies in the large-scale impact, the minimal harm to people, the enormous financial effect, the ease of carrying out attacks with a small number of attackers, and the low risk of being caught.

One shot in the info-terrorist war was fired in New York when the World Trade Center was bombed, [Gladwell] but there are many other less widely reported incidents. For example, London has a lot of bombings directed against financial institution facilities which consist primarily of information systems. [Musacchio]

Spies

Spies have existed for at least as long as governments have existed, and their main purpose is, and has always been, to gather information from the enemy and provide it to friendly forces, and to corrupt enemy information so as to confuse and misdirect the enemy's efforts.

Spies exist at the corporate as well as the national level, with corporate spies being far less noticed and less pursued.

Among the numerous cases of electronic eavesdropping for leaking information, the case documented by Cliff Stoll in his best-selling book The Cuckoo's Egg is one of the best known, [Stoll] [Stoll91] but not one of the most severe. One of the most severe cases was discovered long after the six-month limit on storing audit trails made tracing the attack to its source impossible. In this case, many sites were entered with unlimited access. It is impossible to even assess the damage at this time. [Brewin] [Messmer]

In another recent case, Mr. Aldrich Ames, a top-level counterintelligence expert at the CIA, was found to be a spy for the former Soviet Union and, after the breakup of the Soviet Union, for the Russian government. According to recent reports, Mr. Ames may have sold information to the Russian government about secret key-escrow technology used in the Clipper Chip [SecInsider] touted by the U.S. government as a way to have secure communications within the United States while granting law enforcement the ability to tap into conversations when they have a warrant. Ames also accessed classified databases with information on undercover agents posing as businessmen in Europe. [WashTimes]

Police

Police powers to wiretap have been a controversial subject in the United States for a long time. A recent Supreme Court ruling indicated that listening to the radio signals of portable telephones without a warrant is legal. [WashNews] Cellular telephones are not included in this ruling for now, but the Federal Bureau of Investigation (FBI) has been trying to outlaw encryption of telephone calls for a long time. [Wayner] The court has also ruled that it is legal for the government to track the telephone numbers of all telephone calls to determine who is calling whom, and when. [Mosquera]

With these expanding police powers to search and seize otherwise private information, the right of privacy is rapidly waning. The way the law works today, you have a right to privacy if you have a reasonable expectation of privacy. Since you now know that your privacy in telephone conversations is limited, your expectation is lower, and as a result, you have less of a right.

Government Agencies

Government agencies are increasingly using intrusive means to access private information. The use of these techniques increases with the size of the agency, so that local governments virtually never use this sort of information, while the federal government has taken a quite intrusive position. For example, all international telephone calls can now be monitored, digital communications are commonly collected, and the government is pushing for regulations that would allow telephone taps to be instituted nearly instantaneously and without the telephone company being involved. In the cable networks, which are rapidly starting to provide bidirectional communication and computation services, the rules are unclear, but the government is pushing toward regulations that would permit unlimited eavesdropping on communications.

Among the possibilities for these media are the observation of video telephony, tapping of transactions going to and from bank accounts, tapping of contractual business transactions, and the use of audit trails to characterize peoples' behavior. The claim is that this is necessary in order to keep up with high-tech crime, and there are strong arguments on both sides. A possible scenario might help.

Suppose people start selling interactive videophone sessions with naked children. This would be considered pornography by many standards, and would presumably be subject to laws about obscene materials. But to tell if someone is doing this may require tapping of the line, which would presumably be a violation of privacy. Is it truly the right of the government to observe all communications in order to detect crimes? Suppose I call my wife over the videophone and we get naked and play some sexual game. What right does the government have to control or observe sexual behavior of a married couple? How can the government tell one sort of behavior from another and how can it assure privacy of one and observation of the other?

What if the government only tracks lists of services provided to each individual? Would such a database violate personal privacy? Suppose the tracking included lists of people who called doctors who primarily deal with the treatment and cure of sexually transmitted diseases. If the information got out, it could be quite embarrassing, but more importantly, it could be used to blackmail people. Even more importantly, it's nobody else's business. Perhaps in the information age, there will be no privacy of this sort anymore.

Infrastructure Warriors

In the information infrastructure, war takes on a different meaning. Infrastructure warriors seek to destroy infrastructure so as to disable the enemy's ability to sustain long-term military capabilities.

Some examples of infrastructure war include destroying the electrical power grid to cause electrical failures, destroying the water supply to kill or disable large segments of the population, elimination of telecommunications capabilities to make it impossible for the enemy to coordinate efforts, and destroying the highway system to make travel inefficient.

The implication should be clear. Infrastructure must be protected because it is a highly vulnerable and highly critical element of the overall economic and military success of any nation.

Nation States and Economic Rivals

A number of countries have computer security groups and some of these are working to certify operating systems, hardware, and software. This demonstrates that these countries are working to discover flaws in existing products and that they are aware of specific techniques by which these systems can be disrupted. European participants in ITSEC (Information Technology Security Evaluation Criteria) include England, Netherlands, France, and Germany, [NRC, App. E, p. 283] with Italy beginning to join in. Russia, Japan, China, Australia, New Zealand, Singapore and South Africa are also countries with certification and/or active computer security interest.

A number of countries participate in the world market for telephone and data switching systems, and can be assumed to have the knowledge to disrupt telephone and data networks based on their design, manufacturing, and deployment expertise. Companies marketing Private Branch eXchange (PBX) or central office (CO) equipment include Hitachi, NEC (Nippon Electric Company) and Fujitsu (Japan), Ericsson (Sweden), Alcatel (France), and Siemens (Germany). [Trades] The United States depends on systems from these manufacturers for information assurance in telecommunications.

A talk by Wayne Madsen presented at IFIP SEC '90 (International Federation of Information Processing Societies annual Computer Security Conference) in 1990 provided a rating of various countries' ability to engage in computer ``hacking'', and the information that intelligence services were apparently becoming engaged in economic intelligence for business organizations. [PS] More than 30 countries are given excellent ratings in computer-communications espionage, meaning they almost certainly have sufficient expertise to corrupt computer and network data and disrupt operations. Among these countries are India, Taiwan, Republic of Korea, China, Japan, and South Africa. [Madsen]

Project Rehab, operated by Germany beginning in 1988, is a computer and network intrusion research effort which has accessed computer systems in the U.S. and other countries. The project depends on ``hacker'' techniques and other research, and has approximately 36 computer specialists and senior intelligence officials assigned. A primary focus is on cataloging network addresses and establishing pathways for later use. [PS]

Military Organizations

95 percent of DoD telecommunications capability is provided by public networks owned and operated by common carriers. [SECA] These are the same networks that will be used in the NII. [NMSD] This means that in wartime, information infrastructure attacks against military targets will necessarily cause disruption to civilian systems.

In military operations, the requirements for survivability are far more severe than in nonmilitary systems, and the losses when information systems fail are in terms of human lives and the future of nations.

One area where military efforts have paid off is in the use of electromagnetic pulses to destroy information processing equipment. In the most widely described scenario, the electromagnetic pulse caused by nuclear weapons travels over communications wires to destroy information systems for hundreds of miles around. The Ground Wave Emergency Network (GWEN) is the only U.S. strategic defense communications system hardened to survive a high-altitude electromagnetic pulse (HEMP). [AvWeek2]

In a much less spectacular example, cars parked about 300 meters from an electromagnetic pulse (EMP) generator test had coils, alternators, and other controls disabled. The former Soviet Union developed an EMP weapon before its breakup, and nuclear EMP hardening has proven ineffective against this weapon. [Fulghum] In the United States, a Los Alamos EMP generator produced a 12 to 16 million amp pulse, with a rise time of 400 nanoseconds. Some 16 x 40-inch generators have produced about 30 million amps of current. [Fulghum2] A generator of this sort could disable almost any current electronic information system at a substantial distance by damaging internal components.

There is some difficulty in deciding whether enough shielding has been used against electromagnetic interference (EMI). EMI was suspected in Army Blackhawk helicopter crashes, since the Navy version has more shielding and fewer crashes. [Brewer]

One paper published in 1989 compares computer viruses to traditional electronic counter measures and states that computer viruses are uniquely qualified to disrupt tactical operations; that several recent trends in military electronic systems make them more vulnerable, including standard computers, software, and data links; and that protective measures must be initiated before viruses are used by an adversary. [Cramer]

Limited direct evidence exists for associating virus discovery locations with virus origins (e.g., language particulars and programming styles) and there is a substantial body of indirect evidence in the form of discovery location statistics that suggests that disruption technology and expertise exist in many nations. One study associating virus discoveries with countries gave the following results:

 Country        Discoveries   Country      Discoveries
 Former USSR             76   Canada                23
 United States           68   England               22
 Bulgaria                61   Taiwan                16
 Poland                  38   Sweden                16
 Germany                 30   Israel                15
 Netherlands             26   Spain                 14
 Italy                   23   Australia             14

From 3 to 10 viruses were first discovered in Argentina, Austria, Finland, France, Greece, Hungary, India, Indonesia, Malaysia, New Zealand, Portugal, Republic of South Africa, Switzerland, and Turkey. [Preston3]

Vendors of anti-virus software normally have detailed knowledge of computer operations and large collections of viruses to study. Anti-virus software vendors are in place in the U.S.(5), Israel(3), United Kingdom(3), New Zealand(3), Holland(3), Australia(3), Thailand, Iceland, Canada, Colombia, Sweden, and Ukraine. [Slade]

Another indicator is the countries of residence of speakers at the International Computer Virus and Security Conference, held in New York City each March. In 1992, technical talks were given by representatives from Germany(3), Bulgaria, Belgium, England(2), Iceland, Russia, Australia, Mexico, and Israel. [DPMA93] Authors of anti-virus hardware and software can also be found in China, India, Taiwan, Japan, Malaysia, several CIS (the former Soviet Union) countries, and others.

It is clear from computer virus information alone, that many countries of security interest to the United States have knowledge and technology in the computer virus arena that could be directed specifically to disrupt the information infrastructure of the U.S. military.

Information Warriors

Information warfare can be practiced by small private armies, terrorist organizations, drug lords, and even highly motivated individuals of modest means. This may represent a fundamental shift away from the notion that the hostile nation state is the major threat the United States has to be concerned with. [Drucker] [Tofler] [Creveld2] [Tofler2]

Five books on computer viruses, including two that are tutorials on writing viruses, discuss military use of viruses. [Hoffman] [Ludwig] [McAfee] [Burger] [Ferbrache] A recent popular novel has the central theme of crippling attacks on U.S. computers by means of viruses, computer terminal eavesdropping, high-energy radio frequency `guns', and electromagnetic pulses. The author's virus examples are not as subtle or malicious as a real attack by experts. [Schwartau] An interactive movie on CD-ROM, released in October 1993, illustrates information warfare against the U.S. It includes details about crippling and corrupting time standards, which affect precision weapon targeting and long distance telephone switches. [Xiphias]

The Chaos Computer Club in Germany maintains an annotated list of the Internet addresses of U.S. DoD command, control, supply, and logistics computers on one of their computer accounts in Germany. [Simon] Apparently selected from hundreds of publicly available military computer Internet addresses, listed systems are primarily Army, Navy, and Air Force logistics, computer, communications, and research sites. This listing is not kept in publicly available bulletin boards throughout the world, but access to it was attained via an international connection.

In order to detect attacks and test out defenses against them, military and commercial organizations have created tools to test for known defects. [Farmer] Information warriors now have tools that automatically perform attacks against infrastructure targets. These tools are almost always successful in today's environment (in one test the success rate was over 99.9%), and this is without human effort. With human effort and adequate resources, every current system is vulnerable.


Motivation

We now know what sorts of things are done and who does them, but there is another issue of motive. Many people I have talked to have a hard time understanding why anyone would do such a thing, and ask me if I could explain what percentage of people do what for what reason. In response, I offer here some of the motives I have encountered, but I caution you that there are no valid statistics on even the number of attacks underway today.

To some readers, this section may seem redundant, and to some extent it is, but motive is a very important and often overlooked issue in information protection. As any judge will tell you, motive, opportunity, and means are necessary components of proving criminal behavior. Without understanding motive, we may miss the opportunity to prevent and detect attack, and we will certainly miss a key component of understanding the challenge of information protection.

Money or Profit

Whether it is destroying another company's information systems to make them less efficient or taking money through electronic means, greed is one of the strongest motives seen. After all, people are willing to kill for far less than the average computer criminal takes in a funds transfer fraud.

Fun, Challenge, and Acceptance

Many hackers enjoy finding ways to get around restrictions. The ability to do something nobody else knows how to do is often used to show off, whether it is popping a wheelie or breaking into a computer. Some thrill seekers love the challenge of holding a global corporation at bay, and there is a certain sense of power and satisfaction in this sort of David and Goliath struggle. Still others use computer attacks as a way to be accepted into a hacker group in the same way as people use shooting other people as a way to get into an inner city gang. A good example is the hacker club in Germany that requires a unique virus be generated as a condition of membership.

Vengeance or Justice

Vengeance is often considered justice by the vengeful. It doesn't matter which way you view it, the important thing to understand is that people who feel justified may use any means to attain their ends, and certainly information system attack is widely considered justifiable. A good example is the case where two hacker groups in New York turned each other in because they each felt the other had insulted their honor.

Mental Illness

People who launch extremely malicious computer viruses are, in essence, randomly destroying other people's work. This sort of random destruction, if encountered in the context of shootings, would probably be associated with a mental illness, or at least with some sadistic tendencies. One of the most widely recognized areas where sadism seems to be the motive is in computer virus attacks where viruses are spread without specific targets and programmed to do mass destruction of data. [Cohen-Wiley]

Religious or Political Beliefs

Zealots who believe that God is on their side have been around since the concept of God was introduced. In their minds, almost anything can be justified if it is God's will or for a heavenly cause. The Crusades were one example of this. Another example is fanatics in the United States who believe they should murder doctors to prevent abortions.

A similarly powerful motivation for breaking the law is the National Interest. A good example is the Watergate case where Republicans working for the President broke into Democratic headquarters to get strategic planning details. The Iran-Contra affair is another example of this. It turns out that in the Iran-Contra affair, Oliver North was caught partially because, although he deleted electronic mail that indicated possible guilt, the computer security system had backups that stored copies of that mail. [JShannon]

Clearly, people who are willing to do these things will also be willing to exploit information systems to their advantage.

Self-Defense

When animals believe they have been backed into a corner, their fight or flight response is limited to fighting. The situation of an employee who feels about to be fired, of a company in heavy competition, or any number of other circumstances may come to be viewed as a matter of self-defense, and this may result in abuse of information systems. A good example is the common use of time bombs by programmers as retribution for being fired.

Testing

Tiger teams exist to test protection systems. They are generally paid to demonstrate weaknesses. Similarly, researchers perform experiments on systems to test protection weaknesses. In these cases, the attacks are almost always legitimate and authorized.

Coercion

People can be coerced into action by all sorts of things. Their children can be kidnapped, their sex lives can be documented for possible release, and the list goes on and on. Under coercion, people may do whatever it takes to attack an information system.

Military or Economic Advantage

Nations commonly exploit information systems to their military and economic advantage. In the Gulf War, the United States destroyed Iraq's information infrastructure in order to win the war. [Campen] France sponsors eavesdropping as a national policy to help their corporations compete. [Alexander2]

Gathering or Destruction of Evidence

Whether it's the police, a whistle blower, or simply someone trying to get ahead in an organization, people commonly use information systems to get the evidence on others. On the other side, people who don't want evidence found have a tendency to try to destroy records in information systems. Again, the Oliver North incident comes to mind.


The Magnitude and Scope of the Problem

One quarterly report of large-scale disruption incidents for the fall of 1993 includes a Federal Aviation Administration (FAA) computer systems failure delaying regional traffic for 90 minutes (the cause is still unknown), an FAA weather computer system failure for 12 hours due to a time-activated logic bomb, a programming error in an X-ray system that resulted in wrong dosages to about 1,045 cancer patients, and a software error that crashed the Hamburg Integrated Services Digital Network (ISDN) telecommunications services for more than 11 hours. This is only one of several similar publications that report such incidents. [edpacs]

Lapses in policies and procedures seem to be common for major software manufacturers. As an example, in 1992, Novell released a virus to thousands of customers when it noticed after quality control was completed that a key file was missing from the master distribution disks then being transported to the disk duplication facility. Instead of returning to the quality control process, the person transporting the disks for duplication loaded the file from the most convenient computer, which by chance, contained a virus that was transferred to the floppy disk. The disk was sent to duplication, packaged, and shipped to customers. [DPMA] The disks were apparently never tested at random after duplication for problems, the disks en route to the duplication facility were not sealed or permanently write-protected, the personnel were not properly trained, and the initial quality control process never detected that the correct file was not on the disk.
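The procedural gap in the Novell incident is that nothing re-verified the distribution media against the quality-control master after QA signed off. The following added example (not from the original text or from Novell) shows the check that would have caught both failures: a manifest of file hashes recorded at QA time, and a comparison that reports files missing from the media as well as files that no longer match the master or were not on it at all. The file names and contents are constructed for the demonstration.

```python
"""Release-media integrity check against a QA-time manifest (added example).

A golden master that passed quality control is hashed into a manifest. Any copy
that leaves for duplication is compared against that manifest, so a missing file
is detected, and a file "restored" from an uncontrolled machine is detected
because its hash no longer matches the master (and any companion file that
arrives with it shows up as unexpected).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large distribution files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Compare a media directory against the manifest: missing, modified, unexpected."""
    actual = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest.keys() & actual.keys()
                           if manifest[p] != actual[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict:
    """Constructed re-enactment (not Novell's data): QA master, then a shipping copy
    that lacks a key file and is later 'repaired' from an arbitrary machine."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp, "golden")
        golden.mkdir()
        (golden / "INSTALL.EXE").write_bytes(b"MZ" + b"\x00" * 64)
        (golden / "NET.CFG").write_bytes(b"LINK DRIVER NE2000\n")
        manifest = build_manifest(golden)          # recorded when QA signs off

        shipped = Path(tmp, "shipped")
        shipped.mkdir()
        (shipped / "NET.CFG").write_bytes(b"LINK DRIVER NE2000\n")
        before = verify(shipped, manifest)          # key file is missing

        # Restoring from an uncontrolled machine: the file differs from the master
        # and a companion file rides along with it (both constructed).
        (shipped / "INSTALL.EXE").write_bytes(b"MZ" + b"\x00" * 64 + b"constructed-tail")
        (shipped / "STEALTH.COM").write_bytes(b"constructed companion")
        after = verify(shipped, manifest)
        return {"before_restore": before, "after_restore": after}
```

Either report is a reason to return the media to quality control rather than proceed to duplication.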

AT&T reports that it knows of being probed more than once per day from the Internet. [Bellovin2] Digital Equipment Corporation provides similar data. [Ranum]

Some consultants have suggested that companies interested in how often they will be attacked place a honey pot, a system put in place to be attacked, on the Internet and watch to see how often it is attacked. According to some people who have tried this, they are attacked more than once per day and usually the attacker cannot be traced. After a Sun employee described some relatively sophisticated network attacks against Unix-based computers, Sun had to shut down its internal network for a week because of outside penetrations they were unable to stop without isolating their internal networks from the rest of the world. [Schmitz]

In 1994, the Internet was attacked and passwords to about 100,000 systems were stolen by listening to network packets. At the same time, the DoD was under a concerted attack that persists through the time of this writing. In this case, compromised systems included those used for ballistic weapons research, aircraft and ship design, military payroll, personnel records, procurement, electronic mail, supercomputer modeling of battlefield research, and computer security research. [AP] Although none of the released information was classified, information was apparently corrupted in unknown ways and services were denied at times. The attackers have not been caught yet, despite more than a year of ongoing attack after they were detected and some six months or more of attacks before they were detected.

Today's information-processing components consist largely of low-assurance computer systems. Every general-purpose DoD and civilian computer system tested so far has proven vulnerable to disruption. [Cohen-Wiley] Many existing DoD information-processing components don't even meet nominal business operational control requirements common throughout industry. For example, a recent GAO audit to determine if controls in large data centers were adequate to assure data integrity showed:

``... that both [Cleveland and Indianapolis] DITSO Centers had serious deficiencies [that would] allow any knowledgeable user to gain access to pay data, and to add, modify, or destroy it, or accidentally or intentionally to enter erroneous data, without leaving an audit trail.'' [OIG]

A degree of assurance in existing DoD systems is provided by their physical isolation from an integrated network, but in most industries, communication is given priority over protection, and isolation is a rare exception, not the rule.

It is vital for decision-makers to understand that these newly connected systems are vulnerable to disruption of a wider variety from more sources and make suitable investments in protection to offset the increased risk.

``Just how vulnerable our networks have become is illustrated by the experiences of 1988: There were three major switching center outages, a large fiber optic cable cut, and several widely reported invasions of information databases by so-called computer hackers.'' [NRC, p. 2] One outage in 1991 affected millions of customers and temporarily disrupted air traffic control centers in New York (which caused slowdowns in much of the northeastern United States and across the nation).

Protection of individual devices operating point-to-point is well within modern technology, but the overall end-to-end communication requirement is far more complex. Most commercial networks have little or no coverage against intentional disruption and commonly fail from software errors and from mischievous and malicious attacks. [FCC-NRC] [Alexander] [NRC] [NRC-Nets]

Major concerns about network assurance come from several sources. Current network management information assurance standards are incomplete and have only addressed authentication requirements. [GNMP] Current network assurance standards only address authentication. [NIST-OSS]

The Government Network Management Profile's (GNMP) primary goal is to develop interoperable products [GNMP] to allow network managers to remotely monitor and control network resources residing on network components developed by different vendors. This interoperability goal makes the network management system vulnerable to disruption. From network management sites, the entire network could potentially be disrupted. A good example is that most of the major telephone networks have one or at most two network management sites that control all long-haul switching. A simple attack on three or four sites could disrupt the vast majority of communications in the United States for a substantial period of time.

The consolidation of the DISN network management into a hierarchical network management system was originally designed to make it possible for a network management center in one domain to ``cut through'', monitor, and directly control another domain. This could potentially be done without the authority or knowledge of any intervening network managers despite the authentication between sites. [MIL3800] Unless specifically addressed, this may allow a single attacker to disrupt the whole network. [OSD-c3i] The same situation currently exists in most telephone and cable company networks. More recent designs have moved toward a system of centralized monitoring and decentralized control via authenticated messaging to vendor-supplied data centers.

There is no current plan for creating a separate and different network management capability that can operate when the NII itself is not functioning. The absence of such an external control capability has historically proven to be a serious weakness, as the Internet virus of 1988 clearly demonstrated. [InetWorm] [InetWorm2]

Current network management systems typically address known faults in known ways. [Lewis] Some systems recover from high probability errors, [Cochran] while others detect and recover from large numbers of burst errors, [Civanlar] but intentional attack is rarely treated in the available literature.

Local area networks (LANs) are highly vulnerable to attack from any point on the network, [Cohen-93] as well as from outside networks connected through routers, gateways, or bridges. Some recent advances have provided costly and complex partial solutions to this problem, [Bellovin2] [Ranum] [Cheswick] but none of these solutions is comprehensive or feasible for use in an average computer facility.

Internet service providers commonly offer access to the Internet by providing leased lines between their local sites and public access points, computers that interface between user sites and the leased lines, and essentially no added protection. Thus, anyone who signs up with one of these service providers is leaving the protection to a service provider that profits from reduced cost more than anything else. In some rare instances, service providers offer protection services as a competitive advantage, but the market has not flocked to these service providers over others yet, and the protective services they offer are certainly not well designed for each client on a case-by-case basis.

Existing infrastructure components have well-known and easily exploited vulnerabilities to disruption, but even if these components were individually strengthened against disruption, they would not necessarily provide information assurance when networked together. The combination of otherwise assured systems in an assured network environment can lead to an overall system that is not assured. In one case, two systems that were independently safe against corruptions by a particular computer virus were both disrupted by that virus when they were networked together. The cause was a mismatch in the way integrity was implemented and the way peer-to-peer communications works in modern networks. [Cohen-Wiley] There is still no overall theory of how to safely connect network components, but in the limited cases where connection safety is understood, unsafe connections should be avoided. [Cohen87] [Cohen87-2]

Simply bolting together a variety of information security features doesn't solve the protection problem.

To get synergistic benefits by combining information assurance features, they have to be properly combined, and this is not yet a well understood phenomenon. [Cohen-Wiley] In most cases, rather than enhancing protection by combining features, the entire system is only as strong as the weakest link.

The people who architect infrastructure must come to understand this issue and exploit that understanding to provide adequate information assurance.


It would take quite an effort to characterize all of the incidents listed in this book in terms of their financial impact, but a short table including relatively well-confirmed major losses cited earlier should serve as an indicator of the situation today.

 Item                          Annual cost estimate
 Denial of services attacks    $4B
 AT&T Toll Frauds              $2B
 Other Toll Frauds (est)       $2B
 FBI reported computer crimes  $2B
 Total                         $10B

Less well documented losses include the 900 million break-in attempts per year over the Internet, unreported and undetected computer crimes, and all manner of other losses.


fred at all.net