[iwar] [fc:Information.Warfare]

From: Fred Cohen (fc@all.net)
Date: 2001-10-24 13:25:38
Next message: Fred Cohen: "[iwar] [fc:Hacktivists.take.sides.in.war:.GForce.is.one.of.the.most.prolific.hacker.groups]"
Previous message: Fred Cohen: "[iwar] Heads up (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <200110242025.f9OKPcR13620@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Precedence: bulk
Date: Wed, 24 Oct 2001 13:25:38 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Information.Warfare]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Information Warfare

By David H. Freedman, Tech Review, 10/24/2001
<a href="http://www.techreview.com/magazine/nov01/freedman.asp">http://www.techreview.com/magazine/nov01/freedman.asp>

Breaking into networks is more than a joyrideit's the coming mission of
criminals, industrial spies and terrorists.  Can new security techniques
stop them?

The middle-aged mancall him Johnpeered at the numbers rolling across his
computer monitor, which provided the only illumination in the cramped
basement.  One number, 307, caught his eye.  Like the others, it
designated a port, or gateway, between a certain corporation's computers
and the outside world.  John had just run a program on his PC that sent
electronic probes throughout the corporation's network to find a
complete list of these ports.  Port 307 was "open"any data coming
through it could be displayed on John's screen.  Would the information
prove useful?

It did.  Port 307 turned out to be where one network server sent bad
passwords, along with the usernames of whoever typed them in.  Network
administrators had taken the trouble to hide legitimate passwords from
prying eyes but hadn't worried about rejected passwords.  John knew,
however, that most failed passwords aren't wild guesses but rather are
"fat-fingered," or typos.  It was pretty easy to guess what "valentime3"
was meant to be.  Seconds later, John had logged onto the server.  Three
minutes after that he discovered a password file that listed one user's
password as blanka shortcut favored by systems administrators out to
avoid having to type in a password hundreds of times daily.  Now John
had "root access," meaning the server recognized him as God.  He whooped
and called Jim Settle, former head of the FBI's computer crime squad and
now CEO of Washington, DC-based security consultancy SST.  "I'm in."

Settle congratulated him, hung up and called the chief information
officer of the corporation whose network his man had just penetrated. 
"Guess who just took over your network?" asked Settle.  The man was
stunnedbut grateful.  After all, he had quietly retained Settle's
services precisely to learn if his network was vulnerable.  Now he knew. 
Before Settle and his crew finished, they would find dozens of other
ways to take control. 

Though Settle's break-in took place with the victim's blessing, it
echoes tens of thousands of malicious invasions.  Each year the Computer
Security Institute, a San Francisco-based organization of computer
security professionals, and the FBI survey computer security managers at
large companies and government agencies.  In this year's survey of 538
managers, 85 percent of these organizations suffered security breaches;
most suffered financial loss as a result.  The average reported loss:
about $2 million. 

That probably offers an optimistic view of the problem's scope.  Settle
has been hired by more than 60 companies to "red team" their computer
systemsthat is, to test security by breaking in the way hackers would. 
Not only did his people gain intimate access to every system, but only
one firm even detected a breach.  Moreover, the problem's not just
corporate: according to a review by the U.S.  General Services
Administration, outsiders broke into and temporarily controlled at least
155 computer systems at 32 federal agencies last year. 

And that's not even the bad news.  While computer network break-ins have
long been almost exclusively the work of joyriding, bored teenagers,
security and law-enforcement professionals believe the threat is about
to shift from run-of-the-mill hackers toward professional criminals,
industrial spies, hostile governments and terrorists.  Eventually, say
experts, computer attacks are likely to bankrupt companies, compromise
U.S.  security and perhaps even kill hundreds or thousands of citizens
by disrupting computer control of anything from traffic signals to food
supply transport.  "These threats are real," says Jack Holleran, former
technical director of the National Security Agency's National Computer
Security Center and now an independent computer security consultant. 
"It's just a matter of when, and it will be sooner rather than later."

The rising stakes have touched off an escalating stream of network
skirmishes between those determined to break into organizations'
computers and those charged with protecting them.  Right now, the bad
guys are winning.  "Internet security is a big mess," says Bill
Cheswick, a chief scientist at Lumeta, a Somerset, NJ, computer-security
software firm spun off from Lucent Technologies.  "It gets discouraging
sometimes." That sobering reality has sent Cheswick and other top
computer scientists into their labs to come up with new weapons for the
intensifying battle. 

Electronic Pearl Harbor

The havoc that can be wreaked online has become almost limitless. 
Unless you're living deep in the woods on fish you catch, chances are
almost every aspect of your life is mediated through computers, from
your train ride into work (thanks to computer-controlled track switches)
to paying bills to relaxing in front of the television (which gets its
juice from a computerized electric power grid).  A terrorist
organization or hostile nation that wanted to disrupt life in the United
States, or a thief who wanted to plunder a company, has an embarrassment
of riches to choose from, notes Pat Lincoln, director of the Computer
Science Laboratory at nonprofit research institute SRI International. 
Lincoln, whom U.S.  officials have briefed on these concerns, notes that
though the details are classified, the government is carefully watching
several groups and nations for warnings of computer attacks.  "If you're
recruiting people to drive trucks that blow up, maybe next year you'll
get someone to plant an Internet 'worm,'" says Lincoln. 

Possible targets of terrorist or state-sponsored attacks include
electric power grids, natural-gas pipelines, water supplies, dams,
hospitals and a variety of other critical facilities that could be
paralyzed by assaults on the right computers, possibly resulting in
widespread suffering and even death.  Holleran notes that 80 percent of
the food transported by rail in the United States crosses either of two
bridges over the Mississippi River; even a moderate computer-driven
mishap near one of them could potentially cause shortages and
skyrocketing food prices.  Phone service could increasingly be at risk,
too, thanks to plans to move most voice traffic onto the Internet, which
is far less secure than conventional phone networks.  Banks, stock
exchanges, the U.S.  Social Security Administration and the U.S.  Postal
Service are also vulnerable.  An attack on any such crucial network
would serve as what security experts call an "electronic Pearl Harbor."

Access to, or a means to disrupt, military networks would be a special
prize in this computer cold war.  "A commercial site might be willing to
put up with a certain amount of fraudulent traffic" that slows or
temporarily halts service, says Robert Anderson, head of the information
sciences group at nonprofit think tank the Rand Corporation.  "But in a
military system you'd be talking about lives being lost." Imagine, for
example, the computer-driven targeting displays in tanks and bombers
misidentifying friendly installations as enemy positions, or radio
command networks being disrupted, or even inundated with fake commands. 
Such infiltrations could conceivably influence the outcome of a war. 
Uncle Sam is widely believed to have developed its own capabilities for
attacking enemy computer systems, but because the United States tends to
be far more computer dependent than its overseas counterparts, we have
more to lose via information warfare, Anderson says. 

Computer attacks could even become a force to reckon with in politics,
notes AT&amp;T Labs security expert Avi Rubinat least if some
communities follow through on plans to allow voting over the Internet. 
All a malicious agent would have to do is launch a mild attack that
slowed down a vote-processing server enough to prevent a few percent of
the ballots from getting through in a couple of districts.  "It's the
easiest type of attack one could possibly launch, and it could be enough
to disrupt an election," says Rubin. 

On the business side, the attacks are less theoretical.  Citibank was
ripped off in 1994 to the tune of $10 million by a Russian computer
whiz, who transferred the funds to his and his accomplices' accounts. 
Most of the money was eventually recovered, but experts say there have
probably been larger, more successful computer heists at other
financial-services companies.  Why haven't we heard about them? Because
the companies quietly bury the loss in the books as some other type of
expense.  "If someone breaks into a company's computers and gets $50
million, the company will feel there's nothing to gain by reporting it,"
says Jon David, a senior editor of the journal Computers and Security
and a security manager at a large financial-services firm.  "It just
makes customers and stockholders nervous."

For a growing number of thieves, though, purloined corporate
informationnot moneyis likely to become the currency of choice.  R&amp;D
data, financial records, personnel files, details of upcoming
dealscorporate servers are treasure troves of data that can be sold to
competitors, speculators or anyone with a grudge.  And of course, a few
firms or their employees may stoop to direct computer-based espionage
against competitors.  Since hijacked information would typically be
copied and not altered, companies might never know they've been hit.  In
a so-far-unique public case of industrial espionage allegedly carried
out by computer, Moore Publishing, a Wilmington, DE, investigative firm,
filed a $10 million lawsuit against Steptoe and Johnson, a well known
Washington, DC, law firm.  Settled in July 2000 for an undisclosed sum,
the suit claimed that Steptoe and Johnson repeatedly broke into Moore
computers, allegedly in revenge for Moore's having bought the rights to
the "steptoejohnson.com" domain name (which it subsequently gave up). 

Infinite Standoff

The security war can seem like an infinite standoff; for every new
defense researchers devise, invaders develop countermeasures, leading to
counter-countermeasures, and so on.  Fortunately, defenders don't have
to make it impossible to break into networks; they only have to make
getting in so difficult, or so fraught with the risk of being tracked
down, that the bad guys think twice. 

Consider, for example, the most common means of breaking into a computer
system: stealing passwords.  Since employees often use a word or proper
name as a password, would-be intruders can turn to any of several
automated password-guessing programs freely available on the Web (try a
search on "LOphtCrack," for example) to run through a dictionary full of
guesses.  "It just takes one user with a bad password to compromise a
system," says Dorothy Denning, a computer scientist at Georgetown
University. 

To fight back, organizations can enlist software that automatically
rejects passwords based on words or names and forces users to change
their passwords regularly to limit potential damage.  Even safer are
security "tokens"devices from keychains that plug into computers to
small liquid-crystal displayswhich make stolen passwords less valuable. 
Tokens like those made by Symantec and San Jose, CA-based Secure
Computing dynamically generate a new password each time a user needs to
log in; a version made by RSA Security of Bedford, MA, generates a new
password every minute or so in synchronization with servers.  But even
these precautions won't stop highly motivated malicious agents.  They
can fast-talk employees out of passwords by posing as systems
administrators over the phone or simply walk through the offices, where
they can often spot passwords that are written down.  And acquiring a
token can be as simple as stealing a purse. 

A growing number of companies and government agencies are also turning
to smart cards to limit illicit entry into their systems.  Smart cards
have embedded computer chips containing code that identifies the holder. 
Passed through a reader that can be attached to any computer, the smart
card authorizes the holder to use that computer to access the network:
the network will reject commands from a computer that hasn't been
presented with an authorized smart card.  Smart cards can also contain
the "keys" required to read or send encrypted data.  Unlike encryption
keys stored on a PC, keys encoded on a smart card can't be stolen via
the network.  Even tighter access control can be engineered by combining
smart cards with "biometric signatures" like fingerprints or
voiceprints.  RSA Security, Luxembourg's Gemplus and the Datacard Group
in Minnetonka, MN, are among the vendors already selling smart cards;
Siemens offers smart cards tied to a fingerprint, and Domain Dynamics of
Swindon, England, is prototyping cards encoded with voiceprints. 

Of course, smart cards can be stolen, too, and though tamper-resistant,
the code on embedded chips can in theory be cracked once a card falls
into the wrong hands.  One way around this weakness is to build the
authorization chips into the innards of the computer itself.  This way,
bad guys must physically get their hands on an authorized computer to
crack a networka dicey proposition that even if successful isn't likely
to go unnoticed for long.  IBM, Intel, Hewlett-Packard, Microsoft and
Compaq Computer founded the Trusted Computing Platform Alliance, now
170-plus members strong, to push for the development of such chips.  The
technology could be used in conjunction with smart cards and other
security devices.  "It puts a hardware barrier in front of a malicious
software attack," says David Safford, manager of IBM Research's Global
Security Analysis Laboratory.  Safford estimates that in three to five
years, every computer built will include the chips.  IBM Research has
also developed a tamperproof device that can be installed in servers,
similar to the chips endorsed by the Trusted Computing Platform
Alliance. 

Eventually, though, the chip has to talk to software, and some security
experts peg that as the weak point of the Trusted Computing Platform
Alliance's scheme.  And once logged into a system, intruders can send
commands that might coax the operating systemwhether it's Unix,
Microsoft Windows or Sun Solarisinto granting them systems administrator
privileges.  That typically includes the ability to examine server
files, gain access to other servers, install "back doors" that allow
easy future entry and cover their tracks by altering the system's logs. 

Operating systems can be "tightened down" to prevent this sort of
manipulation, but most systems administrators aren't familiar with the
approximately 300 manual programming routines the procedure requires. 
Even if they are, malicious parties can exploit newly discovered holes
(an average of 10 new Windows vulnerabilities, for example, circulate
around the Web each month) unless systems administrators are unusually
diligent about updating security features.  "The machines get worse just
sitting there," notes Dan Farmer, a security consultant who has worked
extensively for Sun Microsystems. 

A terrorist or industrial spy doesn't have to be proficient in the nuts
and bolts of security hole exploitation to capitalize on these
weaknesses.  Software penetration "tool kits" that automate the process
of invading and taking over a system can be downloaded from thousands of
sites on the Web. 

To help combat marauders who exploit such server vulnerabilities,
systems administrators can employ intrusion detection software, such as
Cybercop from Santa Clara, CA-based Network Associates, Cisco Systems'
Secure IDS and SRI International's Emerald.  These systems monitor
network traffic looking for sequences of commands specifically
associated with malicious attacks, as well as out-of-the-ordinary
command sequences or data traffic.  When the software spots something
unusual, it notifies the systems administrator, who can then decide
whether to shut the questionable traffic down. 

But some attacks will be new and subtle enough to avoid detection.  Or
more commonly, invasions may be detected but ignored.  Routine hackers
and even inept legitimate users so frequently trigger current intrusion
detection systems that many systems administrators disregard the
alarmsor turn them off.  Many of the companies Jim Settle's team
penetrated were running high-end intrusion detection software costing
$100,000 or more but for one reason or another didn't recognize the
attack. 

To counteract these glitches, researchers at Sandia National
Laboratories, Network Associates and Cisco are working on intrusion
detection systems that do a better job of differentiating false alarms
and amateurish attacks from serious invasions.  Some systems under
development will even be able to analyze activity across a network to
distinguish isolated attacks from the sort of massive, coordinated
assaults that tend to be more damaging, says Fred Cohen, a security
consultant and Livermore, CA-based Sandia researcher who coined the term
"computer virus." Future intrusion detection systems, he notes, will
also make the network "self-coordinating": when a particular server is
under attack, the network will place similar servers on high alert, or
even shut them down, under the assumption that the attacker will attempt
to exploit related vulnerabilities.  Cohen has been working on ways to
allow intrusion detection systems to recognize "slow attacks," an
especially subtle and hard-to-spot technique in which an attack is
purposely spread out over hours or even days to avoid triggering
conventional alarms.  "Most organizations have been ignoring that
problem, because they have their hands full just recognizing attacks
that occur in real time," he says. 

Cohen is also among those working on another method to defend servers:
so-called deception techniques.  These involve setting the network up
not merely to resist intruders but also to confuse and mislead
thempreventing them from causing damage and making it easier to monitor
their activities.  For example, an intruder will normally use software
to scan a network for open ports, typically resulting in a list of 30 or
so gateways that can be explored for vulnerabilities.  One deception
technique is to have the network automatically reply to a port scan with
a list of a million or more portsfar more than even the most motivated
agent is likely to sift through looking for weaknesses.  Organizations
that want to go all out can even set up entire databases of phony
information that are made available to anyone trying to improperly
access the system. 

Cohen notes that some security professionals have shied away from
deception techniques out of concern that legitimate users will be fooled
or inconvenienced, but he disagrees.  "We've been experimenting with the
techniques for four years on our networks, and we haven't seen one case
where a user wasted time because of them, or as far as we know, one case
where an attacker got to real data," he says.  Cohen currently gives
away some deception software on his Web site, and security firm Recourse
Technologies of Redwood City, CA, sells a product called ManTrap,
probably the most sophisticated deception system available commercially. 
But Cohen says more advanced systems are generally built in-house
because they require a great deal of customization and maintenance. 

In an effort to identify network vulnerabilities before invaders exploit
them, companies can run software designed to ferret out and flag flaws. 
For example, Bill Cheswick's group at Lumeta sends a barrage of
specially tagged packets of data from inside an organization's network
to servers outside the network, and vice versa.  The software then
points out any network servers that let traffic move through in both
directions.  Such "leaky" servers represent an easy way in for
intrudersand for malicious software like the Code Red worm that infected
servers worldwide last summer.  "The way companies usually find out
about leaky servers is when a worm like Code Red spreads throughout the
network," notes Cheswick.  "If your network is tight, you should never
see anything like Code Red inside.  But it ran through all kinds of
organizations."

Cybercrime's Next Frontier

Even when security professionals manage to defend existing networks, the
ever increasing demand for more access by legitimate users creates new
vulnerabilities.  Take the explosion in wireless data networks, which
allow an organization's employees to exchange messages and other data
while wandering around with laptops and other devices.  These networks
provide malicious agents with "the next great frontier" for cybercrime,
says Padgett Peterson, a Lockheed Martin security expert.  The Internet
is lousy with instructions for breaking into cell phones, pagers and
personal digital assistants like the Palm.  Intruders can also try
"war-driving," which involves cruising the roads around corporate or
government strongholds with equipment that intercepts wireless data
transmissionsno passwords needed. 

In an attempt to defeat such drive-by hacking, many wireless networks
incorporate the popular Wired Equivalent Privacy protocol, which
scrambles all data sent over the network.  Unfortunately, AT&amp;T
researchers led by Avi Rubin and guided by theoretical work published by
researchers at Cisco and the Weizmann Institute in Israel cracked the
scheme in August, essentially rendering it useless.  Rubin suggests
replacing the approach with a technique compatible with the new (and so
far impenetrable) Advanced Encryption Standard expected to be adopted by
government agencies by year's end.  But this won't be much consolation
to organizations that have already invested millions of dollars in
setting up their wireless networks.  "When the new standard comes out,
all the wireless PC cards and base stations will have to be replaced,"
says Rubin. 

But no matter how successfully such technologies fend off existing
threats, no end to the security wars is in sight.  That's because
experts can't predict perfectly what tricks criminals, spies and
saboteurs will come up with next to turn our reliance on computers
against us.  "I'm always surprised by what the next threat turns out to
be," says Lockheed Martin's Peterson. 

To guard against threats that pros haven't even imagined yet, Peterson
advocates a different sort of defense: rethinking the basic architecture
of organizational networks.  Conventional corporate network
architecture, he says, affords employees fairly open access to internal
databases, while attempting to place generally ineffective restrictions
on connections to the outside world.  Under that scheme, he says, a
malicious agent need only gain access to an employee's computer in order
to get into the databases. 

Under the plan Peterson supports, users would have relatively open
access to the outside world, while databases and other files are placed
under severe and closely monitored restrictions.  That way, an invader
could take over Internet servers and employees' computers but still
couldn't gain access to the databases and filesbecause nobody gets free
access.  "You have to be willing to reverse your thinking," Peterson
says.  "Not many people are."

There's another weakness to address: law enforcement's limited ability
to respond to computer security threats.  Despite increasing security
efforts in both the private and public sectors, sophisticated invaders
can more or less operate without fear of being tracked down, even if
they are detected.  "Law enforcement and systems administrators are
always behind the curve," says Settle.  Experts agree that the FBI,
which bears much of the federal responsibility for responding to
computer attacks, is woefully ill equipped to deal with computer crime
and terrorism.  "If that's where our expertise lies, we're in trouble,"
says Computers and Security editor David.  That's another reason most
companies don't bother to report break-ins when they manage to detect
them.  In the Computer Security Institute and FBI survey, only 36
percent of the companies that admitted to being hit said they reported
the crime to law enforcement. 

It may be, says security consultant Farmer, that the only reason we
haven't been victimized by a much more intense barrage of computer
assaults is that most professional criminals and terrorists still
perceive conventional physical attacks like armed robbery and bombings
as providing more reliable payoffs.  "That will change as we move our
critical infrastructures online," he asserts. 

In the end, the solution may be to rethink what the Internet is good
for, as Lockheed Martin's Peterson suggests.  Just as savvy travelers
know not to pack irreplaceable possessions in a checked suitcase or walk
in an urban park after dark, so organizations and individual users will
recognize that highly sensitive data shouldn't be sitting on easily
accessed servers.  "Security probably won't improve in a technical
sense," says Farmer.  "Only in a social sense."

As for less sensitive information, well, organizations may need to
accept the notion that the advantages of keeping it accessible outweigh
the pain of occasionally having it swiped.  Consider it a cost of doing
business in a wired worldor to put it another way, an acceptable
casualty of electronic war. 

David H.  Freedman, a contributing writer to Technology Review, is a
senior writer at eCompany Now.  His work has appeared in the Atlantic
Monthly, the New York Times, Wired, the Harvard Business Review and many
other publications. 

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Get your FREE VeriSign guide to security solutions for your web site: encrypting transactions, securing intranets, and more!
http://us.click.yahoo.com/UnN2wB/m5_CAA/yigFAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Next message: Fred Cohen: "[iwar] [fc:Hacktivists.take.sides.in.war:.GForce.is.one.of.the.most.prolific.hacker.groups]"
Previous message: Fred Cohen: "[iwar] Heads up (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:57 PST