From: iw@all.net
Subject: IW Mailing List iw/951218
---------------------------------------------
Date: Sun, 17 Dec 1995 22:12:28 -0500
From: mdevost@chelsea.ios.com (Matthew G. Devost)
Subject: Re: IW Mailing List iw/951217

>---------------------------------------------
>From: Potter B MSgt ACC/SCXX
>Subject: Info Warfare versus Right-Wing French Govt -- A Lurker Replies
>Date: Sat, 16 Dec 95 23:41:00 EST
...
>opportunity to take part in an act of IW.  THIS IS DANGEROUS.  Can
>anyone here anticipate the possible impacts of shutting-down the French
>government for however long it takes to recover from this? How about
>possible impacts on safety of flight in French airspace because their
>flight facilities may not be able to coordinate with one another? What
>about the French economy? These whiners may be joined by most of their
>countrymen if this attack, combined with an economic collapse due to
>lack of investor confidence, succeeds in destroying France. 

I really don't think that mass traffic at a dozen web sites is going to
affect the operation of air traffic control in France.  If so, remind me
never to fly there.  This IW attack is based on creating an
inconvenience to French net users.  Conceptually, I rank it below the
guy that wanted to take down power in Memphis last year after the folks
that ran the AA BBS were arrested.  That sort of attack really could
have some serious implications. 

I found Bruce's original posting interesting, because we rarely take the
time to focus on information warfare as political protest.  (cyber-civil
disobedience to use a Schwartau term) How much damage could a group of
like minded political protesters do using IW methods?

Let's take a hypothetical situation in which a group tries to delay or
stop the deployment of NATO troops in Bosnia.  We'll make a few
assumptions:

They are well organized.  They have global membership.  They are
technologically savvy.  They have limited funding.  Extremism is an
attractive option to some group members. 

Does this group pose a threat? What targets are they likely to hit? Who
are they going to get funding from? What do you do to counter the threat
or disperse the focus of the group? Any thoughts?
---------------------------------------------
Date: Sun, 17 Dec 1995 22:45:35 -0800 (PST)
From: Dave Watson 
Subject: Re: IW Mailing List iw/951216

I see no connection to IW in Mr Sterling's thinly veiled support of 
radical anti-government irrational whiners.  If it is not your intention 
to contribute to such nonsense, an explanation of the posting might be 
appropriate.  If you intend to use this forum for such purposes, please 
remove me from the list.
---------------------------------------------
Moderator's Note:

	It's hardly supporting the effort to post here - all.net has
informed the administrators at these sites of the pending threat.  If
anything it's helping defenders to understand how people are trying to
use IW.  At least that's the moderator's view.

	As to whether it has to do with IW, it might be valuable to look
at it in terms of the definitions used on this list.  Let's try it:

The "Lines of Communication" definition of Steve Trolan:

	"The jockeying for dominance of this LOC is the essence of infowar."

	The proposed attack seems to me a form of jockeying for
	dominance of lines of communication.  Specifically, to deny
	service to official government LOC.


Cohen's overly broad definition:

	"Conflict where IT is the weapon, the target, the objective, or
	the method."

	In this case, information technology and/or information is the
	weapon, the target, the objective, and the method.  Clearly
	there is a conflict.

Several people posting to this list have wanted to limit this to only
cases where IT is the target:

	In this attack IT is clearly the target - specifically, the listed
	servers.

Several people want to limit it to be only as related to high-intensity
conflict:

	An all-out assault for 1 hour as a demonstration of power seems
	to me fairly high intensity if it comes off.  What would be higher
	intensity on a soft-kill basis?

Alexander Gagin states that war is:

	"actions directed to force an enemy to obey" (and uses this as a
	basis for understanding IW).

	This attack seems to meet the force-of-will definition.

Mike Brown's definition is:
	"Information Warfare" on the other hand, is combat in the
	cyberspace -- an effort to deny the adversary the use of
	portions of the information space while simultaneously
	protecting one's own. 

	Clearly this threat is an effort to deny the adversary the use of
	portions of the information space.  I don't think that protecting
	one's own is an issue here, but perhaps it is?

Finally, here is Dave Watson's definition as posted to this list (951127)

	"I perceive it as a composite of the evolutionary directions of
	traditional malicious hacking, leading to organized attacks by
	people with definite financial or political objectives."

	It seems to me that the threatened attack was dead center on this
	definition.

In our ongoing discussion of the definition of IW, this seems like a
good example to use as a differentiator.  If this threat does not meet
the definition of IW, why not?
---------------------------------------------
Date: Sun, 17 Dec 1995 23:59:03 -0500
From: winn@Infowar.Com
Subject: French IW:

The proposed Denial of Service attack against the French gov't is a
simple component of Cyber-Civil Disobedience.  (See my article in
3.15.95 issue of Information Week.) The parallel to the 60's is
unmistakable: Back then, 100,000's of marchers could bring an entire
city to a standstill.  Today, the same number can bring an entire gov't
to its virtual knees.  So what else is new? That's what Class I
Information Warfare is all about; distributed power.  Each individual
alone has little effect against the masses of bandwidth; but together,
they can be an effective 'fighting force.'

So can hackers.  A number of underground denizens proposed in early 1995
to wage war on France for its spying indiscretions against the US, and
the US's seeming lack of policy based response - in public no less.  I
talked most of them out of it (DST is not known for polite retribution
and the FBI/SS would have arrested them on the spot and worried about
specific laws broken at a later date).

Then, the computers at an allied naval base in Toulons (sp?) were broken
into by persons unknown.  Strategic routing plans for Mediterranean
forces were allegedly stolen, as were the acoustic signatures of allied
ships. 

France. Alas, poor France.
---------------------------------------------
From: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: IW Mailing List iw/951217
Date: Mon, 18 Dec 1995 06:54:14 -0500 (EST)

> From: Potter B MSgt ACC/SCXX 
> Subject: Info Warfare versus Right-Wing French Govt -- A Lurker Replies
> Date: Sat, 16 Dec 95 23:41:00 EST
...
> THIS IS DANGEROUS.  Can
> anyone here anticipate the possible impacts of shutting-down the French
> government for however long it takes to recover from this? How about
> possible impacts on safety of flight in French airspace because their
> flight facilities may not be able to coordinate with one another? What
> about the French economy? These whiners may be joined by most of their
> countrymen if this attack, combined with an economic collapse due to
> lack of investor confidence, succeeds in destroying France. 

I think this is a bit of an over-reaction.  Even if you could completely
disable these 6 sites it would probably not have much overall impact on
the French government.  It certainly wouldn't shut down the French
government or impact the safety of flight in French airspace.  Compared
to the effect of the ongoing strikes, I doubt if the economic impact
would even be felt. 
---------------------------------------------
Date: Mon, 18 Dec 1995 08:12:51 -0500 (EST)
From: Sick Puppy 
Subject: IW (Sniffers & Navy)

Padgett mentions sniffers as an example of an undetectable attack.

In fact the Navy attack (which was a hacker, not Navy staff) was
detected INSIDE our network when the hacker hit a TIS Gauntlet from the
inside.  The Navy system got in over a previously unknown dial-up line. 

Cisco logging and Spectrum were useless in trying to trace the
connections.  What showed them up was a sniffer.  Several people asked
for a few more specifics by e-mail. 

The packets captured by the sniffer showed: 
Microsoft Message Server Block commands; for example Mailslot Browse
   inside of NetBios packets;
      inside of Novell IPX packets;
         inside of UDP packets.

Speaking from experience, the user-id and password usually show up in the 
first 128 bytes captured by a sniffer.

It is my humble opinion that ANY networked system that does not use end
to end encryption is crackable in less than 20 minutes with a sniffer. 
I have tried sniffers on systems that used end to end encryption and got
nowhere.  If you fetch back a sniffer log during the weekday morning
busy period, 9.30 a.m.  to 10.30 a.m., nobody ever notices because the
network is always busy then. 

Anyway, back to Padgett's point.  According to some mail I received, 
these San Diego Navy dudes are supposed to be IW heavy-weights, but they
had no idea I was lifting their packets off the wire with a sniffer until
I showed them. 
---------------------------------------------
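Editor's Note (added example):

	The posting above says a sniffer usually has the user-id and
password within the first 128 bytes it captures, and that end-to-end
encrypted sessions gave it nothing.  The block below is an added example
written for this page, not code from the poster.  It takes reassembled
session payloads, looks only at the first 128 bytes of each for the
cleartext login exchanges of telnet and FTP/POP-style protocols, and
uses byte entropy to tell an opaque (encrypted) stream from readable
protocol text.  Every capture in it is constructed and simplified (real
telnet echoes one character at a time; real captures carry IP/TCP
headers); the 6.0 bits-per-byte cut-off and the host names are
assumptions for the example.  It also shows the limit of the 128-byte
claim: a long server greeting pushes the credentials out of the window.

```python
"""Cleartext credentials in the first 128 bytes of a sniffed session.

Added example (editor's, not code from the original posting). Every capture
below is constructed and simplified: real telnet is echoed character by
character, and a real capture carries IP/TCP headers that the capture tool
would strip before handing over the payload.
"""
import hashlib
import math
import re
from collections import Counter
from typing import Optional

HEAD_BYTES = 128          # the posting's claim: credentials sit in the first 128 bytes
ENCRYPTED_ENTROPY = 6.0   # bits/byte; protocol text stays well below this (assumed cut-off)

# (label, pattern) pairs for the login exchanges a sniffer sees on the wire.
CRED_PATTERNS = [
    ("user", re.compile(rb"(?i)\bUSER\s+(\S+)")),              # FTP / POP3 username
    ("pass", re.compile(rb"(?i)\bPASS\s+(\S+)")),              # FTP / POP3 password
    ("login", re.compile(rb"(?i)login:\s*([^\r\n]+)")),        # telnet login prompt + reply
    ("password", re.compile(rb"(?i)password:\s*([^\r\n]+)")),  # telnet password prompt + reply
]


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0 .. 8 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_session(payload: bytes, head: Optional[int] = HEAD_BYTES) -> dict:
    """Inspect only the first `head` bytes of a session (None = the whole payload)."""
    window = payload if head is None else payload[:head]
    creds = {}
    for label, pattern in CRED_PATTERNS:
        m = pattern.search(window)
        if m:
            creds[label] = m.group(1).decode("ascii", errors="replace")
    ent = entropy_bits_per_byte(window)
    return {
        "credentials": creds,
        "entropy": round(ent, 2),
        # high entropy and nothing readable: the session is probably encrypted
        "likely_encrypted": ent >= ENCRYPTED_ENTROPY and not creds,
    }


def scan_capture(sessions: dict) -> dict:
    """Run scan_session over a {name: payload} dict of reassembled sessions."""
    return {name: scan_session(payload) for name, payload in sessions.items()}


# Constructed sample payloads, client and server bytes merged in wire order.
SESSIONS = {
    # telnet: option negotiation, then the prompts and the typed replies
    "telnet": (b"\xff\xfb\x01\xff\xfb\x03\r\nlogin: alice\r\nPassword: s3cret\r\n"
               b"Last login: Mon Dec 18 09:30\r\n$ "),
    # FTP: banner, USER/PASS verbs and the server replies
    "ftp": (b"220 host.example FTP server ready.\r\nUSER bob\r\n"
            b"331 Password required for bob.\r\nPASS hunter2\r\n230 Login ok.\r\n"),
    # a greeting longer than 128 bytes pushes the credentials out of the window
    "ftp_long_banner": (b"220-" + b"Welcome to the constructed FTP service. " * 4
                        + b"\r\n220 ready\r\nUSER carol\r\nPASS pw\r\n"),
    # stands in for an end-to-end encrypted session: hash output has no readable structure
    "opaque": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4)),
}

if __name__ == "__main__":
    for name, result in scan_capture(SESSIONS).items():
        print(f"{name:16s} entropy={result['entropy']:.2f} "
              f"encrypted={result['likely_encrypted']!s:5s} creds={result['credentials']}")
```

	Run as a script it reports the telnet and FTP credentials, nothing
for the opaque stream, and nothing for the long-banner session until
`head=None` widens the window: the 128-byte rule of thumb holds for
terse services and fails for chatty ones, so a sniffer that keeps only
the head of each session misses some logins.  The entropy test is a
heuristic, not proof of encryption: compressed files look the same.
---------------------------------------------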
Date: Mon, 18 Dec 95 07:26:20 EST
From: "Tim McElwaine" 
Subject: NEW LIST?

My view of IW is classical, I see IW as denying a potential adversary
(military or business) access to critical information (mine or his),
serving the purpose of lengthening his decision cycle.  The flip side is
garnering important information on a potential adversary to shorten my
own decision cycle.  IW is not a new field, but rather the bringing
together of tasks that a Nation or military has always attempted to do,
under one umbrella. 
---------------------------------------------
Moderator's Note:

	[The following extract from] today's CERT alert at a time
corresponding to the movement of troops into Bosnia may just be
coincidence - but then, it may not be.  I thought I would seek the
opinion of the group on this matter. 

=============================================================================
CA-95:18                         CERT Advisory
                               December 18, 1995
                       Widespread Attacks on Internet Sites
-----------------------------------------------------------------------------

Over the last several weeks, the CERT Coordination Center has been working on
a set of incidents in which the intruders have launched widespread attacks
against Internet sites. Hundreds of sites have been attacked, and many of the
attacks have been successful, resulting in root compromises at the targeted
sites. We continue to receive reports, and we believe that more attacks are
going undetected.

**********************************************************************
All the vulnerabilities exploited in these attacks are known, and are
addressed by CERT advisories (see Section III).
**********************************************************************
[...]
I.   Description

     Intruders are doing the following:
        - using automated tools to scan sites for NFS and NIS vulnerabilities
        - exploiting the rpc.ypupdated vulnerability to gain root access
        - exploiting the loadmodule vulnerability to gain root access
        - installing Trojan horse programs and packet sniffers
        - launching IP spoofing attacks

II.  Impact
     Successful exploitation of the vulnerabilities can result in unauthorized
     root access.

III. Solution
     The CERT staff urges you to immediately take the steps described in
     the advisories and README files listed below. Note that it is important
     to check README files as they contain updated information we received
     after the advisory was published.
     a. Using automated tools to scan sites for NFS and NIS vulnerabilities
        * CA-94:15.NFS.Vulnerabilities
        * CA-94:15.README
        * CA-92:13.SunOS.NIS.vulnerability
     b. Exploiting the rpc.ypupdated vulnerability to gain root access
         * CA-95:17.rpc.ypupdated.vul
         * CA-95:17.README
     c. Exploiting the loadmodule vulnerability to gain root access
        * CA-93:18.SunOS.Solbourne.loadmodule.modload.vulnerability
        * CA-95:12.sun.loadmodule.vul
        * CA-95:12.README
     d. Installing Trojan horse programs and packet sniffers
        * CA-94:01.ongoing.network.monitoring.attacks
        * CA-94:01.README
     e. Launching IP spoofing attacks
         * CA-95:01.IP.spoofing
         * CA-95:01.README

     The CERT advisories and README files are available from
         ftp://info.cert.org/pub/cert_advisories

     If you find a compromise, please complete the Incident Reporting Form
     that we have provided in the appendix of this advisory, and return the
     form to cert@cert.org. This completed form will help us better assist
     you.

     Note: Because of our workload, we must ask you not to send log files of
     activity, but we would be happy to work with you as needed on how to
     interpret data that you may collect. Also, the CERT staff can provide
     guidance and advice, if needed, on how to handle incidents and work with
     law enforcement.

     If you see activity that indicates an attack is in progress, we encourage
     you to contact other sites involved and the service providers, as well as
     the CERT Coordination Center.
[...]
---------------------------------------------
Date: Mon, 18 Dec 95 08:39:28 EST
From: "tom briggum" 
Subject: Re: IW Mailing List iw/951217


>| - Spread this message everywhere
>| - a) In the date 21/12/1995, 6pm-7pm link to sites of French Government
>|   [December 21 at noon EST] (look at the list no. 1 or cut and copy the home
>|   page of the list no. 3);
>| - b) replay said procedure several times for an hour at intervals of a few
>| seconds.
>|
>| A demonstration of 1000, 10.000, 100.000 netusers all together making
>| part of a line crossing French Government's sites.  The result of this
>| strike will be to stop for an hour network activities of French
>| Government.
> -------------

     What I find fascinating about this is the method of organizing and
deploying an offensive force.  In physical warfare, you need to round up
a bunch of volunteers or conscripts and feed, house and train them for
several months before they are of any use to you.  In information
warfare, you've got millions of potential soldiers with the skills
necessary to wage war, each one available to you at the press of a key. 
All you need do is make a good enough argument for them to go to battle. 
And the "lynch mob" phenomenon doesn't hurt, either. 
---------------------------------------------
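Editor's Note (added example):

	The quoted call to action asks netusers to reload the listed
government home pages for an hour.  From the web server's side that is
visible in the access log, and the moderator notes that the site
administrators were told to expect it.  The block below is an added
example for this page, not code from the poster or from any of the
sites.  It parses Common Log Format lines, buckets requests by minute
and path, and separates the campaign's signature (one page, many
distinct clients) from an ordinary single-source flood, because the two
call for different responses.  The log lines are constructed, the
addresses are RFC 5737 test ranges, and the thresholds are assumptions
to be tuned to a real site's baseline.

```python
"""Spotting a coordinated reload campaign in a web server's access log.

Added example (editor's, not from the original message). The log lines are
constructed in Common Log Format; the addresses (RFC 5737 test ranges),
paths and thresholds are placeholders, not data from any French site.
"""
import re
from collections import defaultdict
from datetime import datetime

REQUESTS_PER_MINUTE = 10   # alert above this rate for one path (assumed site baseline)
CROWD_MIN_CLIENTS = 5      # this many distinct clients in the burst marks a crowd

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str):
    """Parse one CLF line into a dict, or return None for anything malformed."""
    m = CLF.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "minute": ts.strftime("%Y-%m-%d %H:%M")}


def detect_bursts(lines, per_minute=REQUESTS_PER_MINUTE, min_clients=CROWD_MIN_CLIENTS):
    """Bucket requests by (minute, path); flag busy buckets as crowd or single-source."""
    buckets = defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        b = buckets[(rec["minute"], rec["path"])]
        b["requests"] += 1
        b["clients"].add(rec["ip"])
    alerts = []
    for (minute, path), b in sorted(buckets.items()):
        if b["requests"] < per_minute:
            continue
        # many distinct clients reloading one page is the posted campaign's signature;
        # one client doing the same is an ordinary flooder you can simply block
        kind = "crowd" if len(b["clients"]) >= min_clients else "single-source"
        alerts.append({"minute": minute, "path": path, "requests": b["requests"],
                       "clients": len(b["clients"]), "kind": kind})
    return alerts


def build_sample_log():
    """Constructed log: quiet traffic, the 18:00 reload campaign, then one flooder."""
    lines = []

    def req(ip, ts, path):
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.0" 200 1024')

    for i, path in enumerate(["/", "/index.html", "/info/"]):         # 17:59, normal
        req(f"192.0.2.{i + 1}", f"21/Dec/1995:17:59:{10 * i:02d} +0100", path)
    for i in range(6):                                                  # 18:00, six clients
        for j in range(2):                                              # each reloading twice
            req(f"198.51.100.{i + 1}", f"21/Dec/1995:18:00:{5 * i + j:02d} +0100", "/")
    for j in range(12):                                                 # 18:05, one client
        req("203.0.113.7", f"21/Dec/1995:18:05:{j:02d} +0100", "/")
    lines.append("not a log line")                                      # malformed, skipped
    return lines


if __name__ == "__main__":
    for a in detect_bursts(build_sample_log()):
        print(f"{a['minute']} {a['path']:12s} {a['requests']:3d} req "
              f"from {a['clients']:2d} clients -> {a['kind']}")
```

	The distinction matters for the response: a single-source flood
can be dropped at the router, while a crowd of legitimate-looking
clients fetching one page cannot be blocked by address, and the
practical defence is to make that page cheap to serve (a static copy,
a cache in front of the server) for the announced hour.
---------------------------------------------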
Date: Mon, 18 Dec 95 09:15:34 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: RE: IW Mailing List iw/951217

a) An authorized machine on a LAN cannot be determined to be in
promiscuous mode unless you can ask it directly. 

b) If a contract is lost because the oppo knows what you are going to
bid or a negotiation results in agreement at the worst terms acceptable
to you, how would you know if IW had been practised?

c) IMNSHO it is almost always a mistake to give up a real tactical
advantage because of a possibility you might lose a strategic one. 
---------------------------------------------
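Editor's Note (added example):

	Padgett's point (a) and item d of the CERT advisory above (Trojan
horses and packet sniffers, CA-94:01) come to the same check: the only
way to learn whether a machine on your LAN is sniffing is to ask the
host itself, since promiscuous mode is not visible from the wire.  The
block below is an added example for this page, not code from the
advisory or from either poster.  It parses the interface flags that a
Linux host reports through `ip -o link show` and both output styles of
`ifconfig -a`, and lists the interfaces whose flags include PROMISC.
The three sample outputs are constructed.  The caveat a practitioner
wants: the advisory's intruders have root, and a host that has been
rooted can hide the flag by replacing `ip`/`ifconfig` or patching the
kernel, so the answer is only as trustworthy as the binaries that gave
it; run the check from known-good media or compare against trusted
copies.

```python
"""Asking a host directly whether one of its interfaces is in promiscuous mode.

Added example (editor's, not from the advisory or the postings). It parses
the two output formats a Linux host gives you, `ip -o link show` and
`ifconfig -a` (both net-tools styles); the sample outputs are constructed.
A remote party cannot see this flag at all, which is the posting's point.
"""
import re
import subprocess

# "2: eth0: <...>" (ip -o link), "eth0: flags=..." (new ifconfig),
# "eth0      Link encap" (old ifconfig): the name opens a block in every style
IFACE_LINE = re.compile(r"^(?:\d+:\s+)?([A-Za-z0-9_.@-]+):?(?:\s|$)")
PROMISC = re.compile(r"\bPROMISC\b")


def promiscuous_interfaces(output: str) -> list:
    """Return the sorted names of interfaces whose flags include PROMISC."""
    found = set()
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():               # a new interface block starts here
            m = IFACE_LINE.match(line)
            current = m.group(1) if m else None
        # old-style ifconfig prints the flags on an indented continuation line,
        # so the PROMISC test runs on every line of the current block
        if current and PROMISC.search(line):
            found.add(current)
    return sorted(found)


def promiscuous_interfaces_live() -> list:
    """Run `ip -o link show` on this host and parse it (Linux only)."""
    out = subprocess.run(["ip", "-o", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    return promiscuous_interfaces(out)


# Constructed sample outputs: eth0 sniffing, eth1 and lo normal.
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default
"""

IFCONFIG_NEW_SAMPLE = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.10  netmask 255.255.255.0  broadcast 198.51.100.255
"""

IFCONFIG_OLD_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:00:5e:00:53:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

if __name__ == "__main__":
    for name, sample in [("ip -o link", IP_LINK_SAMPLE),
                         ("ifconfig (new)", IFCONFIG_NEW_SAMPLE),
                         ("ifconfig (old)", IFCONFIG_OLD_SAMPLE)]:
        print(f"{name:15s} promiscuous: {promiscuous_interfaces(sample)}")
```

	Call `promiscuous_interfaces_live()` on the host itself to run the
real check; the sample runs all report `['eth0']`.  Legitimate reasons
for the flag exist (bridges, your own monitoring box), so the useful
signal is an interface that is promiscuous when it should not be.
---------------------------------------------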