Subject: IW Mailing List iw/951228
From: fc (Fred Cohen)
Subject: Re: IW Mailing List iw/951227
Date: Wed, 27 Dec 1995 20:56:09 -0500 (EST)

> From: Walter Auch 
> Subject: Re: IW Mailing List iw/951226
> "Security through obscurity" is questionable, at best.  ...

1 - At some level, all technical info-sec depends on either physical
security or security through obscurity. [...]

Try to name some type of info-sec that is effective and doesn't depend
on anything physical and yet does not involve obscuring anything in any
way.  The reason you can't do it is because other than some physical
attributes, one bit is the same as another.  Unless you can keep me away
physically, the only option is to keep me from knowing the right bits -
and that is security through obscurity. ...

2 - If you don't use a unique approach and the threat is severe (as it
tends to be in military situations), in today's environment, you are
doomed to rapid failure.  The reason is that widely published holes are
found at a rate of about 10 a month.  If you don't do something special,
attackers get 10 windows of vulnerability per month, many of which
aren't closed for many months (if ever). 

3 - There's a lot more to info-sec than technology [and] a lot of it
depends on obscurity for its success.

... and Robert Steele asks:
> 1) ... Are most intruders caught or not?
	Bellovin and Cheswick (and others) claim that with strong
	detection in place, the number of detected entry attempts
	increases by a factor of 100 and that on average, 1 entry
	attempt per day per site is observed from over the Internet. 
	The 1995 CSI Internet survey tells us that only 25% of
	corporations detected any attempted entry in the last year.
	If this is even in the right ballpark, most intruders aren't
	even noticed. 

> Are they pursued under various state and federal (and laws of other nations)?
	It takes a lot of effort by the victim to chase attackers and
	get them arrested, etc.  Few defenders have the means or the
	will to do this. 

> Are most intruders adventures or are they maliciously looking for data to
> steal or destroy? Your thoughts?
	There are a lot of different types of intruders with a lot of
	different motives. ...

> 2) Would there be a better response than the current "kids-will-be-kids"
> attitude?
	There are a lot of better responses.  How about: Kids will one
	day be adults - let's teach them what they have to know.  Adults
	are not kids, let's prosecute them. 
From: Jonny Llama 
Subject: Re: IW Mailing List iw/951227
Date: Wed, 27 Dec 1995 22:12:32 -0500 (EST)
> > From: (John W. Cobb)
> > Subject: Re: IW Mailing List iw/951225
> Well, IMO execution seems quite extreme. Robert must be joking somewhat (or
> else lets hope he does not have access to the levers of power. :> )

[Let the punishment fit the crime...] High Treason demands strict and
swift punishment, [trying to damage a country] is ...  more than

> exception rather than the rule.  Why as a society, doesn't the networld
> take more active efforts at punishment?

Agreed. For too long have these sorts of attacks been [ignored] as if they
were a "grey area".

> 1) The perpetrator is often unknown and it takes a great deal of effort
> to identify him/her. 

[A lot of this is because we don't try very hard to catch people.]

> I know that everyone can cite cases that are exceptions to this picture
> (the Morris worm, corporate espionage, etc.), but one must agree that

It is my honest opinion that Morris-like attacks are not malicious; this
is moot.

> My questions to spark discussion are:
> 1) To what extent is the previous characterization accurate? Are most...

It's hard to say, because if they come in and out without detection, how 
can you estimate the percentages of these types of intrusion (ugh).  Many 
do get caught, some are found in wooded areas burned, others are 
extradited from foreign countries for accessing CIA switched networks, 
others have their mothers called.  It looks as if IW takes all kinds.

> 2) Would there be a better response than the current "kids-will-be-kids"...

... these crimes should be looked at with a harder edge than
"kids-will-be-kids" because people, no matter what age, have to take a
responsibility for what activities they partake in. ...

mod: trim this down... [done].
Date: Thu, 28 Dec 1995 08:15:17 -0500 (EST)
From: Sick Puppy 
Subject: Re: IW Mailing List iw/951227

> 1) The perpetrator is often unknown and it takes a great deal of effort
> to identify him/her. 
The chances of identifying a skilled attacker are very poor.  Besides the 
effort, it often involves a very high cost.  To identify attackers as 
part of IW will be extremely expensive.  It is cheaper to insulate 
systems better.

> 3) The perpetrator is often not motivated by greed, but by adventurism. 

Adventurism on the part of a single individual is a major problem and 
often results in the discovery of previously unknown bugs in systems.
It is not unusual for a single action to have unforeseen adverse effects 
on the communication between networked systems.  As an example, sending a
large message with a list of addresses that is too long from one site to 
another, where both systems check the length of the address list on 
incoming messages, can result in a game of ping-pong between the two 
systems as each rejects it back to the other.  Basically it has the same
effect as mail-bombing someone, except it is entirely unintentional.
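The address-list ping-pong described in the post above, as a constructed Python simulation added here (not from the thread or from any real mailer): both sites apply a naive length check to the whole message text and enclose the rejected message in their bounce, so the bounce is itself too long and gets rejected back. The `safe_bounces` variant applies the null-reverse-path convention of RFC 5321 (bounces go out with an empty reverse path, and a message arriving with an empty reverse path is never bounced), which the post does not mention; site names, the address limit and the sample message are assumptions.

```python
# Constructed simulation (not from the thread) of the bounce ping-pong above:
# both sites reject any message carrying too long an address list, and each
# bounce encloses the rejected message, so the bounce is itself too long.
from dataclasses import dataclass, field

MAX_ADDRS = 3   # constructed per-site limit on addresses seen in a message
MAX_STEPS = 20  # cap on simulated deliveries so a runaway loop terminates

@dataclass
class Message:
    sender: str     # envelope reverse-path; "" stands for the null path <>
    recipient: str
    body: str

@dataclass
class Site:
    name: str
    safe_bounces: bool      # apply the null-reverse-path rule of RFC 5321
    inbox: list = field(default_factory=list)

    def receive(self, msg):
        """Accept the message, or return the bounce this site sends back."""
        # naive 1995-style check: count every address in the message text,
        # which includes the enclosed original when the message is a bounce
        if msg.body.count("@") <= MAX_ADDRS:
            self.inbox.append(msg)
            return None
        if self.safe_bounces and msg.sender == "":
            return None     # never bounce a bounce: drop or quarantine it
        return Message(
            sender="" if self.safe_bounces else f"mailer-daemon@{self.name}",
            recipient=msg.sender,
            body=f"Undeliverable at {self.name}:\n" + msg.body)

def run_scenario(safe_bounces, to_header):
    """Return (deliveries made, True if the traffic came to rest)."""
    sites = {"a.example": Site("a.example", safe_bounces),
             "b.example": Site("b.example", safe_bounces)}
    msg = Message("alice@a.example", "u1@b.example", f"To: {to_header}\n\nhi")
    steps = 0
    while msg is not None and steps < MAX_STEPS:
        msg = sites[msg.recipient.split("@")[1]].receive(msg)
        steps += 1
    return steps, msg is None

# constructed address lists: one inside the limit, one over it
SHORT_LIST = "u1@b.example, u2@b.example"
LONG_LIST = "u1@b.example, u2@b.example, u3@b.example, u4@b.example"

if __name__ == "__main__":
    print(run_scenario(False, SHORT_LIST))  # (1, True): accepted
    print(run_scenario(False, LONG_LIST))   # (20, False): ping-pong until cap
    print(run_scenario(True, LONG_LIST))    # (2, True): rejected once, then dropped
```

A second line of defence in real mailers is a cap on the number of Received headers, which stops loops that the null reverse path does not cover.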
Date: Thu, 28 Dec 1995 15:43:06 -0500
From: (kenpyle)
Subject: Re: IW Mailing List iw/951227

>"Security through obscurity" is questionable, at best.  In the case of IW,
>one would have to assume that significant amounts of research (from open
>source documents, among other sources) will have been done.  To depend upon
>a "unique approach" to provide any level of security is not, IMHO, reasonable.

I'm sorry if I implied that the only means of security inside the DoD should
be the application of a "unique" security protocol, but like all security
measures, this is just one part of the total package.  First, there are
relatively few adverse effects to a program that implements security through
obscurity as part of its total plan of attack.  Provided that it is not the
sole means through which security is gained, I don't see any problems with
the implementation AS LONG AS the rest of the security suite is maintained
to include maintaining databases of classified information that are not
on-line, etc.
From: (Ry Jones)
Subject: Navy ship hacking (the real deal)
Date: Thu, 28 Dec 1995 11:53:27 -0800 (PST)

One of my people is related to a person who was actually involved in
the Navy Ship Hacking. I have removed the email addresses. ...

You can read the interspersed comments below but the bottom line is that
the story is HIGHLY embellished and is not at all possible.  Most of the
systems that are used to "run" the ship, if they are electronic at all
and not hydraulic, are definitely not connected together and are
definitely not connected to an "unclass" net (Milnet) that anyone could
get at from the internet.  Most ships in a battle group, with the
exception of the Carrier, don't even have off-ship network
connectivity at all.  It is correct in a couple of "slight" respects. 
There was a "Joint Warrior" exercise more correctly known as "JWID -
Joint Warrior Interoperability Demonstration" that is held every year in
Sep.  I have been intimately involved with it for the past two years and
will be again this year ...  And yes there were attempts made to
"break-in" to the demonstration systems but that was the extent of the
effort.  The JWID IP network is in fact a covered or SECRET classified
network requiring SECRET Crypto to gain access.  Not something that
every Tom, Dick or Harry can buy off the street.  And there is
definitely NO access from the unclass net to the classified nets such as
the JWID Net (T3 ATM backbone) or the Secret side of the Milnet now known
as SIPRNET or Secret IP Router Network.  See other comments below. 

>>A few clicks and then the e-mail message entered the ship's control system...

NO ship's control systems are connected to unclass lans.  If they are
even capable of being networked they definitely aren't email "aware". 

>>War of the microchips: the day a hacker seized control of a US battleship

All of the Battleships were decommissioned and put back into mothballs over
three years ago.

>>BY SIMPLY dialing the Internet and entering some well-judged keystrokes,
>>a young US air force captain opened a potentially devastating new era in
>>warfare in a secret experiment conducted late last September.  His
>>target was no less than gaining unauthorised control of the US Navy's
>>Atlantic Fleet.

The internet and the SECRET networks are not connected and again there
is no connection between the networks.  On top of that, CINCLANTFLT
(Commander-in-Chief, US Atlantic Fleet) was not involved in JWID this
year at all.  Most of the focus was on the west coast (MCTSSA - USMC
Electronic Testing Center) and CINCPACFLT (Your old island home of Oahu). 

>>Watching Pentagon VIPs were sceptical as the young officer attempted to
>>do something that the old Soviet Union had long tried to do and failed. 
>>He was going to enter the very heart of the United States Navy's
>>warships - their command and control systems.

Again most ships' command and control systems (our (the company I work
for) software, by the way) don't even have connectivity off the ship.
Even if you did shut down JMCIS (Joint Military Command Information
System) or GCCS (Global Command and Control System), both based on
our software, it wouldn't affect the REAL
"shooting" power of any ship in the US Navy.  They might make a bad
decision if "mis-information" was provided but shutting it down would
just make them use other systems. 

>>He was armed with nothing other than a shop-bought computer and modem. 
>>He had no special insider knowledge but was known to be a computer
>>whizzkid, just like the people the Pentagon most want to keep out.

Yeah, Yeah, Yeah.  Makes for a good story.  BTW didn't the bad guys in
that Steven Seagal movie do this?  Or was that an episode that I saw on
"JAGS" with a submarine? 

>>As he connected with the local node of the Internet provider, the
>>silence was tangible.  The next few seconds would be vital.  Would the
>>world's most powerful navy be in a position to stop him?
>>A few clicks and whirrs were the only signs of activity.  And then a
>>seemingly simple e-mail message entered the target ship's computer
>>First there was jubilation, then horror, back on dry land in the control
>>room at the Electronic Systems Centre at Hanscom Air Force Base in
>>Massachusetts.  Within a few seconds the computer screen announced
>>"Control is complete."

Hanscom is a testing Center for the Air Force and is looking for purpose in life.

>>Out at sea, the Captain had no idea that command of his
>>multi-million-dollar warship had passed to another.  One by one, more

multi-billion dollar warship actually.  But again, it is NOT physically
possible for anyone to log on via network and "take over" a ship.

>>targeted ships surrendered control as the codes buried in the e-mail
>>message multiplied inside the ships' computers.  A whole naval battle
>>group was, in effect, being run down a phone-line.  Fortunately, this

>>invader was benevolent.  But if he could do it ... 
>>Only very senior naval commanders were in the know as the "Joint
>>Warrior" exercise, a number of experiments to test defence systems,

It's actually a demonstration to try to push the various military computer
systems to strive to become interoperable and share each other's data.  A
pie-in-the-sky but a worthy one nonetheless.

>>unfolded between September 18-25.  Taking over the warships was the

These dates were for the VIP tour days of JWID.  The demo, including set up
period, actually ran from 1-29Sep.  Believe me I know because I was at Camp
Pendleton, CA the WHOLE time.

>>swiftest and most alarming of the electronic "raids" - and a true shock
>>for US military leaders.  "This shows we have a long way to go in
>>protecting our information systems," said a senior executive at the
>>airbase where the experiment was conducted. 
>>The exact method of entry remains a classified secret.  But the Pentagon

rlogin, ftp, telnet, std passwords, nfs, etc.  No rocket science nor is
ANY of this stuff classified. 

>>wanted to the first to test the extent of their vulnerability to the new
>>"cyberwarriors" - and had the confidence to admit it. 
>>Now they believe they know what they are dealing with and the defences
>>are going up. 

This is true to some extent and firewalls are going into place.  Even on
the classified nets, requiring SECRET crypto and more importantly,
"physical access", there are now fears of unauthorized US military
people being able to log into systems where they don't belong. 
Date: Sun, 26 Nov 1995 23:39:53 PST
From: Tad Cook 
Subject: Stalking Cellular Bandits

Once-top-secret spy technology used in battle to foil cellular bandits

                    FROM COLD WAR TO CELL WARS

By Lee Gomes
Mercury News Staff Writer

THE COLD WAR is over, but there's no rest for the weary.  Now, some of
the same people who helped defeat the "Evil Empire" are hard at work
against a new enemy.  And what a wild crew is this latest batch of bad
guys: Dr. Who, ColdFire, OleBuzzard, Cool8. 

In one of Silicon Valley's most remarkable defense conversion stories, a
group of engineers from ESL Inc., the ultra top-secret but somewhat
stodgy Pentagon sub-contractor in Sunnyvale, has become the nucleus of a
hot high-tech start-up in one of the nation's most sizzling markets:
cellular telephones. 

Using sophisticated technology originally developed to keep tabs on the
communications from Soviet submarines and ships, Corsair Communications
Inc. is doing battle with a new and altogether domestic opponent:
cellular phone pirates. 

In just six months of operation, Corsair's "RF fingerprinting" system
has become the bane of cell phone thieves in much of Los Angeles, its
first major test.  It's done so well, in fact, that telecommunications
experts say the system could represent a major new defensive capability
in the war against "cloned phones," a multi-billion dollar annual scam
as well as the biggest growth industry in the underground economy. 

... Corsair's "PhonePrint" is aimed at ending that annoyance by taking
advantage of a simple technical insight.  In the same way that
individual people will have slightly different handwriting or
fingerprints, any two radio transmitters will send out a radio
frequency, or RF, signal in slightly different ways. 

If you can learn the "fingerprints" of all the different transmitters
used by your opponent, something both Americans and Soviets tried as
part of their Cold War espionage arsenal, you'll know a lot, such as
whether a given transmission is from the massive aircraft carrier
Admiral Kuznetsov or the lowly supply ship Ivan Kucherenko. 

... techniques that were applied against the Soviet Navy can now be used
against big-city cell-phone fraud because cellular phones are radio
transmitters, too. 

In fact, two cell phones that roll off the same high-tech assembly line
one after another will have enough subtle differences -- such as in the
tolerances of their various resistors and capacitors -- that the signals
they emit will be completely distinguishable from each other, as long as
you know what to look for.  And that's become the chink in the armor of
phone cloning, currently the state of the art in cell phone fraud. 

... Corsair's system puts the equivalent of a 486 computer with 20
megabytes of RAM and a 540 megabyte hard drive into each cell site. 
(While usually hidden from users, these sites are the backbone of a
cellular system, containing both transmitters and receivers as well as a
triangular antenna.  There are about 500 cell sites in the Bay Area,
divided between two cellular providers, and roughly twice as many in Los

The system builds a data base of the fingerprints for each phone,
through normal usage.  Then, when it notices a mismatch between an RF
fingerprint and a pair of numbers, it assumes the pair of numbers have
been illegally entered into a second phone.  The call is simply not put

How effective is Corsair's technology? The system has been fully
operational since summer in more than 100 of the Los Angeles cell sites
with the highest fraud rate, and Melissa May, a spokeswoman for cell
carrier Airtouch, said the company is "impressed with the results.  We
think both the company and our customers have benefited."

Corsair's computers prepare daily reports about its effectiveness, and
while the company doesn't want the exact numbers publicized, they show
it blocking tens of thousands of clone calls a day -- on a daily caller
volume of well over 500,000. 

... If all cell sites in Los Angeles have RF fingerprinting (Airtouch's
competitor, L.A. Cellular, is testing the system as well) then it will
be impossible to get pairs of numbers from L.A.  That will force
pirates to do their shopping elsewhere; getting serial numbers from
low-crime areas where carriers haven't installed RF fingerprinting, and
then selling them back in areas where people are clamoring for them,
like Los Angeles. 

Ultimately, then, to be effective, the technology will need to be
deployed on a nationwide basis, with all 600 of the companies staying in
touch. ...

Published 11/26/95 in the San Jose Mercury News.
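The mismatch check the article describes, as a constructed Python example added here (not Corsair's code): one cell site learns a fingerprint for each pair of identifying numbers (the handset's electronic serial number and its mobile number, ESN/MIN in AMPS) from the first few calls of normal usage, then refuses any later call whose RF features fall too far from the learned print. The three feature names, the enrollment count, the threshold and every reading are assumptions; the last genuine call shows that the real handset is still accepted after a clone has been blocked.

```python
# Constructed RF-fingerprint mismatch check (not Corsair's code): each
# (ESN, MIN) pair gets per-feature mean/variance learned from normal usage;
# a later call is refused when its standardized distance exceeds a threshold.
import math
from collections import defaultdict

ENROLL_CALLS = 5    # calls of normal usage before a print is trusted
THRESHOLD = 4.0     # max standardized distance before a call is refused
MIN_SIGMA = 0.01    # floor so a very stable feature does not become brittle

class PhonePrintSite:
    """One cell site's fingerprint database keyed on the (ESN, MIN) pair."""
    def __init__(self):
        self.stats = defaultdict(lambda: {"n": 0, "mean": [], "m2": []})
        self.blocked = []

    def _update(self, s, feats):
        # Welford's online mean/variance, one accumulator per feature
        s["n"] += 1
        if s["n"] == 1:
            s["mean"], s["m2"] = list(feats), [0.0] * len(feats)
            return
        for i, x in enumerate(feats):
            delta = x - s["mean"][i]
            s["mean"][i] += delta / s["n"]
            s["m2"][i] += delta * (x - s["mean"][i])

    def _distance(self, s, feats):
        total = 0.0
        for i, x in enumerate(feats):
            sigma = max(math.sqrt(s["m2"][i] / (s["n"] - 1)), MIN_SIGMA)
            total += ((x - s["mean"][i]) / sigma) ** 2
        return math.sqrt(total)

    def call_setup(self, esn, min_, feats):
        """Decide one call attempt: 'learn', 'allow' or 'block'."""
        s = self.stats[(esn, min_)]
        if s["n"] < ENROLL_CALLS:
            self._update(s, feats)  # caveat: a clone active now poisons the print
            return "learn"
        if self._distance(s, feats) > THRESHOLD:
            self.blocked.append((esn, min_, feats))
            return "block"          # the call is simply not put through
        self._update(s, feats)      # track slow drift of the genuine handset
        return "allow"

# constructed readings: (carrier offset Hz, rise time us, modulation index)
GENUINE = [(120.1, 3.21, 1.050), (119.8, 3.18, 1.052), (120.3, 3.24, 1.048),
           (119.9, 3.20, 1.051), (120.0, 3.19, 1.049), (120.2, 3.22, 1.050)]
CLONE = (85.0, 2.1, 0.98)  # same ESN/MIN pair, a different transmitter

def demo():
    """Enrollment, a genuine call, a cloned call, then a genuine call again."""
    site = PhonePrintSite()
    calls = GENUINE + [CLONE, (119.9, 3.21, 1.051)]
    return [site.call_setup("ESN-1", "MIN-1", f) for f in calls]
```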