
List:       isn
Subject:    [ISN] Bracing for guerrilla warfare in cyberspace
From:       cult hero <jericho () dimensional ! com>
Date:       1999-05-22 12:22:31


[Moderator: Warning - A fair share of FUD in this article.]


Forwarded From: Sunit Nangia <sunit@cerf.net>

http://www.cnn.com/TECH/specials/hackers/cyberterror/

Bracing for guerrilla warfare in cyberspace
'There are lots of opportunities; that's very scary'

April 6, 1999
By John Christensen
CNN Interactive 

(CNN) -- It is June, the children are out of school, and as highways and
airports fill with vacationers, rolling power outages hit sections of Los
Angeles, Chicago, Washington and New York. An airliner is mysteriously
knocked off the flight control system and crashes in Kansas. 

Parts of the 911 service in Washington fail, supervisors at the Department
of Defense discover that their e-mail and telephone services are disrupted
and officers aboard a U.S. Navy cruiser find that their computer systems
have been attacked. 

As incidents mount, the stock market drops precipitously, and panic surges
through the population. 

Unlikely? Hardly. The "electronic Pearl Harbor" that White House terrorism
czar Richard A. Clarke fears is not just a threat, it has already
happened. 

Much of the scenario above -- except for the plane and stock market
crashes and the panic -- occurred in 1997 when 35 hackers hired by the
National Security Agency launched simulated attacks on the U.S. 
electronic infrastructure. 

"Eligible Receiver," as the exercise was called, achieved "root level" 
access in 36 of the Department of Defense's 40,000 networks. The simulated
attack also "turned off" sections of the U.S. power grid, "shut down"
parts of the 911 network in Washington, D.C., and other cities and gained
access to systems aboard a Navy cruiser at sea. 

At a hearing in November 1997, Sen. Jon Kyl, R-Arizona, chairman of a
Senate technology subcommittee, reported that nearly two-thirds of U.S. 
government computer systems have security holes. 

"If somebody wanted to launch an attack," says Fred B. Schneider, a
professor of computer science at Cornell University, "it would not be at
all difficult." 

'There are lots of opportunities'

Although "Eligible Receiver" took place in the United States, which has
about 40 percent of the world's computers, the threat of cyberterrorism is
global. 

Consider: 

* During the Gulf War, Dutch hackers stole information about U.S. troop
movements from U.S. Defense Department computers and tried to sell it to
the Iraqis, who thought it was a hoax and turned it down. 

* In March 1997, a 15-year-old Croatian youth penetrated computers at a
U.S. Air Force base in Guam. 

* In 1997 and 1998, an Israeli youth calling himself "The Analyzer" 
allegedly hacked into Pentagon computers with help from California
teen-agers. Ehud Tenenbaum, 20, was charged in Jerusalem in February 1999
with conspiracy and harming computer systems. 

* In February 1999, unidentified hackers seized control of a British
military communication satellite and demanded money in return for control
of the satellite. 

The report was vehemently denied by the British military, which said all
satellites were "where they should be and doing what they should be
doing." Other knowledgeable sources, including the Hacker News Network,
called the hijacking highly unlikely. 

"There are lots of opportunities," says Schneider.  "That's very scary." 

'The Holy Grail of hackers'

President Clinton announced in January 1999 a $1.46 billion initiative to
deal with U.S. government computer security -- a 40 percent increase over
fiscal 1998 spending. Of particular concern is the Pentagon, the military
stronghold of the world's most powerful nation. 

"It's the Holy Grail of hackers," says computer security expert Rob Clyde.
"It's about bragging rights for individuals and people with weird
agendas." 

Clyde is vice president and general manager of technical security for
Axent Technologies, a company headquartered in Rockville, Maryland, that
counts the Pentagon as one of its customers. 

The Defense Department acknowledges between 60 and 80 attacks a day,
although there have been reports of far more than that. 

The government says no top secret material has ever been accessed by these
intruders, and that its most important information is not online.  But the
frustration is evident. 

Michael Vatis, director of the FBI's National Infrastructure Protection
Committee, told a Senate subcommittee last year that tracing cyberattacks
is like "tracking vapor." 

'A lot of clueless people'

Schneider says the "inherently vulnerable" nature of the electronic
infrastructure makes counterterrorism measures even more difficult. 
Schneider chaired a two-year study by the National Academy of Sciences and
the National Academy of Engineering that found that the infrastructure is
badly conceived and poorly secured. 

"There is a saying that the amount of 'clue' [knowledge] on the Internet
is constant, but the size of the Internet is growing exponentially," says
Schneider. "In other words, there are a lot of clueless people out there.
It's basically a situation where people don't know how to lock the door
before walking out, so more and more machines are vulnerable." 

Schneider says the telephone system is far more complicated than it used
to be, with "a lot of nodes that are programmable, and databases that can
be hacked." Also, deregulation of the telephone and power industries has
created another weakness:  To stay competitive and cut costs, companies
have reduced spare capacity, leaving them more vulnerable to outages and
disruptions in service. 

Still another flaw is the domination of the telecommunications system by
phone companies and Internet service providers (ISPs) that don't trust
each other. As a result, the systems do not mesh seamlessly and are
vulnerable to failures and disruptions. 

"There's no way to organize systems built on mutual suspicion,"  Schneider
says.  "We're subtly changing the underpinnings of the system, but we're
not changing the way they're built. We'll keep creating cracks until we
understand that we need a different set of principles for the components
to deal with each other." 

'The democratization of hacking'

Meanwhile, the tools of mayhem are readily available. 

There are about 30,000 hacker-oriented sites on the Internet, bringing
hacking -- and terrorism -- within the reach of even the technically
challenged. 

"You no longer have to have knowledge, you just have to have the time," 
Clyde says. "You just download the tools and the programs. It's the
democratization of hacking. And with these programs ... they can click on
a button and send bombs to your network, and the systems will go down." 

Schneider says another threat is posed not by countries or terrorists, but
by gophers and squirrels and farmers. 

In 1995, a New Jersey farmer yanked up a cable with his backhoe, knocking
out 60 percent of the regional and long distance phone service in New York
City and air traffic control functions in Boston, New York and Washington.
In 1996, a rodent chewed through a cable in Palo Alto, California, and
knocked Silicon Valley off the Internet for hours. 

"Although the press plays up the security aspect of hacker problems," 
says Schneider, "the other aspect is that the systems are just not built
very reliably. It's easy for operators to make errors, and a gopher
chewing on a wire can take out a large piece of the infrastructure. That's
responsible for most outages today." 

'The prudent approach'

Schneider and Clyde favor a team of specialists similar to Clinton's
proposed "Cyber Corps" program, which would train federal workers to
handle and prevent computer crises. But they say many problems can be
eliminated with simple measures. 

These include "patches" for programs, using automated tools to check for
security gaps and installing monitoring systems and firewalls.  Fixes are
often free and available on the Internet, but many network administrators
don't install them. 

A step toward deterrence was taken in 1998 when CIA Director George Tenet
announced that the United States was devising a computer program that
could attack the infrastructure of other countries. 

"That's nothing new," says Clyde, "but it's the first time it was publicly
announced. If a country tries to destroy our infrastructure, we want to be
able to do it back. It's the same approach we've taken with nuclear
weapons, the prudent approach." 

The U.S. Government Accounting Office estimates that 120 countries or
groups have or are developing information warfare systems.  Clyde says
China, France and Israel already have them, and that some Pentagon
intrusions have surely come from abroad. 

"We don't read about the actual attacks," says Clyde, "and you wouldn't
expect to." 

"The Analyzer" was caught after he bragged about his feat in computer chat
rooms, but Clyde says the ones to worry about are those who don't brag and
don't leave any evidence behind. 

"Those are the scary ones," he says. "They don't destroy things for the
fun of it, and they're as invisible as possible." 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
