[ISN] Information Warfare News Briefs: Friday 10th July, 1998

From: mea culpa (jerichot_private)
Date: Sat Jul 11 1998 - 05:48:53 PDT

  • Next message: mea culpa: "[ISN] Hacker breaks into USAF computer..."

    Forwarded From: iteamt_private
        I N F O R M A T I O N  W A R F A R E  -  N E W S  B R I E F S
                         Friday 10 July, 1998
       Articles for today:
         1. Terrorism at the touch of a keyboard Possible
         2. U.S. Navy Busier Than in Cold War
         3. Britain, Ireland on diffent encryption paths 
         4. Hackers target SA millions
        Terrorism at the touch of a keyboard Possible targets: anything run by      
                          (U.S. News & World Report; 07/13/98)                      
       Not long ago, if a terrorist wanted to cause a blackout in, say, New
    York, it would have taken some work. He might have packed a truck with
    explosives and sent it careening into a power plant. Or he might have
    sought a job as a utility worker so he could sabotage the electrical
    system. But now, intelligence experts say, it's possible for a trained
    computer hacker to darken Gotham from the comfort of home. Worse, his home
    might be as far away as Tehran, Iran. Worse yet, warned CIA director
    George Tenet recently, he may enjoy the full backing and technical support
    of a foreign government. 
        In a closed briefing to Congress, the CIA chief said at least a dozen
    countries, some hostile to America, are developing programs to attack
    other nations' information and computer systems. China, Libya, Russia,
    Iraq, and Iran are among those deemed a threat, sources later said. 
    Reflecting official thinking, no doubt, the People's Liberation Daily in
    China notes that a foe of the United States "only has to mess up the
    computer systems of its banks by hi- tech means. This would disrupt and
    destroy the U.S. economy." While the specifics are classified, a new
    National Intelligence Estimate reports at least one instance to date of
    active cybertargeting of the United States by a foreign nation. Officials
    are worried because so much of America's infrastructure is either driven
    or connected by computers. Computers run financial networks, regulate the
    flow of oil and gas through pipelines, control water reservoirs and sewage
    treatment plants, power air traffic control systems, and sustain
    telecommunications networks, emergency services, and power grids. All are
    vulnerable. "An adversary capable of implanting the right virus or
    accessing the right terminal," Tenet said, "can cause massive damage." 
    Two years ago, a Swedish hacker wormed his way through cyberspace from
    London to Atlanta to Florida, where he rerouted and tied up telephone
    lines to 11 counties, put 911 emergency service systems out of commission,
    and impeded the emergency responses of police, fire, and ambulance
    services. There have been many domestic cyberattacks as well. The number
    of pending FBI cases involving computer crimes--a category that includes
    computer infrastructure attacks and financial crimes--increased from 128
    in 1996 to about 550 today. 
      Too many 911s. Last year, intelligence officials got a glimpse of what's
    possible during an information-warfare exercise named Eligible Receiver.
    The secret war game began with a set of written scenarios in which energy
    and telecommunications utilities were disrupted by computer attacks. In
    one scenario, the attackers targeted the 911 emergency phone system by
    telling Internet users there was a problem with the system. The scenario
    posited that people, driven by curiosity, would phone 911 and overwhelm
    the system.  Eligible Receiver culminated when three two-person "red
    teams" from the National Security Agency actually used hacker techniques
    that can be learned on the Internet to penetrate Department of Defense
    computers. After gaining access to the military's electronic message
    systems, the teams were poised to intercept, delete, and modify all
    messages on the networks. Ultimately, the hackers achieved access to the
    DOD's classified network and, if they had wished, could have denied the
    Pentagon the ability to deploy forces. In another exercise, the DOD found
    that 63 percent of test attacks on its own systems went undetected.  In
    February, the FBI raided the homes of two California high school
    sophomores. Their hacker assaults on the Pentagon, NASA, and a U.S.
    nuclear weapons research lab were described by a deputy defense secretary
    as "the most organized and systematic attack" on U.S.  computers ever
    discovered. To make the Pentagon attack hard to trace, the hackers routed
    it through the United Arab Emirates. They were directed by a teenage
    hacker in Israel. 
       To help industries fend off hacker attacks, both foreign and domestic,
    the government has created the National Infrastructure Protection Center,
    to be staffed by 125 people from the FBI, other agencies, and industry.
    Recent events make clear that tighter defenses are needed. A year ago, a
    boy only 14 with a home computer disabled control-tower communications at
    a Worcester, Mass., airport for six hours. Jim Trainor, executive director
    of security at Bell Atlantic, says the loopholes the teenager exploited
    have been closed. But no computer environment is totally secure.
    Preventing hacker attacks is "like a never-ending journey," Trainor says.
    "You will never get there." 
    (Copyright 1998)
                           U.S. Navy Busier Than in Cold War                        
                                 (AP Online; 07/08/98)                             
       LONDON (AP)  The United States Navy is almost three times busier in the
    post-Cold War era than it was before 1990, U.S. Navy Secretary John Dalton
    said Wednesday. 
       American ships have taken part in peacekeeping operations, humanitarian
    missions, and international crises like the recent confrontation with
    Iraq, he said. 
       Dalton questioned Navy budget cuts this decade, saying sufficient funds
    are needed to maintain the Navy's high standards. 
       "Talk of greater quality for our armed forces means, today, a heavy
    investment in the promises of information warfare and modern technology,"
    he said in a speech to the Royal United Services Institute for Defense
       Dalton said high-tech ballistic missile defense systems are necessary
    to security, as more nations gain missile technology. 
       "This kind of threat means real capital investment that often goes
    head-to- head with public perceptions that a post-Cold War world means
    smaller navies and less spending," he said. 
       Dalton also argued that the need for highly effective naval forces will
    increase in the 21st century. 
       He cited threats posed by the proliferation of weapons of mass
    destruction, terrorism, religious fundamentalism and international
    organized crime. 
                      Britain, Ireland on diffent encryption paths                  
                                   (Reuters; 07/09/98)                              
        By Wendy Grossman LONDON (Wired) - As computer security issues move to
    the United States' political, legislative, and judicial front burners,
    recent announcements across the Atlantic indicate that the UK and Ireland
    are waking up to the importance of the encryption debate and taking
    dramatically different approaches to the issue.  Last week, the UK's
    Department of Trade and Industry said it would extend regulations banning
    the unlicensed export of military technologies, including transmission by
    intangible means: e-mail, Web publishing and other computer networks. 
        Like the United States, the British government is effectively trying
    to put a lock on the spread of robust data-scrambling techniques, or
    encryption.  Unlike the US, where the Clipper Chip of 1993 sparked debate
    that has only grown more heated in the ensuing years, Britain has seen
    little public discussion of encryption. 
        Instead, hoping not to disturb the UK's placid crypto waters, the
    British trade department has characterized its export control proposals as
    simply closing loopholes in existing laws. But the use and nature of
    cryptography has changed radically since the original encryption laws were
    passed in 1939, on the eve of World War II.  By contrast, the Republic of
    Ireland released a policy paper, "A Framework for Ireland's Policy on
    Cryptography and Electronic Signatures," on June 24. The paper positions
    Ireland as an unrestricted global ecommerce hub.  "The production, import,
    and use of encryption technologies in Ireland shall not be subject to any
    regulatory controls other than obligations relating to lawful access," the
    framework document states.  The Irish document makes no mention of "key
    recovery," a scheme championed by US intelligence agencies that would give
    law enforcement back-door access to scrambled communication. The Irish
    approach to law enforcement access to data is comparatively liberal. In
    cases where access to encrypted information was deemed vital to criminal
    investigations, authorities would obtain a court order asking the data's
    owners to turn over the "plaintext" of the sealed information, or supply
    "keys or algorithms" to unlock the data themselves. 
     Such a provision, if legislated, would preclude law enforcement from
    having its own set of universal keys, a key sticking point in the US
    encryption controversy.  The difference between Irish and British policies
    reflects in part Ireland's alignment with Europe, rather than Britain.
    Ireland and Britain both joined the EC in 1973, but Ireland, unlike
    Britain, is joining the European Monetary Union, which is set on creating
    a single currency for Europe.
     Some critics also deride the "special relationship" between the military
    establishments in Britain and the United States.  "The bottom line is that
    the UK is effectively the 51st state of the US when it comes to defense
    policy, and all of this issue is to do with ensuring that the special
    relationship is used as a lever," says Simon Davies, director of Privacy
    International and a fellow of the London School of Economics.  Like their
    counterparts in the US, British observers say the extension will do little
    to halt the global spread of crypto, and could do serious damage to the
    UK's place in the growing information-based economy. 
        "[The extensions] will gut the UK electronic commerce industry," says
    Ross Anderson, a cryptographer at Cambridge University, "because no one is
    going to trust any software that's approved for export by the spooks. They
    have been caught again and again rethreading equipment and inserting back
    doors in products."  Anderson also believes that requiring a license in
    order to cooperate with researchers elsewhere in the world will
    effectively close down British academic research into cryptography. 
    {Reuters:Wired-0709.00227}   07/09/98
                               Hackers target SA millions                           
                             (Africa News Service; 07/03/98)                        
       South African companies are under constant attack by computer hackers
    and crackers around the globe and fears are growing that inadequate
    computer security could let cyber thieves get their hands on millions of
    rands and confidential information. 
       Ian Melamed, a Johannesburg computer crime expert working with Interpol
    to control the problem in Africa, said break-ins on the continent's
    computer systems had reached crisis levels and were getting worse. 
       Most developing countries, like South Africa, have inadequate
    legislation in this field, making it difficult to prosecute computer
       Mr Melamed is working with the SA Law Commission to draft new laws
    which will outlaw hacking (illegally breaking into private computer
    networks) and cracking (stealing money or tampering with and damaging
    digital information). 
       In the first case of its kind in South Africa, a computer hacker is to
    be tried in the Pretoria High Court for snooping in private files in an
    off- limits area of one of the country's big Internet service provider
       The hacker scaled the "firewall" used to protect private areas of the
    company's network, but left "footprints". Computer fraud experts were able
    to trace the location of the computer where the crime was committed. 
       Details of charges had not been disclosed yet because, Mr Melamed said,
    the investigation was at a sensitive stage. A court date is yet to be set. 
       Representatives of the big Internet service providers, the police
    commercial crime unit and Fraudnet, a computer crime company, meet today
    to discuss how to handle the case . 
       Mr Melamed, who is consulted by police regularly to help in computer
    investigations, said the absence of anti-hacking laws meant the case would
    be tough to prosecute. 
       But he was confident there was enough evidence for the computer
    companies and police to win it. Companies where security had been breached
    were reluctant to go public because they immediately became targets of
    hackers and crackers who, knowing someone else had found a way in, also
    tried to break through their security. 
       Africa was especially vulnerable now because Internet technology was
    available, but companies were ignorant about protecting themselves and
    client information. 
       The worst local culprits were often juvenile "cyber boffins", some as
    young as 11, who were fast mastering ways to dodge computer police
    patrolling networks for rogue visitors. 
       "Ask a computer-literate child for a tour of the Internet and you will
    be staggered by what he knows. 
       "I can only say I hope their knowledge is used for the benefit of the
    economy one day, because it's formidable," said Mr Melamed. 
       Police spokesman John Sterrenberg said the school holidays could soon
    become a nightmare time for computer police as bored youngsters logged on
    to the Internet and hacked their way into no-go areas. 
       "There might be no law against hacking or cracking, but stealing is
    still stealing," he warned. In the Western Cape police have investigated
    40 cases of computer fraud involving R2-million over the past two years. 
       Hackers, often working from overseas, will usually go through second
    computer networks to cover their tracks. This means police are often sent
    on the wrong trail - and the wrong continent. 
       Within five minutes on the Internet, the Cape Argus found step-by- step
    instructions on how to crack cellphone numbers, hack into private networks
    and create mayhem. (Copyright 1998 Cape Argus.) Distributed via Africa
    News Online by Africa News Service. 
    (Copyright 1998 Africa News Service)
    The Y2K News Briefs are provided as a free service of iWarfare.com, if you have
    any articles you think would be of benefit to this news service, please email
    them to y2kteamt_private
    To unsubscribe send email to y2k-newst_private, UNSUBSCRIBE in the subject.
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:33 PDT