[ISN] Hacker 'Attacks' on Military Networks (includes Winn's quotes)

From: mea culpa (jerichoat_private)
Date: Tue Mar 09 1999 - 02:11:16 PST

    http://www.nytimes.com/library/tech/99/03/cyber/articles/08defense.html
    
    March 8, 1999
    Hacker 'Attacks' on Military Networks May Be Closer to Espionage
    By PETER WAYNER 
    
    In recent weeks, Government officials involved with defense have described
    a new kind of "cyberwar" being fought on the Internet, with unknown
    hackers unleashing relentless assaults on military computers.
      
    "Are we under constant attack? Absolutely," said Representative Curt
    Weldon, a Pennsylvania Republican who heads the Military Research and
    Development Subcommittee of the House Armed Services Committee, in a
    telephone interview on Friday. Weldon held a closed-door briefing last
    month at which military officials told House members that the Pentagon was
    facing new threats from hackers.
    
    "Attack" is a strong word, one that might bring to mind the Japanese
    strike on Pearl Harbor. But some computer security experts stress that
    while the hacker activity that the House heard about is a potential
    threat, calling it an attack could be an overstatement. Much of it appears
    to be something closer to cold war espionage than a bombing run.
    
    The Naval Surface Warfare Center in Dahlgren, Va., first detected the
    unusual activity that John J. Hamre, the Deputy Secretary of Defense,
    described to the House last month. Fred Kerby, the information system
    security manager at the center, characterized it as a "low and slow scan,"
    designed to map out military computer networks without attracting
    attention.
    
    Drew Dean, a computer security expert at Xerox's Palo Alto Research
    Center, said it could be misleading to characterize this kind of scan as a
    full attack. 
    
    "It's a precursor to attack," he said. "If someone I didn't know scanned
    my machine, I would assume it was an unfriendly act." Dean noted, however,
    that there are often legitimate and innocent reasons for a computer user
    to check out another machine across the Internet.
    
    In fact, the Norwegian Supreme Court was recently asked to rule on whether
    or not such scanning was illegal. The court decided that it was not,
    because it was similar to a knock on the door, not forced entry.
    
    A hacker wanting to learn something about an organization's computer
    network might begin by scanning the network with the "ping" protocol,
    which sends a small packet of data to a computer and asks it to respond to
    see if it is connected to the network. This is equivalent to calling a
    list of sequential telephone numbers and seeing who answers. 
    
    Kerby at the Naval Surface Warfare Center said that most military sites
    routinely block out ping requests. "We don't allow them through," he said.
    "We regard them as an ankle biter... We just note that they came up and
    rang the door bell, but we had everything secured before they got here."
    
    Some hackers use more sophisticated probes. It is possible, for instance,
    to see if a computer accepts electronic mail by sending a trial message. 
    This information can be exploited, in some cases, because older versions
    of the popular electronic mail program known as Sendmail have numerous
    security holes that could give a hacker access to a system. Robert Tappan
    Morris Jr., then an undergraduate at Cornell University, used one such
    hole to launch a "worm" program that crippled the Internet in 1988.
    
    In the case of the latest probes, the hackers tried to conceal the scale
    of their effort by sending requests from a number of different computers. 
    
    "This is what's known as a coordinated attack," said John Green, a senior
    security analyst at the Naval Surface Warfare Center. "It's not detected
    by most commercial detection systems. What made this significant is that
    it was low and slow. We would get very few packets from each site." 
    
    The Dahlgren center discovered these distributed probes with a new
    surveillance system they designed called "Shadow," which looks for
    patterns in data traffic. In this case, it analyzed packet flows over
    several months and revealed that many machines were being completely
    probed. 
    
    "Instead of hitting 65,536 ports on one computer, they'll be probing one
    or two ports on each computer, then one or two on another computer," 
    Kerby said. After some time, all of the ports on each computer would have
    been systematically probed by several machines acting in concert.
    
    "Scanning or probing is just a reconnaissance effort," Green said. "Once
    they gather a map of your network, they can then go back and target the
    machines that they've discovered." 
    
    Assessing the real danger of this activity is difficult to do. Many people
    use tools like the ping protocol to test and debug their networks.  In
    fact, those probing the military networks may be using the same tools used
    routinely by the network administrators, because they have both legitimate
    and illegitimate uses.
    
    Determining the scope of the hackers' effort is also hard, in part because
    the Department of Defense refuses to say much about them. The
    investigation is still unfolding and is also classified.
    
    The Pentagon has said that, as is the case with the vast majority of
    hacking attempts, the recent probes did not result in the penetration of
    any computers storing sensitive information. Also, the Dahlgren center
    said it found a way to thwart this method of probing, and has told all
    military services about the remedy. It has posted the Shadow software on
    its Web site so any organization can use it freely.
    
    Some security experts and critics of the military budget dismiss the
    recent talk of "cyberwar" as a public relations effort, designed to get
    Congress to increase defense spending. They point out that truly sensitive
    government computers are not even connected to the Internet. It is
    important to ask, they say, whether the activity described to Congress was
    an attempt to launch missiles or just probes of innocent desktop computers
    used to surf the Web.
    
    "It would not surprise me if this was a public relations maneuver," said
    Winn Schwartau, a security consultant and author of the book "Information
    Warfare," in a telephone interview on Friday.
    
    Schwartau said, however, that the nation is not spending enough to defend
    itself from enemies armed with computers and hacking expertise. "Maybe
    they're being more open about it to help with the overall awareness that
    America is sorely lacking," he said.
    
    "Is surveillance an offensive activity?" Schwartau asked. "Under the
    cold-war mentality, it was. A U2 surveillance of Russia was considered
    offensive. Some satellite surveillance was considered offensive."
    
    Military computers have long been a favorite target of members of the
    hacker underground wanting to show off their skills. But Representative
    Weldon said it is important not to dismiss all hacking attempts as the
    work of computerized joyriders. 
    
    "I can tell you, I know there are countries out there that are putting
    money into information warfare," he said. "You know, they can't match our
    military, so they take what they have: high-performance computers and
    people who know systems. Then you work on compromising our systems."
    
    Weldon noted that the Defense Department is not the only target of
    malicious hackers. "We know of banks who've had their firewalls broken and
    money transferred out, and they're not going to talk about it," he said.
    The private sector needs to cooperate more with the government in this
    area, he said.
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
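
Added example, not part of the original article or of the Shadow software: a sketch of why the "low and slow" coordinated probes that Green and Kerby describe slip under a per-source threshold yet stand out once traffic is correlated per target over a long window. All addresses, thresholds and log records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample traffic: (day, src, dst, dst_port). Addresses are from
# documentation ranges (RFC 5737); nothing here comes from the article.
SOURCES = [f"198.51.100.{i}" for i in range(1, 7)]
TARGETS = [f"192.0.2.{i}" for i in range(10, 13)]

def build_events():
    events = []
    for d, dst in enumerate(TARGETS):
        for port in range(1, 121):            # 120 ports, two per day per target
            events.append(((port - 1) // 2, SOURCES[(port + d) % 6], dst, port))
    for day in range(60):                     # ordinary client, same service daily
        events.append((day, "203.0.113.5", TARGETS[0], 443))
    for port in range(1, 51):                 # one loud single-day scan for contrast
        events.append((3, "203.0.113.9", TARGETS[1], port))
    return events

def per_source_daily(events, threshold=10):
    """Naive detector: a source touching many (dst, port) pairs in one day."""
    seen = defaultdict(set)
    for day, src, dst, port in events:
        seen[(day, src)].add((dst, port))
    return {src for (_day, src), pairs in seen.items() if len(pairs) > threshold}

def long_window_coverage(events, min_ports=100, max_share=0.5):
    """Correlate over the whole window: per target, count distinct ports touched
    and which sources touched them. A target is flagged when coverage is high
    and no single source accounts for more than max_share of it. Sources that
    touched only one port (ordinary clients) are left out of the listing."""
    ports = defaultdict(set)
    by_src = defaultdict(lambda: defaultdict(set))
    for _day, src, dst, port in events:
        ports[dst].add(port)
        by_src[dst][src].add(port)
    findings = {}
    for dst, covered in ports.items():
        top = max(len(p) for p in by_src[dst].values())
        if len(covered) >= min_ports and top / len(covered) <= max_share:
            findings[dst] = sorted(s for s, p in by_src[dst].items() if len(p) > 1)
    return findings

if __name__ == "__main__":
    ev = build_events()
    print("per-source daily:", per_source_daily(ev))
    for dst, srcs in long_window_coverage(ev).items():
        print(dst, "covered by", len(srcs), "sources:", srcs)
```

The per-source check catches only the loud single-day scanner; the six cooperating sources, at no more than two probes each per day, appear only in the long-window view.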
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:32 PDT