http://www.nytimes.com/library/tech/99/03/cyber/articles/08defense.html

March 8, 1999

Hacker 'Attacks' on Military Networks May Be Closer to Espionage

By PETER WAYNER

In recent weeks, Government officials involved with defense have described a new kind of "cyberwar" being fought on the Internet, with unknown hackers unleashing relentless assaults on military computers.

"Are we under constant attack? Absolutely," said Representative Curt Weldon, a Pennsylvania Republican who heads the Military Research and Development Subcommittee of the House Armed Services Committee, in a telephone interview on Friday. Weldon held a closed-door briefing last month at which military officials told House members that the Pentagon was facing new threats from hackers.

"Attack" is a strong word, one that might bring to mind the Japanese strike on Pearl Harbor. But some computer security experts stress that while the hacker activity that the House heard about is a potential threat, calling it an attack could be an overstatement. Much of it appears to be something closer to cold war espionage than a bombing run.

The Naval Surface Warfare Center in Dahlgren, Va., first detected the unusual activity that John J. Hamre, the Deputy Secretary of Defense, described to the House last month. Fred Kerby, the information system security manager at the center, characterized it as a "low and slow scan," designed to map out military computer networks without attracting attention.

Drew Dean, a computer security expert at Xerox's Palo Alto Research Center, said it could be misleading to characterize this kind of scan as a full attack. "It's a precursor to attack," he said. "If someone I didn't know scanned my machine, I would assume it was an unfriendly act."

Dean noted, however, that there are often legitimate and innocent reasons for a computer user to check out another machine across the Internet.
In fact, the Norwegian Supreme Court was recently asked to rule on whether or not such scanning was illegal. The court decided that it was not, because it was similar to a knock on the door, not forced entry.

A hacker wanting to learn something about an organization's computer network might begin by scanning the network with the "ping" protocol, which sends a small packet of data to a computer and asks it to respond to see if it is connected to the network. This is equivalent to calling a list of sequential telephone numbers and seeing who answers.

Kerby at the Naval Surface Warfare Center said that most military sites routinely block out ping requests. "We don't allow them through," he said. "We regard them as an ankle biter... We just note that they came up and rang the door bell, but we had everything secured before they got here."

Some hackers use more sophisticated probes. It is possible, for instance, to see if a computer accepts electronic mail by sending a trial message. This information can be exploited, in some cases, because older versions of the popular electronic mail program known as Sendmail have numerous security holes that could give a hacker access to a system. Robert Tappan Morris Jr., then an undergraduate at Cornell University, used one such hole to launch a "worm" program that crippled the Internet in 1988.

In the case of the latest probes, the hackers tried to conceal the scale of their effort by sending requests from a number of different computers.

"This is what's known as a coordinated attack," said John Green, a senior security analyst at the Naval Surface Warfare Center. "It's not detected by most commercial detection systems. What made this significant is that it was low and slow. We would get very few packets from each site."

The Dahlgren center discovered these distributed probes with a new surveillance system they designed called "Shadow," which looks for patterns in data traffic.
In this case, it analyzed packet flows over several months and revealed that many machines were being completely probed.

"Instead of hitting 65,536 ports on one computer, they'll be probing one or two ports on each computer, then one or two on another computer," Kerby said. After some time, all of the ports on each computer would have been systematically probed by several machines acting in concert.

"Scanning or probing is just a reconnaissance effort," Green said. "Once they gather a map of your network, they can then go back and target the machines that they've discovered."

Assessing the real danger of this activity is difficult to do. Many people use tools like the ping protocol to test and debug their networks. In fact, those probing the military networks may be using the same tools used routinely by the network administrators, because they have both legitimate and illegitimate uses.

Determining the scope of the hackers' effort is also hard, in part because the Department of Defense refuses to say much about them. The investigation is still unfolding and is also classified.

The Pentagon has said that, as is the case with the vast majority of hacking attempts, the recent probes did not result in the penetration of any computers storing sensitive information. Also, the Dahlgren center said it found a way to thwart this method of probing, and has told all military services about the remedy. It has posted the Shadow software on its Web site so any organization can use it freely.

Some security experts and critics of the military budget dismiss the recent talk of "cyberwar" as a public relations effort, designed to get Congress to increase defense spending. They point out that truly sensitive government computers are not even connected to the Internet. It is important to ask, they say, whether the activity described to Congress was an attempt to launch missiles or just probes of innocent desktop computers used to surf the Web.

"It would not surprise me if this was a public relations maneuver," said Winn Schwartau, a security consultant and author of the book "Information Warfare," in a telephone interview on Friday.

Schwartau said, however, that the nation is not spending enough to defend itself from enemies armed with computers and hacking expertise. "Maybe they're being more open about it to help with the overall awareness that America is sorely lacking," he said.

"Is surveillance an offensive activity?" Schwartau asked. "Under the cold-war mentality, it was. A U2 surveillance of Russia was considered offensive. Some satellite surveillance was considered offensive."

Military computers have long been a favorite target of members of the hacker underground wanting to show off their skills. But Representative Weldon said it is important not to dismiss all hacking attempts as the work of computerized joyriders.

"I can tell you, I know there are countries out there that are putting money into information warfare," he said. "You know, they can't match our military, so they take what they have: high-performance computers and people who know systems. Then you work on compromising our systems."

Weldon noted that the Defense Department is not the only target of malicious hackers. "We know of banks who've had their firewalls broken and money transferred out, and they're not going to talk about it," he said. The private sector needs to cooperate more with the government in this area, he said.
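The "low and slow" coordinated probing that Kerby and Green describe stays under any per-source threshold, but it shows up once probes are aggregated per destination over a long window. The Python sketch below is an added illustration of that idea, not part of the article and not the Shadow software's logic; the records, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_events(days=90, n_sources=40):
    """Constructed sample records (day, src, dst, dport); documentation-range IPs."""
    events = []
    for day in range(days):
        src = "198.51.100.%d" % (day % n_sources + 1)   # probing sources take turns
        for dst in ("192.0.2.5", "192.0.2.6"):
            events.append((day, src, dst, 1 + day))      # one new port per host per day
        # Ordinary traffic: one mail client, and a different web client each day
        events.append((day, "203.0.113.7", "192.0.2.5", 25))
        events.append((day, "203.0.113.%d" % (100 + day), "192.0.2.9", 80))
    return events

def per_source_alerts(events, min_ports=10):
    """Per-source threshold: flag one source touching many ports on one host."""
    ports = defaultdict(set)
    for _day, src, dst, dport in events:
        ports[(src, dst)].add(dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)

def per_destination_alerts(events, min_ports=50, max_share=0.1):
    """Long-window view: distinct ports probed per host, whoever sent the probes."""
    by_src = defaultdict(lambda: defaultdict(set))
    for _day, src, dst, dport in events:
        by_src[dst][src].add(dport)
    alerts = {}
    for dst, sources in by_src.items():
        seen = set().union(*sources.values())
        top = max(len(p) for p in sources.values())
        # Many ports covered, yet no single source responsible for much of it
        if len(seen) >= min_ports and top / len(seen) <= max_share:
            alerts[dst] = {"ports": len(seen), "sources": len(sources)}
    return alerts

if __name__ == "__main__":
    events = build_events()
    print("per-source alerts:", per_source_alerts(events))
    for dst, info in sorted(per_destination_alerts(events).items()):
        print(dst, info)
```

The busy web server at 192.0.2.9 is not flagged despite its 90 distinct clients, because only one port is ever touched there.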