[ISN] Information Insecurity (GovExec Magazine, April 1999)

From: mea culpa (jerichoat_private)
Date: Thu Apr 01 1999 - 23:21:59 PST


    Forwarded From: William Knowles <erehwonat_private>
    (GovExec.com) [April 1999] Every 20 minutes someone tries to penetrate a
    Defense Department computer network. But not all of the intruders are
    outsiders. Defense officials are increasingly concerned about trusted
    employees seeking restricted data. Just as troubling is that many
    intrusions could be prevented if workers followed basic security
    procedures. While computers have become central to agency operations
    across government, security has not.
    A case in point: A few months ago, 27-year-old computer whiz Shawn Key
    hacked into a federal agency's computer network. (He spoke about the
    agency on the condition that it not be identified.) For national security
    purposes, the office Key broke into was supposed to have no more than a
    handful of carefully controlled modems through which employees could
    access the Internet. Instead, Key found more than 500 modems on the
    system--a mother lode for any hacker intent on wreaking havoc. Just days
    before the modems were discovered, network administrators had issued an
    order expressly forbidding the use of extraneous modems.
    Fortunately for the agency, Key is what he calls an "ethical hacker," 
    working to protect organizations against intrusions by "nonethical
    hackers": disgruntled employees, precocious teen-agers trying to embarrass
    institutions by posting electronic graffiti, and terrorists intent on
    damaging national security. As a systems engineer at the computer security
    firm J.G. Van Dyke and Associates in Bethesda, Md., Key's job is to probe
    client computer systems for security breaches.  And there are plenty of
    breaches at federal agencies.
    In recent months, Key says, he has repeatedly hacked into federal computer
    systems where the network administrator's password was blank, essentially
    giving him--and any other hacker--a key to the network and all the data
    managed there. With such access, a hacker could shut down the system,
    install or delete software, read, modify or delete data, and cover his
    tracks, avoiding detection altogether. As for the 500 excess modems Key
    recently encountered, agency employees were probably plugging laptop
    computers with built-in modems into phone jacks at their desks to connect
    to the Internet, he says, not realizing they were compromising security.
    The vulnerability of federal agencies to computer attacks is growing, says
    Michael Vatis, director of the FBI's National Infrastructure Protection
    Center, one of several new government organizations established in the
    last year to shore up computer security in both the public and private
    sectors. NIPC's mission is to detect, deter, assess, warn of, respond to,
    and investigate intrusions and illegal acts that target or involve
    critical infrastructures. As such, it is the government's central
    coordinating authority for responding to cyber threats.
    "Unfortunately, this is definitely a growth industry," Vatis says.  "Every
    year the number of people using the Internet increases massively. That
    means there are more illegal intrusions and I think a lot of the more
    serious threats out there are beginning to see the utility of cyber
    weapons--whether we're talking about organized crime groups, terrorists,
    foreign intelligence services or foreign militaries. The problem is just
    going to grow more and more." 
    Protecting information on computer networks in the federal government is a
    vast and complex undertaking, because agencies have become dependent on
    computers for almost all of their day-to-day business operations. Networks
    have grown so fast in recent years that very few administrators fully
    understand the systems they are supposed to manage. Rapidly changing
    technology and employee turnover make it virtually impossible to keep
    agency personnel appropriately trained to deal with intrusions on their
    networks. At the same time, the government's growing reliance on data
    networks increases its vulnerability to hackers by exposing agencies to
    more points of entry, many beyond managers' control.
    Insider Threat
    Such vulnerability is keenly felt at Defense and intelligence agencies.
    "We have found that almost anyone with a computer and modem can use
    specialized malicious software and tools and attempt to disrupt our
    network operations and make it difficult for us to effectively carry out
    our missions," says Air Force Maj. Gen. John H. Campbell, commander of
    the Pentagon's Joint Task Force for Computer Network Defense, an interim
    office established in January to coordinate DoD responses to cyber
    threats. "It isn't just our classified data and systems that require
    security, it is also our unclassified but sensitive data, such as payroll
    and acquisition information."
    "Traditional geographical boundaries do not exist in cyberspace and the
    size of the area of operations is unbounded," says Campbell.  "Since so
    many of our computer systems are interconnected, threats to one seemingly
    isolated computer system can potentially become a threat to multiple
    computer systems."
    Deputy Defense Secretary John Hamre told members of the House Armed
    Services Committee's research and development panel at a closed hearing
    Feb. 23 that it is not a question of whether there will be an electronic
    equivalent of the sneak attack on Pearl Harbor but when such an attack
    will occur. In an interview with Defense News, panel chairman Rep. Curt
    Weldon said Hamre told the panel that Defense computer systems were then
    under a significant, organized attack.  Hamre told Government Executive he
    could not discuss the attack, citing an ongoing investigation with the
    FBI.  In the unclassified version of Hamre's statement to the committee,
    he wrote, "I am very concerned about our ability to defend the information
    systems that make actual offensive operations possible."
    Hamre noted that, "We are increasingly concerned about those who have
    legitimate access to our networks--the trusted insider. . . . I cannot
    emphasize strongly enough the seriousness of the insider threat to our
    information systems and, through those systems, to the department's
    operations." One security expert who works with both federal and private
    sector organizations says that on average, as many as 70 percent of
    intrusions come from inside an organization. Building and sustaining a
    secure information infrastructure is a challenge across the federal
    Last September, the General Accounting Office reported significant
    information security weaknesses in each of the 24 largest federal
    agencies. Inadequately restricted access to sensitive data and other
    weaknesses "place critical government operations, such as national
    defense, tax collection, law enforcement and benefit payments, as well as
    the assets associated with these operations, at great risk of fraud,
    disruption and inappropriate disclosures. In addition, many intrusions or
    other potentially malicious acts could be occurring but going undetected
    because agencies have not implemented effective controls to identify
    suspicious activity on their networks and computer systems."
    GAO auditors demonstrated such weaknesses last year after the Senate
    Governmental Affairs Committee asked them to assess whether the State
    Department's unclassified information systems were susceptible to
    unauthorized access. The answer, GAO found, was an overwhelming yes. 
    Auditors penetrated State's computer systems through internal network
    security controls, Internet gateways and public information servers.
    By simply walking into unsecured facilities, auditors were able to
    download files that contained password lists. In one unlocked area,
    auditors accessed a local area network server where they obtained
    administrator-level access, known as "superuser" access, giving them total
    control of the system's operations and security functions. After gaining
    such access on several different operating platforms, including UNIX and
    Windows NT, auditors viewed international financial information, travel
    arrangements, detailed network diagrams, employees' e-mail and other
    sensitive data.
    Social Engineering
    "Our penetration tests were largely successful," said Gene Dodaro,
    assistant comptroller general in GAO's accounting and information
    management division, during testimony before the Senate committee last
    May.  State's computer systems were vulnerable to just about anybody
    determined to take advantage of them. "Without any passwords or specific
    knowledge of State's systems, we successfully gained access to State's
    networks through dial-in connections to modems," he said. "Having obtained
    this access, we could have modified, stolen, downloaded or deleted
    important data; shut down services; and monitored network traffic, such as
    e-mail and data files."
    "Unauthorized deletion or alteration of data could enable known criminals,
    terrorists and other dangerous individuals to enter the United States.
    Personnel information concerning approximately 35,000 State employees
    could be useful to foreign governments wishing to build personality
    profiles on selected employees.  Manipulation of financial data could
    result in overpayments or underpayments to vendors, banks and individuals,
    and inaccurate information being provided to agency managers and the
    Congress. Furthermore, the overseas activities of other federal agencies
    may be jeopardized to the extent they are supported by State systems,"
    Dodaro said.
    In some cases, auditors were able to obtain key information, such as
    passwords, just by talking to employees, a technique computer specialists
    refer to as "social engineering." According to Key, employees in many
    organizations don't follow, or aren't aware of, basic security policies,
    such as how to establish effective passwords.  In other organizations,
    security policies are nonexistent. 
    Computer security weaknesses are by no means limited to the State and
    Defense departments.  "This country is wide open to attack
    electronically," Hamre told leading private-sector chief information
    officers at the Fortune 500 CIO Forum in Aspen, Colo., last summer.
    "We're vulnerable because of the enormous productivity improvements that
    we've sought through information technology in the last 20 years," Hamre
    said. "Increasingly, American business, in order to save money and to shed
    itself of the cost of proprietary networks, is moving these systems onto
    an Internet-based communications network. So we're finding increasingly,
    America's businesses and utilities are controlling the infrastructure
    through a technology that was never designed with security in mind."
    Over the last decade, the Defense Department has followed suit, shifting
    what were formerly government-controlled communications systems to
    commercial systems. Defense officials estimate more than 95 percent of
    military communications today take place over commercial networks. The
    liability posed by such dependence became clear when the Pentagon
    conducted an exercise known as "Eligible Receiver" in 1997.  Using
    off-the-shelf technology and software downloaded from hacker Web sites, a
    team of about 20 employees from the National Security Agency hacked into
    unclassified Pentagon computer systems. The surprise exercise, designed to
    expose weaknesses in computer security, succeeded beyond the planners'
    wildest expectations. Among other things, the exercise showed how hackers
    might disrupt troop deployments.
    "It was startling," Hamre said. "We didn't really let them take down the
    power system in the country, but we made them prove that they knew how to
    do it."
    The 'Big Banana'
    Between 1999 and 2002, the Defense Department plans to spend $3.6 billion
    to address computer security issues. With 2 million computers, 100,000
    local area networks and more than 100 long-distance networks, securing
    information is a formidable challenge for the agency.
    Arthur Money, the DoD's CIO and the Pentagon's point man for computer
    security, says on an average day there are about 60 unauthorized
    intrusions into Pentagon computer networks. Of those, about 60 a week are
    serious enough to be considered attacks. In his testimony, Hamre said the
    Defense Department detects "80 to 100 events daily. Of these,
    approximately 10 will require detailed investigation." Whatever the exact
    figure, it represents only what the Defense Department is able to detect,
    which may be only a fraction of actual intrusions, security officials say,
    because a good hacker can mask his comings and goings.
    "Almost every intrusion is first viewed as a law enforcement issue,"  says
    Money. "If it's a blatant national security problem and it's recognized as
    that--recognizing when that's the case is the problem--we have the authority
    to do what we need to do." As such, the Pentagon works closely with the
    FBI in investigating intrusions.
    One significant attack was detected in early February 1998, just eight
    months after the Eligible Receiver exercise, when officials at the Air
    Force's Information Warfare Center in San Antonio, Texas, spotted a
    pattern of unauthorized entries into several different Defense networks
    around the country. For days, the hackers led military and FBI security
    experts on a computer crime chase around the world. The attack, which
    coincided with the deployment of troops and equipment to the Persian Gulf
    for a possible strike against Iraq, was believed by some at the time to be
    an act of cyber warfare on the part of Iraq, especially after
    investigators traced intrusions to computer servers in the Middle East.
    When the hackers turned out to be two teens in California and one in
    Israel, national security personnel were relieved--but only somewhat.
    "Doesn't it scare you that we're finding kids who can do this stuff?" 
    asked Vatis when he testified about the attack before the Senate Judiciary
    Committee's panel on technology, terrorism and government information last
    June.  "Doesn't it scare you to think that we may not know what people
    with more sophisticated skills and resources are doing? The cases that we
    are seeing are enough of an indication of our vulnerabilities to make us
    realize that this is in fact a very serious problem."
    A majority of hackers just want to test their skills, Vatis said.  "They
    see the Defense Department as the big banana, the final exam, the ultimate
    challenge." As a result, the FBI spends a lot of time working with Defense
    and intelligence agency officials.
    Since Eligible Receiver and the teen attack last February, the Defense
    Department has beefed up security significantly, Money says.  "All the
    services now have deployed intrusion detection devices, so we're much more
    aware when intrusions happen. We were pretty wide open a year ago. We have
    much better tools, so we have more scouts out, if you will, and
    consequently we're finding more intrusions."
    Growing Threat
    It is impossible to gauge the true number of intrusions into federal
    networks. There is no central repository for such information. In the
    private sector, information indicating security weaknesses is closely
    guarded. Nonetheless, there are indications that hacking is a growing
    problem. An annual survey of public and private security specialists
    conducted by the FBI and the Computer Security Institute, a professional
    organization of computer security specialists based in San Francisco, has
    shown dramatic increases in security breaches.  Sixty-four percent of
    respondents in 1998 reported intrusions in the previous 12 months, a 16
    percent increase over 1997 survey results. 
    Law enforcement investigations have also increased. When the National
    Infrastructure Protection Center was formed in February 1998, the FBI had
    about 500 pending computer intrusion investigations. Today, there are more
    than 650 such cases. There is also an increase in the number of intrusions
    reported, says Vatis. "It could be that more are happening, it could be
    that more are being noticed, or it could be that more are being reported.
    It's likely all of those."
    There is no single action agencies can take to protect their networks,
    says Lt. Gen. William Campbell, the Army's director for command, control,
    communications and computers. "It's a defense in depth. You need a series
    of things, ranging from the mundane, such as having proper passwords, to
    sophisticated intrusion detection devices."
    There are three basic levels of managing security, he says, and all need
    to be continually updated as technology changes. The first is establishing
    security policies and procedures--and enforcing them. The second is
    implementing effective training programs for the lowest-level users
    through systems administrators. Finally, agencies must continue to refine
    their network architectures and incorporate protection technologies.
    While the Pentagon is investing more resources in network security,
    hackers are also getting more sophisticated, says Vice Adm. Robert Natter,
    director of space, information warfare, command and control for the Navy.
    But he argues that the military must not shy away from commercial
    technology because of the security threat. Instead, he says, DoD should
    continue to invest heavily in countermeasures. "I compare this technology,
    where it is today, with the biplane. If we had walked away from that
    technology because it crashed a lot, we wouldn't be flying jetliners
    today. It's very fragile, it's very susceptible to problems, to nefarious
    attempts to get into it, but we need to face up to that, invest in
    combating it and move forward."
