[ISN] Bracing for guerrilla warfare in cyberspace

From: cult hero (jerichoat_private)
Date: Sat May 22 1999 - 05:22:31 PDT


    [Moderator: Warning - A fair share of FUD in this article.]
    Forwarded From: Sunit Nangia <sunitat_private>
    Bracing for guerrilla warfare in cyberspace
    'There are lots of opportunities; that's very scary'
    April 6, 1999
    By John Christensen
    CNN Interactive 
    (CNN) -- It is June, the children are out of school, and as highways and
    airports fill with vacationers, rolling power outages hit sections of Los
    Angeles, Chicago, Washington and New York. An airliner is mysteriously
    knocked off the flight control system and crashes in Kansas. 
    Parts of the 911 service in Washington fail, supervisors at the Department
    of Defense discover that their e-mail and telephone services are disrupted
    and officers aboard a U.S. Navy cruiser find that their computer systems
    have been attacked. 
    As incidents mount, the stock market drops precipitously, and panic surges
    through the population. 
    Unlikely? Hardly. The "electronic Pearl Harbor" that White House terrorism
    czar Richard A. Clarke fears is not just a threat, it has already
    Much of the scenario above -- except for the plane and stock market
    crashes and the panic -- occurred in 1997 when 35 hackers hired by the
    National Security Agency launched simulated attacks on the U.S. 
    electronic infrastructure. 
    "Eligible Receiver," as the exercise was called, achieved "root level" 
    access in 36 of the Department of Defense's 40,000 networks. The simulated
    attack also "turned off" sections of the U.S. power grid, "shut down"
    parts of the 911 network in Washington, D.C., and other cities and gained
    access to systems aboard a Navy cruiser at sea. 
    At a hearing in November 1997, Sen. Jon Kyl, R-Arizona, chairman of a
    Senate technology subcommittee, reported that nearly two-thirds of U.S. 
    government computer systems have security holes. 
    "If somebody wanted to launch an attack," says Fred B. Schneider, a
    professor of computer science at Cornell University, "it would not be at
    all difficult." 
    'There are lots of opportunities'
    Although "Eligible Receiver" took place in the United States, which has
    about 40 percent of the world's computers, the threat of cyberterrorism is
    * During the Gulf War, Dutch hackers stole information about U.S. troop
    movements from U.S. Defense Department computers and tried to sell it to
    the Iraqis, who thought it was a hoax and turned it down. 
    * In March 1997, a 15-year-old Croatian youth penetrated computers at a
    U.S. Air Force base in Guam. 
    * In 1997 and 1998, an Israeli youth calling himself "The Analyzer" 
    allegedly hacked into Pentagon computers with help from California
    teen-agers. Ehud Tenenbaum, 20, was charged in Jerusalem in February 1999
    with conspiracy and harming computer systems. 
    * In February 1999, unidentified hackers seized control of a British
    military communication satellite and demanded money in return for control
    of the satellite. 
    The report was vehemently denied by the British military, which said all
    satellites were "where they should be and doing what they should be
    doing." Other knowledgeable sources, including the Hacker News Network,
    called the hijacking highly unlikely. 
    "There are lots of opportunities," says Schneider.  "That's very scary." 
    'The Holy Grail of hackers'
    President Clinton announced in January 1999 a $1.46 billion initiative to
    deal with U.S. government computer security -- a 40 percent increase over
    fiscal 1998 spending. Of particular concern is the Pentagon, the military
    stronghold of the world's most powerful nation. 
    "It's the Holy Grail of hackers," says computer security expert Rob Clyde.
    "It's about bragging rights for individuals and people with weird
    Clyde is vice president and general manager of technical security for
    Axent Technologies, a company headquartered in Rockville, Maryland, that
    counts the Pentagon as one of its customers. 
    The Defense Department acknowledges between 60 and 80 attacks a day,
    although there have been reports of far more than that. 
    The government says no top secret material has ever been accessed by these
    intruders, and that its most important information is not online.  But the
    frustration is evident. 
    Michael Vatis, director of the FBI's National Infrastructure Protection
    Committee, told a Senate subcommittee last year that tracing cyberattacks
    is like "tracking vapor." 
    'A lot of clueless people'
    Schneider says the "inherently vulnerable" nature of the electronic
    infrastructure makes counterterrorism measures even more difficult. 
    Schneider chaired a two-year study by the National Academy of Sciences and
    the National Academy of Engineering that found that the infrastructure is
    badly conceived and poorly secured. 
    "There is a saying that the amount of 'clue' [knowledge] on the Internet
    is constant, but the size of the Internet is growing exponentially," says
    Schneider. "In other words, there are a lot of clueless people out there.
    It's basically a situation where people don't know how to lock the door
    before walking out, so more and more machines are vulnerable." 
    Schneider says the telephone system is far more complicated than it used
    to be, with "a lot of nodes that are programmable, and databases that can
    be hacked." Also, deregulation of the telephone and power industries has
    created another weakness:  To stay competitive and cut costs, companies
    have reduced spare capacity, leaving them more vulnerable to outages and
    disruptions in service. 
    Still another flaw is the domination of the telecommunications system by
    phone companies and Internet service providers (ISPs) that don't trust
    each other. As a result, the systems do not mesh seamlessly and are
    vulnerable to failures and disruptions. 
    "There's no way to organize systems built on mutual suspicion,"  Schneider
    says.  "We're subtly changing the underpinnings of the system, but we're
    not changing the way they're built. We'll keep creating cracks until we
    understand that we need a different set of principles for the components
    to deal with each other." 
    'The democratization of hacking'
    Meanwhile, the tools of mayhem are readily available. 
    There are about 30,000 hacker-oriented sites on the Internet, bringing
    hacking -- and terrorism -- within the reach of even the technically
    "You no longer have to have knowledge, you just have to have the time," 
    Clyde says. "You just download the tools and the programs. It's the
    democratization of hacking. And with these programs ... they can click on
    a button and send bombs to your network, and the systems will go down." 
    Schneider says another threat is posed not by countries or terrorists, but
    by gophers and squirrels and farmers. 
    In 1995, a New Jersey farmer yanked up a cable with his backhoe, knocking
    out 60 percent of the regional and long distance phone service in New York
    City and air traffic control functions in Boston, New York and Washington.
    In 1996, a rodent chewed through a cable in Palo Alto, California, and
    knocked Silicon Valley off the Internet for hours. 
    "Although the press plays up the security aspect of hacker problems," 
    says Schneider, "the other aspect is that the systems are just not built
    very reliably. It's easy for operators to make errors, and a gopher
    chewing on a wire can take out a large piece of the infrastructure. That's
    responsible for most outages today." 
    'The prudent approach'
    Schneider and Clyde favor a team of specialists similar to Clinton's
    proposed "Cyber Corps" program, which would train federal workers to
    handle and prevent computer crises. But they say many problems can be
    eliminated with simple measures. 
    These include "patches" for programs, using automated tools to check for
    security gaps and installing monitoring systems and firewalls.  Fixes are
    often free and available on the Internet, but many network administrators
    don't install them. 
    A step toward deterrence was taken in 1998 when CIA Director George Tenet
    announced that the United States was devising a computer program that
    could attack the infrastructure of other countries. 
    "That's nothing new," says Clyde, "but it's the first time it was publicly
    announced. If a country tries to destroy our infrastructure, we want to be
    able to do it back. It's the same approach we've taken with nuclear
    weapons, the prudent approach." 
    The U.S. Government Accounting Office estimates that 120 countries or
    groups have or are developing information warfare systems.  Clyde says
    China, France and Israel already have them, and that some Pentagon
    intrusions have surely come from abroad. 
    "We don't read about the actual attacks," says Clyde, "and you wouldn't
    expect to." 
    "The Analyzer" was caught after he bragged about his feat in computer chat
    rooms, but Clyde says the ones to worry about are those who don't brag and
    don't leave any evidence behind. 
    "Those are the scary ones," he says. "They don't destroy things for the
    fun of it, and they're as invisible as possible." 