[ISN] Securing the Lines of a Wired Nation

From: InfoSec News (isnat_private)
Date: Fri Oct 05 2001 - 00:52:45 PDT

    October 4, 2001
    In the hours of torment and confusion after the attacks on the World
    Trade Center and the Pentagon, many people making phone calls to or
    from the affected cities encountered the grating "All circuits are
    busy" recording. E-mail messages, however, seemed to sail through the
    crisis to their destinations. The smooth traffic was hailed by many
    experts as testament to the underlying strength of the Internet.
    But hold on just one nanosecond. Are we talking about the Internet,
    referred to by so many other experts as a famously vulnerable, fragile
    network that can be brought to its knees by college students in the
    Philippines or a teenager in Canada, with estimates of damage in the
    billions of dollars?
    It is indeed the same Internet, ever a combination of flaky and
    robust. Fred Cohen, the computer security researcher who first applied
    the word "virus" to malicious software, said that the individual
    elements of the network were fragile but that the network over all was
    resilient. "It's easy to tear a piece of paper," he said. "Try tearing
    a phone book in half." Still, David J. Farber, a computer scientist
    and former chief technologist at the Federal Communications
    Commission, said that the Internet's success on Sept. 11 could largely
    be attributed to the fact that "nobody attacked it."
    Experts in the emerging field of cyberterrorism say that with such an
    inviting target, terrorists are bound to take up the hackers' wares.
    What will happen when an attacker with real resources and a deep
    desire to do harm grabs the keyboard?
    It may not take long to find out, and the vulnerability may go far
    beyond Web sites or e-mail.
    According to a report last week by the Institute for Security
    Technology Studies, founded last year at Dartmouth, "U.S. retaliatory
    strikes for the tragic Sept. 11 events may result in cyberattacks
    against the American electronic infrastructure." While such attacks
    may amount to no more than familiar nuisances like hackers' defacing
    Web pages or tying up sites by overwhelming them with traffic, "the
    potential exists for much more devastating cyberattacks," the report
    Those who watch trends in computer crime and terrorism say that the
    two are coming together with potentially catastrophic results. Richard
    A. Clarke, who will head cyberterrorism efforts for the Bush
    administration's Homeland Security Council, said in a speech last
    December that the government had to make cybersecurity a priority or
    face a "digital Pearl Harbor."
    In 1997, the President's Commission on Critical Infrastructure
    Protection noted that telephone networks and the Internet were
    increasingly the bonds of the world's economy, for everything from
    financial operations to the supply of water and power.
    Consequently, it said, "a computer can cause switches or valves to
    open and close, move funds from one account to another, or convey a
    military order almost as quickly over thousands of miles as it can
    from next door, and just as easily from a terrorist hideout as from an
    office cubicle or military command center."
    For Tom Marsh, who was the commission's chairman, the worst-case
    scenarios are nightmarish: a determined coalition of hackers, he said,
    could disrupt 911 service, air traffic control, the power-switching
    centers that move electricity around the country, rail networks and
    more. "It's a major undertaking," said Mr. Marsh, a retired Air Force
    general, "but it's not beyond the realm of possibility." The
    complexity of the attacks on the World Trade Center and the Pentagon,
    he said, showed that "even terrorist organizations can conduct very
    well-organized and sophisticated attacks."
    "We said in our report we didn't foresee an electronic Pearl Harbor,
    and I still don't," he said. "But I do believe that as cybercrime
    progresses, over time the terrorists are going to get more and more
    interested in it and see it as a very possible opportunity to cause
    major disruption."
    Those who have worked in cyberintelligence say that the attention to
    the subject is timely. "Up until the 11th, people like me would talk
    in terms of the growing threat of transnational attack, the prospect of
    new forms of terrorism, and the basic reaction was, `Yeah, yeah, yeah,
    but that's theoretical,' " said Jeffrey A. Hunker, dean of the Heinz
    School of Public Policy and Management at Carnegie Mellon University
    and formerly the senior director for protection of critical
    infrastructure at the National Security Council.
    Since the attacks, he said, it has become clear that "there are
    clearly transnational organizations that are incredibly capable of
    executing sophisticated operations and are enormously creative and
    innovative." That, in turn, "makes much more real the possibility of
    new techniques or new types of terrorist attacks," including
    cyberterror, he said. "We're sitting on a cyber time bomb," he said.
    Some experts have warned, for example, that systems accessible to the
    Internet like power grids could be brought down by a determined
    hacker, though as Mr. Farber put it, "it's a lot easier to throw a
    hand grenade down the highway south of San Jose and take out a major
    power station" than to do so by modem. And most would put cyberattacks
    in a different category from the weapons of mass destruction
    associated with visions of catastrophic terrorism; these are not
    nuclear arms, nerve gas or germs. Instead, many experts now call them
    weapons of mass disruption.
    "People aren't going to be killing us with computers," Mr. Hunker
    said, "but our life may be hell because of computer attacks."
    The likeliest use of the technology, he said, would be to complicate
    matters further after a real-world attack, a tactic he describes with
    the military phrase "force multiplier." That could involve planting
    false information on the Web to create a panic or taking down crucial
    computers in the financial or communications sectors.
    The ripple effects of the World Trade Center attacks on everything
    from the travel industry to supply chains in manufacturing show the
    potential for havoc. "Besides the fact of the horrendous loss of life,
    it was really an attack on the critical infrastructures," said Mary J.
    Culnan, a professor of management and information technology at
    Bentley College in Waltham, Mass., and a member of the presidential
    commission that issued the 1997 report.
    The Clinton administration started the first major national effort to
    upgrade computer security in government and business against
    cybercrime and terrorist attack. President Bill Clinton issued an
    order in May 1998 creating the National Infrastructure Protection
    Center, a collaborative effort of law enforcement, military and
    intelligence organizations to shore up defenses against computer
    crime. The center also developed an information-sharing network with
    major industrial sectors.
    Such activities will presumably be brought under the umbrella of the
    new Homeland Defense Council that President Bush has appointed Gov.
    Tom Ridge of Pennsylvania to run. Mr. Clarke will oversee cyberdefense
    initiatives for the council as head of its Office of Cyber Security.
    Michael Vatis, the head of the Dartmouth cybersecurity group and a
    former head of the National Infrastructure Protection Center, said the
    stereotype of computer intruders as thrill-seeking teenage loners was
    misleading. Talented intruders who are motivated and perhaps banding
    together with criminal or ideological motives can go far, he said,
    citing little-publicized attacks on business and Pentagon computer
    networks by hackers who may be linked to organized crime in Russia.
    The attacks, beginning in 1998, are the focus of a federal
    investigation. "The type of access they were able to gain," he said,
    and "the amount of information and the types of information they were
    getting means they could do lots of stuff to those systems," both
    purloining data and disrupting operations.
    Even more dangerous than outsiders, potentially, are insiders with
    specialized knowledge, according to the 1997 report of the President's
    Commission on Critical Infrastructure Protection. That report
    estimated that by this year 19 million people worldwide would have the
    skills to engage in malicious hacking and 1.3 million people would
    have advanced knowledge of the systems that control the nation's
    telecommunications infrastructure.
    Whatever the nature of the attack, the tools are easy to acquire and
    the knowledge to use them even more so. A reasonably competent
    programmer who is willing to delve into the arcana of computer
    operating systems and networks can cobble together viruses or other
    destructive computer code from software posted online. Similarly,
    tools for examining computer systems for security holes and the
    programs that can be used to take advantage of them to gain
    unauthorized entry are also easy to find online, and computer vandals
    are happy to share their knowledge in Internet forums.
    So what is to be done? Most of the measures that experts recommend,
    like keeping up with the latest antivirus software, using strong
    passwords to protect computers and networks and installing
    intrusion-detection software, are painfully obvious but still ignored
    by many businesses, government agencies and consumers. The Dartmouth
    report also recommends increasing protection at Web sites and keeping
    backups of their important data, with special attention to the
    potential for Web page defacement.
    That report also recommends vigilance, and appropriate software, to
    prevent or detect the surreptitious commandeering of computer systems
    for use in denial-of-service attacks. (A guide to the best security
    practices can be found at www.cert.org/security-improvement.)
    Informal networks for intrusion detection are beginning to form among
    those who hope to find security in numbers. One such network, AirCert,
    has been developed by the CERT Coordination Center at Carnegie
    Mellon's Software Engineering Institute. The fledgling AirCert project
    places Internet-based security sensors on participating sites; those
    sensors automatically send data on intrusion attempts to a central
    CERT knowledge base that is able to analyze the information and share
    it quickly.
    The idea has been suggested before. A network for intrusion detection
    in government computers, called Fidnet, was proposed late in the
    Clinton administration but never created because of assertions that
    the system might be used as a large-scale monitoring network for
    citizens' online communications. Government officials insist that was
    never the intention, but Mr. Vatis said that they did not make their
    case well.
    Making that case may now be easier, but Professor Culnan, at Bentley
    College, said that mounting an effective deterrent to cyberterror was
    no small task. "It's a gigantic problem making this work," she said.
    "But at least we've started thinking about it."
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Fri Oct 05 2001 - 03:09:13 PDT