[ISN] Information Warfare

From: InfoSec News (isnat_private)
Date: Wed Oct 24 2001 - 00:14:53 PDT


    http://www.techreview.com/magazine/nov01/freedman.asp
    
    By David H. Freedman
    November 2001 
    
    Breaking into networks is more than a joyride; it's the coming mission
    of criminals, industrial spies and terrorists. Can new security
    techniques stop them?
    
    The middle-aged man, call him John, peered at the numbers rolling across
    his computer monitor, which provided the only illumination in the
    cramped basement. One number, 307, caught his eye. Like the others, it
    designated a port, or gateway, between a certain corporation's
    computers and the outside world. John had just run a program on his PC
    that sent electronic probes throughout the corporation's network to
    find a complete list of these ports. Port 307 was "open": any data
    coming through it could be displayed on John's screen. Would the
    information prove useful?
    
    It did. Port 307 turned out to be where one network server sent bad
    passwords, along with the usernames of whoever typed them in. Network
    administrators had taken the trouble to hide legitimate passwords from
    prying eyes but hadn't worried about rejected passwords. John knew,
    however, that most failed passwords aren't wild guesses but rather are
    "fat-fingered," or typos. It was pretty easy to guess what
    "valentime3" was meant to be. Seconds later, John had logged onto the
    server. Three minutes after that he discovered a password file that
    listed one user's password as blank, a shortcut favored by systems
    administrators out to avoid having to type in a password hundreds of
    times daily. Now John had "root access," meaning the server recognized
    him as God. He whooped and called Jim Settle, former head of the FBI's
    computer crime squad and now CEO of Washington, DC-based security
    consultancy SST. "I'm in."
    
    Settle congratulated him, hung up and called the chief information
    officer of the corporation whose network his man had just penetrated.
    "Guess who just took over your network?" asked Settle. The man was
    stunned, but grateful. After all, he had quietly retained Settle's
    services precisely to learn if his network was vulnerable. Now he
    knew. Before Settle and his crew finished, they would find dozens of
    other ways to take control.
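
    The leak that let John in, worked through as an added example; this is
    not code from the article or from SST. Given a rejected password, it
    enumerates the one-slip corrections an attacker would try (adjacent-key
    substitutions on a QWERTY layout, swapped, dropped or doubled
    characters) and puts the ones built on a dictionary word first. The
    keyboard model and the word list are constructed here. The lesson for
    the defender is in what the attacker needs: a server that writes or
    transmits the rejected string at all. Record the username and the fact
    of the failure, never the submitted secret.

```python
"""Why a leak of rejected passwords is as bad as a leak of accepted ones.

Added example, not code from the article or from SST. The keyboard model is a
plain QWERTY layout and the word list is constructed here; rank_guesses()
returns likely intended passwords for a mistyped one, dictionary hits first.
"""

# Physical rows of a QWERTY keyboard. Each row sits roughly half a key to the
# right of the row above it, which the index offsets in neighbors() approximate.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed word list standing in for a real dictionary or name list.
WORDS = {"valentine", "password", "welcome", "summer", "orange", "dragon"}


def neighbors(ch):
    """Keys physically adjacent to `ch`: same row, row above, row below."""
    for r, row in enumerate(ROWS):
        if ch not in row:
            continue
        i = row.index(ch)
        near = set()
        for k in (i - 1, i + 1):                        # same row
            if 0 <= k < len(row):
                near.add(row[k])
        if r > 0:                                       # row above: i, i+1
            above = ROWS[r - 1]
            near.update(above[k] for k in (i, i + 1) if k < len(above))
        if r + 1 < len(ROWS):                           # row below: i-1, i
            below = ROWS[r + 1]
            near.update(below[k] for k in (i - 1, i) if 0 <= k < len(below))
        return near
    return set()                                        # not a keyboard character we model


def fat_finger_candidates(typed):
    """Every one-slip correction of `typed`: adjacent-key substitution,
    adjacent transposition, dropped character and doubled character."""
    out = set()
    for i, ch in enumerate(typed):
        for n in neighbors(ch):                         # hit the key next door
            out.add(typed[:i] + n + typed[i + 1:])
        out.add(typed[:i] + typed[i + 1:])              # an extra keystroke
        out.add(typed[:i] + ch + typed[i:])             # a missed double letter
        if i + 1 < len(typed):                          # two keys swapped
            out.add(typed[:i] + typed[i + 1] + ch + typed[i + 2:])
    out.discard(typed)
    return out


def stem(pw):
    """Strip trailing digits/symbols so 'valentine3' is checked as 'valentine'."""
    return pw.rstrip("0123456789!@#$%^&*")


def rank_guesses(typed, words=WORDS):
    """Candidates ordered so that those built on a dictionary word come first;
    an attacker tries these before the rest."""
    return sorted(fat_finger_candidates(typed),
                  key=lambda c: (stem(c) not in words, c))


if __name__ == "__main__":
    print(rank_guesses("valentime3")[:5])
```

    rank_guesses("valentime3") puts "valentine3" at the top of roughly a
    hundred candidates, which is the whole of the work John did by eye.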
    
    Though Settle's break-in took place with the victim's blessing, it
    echoes tens of thousands of malicious invasions. Each year the
    Computer Security Institute, a San Francisco-based organization of
    computer security professionals, and the FBI survey computer security
    managers at large companies and government agencies. In this year's
    survey of 538 managers, 85 percent of these organizations suffered
    security breaches; most suffered financial loss as a result. The
    average reported loss: about $2 million.
    
    That probably offers an optimistic view of the problem's scope. Settle
    has been hired by more than 60 companies to "red team" their computer
    systems, that is, to test security by breaking in the way hackers would.
    Not only did his people gain intimate access to every system, but only
    one firm even detected a breach. Moreover, the problem's not just
    corporate: according to a review by the U.S. General Services
    Administration, outsiders broke into and temporarily controlled at
    least 155 computer systems at 32 federal agencies last year.
    
    And that's not even the bad news. While computer network break-ins
    have long been almost exclusively the work of joyriding, bored
    teenagers, security and law-enforcement professionals believe the
    threat is about to shift from run-of-the-mill hackers toward
    professional criminals, industrial spies, hostile governments and
    terrorists. Eventually, say experts, computer attacks are likely to
    bankrupt companies, compromise U.S. security and perhaps even kill
    hundreds or thousands of citizens by disrupting computer control of
    anything from traffic signals to food supply transport. "These threats
    are real," says Jack Holleran, former technical director of the
    National Security Agency's National Computer Security Center and now
    an independent computer security consultant. "It's just a matter of
    when, and it will be sooner rather than later."
    
    The rising stakes have touched off an escalating stream of network
    skirmishes between those determined to break into organizations'
    computers and those charged with protecting them. Right now, the bad
    guys are winning. "Internet security is a big mess," says Bill
    Cheswick, a chief scientist at Lumeta, a Somerset, NJ,
    computer-security software firm spun off from Lucent Technologies. "It
    gets discouraging sometimes." That sobering reality has sent Cheswick
    and other top computer scientists into their labs to come up with new
    weapons for the intensifying battle.
    
    Electronic Pearl Harbor
    
    The havoc that can be wreaked online has become almost limitless.
    Unless you're living deep in the woods on fish you catch, chances are
    almost every aspect of your life is mediated through computers, from
    your train ride into work (thanks to computer-controlled track
    switches) to paying bills to relaxing in front of the television
    (which gets its juice from a computerized electric power grid). A
    terrorist organization or hostile nation that wanted to disrupt life
    in the United States, or a thief who wanted to plunder a company, has
    an embarrassment of riches to choose from, notes Pat Lincoln, director
    of the Computer Science Laboratory at nonprofit research institute SRI
    International. Lincoln, whom U.S. officials have briefed on these
    concerns, notes that though the details are classified, the government
    is carefully watching several groups and nations for warnings of
    computer attacks. "If you're recruiting people to drive trucks that
    blow up, maybe next year you'll get someone to plant an Internet
    'worm,'" says Lincoln.
    
    Possible targets of terrorist or state-sponsored attacks include
    electric power grids, natural-gas pipelines, water supplies, dams,
    hospitals and a variety of other critical facilities that could be
    paralyzed by assaults on the right computers, possibly resulting in
    widespread suffering and even death. Holleran notes that 80 percent of
    the food transported by rail in the United States crosses either of
    two bridges over the Mississippi River; even a moderate
    computer-driven mishap near one of them could potentially cause
    shortages and skyrocketing food prices. Phone service could
    increasingly be at risk, too, thanks to plans to move most voice
    traffic onto the Internet, which is far less secure than conventional
    phone networks. Banks, stock exchanges, the U.S. Social Security
    Administration and the U.S. Postal Service are also vulnerable. An
    attack on any such crucial network would serve as what security
    experts call an "electronic Pearl Harbor."
    
    Access to, or a means to disrupt, military networks would be a special
    prize in this computer cold war. "A commercial site might be willing
    to put up with a certain amount of fraudulent traffic" that slows or
    temporarily halts service, says Robert Anderson, head of the
    information sciences group at nonprofit think tank the Rand
    Corporation. "But in a military system you'd be talking about lives
    being lost." Imagine, for example, the computer-driven targeting
    displays in tanks and bombers misidentifying friendly installations as
    enemy positions, or radio command networks being disrupted, or even
    inundated with fake commands. Such infiltrations could conceivably
    influence the outcome of a war. Uncle Sam is widely believed to have
    developed its own capabilities for attacking enemy computer systems,
    but because the United States tends to be far more computer dependent
    than its overseas counterparts, we have more to lose via information
    warfare, Anderson says.
    
    Computer attacks could even become a force to reckon with in politics,
    notes AT&T Labs security expert Avi Rubin, at least if some communities
    follow through on plans to allow voting over the Internet. All a
    malicious agent would have to do is launch a mild attack that slowed
    down a vote-processing server enough to prevent a few percent of the
    ballots from getting through in a couple of districts. "It's the
    easiest type of attack one could possibly launch, and it could be
    enough to disrupt an election," says Rubin.
    
    On the business side, the attacks are less theoretical. Citibank was
    ripped off in 1994 to the tune of $10 million by a Russian computer
    whiz, who transferred the funds to his and his accomplices' accounts.
    Most of the money was eventually recovered, but experts say there have
    probably been larger, more successful computer heists at other
    financial-services companies. Why haven't we heard about them? Because
    the companies quietly bury the loss in the books as some other type of
    expense. "If someone breaks into a company's computers and gets $50
    million, the company will feel there's nothing to gain by reporting
    it," says Jon David, a senior editor of the journal Computers and
    Security and a security manager at a large financial-services firm.
    "It just makes customers and stockholders nervous."
    
    For a growing number of thieves, though, purloined corporate
    information, not money, is likely to become the currency of choice. R&D
    data, financial records, personnel files, details of upcoming
    deals: corporate servers are treasure troves of data that can be sold to
    competitors, speculators or anyone with a grudge. And of course, a few
    firms or their employees may stoop to direct computer-based espionage
    against competitors. Since hijacked information would typically be
    copied and not altered, companies might never know they've been hit.
    In a so-far-unique public case of industrial espionage allegedly
    carried out by computer, Moore Publishing, a Wilmington, DE,
    investigative firm, filed a $10 million lawsuit against Steptoe and
    Johnson, a well known Washington, DC, law firm. Settled in July 2000
    for an undisclosed sum, the suit claimed that Steptoe and Johnson
    repeatedly broke into Moore computers, allegedly in revenge for
    Moore's having bought the rights to the "steptoejohnson.com" domain
    name (which it subsequently gave up).
    
    Infinite Standoff
    
    The security war can seem like an infinite standoff; for every new
    defense researchers devise, invaders develop countermeasures, leading
    to counter-countermeasures, and so on. Fortunately, defenders don't
    have to make it impossible to break into networks; they only have to
    make getting in so difficult, or so fraught with the risk of being
    tracked down, that the bad guys think twice.
    
    Consider, for example, the most common means of breaking into a
    computer system: stealing passwords. Since employees often use a word
    or proper name as a password, would-be intruders can turn to any of
    several automated password-guessing programs freely available on the
    Web (try a search on "L0phtCrack," for example) to run through a
    dictionary full of guesses. "It just takes one user with a bad
    password to compromise a system," says Dorothy Denning, a computer
    scientist at Georgetown University.
    
    To fight back, organizations can enlist software that automatically
    rejects passwords based on words or names and forces users to change
    their passwords regularly to limit potential damage. Even safer are
    security "tokens" (devices ranging from keychain fobs that plug into
    computers to small liquid-crystal displays), which make stolen passwords less
    valuable. Tokens like those made by Symantec and San Jose, CA-based
    Secure Computing dynamically generate a new password each time a user
    needs to log in; a version made by RSA Security of Bedford, MA,
    generates a new password every minute or so in synchronization with
    servers. But even these precautions won't stop highly motivated
    malicious agents. They can fast-talk employees out of passwords by
    posing as systems administrators over the phone or simply walk through
    the offices, where they can often spot passwords that are written
    down. And acquiring a token can be as simple as stealing a purse.
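
    The two kinds of token the paragraph describes, worked through as an
    added example; this is not code from the article or from RSA, Symantec
    or Secure Computing, whose 2001 tokens used proprietary algorithms. It
    uses the later open construction of the same idea (HOTP, RFC 4226, and
    its time-synchronized form TOTP, RFC 6238): token and server share a
    seed, and each password is a truncated HMAC of the seed and either a
    login counter or the current 30-second step. The seed is the RFC
    test-vector seed, not a real secret. The server side shows the two
    checks a practitioner wants: a small window for clock drift, and a
    refusal to accept any step twice, so a password overheard in transit
    cannot be replayed.

```python
"""One-time-password tokens as the article describes them: a new password per
login (event-synchronized) or per 30-second step (time-synchronized).

Added example, not code from the article or from RSA, Symantec or Secure
Computing. This is the open HOTP/TOTP construction (RFC 4226 / RFC 6238):
HMAC-SHA1 of a counter under a seed shared by token and server.
"""
import hashlib
import hmac
import struct

SEED = b"12345678901234567890"   # RFC 4226/6238 test-vector seed, not a real secret


def hotp(seed, counter, digits=6):
    """Event-synchronized password: HMAC-SHA1(seed, counter), dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, now, step=30, digits=6):
    """Time-synchronized password: the counter is the current 30-second step."""
    return hotp(seed, int(now // step), digits)


class TokenVerifier:
    """Server side. Tolerates `window` steps of clock drift either way and
    never accepts the same step twice, so a password overheard on the wire
    is dead within a minute or so and cannot be replayed even inside that
    minute once the real user has used it."""

    def __init__(self, seed, step=30, window=1, digits=6):
        self.seed, self.step, self.window, self.digits = seed, step, window, digits
        self.last_step = -1          # highest step already consumed

    def verify(self, code, now):
        current = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_step:
                continue             # replay, or older than a step already used
            expected = hotp(self.seed, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    server = TokenVerifier(SEED)
    code = totp(SEED, 59)                 # what the token displays at t=59s
    print(code, server.verify(code, 59), server.verify(code, 59))
```

    The second verify() of the same code fails: that is the replay check,
    and it is the difference between a token and a password that merely
    changes often. Note that none of this helps if the token itself is
    stolen, which is why the paragraph above pairs tokens with a PIN or,
    later in the article, with a biometric.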
    
    A growing number of companies and government agencies are also turning
    to smart cards to limit illicit entry into their systems. Smart cards
    have embedded computer chips containing code that identifies the
    holder. Passed through a reader that can be attached to any computer,
    the smart card authorizes the holder to use that computer to access
    the network: the network will reject commands from a computer that
    hasn't been presented with an authorized smart card. Smart cards can
    also contain the "keys" required to read or send encrypted data.
    Unlike encryption keys stored on a PC, keys encoded on a smart card
    can't be stolen via the network. Even tighter access control can be
    engineered by combining smart cards with "biometric signatures" like
    fingerprints or voiceprints. RSA Security, Luxembourg's Gemplus and
    the Datacard Group in Minnetonka, MN, are among the vendors already
    selling smart cards; Siemens offers smart cards tied to a fingerprint,
    and Domain Dynamics of Swindon, England, is prototyping cards encoded
    with voiceprints.
    
    Of course, smart cards can be stolen, too, and though
    tamper-resistant, the code on embedded chips can in theory be cracked
    once a card falls into the wrong hands. One way around this weakness
    is to build the authorization chips into the innards of the computer
    itself. This way, bad guys must physically get their hands on an
    authorized computer to crack a network, a dicey proposition that even if
    successful isn't likely to go unnoticed for long. IBM, Intel,
    Hewlett-Packard, Microsoft and Compaq Computer founded the Trusted
    Computing Platform Alliance, now 170-plus members strong, to push for
    the development of such chips. The technology could be used in
    conjunction with smart cards and other security devices. "It puts a
    hardware barrier in front of a malicious software attack," says David
    Safford, manager of IBM Research's Global Security Analysis
    Laboratory. Safford estimates that in three to five years, every
    computer built will include the chips. IBM Research has also developed
    a tamperproof device that can be installed in servers, similar to the
    chips endorsed by the Trusted Computing Platform Alliance.
    
    Eventually, though, the chip has to talk to software, and some
    security experts peg that as the weak point of the Trusted Computing
    Platform Alliance's scheme. And once logged into a system, intruders
    can send commands that might coax the operating system, whether it's
    Unix, Microsoft Windows or Sun Solaris, into granting them systems
    administrator privileges. That typically includes the ability to
    examine server files, gain access to other servers, install "back
    doors" that allow easy future entry and cover their tracks by altering
    the system's logs.
    
    Operating systems can be "tightened down" to prevent this sort of
    manipulation, but most systems administrators aren't familiar with the
    approximately 300 manual programming routines the procedure requires.
    Even if they are, malicious parties can exploit newly discovered holes
    (an average of 10 new Windows vulnerabilities, for example, circulate
    around the Web each month) unless systems administrators are unusually
    diligent about updating security features. "The machines get worse
    just sitting there," notes Dan Farmer, a security consultant who has
    worked extensively for Sun Microsystems.
    
    A terrorist or industrial spy doesn't have to be proficient in the
    nuts and bolts of security hole exploitation to capitalize on these
    weaknesses. Software penetration "tool kits" that automate the process
    of invading and taking over a system can be downloaded from thousands
    of sites on the Web.
    
    To help combat marauders who exploit such server vulnerabilities,
    systems administrators can employ intrusion detection software, such
    as Cybercop from Santa Clara, CA-based Network Associates, Cisco
    Systems' Secure IDS and SRI International's Emerald. These systems
    monitor network traffic looking for sequences of commands specifically
    associated with malicious attacks, as well as out-of-the-ordinary
    command sequences or data traffic. When the software spots something
    unusual, it notifies the systems administrator, who can then decide
    whether to shut the questionable traffic down.
    
    But some attacks will be new and subtle enough to avoid detection. Or
    more commonly, invasions may be detected but ignored. Routine hackers
    and even inept legitimate users so frequently trigger current
    intrusion detection systems that many systems administrators disregard
    the alarmsor turn them off. Many of the companies Jim Settle's team
    penetrated were running high-end intrusion detection software costing
    $100,000 or more but for one reason or another didn't recognize the
    attack.
    
    To counteract these glitches, researchers at Sandia National
    Laboratories, Network Associates and Cisco are working on intrusion
    detection systems that do a better job of differentiating false alarms
    and amateurish attacks from serious invasions. Some systems under
    development will even be able to analyze activity across a network to
    distinguish isolated attacks from the sort of massive, coordinated
    assaults that tend to be more damaging, says Fred Cohen, a security
    consultant and Livermore, CA-based Sandia researcher who coined the
    term "computer virus." Future intrusion detection systems, he notes,
    will also make the network "self-coordinating": when a particular
    server is under attack, the network will place similar servers on high
    alert, or even shut them down, under the assumption that the attacker
    will attempt to exploit related vulnerabilities. Cohen has been
    working on ways to allow intrusion detection systems to recognize
    "slow attacks," an especially subtle and hard-to-spot technique in
    which an attack is purposely spread out over hours or even days to
    avoid triggering conventional alarms. "Most organizations have been
    ignoring that problem, because they have their hands full just
    recognizing attacks that occur in real time," he says.
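
    The slow-attack problem Cohen describes, as an added example that is
    not code from the article or from Sandia, Cisco or Network Associates:
    a detector that runs two rules over a firewall log, one looking at a
    minute of history per source and one at a day. The log lines and the
    three hosts are constructed here. The burst rule is what a conventional
    port-scan signature does; the slow rule keeps enough history to catch a
    scanner that spaces its probes half an hour apart. Both count distinct
    destination ports rather than raw events, so a chatty but legitimate
    client does not trip them, which is the false-alarm problem the
    preceding paragraphs describe.

```python
"""Burst-scan and slow-scan detection over a firewall log.

Added example, not code from the article or any IDS vendor. The log format and
the traffic of the three hosts below are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def make_log():
    """Constructed log: a burst scanner, a slow scanner and a legitimate client."""
    t0 = datetime(2001, 10, 23, 0, 0, 0)
    events = []
    for n in range(15):                       # 10.0.0.9: 15 ports in 15 seconds
        events.append((t0 + timedelta(seconds=n), "10.0.0.9", 20 + n))
    for n in range(12):                       # 10.0.0.5: one new port every 30 min
        events.append((t0 + timedelta(minutes=30 * n), "10.0.0.5", 100 + n))
    for n in range(200):                      # 10.0.0.7: web client, 80/443 all day
        events.append((t0 + timedelta(minutes=3 * n), "10.0.0.7", 80 if n % 2 else 443))
    events.sort()
    return ["%s src=%s dport=%d action=SYN" % (ts.strftime(LOG_FORMAT), src, port)
            for ts, src, port in events]


def parse(line):
    """'2001-10-23T00:00:00 src=10.0.0.9 dport=20 action=SYN' -> (ts, src, port)."""
    ts, src, dport, _action = line.split()
    return (datetime.strptime(ts, LOG_FORMAT),
            src.split("=", 1)[1],
            int(dport.split("=", 1)[1]))


def detect(lines, burst_window=timedelta(minutes=1),
           slow_window=timedelta(hours=24), threshold=10):
    """Return {src: set of rule names} for sources that touched at least
    `threshold` distinct ports inside either window. Lines are in time order."""
    history = defaultdict(deque)              # src -> (ts, port), oldest first
    alerts = defaultdict(set)
    for line in lines:
        ts, src, port = parse(line)
        q = history[src]
        q.append((ts, port))
        while q and ts - q[0][0] > slow_window:   # forget anything older than a day
            q.popleft()
        for rule, window in (("burst", burst_window), ("slow", slow_window)):
            ports = {p for t, p in q if ts - t <= window}
            if len(ports) >= threshold:
                alerts[src].add(rule)
    return dict(alerts)


if __name__ == "__main__":
    for src, rules in sorted(detect(make_log()).items()):
        print(src, sorted(rules))
```

    Run on the constructed log, 10.0.0.9 trips both rules, 10.0.0.5 trips
    only the slow one (a minute of history never holds more than one of its
    probes), and the web client trips neither despite generating far more
    log lines than either scanner. The cost of the slow rule is the state it
    keeps, which is exactly what Cohen means by organizations having their
    hands full with real-time detection.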
    
    Cohen is also among those working on another method to defend servers:
    so-called deception techniques. These involve setting the network up
    not merely to resist intruders but also to confuse and mislead
    them, preventing them from causing damage and making it easier to
    monitor their activities. For example, an intruder will normally use
    software to scan a network for open ports, typically resulting in a
    list of 30 or so gateways that can be explored for vulnerabilities.
    One deception technique is to have the network automatically reply to
    a port scan with a list of a million or more ports, far more than even
    the most motivated agent is likely to sift through looking for
    weaknesses. Organizations that want to go all out can even set up
    entire databases of phony information that are made available to
    anyone trying to improperly access the system.
    
    Cohen notes that some security professionals have shied away from
    deception techniques out of concern that legitimate users will be
    fooled or inconvenienced, but he disagrees. "We've been experimenting
    with the techniques for four years on our networks, and we haven't
    seen one case where a user wasted time because of them, or as far as
    we know, one case where an attacker got to real data," he says. Cohen
    currently gives away some deception software on his Web site, and
    security firm Recourse Technologies of Redwood City, CA, sells a
    product called ManTrap, probably the most sophisticated deception
    system available commercially. But Cohen says more advanced systems
    are generally built in-house because they require a great deal of
    customization and maintenance.
    
    In an effort to identify network vulnerabilities before invaders
    exploit them, companies can run software designed to ferret out and
    flag flaws. For example, Bill Cheswick's group at Lumeta sends a
    barrage of specially tagged packets of data from inside an
    organization's network to servers outside the network, and vice versa.
    The software then points out any network servers that let traffic move
    through in both directions. Such "leaky" servers represent an easy way
    in for intruders, and for malicious software like the Code Red worm that
    infected servers worldwide last summer. "The way companies usually
    find out about leaky servers is when a worm like Code Red spreads
    throughout the network," notes Cheswick. "If your network is tight,
    you should never see anything like Code Red inside. But it ran through
    all kinds of organizations."
    
    Cybercrime's Next Frontier
    
    Even when security professionals manage to defend existing networks,
    the ever increasing demand for more access by legitimate users creates
    new vulnerabilities. Take the explosion in wireless data networks,
    which allow an organization's employees to exchange messages and other
    data while wandering around with laptops and other devices. These
    networks provide malicious agents with "the next great frontier" for
    cybercrime, says Padgett Peterson, a Lockheed Martin security expert.
    The Internet is lousy with instructions for breaking into cell phones,
    pagers and personal digital assistants like the Palm. Intruders can
    also try "war-driving," which involves cruising the roads around
    corporate or government strongholds with equipment that intercepts
    wireless data transmissions; no passwords needed.
    
    In an attempt to defeat such drive-by hacking, many wireless networks
    incorporate the popular Wired Equivalent Privacy protocol, which
    scrambles all data sent over the network. Unfortunately, AT&T
    researchers led by Avi Rubin and guided by theoretical work published
    by researchers at Cisco and the Weizmann Institute in Israel cracked
    the scheme in August, essentially rendering it useless. Rubin suggests
    replacing the approach with a technique compatible with the new (and
    so far impenetrable) Advanced Encryption Standard expected to be
    adopted by government agencies by year's end. But this won't be much
    consolation to organizations that have already invested millions of
    dollars in setting up their wireless networks. "When the new standard
    comes out, all the wireless PC cards and base stations will have to be
    replaced," says Rubin.
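
    What the AT&T team exploited, reduced to an added example that is not
    the article's or the researchers' code. WEP encrypts each frame with
    RC4 under a per-frame key made of a 24-bit initialization vector, sent
    in the clear, followed by the shared secret. Fluhrer, Mantin and Shamir
    showed that for IVs of the form (a+3, 255, x) the first keystream byte
    leaks secret byte a with roughly five percent probability, and since
    every frame starts with the same known plaintext byte (the 0xAA of the
    802.2 SNAP header) an eavesdropper gets that keystream byte for free
    and can vote on the key one byte at a time. Everything below is
    simulated: the frames are generated rather than captured, the 40-bit
    secret is made up, and a frame is reduced to its IV and first
    ciphertext byte. The same loop handles 104-bit keys, since it runs over
    however many secret bytes there are.

```python
"""Why WEP fell: RC4 keyed with a cleartext 24-bit IV prepended to the shared
secret lets an eavesdropper vote on the secret one byte at a time
(Fluhrer-Mantin-Shamir).

Added example, not code from the article or from the AT&T, Cisco or Weizmann
researchers. Simplifications: a frame is (iv, first ciphertext byte); the
known first plaintext byte is the SNAP header 0xAA; the secret is made up.
"""


def ksa(key):
    """RC4 key scheduling: the permutation S derived from the key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_first_byte(key):
    """First byte of the RC4 keystream, which is all the attack needs."""
    s = ksa(key)
    i, j = 1, s[1]
    s[i], s[j] = s[j], s[i]
    return s[(s[i] + s[j]) % 256]


def wep_first_byte(iv, secret, plain=0xAA):
    """WEP per-frame key is iv || secret; encrypt the known first plaintext byte."""
    return plain ^ rc4_first_byte(list(iv) + list(secret))


def fms_votes(frames, known, a):
    """Votes for secret byte `a`, given secret bytes 0..a-1 in `known`.

    Run the first a+3 KSA steps (IV plus known bytes). If the state is
    'resolved' (S[1] < a+3 and S[1] + S[S[1]] == a+3), then with ~5%
    probability the rest of the KSA never touches those cells, the first
    keystream byte O equals S[j'] for the next step's j', and therefore
    K[a+3] = index_of(O in S) - j - S[a+3]. Other IVs vote roughly uniformly.
    """
    target = a + 3
    votes = [0] * 256
    for iv, c in frames:
        key = list(iv) + list(known)
        s = list(range(256))
        j = 0
        for i in range(target):
            j = (j + s[i] + key[i]) % 256
            s[i], s[j] = s[j], s[i]
        if not (s[1] < target and s[1] + s[s[1]] == target):
            continue
        out = c ^ 0xAA                                  # keystream byte via known plaintext
        votes[(s.index(out) - j - s[target]) % 256] += 1
    return votes


def recover_key(frames, key_len, check_frames, beam=4):
    """Recover the secret byte by byte. Each position tries its top `beam`
    vote-getters and backtracks; a full key is accepted only if it encrypts
    every check frame's known first byte to the captured ciphertext."""
    def verify(key):
        return all(wep_first_byte(iv, key) == c for iv, c in check_frames)

    def search(known):
        if len(known) == key_len:
            return known if verify(known) else None
        votes = fms_votes(frames, known, len(known))
        for cand in sorted(range(256), key=lambda k: -votes[k])[:beam]:
            found = search(known + [cand])
            if found is not None:
                return found
        return None

    return search([])


SECRET = [0x1F, 0x4A, 0xC3, 0x07, 0xB9]   # constructed 40-bit WEP key for the simulation


def weak_iv_frames(secret):
    """Frames whose IVs have the FMS form (a+3, 255, x), one per x and per a."""
    frames = []
    for a in range(len(secret)):
        for x in range(256):
            iv = (a + 3, 255, x)
            frames.append((iv, wep_first_byte(iv, secret)))
    return frames


def ordinary_frames(secret, n=8):
    """A few frames with unremarkable IVs, used only to confirm a candidate key."""
    return [((i, 17, 200 - i), wep_first_byte((i, 17, 200 - i), secret)) for i in range(n)]


if __name__ == "__main__":
    key = recover_key(weak_iv_frames(SECRET), len(SECRET), ordinary_frames(SECRET))
    print("recovered:", [hex(b) for b in key])
```

    The vote-and-verify structure is what a real cracker does too: the
    voting is statistical, so a few candidates per byte are tried against
    ordinary frames carrying the same known plaintext before a key is
    reported. That the key comes out of a few hundred weak-IV frames per key
    byte, passively and with no brute force, is what "rendering it useless"
    means in practice; no key length fixes it, which is why the replacement
    Rubin describes had to change the cipher mode, not the key size.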
    
    But no matter how successfully such technologies fend off existing
    threats, no end to the security wars is in sight. That's because
    experts can't predict perfectly what tricks criminals, spies and
    saboteurs will come up with next to turn our reliance on computers
    against us. "I'm always surprised by what the next threat turns out to
    be," says Lockheed Martin's Peterson.
    
    To guard against threats that pros haven't even imagined yet, Peterson
    advocates a different sort of defense: rethinking the basic
    architecture of organizational networks. Conventional corporate
    network architecture, he says, affords employees fairly open access to
    internal databases, while attempting to place generally ineffective
    restrictions on connections to the outside world. Under that scheme,
    he says, a malicious agent need only gain access to an employee's
    computer in order to get into the databases.
    
    Under the plan Peterson supports, users would have relatively open
    access to the outside world, while databases and other files are
    placed under severe and closely monitored restrictions. That way, an
    invader could take over Internet servers and employees' computers but
    still couldn't gain access to the databases and files, because nobody
    gets free access. "You have to be willing to reverse your thinking,"
    Peterson says. "Not many people are."
    
    There's another weakness to address: law enforcement's limited ability
    to respond to computer security threats. Despite increasing security
    efforts in both the private and public sectors, sophisticated invaders
    can more or less operate without fear of being tracked down, even if
    they are detected. "Law enforcement and systems administrators are
    always behind the curve," says Settle. Experts agree that the FBI,
    which bears much of the federal responsibility for responding to
    computer attacks, is woefully ill equipped to deal with computer crime
    and terrorism. "If that's where our expertise lies, we're in trouble,"
    says Computers and Security editor David. That's another reason most
    companies don't bother to report break-ins when they manage to detect
    them. In the Computer Security Institute and FBI survey, only 36
    percent of the companies that admitted to being hit said they reported
    the crime to law enforcement.
    
    It may be, says security consultant Farmer, that the only reason we
    haven't been victimized by a much more intense barrage of computer
    assaults is that most professional criminals and terrorists still
    perceive conventional physical attacks like armed robbery and bombings
    as providing more reliable payoffs. "That will change as we move our
    critical infrastructures online," he asserts.
    
    In the end, the solution may be to rethink what the Internet is good
    for, as Lockheed Martin's Peterson suggests. Just as savvy travelers
    know not to pack irreplaceable possessions in a checked suitcase or
    walk in an urban park after dark, so organizations and individual
    users will recognize that highly sensitive data shouldn't be sitting
    on easily accessed servers. "Security probably won't improve in a
    technical sense," says Farmer. "Only in a social sense."
    
    As for less sensitive information, well, organizations may need to
    accept the notion that the advantages of keeping it accessible
    outweigh the pain of occasionally having it swiped. Consider it a cost
    of doing business in a wired world; or to put it another way, an
    acceptable casualty of electronic war.
    
    David H. Freedman, a contributing writer to Technology Review, is a
    senior writer at eCompany Now. His work has appeared in the Atlantic
    Monthly, the New York Times, Wired, the Harvard Business Review and
    many other publications.
    
    
    