[ISN] Lost in cyberspace

From: InfoSec News (isnat_private)
Date: Tue Mar 04 2003 - 23:54:04 PST


    Forwarded from: William Knowles <wkat_private>
    By Brendan I. Koerner
    March 3, 2003
    Seemingly innocuous movies occasionally have nasty, unintended
    consequences. Jaws creator Peter Benchley, for example, believes his
    tale of underwater mayhem has driven mankind to hunt several lethal
    shark species to the brink of extinction. Jodie Foster's bawdy turn in
    Taxi Driver helped stir would-be Reagan assassin John Hinckley Jr. to
    violence. And the 1983 Matthew Broderick vehicle WarGames convinced
    everyone that a lone hacker can wipe out the West Coast as easily as
    booting up Excel.

    HOW ELSE TO explain the credulity with which the Bush administration's
    National Strategy To Secure Cyberspace was greeted last month? The
    76-page document is chock full of what computer-security experts term
    "FUD" - geek shorthand for spreading bogus "fear, uncertainty, and
    doubt." Never mind that the hype over alleged "cyberterrorism" has
    been thoroughly debunked, time and time again. The government's
    information technology sages still trot out dubious stats in support
    of a looming "cyberwar," claiming that hostile nations possess legions
    of computer-savvy shock troops ready to knock out New York's
    electricity, zap the nation's phone lines, or open up the Hoover Dam.

    Yet here we are in 2003, and the cyberterrorism casualty list is still
    barren. Sure, some Serb hackers slowed down the NATO Web site during
    the Kosovo conflict, and a couple of Chinese hackers defaced sites in
    the wake of their country's embassy being bombed. But, honestly, did
    either incident get you quaking in your Keds?

    Still, the Bush Strategy does its best to play up the drama. It notes,
    for example, that "Identified computer security vulnerabilities -
    faults in software and hardware that could permit unauthorized network
    access or allow an attacker to cause network damage - increased
    significantly from 2000 to 2002, with the number of vulnerabilities
    going from 1,090 to 4,129." Scary-sounding, yes, but virtually
    meaningless. The generally accepted bug rate for software is between
    five and 15 errors per 1,000 lines of code, which means that your
    typical Windows operating system probably has close to 300,000
    potential "vulnerabilities." Not every bug is exploitable, but you get
    the picture - mass-produced software has always been woefully
    insecure, and those 4,129 reported holes represent only a tiny
    fraction of the total.

    But the increase in reported vulnerabilities is actually a good thing
    for computer security since it allows for patches to be designed. So
    this stat works against the report's case that (as Bush writes in his
    intro) "threats in cyberspace have risen dramatically." Besides, the
    vast majority of attacks exploit less than a dozen major
    vulnerabilities. If system administrators simply took the time to
    patch those well-publicized problems, the Strategy might have clocked
    in at a more readable length.

    The Strategy employs some fuzzy math to amp up the peril, stating that
    "one estimate places the increase in cost to our economy from attacks
    to U.S. information systems at 400 percent over four years." There's
    no footnote as to where this estimate comes from, nor any mention of
    what dollar amount will be quadrupled. The report does quickly add,
    however, that "While those losses remain relatively limited, that too
    could change abruptly."

    Such hypothetical changes are a big theme throughout. The report makes
    a big deal out of recent worm attacks like NIMDA, then backtracks by
    adding, "Despite the fact that NIMDA did not create a catastrophic
    disruption to the critical infrastructure." - Or there's this nugget:
    "In wartime or crisis, adversaries may seek to intimidate the nation's
    political leaders by attacking critical infrastructures and key
    economic functions or eroding public confidence in information

    The notion that hackers could disrupt basic services is a favorite
    scare tactic of the National Infrastructure Protection Center, formed
    by President Clinton to combat the cyberterror menace. NIPC is also
    one of the most ineffectual bureaucratic agencies ever to come down
    the pike. (Check out this site for a full account of NIPC's [1]
    foibles.) Despite ostensibly being staffed by the nation's best and
    brightest cyberwarriors, NIPC has never bothered to mention that
    mission-critical systems are not designed for remote operation, which
    makes the whole Hoover Dam scenario implausible at best. Of course,
    toning down the hyperbole could mean fewer funds for NIPC, so why
    bother? (Richard Clarke, Clinton's cybersecurity czar during NIPC's
    formative years, is responsible for one of my favorite FUD quotes of
    all time: "An attack on cyberspace is an attack on the United States,
    just as much as a landing on New Jersey." Uh-huh.)

    To be fair, law enforcement is not the only entity beating the
    cyberterror drum. The computer-security industry is well-versed in
    hyping the threat, from making their self-serving "experts" available
    whenever another virus hits to planting hoaxes in the press, such as
    McAfee's notorious "JPEG virus scam." Industry representatives spout
    ridiculously high estimates for cyberattack damages, such as the $1.2
    billion price tag for the February 2000 "Mafia Boy" denial-of-service
    attacks; that number included the short-lived loss of market
    capitalization ascribed to the attacks. Microsoft (which owns Slate)
    is guilty of some particularly egregious FUDing. Last February, the
    Microsoft-led Business Software Alliance published a survey claiming
    that a major cyberattack would be launched against the United States
    within 12 months and that Uncle Sam should be sure to stock up on the
    latest security products. The deadline passed with nary an apology
    from the BSA.

    But it's the government that circulates the real doozies. Absent any
    actual proof of cyberterrorism's existence, the Strategy dredges up an
    old myth regarding a series of 1998 attacks on the Pentagon, NASA, and
    several research labs. "The intrusions," we're told, "were targeted
    against those organizations that conduct advanced technical research
    on national security, including atmospheric and oceanographic topics
    as well as aircraft and cockpit design."

    What's really being discussed here, however, is an amalgamation of
    several different incidents. One involves three teens - two
    Californians and an Israeli - who managed to hack their way into some
    unclassified Pentagon payroll files and some worthless dot-mil sites.
    Another is a shadowy Russian-based operation that the Department of
    Defense nicknamed "Moonlight Maze" and that the press characterized as
    a potential WarGames scenario - at least until DOD itself admitted
    that nothing of value was compromised. The last involved a gang
    calling itself the "Masters of Downloading," which claimed to be able
    to "take control" of NASA satellites. This claim, too, was
    discredited. (Meanwhile in the offline world, a man posing as a CIA
    agent was able to tour sensitive NASA buildings for eight months
    before his ruse was discovered.)

    None of this is to suggest that computer security isn't a problem.
    Corporate networks, in particular, are far from locked-down, and
    economic crime is an increasing headache for e-commerce enterprises
    and financial institutions alike. Occasionally it seems as if every
    credit card number in the world will eventually wind up in the hands
    of computer-savvy Russian teen-agers. And, yes, the Strategy does make
    a few smart recommendations to deal with such issues, such as
    organizing a nationwide program to better train system administrators.

    But the bulk of the report's solutions are lame. Most are meaningless
    jargon, such as suggesting that "future components of the cyber
    infrastructure are built to be inherently secure and dependable for
    their users." A fantastic sentiment, but as mushy as stating that the
    president is "for the children." What about making software vendors
    liable for bug-ridden products? Or rooting out insecure Microsoft
    products like the troubled SQL server in favor of more secure
    open-source solutions like OpenBSD?

    Nothing so bold is forthcoming in the Strategy. Which is yet another
    indicator that the czars of national computer security are perfectly
    content to tease out the hyperbole in perpetuity. The bigger the
    perceived threat, the greater their importance inside the Beltway.

    Brendan I. Koerner is a fellow at the New America Foundation.

    [1] http://vmyths.com/resource.cfm?id=26&page=1

    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 03:08:51 PST