[ISN] Red alert on the e-war front

From: InfoSec News (isnat_private)
Date: Wed Jul 16 2003 - 00:46:11 PDT


    http://www.newscientist.com/hottopics/tech/article.jsp?id=24024800
    
    By Duncan Graham-Rowe 
    New Scientist Magazine   
    05 July 03
    
    I'M SITTING in a swanky conference room in Washington DC, surrounded
    by 65 computer experts from several businesses, and just about every
    US government agency and branch of the military. Normally their job is
    to defend the computer networks of such weighty establishments as the
    Department of Defense, the FBI, the National Security Agency, Air
    Force Intelligence, the Marine Corps and several large corporations.  
    But everyone has switched allegiance. Today, we're the bad guys.
    
    We have enrolled in hacking school. Using only our cunning and some
    basic software tools downloaded from the internet, we are about to
    learn about breaking into computer networks. The reason so many
    military, security and corporate bodies have sent people along to this
    event is a growing concern that the US is vulnerable to a full-scale
    electronic attack. In February, President Bush published a "National
    Strategy to Secure Cyberspace". It pointed out that, given a malicious
    intent, potential adversaries now have access to internet-based tools
    that could seriously harm the nation's infrastructure. We are not
    talking here about simply defacing a website or putting it out of
    action for a few hours. With networked computers running the phone
    lines, air traffic systems, water supply, dams, power stations,
    financial markets and services, food distribution, communications,
    healthcare and emergency services, a return to the Stone Age could be
    just a few hacks away. "Waiting to learn of an imminent attack before
    addressing important critical infrastructure vulnerabilities is a
    risky and unacceptable strategy," the report says. "Cyber attacks can
    burst onto the Nation's networks with little or no warning and spread
    so fast that many victims never have a chance to hear the alarms."
    
    "It's not a matter of if, it's a matter of when," says Winn Schwartau,
    head of the Florida-based security consultancy Interpact, and joint
    organiser of this event. And so my co-conspirators, reasoning that it
    makes sense to err on the side of caution, have turned out here to
    learn the art of hacking: getting to know how their enemies might work,
    and so making themselves better able to work out strategies to foil
    them.
    
    The plush surroundings aside, the technical set-up we have in front of
    us is highly realistic, says Tim Rosenberg of White Wolf consultants,
    co-organiser of this cyber-war game. It includes a miniature version
    of the internet, with a bogus company network on one end and ourselves
    on the other. "The only unrealistic thing is that we know that you're
    coming," Rosenberg says.
    
    Of course, Schwartau and security consultants like him could be (and
    have been) accused of hyping the problem; there are books to be sold,
    courses to be run and lucrative cyber-defence contracts to gain. Much
    of the concern about cyber-terrorism seems to be fired by anecdotes
    about hacks or attempted hacks, or even just hackers sniffing around
    the power companies. It's hard to find any concrete evidence that a
    cyber-attack is imminent.
    
    But even if there is a plausible threat, couldn't we ensure that all
    critical networks are kept securely cut off from the rest of the
    world? Unfortunately, the answer is no. Many companies, including the
    utilities, rely on their interconnectedness to trade. Even the air
    traffic control system is not entirely disconnected. According to
    Daniel Mehan, the US Federal Aviation Administration's assistant
    administrator for information services, it is no longer practical to
    completely separate air traffic management networks from the rest of
    the world; it would simply be too expensive to set up. "It's very,
    very hard to get at the air traffic system," says Mehan. "But you will
    never develop a system that can't have any intrusion ever."
    
    One source of vulnerability comes from a class of programs called
    SCADAs, which stands for supervisory control and data acquisition
    systems. It is programs of this type that allow electricity, gas and
    water supply networks to be managed from a central control point. "It
    used to be the case that we'd open floodgates by turning a wheel,"
    says Howard Schmidt, vice-chair of the Critical Infrastructure
    Protection Board, set up by President Bush in October 2001. "Today
    it's done through a keyboard, often through a remote system."
    
    SCADAs used to be home-grown, purpose-built systems, closed off from
    the rest of the world. But now, as companies come under increasing
    pressure to maximise profits, hardly anyone can afford to use
    custom-built software any more. "The Chinese use the same SCADA
    vendors as they use here in America," says Bill Flynt, formerly the
    director of homeland infrastructure security threats office for the US
    Army, and now at TRC Solutions, a security company based in Kansas
    City, Missouri. That has left us with generic SCADAs, gateways into
    the companies, operating on publicly accessible networks. These days, one
    cyber-attack fits all.
    
    It is now 5 years since the Clinton administration started paying
    attention to the claims that the US was vulnerable to a cyber-attack.  
    The first response was to issue a directive called the Presidential
    Decision Directive 63, Protecting America's Critical Infrastructures,
    which called for national centres to be established to warn of
    computer attacks and respond to them. The trouble is that no one
    seemed to want to get involved.
    
    Clinton's solution was to try to enlist the help of the private sector
    by setting up information-sharing networks. It also encouraged
    companies to invest more seriously in IT security, something they had
    previously been unwilling to do. The idea was that a central
    organisation run by the FBI would be used by companies to share
    information about any threats, weaknesses, viruses or oddities they
    spotted.
    
    Unfortunately many companies didn't reckon there was much in it for
    them. The FBI appeared willing to receive information but was less
    forthcoming when it came to handing it out. For many companies, the
    idea that they and their competitors might share sensitive information
    with the same third party went wholly against the grain. With no
    satisfactory way to deal with it, cyber-security problems remained
    just one of the costs of doing business and certainly not something to
    let the shareholders know about. "Less than 10 per cent of
    cyber-crimes get investigated because CEOs are reluctant to get the
    police involved," says Harris Miller, president of the Information
    Technology Association of America.
    
    Does it really only take a few point-and-clicks to bring down a
    superpower? No. At the very least, such a task would require an
    enormous number of highly trained, highly motivated terrorists working
    in a closely coordinated and meticulously planned attack. And even
    given this scenario, some consultants, such as James Lewis of the
    Center for Strategic & International Studies, an independent public
    policy research institute, say that the threats have been wildly
    overstated.
    
    Lewis's assessment of cyber-terrorism, published last December,
    concludes that "the Internet is a new thing, and new things can appear
    more frightening than they really are." Power companies are used to
    dealing with sudden problems such as fallen power lines or computer
    malfunctions, he points out. Temporary failures are almost routine,
    yet most of the time people on the outside know nothing of any
    difficulties. While 70 per cent of US power companies had suffered
    cyber-attacks in the first six months of 2002, none of the attacks had
    caused a power failure. The idea that a cyber-attack could cripple the
    entire nation doesn't hold up, Lewis says.
    
    Whatever the truth about the credibility of the threat, many companies
    are preparing themselves to deal with such an attack, Schwartau says:
    try one and you might be in for a surprise. Although using electronic
    countermeasures is illegal, many companies have apparently put
    programs in place that respond to an attack by disabling the attacking
    computers.
    
    Have they thought this through? If there's one thing I've learned in
    hacking school, it's that hackers take over other people's machines
    and hide behind them. If cyber-war does break out, who knows what
    damage an electronic counter-attack could do to the very critical
    infrastructure it is trying to protect? Friendly fire and collateral
    damage may be about to go digital.
    
    
    
    Date & Time Monday, 0800 hours
    
    We've barely slept for days. But our reconnaissance is now complete;
    finally, we can begin. My personal objective is simple: break into an
    electrical power company, bring down as much of the electricity grid
    as I can, and plunge a large part of the US into darkness. While I do
    this, my accomplices will attack the rest of the grid and other parts
    of the country's critical infrastructure: the banks, the transport
    systems, utilities, communications, food supply, and so on. Our aim:
    total disruption.
     
     
    
    Date & Time Monday, 1400 hours
    
    If I'm to do any serious damage I need to become god of the computer
    network I'm attacking. If I can pose as the network's administrator I
    can then do pretty much what I want to any computer on the network:
    change passwords, delete files, even bring the entire network down.
    All I need to do is get my hands on the file called sysadmin, the
    system administrator's access file. But to do this, I need to get
    inside the company's machines.
    
    Any computer connected to the internet needs an Internet Protocol (IP)  
    address to identify itself, and my reconnaissance has already told me
    which IP addresses have been allocated to the company I'm targeting.
    That's not hard, as IP addresses are publicly available. Some of these
    computers function as website or email servers and will talk to
    anyone. Machines intended solely for company use will be more picky,
    and the sysadmin file is almost certainly going to be behind one of
    these computers.
    
    To find the hidden computers, I use one of the many programs that were
    originally developed for system administrators to use across a network
    but have since become one of the mainstays of every hacker's arsenal.
    These programs can usually be freely downloaded from the net. The one
    I'm using scans a list of IP addresses like a roll-call, shouting out
    IP addresses to see who's out there. Any machine that fails to
    respond must be a protected system that is deliberately trying to
    remain invisible. Sure enough, one IP address on my target system
    fails to respond.
    
    Another scanning program tells me what kinds of task the machines are
    being used for. One operates the file transfer protocol (FTP), another
    is an email server and another is a Microsoft Internet server and
    probably hosts the company's website. This, I decide, is going to be
    my back door into the network.
     
     
    
    Date & Time Monday, 2100 hours
    
    Once inside the company network, I need to find out how other company
    computers address the computer where sysadmin resides. A sure-fire way
    to find out is to take over a router somewhere on the internet between
    me and the company's network. Routers are vital parts of the internet
    that direct data traffic around the net. The machine that wouldn't
    respond when I sent out its IP still has to use the internet somehow,
    so the router will be aware of it and it will respond to calls from
    the router.
    
    Fortunately for an attacker like me, routers are designed to be
    accessed remotely, so that engineers can maintain large numbers of
    them from a single location. Using a program downloaded from the
    Internet I find the router I'm looking for. I try accessing it by
    pretending to be a network engineer. If I'm lucky the username and
    passwords I need to do this will still be set to their default
    settings. Far too often this is the case. After trying a few obvious
    ones, "password" and "1234", I get lucky. In fact the password turned
    out to be the moniker of the router.
    
    Now I am in a position to do some damage. Taking control of the
    router, as I have done, is like taking control of the points at a
    railway junction. Instead of misdirecting trains, I would be
    controlling data. I could, if I wanted to, stop any internet traffic
    entering or leaving this company. This kind of attack, called "denial
    of service", is estimated to cost the US economy alone millions of
    dollars a year. I'm not tempted by this option, however; I'm intent on
    getting inside the company's network. Now I can simply ask the router
    which computers it can "see". And because this request is coming from
    a router, it doesn't trigger any of the systems that are supposed to
    detect intruders. Sure enough, I see the IP address of the computer
    I'm after and the router gives the name it is known by on the network
    I'm attacking. I am ready for the assault.
     
     
    
    Date & Time Tuesday 0900 hours
    
    I am about to attack the web server. I dig out the name of the
    webmaster; I found it listed on the website, along with his email
    address. The first part of the address is most likely his login to the
    system, but I still need a password. After a few failed guesses I
    decide to go for a good old-fashioned brute-force approach: it's time
    to roll out the password cracker, a program that will attempt millions
    of possible passwords for you, starting with the obvious ones.
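    Two of the behaviours the diary describes, the roll-call scan of a
    block of addresses and the password cracker hammering one account, are
    easy to spot on the defending side because both are bursts of repeated
    events from one source. The detector below is an added example, not
    code from the article or from the course organisers; it assumes a
    simple "timestamp action src dst [user]" log format, constructed sample
    lines using documentation address ranges, and thresholds picked for
    illustration (eight distinct targets in a minute, five failures in five
    minutes).

```python
"""Sliding-window detectors for a host sweep and a login brute force.
Added example; the log format, addresses and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SWEEP_WINDOW = timedelta(seconds=60)   # assumed: distinct targets per source
SWEEP_DISTINCT_HOSTS = 8
BRUTE_WINDOW = timedelta(minutes=5)    # assumed: failed logins per account
BRUTE_FAILURES = 5

# Constructed sample log in the assumed "timestamp action src dst [user]" format.
SAMPLE_LOG = [
    # host sweep: one source probes ten addresses inside a minute
    "2003-07-14T08:00:00 probe 198.51.100.7 203.0.113.10",
    "2003-07-14T08:00:02 probe 198.51.100.7 203.0.113.11",
    "2003-07-14T08:00:04 probe 198.51.100.7 203.0.113.12",
    "2003-07-14T08:00:06 probe 198.51.100.7 203.0.113.13",
    "2003-07-14T08:00:08 probe 198.51.100.7 203.0.113.14",
    "2003-07-14T08:00:10 probe 198.51.100.7 203.0.113.15",
    "2003-07-14T08:00:12 probe 198.51.100.7 203.0.113.16",
    "2003-07-14T08:00:14 probe 198.51.100.7 203.0.113.17",
    "2003-07-14T08:00:16 probe 198.51.100.7 203.0.113.18",
    "2003-07-14T08:00:18 probe 198.51.100.7 203.0.113.19",
    # benign: a monitoring host checks two servers
    "2003-07-14T08:05:00 probe 192.0.2.5 203.0.113.10",
    "2003-07-14T08:05:01 probe 192.0.2.5 203.0.113.12",
    # brute force: six failed logins against one account in under four minutes
    "2003-07-14T09:00:00 login-fail 198.51.100.7 203.0.113.12 webmaster",
    "2003-07-14T09:00:40 login-fail 198.51.100.7 203.0.113.12 webmaster",
    "2003-07-14T09:01:20 login-fail 198.51.100.7 203.0.113.12 webmaster",
    "2003-07-14T09:02:00 login-fail 198.51.100.7 203.0.113.12 webmaster",
    "2003-07-14T09:02:40 login-fail 198.51.100.7 203.0.113.12 webmaster",
    "2003-07-14T09:03:20 login-fail 198.51.100.7 203.0.113.12 webmaster",
    # benign: one typo by another user, then a successful login
    "2003-07-14T09:10:00 login-fail 192.0.2.9 203.0.113.12 alice",
    "2003-07-14T09:10:05 login-ok 192.0.2.9 203.0.113.12 alice",
]


def parse_line(line):
    """Split one log line into a dict; 'user' is None for probe records."""
    fields = line.split()
    return {
        "ts": datetime.fromisoformat(fields[0]),
        "action": fields[1],
        "src": fields[2],
        "dst": fields[3],
        "user": fields[4] if len(fields) > 4 else None,
    }


class SlidingWindow:
    """Keeps, per key, the events seen inside the last `window` of time."""

    def __init__(self, window):
        self.window = window
        self._events = defaultdict(deque)  # key -> deque of (ts, value)

    def add(self, key, ts, value):
        """Record an event and return (events in window, distinct values)."""
        dq = self._events[key]
        dq.append((ts, value))
        while dq and ts - dq[0][0] > self.window:   # expire old events
            dq.popleft()
        return len(dq), len({v for _, v in dq})


def detect(lines):
    """Run both rules over log lines; each (rule, key) pair alerts once."""
    sweeps = SlidingWindow(SWEEP_WINDOW)
    brute = SlidingWindow(BRUTE_WINDOW)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev["action"] == "probe":
            # sweep rule: one source touching many distinct destinations
            _, distinct = sweeps.add(ev["src"], ev["ts"], ev["dst"])
            if distinct >= SWEEP_DISTINCT_HOSTS and ("sweep", ev["src"]) not in alerted:
                alerted.add(("sweep", ev["src"]))
                alerts.append({"rule": "host-sweep", "key": ev["src"],
                               "at": ev["ts"], "count": distinct})
        elif ev["action"] == "login-fail":
            # brute-force rule: repeated failures against one account on one host
            key = f'{ev["dst"]}/{ev["user"]}'
            total, _ = brute.add(key, ev["ts"], ev["src"])
            if total >= BRUTE_FAILURES and ("brute", key) not in alerted:
                alerted.add(("brute", key))
                alerts.append({"rule": "brute-force", "key": key,
                               "at": ev["ts"], "count": total})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    On the constructed log this raises exactly two alerts, one for the
    sweeping source at its eighth distinct target and one for the
    `webmaster` account at its fifth failure, while the monitoring host and
    the single mistyped password stay quiet. The windows are deques so each
    event is expired once, which keeps the cost linear in the number of log
    lines; a real deployment would add a per-source failure count as well,
    since a cracker that rotates accounts slips past a per-account rule.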
    
    Several hours and countless cups of coffee later, I'm in. I am now in
    a position to deface the company's website. But that would be small
    beer compared with my mission objective. I'm going for the jugular.
    
    I am now officially trespassing. I run a search to see which other
    computers this server is connected to. My luck seems to be drying up.  
    This server seems to link to just about every other server the company
    has except the one I want. Clearly the people who set up the network
    are not as dumb as I'd hoped. But one of the computers it links to
    does look promising: a Sun machine running a database that might well
    be used to keep records of the company's e-commerce transactions. If
    that's what it is, it will be connected to every other machine in the
    company. By querying the database I see that it is indeed connected to
    my target computer. I can now access this legitimately because I'm
    coming at it from the inside. It tells me there is yet another
    computer behind it and this holds the sysadmin file. That's it, I am in
    control. Now, to delete all the files...
     
    
    
    Date & Time Tuesday, 1200 hours
    
    Having successfully cracked the network, I was in the mood for
    whooping and high-fiving with my co-conspirators. Sadly, it was not to
    be. By the time I had completed my mission, there were only four of us
    left in the room: myself and the three designers of the network who had
    kindly agreed to show me, step-by-step, how to achieve what the other
    65 programmers had figured out hours ago. America has nothing to fear
    from me.
    
    message ends
     
     
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    