http://www.newscientist.com/hottopics/tech/article.jsp?id=24024800
By Duncan Graham-Rowe
New Scientist Magazine, 05 July 03

I'M SITTING in a swanky conference room in Washington DC, surrounded by 65 computer experts from several businesses, and just about every US government agency and branch of the military. Normally their job is to defend the computer networks of such weighty establishments as the Department of Defense, the FBI, the National Security Agency, Air Force Intelligence, the Marine Corps and several large corporations. But everyone has switched allegiance. Today, we're the bad guys. We have enrolled in hacking school. Using only our cunning and some basic software tools downloaded from the internet, we are about to learn about breaking into computer networks.

The reason so many military, security and corporate bodies have sent people along to this event is a growing concern that the US is vulnerable to a full-scale electronic attack. In February, President Bush published a "National Strategy to Secure Cyberspace". It pointed out that, given a malicious intent, potential adversaries now have access to internet-based tools that could seriously harm the nation's infrastructure. We are not talking here about simply defacing a website or putting it out of action for a few hours. With networked computers running the phone lines, air traffic systems, water supply, dams, power stations, financial markets and services, food distribution, communications, healthcare and emergency services, a return to the Stone Age could be just a few hacks away. "Waiting to learn of an imminent attack before addressing important critical infrastructure vulnerabilities is a risky and unacceptable strategy," the report says. "Cyber attacks can burst onto the Nation's networks with little or no warning and spread so fast that many victims never have a chance to hear the alarms."
"It's not a matter of if, it's a matter of when," says Winn Schwartau, head of the Florida-based security consultancy Interpact, and joint organiser of this event. And so my co-conspirators, reasoning that it makes sense to err on the side of caution, have turned out here to learn the art of hacking: getting to know how their enemies might work, and so making themselves better able to work out strategies to foil them.

The plush surroundings aside, the technical set-up we have in front of us is highly realistic, says Tim Rosenberg of White Wolf consultants, co-organiser of this cyber-war game. It includes a miniature version of the internet, with a bogus company network on one end and ourselves on the other. "The only unrealistic thing is that we know that you're coming," Rosenberg says.

Of course, Schwartau and security consultants like him could be (and have been) accused of hyping the problem; there are books to be sold, courses to be run and lucrative cyber-defence contracts to gain. Much of the concern about cyber-terrorism seems to be fired by anecdotes about hacks or attempted hacks, or even just hackers sniffing around the power companies; it's hard to find any concrete evidence that a cyber-attack is imminent.

But even if there is a plausible threat, couldn't we ensure that all critical networks are kept securely cut off from the rest of the world? Unfortunately, the answer is no. Many companies, including the utilities, rely on their interconnectedness to trade. Even the air traffic control system is not entirely disconnected. According to Daniel Mehan, the US Federal Aviation Administration's assistant administrator for information services, it is no longer practical to completely separate air traffic management networks from the rest of the world; it would simply be too expensive to set up. "It's very, very hard to get at the air traffic system," says Mehan. "But you will never develop a system that can't have any intrusion ever."
One source of vulnerability comes from a class of programs called SCADAs, which stands for supervisory control and data acquisition systems. It is programs of this type that allow electricity, gas and water supply networks to be managed from a central control point. "It used to be the case that we'd open floodgates by turning a wheel," says Howard Schmidt, vice-chair of the Critical Infrastructure Protection Board, set up by President Bush in October 2001. "Today it's done through a keyboard, often through a remote system."

SCADAs used to be home-grown, purpose-built systems, closed off from the rest of the world. But now, as companies come under increasing pressure to maximise profits, hardly anyone can afford to use custom-built software any more. "The Chinese use the same SCADA vendors as they use here in America," says Bill Flynt, formerly the director of homeland infrastructure security threats office for the US Army, and now at TRC Solutions, a security company based in Kansas City, Missouri. That has left us with generic SCADAs, gateways to the companies, operating on publicly accessible networks. These days, one cyber-attack fits all.

It is now 5 years since the Clinton administration started paying attention to the claims that the US was vulnerable to a cyber-attack. The first response was to issue a directive called the Presidential Decision Directive 63, Protecting America's Critical Infrastructures, which called for national centres to be established to warn of computer attacks and respond to them. The trouble is that no one seemed to want to get involved. Clinton's solution was to try to enlist the help of the private sector by setting up information-sharing networks. It also encouraged companies to invest more seriously in IT security, something they had previously been unwilling to do. The idea was that a central organisation run by the FBI would be used by companies to share information about any threats, weaknesses, viruses or oddities they spotted.
Unfortunately many companies didn't reckon there was much in it for them. The FBI appeared willing to receive information but was less forthcoming when it came to handing it out. For many companies, the idea that they and their competitors might share sensitive information with the same third party went wholly against the grain. With no satisfactory way to deal with it, cyber-security problems remained just one of the costs of doing business and certainly not something to let the shareholders know about. "Less than 10 per cent of cyber-crimes get investigated because CEOs are reluctant to get the police involved," says Harris Miller, president of the Information Technology Association of America.

Does it really only take a few point-and-clicks to bring down a superpower? No. At the very least, such a task would require an enormous number of highly trained, highly motivated terrorists working in a closely coordinated and meticulously planned attack. And even given this scenario, some consultants, such as James Lewis of the Center for Strategic & International Studies, an independent public policy research institute, say that the threats have been wildly overstated. Lewis's assessment of cyber-terrorism, published last December, concludes that "the Internet is a new thing, and new things can appear more frightening than they really are." Power companies are used to dealing with sudden problems such as fallen power lines or computer malfunctions, he points out. Temporary failures are almost routine, yet most of the time people on the outside know nothing of any difficulties. While 70 per cent of US power companies had suffered cyber-attacks in the first six months of 2002, none of the attacks had caused a power failure. The idea that a cyber-attack could cripple the entire nation doesn't hold up, Lewis says.
Whatever the truth about the credibility of the threat, many companies are preparing themselves to deal with such an attack, Schwartau says: try one and you might be in for a surprise. Although using electronic countermeasures is illegal, many companies have apparently put programs in place that respond to an attack by disabling the attacking computers. Have they thought this through? If there's one thing I've learned in hacking school, it's that hackers take over other people's machines and hide behind them. If cyber-war does break out, who knows what damage an electronic counter-attack could do to the very critical infrastructure it is trying to protect? Friendly fire and collateral damage may be about to go digital.

Date & Time: Monday, 0800 hours

We've barely slept for days. But our reconnaissance is now complete; finally, we can begin. My personal objective is simple: break into an electrical power company, bring down as much of the electricity grid as I can, and plunge a large part of the US into darkness. While I do this, my accomplices will attack the rest of the grid and other parts of the country's critical infrastructure: the banks, the transport systems, utilities, communications, food supply, and so on. Our aim: total disruption.

Date & Time: Monday, 1400 hours

If I'm to do any serious damage I need to become god of the computer network I'm attacking. If I can pose as the network's administrator I can then do pretty much what I want to any computer on the network: change passwords, delete files, even bring the entire network down. All I need to do is get my hands on the file called sysadmin, the system administrator's access file. But to do this, I need to get inside the company's machines. Any computer connected to the internet needs an Internet Protocol (IP) address to identify itself, and my reconnaissance has already told me which IP addresses have been allocated to the company I'm targeting. That's not hard, as IP addresses are publicly available.
Some of these computers function as website or email servers and will talk to anyone. Machines intended solely for company use will be more picky, and the sysadmin file is almost certainly going to be behind one of these computers. To find the hidden computers, I use one of the many programs that were originally developed for system administrators to use across a network but have since become one of the mainstays of every hacker's arsenal. These programs can usually be freely downloaded from the net. The one I'm using scans a list of IP addresses like a roll-call, shouting out IP addresses to see who's out there. Any machine that fails to respond must be a protected system that is deliberately trying to remain invisible. Sure enough, one IP address on my target system fails to respond. Another scanning program tells me what kinds of task the machines are being used for. One operates the file transfer protocol (FTP), another is an email server and another is a Microsoft Internet server and probably hosts the company's website. This, I decide, is going to be my back door into the network.

Date & Time: Monday, 2100 hours

Once inside the company network, I need to find out how other company computers address the computer where sysadmin resides. A sure-fire way to find out is to take over a router somewhere on the internet between me and the company's network. Routers are vital parts of the internet that direct data traffic around the net. The machine that wouldn't respond when I sent out its IP still has to use the internet somehow, so the router will be aware of it and it will respond to calls from the router. Fortunately for an attacker like me, routers are designed to be accessed remotely, so that engineers can maintain large numbers of them from a single location. Using a program downloaded from the Internet I find the router I'm looking for. I try accessing it by pretending to be a network engineer.
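The "roll-call" scan described above is exactly what a defender can spot from the perimeter: a single source walking through many addresses in a short time, including the ones that never answer. The following detector is an added example, not code from the article or the war game; the firewall log format and the sample lines are constructed for illustration.

```python
# Ping-sweep ("roll-call") detection over firewall log lines. Added example,
# not code from the article; the log format below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
                     r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")

def parse_line(line):
    """Return (timestamp, src, dst) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"]

def find_sweeps(lines, window=timedelta(seconds=60), min_hosts=8):
    """Return {src: n} for sources that probed at least min_hosts distinct
    destinations within any single window. Probes to hosts that never
    answer still appear here, because the firewall logs them."""
    events = defaultdict(list)                 # src -> [(ts, dst), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst = parsed
            events[src].append((ts, dst))
    sweeps = {}
    for src, probes in events.items():
        probes.sort()
        best, start = 0, 0
        for end in range(len(probes)):
            # slide the window start forward until it spans <= window
            while probes[end][0] - probes[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in probes[start:end + 1]}))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps

# Constructed sample: one source walks ten consecutive addresses in under
# a minute (all dropped), a second source only talks to the web server.
SAMPLE_LOG = [
    f"2003-07-07T08:00:{i:02d} DENY ICMP src=203.0.113.5 dst=192.0.2.{10 + i}"
    for i in range(10)
] + [
    "2003-07-07T08:00:30 ALLOW TCP src=198.51.100.7 dst=192.0.2.80",
    "2003-07-07T08:00:45 ALLOW TCP src=198.51.100.7 dst=192.0.2.80",
]
```

On the sample, `find_sweeps(SAMPLE_LOG)` flags only 203.0.113.5; the threshold and window should be tuned to the size of the address space being watched.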
If I'm lucky the username and passwords I need to do this will still be set to their default settings. Far too often this is the case. After trying a few obvious ones, "password" and "1234", I get lucky. In fact the password turned out to be the moniker of the router. Now I am in a position to do some damage. Taking control of the router, as I have done, is like taking control of the points at a railway junction. Instead of misdirecting trains, I would be controlling data. I could, if I wanted to, stop any internet traffic entering or leaving this company. This kind of attack, called "denial of service", is estimated to cost the US economy alone millions of dollars a year. I'm not tempted by this option, however; I'm intent on getting inside the company's network. Now I can simply ask the router which computers it can "see". And because this request is coming from a router, it doesn't trigger any of the systems that are supposed to detect intruders. Sure enough, I see the IP address of the computer I'm after and the router gives the name it is known by on the network I'm attacking. I am ready for the assault.

Date & Time: Tuesday, 0900 hours

I am about to attack the web server. I dig out the name of the webmaster; I found it listed on the website, along with his email address. The first part of the address is most likely his login to the system, but I still need a password. After a few failed guesses I decide to go for a good old-fashioned brute-force approach: it's time to roll out the password cracker, a program that will attempt millions of possible passwords for you, starting with the obvious ones. Several hours and countless cups of coffee later, I'm in. I am now in a position to deface the company's website. But that would be small beer compared with my mission objective. I'm going for the jugular. I am now officially trespassing. I run a search to see which other computers this server is connected to. My luck seems to be drying up.
This server seems to link to just about every other server the company has except the one I want. Clearly the people who set up the network are not as dumb as I'd hoped. But one of the computers it links to does look promising: a Sun machine running a database that might well be used to keep records of the company's e-commerce transactions. If that's what it is, it will be connected to every other machine in the company. By querying the database I see that it is indeed connected to my target computer. I can now access this legitimately because I'm coming at it from the inside. It tells me there is yet another computer behind it and this holds the sysadmin file. That's it: I am in control. Now, to delete all the files...

Date & Time: Tuesday, 1200 hours

Having successfully cracked the network, I was in the mood for whooping and high-fiving with my co-conspirators. Sadly, it was not to be. By the time I had completed my mission, there were only four of us left in the room: myself and the three designers of the network who had kindly agreed to show me, step-by-step, how to achieve what the other 65 programmers had figured out hours ago. America has nothing to fear from me.
This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 03:31:25 PDT