Forwarded from: William Knowles <wk@private> http://www.gcn.com/vol1_no1/daily-updates/36688-1.html By Patience Wait GCN Staff 08/17/05 HUNTSVILLE, Ala.- A professor from Auburn University has made the case that the United States may face a war in the future in which not a single shot is fired, but yet America loses. There could be "pre-emptive achievement of military objectives strictly by information warfare techniques," said John "Drew" Hamilton, associate professor of engineering and director of the Information Assurance Laboratory at the university. Hamilton projected that such a conflict could take place by 2015 - the time it would take to infiltrate computer development programs and insert malware into operating systems, applications software, firmware and hardware. Acquisition trends in the military actually facilitate the possibility of such a scenario, Hamilton added. "You don't expect the military to go to Home Depot to buy a [rocket launcher], but we expect them to go to Staples to buy software," he said. Software developers have always written back doors into their code, and even secure, partitioned systems such as the Secret IP Router Network have them. "I learned that when I got e-mail from Joint Forces Command to scan their attachments" for viruses, Hamilton said. The risk in pushing the use of commercial, off-the-shelf software is compounded by private-sector outsourcing, he said. Microsoft Corp., for instance, has outsourced some programming tasks to China and Russia. Hamilton said that Dan Wolf, information assurance director of the National Security Agency, told an academic group in June that "DOD agencies have been outsourcing IT services to [Section] 8a firms that are fronts for foreign intelligence agencies." Nor is the problem limited to the Microsoft environment. Linux, touted by open-source proponents, has its own vulnerabilities. "NSA [National Security Agency] recompiled the kernel so you can't turn off [key] logging, which is good for forensics," figuring out what happened after the fact, Hamilton said. Finally, the military has not made software a "core competency," according to Hamilton. "Some government agencies have contracted for software code they don't own the rights for." Hamilton suggested several steps that could be taken to pre-empt and prepare for this kind of warfare, including reverse-engineering software architecture to find weaknesses, identifying sensitive parameters that can be exploited and looking for undocumented functionality. He also said that the Defense Department should stop funding university research conducted by foreign nationals. Hamilton added that this is not a xenophobic reaction, but a reasonable response to a potential threat. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* _________________________________________ Attend ToorCon Sept 16-18th, 2005 Convention Center San Diego, California www.toorcon.org
This archive was generated by hypermail 2.1.3 : Thu Aug 18 2005 - 00:28:19 PDT