[ISN] IT infrastructures could be battlefields of future wars

From: InfoSec News (isn@private)
Date: Thu Aug 18 2005 - 00:08:00 PDT


Forwarded from: William Knowles <wk@private>

http://www.gcn.com/vol1_no1/daily-updates/36688-1.html

By Patience Wait 
GCN Staff
08/17/05 

HUNTSVILLE, Ala.- A professor from Auburn University has made the case 
that the United States may face a war in the future in which not a 
single shot is fired, but yet America loses. 

There could be "pre-emptive achievement of military objectives 
strictly by information warfare techniques," said John "Drew" 
Hamilton, associate professor of engineering and director of the 
Information Assurance Laboratory at the university. 

Hamilton projected that such a conflict could take place by 2015 - the 
time it would take to infiltrate computer development programs and 
insert malware into operating systems, applications software, firmware 
and hardware. 

Acquisition trends in the military actually facilitate the possibility 
of such a scenario, Hamilton added. "You don't expect the military to 
go to Home Depot to buy a [rocket launcher], but we expect them to go 
to Staples to buy software," he said. 

Software developers have always written back doors into their code, 
and even secure, partitioned systems such as the Secret IP Router 
Network have them. 

"I learned that when I got e-mail from Joint Forces Command to scan 
their attachments" for viruses, Hamilton said. 

The risk in pushing the use of commercial, off-the-shelf software is 
compounded by private-sector outsourcing, he said. Microsoft Corp., 
for instance, has outsourced some programming tasks to China and 
Russia. 

Hamilton said that Dan Wolf, information assurance director of the 
National Security Agency, told an academic group in June that "DOD 
agencies have been outsourcing IT services to [Section] 8a firms that 
are fronts for foreign intelligence agencies." 

Nor is the problem limited to the Microsoft environment. Linux, touted 
by open-source proponents, has its own vulnerabilities. "NSA [National 
Security Agency] recompiled the kernel so you can't turn off [key] 
logging, which is good for forensics," figuring out what happened 
after the fact, Hamilton said. 

Finally, the military has not made software a "core competency," 
according to Hamilton. "Some government agencies have contracted for 
software code they don't own the rights for." 

Hamilton suggested several steps that could be taken to pre-empt and 
prepare for this kind of warfare, including reverse-engineering 
software architecture to find weaknesses, identifying sensitive 
parameters that can be exploited and looking for undocumented 
functionality. 

He also said that the Defense Department should stop funding 
university research conducted by foreign nationals. Hamilton added 
that this is not a xenophobic reaction, but a reasonable response to a 
potential threat.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



_________________________________________
Attend ToorCon 
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org 



This archive was generated by hypermail 2.1.3 : Thu Aug 18 2005 - 00:28:19 PDT