[ISN] Lights out

From: InfoSec News (isn@private)
Date: Tue Jun 13 2006 - 05:06:32 PDT


http://www.fcw.com/article94825-06-12-06-Print

By Brian Robinson
June 12, 2006 

Most federal agencies and an increasing number of state and local
offices have made significant investments in communications services
that run over government-owned or commercial fiber-optic networks.  
Fiber can carry much more data than traditional copper lines and at
lower costs.

Besides government operations, a growing part of the country's economy
depends on the Internet and its fiber-based backbone - everything from
online shopping and entertainment to banking and health care.

But given its vital importance as a communications medium and general
concerns about terrorist threats to the country's economic and
critical infrastructure, just how secure are the country's fiber
networks?

Experts say fiber, like any network technology, is indeed vulnerable
to a determined eavesdropper with the know-how and right equipment.  
That means agencies should safeguard sensitive data.

From a broader, more systemic perspective, however, the country's
fiber-optic infrastructure is more redundant and thus more resilient
than it was a few years ago, reducing the chances that an attacker
could cripple large segments of it, experts say. But localized
problems stemming from physical damage to the infrastructure -
intentional or not - still have the potential to affect its
availability.


Not a priority

For an increasingly technology-dependent country, the security of
fiber-optic networks is apparently low on the list of concerns for
those whose job it is to worry about such threats.

For example, in its recently published "Federal Plan for Cyber
Security and Information Assurance," the National Science and
Technology Council identified the Internet's Domain Name System,
network routing protocols and a host of other process control systems
as most in need of security research and development. The report did not
address fiber networks and other infrastructure issues.

Meanwhile, the U.S. Cyber Consequences Unit (US-CCU), an independent
research group that advises the Homeland Security Department, did not
include the fiber infrastructure in a recent draft of a cybersecurity
issues checklist it gave to DHS.

That checklist identified measures at the enterprise or organizational
level, said Scott Borg, director of the US-CCU. The unit will probably
investigate fiber infrastructure security issues later, he said.

With technology budgets tighter than ever, organizations may decide
that fiber security is just not that pressing compared with other
cybersecurity issues, said Bernard Skoch, executive vice president of
Suss Consulting and a former principal director for network services
at the Defense Information Systems Agency.

"People in government are in a classic fight over funding and have to
prioritize their needs," Skoch said. "In some ways, it takes a greater
level of sophistication to say why something is not needed, and right
now, I think there are a lot of people who have concluded that the
fiber infrastructure mesh is well-enough protected."


Hacking fiber

Some experts say the notion that fiber networks are sufficiently
secure may not be a well-informed conclusion. Tapping fiber without
detection is difficult but certainly not impossible, they say.

One of the classic assumptions about such networks is that they are
inherently more secure than copper cable. A signal traveling over
copper tends to leak outside the cable, so anyone with a sensitive
scanner could pick up those signals and access the data.

Because fiber uses various wavelengths of light rather than electrons
to carry data, it does not routinely suffer from similar leakage.  
Stealing data in transit - between the two ends of the fiber - means
someone has to physically break a fiber strand to tap it or somehow
bend the fiber enough to induce light to exit the fiber. That is not
an easy task, some experts say.

Physically tapping into fiber means you will interrupt the data
stream, which will alert a network operator, said Frank Dzubeck,
president of Communications Network Architects, a network integrator.

"To detect the light passively, you have to first strip away all of
the shielding around the fiber and then put something in place to
catch the light bouncing off the glass of the fiber strand," he said.  
"And then you have to determine what the data is that you are
capturing. This is all involved specialty equipment. It's not
something you can purchase on the open market."

But Seth Page, chief executive officer of New York-based Oyster
Optics, which makes intrusion-detection equipment, said he believes
that the fiber infrastructure is vulnerable to hackers who can tap
fiber with common maintenance tools that are available worldwide.

"This same equipment with modifications can be used to capture 100
percent of the voice, video and data going across the network," Page
said. "All you need to do is get access to the fiber loop serving a
particular building."

Hackers don't even need to get all of the data traveling on the fiber,
he said. The packet headers reveal information about phone numbers, IP
addresses and the fiber service provider. Even if an organization
encrypts data and a hacker does not have the means to decrypt it, the
packet headers would not be encrypted, he said. The hacker could save
the rest of the data and attempt to decrypt it later.

The equipment that can capture light from the fiber can also easily
inject light into it, Page said. That would allow a hacker to modify
or jumble the data going through the fiber, corrupting it or causing a
denial-of-service attack on the network.

Perhaps the biggest danger to fiber networks is the so-called backhoe
effect, a decidedly low-tech danger.

It happens when contractors or private landowners dig into the ground
and inadvertently break fiber cables that telecommunications companies
have laid. As recently as 2004, telecom facilities were still among
the most likely to be affected by excavation work. The Common Ground
Alliance, an industry organization aimed at limiting damage caused by
such events, said telecom operations made up 27.5 percent of the
reports it received about such accidents.

"It's still probably the most significant threat," said M.E. "Mich"  
Kabay, associate professor of information assurance at Norwich
University in Vermont.


Nerve-wracking map

Fiber's vulnerability to errant digging underscores the notion that
deliberate tampering poses a real risk, Kabay said.

"The telcos are so concerned about making sure people don't dig where
their fiber-optic cables are," he said. "But on the other hand, if you
were a terrorist, where would you then go to bring down all of the
northeast corridor communications?"

The potential chaos that such sabotage could cause was highlighted in
2003 when a doctoral thesis written by George Mason University
graduate student Sean Gorman sparked widespread consternation in
industry and government.

Gorman used public sources to compile a map of all the major business
and industrial sectors in the country and overlay a representation of
the fiber infrastructure that connected them. With a single mouse
click, anyone could see the location of communications choke points
for vital sectors of the U.S. economy.

The infrastructure's resiliency has improved in recent years, however,
through an effort to re-engineer it into a hierarchical structure of
fiber rings that mesh together, Dzubeck said. "Nothing is centralized
in one spot anymore, so if you want to take out one of these [rings],
you'd have to take out many, many sections at once," he said. "There
are multiple paths communications can take through these rings, and if
you do cut a cable, you are only cutting one small section."

All of the fiber in place in the United States now is redundant
because of this new configuration, said Ron Martin, vice president of
service provider development for optical networking at Cisco Systems.

"Every fiber now has an alternate path through which the data can be
sent," Martin said. "If there is a fiber breakage or an equipment
failure, the communication reroutes itself, causing maybe hundreds of
milliseconds of disruption at most."

IP design also enables this dynamic rerouting. IP breaks data streams
into various packets that a network can route via different paths and
then reassemble at the final destination.

"We've not figured out a way to stop people [from] digging up our
fiber with backhoes, so the key is having some way to allow customers
to recover from those events," said Steven Parrott, a product
development manager at Sprint. "With IP, if you lose a particular
fiber path, it's very simple just to reroute the data."

The bottom line for users is that there is minimal, if any, disruption
in their communications, Parrott said.

Despite continuing instances of fiber breakages, the Alliance for
Telecommunications Industry Solutions reported that facility outages
were at a record low in 2004, and it was one of the best years for
network reliability.

Nobody fixes leaks in a roof unless it's raining, said John Pescatore,
vice president and research fellow at Gartner Research, who previously
worked at the National Security Agency and the U.S. Secret Service.

Without a smoking gun to indicate a threat or attack, most officials
do not worry about fiber's security, Pescatore said. "People don't
care."

[...]


