Document created: 21 OCTOBER 1999
Cyberterrorism hype
With the 1990s
propensity to dot.com everything that moves, 'hacking' and 'cyberterrorism'
have become subjects of intense media coverage. Almost daily, hitherto
unknown security specialists warn of potential catastrophes: news
that gets picked up by the media and crosses the globe with impunity.
Johan J Ingles-le Nobel discussed the subject
with programmers at Slashdot to profile so-called cyberterrorists
and examine the viability of cyberwarfare.
Cyberterrorism is
a buzzword of 1999. Indeed, with the remarkable growth of the Internet,
hacking horror stories have reached new heights of publicity, leading
to a veritable media frenzy. Yet careful examination of the issue
reveals much of the threat to be unsubstantiated rumour and media
exaggeration. The exaggeration is understandable, however - these
technologies underpin our entire society, and what paper can resist
printing a scoop revealing that banks are being blackmailed with
threats of attacks on their computers, or that a military satellite
has been hijacked by hackers? The idea that an anonymous teenager
working alone from his bedroom can wreak electronic havoc on the
far side of the world makes for good press.
What is a hacker?
Nothing gets a hacker's
back up quicker than someone confusing a hacker with cracker. The
term 'hacker' refers to an individual who programmes enthusiastically
(even obsessively), enjoys programming or is especially good at
programming; a 'cracker' is somebody who breaks into another's computer
systems or digs into their code (to make a copy-protected programme
run). Yet the boundaries have become somewhat blurred and the popular
understanding of these terms is quite wrong: ever since Hollywood
produced 'Wargames', based on Kevin Mitnick's cracking activities
(known as 'exploits'), the term 'hacking' has become synonymous
with unauthorised access into restricted systems - which is 'cracking'.
In today's world, such activity also includes the deliberate defacement
of websites. Hackers are quick to point out that there is a code
of hacker ethics that precludes any profit from the activity - the
only motive is the activity itself - but they are not naïve:
realising the potential for misuse, they divide themselves into
'white-hat' hackers (ethical hackers) and 'black-hat' hackers (crackers).
According to hackers,
99% of cracking incidents can be blamed on so-called 'script-kiddies'.
These are usually young people who manage to acquire some 'cracking
tools' somewhere on the Internet and are keen to try them. They choose
a 'cool' target (such as NASA, the Pentagon or the White House)
and launch the tools. Older, more established
hackers see them
as upstarts. Think of a kid walking down a corridor testing doorknobs;
whilst they are more than capable of defacing websites such as that
of the Central Intelligence Agency (CIA), their actions are seen
as the equivalent of putting down a whoopie cushion on the chair
of the UN Secretary General - juvenile, noisy and somewhat embarrassing,
but ultimately without real effect. Says Mick Morgan, webmaster
to the UK's Queen Elizabeth: "I have nightmares about waking up
to find graffiti (which is all it is) on one of my customer's sites."
However, even minor
exploits illustrate one of the many paradoxes facing computer security.
Specific websites, intended for the computer systems administrators
and webmaster audiences, monitor the security vulnerabilities (bugs)
in software that allow exploits to take place. The purpose of these
websites is to distribute the corrective programming 'patches' that
rectify the bugs. However, such sites are open to the public and
are therefore the ideal place for crackers to discover new cracks.
The result of this is that the vast majority of methods used by
crackers to break into sites are known and there are patches available.
This means that many believe the responsibility for security breaches
lies not with the software supplier but with the company that owns
and operates the system. Thus, if a company suffers a security breach,
that highlights its own negligence or incompetence, which, along
with the bad publicity associated with intrusions, makes it unsurprising
that many companies are reluctant to publicise security breaches
of their systems. This is especially true of the financial sector:
there have been rumours for several years that banks have been blackmailed
by hackers; confirmation has never been forthcoming.
Cracker profile
Global estimates
vary, but a JIR extrapolation based on mid-1990 estimates by Bruce
Sterling, author of The Hacker Crackdown: Law and Disorder on the
Electronic Frontier, puts the total number of hackers at about 100,000,
of which 10,000 are dedicated and obsessed computer enthusiasts.
A group of 250-1,000 are in the so-called hacker 'élite',
skilled enough to penetrate corporate systems and to unnerve corporate
security. Given the huge number of people working as programmers
for the online economy (the technical side of which requires much
the same skills as those required by a hacker), the totals are sure
to rise. According to the Center for Research on Electronic Commerce
at the University of Texas, in 1998 the Internet economy was worth
US$301.4 billion, providing 1.2 million jobs in the USA alone.
The minimum skill-set
needed to be a 'script-kiddy' is simply the ability to read English
and follow directions. Indeed, much can be gleaned from books or
documents and mailing lists online such as 'L0pht' bulletins and
'Phrack', whilst exploits can be learned from websites such as 'bugtraq',
'rootshell' or 'packetstorm'. In fact, virus-writing and exploit
code is common, and some is even automated.
However, to launch
a sophisticated attack against a hardened target requires three
to four years of practice in C, C++, Perl and Java (computer languages),
general UNIX and NT systems administration (types of computer platform),
LAN/WAN theory, remote access and common security protocols (network
skills) and a lot of free time. On top of these technical nuts and
bolts, there are certain skills that must be acquired within the
cracker community.
Tools of the trade
The cracker skillset
is more common in highly educated individuals taught in the USA
and Western Europe, although anyone with enough intelligence and
time can pick it up without formal schooling. In fact, the skills
are not at all rare or unusual, being the same as those required
for an average, small or medium-sized company network system administrator:
a position which commands among the lowest pay in the computer industry.
The chances are that there is a university drop-out in your town
with all of these prerequisites. That said, a list of qualifications
does not fully explain their make-up, as the skillset is more to
do with lifestyle than specific capabilities. Some people collect
baseball cards; others analyse [computer network] protocols.
Attacks happen in
various guises, from the simple and automated to the highly disguised
and sophisticated. Crackers also write their own tools, which are
disseminated in the underground. Certain system diagnostic tools
and other cracker script tools can significantly automate the process
of cracking less secure systems. At the low end of the sophistication
scale there are activism websites, such as 'Floodnet', which hold
web-page functionality that automates the process of reloading another
website's pages in an attempt to make the system 'overheat' so that
it ceases to work. This is a form of the most common exploit, Denial
of Service (DoS), which comes in many forms. It is most common due
to webmasters and web server administrators creating poorly written
Common Gateway Interface (CGI) scripts (website programming). Exploiting
the poorly written code is no great feat. In the words of one hacker:
"Any punk kid could do this to any organisation without any trouble
whatsoever."
Computer specialists
suggest that, while annoying, such unsophisticated DoS attacks have
a hidden danger: they could mask the use of specialist software
custom-written by an élite cracker amid the noise of the
barrage of multiple automated attacks. Other tools exist that are
designed by the hacker community, such as BO2000, which was specifically
created to embarrass Microsoft's Windows NT security. In fact, the
size of the black market in software (computer programmes) is enormous.
Not only can exploit tools be procured in this manner, but they
can easily be found online.
Social engineering
Social engineering
is a term describing the process whereby crackers engineer a social
situation that allows any potential cracker to obtain access to
an otherwise closed network. This access could either be permanent
(infiltrating an insider into the organisation who enables outside
access), or temporary. Indeed, the scenario has a stunning simplicity
about it: "Hi, I'm Cheryl. I'm new in IT support. I'm having trouble
with the modem bank. Can you check the modem to make sure it's turned
on? Also, can I have the number to make sure I'm using the right
one?" Of course, being a diligent and helpful worker, the recipient
of such a call is only too happy to help.
Most previous instances
of information technology (IT) security violations have been attributable
to 'inside jobs', which is why there has been significant controversy
recently about US concerns hiring foreign programmers to rectify
Y2K issues.
Having gained access,
a cracker can either install code directly into the systems on the
spot or add a transmitter device. To illustrate a scenario, after
gaining access to a facility as cleaning staff, the perpetrator
could put a small computer, itself connected to the main network,
into the base of a lamp with an infra-red port (network connection)
aimed out the window of an office or linked to a mobile phone. This
gives an active presence on the target network and, more importantly,
remote access to the device from anywhere within line of sight.
In commercial environments, the security teams that search for bugs
(bugs in the classical sense - 'listening devices') with receivers
do not generally do infra-red profiles of a building; such a device
will not transmit unless active, so sweeping for it is more difficult
than trying to detect a bug that is monitoring audio.
Cellular modems also
work, but are potentially detectable by radio-frequency sweeps.
However, for corporate espionage it is an easy matter to pre-position
several such systems and then take advantage of security vulnerabilities
to gain permanent entry to the system. The phone company makes entry
easy if the location is near a residential area as a receiving mobile
phone just needs to be plugged into the network interface (telephone
connection) of any house. Such attacks are not new, but the scale
of machines necessary to realise them is down to 4in²
of PC board for an amateur willing to spend a little time shopping
in the back of a technology magazine. "For less than US$1,000 you
could build such systems and disguise them as appliances like lamps,"
said Paul Roberts, a US-based information security (INFOSEC) specialist.
Espionage on other
computers by remotely monitoring the electro-magnetic (EM) signals
they emit whilst in use is possible today, albeit expensive. Figures
of $35,000 are quoted as estimates for a remote monitoring station
in a van, for example, although the cost is coming down. "EM snooping
technology might very well come into the reach of the advanced information
security hobbyist or the determined criminal in the next five to
10 years," said Markus G Kuhn from the Computer Laboratory at Cambridge
University in the UK.
Cracking: methods
Exploits come mainly
in three species: DoS; destruction of information (erasing); and
corruption of information (spoofing).
As indicated previously,
DoS attacks take the form of overloading the processes of the computer
hosting the website (the server), which then shuts itself down.
Recently, a new form of such attacks has become prevalent - the
'distributed co-ordinated attack' - in which thousands of servers
are used in unison. "It's possible to detect the attack, but it
is very hard to block it using current software," said Thomas Longstaff,
senior technical researcher for the Software Institute at Carnegie
Mellon University. However, a co-ordinated attack to bring down
a government's or a corporation's computer systems cannot be maintained
long enough to be little more than a nuisance. Yet while only annoying
at the moment, as interconnectivity increases and the importance
of the online economy becomes manifest, such exploits will have
serious financial implications. That said, recovery from such an
attack tends to be fast.
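Longstaff's remark that a distributed attack can be detected even when it cannot be blocked rests on a simple observation: flood traffic is visible in the server's own logs as a jump in request volume, and the spread of that volume across source addresses tells the single-source flood (blockable at the firewall) from the distributed one. The following is an added example, not code from the article or from anyone quoted in it; the log lines, the 60-second window and the thresholds are all constructed assumptions that a site would replace with its own baseline.

```python
# Added example, not from the article: flag flood-level request volumes in a
# web-server access log and distinguish a single-source flood from a
# distributed one. The log lines are constructed for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format with Apache's default timestamp layout.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, request, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request


def request_rates(lines, window_seconds=60):
    """Bucket requests into fixed windows: {window_start_epoch: Counter(ip -> hits)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ip, ts, _request = parsed
        window = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[window][ip] += 1
    return buckets


def classify_windows(buckets, total_threshold, per_ip_threshold):
    """Label each window 'normal', 'single-source flood from <ip>' or
    'distributed flood from <n> sources'. Thresholds are assumed values that
    a site would tune from its own normal traffic."""
    verdicts = []
    for window, counts in sorted(buckets.items()):
        total = sum(counts.values())
        if total < total_threshold:
            verdicts.append((window, "normal"))
            continue
        top_ip, top_hits = counts.most_common(1)[0]
        if top_hits >= per_ip_threshold:
            # one address dominates: this can be blocked at the perimeter
            verdicts.append((window, f"single-source flood from {top_ip}"))
        else:
            # volume spread thinly over many addresses: detectable, hard to block
            verdicts.append((window, f"distributed flood from {len(counts)} sources"))
    return verdicts


def analyse(lines, total_threshold=30, per_ip_threshold=25):
    return classify_windows(request_rates(lines), total_threshold, per_ip_threshold)


def build_sample_log():
    """Constructed log: a quiet minute, a 50-hit flood from one address, then
    60 hits spread over 60 distinct addresses (documentation IP ranges)."""
    def line(ip, minute, second):
        return (f"{ip} - - [10/Oct/1999:10:{minute:02d}:{second:02d} +0000] "
                f'"GET /cgi-bin/search.cgi HTTP/1.0" 200 512')
    lines = [line(f"198.51.100.{i}", 0, i) for i in range(1, 6)]
    lines += [line("203.0.113.7", 1, s) for s in range(50)]
    lines += [line(f"192.0.2.{i}", 2, i % 60) for i in range(1, 61)]
    return lines


if __name__ == "__main__":
    for window, verdict in analyse(build_sample_log()):
        stamp = datetime.fromtimestamp(window, tz=timezone.utc).strftime("%H:%M")
        print(stamp, verdict)
```

The third window is the instructive one: its total is no higher than the single-source flood, but no one address crosses the per-address threshold, so a per-IP block list would do nothing against it. That is the gap between detecting and blocking that the article describes.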
Erasing is considered
very difficult to conduct because any system worth attacking is
also worth backing up. UK and US interbank transactions are backed
up daily with multiple remote tapes, so any cracker wanting to destroy
the interbank market will cause the loss of at most one day's transactions.
However, this is not without consequence: consumer confidence in
the banking system might drop to unprecedented levels were exploits
to be publicised.
Viruses are a form
of erasure most computer users are familiar with. Indeed, as a teenager
Robert Morris accidentally launched a virus that shut down most
of the Unix-based computers in the USA in the 1980s. Much can be
said for judging the security implications of information technology
by the fact that virus protection is now standard on any company
computer. A good thing too, as 1999's 'Melissa virus' was the first
of a new generation of Microsoft-targeted viruses that are self-replicating
by sending themselves forward in an email entitled 'Important message
from . . .' to the people listed in a person's Outlook Express email
package without their knowledge. The 'Bubbleboy' virus promises
to be worse, as you just have to receive it to be affected. Erasing
attacks can be guarded against through multiple, remote (in both
geography and network topology) back-ups, taken at sufficient frequency
that the maximum possible loss is bearable for the system (the 'safe
frequency'). Any system for which the safe frequency is too low
for the defence to be practical (such as a power grid) tends to be
kept remote from networks, although this is not always the case.
Yet for every solution
there is a problem. The effectiveness of back-ups can be circumvented
by malicious programming that corrupts one random byte in the data;
even though the back-ups look good, the data is bad. There is no
way of telling unless the whole tape is recovered to find the one
or two data files that have changed and examining them 'with a microscope'.
The problems are obvious if someone had 10 weeks of back-ups, each
with different bits of bad data, and all the back-ups were infected.
There would be no way to know which data was good and which was
bad. Indeed, if the cracker knows enough about the system he/she
is attacking, recovery may be impossible.
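The weakness in the 10-weeks-of-bad-tapes scenario is that each backup is judged only by whether it was written successfully, not by whether its contents match what was written before. For data that is never supposed to change once written (closed ledgers, archived records), a content digest recorded with every backup generation localises the corruption to the generation it entered, and says which earlier generation to restore from. The following is an added example, not code from the article; the backup sets are in-memory dictionaries constructed for illustration, and the paths and file contents are invented. The manifests themselves must be kept apart from the backup media, ideally on write-once storage, or the same access that corrupts the data can rewrite the digests.

```python
# Added example, not from the article: per-generation hash manifests for a
# backup set, so that the 'one random byte' corruption the article describes
# is localised to the generation it entered rather than found by reading every
# tape. Backup sets are in-memory dicts constructed for illustration.
import hashlib


def digest(data):
    return hashlib.sha256(data).hexdigest()


def manifest(files):
    """Map each path in one backup generation to the SHA-256 of its contents."""
    return {path: digest(data) for path, data in files.items()}


def locate_corruption(generations, immutable_paths):
    """generations: backup sets, oldest first, each {path: bytes}.
    immutable_paths: paths whose contents must never change once written.
    Returns {path: index of the first generation whose digest differs from the
    digest first recorded for that path}. Only immutable data can be checked
    this way; data that legitimately changes needs application-level
    consistency checks instead."""
    first_seen = {}
    corrupted_at = {}
    for index, generation in enumerate(generations):
        m = manifest(generation)
        for path in immutable_paths:
            if path not in m:
                continue
            if path not in first_seen:
                first_seen[path] = m[path]
            elif m[path] != first_seen[path] and path not in corrupted_at:
                corrupted_at[path] = index
    return corrupted_at


def restore_plan(generations, immutable_paths):
    """For each immutable path, the index of the generation to restore it from:
    the one just before corruption entered, or the newest if never corrupted."""
    corrupted_at = locate_corruption(generations, immutable_paths)
    plan = {}
    for path in immutable_paths:
        present = [i for i, g in enumerate(generations) if path in g]
        if not present:
            continue
        plan[path] = corrupted_at[path] - 1 if path in corrupted_at else present[-1]
    return plan


def flip_bit(data, offset):
    """Corrupt a single byte: the kind of damage the article describes."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


IMMUTABLE = ("ledger/1999-w01.dat", "ledger/1999-w02.dat")


def build_sample_generations():
    """Four constructed weekly backups. The week-01 ledger is corrupted on the
    live system before the third backup, so generations 2 and 3 both carry
    the bad copy and look perfectly healthy on their own."""
    w01 = b"1999-w01 closing balance 10450.00\n"
    w02 = b"1999-w02 closing balance 10982.50\n"
    bad_w01 = flip_bit(w01, 26)  # turns the first '0' of 10450.00 into '1'
    return [
        {"ledger/1999-w01.dat": w01, "working/notes.txt": b"draft 1"},
        {"ledger/1999-w01.dat": w01, "ledger/1999-w02.dat": w02, "working/notes.txt": b"draft 2"},
        {"ledger/1999-w01.dat": bad_w01, "ledger/1999-w02.dat": w02, "working/notes.txt": b"draft 3"},
        {"ledger/1999-w01.dat": bad_w01, "ledger/1999-w02.dat": w02, "working/notes.txt": b"draft 4"},
    ]


if __name__ == "__main__":
    gens = build_sample_generations()
    print("corruption entered at:", locate_corruption(gens, IMMUTABLE))
    print("restore each path from:", restore_plan(gens, IMMUTABLE))
```

Note what the check does not cover: 'working/notes.txt' changes every week by design, so a flipped byte in it is indistinguishable from an edit. That is exactly the class of data for which the article's remedy of double-entry records and cross-source consistency applies.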
Spoofing is much
more difficult to guard against. This kind of attack comes in two
guises: attempts to create phoney records or phoney messages in
a system (such as creating false bank accounts); or attempts to
create phoney instructions to the processing system, causing a failure
of the system. This is as bad as an erasing attack. The easiest
way to defend against non-destructive spoofing is again to use back-ups
and to operate double-entry book-keeping, which traces every record
to its creation and requires consistency between numerous (again,
preferably topologically remote) sources. This multiplies the difficulty
of an attack as the attacker has to break several systems instead
of just one. By appearing to be a user, however, a cracker could
manipulate data or corrupt the hardware by installing a virus, for
example. While this would not be quite like a bomb going off, it
could have much worse long-term repercussions.
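The double-entry defence described above works because a forged record has to be consistent not just within one ledger but across every independently kept copy of it, which is what forces the attacker to break several systems at once. The following is an added example, not code from the article; the three ledger copies, account names and entries are constructed for illustration. It also shows why the double-entry invariant on its own is not enough: a fictitious entry that debits one account and credits another balances perfectly, and is only caught when the copies are compared.

```python
# Added example, not from the article: reconcile a double-entry ledger across
# independently kept copies, so that a spoofed or altered record shows up as
# an inconsistency between sources. Ledger copies are constructed for illustration.
from collections import defaultdict


def trial_balance(entries):
    """Double-entry invariant: each amount leaves one account and enters
    another, so the balances of all accounts sum to zero. A copy that fails
    this has been damaged; passing it proves nothing on its own, since a
    forger can insert a balanced but fictitious entry."""
    balances = defaultdict(int)
    for e in entries:
        balances[e["debit"]] -= e["amount"]
        balances[e["credit"]] += e["amount"]
    return dict(balances)


def reconcile(sources):
    """sources: {source_name: [entry, ...]}, each entry carrying an id and an
    origin (who created it, when), so every record traces to its creation.
    Returns {entry_id: problem} for every entry not identical across all
    sources: present in only some of them, or differing between them."""
    by_source = {name: {e["id"]: e for e in entries} for name, entries in sources.items()}
    all_ids = set().union(*(index.keys() for index in by_source.values()))
    problems = {}
    for eid in sorted(all_ids):
        present = {name: index[eid] for name, index in by_source.items() if eid in index}
        if len(present) < len(sources):
            problems[eid] = "present only in " + ", ".join(sorted(present))
        elif len({tuple(sorted(e.items())) for e in present.values()}) > 1:
            problems[eid] = "fields differ between " + ", ".join(sorted(present))
    return problems


def build_sample_sources():
    """Three constructed copies: the live ledger, a topologically remote mirror
    and an append-only audit log. The live copy has had one amount altered in
    place and one fictitious credit to a new account inserted."""
    def entry(eid, debit, credit, amount, origin):
        return {"id": eid, "debit": debit, "credit": credit, "amount": amount, "origin": origin}
    genuine = [
        entry(1, "cash", "acct-1001", 500, "teller-3@1999-10-04T09:12"),
        entry(2, "acct-1001", "acct-2044", 120, "batch@1999-10-04T18:00"),
        entry(3, "cash", "acct-2044", 75, "teller-1@1999-10-05T10:30"),
    ]
    tampered = [dict(e) for e in genuine]
    tampered[1]["amount"] = 1200  # altered in place
    tampered.append(entry(4, "cash", "acct-9999", 9000, "batch@1999-10-04T18:00"))  # spoofed
    return {"live": tampered, "mirror": list(genuine), "audit-log": list(genuine)}


if __name__ == "__main__":
    sources = build_sample_sources()
    # The tampered copy still balances to zero: the invariant alone is blind to it.
    print("live copy balances:", sum(trial_balance(sources["live"]).values()) == 0)
    for eid, problem in reconcile(sources).items():
        print(f"entry {eid}: {problem}")
```

Each extra independent copy is one more system the attacker has to alter identically, and the audit log's append-only nature means the altered amount in entry 2 can be traced back to the copy where it changed.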
The Internet Auditing Project
Host count: 36,431,374
Vulnerability count: 730,213
Vulnerable host count: 450,000
Destructive spoofing
aimed at the processor rather than its records is a different matter.
Causing the processor to execute phoney instructions could allow
an attacker to erase records, transmit phoney messages and, potentially,
cover his/her tracks well enough to escape consistency checks. This
kind of attack is more difficult than any other - usually the only
way to get another machine to execute rogue instructions is to exploit
'buffer overflows', overloading the temporary data buffer on computers.
Nightmare scenarios
are based on such attacks. "We could wake one morning and find a
city, or a sector of the country, or the whole country having an
electric power problem, a transportation problem or a telecommunication
problem because there was a surprise attack using information warfare,"
claims Richard Clarke, the US National Security Council adviser
who heads counterterrorism efforts. Whilst alarmist, precedents
do exist, as evidenced by Gail Thackeray, recognised as one of the
premier cracker-catchers in the business: "One hacker shut down
a Massachusetts airport, 911 emergency service and the air traffic
control system while playing with the municipal phone network, and
another hacker in Phoenix invaded the computer systems of one of
the public energy utilities, attaining 'root' level privileges on
the system controlling the gates to all the water canals from the
Grand Canyon south." These examples involved individuals rather
than organised groups, and none of them were politically motivated.
Cyberterrorism?
In warfare as well as
in business, IT is the great equaliser. Its low financial barrier
to entry relative to heavy industry allows even the poorest organisations
an IT effectiveness equal (or nearly equal) to large corporations.
The greatest advantage
the covert warfare arms of major nation-states (such as the CIA
or Mossad) have over small terrorist organisations is the financial
wherewithal to develop massive intelligence networks using the best
equipment. IT levels the playing field in this regard.
Because sensitive
military computers are required to be kept as far away from the
Internet as possible, unless there was some major oversight or an
incidence of social engineering, a military system cannot be directly
attacked. However, there is always a weak link in the chain: for
example, an army depends on Vendor A for supplies/equipment, and
Vendor A depends on parts from Vendor B, and so on. Somewhere in
that chain is a vulnerability due to the massive networks, technological
dependence and just-in-time ordering systems. Indeed, although direct
attacks on critical infrastructure are unlikely, if on a network
that has a link into it elsewhere, then one vulnerability is all
it takes. Strikes in one automotive plant have effectively shut
down large car makers. Most US automotive plants are also government
contractors supplying vehicles and replacement parts to the military:
an obvious target for planting viruses during war.
Cyberterrorism is
not only about damaging systems but also about intelligence gathering.
The intense focus on 'shut-down-the-power-grid' scenarios and tight
analogies with physically violent techniques ignore other more potentially
effective uses of IT in terrorist warfare: intelligence-gathering,
counter-intelligence and disinformation.
Disinformation is
easily spread; rumours get picked up by the media, aided by the
occasional anonymous e-mail. Cracking into a government server and
posting a new web page looks impressive and generates publicity,
but cracking into a government server and reading private email
is much more valuable to terrorists. This gives cyberterrorists
valuable details about the thought and operations of their adversaries,
and can aid in planning conventional attacks. Furthermore, if terrorists
can penetrate the security of an enemy organisation's computer networks,
they do not need to do any damage to be militarily effective. Rather,
they can quietly copy information to process at their leisure, without
having to physically smuggle it out of secure facilities. False
or misleading information can be planted in (or deleted from) databases,
undermining the effectiveness of organisations relying on that information.
In today's environment, authentication via strong encryption is
still rare and IT makes forgery easy. Credentials can be forged
to fool authorities or the media for purposes of disinformation
or to enhance covert physical activities.
As pointed out by
Clifford Stoll in The Cuckoo's Egg, automated 'data mining' techniques
can be used to search for useful patterns in vast stores of insecure
and seemingly unrelated data. A bank may assume its electronic fund
transfer system is the most vital system to protect, but a terrorist
may only want access to the financial records of persons or groups
that are the bank's customers. This may not even involve destruction
of data, as the pure information is often much more valuable than
simply destroying random records. Reconnaissance attacks such as
these are difficult to stop but extremely damaging. In the long-term
banking scenario, the terrorist may simply choose to track sources
of funding based on deposit records to harm the person or group
who is the target. In a situation like this, going into the bank
to destroy the information is only a temporary setback and will
raise attention. Why destroy a valuable point of information gathering
by doing something short-term like disrupting operations?
Nevertheless, for
the terrorist, cracking might be used for more than just destroying
data. Attacking an information system would be a good way to either
distract the target or otherwise enable the terrorist to perform
a physical attack. An example might be to crack into an airline
and delete transport manifests to cover the transport of illegal
materials. Had Shoko Asahara and the Aum Shinrikyo group been able
to crack the Tokyo power system and stop the subways, trapping passengers
on the trains, the number of casualties caused by their 1995 Sarin
gas attack might have been significantly larger. If a determined
group wanted to bring New York to its knees, what better way than
to combine a physical bombing campaign with simultaneous IT attacks
on the power grid, hospitals, emergency services and the media?
Turning to the larger
picture, in warfare the party that runs out of funds first loses.
Thus, the objective of warfare may not just be to inflict as much
physical damage
as possible, but instead be to maximise financial damage. The Irish
Republican Army (IRA) learnt to use this concept very effectively
in recent years, sufficiently occupying the resources of the British
government through infrastructural attacks (as opposed to direct
attacks against people). This suggests that, in the future, stock
markets or other primary financial institutions might become high-profile
targets and the most effective means of accomplishing a terrorist's
goal. More damage would be accomplished by taking the New York Stock
Exchange offline for a few days rather than actually bombing a building.
That said, financial institutions are one of the few parties recognised
in the hacker community for taking their security very seriously
indeed.
Given the predominance
of the IT-based industry and the familiarity of the Internet in
the USA and Western Europe, the terrorist groups that fit the motive
and mindset to use cracking could be closed religious or fanatical
groups whose value systems are so out of sync with the mainstream
that they feel threatened enough to take as much of the world with
them as they 'go under'. That, together with 'lone gunmen' and activism
campaigns - 'hacktivism' - are scenarios that appear to fit the
profile.
A Pakistani Internet
hacker known only as 'Dr Nuker', for example, has a message for
Americans: he and a cybercohort, one 'Mr Sweet', have not yet begun
to fight. The idea of Third World cyberpunks threatening the planet's
sole superpower might seem unlikely - unless, of course, you run
Internet sites at Lackland AFB or the 86 other facilities that their
group, the 'Pakistan Hackerz Club' (PHC), has struck in the past five
months.
The PHC's self-described
founder and perhaps the world's most prolific Web cracker today,
Dr Nuker admits he's a revolutionary, a 'cyberterrorist' with a
cause: freedom for Indian-controlled Kashmir. Yet by penning anti-Indian
missives on Internet sites run by the Naval Reserve Maintenance
Facility in Ingleside, the Karachi Stock Exchange and even the Disney
Guide, Dr Nuker not only has become a high-profile 'hacktivist'
- a computer cracker with a political or social goal - but a wild
card who hints he can wreak havoc far from home.
"We don't have any
intentions to compromise any sort of military or governmental database,
but in case there will be a cyber war with Pakistan, then we will
sure prove our knowledge, ability and skills," he warned in an e-mail
message. It may be no idle boast.
Today, employers,
even those running critical infrastructure, are hard-pressed to
not give employees Internet access; 401k retirement plans, health
insurance plans and others are starting to mandate it. Most employees
are on insecure, poorly administered, unreliable desktop operating
systems: the recipe for serious electronic mayhem.
Beyond the hype
Critics maintain
there is no such thing as cyberterrorism, and there is undoubtedly
a lot of exaggeration in this field. If your system goes down, it
is much more interesting to say it was the work of a foreign government
rather than admit it was due to an American teenage 'script-kiddy'
tinkering with a badly written CGI script. If the power goes out,
people light a candle and wait for it to return, but do not feel
terrified. If their mobile phones switch off, society does not instantly
feel under attack. If someone cracks a web site and changes the
content, terror does not stalk the streets. Some groups talk of
taking down power grids; while that would help in conjunction with
another type of attack, in itself it would be useless. Most grids
suffer infrequent black-outs anyway that are not terrorist-related.
In fact, terrorism campaigns using just computers are unlikely.
The sheer size of programmes works against the attacker more than
the defender. No one person can fully understand a programme comprising
over a million lines of code, especially if he/she did not write
it, and the defender has more people available. Critical programmes
that run infrastructure functions, such as traffic lights, are usually
custom-written, making them twice as difficult to attack.
Any system put together
in the last few years will have been implemented with security in
mind. Ironically, Y2K could prove to be a boon, as audits will give
detailed reports on exactly what is in a system and this information
can be used to boost security.
Most security-aware
organisations do not put highly sensitive (such as military or corporate)
data on servers that are accessible via the Internet and design
their Internet servers to be disposable and easily reinstalled from
compact disc (CD) or tape. These organisations also typically keep
their servers in restricted-access areas. Most organisations with
sensitive data also keep off-site back-ups. Write-once CDs are becoming
very popular as they are inexpensive, compact and convenient to
restore from. To cause serious and lasting damage, a terrorist would
need to destroy or corrupt not only the contents of the servers,
but also the off-site back-ups.
Reality bytes
In theory, cyberterrorism
is very plausible, yet in reality it is difficult to conduct anything
beyond simple 'script-kiddy' DoS attacks. Terrorists attempting
to sway a populace by fear would therefore be less interested in
such an attack unless they could carry out an extremely damaging
one on a repeatable basis or unless they used it to augment the
effects of a physical attack.
As things stand,
while a terror attack using crackers is potentially highly destructive,
the psychological impact of the disruption of services is still
much lower than that of a direct physical attack.
Johan
J Ingles-le Nobel is Deputy Editor of JIR, having previously
obtained his Masters at St Andrews University. He gratefully thanks
the contribution and advice of people at Slashdot.org.
They met by
moonlight in August 1999: Chaos Computer Club organised a
three-day hacking event in Germany 'for nerds, hackers and
phreaks from all over the world'. For the 1,500 attendees,
the attractions included a Linux deathmatch, in which opposing
teams tried to infiltrate each other's computers, and the
Firewalling Project, in which a server's firewall was poked
and prodded for security vulnerabilities for fun.
The 'Cult
of the Dead Cow' and 'L0pht Heavy Industries', élite
hacking groups that have shot to online prominence.
Easily downloadable
virus and hacking tools are very appealing to young thrill-seekers
('script-kiddies'), who are responsible for 99% of all hacking
attacks. However, lurking in the digital noise, an élite
hacker may make an attack that could truly worry corporate
security.
Source: Jane's
Article Courtesy of Jane's
Intelligence Review
©Jane's Information Group 1999