The first known cyberattack occurred in 1998, and was a limited attempt by Tamil guerrillas to swamp Sri Lankan embassies with e-mail, according to U.S. officials.(1) This attack may have been crude and ineffective, but it set the stage for more serious cyberattacks in the future.
While hacking (or, more appropriately, cracking) techniques have been used by unscrupulous individuals (mostly teenagers) for over 10 years in the United States to gain unauthorized access to computer systems, the use of these techniques by states or organized groups to deliberately disable or destroy the computer systems and infrastructure of their enemies is a relatively recent phenomenon.
In 1999, an Associated Press report detailed an apparent coordinated electronic attack by the Chinese on Internet web sites operated by the Falun Gong meditation group.(2) The report stated that at least one hacking attempt appeared to have been traced back to a Chinese national police bureau in Beijing.
Attack Methods
The vast majority of electronic attacks involve amateurs who have copied programs from the Internet or from their friends. Armed with these programs, the attackers, most of whom are still in school or are school age, can and have caused damages running in the millions of dollars. Other hackers attack computer systems merely for the thrill of the attack itself and leave “calling cards” as to their visits, or simply do it in order to brag to their friends.
Often a hacker will gain access and open a “back door,” a separate entry point to the computer system, which allows the hacker to enter the system undetected at will and provides a sense of ownership over the system. Knowing that the system is his for the taking provides a feeling of absolute power, an emotional state that is frequently necessary for the hacker’s self-esteem.
A further measure of control involves inserting a “Trojan Horse” into the system files. This is a program which a system accepts, usually because it is not detected or because it is recognized as a benign file. Trojan Horses often contain malicious code in the form of “Logic Bombs,” which are programs residing in a system without interfering with the system operation until activated through the passage of a certain amount of time or the occurrence of a certain event. Upon activation, the Logic Bomb may do anything its designer has programmed it to do, including destroying the system files or spreading viruses.
A virus is by definition a program that reproduces itself. It may destroy or alter data or use system memory, or it may simply reproduce itself, but it generally stays within the computer system. Worms are similar to viruses in that they copy themselves over and over, generally degrading system resources, but they are designed to reproduce across computer systems (for example, through e-mail) and are therefore potentially much more dangerous. Even the most innocuous of these are vicious, however, and cause serious problems for computer systems. Although the total number of viruses (and worms) is unknown, one leading manufacturer of anti-virus software advertises that its program protects against over 50,000 viruses.
Just how much damage do they cause? The latest estimates for one of the more recent worldwide viruses, the “Love Bug,” which originated in the Philippines and quickly spread to both Europe and the United States, indicate that the damage to computer systems may have run as high as $10 billion.(3) This virus was allegedly created by college students as a research project. Imagine what a terrorist group could accomplish with determination and a fundamental understanding of computer technology.
A growing form of cyberterrorism common in Europe (and beginning to be used in the United States) is cyber-extortion. The typical scenario in this criminal activity occurs when an individual or group threatens to destroy, publish or sell the data files of a company if a certain fee is not paid or an action by the company is not undertaken. Often the extortionists will have gained entry into the system files and left a “calling card” in order to prove the validity of the threat. Companies frequently accede to the demands rather than report the threat to the police because they understand the damage that can be done and also because they are afraid of the effect on their customer or client base if a security breach of client data becomes publicly known.
Perhaps the most devastating computer attacks occurring from 1999 to 2001 have been “Denial of Service” (DoS) attacks or “Distributed Denial of Service” (DDoS) attacks, often caused by “Mail Bombs.” In a DoS attack, a computer (or a group of computers in the case of an organized attack) is directed to flood the target system with e-mail or requests for information. A DDoS attack accomplishes the same goal using captured, third party computers. In this type of attack, third party computer systems (called Zombies) are in essence hijacked and used to flood the target system with requests for information or e-mails, thereby totally overwhelming the target system and shutting it down for commercial traffic.
DoS and DDoS attacks cost private industry only $77,000.00 in 1998, but cost an estimated $8 million in damages during the first two months of the year 2000 alone.(4) In the United States, Mail Bombs have been used by eco-terrorists to tie up their adversaries, with over 50,000 e-mails being sent in 1998 to a Swedish facility that conducts research using monkeys.(5) The DoS attacks of the last few years have caused considerable damage to major U.S. corporations, yet they appear to have been directed by teenagers, not organized terrorist groups. The magnitude of damage which could be caused by a well organized and orchestrated attack carried out simultaneously from numerous locations is staggering to computer security professionals. Richard Clark, a National Security Council analyst, advised in December 2000 that the U.S. government believes tens of thousands of innocent computer systems may have already been turned into Zombies that hackers could use to cripple the Internet.(6)
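The Mail Bomb floods described above are easy to spot on the receiving side if someone is counting. The following is an added example (not part of the original article) of such detection logic run over a constructed mail log: it flags any recipient that receives more than a threshold of messages inside a sliding one-minute window, and reports how many distinct senders were involved, which is what separates a single-source DoS from a distributed (DDoS-style) flood. The log line format, the thresholds and the sample addresses are assumptions made for illustration.

```python
"""Mail-bomb (e-mail flood) detection over mail log lines.

Added example, not from the original article. The log format
"<ISO timestamp> from=<addr> to=<addr> size=<bytes>" is an assumption,
as are the thresholds and the constructed sample log below.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) size=(\d+)$")


def parse_line(line):
    """Parse one log line into (timestamp, sender, recipient, size); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, rcpt, size = m.groups()
    return datetime.fromisoformat(ts), sender, rcpt, int(size)


def detect_floods(lines, window=timedelta(minutes=1), threshold=5):
    """Return {recipient: info} for every recipient that received more than
    `threshold` messages within some sliding window of length `window`.

    info = {"count": peak messages in the window,
            "distinct_senders": distinct sender addresses in that window,
            "first": timestamp of the first message in the window,
            "last": timestamp of the last message in the window}
    """
    per_rcpt = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines rather than fail
        ts, sender, rcpt, _size = rec
        per_rcpt[rcpt].append((ts, sender))

    alerts = {}
    for rcpt, events in per_rcpt.items():
        events.sort(key=lambda e: e[0])
        start, best, best_info = 0, 0, None
        # Two-pointer scan: advance `start` until the window fits, then count.
        for end, (t, _s) in enumerate(events):
            while t - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_info = {
                    "count": count,
                    "distinct_senders": len({s for _, s in events[start:end + 1]}),
                    "first": events[start][0],
                    "last": t,
                }
        if best > threshold:
            alerts[rcpt] = best_info
    return alerts


# Constructed sample log: eight messages hit lab@research.example within 20 seconds
# from eight different senders, while admin@research.example sees normal traffic.
SAMPLE_LOG = """\
2001-10-01T09:00:00 from=a1@mailer.example to=lab@research.example size=512
2001-10-01T09:00:03 from=a2@mailer.example to=lab@research.example size=512
2001-10-01T09:00:05 from=a3@mailer.example to=lab@research.example size=512
2001-10-01T09:00:07 from=bob@partner.example to=admin@research.example size=2048
2001-10-01T09:00:09 from=a4@mailer.example to=lab@research.example size=512
2001-10-01T09:00:12 from=a5@mailer.example to=lab@research.example size=512
2001-10-01T09:00:15 from=a6@mailer.example to=lab@research.example size=512
2001-10-01T09:00:18 from=a7@mailer.example to=lab@research.example size=512
2001-10-01T09:00:20 from=a8@mailer.example to=lab@research.example size=512
2001-10-01T09:45:00 from=carol@partner.example to=admin@research.example size=1024
"""

if __name__ == "__main__":
    for rcpt, info in detect_floods(SAMPLE_LOG.splitlines()).items():
        kind = "distributed" if info["distinct_senders"] > 1 else "single-source"
        print(f"FLOOD {rcpt}: {info['count']} msgs, {info['distinct_senders']} senders "
              f"({kind}) between {info['first']} and {info['last']}")
```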
The Targets
Most experts feel that military installations, power plants, air traffic control centers, banks and telecommunication networks themselves are the most likely targets for a cyberterrorist attack. Other targets include police, medical, fire and rescue systems, which could easily be damaged, along with Wall Street brokerage firms and water/sewage systems.
During the Gulf War in 1990, a group of Dutch hackers calling themselves “High Tech for Peace” approached diplomats in the Iraqi Embassy in Paris. The hackers offered to disrupt the electronic network handling logistics messages between bases in the U.S. and U.S. military units in Saudi Arabia if the Iraqi Government paid a fee of $1 million. The Iraqis refused, but in reality they probably should have accepted the offer. A study later showed that 25 percent of the electronic messages coming into Saudi Arabia were uncoded and were totally vulnerable to interception and disruption. Had this offer been accepted the U.S. military supply lines would have been severely affected.(7)
In a recent briefing before the U.S. Congress, George Tenet, Director of the U.S. Central Intelligence Agency, said at least a dozen countries are developing programs to attack other nations' information and computer systems. China, Libya, Russia, Iraq, and Iran are among those developing such systems. Additionally, a new classified National Intelligence Estimate reports at least one instance to date of active cybertargeting of the United States by a foreign nation.(8)
In 1996, a Swedish hacker, moving through cyberspace from London to Atlanta to Florida, rerouted and tied up telephone lines to 11 counties, put 911 emergency service systems out of commission, and impeded the emergency responses of police, fire, and ambulance services.(9)
While many of the foreign cyberattacks grab the headlines, domestic cyberattacks are increasing at an alarming rate, with the number of pending FBI cases involving cyberattacks having increased from 128 in 1996 to 1,154 in 1999.(10)
Nor are the cyberattacks limited to business and educational establishments. In 1998, the FBI executed search warrants on the homes of two California high school students after determining that they had gained entry to a number of government computer sites. Their hacker assaults on the Pentagon, NASA, and a U.S. nuclear weapons research lab were described by a deputy defense secretary as the most organized and systematic attack on U.S. computers ever discovered. To make the Pentagon attack hard to trace, the hackers routed it through the United Arab Emirates. They were directed in this attack by a teenage hacker in Israel.(11) While all of those involved were arrested, in a typical case little punishment is imposed on teen hackers due to their age. The situation is even more complicated with the discovery of a teenage hacker in another country. In most recent situations, the United States has left the prosecution of teenagers to the discretion of their home country, even if extradition treaties would allow prosecution here.
The vulnerability of technologically advanced countries such as the United States to cyberattacks became acutely apparent through government studies of the Y2K problem in 1999. It was discovered that the “triad” of electric power, banking, and telecommunications was especially susceptible to cyberattacks because of the heavy use of computers in these industries and the mandated use of telecommunications to link the computers. The interdependence of these industries makes protection against electronic intrusion vital to the continuation of an advanced society. When it is understood that without telecommunications, both banking and electric power will fail; that without electric power, both telecommunications and banking will fail; and that without banking, the economic infrastructure of a country will fail, then the magnitude of the problem can be seen.
James D. Kallstrom, former chief of engineering at the FBI laboratory in Quantico, Virginia, in discussing the possibility of computer network based cyberattacks, advised:
We are using the efficiencies of technology and the Information Age to control everyday things like traffic lights, 911 systems, the environment of buildings, the communications network, and the power grid. We even control the water supply with computers. We are doing more and more things like that. In the old days…Fort Knox was the symbol of how we protected things of great value: we put them in buildings with thick walls and concrete. We put armed guards at the doors, with sophisticated multiple locks and locking bars. We could even build a moat and fill it with alligators…. Today [with] things of that same value, you wonder if some teenager is going to go in on the phone lines and steal it all. We are not equipped to deal with those issues both in the government and private industry.(12)
Brian Jenkins, an analyst at the Rand Corporation, a U.S. think tank, expressed a similar view:
In the past, when terrorists wanted to conspire, they usually had to get together and meet in person. Nowadays, they can take to the Internet and find like-minded believers, even if they don't know them already. We have not even begun to comprehend the consequences of the Internet to create an army. Their ability to communicate with one another, to find reinforcement -- even justification -- for crazy views is of extraordinary importance.(13)
The Future
It has been estimated that 90 percent of all criminals in the U.S. are now computer literate.(14) This percentage would indicate a dramatic increase in the number of computer crimes overall, including the use of computers for terrorist acts. As the computer literacy of terrorists increases, the number of cyberattacks by terrorist groups should show a corresponding increase.
There has never been a greater need for joint government and private industry cooperation to meet what will likely be the next great threat to the security of our nation’s infrastructure. Reaction on the part of cyberattack victims (in both government and private industry sectors) continues to vary widely to both published and unpublished attacks. Some companies have taken an extremely aggressive stance, even to the point of reversing DoS attacks and actually counterattacking the DoS originators.(15) On the opposite end of the spectrum, many companies merely attempt to close the door to the attack and quietly look for ways to defeat attacks in the future, giving as little publicity as possible to the attack and hoping the attacker will seek another victim in the future. Still other companies have opted for litigation and criminal action to stop the attacks, understanding that only by pursuing actions which inflict legal pain will attacks be stopped.
Recent technology has enabled government agencies to electronically search an attacking computer for evidence of the attack,(16) and the potential is not limited to purely defensive methods. According to the New York Times, the U.S. Department of Defense has set up a Cyberwarfare Center which provides offensive cyberwarfare capabilities, including strategies designed to “infect enemy software, upset enemy logistics, and disable enemy air defense systems.” One immediate usage for the Center’s programmers during the war in Kosovo was to conduct “attacks on Serbian computer systems in an effort to change banking records and deplete Serbian assets.”(17)
A review of published data indicates no unified approach in the defense of cyberattacks today, whether they be from teenage computer hackers or from dedicated terrorist groups bent on destroying the United States. While recent changes in state and national criminal laws have closed some of the more obvious loopholes, the basic fact is that as a nation we have failed to recognize the enormous nature of the threat to our society. Law enforcement attempts to plug gaping holes in electronic fences have been repeatedly and effectively thwarted by those who consistently place privacy above security. The recent attacks on the Pentagon and Twin Trade Towers of the World Trade Center may soften the resistance to law enforcement and intelligence surveillance legislation which, if passed, may include cell phone, Internet and e-mail tracing, increased access to credit-card billing information; roving wiretaps linked to people instead of telephones, tougher penalties for terrorist crimes; and new methods to follow financial transactions by suspected terrorist groups.
A recent analysis of past cyberattacks makes some ominous predictions for the near future as the U.S. engages in its war on terrorism:(18)
* Electronic information sites in the U.S. and allied countries will be exposed to increasing attempts at defacing for the purpose of spreading disinformation and propaganda.
* DoS attacks will increase, as will the use of worms and viruses.
* Unauthorized intrusions into U.S. systems and networks will result in critical infrastructure outages and corruption of vital data.
Until the threat is recognized as not random and isolated, not the pranks of a few talented but misguided individuals, but is rather the opening salvo of a massive and deadly serious assault against the very fabric of our technological culture, no effective steps will be taken to prevent and neutralize the threat. It may just be that until we experience an “Electronic Pearl Harbor,” we will continue to approach the problem in a piecemeal and ineffective manner, always playing catch-up with the other side and always at least one step behind in the ongoing war against computer literate criminals and cyberterrorists.
Preparation for the Attack
If one assumes that a future cyberattack is likely in some form, what are the steps, if any, which may be taken to protect networked governmental, corporate or even home computer systems? First and foremost, learn from others’ mistakes by undertaking the following specific steps:
Policy review
Every government and virtually every business in the United States now has at least one computer system. If employees have access to computers and systems, a review of current practices and procedures should be undertaken immediately to determine the appropriate use of network resources.
* Who has access and to which systems?
* What is their level of access?
* Exactly what are employees able to do with their access?
* Are written policies in place?
* Are they enforced?
Policy reviews should address e-mail and Internet use as well as basic security practices. There are many sample policies available and numerous reputable companies in existence that conduct security audits. Much of what they do is plain common sense, but it is generally based upon known methods of intrusion. If your organization is contemplating the use of a physical/technology security service for a review of your procedures, ensure that those who conduct the audit have ample experience in their fields – in other words, use the best people you can find. Once policies are written and/or upgraded, they should be implemented as part of normal training, and every employee should acknowledge the receipt of training by signature.
After review by appropriate legal counsel, consideration should be given to the use of an on-system warning screen advising the user that the system confers no privacy rights and is to be used by authorized personnel only for official government/company business. Users should be notified that the system is subject to being monitored for appropriate use (perhaps defining the term “appropriate use”). The warning should further advise that system resources are subject to being retained and reviewed by the government and may be furnished to others, including law enforcement agencies, at the discretion of the government. Finally, users should be notified that by using the system they understand and consent to the provisions of the warning.(19) If not placed in a warning screen, the above should be incorporated into the government policy and should be acknowledged by all employees having access to system resources.
Firewalls and Virus Checkers
Computers and networks without operating firewalls and up-to-date virus protection are similar to open entrance doors in homes – they are invitations for criminals to enter, steal, and vandalize.
Firewalls are generally considered necessary when using “always on” connections like T1 lines, cable and DSL connections, because a typical telephone modem for a home line is assigned a different computer address (IP address) each time the server is dialed. To test a particular computer’s vulnerability to outside probes, run the tests at Gibson Research or at the Symantec site. These will show the need for firewall protection or will show how much protection an existing firewall offers.
One additional bonus for firewalls that should not be overlooked is the filtering capacity that they offer. Most provide filtering options ranging from no filtering to totally paranoid, and site-blocking features prevent most (but not all) unauthorized site visits. E-mail programs provide the same provision for blocking unwanted e-mail, but their ability to filter is somewhat limited.
Virus checkers are relatively cheap and offer substantial protection from e-mail and Web viruses, but must be frequently updated to be effective. The once laborious process of updating has been simplified and now is easily accomplished through automatic updates or one-button clicks.
Most virus protection software is based on pattern recognition of known virus characteristics. Since these recognition patterns are developed only after new viruses are identified, they are unable to prevent new and unrecognized viruses. Because no virus checking software offers 100 percent protection, an examination of company computer operating policies should be mandatory with a goal of limiting Internet access to only those employees who have a need for Internet use in their jobs.
E-mail use also should be examined and policies formulated to restrict the receipt of attachments, which often contain viruses. Thought should be given to notifying employees that their e-mail usage is subject to being monitored (they should sign a statement of acknowledgement) and then periodically examine e-mail content for inappropriate or excessive usage. Finally, a retention period for e-mail messages should be established to decrease storage requirements and incidental exposure. This period should be more than 30 days but less than a year. The ability to retrieve e-mail messages may become extremely important in the event that a cyberattack or virus renders the system inoperable.
Password Protection
Individuals generally resist having to bother with passwords and when forced to do so, they often pick common words that are easily determined by scanning computers. To be safe, passwords should be a combination of letters and numbers and should be changed often. It is also a mistake to leave passwords in easily accessible places, such as under mouse pads or taped to the back of computers.
Security Patch Updates
Many attacks could be thwarted simply by installing system patches provided by software manufacturers to plug known security breaches. Network administrators and individuals should check system vendor sites often for upgrades designed to repair system deficiencies.
Along the same lines, administrators should frequently check the FBI’s National Infrastructure Protection Center (www.nipc.gov) site and Carnegie Mellon University’s CERT Coordination Center site, a federally funded research site (www.cert.org) for updated cyberattack information. The CERT site is particularly helpful for home computer users as it offers practical tips in non-technical language.
The National Infrastructure Protection Center (NIPC) also provides a forum (InfraGard) which encourages the exchange of information between the U.S. Government and private sector members. NIPC acts as a facilitator to its members through the dissemination and exchange of information about infrastructure protection. InfraGard may be accessed through the NIPC site above or directly through www.infragard.net.
Data Backup
One of the most common complaints among computer users involves system crashes, whether they are caused by a virus, sabotage, or malfunction. Other than virus protection, the easiest and cheapest way to protect a system is through periodic data backups. Most home users and small businesses, however, seldom back up their data on a frequently scheduled basis, and when the crash comes, which it inevitably does, weeks or months of work can be lost. Nor is it enough to simply copy the data. Provisions should be made to store the data at a secure off-site location for fire and theft protection.
Backup procedures and schedules should be thoroughly covered in the governmental policy or procedure manual. In addition to electronic data backup, vital hard copy files should also be archived for the unlikely event that extended power or computer outages might occur. Protection against transient power outages should be provided by UPS battery backup systems to eliminate unnecessary down time, with thought given to implementing generator-supplied power supply for the entire computer system.
Internal Security
Finally, because most of the computer attacks today, including vandalism and theft, still originate from within organizations, internal security must be given more consideration. Information technology training, security education, and employee screening are all tools used to safeguard against internal attacks and theft. Periodic security audits from trusted outside agencies (discussed above) offer an unbiased view of the level of protection offered, as well as providing notice to company employees that infractions will likely be discovered and appropriate sanctions imposed.
While preventing all cyberattacks is impossible, with some basic planning and security awareness in mind, there are definite steps that companies, agencies and individuals can take to prepare their systems and personnel for the challenge. Failing to take these basic steps outlined above is akin to playing Russian roulette. Disaster may not strike immediately, but statistically it is bound to occur. What will you (or your organization) do when it does?
Conclusion
Many, if not most, governmental entities are on tightly restricted computer system budgets. Systems are expensive to purchase and maintain, especially with such a limited effective lifespan. If corners are to be cut, it is often in the systems security and training areas.
In light of the current threats, policy makers should carefully reconsider this view by asking one simple question: Just how much damage could be inflicted on my organization in a worst-case scenario attack on our computer system(s)? If a realistic initial appraisal determines a high level of vulnerability for continued operation, serious consideration should be given toward an immediate and thorough review of the organization’s information technology security. This security review can be implemented using the bullet point topics in the preceding section as guideposts. The review should begin with a policy review, and after inspection and corrective action on the other items have been completed, the policy should again be examined to ensure all necessary changes have been incorporated.
It is not enough to make system and policy changes, however. All personnel (not just systems personnel) must be given adequate training in physical security, threat analysis, and emergency operations to ensure that they understand likely threats and know what actions (including reporting procedures) to take in the event of a threat. In addition, computer systems personnel should be continuously trained in protection methods as outlined above and should be encouraged to be alert for potential violations and security breaches. The key to this training is to realistically portray the threat so that each employee understands his/her role in protecting both employees and the organization.
All personnel must understand that the likelihood of serious security breaches is now at such an increased level that their continued employment and possibly their physical safety depend upon compliance with organizational policy and threat consciousness. Security infractions and breaches must be thoroughly investigated and corrective action immediately taken, to include after-action reviews so that violations are not repeated. Employees should be encouraged to report violations, and inadvertent breaches should not be punished if reported. The idea is to prevent mistakes or violations from being buried through fear of reprisal rather than being reported and corrected.
Not all of the above suggestions are expensive. Many can be accomplished “in house,” and with a minimum of effort. All systems should be reviewed immediately, however, as we are faced with dangers never before seen. President Bush advised following the September 11 attacks that we would most likely be engaged in a long war against very determined terrorists. Based upon the available evidence, those who have proclaimed themselves to be our enemies are well prepared. Are we?
Endnotes
1. “U.S.: First cyberattack by terrorists,” Reuters Report, 5/5/98, (4/25/00).
2. “China Sect Claims Sites Under Attack,” Associated Press, 7/31/99, (4/25/00).
3. David Noack, “‘Love Bug’ Damage Worldwide: $10 Billion,” ABP News, 5/8/00, (5/9/00).
4. Andrew Quinn, “Risky Business; Computer Security a Top Issue,” ABC News, 3/22/00, (3/25/00).
5. Miguel Llanos, “Eco-extremists using e-mail bombs,” MSNBC, 10/24/98, (11/2/98).
6. Michael Kirkland, “NSC: ‘Zombies’ could cripple ‘Net,” UPI Report, 12/28/00, (12/29/00).
7. John J. Fialka, War by Other Means, (New York: W.W. Norton, 1997), pp. 104-105.
8. Douglas Pasternak and Bruce B. Auster, “Terrorism at the touch of a keyboard,” US News and World Report, 7/13/98, p. 37, (4/27/00).
9. Ibid.
10. Sue Pleming, “Freeh: Cyber attacks doubled in ’99,” Reuters, 3/28/00, (4/1/00).
11. Douglas Pasternak and Bruce B. Auster, “Terrorism at the touch of a keyboard,” US News and World Report, 7/13/98, p. 37, (4/27/00).
12. Simson Garfinkel, Database Nation, (Sebastopol, California: O’Reilly & Associates, 2000), p. 224.
13. Jim Krane, “Terror's 'Dark Undercurrent' Rises in America,” APB News, 4/19/00, (4/20/00).
14. Richard S. Groover, “Overcoming Obstacles: Preparing For Computer-related Crime,” FBI Law Enforcement Bulletin, August, 1996, (4/26/00).
15. “Can you hack back?” CNN News, 6/1/00, (6/3/00).
16. Patrick Riley, “Feds Use Convicted Pedophile To Create Internet Spy Software,” Fox News, 8/16/00, (8/17/00).
17. Elizabeth Becker, “Pentagon Sets Up New Center for Waging Cyberwarfare,” New York Times, 10/08/99, p. A16.
18. Michael A. Vatis, “Cyber Attacks During the War on Terrorism,” Institute for Security Technology Studies at Dartmouth College, 9/22/01, (10/1/01).
19. William C. Boni and Gerald L. Kovacich, I-Way Robbery: Crime on the Internet, (Boston: Butterworth-Heinemann, 1999), p. 166.