General Information
If your experience is at all like mine, you will find that you need to
both educate and convince people — from the "on-the-front-lines" users
to management.
Here's some help.
-
AWST = Aviation Week and Space Technology
-
WSJ = Wall Street Journal
-
DOD = U.S. Department of Defense
Telecommunication Outages
-
Undersea Cable Losses
-
1929 —
An earthquake in Newfoundland
broke twelve trans-Atlantic cables by
triggering a massive undersea avalanche.
-
2005 —
A portion of the
SEA-ME-WE 3 submarine cable
(running from Germany, down the Atlantic coast
and across the Mediterranean and Red Sea,
to Arabia, Pakistan, India and Sri Lanka,
then through Southeast
and East Asia and to Australia)
broke 35 kilometers south of Karachi.
This disrupted almost all of Pakistan's
communications with the rest of the world.
-
2006 —
The
SEA-ME-WE 3 submarine cable
was severed 26 December
by a magnitude 7.1 earthquake off the coast
of Taiwan, causing a major disruption in
Internet service to East Asia.
-
2007 —
Pirates stole an 11 kilometer section of the
T-V-H (Thailand - Vietnam - Hong Kong)
cable
in hopes of selling the 100 tons of cable
as scrap.
LIRNEasia has a story about this.
-
2008 events —
-
23 January —
The
FALCON
cable was cut, disrupting service
between Persian Gulf states and India.
-
30 January —
The
SEA-ME-WE 4
and
FLAG telecom
cables were almost simultaneously
damaged several kilometers apart
in the Mediterranean Sea
near Alexandria, Egypt.
There has been speculation that both
were damaged by a ship dragging its
anchor, but port video footage shows
no ship passing through the area
where the damage occurred.
-
1 February —
The
FALCON cable
was cut between Muscat, Oman and
Dubai, UAE.
-
3 February —
A cable called DOHA-HALOUL
connecting Qatar to the UAE was damaged,
between the Qatari island of Haloul
and the UAE island of Das.
-
4 February —
SEA-ME-WE 4
is cut at another location,
near Penang, Malaysia.
-
19 December —
FLAG telecom,
SEA-ME-WE 3,
and
SEA-ME-WE 4
cables are cut in the Mediterranean,
disconnecting Sicily, Malta,
and Alexandria, Egypt,
and disrupting 75% of data and voice
communication between the Middle East
and Asia and the rest of the world.
The
GO-1
cable linking Sicily to Malta
was also cut.
The reason was unclear; France Telecom
issued
a press release
saying they had
been cut by either bad weather
conditions or a ship's anchor.
-
For a
description
of these outages, see:
http://en.wikipedia.org/wiki/2008_submarine_cable_disruption
-
2009 events —
In late July,
the SAT-3 cable
was damaged, causing Internet connectivity
problems or complete outages in multiple
west African countries including
Benin, Togo, Niger, and Nigeria.
Togo and Niger were completely offline,
while Benin maintained some connectivity only by
rerouting traffic through neighboring countries.
All three used alternative satellite links to
maintain some connectivity.
Nigeria had a 70% bandwidth loss, causing
problems in banking, government, and mobile
networks (and probably slowing down all those
offers allegedly from the Widow Abacha
to share $12 MILLION US DOLLAR
with random e-mail recipients).
-
Satellite Losses
-
2007 —
XM Satellite Radio was off the air for a day
in May,
see the
Washington Post article
for details.
"The company blamed a software glitch for
the interruption."
-
2007 —
Dish Network was out 19 and 22 August
for two hours and half an hour, respectively:
http://www.multichannel.com/blog/350000435/post/1710013571.html
-
2007 —
Alaskan public television was out on 20 August
due to some satellite problems.
http://kakm.org/2007/08/20/satellite-outage-alert/
-
2006 —
The Optus B1 satellite lost contact 30 March
and among other things cut off
some television service to New Zealand.
http://www.geekzone.co.nz/forums.asp?forumid=48&topicid=7237
and
http://en.wikipedia.org/wiki/Optus_Fleet_of_Satellites#Failures
-
2004 —
Intelsat Americas-7 (formerly Telstar 7,
later Galaxy 27)
experienced a several-day power failure on
29 November 2004.
http://en.wikipedia.org/wiki/Intelsat
-
1998 —
Galaxy IV failed in May
and took out over 80% of North American pagers
for several days.
Wire news services, including Reuters, were
affected.
CBS and NPR had to use
backup transmission links.
The primary control processor had failed
due to tin whisker growth.
http://www.cnn.com/TECH/computing/9805/22/satellite_security/index.html
and
http://en.wikipedia.org/wiki/Galaxy_IV
-
1998 —
Galaxy VII failed 13 June and
dropped several hours of several
cable TV networks.
Another satellite failed 4 July 1998,
dropping several hours of DirecTV.
In both cases, a control processor failed,
but they eventually
could switch to a backup processor.
WSJ, 9 Jul 1998, Reuters.
-
1997 —
A $200,000,000 Telstar satellite
(and thus all its comm links) was
taken out by an unexpected solar flare
on 11 January.
I was teaching a course that week, and many
students complained the next day that
the pay-per-view movies no longer worked
in their rooms....
Science, 31 January 1997, pg 623, and
Science News, 1 February 1997, pg 68.
-
1995 —
Intelsat 511 was disabled for a few hours
by an electrostatic discharge event,
taking out some Australia-USA links.
The event fired a thruster and turned the
satellite out of alignment for the links
to Earth.
http://www.ips.gov.au/Educational/1/3/11
-
Former CIA analyst comments on vulnerability of
civilian satellites (1995):
http://www.fas.org/spp/eprint/civilsat.htm
and GAO report (2002):
http://www.fas.org/spp/eprint/civilsat.htm
Big-Money Losses
-
See the
collection of cost estimates
at
http://www.securitystats.com/sspend.html
—
a nice collection of many estimates.
-
This has been a big problem for several years and
it just grows.
As per Andersen Consulting, in 1997:
-
Computer security breaches cost businesses
US$ 10,000,000,000.
-
59% of businesses selling over the Internet
reported security breaches.
That was in 1997, losses will be much
higher now!
-
A London banking organization allegedly paid
millions of pounds to stop a
two-year series of attacks mixing logic bombs
with electromagnetic pulse weapons:
London Sunday Times, 2 June 1996, pg 1;
9 June 1996, pg 1.
Note that this story is now widely thought
to be overly hyped and possibly
a complete fabrication,
especially the part about the
electromagnetic pulse weapons.
Some self-proclaimed
"infowar specialists"
carry on endlessly about
HERF guns and EMP devices.
Caveat lector!
-
Chinese and Bulgarian factories,
in concert with companies
in countries that are close allies and trading partners
of the U.S.,
steal software and pirate it as fast as the CD-ROM
presses will run.
In
Tallinn, Estonia,
take bus #92 out to the big market at Kadaka Torg.
In
Sankt Peterburg, Russia,
the big bootleg market is diagonal from the
rear corner of the Gostinniy Dvor shopping arcade along
Nevsky Prospekt.
In
Istanbul, Turkey,
go to the weekend flea market on University Square,
just outside the entrance to the Grand Bazaar.
All offer CD-ROMs intended as master disks for OEMs.
Bulgaria has made a few "show raids" on companies like Unison,
with little real effect.
-
Digital watermarking, related to steganography
(hiding messages in data), has been around a long time:
-
It was used by Demaratus, a Greek,
to send a message to the Spartans
in the war between the Greeks and the Persians
in 480 B.C. [see
"The Histories" by Herodotus,
and "The Code Book" by Simon Singh]
-
Much later than that (in 1500!),
it was described by the Benedictine monk
Johannes Trithemius in Steganographia.
He described a method of hiding text
in a prayer book.
-
Playboy
has used it to watermark imagery sold in
electronic form since 1997:
https://www.digimarc.com/,
Secure Computing, Aug 1997, pg 15.
-
It's been discussed in non-specialist
publications since the mid-1990s:
-
Nature, 12 Dec 1996, pg 514
-
AWST, 20 Oct 1997, pg 13,
and 3 Nov 1997, pg 17
-
Business Week, 1 Sep 97, pg 35
-
New York Times, 17 Feb 1999.
-
The Air Force Research Lab,
http://www.wpafb.af.mil/afrl/ri/,
wants to transfer their work on the technology
to the civilian sector.
-
For huge losses most people willingly ignore, see
Scientific American, July 1997, pp 82-89,
for a great article,
"Taking Computers to Task" by W. W. Gibbs.
-
The average office worker spends 5.1 hours
per week unnecessarily fiddling with
their machine —
adjusting windows,
changing background "wallpaper,"
or playing with their screensavers.
This doesn't even count playing games!
-
Boeing removed all games from their systems,
fighting Microsoft's attempt to lower
U.S. productivity by
bundling games into operating systems under
the silly premise of
"games teach people how to use a mouse."
-
Sun Microsystems prohibited fancy presentations,
as they found that people can quickly assemble
quality technical information
but they will waste lots of time
trying to make slides look pretty.
Cyberwar — Military applications of network attack and defense
This section grew enough to get its own page
addressing:
-
How the meaning of "network-centric warfare" has changed,
and associated skepticism and enthusiasm for it.
-
Actual
examples of international conflict carried out on the Internet,
and what may or may not be additional cases.
-
Offensive Information Warfare, also called
Information Operations.
Click here for that page.
COMSEC (Communications Security) —
attacking cellular/mobile & GSM telephony
-
To intercept both directions of a cellular telephony conversation,
the eavesdropper will need to listen somewhere near the handset.
However, in many cases (consider phone interfaces to banks or airlines,
where sensitive PINs and other information is passed) it could be
adequate to intercept just the link from the base station to the handset.
-
Digital AMPS
(a GSM competitor once popular in North America, although
now end-of-life)
uses CAVE (Cellular Authentication, Voice Privacy and Encryption)
and CMEA (Cellular Message Encryption Algorithm).
These perform three main functions:
- Authenticate to the network that the unit requesting service is a
legitimate subscriber.
- Generate codes to protect control channel data, including all digits
dialed on the keypad (dialed numbers, plus later PIN's etc).
Control channel data is encrypted with CMEA (Cellular Message
Encryption Algorithm).
- Generate two keys to "mask" the digitized forward and reverse
voice channels.
The voice "masking" was known to be cryptographically weak in 1992.
On 20 March 1997, Bruce Schneier (author of Applied Cryptography) and
David Wagner (UC Berkeley grad student) announced breaking CMEA.
The response of the Cellular Telephone Industry Association (CTIA) was to
lobby for laws to make it illegal to break their breakable system, so they
can continue to advertise it to an unwary public as "unbreakable"....
See Monitoring Times, June 1997, pp 28-29, and
http://bt.counterpane.com/
for more details.
-
Targeted eavesdroppers prefer the Harris Triggerfish
or the CCS Digital Data Interpreter, which use the non-voice data streams
to track frequency changes, cell hand-offs, etc.
Top-of-the-line, but pricey!
The OKI 900 controlled by the right software running on a laptop is a
lower-budget cellular intercept platform that's still pretty capable.
-
For more details on GSM hacking, including the announcement of GSM cloning
and why security-through-obscurity isn't security at all, see:
http://www.isaac.cs.berkeley.edu/isaac/gsm.html
-
Late 1999 saw announcements of GSM cracking (which, for the U.S.A.,
affects "Digital PCS" as well).
Summarizing from Bruce Schneier's "Crypto-Gram" newsletter,
15 December 1999,
http://bt.counterpane.com/,
the relevant algorithms are:
-
A3, the authentication algorithm to prevent phone cloning
-
A5/1, the stronger of the two voice-encryption algorithms
-
A5/2, the weaker of the two voice-encryption algorithms
-
A8, the voice-privacy key-generation algorithm
Schneier says,
"These algorithms were developed in secret, and were never published.
Marc Briceno (with the Smartcard Developer Association) reverse-engineered
the algorithms, and then Ian Goldberg and David Wagner at U.C. Berkeley
cryptanalyzed them.
Most GSM providers use an algorithm called COMP128 for both A3 and A8.
This algorithm is cryptographically weak, and it is not difficult to break
the algorithm and clone GSM digital phones.
The attack takes just 2^19 queries to the GSM smart-card chip, which takes
roughly 8 hours over the air. This attack can be performed on as many
simultaneous phones in radio range as your rogue base station has channels."
Summarizing now, the breaks and the publishing dates are:
-
A3 and A8 — Can always be broken in 8 hours over
the air (as above). All A8 implementations tested did not produce a
full-strength key; they used a weakened form! (April 1998)
-
A5/2 — Can be broken in real-time without
any trouble. (August 1999)
http://cryptome.org/gsm-crack-bbk.pdf
-
A5/1 — Given the first two minutes of the
conversation, one PC with 128 MB of RAM and two 73 GB hard drives
can find the A5/1 key in about one second. (May 1999)
Then
in Feb 2008 Schneier again commented on
A5/1 cryptanalysis.
There had been quite a bit of coverage of announcements of
further A5/1 cryptanalysis and practical systems to break GSM keys.
This 2008 attack is completely passive, requires about US$ 1000 in hardware,
and breaks the key in about 30 minutes:
-
The industry (predictably) claimed this was all impossible,
as it required unavailable hardware.
Yeah, right.
Well under US$ 10,000 should provide a high-quality intercept station.
For details of the analysis:
And for a project to design and build
a relatively inexpensive (US$ 700) GSM receiver and crack A5/1:
http://wiki.thc.org/gsm/
-
Further GSM security and insecurity references:
-
August 2009 saw further reports on making A5/1 cracking more practical
and less academic:
-
December 2009 brought further A5/1 cracking results:
-
An article from late December 2009
reported that a complete GSM intercept station could now be built
for about $4000, and it can handle the random channel hopping.
A 2TB
Rainbow Table
is used to rapidly find the encryption key.
A low-end intercept station could be built around a PC with a
medium-end graphics card, at least 2TB of disk storage, and two
GNURadio USRP2 computer-controlled receivers.
A few minutes of conversation will be required to gather enough
information.
More elaborate and expensive systems using FPGA devices could
break the encryption "almost instantaneously".
-
Yes, the much stronger A5/3 algorithm is available.
But it is almost completely unused!
At the end of 2009, only one network operator seemed to be using it.
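To make concrete what the rainbow-table attacks above are exploiting, here is an added Python implementation of A5/1 (not code from the original page), following the register description published after the 1999 reverse engineering: three short LFSRs with majority-rule clocking, 64 bits of internal state, and a keystream XORed into each 114-bit burst. The session key, frame number and burst contents are constructed for the example; the 8-bit brute force at the end is a toy stand-in for the time-memory trade-off tables, which do the same job against the full 64-bit state.

```python
R1_LEN, R2_LEN, R3_LEN = 19, 22, 23                       # register lengths
R1_TAPS, R2_TAPS, R3_TAPS = (13, 16, 17, 18), (20, 21), (7, 20, 21, 22)
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10                          # majority-clocking bits


class A51:
    """A5/1 as published after the 1999 reverse engineering: three LFSRs with
    majority-rule irregular clocking, 64 bits of internal state in total."""

    def __init__(self, kc, frame):
        """kc: 8-byte session key; frame: 22-bit TDMA frame number."""
        self.r = [0, 0, 0]
        for i in range(64):                  # key bits, LSB of each byte first
            self._clock_all((kc[i // 8] >> (i % 8)) & 1)
        for i in range(22):                  # then the frame number bits
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                 # 100 irregular clocks, output discarded
            self._clock_majority()

    @staticmethod
    def _step(reg, length, taps, inbit):
        fb = inbit
        for t in taps:
            fb ^= (reg >> t) & 1
        return ((reg << 1) | fb) & ((1 << length) - 1)

    def _clock_all(self, inbit=0):
        self.r[0] = self._step(self.r[0], R1_LEN, R1_TAPS, inbit)
        self.r[1] = self._step(self.r[1], R2_LEN, R2_TAPS, inbit)
        self.r[2] = self._step(self.r[2], R3_LEN, R3_TAPS, inbit)

    def _clock_majority(self):
        c = ((self.r[0] >> R1_CLK) & 1, (self.r[1] >> R2_CLK) & 1, (self.r[2] >> R3_CLK) & 1)
        maj = 1 if sum(c) >= 2 else 0
        if c[0] == maj:
            self.r[0] = self._step(self.r[0], R1_LEN, R1_TAPS, 0)
        if c[1] == maj:
            self.r[1] = self._step(self.r[1], R2_LEN, R2_TAPS, 0)
        if c[2] == maj:
            self.r[2] = self._step(self.r[2], R3_LEN, R3_TAPS, 0)

    def keystream(self, nbits):
        """Output bit = XOR of the three registers' high bits after each majority clock."""
        out = []
        for _ in range(nbits):
            self._clock_majority()
            out.append(((self.r[0] >> (R1_LEN - 1)) ^ (self.r[1] >> (R2_LEN - 1))
                        ^ (self.r[2] >> (R3_LEN - 1))) & 1)
        return out


def burst_keystream(kc, frame):
    """Keystream for one burst: the first 114 output bits (the next 114 go the other way)."""
    return A51(kc, frame).keystream(114)


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def recover_keystream(ciphertext_bits, known_plaintext_bits):
    """One XOR turns known plaintext (GSM signalling has plenty of predictable
    content) into raw keystream, the input the key-recovery tables are indexed by."""
    return xor_bits(ciphertext_bits, known_plaintext_bits)


def brute_force_last_byte(kc_prefix, frame, keystream_bits):
    """Toy key search over the last 8 key bits only (256 trials). The real attacks
    face 2^64 states, which is why they precompute tables instead of enumerating."""
    for b in range(256):
        candidate = bytes(kc_prefix) + bytes([b])
        if burst_keystream(candidate, frame) == keystream_bits:
            return candidate
    return None


if __name__ == "__main__":
    kc = bytes.fromhex("0f1e2d3c4b5a6978")                 # constructed key for the demo
    frame = 0x134
    plaintext = [1 if i % 3 == 0 else 0 for i in range(114)]   # constructed burst content
    ks = burst_keystream(kc, frame)
    ct = xor_bits(plaintext, ks)
    assert recover_keystream(ct, plaintext) == ks
    print("recovered key:", brute_force_last_byte(kc[:7], frame, ks).hex())
```

The point of the two helper functions is the shape of the attack rather than the cipher itself: a few bursts of known plaintext hand the attacker raw keystream, and from keystream the only thing protecting the key is the size of the state space, which for A5/1 is small enough to tabulate on a couple of terabytes of disk.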
-
If you want voice COMSEC on the cheap, check out
PGPfone
—
you use your
computer's audio interface and PGP software to encrypt and decrypt a
pair of audio streams.
-
If you are more interested in GSM jamming and otherwise denying service
with decoy GSM cells:
-
From an article about the common use of cell phones by prisoners
despite its illegality, in
Urgent Communications,
a trade magazine for public-service and emergency radio communications
("Arresting Developments", August 2010, pp 42-47):
-
South Carolina's prison system found 3,024 cell phones
among its population of 24,000 inmates, a 1:8 ratio,
in the 2009 fiscal year.
-
A Texas correctional facility was found to have 239 cell
phones in use in one 400-inmate wing.
-
CellAntenna
makes cellular systems: in-building repeaters, signal boosters,
antennas, etc.
CJam Cellular Jamming Technology
seems to be CellAntenna under another name,
and they openly market cell phone jamming systems.
-
Security Intelligence Technologies
builds and sells GSM jammers.
-
Bomb Jammer
builds and sells GSM jammers,
including their "VIP 200 Bomb Jammer".
Many of these companies market their products as jammers just for
the control links for improvised explosive devices (IEDs).
-
Netline Communications Technologies,
of Israel, sells a system called CellTrack.
It has multiple covert devices that can detect a variety of
GSM/cellular standards simultaneously,
tied into a central computer doing the overall analysis.
-
Armed Forces International
provides information on vendors of a range of military-related
products.
DNS (Domain Name System) Security Issues
DNS should work as follows:
-
The human user types www.cromwell-intl.com
into a browser.
The browser recognizes that this is not an IP address,
and it makes a library call to the resolver.
That creates a DNS query packet asking for an A
record for the fully-qualified domain name (FQDN).
This is a relatively simple UDP datagram.
-
That DNS query is sent to the client's nameserver.
If you are reading this at home, that means the
DNS server specified by your ISP when your system
used DHCP to get its IP configuration.
If you are at work, then it would be your
corporate DNS server.
Either way, that DNS server is willing to do the recursive work
and answer the question
because this client is one of the clients it is configured to serve.
-
That nameserver (labeled "ISP nameserver" below)
doesn't know the answer, and it doesn't yet know who to ask.
It starts from the root nameservers, whose IP addresses are
built into the DNS server software.
The root servers are not authoritative for .com,
but they refer the resolver to the .com servers, which are
(that root referral is omitted from the diagram below).
The resolver then asks a server authoritative for the entire
.com domain, "Where is the nameserver
for the cromwell-intl.com domain?",
asking for an NS record.
-
The .com server answers the direct question
and also passes along the answer to the obvious
next question, "What are their IP addresses?".
As it turns out, there are two.
One question was asked, there were two answers and
two additional pieces of useful information.
-
Your nameserver now picks one of those servers
and asks the original question,
"What is the IP address for www.cromwell-intl.com?".
-
That nameserver responds that
www.cromwell-intl.com
is really an alias.
The canonical name is cromwell-intl.com
and its IP address is 75.146.106.233.
This information should be good for a while,
feel free to cache it for 3,600 seconds.
-
Your ISP returns that information to your client,
which receives it and passes the information along
to the browser application.
It makes a connection to TCP port 80 on that
IP address, and this page loads.
-
Meanwhile your nameserver is caching that information
in case some client asks the question within the
Time To Live value.
Below you see those numbered steps as ASCII art:
[1,2] client -----------------------> ISP nameserver
DNS query:
www.cromwell-intl.com A record
[3] ISP nameserver --------------------> .com name server
DNS query:
cromwell-intl.com NS
[4] ISP nameserver <-------------------- .com name server
DNS answer:
cromwell-intl.com NS = ns31.domaincontrol.com
cromwell-intl.com NS = ns32.domaincontrol.com
Additional resource record:
ns31.domaincontrol.com A = 216.69.185.16
ns32.domaincontrol.com A = 208.109.255.16
[5] ISP nameserver --------------------------------> ns31.domaincontrol.com
DNS query:
www.cromwell-intl.com A
[6] ISP nameserver <-------------------------------- ns31.domaincontrol.com
DNS answer:
www.cromwell-intl.com CNAME = cromwell-intl.com
Additional resource record:
cromwell-intl.com A = 75.146.106.233
TTL = 3600 seconds
[7,8] client <----------------------- ISP nameserver <---> cache
DNS answer:
www.cromwell-intl.com CNAME = cromwell-intl.com
Additional resource record:
cromwell-intl.com A = 75.146.106.233
TTL = 3600 seconds
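The exchange above at the byte level, as an added Python example (not code from the original page): it builds the query a resolver sends in step [5] and parses a reply of the shape shown in step [6]. The reply bytes are constructed here to match the diagram, and the Query ID 0x1234 is arbitrary. The same builder produces the CH-class TXT query for version.bind that appears later on this page, since only the class and type fields differ.

```python
import random
import struct

# Type and class codes used on this page (values from RFC 1035).
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "TXT": 16}
QCLASS = {"IN": 1, "CH": 3}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'www.cromwell-intl.com' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", qclass="IN", qid=None, rd=True):
    """One-question query datagram. A stub client sets RD (recursion desired);
    a resolver asking an authoritative server, as in step [5], clears it."""
    if qid is None:
        qid = random.getrandbits(16)  # the 16-bit Query ID; its predictability matters
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared in the record)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2                # resume here after the jump
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                        # pointer loops are a classic parser DoS
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg):
    """Header, question and the three record sections as plain tuples
    (name, type, ttl, rdata), the same shape as the page's diagrams."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAME.get(qtype, qtype), qclass))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = msg[offset:offset + rdlen]
            if rtype in (QTYPE["CNAME"], QTYPE["NS"], QTYPE["PTR"]):
                rdata, _ = decode_name(msg, offset)
            elif rtype == QTYPE["A"] and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            offset += rdlen
            sections[section].append((name, TYPE_NAME.get(rtype, rtype), ttl, rdata))
    return {"id": qid, "flags": flags, "questions": questions, **sections}


def build_rr(name, rtype, ttl, rdata):
    """Encode one IN-class resource record (used to construct the sample reply)."""
    if rtype in ("CNAME", "NS", "PTR"):
        payload = encode_name(rdata)
    elif rtype == "A":
        payload = bytes(int(octet) for octet in rdata.split("."))
    else:
        payload = rdata
    return encode_name(name) + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(payload)) + payload


def sample_step6_reply(qid):
    """Constructed reply in the shape of step [6]: QR and AA flags set, the CNAME
    as the answer and the canonical name's A record as additional data, TTL 3600."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 1)
    question = encode_name("www.cromwell-intl.com") + struct.pack("!HH", 1, 1)
    answer = build_rr("www.cromwell-intl.com", "CNAME", 3600, "cromwell-intl.com")
    extra = build_rr("cromwell-intl.com", "A", 3600, "75.146.106.233")
    return header + question + answer + extra


if __name__ == "__main__":
    query = build_query("www.cromwell-intl.com", qid=0x1234, rd=False)   # step [5]
    reply = parse_message(sample_step6_reply(0x1234))                    # step [6]
    print(reply["answer"], reply["additional"])
    # The version.bind reconnaissance query differs only in class and type.
    print(build_query("version.bind", "TXT", "CH").hex())
```

The second header word carries the flags: 0x0100 is RD set on a client's query, 0x8400 is QR plus AA on an authoritative answer. The hop limit in decode_name is not decoration; a reply whose compression pointer points back at itself would otherwise spin a naive parser forever, and a resolver is exactly the kind of process that parses untrusted datagrams all day.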
What the attacker wants to do:
The attacker wants to fool many people into looking at the
wrong web site.
They build a bogus web site on some server.
It looks like something people would trust, for example,
a clone of the citibank.com web site.
Of course, it is just going to steal information if
anyone visits it and believes it's really Citibank!
They will then try to fool as many DNS servers as possible
into believing that the IP address for www.citibank.com
and citibank.com is whatever IP address they have
for their bogus site.
Note that they could have a digital certificate from
Verisign or whoever, completely valid for their IP address
and whatever their domain really is.
Your browser would then connect to that server via HTTPS,
and all that stands between you and the bogus site is the
warning that the certificate's name does not match
www.citibank.com, a dialog most users click through
without reading.
You would have to examine the certificate details to see
that it was issued to some organization in
Russia
instead of Citibank, and what is the probability of you
doing that every time you use a banking site?
So how do the bad guys fool the world-wide DNS infrastructure?
Problem #1 — Stateless DNS
Early versions of the BIND DNS server did not keep track
of which questions they had asked.
If they got an answer, they assumed it was relevant and put
it in the cache.
So the bad guy does this:
-
Someone must run the reverse service,
providing PTR (or "pointer") records saying,
for example, that
75.146.106.233 corresponds to
cromwell-intl.com.
Really this is done as a DNS PTR record:
233.106.146.75.in-addr.arpa IN PTR cromwell-intl.com
The bad guy takes responsibility for providing
this service for
his small block of IP addresses.
Let's say he's at 89.122.224.52.
That IP address belongs to a Romanian ISP from which
I see a bunch of probes.
Our hypothetical attacker has a DNS server responsible for
at least this part of the reverse space under
in-addr.arpa:
52.224.122.89.in-addr.arpa IN PTR hackerpc.romtelecom.ro
or something like that....
-
The bad guy does some surveillance
to find name servers running old and vulnerable
nameserver software:
-
Find the IP addresses for a bunch of
Internet Service providers.
-
For each of those IP addresses, run this
command:
$ dig @IP version.bind chaos txt
That should just fail, but sloppily
configured servers will answer.
Some of those will report old versions,
effectively announcing, "I am vulnerable!"
-
For each vulnerable DNS server,
each one of which represents an entire domain or
organization about to be misled,
the bad guy intentionally attempts
a connection that will fail.
A good example would be to
connect to TCP port 23, the TELNET service,
on the nameserver itself.
-
That target nameserver is probably going to try to
resolve the attacker's IP address back to a hostname,
meaning that
it will send a DNS query for the PTR
record to the nameserver
under the bad guy's control.
-
That nameserver responds with the requested answer:
52.224.122.89.in-addr.arpa IN PTR hackerpc.romtelecom.ro TTL=3600
However, it also sends some additional resource
records in that DNS reply packet.
These are unsolicited responses,
answers to questions that were not asked:
www.citibank.com IN A 89.122.224.52 TTL=31536000
citibank.com IN A 89.122.224.52 TTL=31536000
www.bankofamerica.com IN A 89.122.224.52 TTL=31536000
bankofamerica.com IN A 89.122.224.52 TTL=31536000
and so on, trying to inject bogus information about the
IP addresses of banking sites with a time to live
of one year.
-
Now when any client of that vulnerable nameserver
resolves any of those hostnames to an IP
address, they are given the bogus answer
corresponding to the hacker's hostile site.
This was the technology behind the September 1997
"CIA web page hack" and many more attacks
since.
This is called a cache poisoning attack.
Problem #2 — The Kaminsky DNS Vulnerability
Dan Kaminsky discovered a
very serious problem in DNS
and publicized it in the summer of 2008.
Left out of the above explanation was the detail that DNS
packets contain a field called the Query ID.
This allows a DNS server to match answers to questions,
and it allows newer DNS implementations with some sense
of state to tell if a given answer corresponds to a question
that they had asked.
The problem is that
the Query ID is reasonably easy to guess
in many DNS server implementations.
The bad guy now:
-
Builds a DNS server claiming to be authoritative
for a sensitive domain like
citibank.com.
However, it will always give the bad guy's IP address
as the answer to any address queries!
-
Surveils Internet DNS servers to find ones
probably vulnerable to this attack.
-
For each one, make some legitimate queries
to estimate the state of the Query ID field.
-
Ask a question that will require the target
server to send a query to the
citibank.com nameserver.
Ask for the IP address of a hostname
known not to exist,
"What is the IP address of
utterlybogus.citibank.com?
Since the nameserver very likely will not answer
questions for clients not within its domain,
the bad guy simply forges the source IP address
on the DNS query datagram.
It will get to the server just fine as long as the
bad guy's ISP does not do sanity checking, and the
bad guy will have selected an ISP that does not do
sanity checking in order to support this and many
other attacks.
-
Using a network of compromised PCs under his control,
the bad guy launches a blizzard of bogus DNS
responses with various Query ID values.
His hope is that one of them will be correct.
Depending on the predictability of the Query ID field
and the number of compromised hosts under his control,
this may be very likely indeed.
Each of those packets uses Authority records to
delegate further questions about the
citibank.com domain to the
bad guy's bogus server.
"I don't know the answer, but you can find the
answer by asking the nameserver
ns1.citibank.com
and its IP address is
89.122.224.52."
However, that is the bad guy's hostile DNS server.
Now every question about the citibank.com
domain will be sent to the bad guy's DNS
server — he effectively owns the
citibank.com domain as far as
that victim nameserver's domain is
concerned.
This is also a cache poisoning attack,
but it is far more powerful.
So, how do you avoid being a victim?
Your DNS server needs to be running up-to-date DNS software!
Patched DNS server software will randomize both the UDP
port used for its queries and the Query ID field itself.
Unfortunately, six or so months after Kaminsky's discovery
was announced to great fanfare, mention in newspapers and
so on,
over 25% of the DNS servers on the Internet were
found to still be running out of date and vulnerable
software!
The djbdns DNS server
by Daniel J. Bernstein has correctly randomized both the
source UDP port and Query ID since the beginning.
Many people find his
djbdns
easier to configure than the much more commonly used
BIND software from ISC.
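Both attacks as an added Python simulation (not from the original page): a toy resolver with the three checks that matter here, Query ID matching, source-port matching, and a "bailiwick" rule that caches only records the server being asked is entitled to speak for. The reverse zone 224.122.89.in-addr.arpa and the probe name attacker.example are assumptions made for the example; the IP address and hostnames are the ones the page uses.

```python
import random

HOSTILE_IP = "89.122.224.52"   # the attacker address used in the page's example


def in_bailiwick(name, zone):
    """True if name is zone itself or lies under it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    """Toy recursive resolver: an outstanding-query table plus a cache.
    Records are (name, type, ttl, rdata) tuples as in the page's diagrams."""

    def __init__(self, random_ids=True, random_ports=True, bailiwick_check=True):
        self.random_ids, self.random_ports = random_ids, random_ports
        self.bailiwick_check = bailiwick_check
        self.next_id = 0x1000      # sequential Query IDs when random_ids is False
        self.pending = {}          # (qid, port) -> (qname, qtype, zone of the server asked)
        self.cache = {}            # (name, type) -> (ttl, rdata)

    def send_query(self, qname, qtype, server_zone):
        """Record an outstanding query; returns the (qid, port) a forger must match."""
        if self.random_ids:
            qid = random.getrandbits(16)
        else:
            self.next_id = (self.next_id + 1) & 0xFFFF
            qid = self.next_id
        port = random.randint(1024, 65535) if self.random_ports else 53
        self.pending[(qid, port)] = (qname, qtype, server_zone)
        return qid, port

    def receive(self, qid, port, records):
        """Accept a reply only if it matches an outstanding query; cache only the
        records the server asked is entitled to speak for (its bailiwick)."""
        if (qid, port) not in self.pending:
            return False                       # unsolicited or wrongly guessed: dropped
        qname, qtype, server_zone = self.pending.pop((qid, port))
        for name, rtype, ttl, rdata in records:
            if self.bailiwick_check and not in_bailiwick(name, server_zone):
                continue                       # Problem #1 defense
            self.cache[(name, rtype)] = (ttl, rdata)
        return True


def poison_with_additional_records(resolver):
    """Problem #1: the victim resolves the attacker's PTR record and the attacker's
    own nameserver answers, so the Query ID matches. The reply smuggles A records
    for banking sites as 'additional' data. Returns what got cached for www.citibank.com."""
    qid, port = resolver.send_query("52.224.122.89.in-addr.arpa", "PTR",
                                    "224.122.89.in-addr.arpa")
    reply = [("52.224.122.89.in-addr.arpa", "PTR", 3600, "hackerpc.romtelecom.ro"),
             ("www.citibank.com", "A", 31536000, HOSTILE_IP),
             ("citibank.com", "A", 31536000, HOSTILE_IP)]
    resolver.receive(qid, port, reply)
    return resolver.cache.get(("www.citibank.com", "A"))


def kaminsky_race(resolver, forged_packets, known_id=None):
    """Problem #2: the victim is made to look up a bogus name under citibank.com and
    the attacker races the real answer with forged replies whose authority data
    delegates the whole zone to ns1.citibank.com at HOSTILE_IP. Those records are
    inside citibank.com's bailiwick, so only the (qid, port) check can stop them.
    known_id is the last ID the attacker observed from a sequential resolver."""
    qid, port = resolver.send_query("utterlybogus.citibank.com", "A", "citibank.com")
    forged = [("citibank.com", "NS", 31536000, "ns1.citibank.com"),
              ("ns1.citibank.com", "A", 31536000, HOSTILE_IP)]
    for _ in range(forged_packets):
        guess_id = (known_id + 1) & 0xFFFF if known_id is not None else random.getrandbits(16)
        guess_port = random.randint(1024, 65535) if resolver.random_ports else 53
        if resolver.receive(guess_id, guess_port, forged):
            return True
    resolver.pending.pop((qid, port), None)   # the genuine answer arrives; race over
    return False


def spoof_success_probability(forged_packets, id_bits=16, port_bits=0):
    """Chance that at least one of N forged replies hits the outstanding (id, port),
    for values the attacker cannot observe and must guess uniformly."""
    space = 2 ** (id_bits + port_bits)
    return 1 - (1 - 1 / space) ** forged_packets


def expected_races(forged_packets, id_bits=16, port_bits=0):
    """Expected races until poisoning. Kaminsky's insight: each race uses a fresh
    bogus name, so a lost race caches nothing that would block the next try."""
    return 1 / spoof_success_probability(forged_packets, id_bits, port_bits)


if __name__ == "__main__":
    old = Resolver(random_ids=False, random_ports=False, bailiwick_check=False)
    print("old resolver caches:", poison_with_additional_records(old))
    print("patched resolver caches:", poison_with_additional_records(Resolver()))
    seq = Resolver(random_ids=False, random_ports=False)
    seen_id, seen_port = seq.send_query("probe.attacker.example", "A", "attacker.example")
    seq.receive(seen_id, seen_port, [])          # attacker's server just learned the ID
    print("sequential IDs poisoned:", kaminsky_race(seq, 1, known_id=seen_id))
    print("random ID + port, 1000 forgeries:", kaminsky_race(Resolver(), 1000))
    print("races needed, 100 packets each: id only %.0f, id+port %.0f"
          % (expected_races(100), expected_races(100, port_bits=16)))
```

Two things the simulation makes visible. The bailiwick rule defeats Problem #1 even though the attacker's reply is a perfectly well-matched answer to the PTR query, because the banking records lie outside the reverse zone that server was asked about. It does nothing against Problem #2, since the forged delegation records are inside citibank.com; there the only defense is the size of the (Query ID, port) space the attacker must guess, and expected_races shows why 16 bits of ID alone means a few hundred races of 100 packets each while a random source port on top of it pushes that into the tens of millions.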
Incidents and Anecdotes
-
"Security through obscurity" has been known to be ineffectual
for well over a century.
Auguste Kerckhoffs (1835-1903) stated
that the security of a cryptosystem must not depend on
keeping its algorithm secret.
See his article "La cryptographie militaire",
in Journal des sciences militaires,
vol IX, pp 5-38, Jan 1883.
-
U.S. Government fear-mongering about
electrical power grid hacking:
-
The U.S. Department of Homeland Security
released a very contrived video
in
September 2007
showing catastrophic failure of an
electrical power generator.
This got notoriety as the "Aurora Generator
Test", conducted in March 2007.
But it was largely interpreted as little more
than an intentional scare story by DHS.
-
Then "CIA senior analyst Tom Donahue"
seems to have gone on a
one-man fright crusade:
-
"A CIA analyst told attendees at a SANS
Institute conference that hackers
infiltrated an overseas power grid
to knock out power.
Senior analyst Tom Donahue did not say
which cities were affected, or for how
long power was cut. The warning came
in the wake of a U.S. Department of
Homeland Security video demonstrating
a hacker taking over a power grid."
SC Magazine, March 2008, pg 14
-
"We have information, from multiple
regions outside the United States, of
cyber intrusions into utilities,
followed by extortion demands,"
Donahue said at the SCADA 2008 Control
System Security Summit in New Orleans
[16 Jan 2008].
"We suspect, but cannot confirm,
that some of these attackers
had the benefit of inside
knowledge," he said. "We have
information that cyberattacks
have been used to disrupt power
equipment in several regions
outside the United States. In
at least one case, the disruption
caused a power outage affecting
multiple cities. We do not know
who executed these attacks or
why, but all involved intrusions
through the Internet."
http://www.govexec.com/dailyfed/0108/011808j1.htm, 18 Jan 2008
-
June 2008 —
"Last month the National Journal cited two
computer security professionals, who in
turn cited unnamed U.S. intelligence
officials, in reporting that China's
People's Liberation Army may have
cracked the computers controlling the
U.S. power grid to trigger the cascading
blackout that cut off electricity to
50 million people in eight states and a
Canadian province
[in August, 2003]"
But cyber security consultant Paul Kurtz,
who worked at the White House at the time of
the blackout, said there's no truth to the
claim, and many others have backed him up.
-
April 2009 —
This same story appeared, again,
in the Wall Street Journal this time
(4 April 2009, article by Siobhan Gorman).
The article is based on anonymous sources and
"former national-security officials".
It goes on to re-hash "CIA senior analyst
Tom Donahue",
making this just yet another cycle of the
same old scare story.
-
April 15, 2009 —
Time magazine observes that
there have been no instances of
cyberattacks taking down
national power grids.
-
It has been observed that these scary
stories are suspiciously correlated with
US Government announcements of the need
for increased surveillance.
http://blog.wired.com/defense/2008/01/hackers-take-do.html
See the following section about attacks
on infrastructure
for things that really did happen.
-
Russian Business Network (RBN)
cyber-crime organization:
-
A 13 Oct 2007 Washington Post
article
"Shadowy Russian Firm Seen as Conduit for
Cybercrime"
reported,
"An Internet business based in
Saint Petersburg has become a world
hub for Web sites devoted to child
pornography, spamming and identity
theft, according to computer
security experts.
They say Russian authorities have
provided little help in efforts to
shut down the company.
The Russian Business Network
sells Web site hosting to people
engaged in criminal activity, the
security experts say.
Groups operating through the company's
computers are thought to be responsible
for about half of last year's
incidents of 'phishing'."
VeriSign said that the Rock Group phishers
used RBN to steal about US$ 150 million over
the preceding year.
Symantec said that RBN was
"responsible for hosting Web sites that
carry out a major portion of the
world's cybercrime and profiteering."
RBN does not have its own web site, you must
contact its operators via instant-messaging or
obscure Russian-language online forums.
You must also prove that you are not a law
enforcement investigator by demonstrating
active involvement in theft of consumers'
financial and personal data.
-
Russky Newsweek described
"the world of Russian hackers" in
December 2009.
It mentions the apparent connections between RBN and
international conflict on the Internet
between Russia and Estonia and Georgia,
attacks against Citigroup, and massive identity
theft and spamming.
But it's still uncertain if RBN was really one
vast criminal organization or if it was a
host to multiple Internet-based gangs.
Interesting anecdotes in that article include:
-
"Aleksandr Gostev, director of
Kaspersky Labs, a global
research and threat analysis
center, believes that RBN's
servers are located in Panama."
-
"According to one study, the
network comprised 406 addresses
and 2090 domain names by the
end of 2007."
-
"The original RBN was behind the
cyberattack on Estonia, Paget
says, and, according to a study
by the U.S. Cyber Consequences
Unit (US-CCU), one of its
successors was behind the
virtual assault on Georgia."
-
"One of RBN's most prosperous
businesses is Internet
pharmacies, with the
international organization
Spamhaus naming Canadian
Pharmacy as the main propagator
of criminal cyberschemes."
The bootleg medications are produced in
India, and several dozen virtual
pharmacies make sales mostly to the U.S.
-
"According to Dmitry Golubov, who
describes himself as the leader
of the Internet Party of
Ukraine, a group of 20 to 25
people account for 70 percent
of the world's spam. 'A
database of active e-mails
costs money,' says Golubov.
'For example, a million
addresses of purchasers of
access to porn resources costs
$25,000 to $30,000.'"
-
U.S. military use of commercial telecommunication links:
-
Early 1990s —
"About 20% of satcom support for Operation Desert Storm
came from commercial [satellite] fleets."
AWST 19 Nov 2007 pp 52-53.
-
1995-1996 —
95% of military communication at least touches the
public switched networks.
DOD is primarily reactive with no uniform policy for assessing risks,
protecting systems, responding to incidents, or assessing damage.
Military and Aerospace Electronics, January 1997, pg 17;
AWST, 13 Jul 1998, pp 67-70
(quoting Maj. Gen. John Casciano, USAF director of intelligence);
Lt Gen Kenneth A Minihan,
"Intelligence and Information System Security",
Defense Intelligence Journal,
vol 5 n 1 (Spring 1996), pg 20.
-
2007 —
"Now about 80% of all satellite communications in Iraq and
Afghanistan come from commercial spacecraft, which may in
some cases simultaneously provide services to friendly forces,
as well as adversaries."
AWST 19 Nov 2007 pp 52-53.
-
2008 —
"Roughly 85% of [U.S.] military satellite communications are
processed by commercial entities,
but those services are purchased in an ad hoc fashion."
AWST Oct 13, 2008, pg 34.
-
A 19 Nov 2007 AWST article (pp 52-53)
described the USAF 16th Space Control Squadron (SPCS),
dedicated to "defensive counterspace"
and detecting and locating jamming to satellite links.
It says that the 16th SPCS, based at Peterson AFB in Colorado,
operates the new Rapid Attack Identification Reporting System (Raidrs),
alerting its operators of interference to satellite communications
links at UHF and the microwave C, Ku and X bands.
It's designed and manufactured by Integral Systems of Lanham, Maryland.
Each Raidrs site includes up to six 2.4-meter dish antennas
to monitor signals, and a 3.7-meter antenna connected to a Blackbird
system, said to operate like a spectrum analyzer.
Two more 4.5-meter antennas are said to locate the distant ground-based
jamming or interference source.
The article made it sound as if the location is done by
precise measurement of uplink signals
reflected from the satellite bodies of the intended relay satellite
and another satellite in a nearby orbit — an
impressive achievement if correct.
-
USB storage devices and issues for the military
-
"Colombia's struggling guerrilla movement appears to have suffered
yet another defeat because of technology.
The names of more than 9,000 rebels have fallen into
government hands.
Two government officials said this week [26 Sep 2008]
that soldiers raiding a rebel camp in February [2008]
found a memory stick that held the names, aliases and
identity numbers of 9,387 rebels —
and even included the photos of some of them."
The group was FARC, the Revolutionary Armed Forces of Colombia.
New York Times
26 Sep 2008, pg A8.
-
USB storage devices have been stolen from U.S. military bases
in Afghanistan
by local cleaning staff and sold in the local bazaars:
-
Attacks against infrastructure, many mentioned in
the article found here.
Meanwhile, do not be frightened by
apparently weak claims of hacker attacks on the U.S. power network,
debunked elsewhere on this page.
-
1999 — Malicious hackers took control of a Gazprom gas pipeline
in Russia for around 24 hours.
-
2000 — A disgruntled ex-employee accessed the industrial
control systems of a sewage treatment plant in Maroochy Shire,
Queensland, Australia, and released at least a million liters
of raw sewage into a river and onto the grounds of a hotel.
From
that article:
"Located in a tourist area on the east coast,
the sewage system has 142 pumping stations connected
by radio to monitoring computers.
The troubles began when the installation company,
Hunter Watertech, finished installing the control system
in December 1999 and the site supervisor for HWT,
Vitek Boden, resigned 'under circumstances that are
not exactly explained'.
He applied to MSC for a position, but was rejected.
The following month, January 2000, strange things started
to happen.
Pumps were not running when needed, alarms were not being
reported to the control centre, and there was a loss of
communications between the control centre and
the pumping stations.
[....]
The evidence began to point to outside agents interfering
with the system.
With data logging this became more apparent when
engineers noticed a spoofed pump station ID.
The system was receiving signals from a pumping station ID
that wasn't where it should have been — and
it wasn't sending the right sort of signals.
After inspecting one particular pump station site and
re-coding its ID, it became clear that they were
receiving signals coming in from a station that didn't exist.
Radio monitoring was also starting to detect these
transmissions.
After nearly two months of baffling problems, on 16 March
they began to get some hard evidence of what was going on.
They spotted radio transmissions controlling various
pump stations from the fake ID.
[....]
By this time, in the middle of March, a lot of faults were
occurring and it was obvious that the hacker wasn't
just playing around with the control system.
There were sewage leaks, caused by overflowing tanks when
pumps were turned off.
The golf course next to the Hyatt Hotel was flooded with
a million litres of sewage.
A major overflow into a residential area and tidal canal
polluted an estuary; in the surrounding area on Australia's
Sunshine Coast, creeks turned black and cost the government
Au$100,000 to set up an environmental monitoring programme."
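The symptoms the engineers noticed above (a station ID not in the inventory, a known ID heard over the wrong radio path, and a field station issuing control traffic rather than status reports) are the kind of thing a telemetry log check can flag automatically. The following is an added example, not code from the article or from the Maroochy utility; the station inventory, repeater names, message format and log lines are all constructed for illustration.

```python
# Added example: flag the Maroochy-style symptoms in SCADA radio telemetry logs.
# Inventory, repeater names and the "key=value" line format are assumptions.

# Constructed inventory: station ID -> the radio repeater it should be heard on.
KNOWN_STATIONS = {"PS007": "R1", "PS011": "R1", "PS042": "R2"}

# Message kinds a field pump station may legitimately originate.
# Anything else (for example a pump command) should only come from the control centre.
STATUS_KINDS = {"STATUS", "ALARM"}

# Constructed telemetry lines as the control centre might log them.
TELEMETRY = [
    "seq=1 station=PS007 via=R1 kind=STATUS",
    "seq=2 station=PS011 via=R1 kind=ALARM",
    "seq=3 station=PS011 via=R3 kind=STATUS",    # known ID, unexpected radio path
    "seq=4 station=PS099 via=R3 kind=PUMP_OFF",  # ID not in inventory, sending a command
    "seq=5 station=PS042 via=R2 kind=STATUS",
]


def parse(line):
    """Turn 'seq=1 station=PS007 via=R1 kind=STATUS' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def check(lines):
    """Return (seq, station, reason) tuples for every suspicious record."""
    findings = []
    for line in lines:
        rec = parse(line)
        sid, via, kind = rec["station"], rec["via"], rec["kind"]
        if sid not in KNOWN_STATIONS:
            # "signals coming in from a station that didn't exist"
            findings.append((rec["seq"], sid, "unknown station id"))
        elif via != KNOWN_STATIONS[sid]:
            # "a pumping station ID that wasn't where it should have been"
            findings.append((rec["seq"], sid, f"heard on {via}, expected {KNOWN_STATIONS[sid]}"))
        if kind not in STATUS_KINDS:
            # "it wasn't sending the right sort of signals"
            findings.append((rec["seq"], sid, f"field station sent {kind}"))
    return findings


if __name__ == "__main__":
    for seq, sid, reason in check(TELEMETRY):
        print(f"seq {seq}: station {sid}: {reason}")
```

Inspecting and re-coding a suspect site, as the engineers did, is what turns the second finding into the first: once the legitimate station's ID changes, the rogue transmitter is left claiming an ID that no longer exists in the inventory.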
-
2003 —
The "Slammer" worm disabled a safety monitoring system at
Davis-Besse nuclear power plant in Ohio, USA.
Of course, this was not the original intent of the attack.
-
2007 —
A former employee for a federally-owned canal system in California
was charged with installing software that damaged
a computer used to divert water out of a local river,
as described in The Register (UK).
The Tehama Colusa Canal Authority
operates two canals that move water out of the Sacramento River
for use in irrigation and agriculture in Northern California.
The perpetrator worked for the TCCA for more
than 17 years before being fired on August 15, the date he is alleged
to have installed the unauthorized software.
-
2007 — Lonnie Charles Denison was a SAIC contractor working as
a UNIX systems administrator at the California Independent System
Operator's data center controlling California's power grid.
He had a dispute with his boss at SAIC and learned on 15 April that
he had lost computer access privileges.
Minutes later he broke a glass cover and hit the emergency
power "off" button, shutting down the facility.
This cut California off from the wholesale electricity market
(although it did not cut off power to the state!).
Allegedly he e-mailed a bomb threat the next day to a California ISO
employee.
In December he pled guilty, and faced up to five years in prison
and $250,000 in fines.
The Register,
20 Apr 2007;
Computerworld, 1 Jan 2008, pg 6;
PC World
and several other sources.
-
A good article about
"The Great Firewall of China", the national firewall in
People's Republic of China
from The Atlantic Monthly —
http://www.theatlantic.com/doc/200803/chinese-firewall
-
In May 1998 an internal review of DOE facilities found serious security
problems (classified info on open systems, ftp write
permission, readable password files, etc) on 1,400 of 64,000 systems.
Los Alamos had detected 15 security breaches in the preceding 6 months.
Brock Meeks, MSNBC, 29 May 1998, Stark Abstracting.
-
Hardware cryptographic attacks — The Electronic Frontier Foundation
developed and built a dedicated platform in 1998
for under US$ 250,000 that
breaks DES-encrypted messages in 72 hours, an order of magnitude faster
than the most recent distributed network attack.
Much of the cost was design and development — the next one with the
same performance would cost $50,000 or less.
Speed to break DES on this architecture drops linearly with dollars spent
on hardware, so forget all the U.S. government claims about hardware
solutions being impossible.
Also remember that this is cost for today's hardware,
and cost per performance falls fast over time.
Click here for the EFF article.
-
Cyberstalking —
Further proof that IRC and "chat rooms" are worse than useless.
Government Warnings and Reactions
Further Reading
-
Here is an excellent paper on not overlooking the non-technical
details when doing network threat analysis:
http://www.itoc.usma.edu/Workshop/2001/Authors/Submitted_Abstracts/paperT2C2(32).pdf
-
Here is a nice archive of security white papers on many topics:
http://www.securitydocs.com/
-
For current research and development, see Purdue's CERIAS group:
http://www.cerias.purdue.edu/
-
The classic Unix security paper is in
AT&T Bell Labs Technical Journal, October 1984.
-
See
the Trusted Product Evaluation Program frequently-asked-question list
on computer security
-
Disaster recovery is a whole field in itself.
Check out the Disaster Recovery Journal at
http://www.drj.com.
For a light introduction,
IEEE Spectrum, December 1996, pg 49.
-
A very scholarly treatment of Internet congestion models is in
Science, vol 277, 25 July 1997, pp 477, 535-537.
-
For far more reading, check the hotlist at Purdue's CERIAS project:
http://www.cerias.purdue.edu/tools_and_resources/hotlist/
-
Keep looking — here are some more WWW sites to check out.