General Information
Modified 21 June 2008
If your experience is at all like mine, you will find that you need to
both educate and convince people — from the "on-the-front-lines" users
to management.
Here's some help.
-
AWST = Aviation Week and Space Technology
-
WSJ = Wall Street Journal
-
DOD = U.S. Department of Defense
Big-Money Losses
-
Price Waterhouse Coopers estimated that "computer hackers costs
businesses 45 billion dollars" in 1999.
-
A London banking organization paid millions of pounds to stop a two-year
series of attacks mixing logic bombs with electromagnetic pulse weapons:
London Sunday Times, 2 June 1996, pg 1; 9 June 1996, pg 1.
Also,
http://www.infowar.com
discusses these events.
Note that this is now widely thought to be overly hyped,
if not a complete fabrication.
Self-proclaimed "infowar" specialists carry on endlessly about
possibly mythical HERF guns and EMP devices.
Caveat emptor!
Thorough HERF-gun-debunking is found at:
-
Satellite losses
-
A $200,000,000 Telstar satellite (and thus all its comm links) was
taken out by an unexpected solar flare on 11 January 1997.
I was teaching a course that week, and many students complained the
next day that SpectraVision no longer worked in their rooms....
Science, 31 January 1997, pg 623,
and Science News, 1 February 1997, pg 68.
-
Similarly, Galaxy IV failed in May 1998 and took out over 80% of North
American pagers.
-
Galaxy VII failed 13 June 1998, dropped several hours of several
cable TV networks.
Some other satellite failed 4 July 1998,
dropping several hours of DirecTV.
In both cases, a control processor failed, but they eventually
could switch to a backup processor.
WSJ, 9 Jul 1998, Reuters.
-
Former CIA analyst comments on vulnerability of civilian satellites (1995):
http://www.fas.org/spp/eprint/civilsat.htm
and GAO report (2002):
http://www.fas.org/spp/eprint/civilsat.htm
-
Corporate computer crime costs the Australian economy A$ 18 billion
per year.
Australian Business News, 5 August 1996.
- Chinese and Bulgarian factories,
in concert with companies
in countries that are close allies and trading partners of the U.S.,
steal software and pirate it as fast as the CD-ROM presses will run.
See New York Times, 3 June 1996, pg D1,
and CBS News, 28 May 1997.
In Tallinn, Estonia, take bus #92 out to the big market at Kadaka Torg,
where any CD-ROM is 250 Estonian Kroon, about US$ 20.
They had Office '97 in October of 1996.
In Sankt Peterburg, Russia, the big bootleg market is diagonal from the
rear corner of the Gostinniy Dvor shopping arcade along
Nevsky Prospekt.
In Istanbul, Turkey, go to the weekend flea market on University Square,
just outside the entrance to the Grand Bazaar.
They had Office 2000 and Windows 2000 in June, 1999.
All offer CD-ROM's intended as master disks for OEM's.
Bulgaria has made a few "show raids" on companies like Unison,
with little real effect.
The following stats were in IW Magazine,
http://www.iwmag.com, 16 July 1997, pg 8, citing the SPA:
| Country | % of SW pirated | Annual US$ value of pirated SW |
| China | 95% | $ 507,520,000 |
| Russia | 91% | $ 298,240,000 |
| Indonesia | 98% | $ 170,330,000 |
| Philippines | 92% | $ 56,740,000 |
| Rest of CIS | 96% | $ 38,490,000 |
| Pakistan | 92% | $ 16,730,000 |
| Vietnam | 98% | $ 11,410,000 |
| Kuwait | 90% | $ 10,080,000 |
| Guatemala | 90% | $ 7,460,000 |
| Oman | 96% | $ 7,350,000 |
| Bahrain | 92% | $ 4,230,000 |
| Qatar | 91% | $ 3,030,000 |
-
Digital watermarking, related to steganography
(hiding messages in data), is discussed in
Nature, 12 Dec 1996, pg 514;
AWST, 20 Oct 1997, pg 13,
and 3 Nov 1997, pg 17;
Business Week, 1 Sep 97, pg 35;
and
New York Times, 17 Feb 1999.
Playboy uses it to watermark imagery sold in electronic form, see
http://www.digimarc.com or Secure Computing, Aug 1997, pg 15.
IBM, NEC, Hitachi, Pioneer, and Sony plan to use it to prevent pirating
of entertainment data.
It's mature technology: it was used by Demaratus, a Greek, to send a
message to the Spartans in the war between the Greeks and the Persians
in 480 B.C. (see "The Histories" by Herodotus,
and "The Code Book" by Simon Singh).
Much later than that (in 1500!),
it was described by the Benedictine monk
Johannes Trithemius in Steganographia.
He described a method of hiding text in a prayer book.
The Air Force Research Lab,
http://www.if.afrl.af.mil,
wants to transfer their work on the technology to the civilian sector.
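The simplest form of the "hiding messages in data" idea above is least-significant-bit (LSB) embedding: each sample of the cover (an image pixel, an audio sample) has its lowest bit replaced by one bit of the hidden message, so no sample moves by more than 1. The following Python is an added example, not code from this page or from any of the vendors named above; the cover data, the payload and the fixed one-bit-per-sample layout are constructed for illustration. It also shows the main weakness of such a naive watermark: any lossy re-encoding that disturbs the low bits wipes it out.

```python
# Constructed cover data standing in for 8-bit image samples (not from the page).
# Parity alternates 1,0,1,0,... so the first payload bit is guaranteed to change a sample.
COVER = bytes((37 * i + 11) % 256 for i in range(256))
PAYLOAD = b"HID"   # constructed message to hide: 3 bytes = 24 cover samples needed


def lsb_capacity(cover):
    """Number of payload bytes the cover can carry at one bit per sample."""
    return len(cover) // 8


def embed_lsb(cover, payload):
    """Hide `payload` in the least significant bit of successive cover samples.
    Each sample changes by at most 1, which is why the result looks unchanged."""
    if len(payload) > lsb_capacity(cover):
        raise ValueError("payload too large for cover")
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego, nbytes):
    """Recover `nbytes` of payload from the LSBs of the first nbytes*8 samples."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for sample in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)


def max_sample_change(cover, stego):
    """Largest per-sample difference introduced by embedding (expect 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def requantize(samples):
    """Simulate lossy re-encoding by clearing the LSB of every sample.
    This destroys an LSB watermark, the main weakness of this simple scheme."""
    return bytes(s & 0xFE for s in samples)


if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    print("recovered:", extract_lsb(stego, len(PAYLOAD)))
    print("max sample change:", max_sample_change(COVER, stego))
    print("after requantize:", extract_lsb(requantize(stego), len(PAYLOAD)))
```

Commercial watermarking schemes spread the mark across many samples in a transform domain precisely so that it survives the re-encoding that breaks this toy; the point of the example is the mechanism, not robustness.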
-
Experian (ex-TRW) credit reporting agency sold people their own credit reports
on the Internet for maybe a day, before noticing that a bug caused some
reports to be sent to the wrong people.
See most any media around 16 Aug 1997....
-
For non-malicious (?) losses, see
Scientific American, July 1997, pp 82-89, for a great article,
"Taking Computers to Task" by W. W. Gibbs.
The average office worker spends 5.1 hours per week unnecessarily fiddling
with their machine — adjusting windows, changing background "wallpaper,"
or playing with their screensavers.
This doesn't even count playing games!
Boeing removed all games from their systems, fighting Microsoft's attempt
to lower U.S. productivity by bundling games into operating systems under
the silly premise of "they teach people how to use a mouse."
Sun Microsystems prohibited fancy presentations, as they found that
people quickly assemble quality technical information,
but waste lots of time trying to make slides look pretty.
U.S. Military Skepticism/Enthusiasm re "Network-Centric Warfare"
Much of this depends on just what you mean by "network-centric warfare".
Initially (maybe 1996-2000) it seemed to be used recklessly,
and was the domain of much wild speculation (science fiction analogies)
and dangerous enthusiasm (controlling warships with Windows NT).
After maybe 2000 or so it seems to have really been working, but by
then it really should have been called something more like
"information-centric" or "communication-centric" warfare.
The point is the sharing of information and how that information is used,
not just the fact that there's a networked graphical interface.
-
In September 1997, the USS Yorktown, an Aegis-class missile cruiser,
was left dead in the water for close to 3 hours because of a cascade
of failures started by a Windows NT application that didn't prevent
a divide-by-zero error.
There's a design error here — who made NT a vital part of a warship!?
See Government Computer News articles:
And also Military and Aerospace Electronics articles:
March 2001, pp 1, 5,
"Navy Postmortem Tries to Pinpoint What Went Wrong With the `Smart Ship' ".
Military and Aerospace Electronics,
-
Early enthusiasm for "Network-Centric Warfare"
-
"Network-Centric Warfare",
Vice Adm Arthur K. Cebrowski and John J. Garstka,
U.S. Naval Institute Proceedings,
Jan 1998, pp 28-35.
At least for the USNI publications, this seems to be the article
that kicked off the craze.
-
"IT-21 Intranet Provides Big `Reachbacks' ",
Rear Adm Robert M. Nutwell,
U.S. Naval Institute Proceedings,
Jan 1998, pp 36-38.
A pretty good overview.
-
"Moving the Navy Into the Information Age",
Cmdr Michael S. Loescher,
U.S. Naval Institute Proceedings,
Jan 1999, pp 40-44.
He seems to have watched way too much "Star Trek",
as the article actually suggests working on "cloaking" and
"shielding" as in that sci-fi TV show,
plus "omniscience" and "telepathy".
-
"The Power of e-Sailors",
Vice Adm James R. Fitzgerald,
U.S. Naval Institute Proceedings,
Jul 1999, pp 62-63.
A decent overview, at the expense of
yet another unneeded neologism...
-
Skepticism/Caution regarding "Network-Centric Warfare"
-
"Beware of Geeks Bearing Gifts",
Lt Cmdr Eric Johns,
U.S. Naval Institute Proceedings,
Apr 1998, pp 74-76.
-
"The Seven Deadly Sins of Network-Centric Warfare",
Thomas P. M. Barnett,
U.S. Naval Institute Proceedings,
Jun 1999, pp 36-39.
-
"The Smart Ship is Not the Answer",
U.S. Naval Institute Proceedings,
Jun 1998, pp 61-64.
"Using Windows NT, which is known to have some failure modes,
on a warship is similar to hoping that luck will be in our favor."
-
"Network-Centric: Is It Worth the Risk?",
Cmdr William K. Lescher,
U.S. Naval Institute Proceedings,
Jul 1999, pp 58-63.
-
A very useful and more recent overview of NCW in its broader and more mature
sense is a series of articles in AWST, 27 Jan 2003, pp 37-59.
Incidents and Anecdotes
-
"Security through obscurity" has been known to be ineffectual for
well over a century. Auguste Kerckhoffs (1835-1903) stated
that the security of a cryptosystem must not depend on
keeping its algorithm secret.
See his article "La cryptographie militaire",
in Journal des sciences militaires,
vol IX, pp 5-38, Jan 1883.
-
A 13 Oct 2007 Washington Post article,
"Shadowy Russian Firm Seen as Conduit for Cybercrime",
reported,
"An Internet business based in St. Petersburg has become
a world hub for Web sites devoted to child pornography, spamming
and identity theft, according to computer security experts.
They say Russian authorities have provided little help in efforts
to shut down the company.
The Russian Business Network sells Web site hosting to people
engaged in criminal activity, the security experts say.
Groups operating through the company's computers are thought to be
responsible for about half of last year's incidents of "phishing"."
VeriSign said that the Rock Group phishers used RBN to steal about US$ 150
million over the preceding year.
Symantec said that RBN was "responsible for
hosting Web sites that carry out a major portion of the world's
cybercrime and profiteering."
RBN does not have its own web site, you must contact its operators via
instant-messaging or obscure Russian-language online forums.
You must also prove that you are not a law enforcement investigator
by demonstrating active involvement in theft of consumers' financial
and personal data.
Read the article:
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html
-
A 19 Nov 2007 AWST article (pp 52-53) described the USAF
16th Space Control Squadron (SPCS), dedicated to "defensive counterspace"
and detecting and locating jamming to satellite links.
The article mentions:
In the early 1990s, about 20% of satcom support for Operation
Desert Storm came from commercial fleets.
Now about 80% of all satellite communications in Iraq and
Afghanistan come from commercial spacecraft, which may in
some cases simultaneously provide services to friendly forces,
as well as adversaries.
It says that the 16th SPCS, based at Peterson AFB in Colorado,
operates the new Rapid Attack Identification Reporting System (Raidrs),
alerting its operators of interference to satellite communications
links at UHF and the microwave C, Ku and X bands.
It's designed and manufactured by Integral Systems of Lanham, Maryland.
Each Raidrs site includes up to six 2.4-meter dish antennas
to monitor signals, and a 3.7-meter antenna connected to a Blackbird
system, said to operate like a spectrum analyzer.
Two more 4.5-meter antennas are said to locate the distant ground-based
jamming or interference source.
The article made it sound as if the location is done by precise measurement
of uplink signals reflected from the satellite bodies of the intended
relay satellite and another satellite in a nearby orbit — an
impressive achievement if correct.
-
Attacks against infrastructure, many mentioned in this article:
http://www.iee.org/OnComms/sector/computing/Articles/Object/0482B3C1-D0B1-80C6-57EA91E4FB429C23
-
1999 — Malicious hackers took control of a Gazprom gas pipeline
in Russia for around 24 hours.
-
2000 — A disgruntled ex-employee accessed the industrial
control systems of a sewage treatment plant in Maroochy Shire,
Queensland, Australia, and released at least a million liters
of raw sewage into a river and onto the grounds of a hotel.
From
that article:
"Located in a tourist area on the east coast,
the sewage system has 142 pumping stations connected
by radio to monitoring computers.
The troubles began when the installation company,
Hunter Watertech, finished installing the control system
in December 1999 and the site supervisor for HWT,
Vitek Boden, resigned 'under circumstances that are
not exactly explained'.
He applied to MSC for a position, but was rejected.
The following month, January 2000, strange things started
to happen.
Pumps were not running when needed, alarms were not being
reported to the control centre, and there was a loss of
communications between the control centre and
the pumping stations.
[....]
The evidence began to point to outside agents interfering
with the system.
With data logging this became more apparent when
engineers noticed a spoofed pump station ID.
The system was receiving signals from a pumping station ID
that wasn't where it should have been — and
it wasn't sending the right sort of signals.
After inspecting one particular pump station site and
re-coding its ID, it became clear that they were
receiving signals coming in from a station that didn't exist.
Radio monitoring was also starting to detect these
transmissions.
After nearly two months of baffling problems, on 16 March
they began to get some hard evidence of what was going on.
They spotted radio transmissions controlling various
pump stations from the fake ID.
[....]
By this time, in the middle of March, a lot of faults were
occurring and it was obvious that the hacker wasn't
just playing around with the control system.
There were sewage leaks, caused by overflowing tanks when
pumps were turned off.
The golf course next to the Hyatt Hotel was flooded with
a million litres of sewage.
A major overflow into a residential area and tidal canal
polluted an estuary; in the surrounding area on Australia's
Sunshine Coast, creeks turned black and cost the government
Au$100,000 to set up an environmental monitoring programme."
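The engineers in the account above eventually caught the intruder by noticing telemetry from a station ID that "wasn't where it should have been" and from "a station that didn't exist". Those are checks a monitoring system can make automatically. The Python below is an added example, not code from the article or from the utility involved; the station registry, the assumption that each station has a fixed radio channel, and the telemetry frames are all constructed for illustration.

```python
from collections import defaultdict

# Constructed registry of legitimate pump stations: id -> assigned radio channel.
# (Assumption for illustration: each station has one fixed channel; not from the article.)
STATIONS = {"PS101": 3, "PS102": 3, "PS103": 5}

# Constructed telemetry frames: (seconds, station_id, channel, message)
TELEMETRY = [
    (0, "PS101", 3, "STATUS_OK"),
    (5, "PS102", 3, "STATUS_OK"),
    (10, "PS103", 5, "STATUS_OK"),
    (15, "PS104", 3, "PUMP_OFF"),       # ID not in the registry: "a station that didn't exist"
    (20, "PS101", 7, "PUMP_OFF"),       # real ID, but on a channel it never uses
    (25, "PS102", 3, "STATUS_OK"),
    (25, "PS102", 3, "ALARM_CLEAR"),    # same ID, same instant, two different frames
]


def audit(telemetry, stations):
    """Return a list of (time, station_id, reason) alerts for suspicious frames.

    Three checks, each corresponding to a symptom in the Maroochy account:
      * a station ID that is not in the registry,
      * a known ID transmitting on a channel it is not assigned,
      * two frames carrying the same ID at the same instant (two senders, one ID).
    """
    alerts = []
    frames_at = defaultdict(list)   # (time, station_id) -> messages seen
    for t, sid, chan, msg in telemetry:
        if sid not in stations:
            alerts.append((t, sid, "unknown station id"))
        elif chan != stations[sid]:
            alerts.append((t, sid, f"unexpected channel {chan}, assigned {stations[sid]}"))
        frames_at[(t, sid)].append(msg)
        if len(frames_at[(t, sid)]) == 2:   # alert once, on the second frame
            alerts.append((t, sid, "two senders using one id: " + ", ".join(frames_at[(t, sid)])))
    return alerts


if __name__ == "__main__":
    for alert in audit(TELEMETRY, STATIONS):
        print(alert)
```

In a real SCADA network the registry would come from the engineering configuration and the channel or source attribute from the radio receivers; the value of the check is that it turns "strange things started to happen" into an alert on the first bad frame rather than after two months of leaks.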
-
2003 —
The "Slammer" worm disabled a safety monitoring system at
Davis-Besse nuclear power plant in Ohio, USA.
Of course, this was not the original intent of the attack.
-
2007 —
A former employee for a federally-owned canal system in California
was charged with installing software that damaged
a computer used to divert water out of a local river:
http://www.theregister.co.uk/2007/11/30/canal_system_hack/
The Tehama Colusa Canal Authority
operates two canals that move water out of the Sacramento River
for use in irrigation and agriculture in Northern California.
The perpetrator worked for the TCCA for more
than 17 years before being fired on August 15, the date he is alleged
to have installed the unauthorized software.
-
2007 — Lonnie Charles Denison was a SAIC contractor working as
a UNIX systems administrator at the California Independent System
Operator's data center controlling California's power grid.
He had a dispute with his boss at SAIC and learned on 15 April that
he had lost computer access privileges.
Minutes later he broke a glass cover and hit the emergency
power "off" button, shutting down the facility.
This cut California off from the wholesale electricity market
(although it did not cut off power to the state!).
Allegedly he e-mailed a bomb threat the next day to a California ISO
employee.
In December he pled guilty, and faced up to five years in prison
and $250,000 in fines.
[The Register, 20 Apr 2007;
http://www.theregister.co.uk/2007/04/20/terrorists_among_us_flee_flee/;
Computerworld, 1 Jan 2008, pg 6;
PC World
http://www.pcworld.com/article/id,140587-c,hackers/article.html;
and several other sources]
-
Here is an on-line library of WWW security breaches:
http://www.csci.ca/
-
During the NATO attacks on Serbia in the spring of 1999,
including the accidental bombing of the Chinese embassy,
there were retaliatory attacks against NATO's public web server
(instigated from Belgrade) and a number of U.S. government sites,
including Dept of Interior, Dept of Energy, the National Park Service (!),
and the U.S. embassy in China (instigated from Beijing and from
groups supporting the Beijing government).
-
There were also attacks against U.S. and NATO systems from China.
Federal Computer Week, 1 Sep 1999,
http://www.fcw.com/pubs/fcw/1999/0830/web-china-09-01-99.html
-
The CIA named countries thought to be involved in industrial espionage
or offensive infowarfare, and noted that several have been providers
of Y2K fixes to U.S. firms (Network World 13 Sep 1999 pg 10):
| Country | Industrial Espionage | Offensive IW initiative | Major US Y2K fix provider |
| Bulgaria | No | Yes | Limited |
| People's Republic of China | Yes | Yes | No |
| Cuba | Yes | Limited | No |
| France | Yes | Yes | No |
| India | Yes | Yes | Yes |
| Iraq | Yes | Yes | No |
| Ireland | No | No | Yes |
| Israel | Yes | Likely | Yes |
| Japan | No | Yes | Likely |
| Pakistan | No | No | Yes |
| Philippines | No | No | Yes |
| Russia | No | Yes | Yes |
| South Korea | No | Yes | Yes |
-
NATO revealed that the Anti-Smyser-1 virus infected systems at its
Pristina, Kosovo facility early in 2000.
Affected systems mailed copies of a nine-page classified document detailing
NATO rules of engagement for land operations in Kosovo to "random Internet
users' mailboxes."
[SC Magazine, Aug 2000, pg 18]
Well, I doubt they were really random, but instead were entries in
someone's address list.
And who put classified documents on Internet-connected PCs subject to viruses??
-
In late 1999 a U.S. toy retailer was using etoys.com and noticed
that a Swiss art group, for unknown reasons, was using etoy.com
for entirely different purposes.
The retailer sued to stop the use of etoy.com.
Hacker groups labeled this as corporate greed against art and freedom of
expression, and groups known as RTMark and the Electronic Disturbance
Theater, among others, launched massive denial-of-service attacks
against etoys.com.
Network World, 20 Dec 1999, pp 1,56.
-
Computer security breaches cost businesses US$ 10,000,000,000 in 1997,
as per statistics quoted by Anderson Consulting.
-
59% of businesses selling over the Internet reported security breaches in 1997,
as per statistics quoted by Anderson Consulting.
-
In May 1998 an internal review of DOE facilities found serious security
problems (classified info on open systems, ftp write
permission, readable password files, etc) on 1,400 of 64,000 systems.
Los Alamos had detected 15 security breaches in the preceding 6 months.
Brock Meeks, MSNBC, 29 May 1998, Stark Abstracting.
-
A group of hackers broke into US DOD computers in fall 1997.
It was well-publicized, they claimed to have stolen GPS controlling
software to sell to terrorists, but DOD said it was just some
administrative data.
-
During the 1991 Persian Gulf War, a group in Eindhoven,
Netherlands broke into computers at 34 U.S. military
sites and stole information about troop movements, missile capabilities, etc.
They offered it to the Iraqis, but they figured it had to be a hoax.
London Telegraph, 23 Mar 97.
-
It seems that about once a month there's a high-profile case of a government
agency's Web page getting trashed.
The only thing I have right at hand is the Washington Post, 20 Sep 96,
on the "Federal Page", where the CIA's problem is described.
Just one of many such attacks — see also the Justice Dept., USAF, both in
late 1996, etc.
-
The SYN Flood attack was mentioned by name on the front page of
USA Today,
as well as in Time, 30 September 1996, pg 64.
-
Despite export laws, supercomputers are being sold to places like Russia's
Ministry of Atomic Energy.
New York Times, 27 Feb 1997,
and AWST, 24 Feb 1997, pg 17.
In the summer of 1997, it was China.
-
Speaking of export laws, I personally witnessed AIHA (American
International Health Alliance), a program within USAID, shipping the
non-exportable version of Netscape to Hospital #122 in the Name of Sokolov,
in Sankt Peterburg, Russia, in October, 1996.
This software includes the Secure Socket Layer technology that isn't
supposed to leave the joint U.S.-Canadian boundary.
Said hospital is still affiliated with Gosatomprom, the Russian equivalent
to the US DOE, and thus the Russian nuclear power and weapons industry.
Like most things in Russia, it also has more mafia connections
than you can imagine.
Lots of similarly connected hospitals throughout the ex-USSR,
including those down in central Asia in Kazakhstan, Uzbekistan, Turkmenistan,
Kyrgyzstan, and Tadzhikstan, got similar shipments.
Nothing like a government agency violating a government regulation....
As for the rest of the story, after telling about this in a security
course attended by folks from some three-letter government agencies,
the U.S. Customs Service had a little chat with me to get all the details.
So don't turn it in again.
As they said in "Raiders of the Lost Ark",
— "Top people are working on it."
— "Who?"
— "Top people!"
-
Internet-distributed cryptographic attacks:
-
For the ill-fated RSA challenge, "We bet you can't factor this
129-digit number," see Scientific American, August 1977.
A Quadratic Sieve distributed across the Internet broke it in 1994.
-
RSA's RC5 48-bit challenge was broken in just over 13 days in February, 1997,
using more than 5000 machines across the internet:
click here for the story.
This same effort would have broken the 40-bit challenge in 40 minutes.
-
56-bit DES was broken in mid-1997.
-
40-bit S/MIME was broken by a program written by Bruce Schneier in late 1997.
12 machines require less than three days, a thousand take 50 minutes.
This category is too fluid to keep up to date — every few weeks another
announcement is made.
If you're concerned about security, use 128-bit IDEA or Bruce Schneier's
Blowfish or Twofish, available at
http://www.counterpane.com
-
Hardware cryptographic attacks — The Electronic Frontier Foundation
developed and built a dedicated platform for under US$ 250,000 that
breaks DES-encrypted messages in 72 hours, an order of magnitude faster
than the most recent distributed network attack.
Much of the cost was design and development — the next one with the
same performance would cost $50,000 or less.
Speed to break DES on this architecture drops linearly with dollars spent
on hardware, so forget all the U.S. government claims about hardware
solutions being impossible.
Also remember that this is cost for today's hardware,
and cost per performance falls fast over time.
http://www.eff.org/descracker/
-
Web spoofing — creating a "shadow copy" of pages, providing misleading
data to victims:
http://www.cs.princeton.edu/sip/pub/spoofing.html.
-
DNS spoofing —
Early versions of DNS believe and cache unrequested "additional records"
sent by a perpetrator.
No need to hack someone's web page, just confuse DNS so it
thinks your IP address matches the legitimate domain name.
This was the September 1997 "CIA web page hack."
Also, a perpetrator running an "alternative domain naming service"
used this to substitute his web pages for those of
www.internic.net (see Network World, 28 July 1997, page 10).
-
DNS boo-boo — For four hours in July 1997, Network Solutions Inc. installed
a corrupted version of the .edu and .com domains on the
root servers.
Rumor is that this happens at least once a month....
See Network World, 21 July 1997, pg 8.
-
Exploits and their patches are listed at:
http://www.warzone.org/
-
Cyberstalking — a goofy combination of buzzwords, but
you know what I mean...
Further proof that IRC and "chat rooms" are worse than useless.
Government Warnings and Reactions
-
GAO said: there are about 250,000 probes of DOD systems per year;
95% of military communications at least touch the public switched networks;
DOD is primarily reactive with no uniform policy for assessing risks,
protecting systems, responding to incidents, or assessing damage;
current work includes DARPA's Information Survivability program.
Military and Aerospace Electronics, January 1997, pg 17;
AWST, 13 Jul 1998, pp 67-70 (quoting Maj. Gen. John Casciano,
USAF director of intelligence).
-
Another reference on that claim of "95% of military communications traverse
the public switched network":
Lt Gen Kenneth A Minihan, "Intelligence and Information System Security",
Defense Intelligence Journal, v5 n1 (Spring 1996), pg 20.
-
DISA received reports of 575 attempts to break into DOD systems in 1997,
but they estimate only 0.2% are reported.
Thus probably about 287,500 serious attempts.
AWST, 27 Apr 1998, pg 27.
-
The DOD urged the naming of an "information czar" and an "information
warfare" center within the U.S. intelligence community.
WSJ, 6 January 1997, pg B2.
-
Some people in DOD, or working for the defense/intel community,
think future conflicts will be the domain of digital terrorists.
Mafia-based states (like many in the ex-USSR),
quasi-governmental organizations (IRA, ETA, HAMAS),
or followers of warlords (Somalia, Chechnya, Myanmar)
could launch highly disruptive attacks in which modern states would
be at a disadvantage.
AWST, 27 Apr 1998, 54-56.
-
NACIC, the National Counter-Intelligence Executive
(http://www.ncix.gov/),
warns of Internet activity by foreign intelligence entities.
BNA Daily Report for Executives, 6 January 1997, pg A15.
-
The government is concerned about hacker threats to 911 service and all
manner of "cyberterror" threats to networked controllers and computers.
U.S. News and World Report, 13 July 1998.
-
"The U.S. military's growing dependence on a closely linked web of
computers is a `recipe for a national security disaster'."
Only one of 150 attacks against DOD computer systems is detected.
NSA says more than 120 countries have or are developing computer attacks.
AWST, 20 January 1997, pp 60-61.
-
The director of the NSA warned (again) of threats of "cyber attacks"
from foreign governments and quasi-governmental organizations,
AWST, 10 Feb 1997, pg 20-21,
plus a series of reports on CNN in March 1997.
-
The USAF formed the 609th Information Warfare Squadron in early 1996.
AWST, 29 April 1996, pg 52.
-
USAF Information Warfare Team is formed at Rome AFB.
Director of CIA John Deutch says, "We have evidence that a number of
countries around the world are developing the doctrine, strategies,
and tools to conduct information attacks."
GAO says hackers launched about 162,500 successful attacks on DOD systems
in 1995, DISA/DSS says attacks double each year.
AWST, 12 Aug 1996, pg 65-66.
-
ARPA/NSA/DISA/DSS Memorandum of Agreement for coordinating Infosec research
programs:
http://www.ito.darpa.mil/ResearchAreas/Information_Survivability/MOA.html.
-
The U.S. is ever more vulnerable to EMP attack (although the likelihood of
such attack is seen as remote),
AWST, 28 July 1997, pg 67.
For work on more likely threats, see
AWST, 30 June 1997, pg 51.
-
OK, so the Y2K rollover is behind us and civilization has not fallen (yet).
There are still lots of chances for everything digital to fall apart,
and before you know it we're racing around the desert looking for fuel,
just like Mad Max.
Ahem.
Anyway, note that many current versions of Unix would have trouble at
Mon Jan 18 22:14:07 2038 EST, when the number of seconds since the
Unix Epoch (00:00:00 01 Jan 1970), kept in a signed 32-bit integer,
rolls over MAXINT.
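The 2038 rollover is easy to reproduce in arithmetic: the largest signed 32-bit value, 2^31 - 1 seconds after the epoch, is 03:14:07 UTC on 19 January 2038 (22:14:07 EST on the 18th, as above), and one second later the counter wraps to -2^31, which a time library reads as a date in 1901. The Python below is an added example, not code from this page; it uses timedelta arithmetic rather than the platform's time_t so that the negative value can be shown everywhere, and adds the check a practitioner actually wants: whether a given date is representable at all in a 32-bit time_t.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1   # MAXINT for a signed 32-bit time_t
INT32_MIN = -2**31


def epoch_to_datetime(seconds):
    """Convert a seconds-since-epoch count to an aware UTC datetime.
    Done with timedelta arithmetic so negative values work on every platform."""
    return EPOCH + timedelta(seconds=seconds)


def wrap_int32(value):
    """Reinterpret an integer the way a signed 32-bit time_t would store it."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def last_valid_int32_time():
    """The final instant a signed 32-bit time_t can represent."""
    return epoch_to_datetime(INT32_MAX)


def time_after_rollover(seconds_past_max=1):
    """What a 32-bit time_t reads `seconds_past_max` ticks after MAXINT."""
    return epoch_to_datetime(wrap_int32(INT32_MAX + seconds_past_max))


def is_representable_in_int32(dt):
    """The Y2038 test: does this datetime fit a signed 32-bit time_t?"""
    seconds = int((dt - EPOCH).total_seconds())
    return INT32_MIN <= seconds <= INT32_MAX


if __name__ == "__main__":
    print("last representable :", last_valid_int32_time())
    print("one second later   :", time_after_rollover())
    later = datetime(2040, 1, 1, tzinfo=timezone.utc)
    print("2040-01-01 fits in 32 bits?", is_representable_in_int32(later))
```

The same test applied to file timestamps, certificate expiry dates or scheduled-job tables is how you find the places in a code base that will misbehave long before the calendar does.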
-
The U.S. Department of Commerce approved export of PGP on 28 May 1997, but only:
- To overseas offices of U.S. firms on an approved list....
- ....and if those overseas sites are not in embargoed countries (Cuba, Iran,
Iraq, Libya, North Korea, Sudan, Syria, and Yemen)....
- ....and with keys under 40 bits without special approval,
or 40-52 bits with key escrow.
Sun Microsystems instead sells their overseas customers 128-bit
encryption code from Elvis+, a Russian company — if the code never enters
the U.S., there's no restriction!
See IEEE Spectrum July 1997 pg 1.
-
As for the reactions of a totalitarian government,
the People's Republic of China:
"E-mail has become increasingly restricted. Every scientist
with a terminal has to register the secret password with the
police. This was put in 15 months ago [April 1996], just
during the period of explosive economic activity."
An interesting abuse of the term "secret password".
See Scientific American, July 1997, pg 18.
-
A good article,
"Nation's `Infosec Gaps' Given New Scrutiny Post-Sept 11",
quite realistic and practical as "information warfare" material goes,
AWST, 28 Jan 2002, pg 59.
Internet Banking, SET, etc
MasterCard and Visa have developed the Secure Electronic Transaction
protocol, or SET.
IEEE Spectrum had a special issue on Internet banking
in February 1997.
Many of these URL's are taken from pages 77-80 there:
- Specifications and FAQ's:
- Vendors and General Info:
- Internet Banking:
COMSEC (Communications Security — attacking cellular/mobile telephony)
-
Digital AMPS (a GSM competitor once popular in North America, although
now end-of-life) uses CAVE — Cellular Authentication and Voice Encryption.
It has three main functions:
- Authenticate to the network that the unit requesting service is a
legal subscriber.
- Generate codes to protect control channel data, including all digits
dialed on the keypad (dialed numbers, plus later PIN's etc).
Control channel data is encrypted with CMEA (Cellular Message
Encryption Algorithm).
- Generate two keys to "mask" the digitized forward and reverse
voice channels.
The voice "masking" was known to be cryptographically weak in 1992.
On 20 March 1997, Bruce Schneier (author of Applied Cryptography) and
David Wagner (UC Berkeley grad student) announced breaking CMEA.
The response of the Cellular Telephone Industry Association (CTIA) was to
lobby for laws to make it illegal to break their breakable system, so they
can continue to advertise it to an unwary public as "unbreakable"....
See Monitoring Times, June 1997, pp 28-29, and
http://www.counterpane.com/
for more details.
-
Targeted eavesdroppers prefer the Harris Triggerfish
or the CCS Digital Data Interpreter, which use the non-voice data streams
to track frequency changes, cell hand-offs, etc.
Top-of-the-line, but pricey!
The OKI 900 controlled by the right software running on a laptop is a
lower-budget cellular intercept platform that's still pretty capable.
-
For more details on GSM hacking, the announcement of GSM cloning,
and how security-through-obscurity isn't security at all, see:
http://www.isaac.cs.berkeley.edu/isaac/gsm.html
-
Late 1999 saw announcements of GSM cracking (which, for the U.S.A.,
affects "Digital PCS" as well).
Summarizing from Bruce Schneier's "Crypto-Gram" newsletter,
15 December 1999,
http://www.counterpane.com/,
the relevant algorithms are:
-
A3, the authentication algorithm to prevent phone cloning
-
A5/1, the stronger of the two voice-encryption algorithms
-
A5/2, the weaker of the two voice-encryption algorithms
-
A8, the voice-privacy key-generation algorithm
Schneier says,
"These algorithms were developed in secret, and were never published.
Marc Briceno (with the Smartcard Developer Association) reverse-engineered
the algorithms, and then Ian Goldberg and David Wagner at U.C. Berkeley
cryptanalyzed them.
Most GSM providers use an algorithm called COMP128 for both A3 and A8.
This algorithm is cryptographically weak, and it is not difficult to break
the algorithm and clone GSM digital phones.
The attack takes just 2^19 queries to the GSM smart-card chip, which takes
roughly 8 hours over the air. This attack can be performed on as many
simultaneous phones in radio range as your rogue base station has channels."
Summarizing now, the breaks and the publishing dates are:
-
A3 and A8 — Can always be broken in 8 hours over
the air (as above). All A8 implementations tested did not use COMP128,
they used a weakened form! (April 1998)
-
A5/2 — Can be broken in real-time without
any trouble. (August 1999)
http://cryptome.org/gsm-crack-bbk.pdf
-
A5/1 — Given the first two minutes of the
conversation, one PC with 128 MB of RAM and two 73 GB hard drives
can find the A5/1 key in about one second. (May 1999)
Then in Feb 2008 Schneier again commented on A5/1 cryptanalysis.
There had been quite a bit of coverage of announcements of
further A5/1 cryptanalysis and practical systems to break GSM keys.
This 2008 attack is completely passive, requires about US$ 1000 in hardware,
and breaks the key in about 30 minutes:
-
The industry (predictably) claimed this was all impossible,
as it required unavailable hardware.
Yeah, right.
Well under US$ 10,000 should provide a high-quality intercept station.
For details of the analysis:
And for a project to design and build a relatively inexpensive GSM
receiver and crack A5/1:
-
Further GSM security and insecurity references:
-
If you want voice COMSEC on the cheap, check out PGPhone — you use your
computer's audio interface and PGP software to encrypt and decrypt a
pair of audio streams.
Find it
in the PGP section.
Offensive Information Warfare / Information Operations
What they call information warfare (IW) or information operations (IO) is
out there, but good luck finding much in the open literature.
Just a few brief mentions, like a few sentences in
AWST 12 May 2003 pp 62-63.
Also be aware that the U.S. Department of Defense uses
"information operations" to mean offensive information warfare,
including denial of service attacks against data and network connectivity,
and, more subtly, rendering data or network connectivity worthless by
degrading the other side's confidence in it.
But at the same time, the Central Intelligence Agency instead uses
"information operations" to mean obtaining data statically stored
on systems or transiting networks, in order to analyze it and
obtain an understanding of the other side's plans.
More recently, "Digits of Doom" [AWST, 24 Sep 2007, pg 74]
suggested that the U.S. military had started attacking jihadist web sites
in the preceding few months.
The article mentions:
-
USAF Cyberspace Command,
including the 67th Network Warfare Wing
-
US Army's 1st Information Operations Command
and its
Information Dominance Center
-
Joint Functional Component Command for Network Warfare (JFCC-NW),
a part of U.S. Strategic Command and a joint operation with
the National Security Agency.
"Some of its missions include disrupting and invading networks,
mining computer bases for intelligence,
manipulating data as an element of information warfare
and monitoring enemy command-and-control systems."
-
"Even with that resume, 'these aren't the only groups involved,'
says a senior electronic attack specialist.
'Some are less obvious, but more capable.'
In fact, the staff of Deputy Defense Secretary Gordon England
has, for some time, been studying the use of deception
operations against terrorist networks."
In other stories:
-
AWST reported that IW/IO was successfully used by the USAF
against Iraq during 1991 and
against Yugoslavia during the "Kosovo conflict" of early 1999.
-
AWST,
26 Feb 2001, pp 52-53.
"The first attack was limited to reading
the e-mail of Iraqi commanders. But by the next conflict the
tools were much more sophisticated. False messages and targets
were injected into Yugoslavia's complex computer-integrated
air defense system."
-
AWST,
12 April 1999, pp 24-26.
" `We shut their eyes [radar] down through jamming,'
[an Air Force official] said.
`Also, Air Combat Command has been conducting a lot of information
warfare activity.
By that I mean getting into their computer system and screwing it up.
We're trying to use that capability.
By getting into the microwave net, you can insert viruses and
deceptive computer communications.' "
-
AWST, 23 Aug 1999, pp 31-32.
That article describes attacks on radar and military messaging systems.
There were other reports about U.S. attacks on Yugoslav banks holding
Slobodan Milosevic's deposits.
-
AWST, 30 Oct 2000, pp 67-68.
EC-130H Compass Call systems intended to penetrate air defense
computer systems, planting false messages and targets, did quite
well as per a USAF/USN analysis.
But the EC-130E Commando Solo TV/radio broadcast aircraft are of
decreasing relevance now that direct-broadcast satellite TV systems
are common throughout the world.
-
AWST
has had several articles, including series of articles in some issues:
-
There was an overview with several articles
in the 19 Jan 1998 issue, pp 52-60.
-
A series of articles in late 1999:
8 Nov 1999, pp 81-83;
15 Nov 1999, pp 93-96;
15 Nov 1999, pp 102-103.
-
A series of articles in an issue concentrating on information
warfare:
26 Feb 2001, pp 50-64.
-
In a discussion of the 1 Oct 2002 transition of U.S. Space Command
into the new Strategic Command (StratCom),
"Command officials are advocating StratCom be designated the
IO integrator for regional info operations,
providing a global perspective and coordinating with
other government agencies."
14 Oct 2002, pg 63.
-
Also see 4 Nov 2002 pg 30, and 25 Nov 2002 pg 58.
-
Network World repeated some info found in AWST and
elsewhere,
v17, no47 (20 Nov 2000), pp 1, 16.
-
The USAF Fact Sheet:
http://www.af.mil/news/factsheets/Information_Warfare.html
-
The U.S. Air Force Information Warfare Center:
http://www.afiwc.aia.af.mil/
-
The U.S. Navy Information Warfare Division:
http://iwd.mugu.navy.mil/
-
The USAF formed the 609th Information Warfare Squadron in early 1996,
basing it at Shaw AFB, SC.
AWST, 29 April 1996, pg 52;
AWST, 3 Aug 1998, pg 23.
A second squadron was being formed in California by the Air National Guard.
AWST, 21 Sep 1998, pg 65.
-
As of July 1998,
the U.S. DOD and intelligence community were interested, but at least as far
as anyone was saying, ethical and operational problems remained.
Could disinformation turn against us?
Where is the line between "prepping the battlefield" and an act of war?
What about peacetime uses?
The Director of the CIA said not to worry,
"we're not asleep at the switch in this regard,"
and a Senate staff member on an oversight committee said,
"The Defense Department has next to nothing to say about this in an
unclassified form."
See the Washington Post, 8 July 1998, A1, A10;
there may still be on-line copies at:
-
U.S. News had something 13 July 1998.
-
Offensive information operations were part of an exercise in 1998,
involving NSA, DISA, and the Air Intelligence Agency.
AWST, 21 Sep 1998, pg 65.
-
China and other countries were already doing it in 1998,
according to the directors of the CIA and NSA.
Information Week, 6 Jul 1998.
-
The National Infrastructure Protection Center (NIPC) is intended to
detect and analyze attacks.
Housed within the FBI, staffed by FBI, CIA, NSA, Secret Service, DOT (!),
and other agencies.
Network World, 14 Sep 1998, pp 8,74.
-
In July 2002 President Bush signed
National Security Presidential Directive 16,
ordering the government to develop rules for information warfare — establish
when and how to attack enemy computer networks,
select targets, define who should authorize and launch the attacks.
Washington Post, 6 Feb 2003.
-
In Feb 2003 the U.S. DOD Strategic Command
Joint Task Force - Computer Network Operations (JTF-CNO)
was being reorganized into two task forces:
one for network defense,
the other for computer network attack (CNA).
Federal Computer World, 7 Feb 2003.
-
Nonsense has happened in the past, and will continue.
A 1991 InfoWorld magazine joke turned into an urban legend,
reported seriously by U.S. News and World Report,
about the NSA sending virus-laden printers to Iraq.
Nonsense:
http://www.vmyths.com/hoax.cfm?id=123&page=3
Further Reading
-
Here is an excellent paper on not overlooking the non-technical
details when doing network threat analysis:
http://www.itoc.usma.edu/Workshop/2001/Authors/Submitted_Abstracts/paperT2C2(32).pdf
-
Here is a nice archive of security white papers on many topics:
http://www.securitydocs.com/
-
RFC 2196 is the Site Security Handbook.
75 pages of free good stuff!
http://www.cis.ohio-state.edu/htbin/rfc/rfc2196.html
Also see
ftp://nic.merit.edu/documents/fyi/fyi8.txt
-
RFC 2504 is the Users' Security Handbook.
More good stuff!
http://www.cis.ohio-state.edu/htbin/rfc/rfc2504.html
-
For current research and development, see Purdue's CERIAS group:
http://www.cerias.purdue.edu/
-
There's a good introductory article in IEEE Spectrum,
August 1997, pp 56-63.
-
The classic Unix security paper is in the
AT&T Bell Labs Technical Journal, October 1984.
-
The Trusted Product Evaluation Program frequently-asked-question list
on computer security is at:
http://www.radium.ncsc.mil/tpep/process/faq.html
-
For password design and maintenance, see:
"Automated Password Generator (APG)",
NIST publication FIPS 181,
05 Oct 1993, and
"A Random Word Generator for Pronounceable Passwords",
Gasser, M., MTR-3006, ESD-TR-75-97, AD-A017676, Mitre report,
November 1975, and
"DoD Password Management Guideline", 12 Apr 1985, CSC-STD-002-85,
a.k.a. the "green book", and
"Password Usage",
NIST Publication FIPS 112, 30 May 1985.
For a look at why it's important, see
"Password Security: A Case History,"
Morris, R., Thompson, K., Communications of the ACM, v. 22 n. 11,
Nov. 1979, pg. 594-597.
-
Disaster recovery is a whole field in itself.
Check out the Disaster Recovery Journal at
http://www.drj.com.
For a light introduction,
IEEE Spectrum, December 1996, pg 49.
-
Fervently making backup tapes?
Good!
But have you considered the longevity of your storage media?
Check out Scientific American, January 1995, pg 42.
-
For an easy-to-read explanation of the debate over just how the next version
of the Internet Protocol, a.k.a. IPv6, will incorporate authentication and
privacy with Secure IP, a.k.a. IPSec, look at "Mr Protocol Feels Secure,"
in Sun Expert, December 1996, pg 22.
Well, easy-to-read, that is, if you understand the current version of IP....
-
For general convince-your-personnel material, check out
Scientific American, March 1994, pg 90; and December 1995, page 88.
-
http://www.ncsa.com/library/library.html
has technical convince-your-personnel material.
-
http://www.cert.org/research/JHThesis/index.html
has a technical analysis of security incidents on the Internet, 1989-1995.
-
A very scholarly treatment of Internet congestion models is in
Science, vol 277, 25 July 1997, pp 477, 535-537.
-
See
http://www.jya.com/crypto.htm for loads of detailed cryptography info.
-
Privacy issues are discussed in
Forbes, 3 Feb 1997.
-
"What is Information Warfare"
is available from the Government Printing Office
(by Martin C. Libicki, August 1995, National Defense University series,
G.P.O. 1996-405-201:40005).
Much enthusiasm and anecdotes, light on technical facts and realism.
Note the section where he discusses William Gibson's science-fiction
novels and the movie "TRON" as possible models!
Well, it's out there, and some people may consider it important.
Not me....
-
Two government references that look better are:
- NIST Special Publication 800-12
- NIST Special Publication 800-14
The first is a reference book on computer security, costs about $18,
the second is NIST guidelines, costs about $7.50.
-
Dan Farmer's site
http://www.trouble.org/
has lots of statistics and some good white papers.
-
You may find this handy:
http://www.stl.nps.navy.mil/~jimorale
-
For far more reading, check the hotlist at Purdue's CERIAS project:
http://www.cerias.purdue.edu/tools_and_resources/hotlist/
-
Keep looking — here are some more WWW sites to check out.