General Information

Modified 21 June 2008

If your experience is at all like mine, you will find that you need to both educate and convince people — from the "on-the-front-lines" users to management. Here's some help.

AWST = Aviation Week and Space Technology
WSJ = Wall Street Journal
DOD = U.S. Department of Defense

Topics on this page:

Big-Money Losses (financial losses, satellite outages, piracy steganography)
U.S. Military Skepticism/Enthusiasm re "Network-Centric Warfare"
Incidents and Anecdotes
Government Warnings and Reactions (mostly U.S. Govt)
Internet Banking, SET, etc
COMSEC (Communications Security — attacking cellular/mobile telephony)
Offensive Information Warfare / Information Operations (Governmental computer warfare)
Further Reading

Big-Money Losses

Price Waterhouse Coopers estimated that "computer hackers costs businesses 45 billion dollars" in 1999.
A London banking organization paid millions of pounds to stop a two-year series of attacks mixing logic bombs with electromagnetic pulse weapons: London Sunday Times, 2 June 1996, pg 1; 9 June 1996, pg 1. Also, http://www.infowar.com discusses these events. Note that this is now widely thought to be overly hyped, if not a complete fabrication. Self-proclaimed "infowar" specialists carry on endlessly about possibly mythical HERF guns and EMP devices. Caveat emptor! Thorough HERF-gun-debunking is found at:
- http://sun.soci.niu.edu/~crypt/other/kooks.htm
- http://cgi.pathfinder.com/netly/article/0,2334,12321,00.html
Satellite losses
- A $200,000,000 Telstar satellite (and thus all its comm links) was taken out by an unexpected solar flare on 11 January 1997. I was teaching a course that week, and many students complained the next day that SpectraVision no longer worked in their rooms.... Science, 31 January 1997, pg 623, and Science News, 1 February 1997, pg 68.
- Similarly, Galaxy IV failed in May 1998 and took out over 80% of North American pagers.
- Galaxy VII failed 13 June 1998, dropped several hours of several cable TV networks. Some other satellite failed 4 July 1998, dropping several hours of DirectTV. In both cases, a control processor failed, but they eventually could switch to a backup processor. WSJ, 9 Jul 1998, Reuters.
- Former CIA analyst comments on vulnerability of civilian satellites (1995): http://www.fas.org/spp/eprint/civilsat.htm and GAO report (2002): http://www.fas.org/spp/eprint/civilsat.htm
Corporate computer crime costs the Australian economy A$ 18 billion per year. Australian Business News, 5 August 1996.

Chinese and Bulgarian factories, in concert with companies in countries that are close allies and trading partners of the U.S., steal software and pirate it as fast as the CD-ROM presses will run. See New York Times, 3 June 1996, pg D1, and CBS News, 28 May 1997. In Tallinn, Estonia, take bus #92 out to the big market at Kadaka Torg, where any CD-ROM is 250 Estonian Kroon, about US$ 20. They had Office '97 in October of 1996. In Sankt Peterburg, Russia, the big bootleg market is diagonal from the rear corner of the Gostinniy Dvor shopping arcade along Nevsky Prospekt. In Istanbul, Turkey, go to the weekend flea market on University Square, just outside the entrance to the Grand Bazaar. They had Office 2000 and Windows 2000 in June, 1999. All offer CD-ROM's intended as master disks for OEM's. Bulgaria has made a few "show raids" on companies like Unison, with little real effect. The following stats were in IW Magazine, http://www.iwmag.com, 16 July 1997, pg 8, citing the SPA:

Country	% of SW pirated	Annual US$ value of pirated SW
China	95%	$ 507,520,000
Russia	91%	$ 298,240,000
Indonesia	98%	$ 170,330,000
Philippines	92%	$ 56,740,000
Rest of CIS	96%	$ 38,490,000
Pakistan	92%	$ 16,730,000
Vietnam	98%	$ 11,410,000
Kuwait	90%	$ 10,080,000
Guatemala	90%	$ 7,460,000
Oman	96%	$ 7,350,000
Bahrain	92%	$ 4,230,000
Qatar	91%	$ 3,030,000

Digital watermarking, related to steganography (hiding messages in data), is discussed in Nature, 12 Dec 1996, pg 514; AWST, 20 Oct 1997, pg 13, and 3 Nov 1997, pg 17; Business Week, 1 Sep 97, pg 35; and New York Times, 17 Feb 1999. Playboy uses it to watermark imagery sold in electronic form, see http://www.digimarc.com or Secure Computing, Aug 1997, pg 15. IBM, NEC, Hitachi, Pioneer, and Sony plan to use it to prevent pirating of entertainment data. It's mature technology, it was used by Demaratus, a Greek, to send a message to the Spartans in the war between the Greeks and the Persians in 480 B.C. (see "The Histories" by Herodotus, and "The Code Book" by Simon Singh. Much later than that (in 1500!), it was described by the Benedictine monk Johannes Trithemius in Steganographia. He described a method of hiding text in a prayer book. The Air Force Research Lab, http://www.if.afrl.af.mil, wants to transfer their work on the technology to the civilian sector.
Experian (ex-TRW) credit reporting agency sold people their own credit reports on the Internet for maybe a day, before noticing that a bug caused some reports to be sent to the wrong people. See most any media around 16 Aug 1997....
For non-malicious (?) losses, see Scientific American, July 1997, pp 82-89, for a great article, "Taking Computers to Task" by W. W. Gibbs. The average office worker spends 5.1 hours per week unnecessarily fiddling with their machine — adjusting windows, changing background "wallpaper," or playing with their screensavers. This doesn't even count playing games! Boeing removed all games from their systems, fighting Microsoft's attempt to lower U.S. productivity by bundling games into operating systems under the silly premise of "they teach people how to use a mouse." Sun Microsystems prohibited fancy presentations, as they found that people quickly assemble quality technical information, but waste lots of time trying to make slides look pretty.

U.S. Military Skepticism/Enthusiasm re "Network-Centric Warfare"

Much of this depends on just what you mean by "network-centric warfare". Initially (maybe 1996-2000) it seemed to be used recklessly, and was the domain of much wild speculation (science fiction analogies) and dangerous enthusiasm (controlling warships with Windows NT). After maybe 2000 or so it seems to have really been working, but by then it really should have been called something more like "information-centric" or "communication-centric" warfare. The point is the sharing of information and how that information is used, not just the fact that there's a networked graphical interface.

In September 1997, the USS Yorktown, a Aegis-class missile cruiser, was left dead in the water for close to 3 hours because of a cascade of failures started by a Windows NT application that didn't prevent a divide-by-zero error. There's a design error here — who made NT a vital part of a warship!? See Government Computer News articles:
- 13 Jul 1998, http://www.gcn.com/archives/gcn/1998/july13/cov2.htm
- 31 Aug 1998, http://www.gcn.com/archives/gcn/1998/august31/1.htm
- 9 Nov 1998, http://www.gcn.com/archives/gcn/1998/november9/6.htm
And also Military and Aerospace Electronics articles: March 2001, pp 1, 5, "Navy Postmortem Tries to Pinpoint What Went Wrong With the `Smart Ship' ". Military and Aerospace Electronics,
Early enthusiasm for "Network-Centric Warfare"
- "Network-Centric Warfare", Vice Adm Arthur K. Cebrowski and John J. Garstka, U.S. Naval Institute Proceedings, Jan 1998, pp 28-35. At least for the USNI publications, this seems to be the article that kicked off the craze.
- "IT-21 Intranet Provides Big `Reachbacks' ", Rear Adm Robert M. Nutwell, U.S. Naval Institute Proceedings, Jan 1998, pp 36-38. A pretty good overview.
- "Moving the Navy Into the Information Age", Cmdr Michael S. Loescher, U.S. Naval Institute Proceedings, Jan 1999, pp 40-44. He seems to have watched way too much "Star Trek", as the article actually suggests working on "cloaking" and "shielding" as in that sci-fi TV show, plus "omniscience" and "telepathy".
- "The Power of e-Sailors", Vice Adm James R. Fitzgerald, U.S. Naval Institute Proceedings, Jul 1999, pp 62-63. A decent overview, at the expense of yet another unneeded neologism...
Skepticism/Caution regarding "Network-Centric Warfare"
- "Beware of Geeks Bearing Gifts", Lt Cmdr Eric Johns, U.S. Naval Institute Proceedings, Apr 1998, pp 74-76.
- "The Seven Deadly Sins of Network-Centric Warfare", Thomas P. M. Barnett, U.S. Naval Institute Proceedings, Jun 1999, pp 36-39.
- "The Smart Ship is Not the Answer", U.S. Naval Institute Proceedings, Jun 1998, pp 61-64. "Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor."
- "Network-Centric: Is It Worth the Risk?", Cmdr William K. Lescher, U.S. Naval Institute Proceedings, Jul 1999, pp 58-63.
A very useful and more recent overview of NCW in its broader and more mature sense is a series of articles in AWST, 27 Jan 2003, pp 37-59.

Incidents and Anecdotes

"Security through obscurity" has known to be ineffectual for well over a century. Auguste Kerckhoffs (1835-1903) stated that the security of a cryptosystem must not depend on keeping its algorithm secret. See his article "La cryptographie militaire", in Journal des sciences militaries, vol IX, pp 5-38, Jan 1883.
A 13 Oct 2007 Washington Post article "Shadowy Russian Firm Seen as Conduit for Cybercrime" reported, "An Internet business based in St. Petersburg has become a world hub for Web sites devoted to child pornography, spamming and identity theft, according to computer security experts. They say Russian authorities have provided little help in efforts to shut down the company. The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of "phishing" VeriSign said that the Rock Group phishers used RBN to steal about US$ 150 million over the preceding year. Symantec said that RBN was "responsible for hosting Web sites that carry out a major portion of the world's cybercrime and profiteering." RBN does not have its own web site, you must contact its operators via instant-messaging or obscure Russian-language online forums. You must also prove that you are not a law enforcement investigator by demonstrating active involvement in theft of consumers' financial and personal data. Read the article: http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html
A 19 Nov 2007 AWST article (pp 52-53) described the USAF 16th Space Control Squadron (SPCS), dedicated to "defensive counterspace" and detecting and locating jamming to satellite links. The article mentions:
In the early 1990s, about 20% of satcom support for Operation Desert Storm came from commercial fleets. Now about 80% of all satellite communications in Iraq and Afghanistan come from commercial spacecraft, which may in some cases simultaneously provide services to friendly forces, as well as adverseries.
It says that the 16th SPCS, based at Peterson AFB in Colorado, operates the new Rapid Attack Identification Reporting System (Raidrs), alerting its operators of interference to satellite communications links at UHF and the microwave C, K_u and X bands. It's designed and manufactured by Integral Systems of Lanham, Maryland. Each Raidrs site includes up to six 2.4-meter dish antennas to monitor signals, and a 3.7-meter antenna connected to a Blackbird system, said to operate like a spectrum analyzer. Two more 4.5-meter antennas are said to locate the distant ground-based jamming or interference source. The article made it sound as if the location is done by precise measurement of uplink signals reflected from the satellite bodies of the intended relay satellite and another satellite in a nearby orbit — an impressive achievement if correct.
Attacks against infrastructure, many mentioned in this article: http://www.iee.org/OnComms/sector/computing/Articles/Object/0482B3C1-D0B1-80C6-57EA91E4FB429C23
- 1999 — Malicious hackers took control of a Gazprom gas pipeline in Russia for around 24 hours.
- 2000 — A disgruntled ex-employee accessed the industrial control systems of a sewage treatment plant in Maroochy Shire, Queensland, Australia, and released at least a million liters of raw sewage into a river and onto the grounds of a hotel. From that article:
  "Located in a tourist area on the east coast, the sewage system has 142 pumping stations connected by radio to monitoring computers.
  The troubles began when the installation company, Hunter Watertech, finished installing the control system in December 1999 and the site supervisor for HWT, Vitek Boden, resigned 'under circumstances that are not exactly explained'. He applied to MSC for a position, but was rejected.
  he following month, January 2000, strange things started to happen. Pumps were not running when needed, alarms were not being reported to the control centre, and there was a loss of communications between the control centre and the pumping stations.
  [....]
  The evidence began to point to outside agents interfering with the system. With data logging this became more apparent when engineers noticed a spoofed pump station ID. The system was receiving signals from a pumping station ID that wasn't where it should have been — and it wasn't sending the right sort of signals. After inspecting one particular pump station site and re-coding its ID, it became clear that they were receiving signals coming in from a station that didn't exist. Radio monitoring was also starting to detect these transmissions. After nearly two months of baffling problems, on 16 March they began to get some hard evidence of what was going on. They spotted radio transmissions controlling various pump stations from the fake ID.
  [....]
  By this time, in the middle of March, a lot of faults were occurring and it was obvious that the hacker wasn't just playing around with the control system. There were sewage leaks, caused by overflowing tanks when pumps were turned off. The golf course next to the Hyatt Hotel was flooded with a million litres of sewage. A major overflow into a residential area and tidal canal polluted an estuary; in the surrounding area on Australia's Sunshine Coast, creeks turned black and cost the government Au$100,000 to set up an environmental monitoring programme."
- 2003 — The "Slammer" worm disabled a safety monitoring system at Davis-Basse nuclear power plant in Ohio, USA. Of course, this was not the original intent of the attack.
- 2007 — A former employee for a federally-owned canal system in California was charged with installing software that damaged a computer used to divert water out of a local river: http://www.theregister.co.uk/2007/11/30/canal_system_hack/ The Tehama Colusa Canal Authority operates two canals that move water out of the Sacramento River for use in irrigation and agriculture in Northern California. The perpetrator worked for the TCCA for more than 17 years before being fired on August 15, the date he is alleged to have installed the unauthorized software.
- 2007 — Lonnie Charles Denison was a SAIC contractor working as a UNIX systems administrator at the California Independent System Operator's data center controlling California's power grid. He had a dispute with his boss at SAIC and learned on 15 April that he had lost computer access privileges. Minutes later he broke a glass cover and hit the emergency power "off" button, shutting down the facility. This cut California off from the wholesale electricity market (although it did not cut off power to the state!). Allegedly he e-mailed a bomb threat the next day to a California ISO employee. In December he pled guilty, and faced up to five years in prison and $250,000 in fines.
  [The Register, 20 Apr 2007; http://www.theregister.co.uk/2007/04/20/terrorists_among_us_flee_flee/; Computerworld, 1 Jan 2008, pg 6; PC World http://www.pcworld.com/article/id,140587-c,hackers/article.html; and several other sources]
Here is an on-line library of WWW security breaches: http://www.csci.ca/
During the NATO attacks on Serbia in the spring of 1999, including the accidental bombing of the Chinese embassy, there were retaliatory attacks against NATO's public web server (instigated from Belgrade) and a number of U.S. government sites, including Dept of Interior, Dept of Energy, the National Park Service (!), and the U.S. embassy in China (instigated from Beijing and from groups supporting the Beijing government).
There were also attacks against U.S. and NATO systems from China. Federal Computer Week, 1 Sep 1999, http://www.fcw.com/pubs/fcw/1999/0830/web-china-09-01-99.html

The CIA named countries thought to be involved in industrial espionage or offensive infowarfare, and noted that several have been providers of Y2K fixes to U.S. firms (Network World 13 Sep 1999 pg 10):

Country	Industrial Espionage	Offensive IW initiative	Major US Y2K fix provider
Bulgaria	No	Yes	Limited
People's Republic of China	Yes	Yes	No
Cuba	Yes	Limited	No
France	Yes	Yes	No
India	Yes	Yes	Yes
Iraq	Yes	Yes	No
Ireland	No	No	Yes
Israel	Yes	Likely	Yes
Japan	No	Yes	Likely
Pakistan	No	No	Yes
Philippines	No	No	Yes
Russia	No	Yes	Yes
South Korea	No	Yes	Yes

NATO revealed that the Anti-Smyser-1 virus infected systems at its Pristina, Kosovo facility early in 2000. Affected systems mailed copies of a nine-page classified document detailing NATO rules of engagement for land operations in Kosovo to "random Internet users' mailboxes." [SC Magazine, Aug 2000, pg 18] Well, I doubt they were really random, but instead were entries in someone's address list. And who put classified documents on Internet-connected PCs subject to viruses??
In late 1999 a U.S. toy retailer was using etoys.com and noticed that a Swiss art group, for unknown reasons, was using etoy.com for entirely different purposes. The retailer sued to stop the use of etoy.com. Hacker groups labeled this as corporate greed against art and freedom of expression, and groups known as RTMark and the Electronic Disturbance Theater, among others, launched massive denial-of-service attacks against etoys.com. Network World, 20 Dec 1999, pp 1,56.
Computer security breaches cost businesses US$ 10,000,000,000 in 1997, as per statistics quoted by Anderson Consulting.
59% of businesses selling over the Internet reported security breaches in 1997, as per statistics quoted by Anderson Consulting.
In May 1998 an internal review of DOE facilities found serious security problems (classified info on open systems, ftp write permission, readable password files, etc) on 1,400 of 64,000 systems. Los Alamos had detected 15 security breaches in the preceding 6 months. Brock Meeks, MSNBC, 29 May 1998, Stark Abstracting.
A group of hackers broke into US DOD computers in fall 1997. It was well-publicized, they claimed to have stolen GPS controlling software to sell to terrorists, but DOD said it was just some administrative data.
During the 1991 Persian Gulf War, a group in Eindhoven, Netherlands broke into computers at 34 U.S. military sites and stole information about troop movements, missile capabilities, etc. They offered it to the Iraquis, but they figured it had to be a hoax. London Telegraph, 23 Mar 97.
It seems that about once a month there's a high-profile case of a government agency's Web page getting trashed. The only thing I have right at hand is the Washington Post, 20 Sep 96, on the "Federal Page", where the CIA's problem is described. Just one of many such attacks — see also the Justice Dept., USAF, both in late 1996, etc.
The SYN Flood attack was mentioned by name on the front page of USA Today, as well as in Time, 30 September 1996, pg 64.
Despite export laws, supercomputers are being sold to places like Russia's Ministry of Atomic Energy. New York Times, 27 Feb 1997, and AWST, 24 Feb 1997, pg 17. In the summer of 1997, it was China.
Speaking of export laws, I personally witnessed AIHA (American International Health Alliance), a program within USAID, shipping the non-exportable version of Netscape to Hospital #122 in the Name of Sokolov, in Sankt Peterburg, Russia, in October, 1996. This software includes the Secure Socket Layer technology that isn't supposed to leave the joint U.S.-Canadian boundary. Said hospital is still affiliated with Gosatomprom, the Russian equivalent to the US DOE, and thus the Russian nuclear power and weapons industry. Like most things in Russia, it also has more mafia connections than you can imagine. Lots of similarly connected hospitals throughout the ex-USSR, including those down in central Asia in Kazakhstan, Uzbekistan, Turkmenistan, Kyrgyzstan, and Tadzhikstan, got similar shipments. Nothing like a government agency violating a government regulation....

As for the rest of the story, after telling about this in a security course attended by folks from some three-letter government agencies, the U.S. Customs Service had a little chat with me to get all the details. So don't turn it in again. As they said in "Raiders of the Lost Ark",
— "Top people are working on it."
— "Who?"
— "Top people!"
Internet-distributed cryptographic attacks:
- For the ill-fated RSA challenge, "We bet you can't factor this 129-digit number," see Scientific American, August 1977. A Quadratic Seive distributed across the Internet broke it in 1994.
- RSA's RC5 48-bit challenge was broken in just over 13 days in February, 1997, using more than 5000 machines across the internet: click here for the story. This same effort would have broken the 40-bit challenge in 40 minutes.
- 56-bit DES was broken in mid-1997.
- 40-bit S/MIME was broken by a program written by Bruce Schneier in late 1997. 12 machines require less than three days, a thousand take 50 minutes.
This category is too fluid to keep up to date — every few weeks another announcement is made. If you're concerned about security, use 128-bit IDEA or Bruce Schneier's Blowfish or Twofish, available at http://www.counterpane.com
Hardware cryptographic attacks — The Electronic Frontier Foundation developed and built a dedicated platform for under US$ 250,000 that breaks DES-encrypted messages in 72 hours, an order of magnitude faster than the most recent distributed network attack. Much of the cost was design and development — the next one with the same performance would cost $50,000 or less. Speed to break DES on this architecture drops linearly with dollars spent on hardware, so forget all the U.S. government claims about hardware solutions being impossible. Also remember that this is cost for today's hardware, and cost per performance falls fast over time. http://www.eff.org/descracker/
Web spoofing — creating a "shadow copy" of pages, providing misleading data to victims: http://www.cs.princeton.edu/sip/pub/spoofing.html.
DNS spoofing — Early versions of DNS believe and cache unrequested "additional records" sent by a perpetrator. No need to hack someone's web page, just confuse DNS so it thinks your IP address matches the legitimate domain name. This was the September 1997 "CIA web page hack." Also, a perpetrator running an "alternative domain naming service" used this to substitute his web pages for those of www.internic.net (see Network World, 28 July 1997, page 10).
DNS boo-boo — For four hours in July 1997, Network Solutions Inc. installed a corrupted version of the .edu and .com domains on the root servers. Rumor is that this happens at least once a month.... See Network World, 21 July 1997, pg 8.
Exploits and their patches are listed at: http://www.warzone.org/
Cyberstalking — a goofy combination of buzzwords, but you know what I mean... Further proof that IRC and "chat rooms" are worse than useless.
- Resource list for cyberstalking issues: http://cyber.findlaw.com/criminal/cyberstalk.html
- U.S. Department of Justice 1999 report on cyberstalking: http://www.usdoj.gov/criminal/cybercrime/cyberstalking.htm
- National Center for Victims of Crime — state-by-state guide on stalking (about stalking, not a how-to!):
  - http://www.nvc.org/law.statestk.htm
  - http://www.ncsl.org/programs/lis/CIP/stalk99.htm
- 1999 — the earliest cyberstalking prosecution: http://detnews.com/men/stories/41019.htm
- US$ 10 million lawsuit against a pair of stalkers: http://www.naplesnews.com/today/l0cal/d387482a.htm

Government Warnings and Reactions

GAO said: there are about 250,000 probes of DOD systems per year; 95% of military communications at least touch the public switched networks; DOD is primarily reactive with no uniform policy for assessing risks, protecting systems, responding to incidents, or assessing damage; current work includes DARPA's Information Survivability program. Military and Aerospace Electronics, January 1997, pg 17; AWST, 13 Jul 1998, pp 67-70 (quoting Maj. Gen. John Casciano, USAF director of intelligence).
Another reference on that claim of "95% of military communications traverse the public switched network": Lt Gen Kenneth A Minihan, "Intelligence and Information System Security", Defense Intelligence Journal, v5 n1 (Spring 1996), pg 20.
DISA received reports of 575 attempts to break into DOD systems in 1997, but they estimate only 0.2% are reported. Thus probably about 287,500 serious attempts. AWST, 27 Apr 1998, pg 27.
The DOD urged the naming of an "information czar" and an "information warfare" center within the U.S. intelligence community. WSJ, 6 January 1997, pg B2.
Some people in DOD, or working for the defense/intel community, think future conflicts will be the domain of digital terrorists. Mafia-based states (like many in the ex-USSR), quasi-governmental organizations (IRA, ETA, HAMAS), or followers of warlords (Somalia, Chechnya, Myanmar) could launch highly disruptive attacks in which modern states would be at a disadvantage. AWST, 27 Apr 1998, 54-56.
NACIC, the National Counter-Intelligence Executive (http://www.ncix.gov/), warns of Internet activity by foreign intelligence entities. BNA Daily Report for Executives, 6 January 1997, pg A15.
The government is concerned about hacker threats to 911 service and all manner of "cyberterror" threats to networked controllers and computers. U.S. News and World Report, 13 July 1998.
"The U.S. military's growing dependance on a closely linked web of computers is a `recipe for a national security disaster'. " Only one of 150 attacks against DOD computer systems is detected. NSA says more than 120 countries have or are developing computer attacks. AWST, 20 January 1997, pp 60-61.
The director of the NSA warned (again) of threats of "cyber attacks" from foriegn governments and quasi-governmental organizations, AWST, 10 Feb 1997, pg 20-21, plus a series of reports on CNN in March 1997.
The USAF formed the 609th Information Warfare Squadron in early 1996. AWST, 29 April 1996, pg 52.
USAF Information Warfare Team is formed at Rome AFB. Director of CIA John Deutch says, "We have evidence that a number of countries around the world are developing the doctrine, strategies, and tools to conduct information attacks." GAO says hackers launched about 162,500 successful attacks on DOD systems in 1995, DISA/DSS says attacks double each year. AWST, 12 Aug 1996, pg 65-66.
ARPA/NSA/DISA/DSS Memorandum of Agreement for coordinating Infosec research programs: http://www.ito.darpa.mil/ResearchAreas/Information_Survivability/MOA.html.
The U.S. is ever more vulnerable to EMP attack (although the likelihood of such attack is seen as remote), AWST, 28 July 1997, pg 67. For work on more likely threats, see AWST, 30 June 1997, pg 51.
OK, so the Y2K rollover is behind us and civilization has not fallen (yet). There are still lots of chances for everything digital to fall apart, and before you know it we're racing around the desert looking for fuel, just like Mad Max. Ahem. Anyway, note that many current versions of Unix would have trouble at Mon Jan 18 22:14:07 2038 EST, when the number of seconds since the Unix Epoch (00:00:00 01 Jan 1970) rolls over MAXINT.
The U.S. Department of Commerce approved export of PGP on 28 May 1997, but only:
- To overseas offices of U.S. firms on an approved list....
- ....and if those overseas sites are not in embargoed countries (Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria, and Yemen)....
- ....and with keys under 40 bits without special approval, or 40-52 bits with key escrow.
Sun Microsystems instead sells their overseas customers 128-bit encryption code from Elvis+, a Russian company — if the code never enters the U.S., there's no restriction! See IEEE Spectrum July 1997 pg 1.
As for the reactions of a totalitarian government, the People's Republic of China: "E-mail has become increasingly restricted. Every scientist with a terminal has to register the secret password with the police. This was put in 15 months ago [April 1996], just during the period of explosive economic activity." An interesting abuse of the term "secret password". See Scientific American, July 1997, pg 18.
A good article, "Nation's `Infosec Gaps' Given New Scrutiny Post-Sept 11", quite realistic and practical as "information warfare" material goes, AWST, 28 Jan 2002, pg 59.

Internet Banking, SET, etc

MasterCard and Visa have developed the Secure Electronic Transaction protocol, or SET. IEEE Spectrum had a special issue on Internet banking in February 1997. Many of these URL's are taken from pages 77-80 there:

Specifications and FAQ's:
- SET specification: http://www.visa.com/cgi-bin/vee/sf/set/intro.html/
- SET from the vendor: http://www.mastercard.com/
- SSL specification: http://home.netscape.com/info/security-doc.html/ and http://www.lsn.com/ssl.htm/
- TLS specification: http://www.consensus.com/ietf-tls/tls-protocol-03.txt
- TLS Ongoing Events: http://www.consensus.com/ietf-tls/
- Cryptography FAQ: http://www.rsa.com/rsalabs/faq/index.html/
- RSA FAQ: http://www.rsa.com/rsalabs/faq/faq_misc.html/
- Netscape Security: http://www.netscape.com/newsref/ref/netscape-security.html/
- Traceability: Peter Gemmell's work on electronic cash at Sandia: http://www.cs.sandia.gov/psgemme/main.html/
Vendors and General Info:
- CyberCash: http://www.cybercash.com/
- FSTC: http://www.fstc.org/
- NetBill: http://www.ini.cmu.edu:80/netbill/
- First Virtual: http://www.fv.com:80/
- GC Tech: http://www.gctec.com/
- Entrust: http://www.entrust.com
- White papers on electronic bill payment: http://www.nacha.org/ and http://www.ramresearch.com/crdflash/cf2_28h.html/.
Internet Banking:
- Security First Network Bank: http://www.sfnb.com/
- Security First Technologies: http://www.s-1.com/
- Check-Free Payment Services: http://www.checkfree.com/newcons.html/
- Peachtree Software: http://www.peachtree.com/echeck.html/
- Integrion Financial Network: http://homepages.ihug.co.nz/~crump/Integrion/

COMSEC (Communications Security — attacking cellular/mobile telephony)

Digital AMPS (a GSM competitor once popular in North America, although now end-of-life) uses CAVE — Cellular Authentication and Voice Encryption. It has three main functions:
- Authenticate to the network that the unit requesting service is a legal subscriber.
- Generate codes to protect control channel data, including all digits dialed on the keypad (dialed numbers, plus later PIN's etc). Control channel data is encrypted with CMEA (Cellular Message Encryption Algorithm).
- Generate two keys to "mask" the digitized forward and reverse voice channels.
The voice "masking" was known to be cryptographically weak in 1992. On 20 March 1997, Bruce Schneier (author of Applied Cryptography) and David Wagner (UC Berkeley grad student) announced breaking CMEA. The response of the Cellular Telephone Industry Association (CTIA) was to lobby for laws to make it illegal to break their breakable system, so they can continue to advertise it to an unwary public as "unbreakable".... See Monitoring Times, June 1997, pp 28-29, and http://www.counterpane.com/ for more details.
Targeted eavesdroppers prefer the Harris Triggerfish or the CCS Digital Data Interpreter, which use the non-voice data streams to track frequency changes, cell hand-offs, etc. Top-of-the-line, but pricey! The OKI 900 controlled by the right software running on a laptop is a lower-budget cellular intercept platform that's still pretty capable.
For more details on GSM hacking, see the announcement of GSM cloning and how security-through-obscurity isn't security at all, see: http://www.isaac.cs.berkeley.edu/isaac/gsm.html
Late 1999 saw announcements of GSM cracking (which, for the U.S.A., effects "Digital PCS" as well). Summarizing from Bruce Schneier's "Crypto-Gram" newsletter, 15 December 1999, http://www.counterpane.com/, the relevant algorithms are:
- A3, the authentication algorithm to prevent phone cloning
- A5/1, the stronger of the two voice-encryption algorithms
- A5/2, the weaker of the two voice-encryption algorithms
- A8, the voice-privacy key-generation algorithm
Schneier says, "These algorithms were developed in secret, and were never published. "Marc Briceno" (with the Smartcard Developer Association) reverse-engineered the algorithms, and then Ian Goldberg and David Wagner at U.C. Berkeley cryptanalyzed them. Most GSM providers use an algorithm called COMP128 for both A3 and A8. This algorithm is cryptographically weak, and it is not difficult to break the algorithm and clone GSM digital phones. The attack takes just 2^19 queries to the GSM smart-card chip, which takes roughly 8 hours over the air. This attack can be performed on as many simultaneous phones in radio range as your rogue base station has channels. " Summarizing now, the breaks and the publishing dates are:
- A3 and A8 — Can always be broken in 8 hours over the air (as above). All A8 implementations tested did not use COMP128, they used a weakened form! (April 1998)
- A5/2 — Can be broken in real-time without any trouble. (August 1999) http://cryptome.org/gsm-crack-bbk.pdf
- A5/1 — Given the first two minutes of the conversation, one PC with 128 MB of RAM and two 73 GB hard drives can find the A5/1 key in about one second. (May 1999)
Then in Feb 2008 Schneier again commented on A5/1 cryptanalysis. There had been quite a bit of coverage of announcements of further A5/1 cryptanalysis and practical systems to break GSM keys. This 2008 attack is completely passive, requires about US$ 1000 in hardware, and breaks the key in about 30 minutes:
The industry (predictably) claimed this was all impossible, as it required unavailable hardware. Yeah, right. Well under US$ 10,000 should provide a high-quality intercept station. For details of the analysis:
- http://www.scard.org/gsm/
- http://www.jya.com/crack-a5.htm
And for a project to design and build a relatively inexpensive GSM receiver and crack A5/1:
- GSM receiver for US$ 700: http://www.thc.org/gsm/
- A5/1 cracking project: http://wiki.thc.org/cracking_a5/
Further GSM security and insecurity references:
- GSM Security FAQ: Have the A5 algorithms been broken? http://www.gsm-security.net/faq/gsm-a5-broken-security.shtml
- GSM Security Algorithms: http://www.gsmworld.com/using/algorithms/
If you want voice COMSEC on the cheap, check out PGPhone — you use your computer's audio interface and PGP software to encrypt and decrypt a pair of audio streams. Find it in the PGP section.

Offensive Information Warfare / Information Operations

What they call information warfare (IW) or information operations (IO) is out there, but good luck finding much in the open literature. Just a few brief mentions, like a few sentences in AWST 12 May 2003 pp 62-63. Also be aware that the U.S. Department of Defense uses "information operations" to mean offensive information warfare, including denial of service attacks against data and network connectivity, and more subtly, rendering data or network connectivity worthless by degrading the other side's confidence on it. But at the same time, the Central Intelligence Agency instead uses "information operations" to mean obtaining data statically stored on systems or transiting networks, in order to analyze it and obtain an understanding of the other side's plans.

More recently, see Digits of Doom [AWST, 24 Sep 2007, pg 74], suggested that the U.S. military had started attacking jihadist web sites in the preceding few months. The article mentions:

USAF Cyberspace Command, including the 67th Network Warfare Wing
US Army's 1st Information Operations Command and its Information Dominance Center
Joint Functional Component Command for Network Warfare (JFCC-NW), a part of U.S. Strategic Command and a joint operation with the National Security Agency.
"Some of its missions include disrupting and invading networks, mining computer bases for intelligence, manipulating data as an element of information warfare and monitoring enemy command-and-control systems."
"Even with that resume, 'these aren't the only groups involved,' says a senior electronic attack specialist. 'Some are less obvious, but more capable.' In fact, the staff of Deputy Defense Secretary Gordon England has, for some time, been studying the use of deception operations against terrorist networks."

In other stories:

AWST reported that IW/IO was successfully used by the USAF against Iraq during 1991 and against Yugoslavia during the "Kosovo conflict" of early 1999.
- AWST, 26 Feb 2001, pp 52-53. "The first attack was limited to reading the e-mail of Iraqi commanders. But by the next conflict the tools were much more sophisticated. False messages and targets were injected into Yugoslavia's complex computer-integrated air defense system."
- AWST, 12 April 1999, pp 24-26. " `We shut their eyes [radar] down through jamming,' [an Air Force official] said. `Also, Air Combat Command has been conducting a lot of information warfare activity. By that I mean getting into their computer system and screwing it up. We're trying to use that capability. By getting into the microwave net, you can insert viruses and deceptive computer communications.' "
- AWST, 23 Aug 1999, 31-32. That article describes attacks on radar and military messaging systems. There were other reports about U.S. attack on Yugoslav banks holding Slobodan Milosovic's deposits.
- AWST, 30 Oct 2000, pp 67-68. EC-130H Compass Call systems intended to penetrate air defense computer systems, planting false messages and targets, did quite well as per a USAF/USN analysis. But the EC-138E Commando Solo TV/radio broadcast aircraft are of decreasing relevance now that direct-broadcast satellite TV systems are common throughout the world.
AWST has had several articles, including series of articles in some issues:
- There was an overview, several articles in the 19 Jan 1998 issue, pp 52-60.
- A series of articles in late 1999: 8 Nov 1999, pp 81-83; 15 Nov 1999, pp 93-96; 15 Nov 1999, pp 102-103.
- A series of articles in an issue concentrating on information warfare: 26 Feb 2001, pp 50-64.
- In a discussion of the 1 Oct 2002 transition of U.S. Space Command into the new Strategic Command (StratCom), "Command officials are advocating StratCom be designated the IO integrator for regional info operations, providing a global perspective and coordinating with other government agencies." 14 Oct 2002, pg 63.
- Also see 4 Nov 2002 pg 30, and 25 Nov 2002 pg 58.
Network World repeated some info found in AWST and elsewhere, v17, no47 (20 Nov 2000), pp 1, 16.
The USAF Fact Sheet: http://www.af.mil/news/factsheets/Information_Warfare.html
The U.S. Air Force Information Warfare Center: http://www.afiwc.aia.af.mil/
The U.S. Navy Information Warfare Division: http://iwd.mugu.navy.mil/
The USAF formed the 609th Information Warfare Squadron in early 1996, basing it at Shaw AFB, SC. AWST, 29 April 1996, pg 52; AWST, 3 Aug 1998, pg 23. A second squadron is being formed in California by the Air National Guard. AWST, 21 Sep 1998, pg 65.
In July 1998, the U.S. DOD and intelligence community are interested, but at least as far as anyone is saying, ethical and operational problems remain. Could disinformation turn against us? Where is the line between "prepping the battlefield" and an act of war? What about peacetime uses? The Director of the CIA director said don't worry, "we're not asleep at the switch in this regard," and a Senate staff member on an oversight community says, "The Defense Department has next to nothing to say about this in an unclassified form." See the Washington Post, 8 July 1998, A1, A10, there may still be on-line copies at:
- http://jya.com/cyber-how.htm — Washington Post article
- http://jya.com/dsd061198.htm — DOD talk on cyber defense
- http://jya.com/dsd062298.htm — DOD talk on cyber defense
- Federal Computer Week had something on this same story:
  - http://www.fcw.com/pubs/fcw/1998/0713/fcw-newscyber-7-13-98.html
  - http://www.fcw.com/pubs/fcw/1999/0927/fcw-newscyberwar-09-27-99.html
U.S. News had something 13 July 1998.
Offensive information operations were part of an exercise in 1998, involving NSA, DISA, and the Air Intelligence Agency. AWST, 21 Sep 1998, pg 65.
China and other countries were already doing it in 1998, according to the directors of the CIA and NSA. Information Week, 6 Jul 1998.
The National Infrastructure Protection Center (NIPC) is intended to detect and analyze attacks. Housed within the FBI, staffed by FBI, CIA, NSA, Secret Service, DOT (!), and other agencies. Network World, 14 Sep 1998, pp 8,74.
In July 2002 President Bush signed National Security Presidential Directive 16, ordering the government to develop rules for information warfare — establish when and how to attack enemy computer networks, select targets, define who should authorize and launch the attacks. Washington Post, 6 Feb 2003.
In Feb 2003 the U.S. DOD Strategic Command Joint Task Force - Computer Network Operations (JTF-CNO) was being reororganized into two task forces. One for network defense, the other for computer network attack (CNA). Federal Computer World, 7 Feb 2003.
Nonsense has happened in the past, and will continue. A 1991 InfoWorld magazine joke turned into an urban legend, reported seriously, by U.S. News and World Report, regarding the NSA sending virus-laden printers to Iraq. Nonsense: http://www.vmyths.com/hoax.cfm?id=123&page=3


© Bob Cromwell Jul 2008. Created with `/bin/vi,` hosted on OpenBSD with Apache. Root password available here