Information Warfare - New Frontiers of Destruction
by
Borys Pawliw


(Information Warfare is something that concerns us all, whatever industry sector we're involved in.
The information supply chain affects virtually everyone in society and this has made it the target of
entities who wish to exert power, influence and control over various environments. This study was
performed in order to inform the general public about an issue that is often mired in complex
terminology.)


Introduction
Until quite recently, warfare was concerned with the destruction of people, both military and civilian, as well
as physical infrastructures. To achieve this, information was a powerful component; details of troop
movements, knowledge of the intentions of a king and even the morale of soldiers have decided the outcome of
many battles. Consequently, various techniques have been used to acquire such knowledge and to prevent its
acquisition by hostile forces. But now, in the information age, the advances made in technology have
rocketed the importance of information in the context of warfare and conflict to a height unprecedented
in history. The combination of information and technology is now a powerful duality, a critical weapon support
system. Its control of all aspects of warfare is incredible: it includes weapons deployment and targeting,
logistics and supply chain for the military / industrial complex, satellite imaging, electronic eavesdropping,
tactical and strategic decision support systems and every form of telecommunications. It all combines to
make the art of manipulating information a new battleground that advanced societies cannot afford to lose.
But as civilian personnel are now the targets of military action, civilian information systems also offer a very
tempting target to those with destructive intentions.

This is the realm of information warfare; a field where sustained attempts are made to degrade or destroy the
controls that run key infrastructures we take for granted, such as power distribution, telecommunications and
financial transfer systems. This dimension is one that we have been involved in via a number of channels,
mainly with attempts to secure systems against attack and general examinations of the vulnerabilities of
various systems. This paper will focus on some key topics related to this area from a number of
perspectives. These will include the recent spate of malware that has made the headlines, the overall risks of
the Internet, telecommunications infrastructures, the human interface and the techniques used to enhance
security. Naturally, there are countless more topics we can address here (and will do so in the future), but we
feel that what we shall state here will give the reader a good idea of the main priorities.

Firstly, let us briefly define in more detail what Information Technology warfare is and why it has come into
prominence over the last few years.


Why this, Why now? - The Logic of it all
Golden Rule of Warfare: Whenever an adversary, whether actual or potential, begins to rely on something
(whether it be for their external utility [value to their society] or internal utility [personal happiness and
satisfaction levels]), it becomes that much more important for you to be able to disable or destroy it. This has
been the case with bridges, roads and factories in the past. Nowadays, information has assumed a role at
least as important as physical infrastructures in advanced Western nations. Information Technology (and by
that, we refer to both the utility of the information and the mechanisms used to generate, store and deliver it)
is now a resource that is critically relied upon by First World societies. It controls our financial systems, our
telecommunications, our power generation and distribution - just about every aspect of our comfortable lives
relies on mission critical IT. We are now at a stage whereby our dependence on it means its removal would
have a devastating effect on our external and internal utility. Thus, its value as a target for disruption
increases the more advanced a society we become. Worryingly, the capabilities to safeguard these systems
are nowhere near as advanced as the abilities available to disable them, as has been shown recently.

So who would wish to destroy these systems we so need? The practitioners of cyber-warfare range from
curious teenagers to some of the most secretive bodies under government auspices. Motives range from
curiosity and a competitive spirit to bloody-minded vengeance, financial reward and political gain. Whatever
the motivation, it is fair to state that the capabilities of individuals to engage in cyber-warfare are outstripping
the ability of organizations to defend against those attacks. The extent of this vulnerability was recently
highlighted in unusually spectacular fashion.


Cyber-nukes with Stealth - Advanced Malware
In the minds of most people, IT means computers and when hostile attempts are made to attack computer
infrastructures, they take the form of viruses, or their close relatives worms and Trojan Horses. All of these
come under the general name nowadays of malware (short for malicious software). With the explosive
proliferation of Internet systems, e-mail and our dependence on PCs, the potential of malware to cause
massive disruption to individuals' lives is greater than ever and will increase rapidly with the advance of the
Internet.

The wormExplore.zip program that struck in the early part of June 1999 brought a lot of factors to light. From
our own perspective, we were totally overwhelmed by the requests from some of our respective clients for
assistance in clearing up the malware and recovering wiped files, some of them bordering on panic. As a
result, we were set back considerably on other projects. This highlights another effect that malware has: the
efforts in fixing a problem divert massive time and resources away from other ventures, a domino effect that
adds to the total cost of correction.

This worm was devastating from a number of perspectives. Firstly, once it was sent from its original source, it
utilized an automatic mailing feature of Microsoft Outlook to replicate with incredible speed, sending itself via
e-mail to numerous targets that were contained in the unknowing sender's Address Book. Within a matter of
hours, it had infected hundreds of thousands of computers. Firewalls (hardware and software systems which
form a barrier between public and private networks) offered next to no protection against this particular
attack. The virus circumvented them by coming through the e-mail medium, which is not presently subject to
any meaningful checks. wormExplore.zip came as an attachment to the e-mail, specifically as a zipped
(compressed) document.

Normally, anti-virus programs should protect against this type of malware: the standard procedure is the
running of a virus scanner before opening the file. But with the speed of propagation and effect that this
worm exhibited, anti-virus programs are now largely ineffective in stopping something like this. Programs
from companies such as Norton and McAfee work via scanning files, searching for a data string (known as a
signature) that indicates the presence of a virus. These programs have thousands of virus signatures on file
and, upon finding a signature, can eliminate the virus whilst (usually) maintaining the integrity of surrounding
valid data.

The problem, obviously, is that the virus must be known about to be countered. However, all anti-virus
programs are useless against a virus that can replicate quickly across the Internet and various other network
types, infecting hundreds of thousands of computers within a day or so, often within a matter of a few hours.
A company such as McAfee, upon discovering a virus, immediately assigns a crack team to isolate it,
discover its characteristics and develop a program, or more specifically a patch to an existing program, that
counters it. But such a process usually takes 1-3 days once the virus has been identified (itself something
that can take up to 1-2 days after it has been released into the ether) - remarkably fast, but not fast enough.
Unfortunately wormExplore.zip did its maximum damage about 3-4 days after it was released, which is too
fast to counter using present methods.
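To make the signature-scanning model described above concrete, here is an added example (not code from the article or from any anti-virus vendor): a minimal scanner that searches buffers for fixed byte patterns from a signature database. The signatures and the "files" are constructed byte strings, not real malware; the point it demonstrates is the one the text makes, that a sample is only caught once its signature is on file, so a variant differing by a single byte passes unnoticed.

```c
/* Added example: a minimal signature scanner. Patterns and sample buffers
 * below are constructed for illustration and are not real malware signatures. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A signature: a name and a fixed byte pattern that identifies a known sample. */
struct signature {
    const char *name;
    const unsigned char *bytes;
    size_t len;
};

/* Constructed, hypothetical patterns. */
static const unsigned char SIG_A[] = { 0x4D, 0x5A, 0x90, 0x00, 0x51, 0x57, 0x45 };
static const unsigned char SIG_B[] = "DEL*.DOC";   /* placeholder text pattern */

static const struct signature DB[] = {
    { "Constructed.Sample.A", SIG_A, sizeof SIG_A },
    { "Constructed.Sample.B", SIG_B, sizeof SIG_B - 1 },   /* drop the NUL */
};
#define DB_LEN (sizeof DB / sizeof DB[0])

/* Return the index in DB of the first signature found anywhere in buf, or -1.
 * Binary-safe: zero bytes are allowed in both the buffer and the signature. */
int scan_buffer(const unsigned char *buf, size_t buf_len)
{
    for (size_t s = 0; s < DB_LEN; s++) {
        size_t n = DB[s].len;
        if (n == 0 || n > buf_len)
            continue;
        for (size_t i = 0; i + n <= buf_len; i++) {
            if (memcmp(buf + i, DB[s].bytes, n) == 0)
                return (int)s;
        }
    }
    return -1;
}

/* Constructed sample "files": a clean one, one carrying SIG_A at offset 2,
 * and a variant of the second with a single byte altered (0x57 -> 0x58). */
static const unsigned char CLEAN[]    = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 };
static const unsigned char INFECTED[] = { 0x00, 0x11, 0x4D, 0x5A, 0x90, 0x00, 0x51, 0x57, 0x45, 0x22 };
static const unsigned char VARIANT[]  = { 0x00, 0x11, 0x4D, 0x5A, 0x90, 0x00, 0x51, 0x58, 0x45, 0x22 };

int scan_clean(void)    { return scan_buffer(CLEAN, sizeof CLEAN); }
int scan_infected(void) { return scan_buffer(INFECTED, sizeof INFECTED); }
int scan_variant(void)  { return scan_buffer(VARIANT, sizeof VARIANT); }

int main(void)
{
    printf("clean:    %d\n", scan_clean());     /* -1: nothing matched */
    printf("infected: %d\n", scan_infected());  /*  0: Constructed.Sample.A */
    printf("variant:  %d\n", scan_variant());   /* -1: one byte changed, missed */
    return 0;
}
```

The variant is missed until an analyst adds a new signature for it, which is exactly the 1-3 day window the text describes; that is why signature scanning alone cannot keep up with a fast-spreading worm.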

The effect of wormExplore.zip was highly destructive, searching out and deleting Microsoft files on a hard
drive. This is in contrast to the vast majority of other malware entities, which are little more than annoyances,
doing no more than taking up space and causing the odd crash. Whilst the destruction of Microsoft files
hardly constitutes a threat to the fabric of civilization, it does highlight that many people now have vital
business documents created by Microsoft products; the destruction of these files hampered to some degree
many large to medium size businesses...and had a much greater effect on a myriad of smaller enterprises.

Worse still, the virus was in many ways a 'stealth' virus; disguising its intent by coming in an e-mail format
from a known source with a friendly and familiar message tone. We are all aware of the rule of not opening
attached files from unknown sources (or forwarded files from people who should know better). However, this
virus came from a known source, even using a recently utilized subject field. Individual security practices by
people are bad enough, but when malware is capable of making itself appear as coming from a known /
trusted source, the chances of combating it are considerably diminished.

As an aside, it was quite disappointing to note that many of the procedures that we had set in place
previously for system security were not properly adhered to (even though those procedures may not have
prevented this incident). When we inquired as to why, responses were usually that they were found to be
'unnecessarily' rigorous, or that staff found some of them offensive, in that they indicated a lack of trust on
management's behalf. This may be valid, but why then do we bother with customs and metal detectors at
airports? Don't we trust our citizenry? Staff must look at system security as a sign of the company looking
after their interests, of being a totally necessary operation. If people are made well aware that IT security
procedures are in their own absolute interests, their acceptance and practice of them will increase
significantly.

Who was responsible for this mayhem? All that is known at this stage is that the malware originated in Israel.
With a high degree of certainty, we can safely say that wormExplore.zip is the product of one or maybe a few
malcontents, who wished to see how much destruction and discomfort they could cause. The psychology of
these people is beyond the scope of this article, but an educated guess ranges from curious teens who believe that
they can get away with anything, to maybe someone in their twenties who for some reason has a grudge
against the world, maybe for missing out on the Internet stock boom...

Malware, in its various forms, is the most insidious weapon available to the attacker. And it will become
increasingly sophisticated in its capabilities. In the future, advanced malware will be able to dynamically
disguise itself against detection, being able to detect when an anti-virus program is operating. It would be
able to conceal its existence for days, propagating further and further and striking at a predetermined time. It
is possible to create malware that captures a user's logon script, which usually contains the pass-phrase to
high level access, e-mailing it to an anonymous address before deleting itself. More advanced versions
would even be able to encrypt themselves with PGP or S/MIME and use digital certificates. The possibilities
are as endless as they are frightening.

Why is all this possible? Normally, we do not approve of the passé sport of Microsoft bashing, because if
anyone is unhappy with a Microsoft product they are quite free to buy another program / operating system or
fix the problems themselves. But of course the vast majority of people in the world either cannot afford or do
not have the skills to do it. This places an extra responsibility on Microsoft to provide bullet-proof programs. It
also becomes clear that Microsoft has been largely responsible for releasing products onto the market that
do not make it sufficiently hard for people to exploit weaknesses. Microsoft is a company that through brilliant
marketing, some reasonably user-friendly products that are in most respects fairly well designed and being
at the right place at the right time, has achieved not so much market dominance as de facto standardization.
But success of this magnitude does carry an obligation, if only to prevent other companies from exploiting
the flaws of the products to their commercial advantage. The Seattle company should realize that it needs to
fix the considerable security holes in its products, as sooner rather than later increasingly sophisticated
attackers will target the weaknesses in more aggressive ways and cause a level of devastation that will
make wormExplore.zip seem like a non-event. Unless Microsoft lifts its game, a combination of malware and
consumer backlash may see it go the way of Apricot.

But poor software is not the only weakness of an IT system. Consider this: the typical new PC (as of mid
1999), running a 500 MHz Pentium III CPU, 128 MB RAM, 6.4 GB HDD, x6 DVD-ROM, can enter countless
trillions of discrete states (configurations) during its operation. This includes various states during boot-up
and during the execution / utilization of countless programs and other hardware devices. All of these actions
pose countless different opportunities for an attacker to gain unauthorized access to different levels of the
system. But again, it is malware that is needed to exploit vulnerable hardware.

So what can be done to counter malware? There is no doubt that many government / military entities have
devoted incredible resources to developing both offensive malware and defenses against it, most of which
will not be available in the public domain for many years, if at all. Regrettably, the sophistication of malware
even in the civilian arena is outpacing attempts to limit its effectiveness. There have been some attempts
made at developing programs that offer advanced malware protection: instead of searching for signatures of
known viruses, these programs search for data strings which are not consistent with known legitimate
programs and file types; unfortunately, the sheer number of programs and file types that have legitimate
uses means these programs will require some fundamental breakthrough in programming technology before
they have any real usability. Until then, only a combination of incredible vigilance on the part of users and
much more serious attention paid to security matters by programmers will limit the destructiveness of
malware, and even then the effects are likely to be no more than marginally mitigated.


Solve it with Semtex - A more traditional approach to Information Warfare
Information warfare is by no means limited to pimply-faced teenagers sitting in front of computers - the
traditional methods of physical attack still hold tremendous attraction to those bent on causing problems. As
an example, a devastating series of attacks would be to damage a transcontinental telecommunication
cable, or a major telecommunications junction. These attacks would take the form of traditional explosives
and there is very little that can be done to prevent them. While there are certain active and passive security
systems that monitor and protect some sensitive sites, the few that exist do little more than advise people that
they have a minute or so before something very unpleasant will happen. Indeed, such is the proliferation of
mission critical systems that it would be all but impossible to secure them all with active defensive systems
able to repel an attempted attack.

Traditional sabotage by force is still a very attractive option in many cases, even with all the pitfalls
associated with the same. The negatives are, of course, that physical proximity to the target increases the
possibility of being compromised, the fact that resources are spread over a huge geographic distance and
require more time and money to be effective and the risk of unintended casualties is high. The advantages
are permanent destruction that cannot be corrected with a few keystrokes, and the (debatable) psychological
damage on the public of seeing blasted remains of key strategic sites.


A House of Cards - Just what is possible...and how?
So far we have examined what malware is, how it spreads and the use of more traditional means of
destruction. Now we will see how that information can be combined and put to some productively destructive
use.

A study we conducted a while ago concluded that it would be possible to assemble a team of 30 specialists
that would be able to cause close to $1 trillion damage to the global economy within one month (but
with 2-3 months intensive lead planning that was not compromised). The team would comprise roughly 20
computer and telecommunications specialists, with the remainder being explosives and spec-ops experts.
Either the former or the latter are capable of causing large-scale problems on their own, but the combination of
the two would virtually annihilate any system redundancy. This would be accomplished by a series of attacks,
both physical and cyber, on the following:


Power creation and distribution
Specialized systems control the grid networks that distribute power throughout a nation. They link power
stations (nuclear, hydro-electric, fossil fuel and solar / wind) into the distribution grids (power lines and
transformer stations included) that deliver electrical energy where needed. In most of the world, the actual
control systems can be remotely accessed by public phone lines, dedicated secure lines (the locations
of which are not too difficult to obtain) or dedicated microwave links. Despite their crucial significance, the
security codes used to protect these systems are sometimes nowhere near the standard of secure credit card
processing Internet sites (which themselves have many problems). It is not too difficult to set up
remote transmitters or connect into lines that would be able to override legitimate control signals and shut
down the grids. We would concentrate our attacks on knocking out power to major industrial centers in the
North East of the US and the financial centers of New York, Chicago and Denver. Worldwide, the financial
centers of Tokyo, London and Frankfurt would be targeted, along with heavily industrialized regions of Japan
and the key EC nations. Any systems that could not be deactivated could be destroyed by radio
controlled explosives, which could be detonated via either a mobile phone or satellite link. Naturally,
targeting would also include power to water pumping facilities, the devastating effects of which are obvious
without further explanation being required.

Whilst not directly caused by sabotage, an incident in eastern Canada in January 1998 brought to the
forefront how completely crippling the denial of electricity could be to a modern society. An ice storm blacked
out much of the region, causing 7 million residents to lose power. Though power was quickly restored in
most cases, two weeks later over 500,000 people still had only intermittent electricity and some businesses
had to wait six more weeks until power was restored fully. The end result? Over 40 dead and an estimated
C$2 billion in total losses. During winter, that region of Canada is hardly an economic powerhouse - it is thus
obvious what a similar outage could do to a major industrial or financial center.


Financial transactions
The SWIFT system defines inter-bank transfers around the world, all but replacing the traditional telex
system. Even on quiet days, the system transfers several hundred billion dollars around the world and usual
volume is well into the trillion dollar range. Naturally, the security of the system is quite exceptional. Despite
this, it has 3 little known areas of vulnerability that are intrinsic to its architecture and very difficult to counter.
Armed with this knowledge and some very powerful mainframe computer resources, it is possible to bring a
substantial portion of the SWIFT system to a standstill. Of course, if pure telecommunications links could also
be harmed, then less effort would need to be given to disabling SWIFT. If SWIFT could be
disabled for about 3-5 days, then a substantial number of financial institutions worldwide would collapse.


Internet
The very nature of the Internet makes it impossible to 'disable' it totally, but it is a useful medium by which to
connect to private networks and other 'secure' systems. Using various hardware and software devices to
increase anonymity, the Internet provides an excellent gateway to accessing and disabling a multitude of
other systems.


Telecommunications
These include both land based and satellite links; to infiltrate the networks would permit one to control the power
distribution discussed earlier and affect the most vital communications medium that connects the world and the
single most critical component of the effectiveness of the Internet; to destroy the networks means no one
could utilize these systems at anywhere near full capacity. How would one accomplish this with a system that
is designed to be highly redundant? There are a number of options. In some countries which have older style
crossbar or side/side electromechanical switches, it is quite easy to seize and stack long distance trunk lines,
either inside or outside the country, with some knowledge of telephone control signals. The technique is
much harder with more modern electronic exchange systems, but is still possible if systems support in-band
control signaling. There are other techniques that involve EM-DEWs (Electro-Magnetic Directed Energy
Weapons), which are available to some entities, that can cause havoc with mobile phone systems. Mobile
phone systems (including AMPS, D-AMPS, GSM and CDMA) are much harder to target because of their
innate redundancy, but again attacks on certain switching systems would have severe effects. Satellite
systems present a different challenge; again it is possible to disable their ground stations, but a more
effective, if more difficult, attack is to change the orbit of various communication satellites and place them out
of alignment with ground signaling/relay stations. It has been proven possible with several test runs
performed by a certain company and, worryingly, by a team of hackers on a British military satellite earlier in
1999.

The actual techniques that would be used for attacks like this vary tremendously and even a brief description
of them would take a few thousand words. Thus, we wish to draw your attention to one very advanced but
powerful attack in the IT field that is not widely used - this is known generally as 'buffer overflow'. Essentially,
what is done is to feed the target a series of unusual commands that create errors in processing and 'nonsense'
output: this is the buffer overflow. With a little bit of guesswork and some extra sniffing around, the
knowledge that can be gained from the overflow gives a critical understanding of various facets of the
system that is being targeted for penetration. It allows executable programs to be written that can be used to
gain further knowledge or compromise system security / data integrity. This technique is quite challenging
and hardly the fastest way to go about doing things, but remains one of the most certain ways that any
system can be breached.
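The defect behind the 'buffer overflow' the text refers to is a fixed-size buffer filled without a length check. As an added example (not code from the article), here is that pattern in C beside its hardened form: the checked version refuses input that does not fit instead of writing past the end of the buffer. The buffer size and the "username" inputs are constructed for the example; no real program or protocol is involved.

```c
/* Added example: the unchecked-copy defect and its bounded replacement.
 * NAME_MAX and the inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed buffer size chosen for the example */

/* DEFECT: the length of src is never checked, so any input longer than
 * NAME_MAX - 1 bytes writes past the end of dst. What happens then is
 * undefined behaviour and depends on what sits next to dst in memory,
 * which is why overflows corrupt processing in unpredictable ways.
 * Shown only to illustrate the pattern; never called with over-long input. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);   /* no bound on how many bytes are written */
}

/* HARDENED: measure the input first, reject anything that does not leave
 * room for the terminating NUL, and copy with an explicit bound so the
 * write can never exceed NAME_MAX bytes. Returns 0 on success, -1 on reject. */
int copy_name_checked(char dst[NAME_MAX], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_MAX) {
        dst[0] = '\0';       /* leave a valid empty string, not stale data */
        return -1;
    }
    memcpy(dst, src, n + 1); /* n + 1 <= NAME_MAX, so this cannot overrun */
    return 0;
}

/* Constructed inputs: one that fits and one that is deliberately too long. */
static const char SHORT_INPUT[] = "alice";
static const char LONG_INPUT[]  = "alice_with_a_very_long_name_that_does_not_fit";

/* Returns 1 if the hardened copy accepted src and stored it intact, else 0. */
int accepts(const char *src)
{
    char name[NAME_MAX];
    return copy_name_checked(name, src) == 0 && strcmp(name, src) == 0;
}

int main(void)
{
    printf("short input accepted: %d\n", accepts(SHORT_INPUT)); /* 1 */
    printf("long input accepted:  %d\n", accepts(LONG_INPUT));  /* 0 */
    return 0;
}
```

In a real code base the length check belongs at every point where external input meets a fixed-size buffer, and the rejection should be logged so that a burst of over-long inputs is visible to whoever watches the system.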

However, if anyone was hell bent on causing real problems, then it would be desirable to employ traditional
forms of sabotage.

Explosives placed at several key junctures in the US and the EU would, when combined with electronic
attacks on systems, make a switch over to backup systems almost impossible. It would not be very difficult to
cut a major fiber-optic / copper cable undersea link with some diving equipment, a problem that would take a
few days to discover the exact location of and possibly a few weeks to rectify. It is important to note, if it is
not already clear, that redundancy in telecommunications systems makes it imperative to attack key
junctions / nodes, such as major exchanges. To completely knock out a network would have devastating
financial effects. As an example, the destruction of a single transoceanic fiber optic cable to 0% performance
will lead to revenue losses of around $1 million per second - and the extra costs associated with repairing it
and the degradation of other aspects of the information supply chain whilst repair work was being done will
increase that figure significantly.

The above observations have looked at the destruction at a civilian level, but what of the military? The
effects would no doubt be almost as devastating. As much as 95% of US military communications is routed
through commercial cables, towers and satellite links, the figures for other Western nations being of a similar
order. Whilst there exists an impressive series of redundancy in the US military and significant reserve
capabilities, there is no doubt that a significant attack on civilian infrastructures would have more than a
nuisance value as to military C4I effectiveness.

The above facts are not lost on the military. The Pentagon conducted their own study, which concluded they
could do similar damage to what was described above with 30 individuals and about $15 million, but it would
take 6 months. We view this as a little conservative, but that may be a reflection of the fact that the Pentagon
is having trouble attracting quality people with top level hacking skills (which we find a little hard to accept),
or more hopefully, it is aware of extra security measures that key infrastructures have that are not widely
known. One hopes...

You, too, can start an Apocalypse - Hacking Software for All
The above is a great cause for concern in terms of magnitude of destruction. But even more worrying is who
actually has the capability of doing it. If the above were only possible by highly skilled individuals of
responsibility or government entities, we would all be able to rest assured that such developments would be
unlikely to occur except in extreme circumstances. But that is not the case now. There is no doubt that
technology is making it possible to defend against unauthorized access to IT systems...but more so, it is
putting increasingly sophisticated tools of attack within reach of greater numbers of lesser skilled individuals.

As an example, one of the most worrying trends in cyber-warfare is the increasing ease with which viruses
can be made by greater numbers of people. A few years ago, creation of a virus was the realm of skilled
computer experts, who would often spend hundreds of hours perfecting their programs. Now, thanks to the
proliferation of user friendly, menu driven virus creation programs available from many of the 2,700 warez
(hacking) sites that existed as of the end of June 1999, relatively unskilled programmers are capable of
designing reasonably sophisticated viruses. Within a few months' time, it is entirely possible that someone
with no programming skills, but who is willing to spend maybe a hundred or so hours learning some crucial
techniques, will be able to create viruses which are as devastating as the best yet designed.

A few months ago, a certain company collaborated with a government body in the development of a SATAN
type tool, which was designed to be the last word (for at least a few months) in one stop shop automated
system hacking software. At just over 430 MB in size (not including dictionary files), it is most certainly one of
the most comprehensive programs of its kind yet devised. It was designed to sniff around and exploit
weaknesses in Windows NT, OS/2, Novell, Solaris and most UNIX systems, utilizing every kind of attack that
could conceivably be attempted, with the highest possible degree of automation. The program was native for
Solaris 2.1, but was designed in such a way as to be easily translated for other operating systems.

Naturally, the program had numerous (read a huge amount of) bugs that its creators had no time (or financial
incentive) to fix, but nevertheless the final client was quite excited by it. Whilst conspiracy theorists may well
suspect that secretive government bodies are now using this program for evil deeds against hostile powers
or citizens / corporations of dubious loyalty, the reality is much more mundane. The program was designed
to be studied and tested for countermeasures, as an example of what the private sector is capable of
providing that could be accessed by hostile elements. Of course, the creators were expressly forbidden from
disseminating this program. However, it is fairly obvious that there are other firms who would be able to
produce similar programs, but would be happy to make the same available to anyone for the right price.


Cyber-warfare Inc. - Corporate espionage
And for the right price, corporate espionage becomes a very enticing prospect for many companies. This is
the commercial end of cyber-warfare, estimated to cost enterprises around $10 billion per annum in terms of
value of information compromised, contracts lost and in money spent on advanced countermeasures, a
figure which is probably very conservative. But do not make the assumption that this form of cyber-warfare is
practiced exclusively by companies against other companies. It is widely acknowledged that the French
intelligence service maintains a dedicated arm against foreign corporations that compete against French
firms, namely defense firms such as Dassault and Matra. But it is a little unfair to single the French out for
special mention - MI6 of the UK, the CIA and the NSA in the US and every other intelligence service of note
is specifically instructed by its government to monitor information from other, supposedly friendly nations,
that may be useful for trade negotiations or to national companies that need information on rival product
development or market leads. Examples are widespread: the US has used the Echelon surveillance system
against Australia in wheat sales contracts to numerous countries and the Germans have used agents in
major US aerospace firms that compete against the Airbus consortium, to name but two incidents.

The most common forms of espionage practiced range from eavesdropping on rival firms' telephone
communications and interception of e-mail to planting agents in organizations to weed out critical data. The
entire area of corporate espionage is one which will grow as information within organizations becomes an
even more valuable commodity for generating profit...and it is only a matter of time before actions become
more hostile in nature, moving into active attempts to degrade or destroy a target's IT infrastructures, as now
occurs with some governments.


Cyber-warfare - Ideas and Action
The US has some excellent cyber-warfare capabilities, as do Russia, Sweden and the UK. Indeed, Russian
efforts are quite advanced in many areas, thanks to an academic culture which stressed the importance of
mathematics and logic theory, two of the core competencies at the highest levels of computer science. The
present crisis in that country has not changed the fact that there are some exceptionally capable computer
specialists there, who are well able to cause considerable damage to an intended target. Cyber-warfare
capabilities are much easier (and infinitely cheaper) to develop than a fifth generation fighter aircraft and,
when properly applied, are capable of doing far more damage to an IT dependent society than a single
attack aircraft. Indeed, Russia could do amazing things with $100 million devoted to expanding its cyber-
warfare capabilities, money which would otherwise be spent on more traditional weapons systems that it
can nowhere near afford to bring to fruition. A few networked computers staffed by capable individuals
would have a devastating capacity for playing havoc with key US infrastructures.

A good example of hostile cyber-warfare for strategic effect occurred less than two months ago. It should be
noted that during the recent action against Serbia, key Western Internet sites which had some connection to
Allied Force operations were subject to various cyber-warfare attacks. The most obvious of these was the
denial of service attack on the http://www.nato.int site. There were some sophisticated attempts to alter the
site's contents, but thanks to good security systems these proved unsuccessful. However, one simple, co-
ordinated attack had very damaging results. Large numbers of Serbs and Serb sympathizing Internet users
around the world mounted 'pinging' attacks. A ping sends a small ICMP echo request packet to a host, which
must answer with an echo reply; the sender uses the exchange to check that the host is reachable and to
measure the round trip time (counting the nodes between the two machines is the job of the related traceroute
tool). Answering each request costs the target a little processing and bandwidth and slows it down slightly.
The technique has quite legitimate uses, but when hundreds or thousands of people do it simultaneously, the
host becomes simply bogged down with responding to the pings and is rendered unusable for legitimate
users. The attack needs no vulnerability in the target at all, which is precisely why it is so hard to prevent:
each individual request is indistinguishable from ordinary traffic.
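To make the mechanics concrete, here is an added example (not code from the original article) of the detection side: a small Go program that reads per-packet log lines in a constructed, assumed format of `<unix second> <source> <destination> <icmp type>`, counts echo requests per destination per second, and raises an alert when a one-second window exceeds a threshold. The sample log embedded in it is constructed for the example; one host pinging once a second is left alone, while nine sources hitting the same host in the same second trip the alert.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of per-packet log lines (assumed format, not from the page):
// "<unix-second> <src-ip> <dst-ip> <icmp-type>". 10.0.0.5 is a legitimate user
// pinging once a second; the 203.0.113.x hosts are a crowd hitting the same
// target in the same second.
const sampleLog = `
1000 10.0.0.5 192.0.2.10 echo-request
1000 192.0.2.10 10.0.0.5 echo-reply
1001 10.0.0.5 192.0.2.10 echo-request
1001 203.0.113.1 192.0.2.10 echo-request
1001 203.0.113.2 192.0.2.10 echo-request
1001 203.0.113.3 192.0.2.10 echo-request
1001 203.0.113.4 192.0.2.10 echo-request
1001 203.0.113.5 192.0.2.10 echo-request
1001 203.0.113.6 192.0.2.10 echo-request
1001 203.0.113.7 192.0.2.10 echo-request
1001 203.0.113.8 192.0.2.10 echo-request
1002 10.0.0.5 192.0.2.10 echo-request
1002 192.0.2.10 10.0.0.5 echo-reply
`

// Alert names a one-second window in which echo requests to one host
// exceeded the threshold.
type Alert struct {
	Second  int64  // start of the one-second window
	Dst     string // host being pinged
	Count   int    // echo requests seen in that second
	Sources int    // distinct source addresses behind them
}

// DetectEchoFlood counts ICMP echo requests per (second, destination) and
// returns one Alert for every window whose count exceeds threshold, oldest
// first. Replies and malformed lines are ignored.
func DetectEchoFlood(packetLog string, threshold int) []Alert {
	type window struct {
		sec int64
		dst string
	}
	counts := map[window]int{}
	sources := map[window]map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(packetLog), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[3] != "echo-request" {
			continue
		}
		sec, err := strconv.ParseInt(f[0], 10, 64)
		if err != nil {
			continue
		}
		w := window{sec, f[2]}
		counts[w]++
		if sources[w] == nil {
			sources[w] = map[string]bool{}
		}
		sources[w][f[1]] = true
	}
	var alerts []Alert
	for w, n := range counts {
		if n > threshold {
			alerts = append(alerts, Alert{w.sec, w.dst, n, len(sources[w])})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Second < alerts[j].Second })
	return alerts
}

func main() {
	for _, a := range DetectEchoFlood(sampleLog, 5) {
		fmt.Printf("second %d: %d echo requests to %s from %d sources\n",
			a.Second, a.Count, a.Dst, a.Sources)
	}
}
```

The point is that the detection cannot be by signature, since every packet is a perfectly ordinary echo request; it has to be by rate and by the number of distinct sources, which is also what tells an administrator to ask the upstream provider to rate-limit ICMP rather than to hunt for a single attacker.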

This is hardly a cause for unmitigated panic. No sensitive data is maintained on this server: it exists, like
the vast majority of other government Internet sites, as little more than an electronic brochure, and sensitive
data is almost always maintained on very separate systems, which in NATO's case is CRONOS. But it did cause
severe embarrassment to NATO, which was most likely the key intention all along.

More worrying, however, was the use of e-mail and bulletin boards to give details of Allied attack flights from
the Aviano base in Italy and, to a lesser degree, from bases in the UK and Germany. This gave Serbian air
defenses a useful time reference as to when to expect the planes to strike, and there remains a real
possibility that the loss of the single F-117 Nighthawk strike aircraft was in part caused by Serbian gunners
being told when to expect the planes. The ability to transmit information rapidly and reliably around the
world places the Internet's cyber-warfare capabilities in the same league as traditional intelligence and
espionage techniques.


Man as the weakest link - Security and the human factor
What is a continued source of bemusement to many experts is how one-dimensionally many people view IT
security services. A good example occurred recently when a large IT firm was called in to secure the IT
systems of a Fortune 300 company. The client believed that the consultants would simply have a look at their
computers. They expressed astonishment when the consultants started to question their staff screening
procedures, internal hierarchies of trust and even their cleaning and support staff, whilst simultaneously
addressing the hardware and software issues. Yet the whole idea of IT security is a total package, one that
must place as much emphasis on the human element as on the technical. Indeed, it is the disgruntled
employee, especially a systems administrator, who poses a far greater threat to the security of a system than
any external force.

Despite this, we often see very disturbing examples of total disregard, deliberate or otherwise, of security
procedures. It seems systems security is regarded by many as a chore, an annoyance that, if circumvented at
some times, in some places or in some ways, will not be noticed and will not cause any damage. In most
cases, that is the way it turns out. It is equally true that most people will not need car insurance between
0745 UTC on 24th October and 2154 UTC on 8th November, 1999. But who would take that risk? Systems
security procedures need to be drilled into people over and over again, so that they come to look upon
choosing a bad pass-phrase in the same way as leaving a car door unlocked with the keys in the ignition in a
high crime neighborhood. When individuals start to regard IT security with the same seriousness with which
they regard the safety of their person and personal effects, that is when real results will be achieved.

Talking with some of the most experienced people in this sector, one soon learns that the most sophisticated
buffer overflow techniques (described later), state of the art computers to crunch passwords and the most
brilliant computer scientists and mathematicians...all of these pale next to what a single, disgruntled insider
can do. It is not so much the outside hacker but the insider that organizations need to fear. A study by the
Gartner Group showed that, by a ratio of 4 to 1, 'serious' breaches of IT security were perpetrated by
employees, not by external elements. That brings a whole new human dimension to IT warfare: staff morale
and loyalty...as well as mechanisms to ensure that the latter is checked on a reasonably regular basis. Again,
an integrated approach is required. But is the enormous cost of something like this worth it?

Organizations need to balance risk. What is the incentive for someone to attempt to attack a system, from
either an internal or an external vantage point? An international charitable organization that is not involved
in politically 'hot' issues is hardly a prime target for attack, whereas a large financial institution would be a
prime target both for criminals attempting to make fraudulent transactions and for anarchists trying to make a
political point. Similarly, there is not much sense in spending hundreds of thousands of dollars attempting to
circumvent a system if the reward is going to be a few thousand dollars on a one-off basis. Given this, the
best starting point for a company is a security audit, either via internal resources or by contracting external
assistance.

We are often called upon to perform tasks like this. Unfortunately, we usually find more security weaknesses
than our clients can afford to fix: many of the weaknesses would require substantial system redesign or even
a near total scrapping of existing systems. Thus, we are faced with creating a prioritization list, based on
time, cost and likelihood of being discovered, that determines which security holes are filled and which are
left unfilled to hopefully remain undiscovered. This is hardly optimal and something we are not happy doing:
what happens if a system administrator becomes disgruntled with a company and suddenly remembers a
certain report...?

One very disturbing incident which highlights a number of weaknesses in system security is the attack on US
DoD computers in February 1998, perpetrated by two teenagers in the US and one in Israel. The attack
actually disrupted troop deployments to the Persian Gulf. The Director of the NSA, Lt. General Minihan,
described the attack as 'moderately disruptive' and stated that 'the vulnerabilities exploited are relatively
easily fixed'. These comments, whilst not incorrect, are hardly reassuring in light of the following.

Firstly, the attackers, whilst certainly above average in their capabilities, were hardly of magna cum laude
quality: the fact that they were able to find a weakness means a huge number of other individuals would be
able to do the same. Secondly, the attack exploited a weakness in the Solaris operating system that had been
known about for over a year before the attack, and system administrators at the DoD had been instructed to
fix it the preceding December. The reasons why they failed to do so are still unclear. That it was easily fixed
is not the issue: that it wasn't fixed until after the heavily publicized attack reflects very real problems
relating to systems management, responsibility, motivation and perhaps morale. Weaknesses and
vulnerabilities are well known in many critical systems, but unfortunately at least part of the Three Monkeys
syndrome is prevalent among many system administrators in the US military, as well as in the civilian arena.


The Answers - Security solutions for a silly planet
So what are the solutions? The overall answers are: more money (naturally!); more awareness of the
problem amongst key players and a more serious approach to it all. No surprises there. More specifically, the
mechanics of enhancing systems security are indicated below:


Redundancy
This simply refers to having duplicate, or better still multiple, copies of hardware and software which mirror
those of the primary system. If one component fails, another is automatically brought on line. Most major
financial institutions have a total mirror system, including staff, which duplicates the functions of the primary
in the event of catastrophic failure, such as a terrorist bombing. Naturally, the cost of something like this is
prohibitive for all but the wealthiest organizations, whose demand for total integrity and availability of their
information systems warrants the huge cost. One caveat: a mirror faithfully copies whatever the primary
holds, including corrupted data and a compromised configuration, so redundancy protects against loss of
service, not against intrusion.


Shadows
Information security is usually the job of the IT department in an organization, but can all the individuals in it
be trusted? Many organizations feel the answer is yes...generally. In order to allay any fears, senior
management in an organization sometimes wishes to gain a 'master eye', otherwise known as a shadow.
These are essentially mirrors of advanced audit logs, well hidden within the system and usually unknown to
anyone within the IT department. Generally, the only people with access to this system are the CEO and one
other individual appointed by them. This provides an ultimate overview capability to an individual as near to
absolute trust as it is possible to get. The shadow is usually set up by an external entity as part of another
project. Of course, the shadow's code needs to be completely hidden, as must the method of transmitting its
data to the intended recipient. The cost of this type of system is considerable, usually running well into the
$2-3 million range for large IT systems, as each shadow must be carefully and uniquely designed after
detailed study of the total system architecture.
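The concept is easier to see with a concrete design. The following Go program is an added example, not the author's product or any particular vendor's: the hidden collector tags each audit record with an HMAC that chains it to its predecessor, then replaces its key with a hash of that key and discards the old one, so that even an administrator who later finds and takes over the collector cannot rewrite records already sent. Only the recipient (the CEO's appointee) holds the initial key and can verify the whole chain. The demo key, the record texts and the forward-secure key ratchet are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record plus a tag that binds it to everything before it.
type Entry struct {
	Seq    int
	Record string
	Tag    string // hex HMAC-SHA256 over (previous tag, seq, record) under that entry's key
}

// Logger is the hidden collector inside the monitored system. It holds only the
// key for the next entry: after each append the key is replaced by its hash and
// the old one discarded, so an administrator who later finds and compromises
// the collector cannot recompute tags for entries already emitted.
type Logger struct {
	key  []byte
	seq  int
	prev string
}

func NewLogger(initialKey []byte) *Logger {
	return &Logger{key: append([]byte(nil), initialKey...)}
}

func entryTag(key []byte, prev string, seq int, record string) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s\x00%d\x00%s", prev, seq, record)
	return hex.EncodeToString(m.Sum(nil))
}

func nextKey(key []byte) []byte {
	h := sha256.Sum256(key)
	return h[:]
}

// Append tags a record, ratchets the key forward and returns the entry that is
// transmitted to the shadow's recipient.
func (l *Logger) Append(record string) Entry {
	e := Entry{Seq: l.seq, Record: record, Tag: entryTag(l.key, l.prev, l.seq, record)}
	l.key = nextKey(l.key)
	l.seq++
	l.prev = e.Tag
	return e
}

// Verify is run by the recipient, who keeps initialKey offline and never gives
// it to the monitored system. It returns the index of the first entry that does
// not fit the chain (modified, replaced or preceded by a deleted entry), or -1
// if every entry is intact.
func Verify(initialKey []byte, entries []Entry) int {
	key := append([]byte(nil), initialKey...)
	prev := ""
	for i, e := range entries {
		want := entryTag(key, prev, i, e.Record)
		if e.Seq != i || !hmac.Equal([]byte(e.Tag), []byte(want)) {
			return i
		}
		key = nextKey(key)
		prev = e.Tag
	}
	return -1
}

// SampleChain builds a constructed three-entry chain under a demo key.
func SampleChain() ([]byte, []Entry) {
	key := []byte("constructed demo key: the real one is generated offline")
	l := NewLogger(key)
	var entries []Entry
	for _, r := range []string{
		"root shell opened from 10.0.0.5",
		"user alice added to group wheel",
		"audit daemon stopped by admin",
	} {
		entries = append(entries, l.Append(r))
	}
	return key, entries
}

func main() {
	key, entries := SampleChain()
	fmt.Println("intact chain, first bad index:", Verify(key, entries))
	entries[2].Record = "audit daemon restarted after maintenance"
	fmt.Println("after rewriting entry 2, first bad index:", Verify(key, entries))
}
```

Verify catches a modified, replaced or deleted entry at the first point the chain breaks. What it cannot catch on its own is truncation of the tail, since a chain cut short is still internally consistent; the recipient therefore also needs an expected entry count or a periodic heartbeat entry, and the initial key must never be present on the monitored system.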


Diversity
Diversity is one area that many entities adopt out of necessity, but perhaps do not implement in the way
most advantageous to enhancing security. This technique essentially means using components or sub-
systems of various designs in the same system, components that were not originally meant to integrate
seamlessly. The advantage is in defending against a single type of attack, as different systems have different
vulnerabilities. System diversity is, unfortunately, incredibly expensive to integrate into one seamless
package, which explains why IT companies have so much work. Also, diversity may cause unforeseen and
unintended interactions that create new vulnerabilities. One tactic which employs the concept of diversity is
out-of-band signaling, a technique that separates the control channels from those that carry the actual data
content.


Cryptography
This is one of the main defenders against cyber-warfare, making the data useless to anyone not in
possession of the pass-phrase or private keys. In addition, via the use of digital signatures, cryptography also
authenticates the originator's identity and verifies that the data has not been tampered with en route.
Cryptography does not by itself do much to prevent access to a system, but it does make the data unusable if
the system is compromised. Unfortunately, US export controls still keep the strongest cryptographic products
inside the US, which is good news for US companies but not so good for other nations' firms, which must
make do with cryptography that the US intelligence agencies are often able to compromise.
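As an added example (not from the original article), the following Go program shows both roles in one exchange: AES-256-GCM makes the message useless without the symmetric key, and an Ed25519 signature over the ciphertext lets the recipient confirm the originator and reject anything altered en route before attempting to decrypt. Keys are generated inside the program for demonstration only, and the message text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKeys generates a fresh AES-256 key and an Ed25519 signing pair. Demo only:
// in practice keys come from a key management system, never from the code.
func NewKeys() (aesKey []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey, err error) {
	aesKey = make([]byte, 32)
	if _, err = rand.Read(aesKey); err != nil {
		return
	}
	pub, priv, err = ed25519.GenerateKey(rand.Reader)
	return
}

// Protect makes msg useless to anyone without aesKey (AES-256-GCM) and then
// signs the ciphertext with the originator's private key, so the recipient can
// check who sent it and that nothing changed en route before decrypting.
func Protect(msg, aesKey []byte, priv ed25519.PrivateKey) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, msg, nil) // nonce || ciphertext || GCM tag
	return append(sealed, ed25519.Sign(priv, sealed)...), nil
}

// Unprotect verifies the signature against the claimed originator's public
// key, then decrypts. A bad signature, a flipped bit or the wrong AES key all
// produce an error rather than plaintext.
func Unprotect(blob, aesKey []byte, pub ed25519.PublicKey) ([]byte, error) {
	if len(blob) < ed25519.SignatureSize {
		return nil, errors.New("message too short")
	}
	cut := len(blob) - ed25519.SignatureSize
	sealed, sig := blob[:cut], blob[cut:]
	if !ed25519.Verify(pub, sealed, sig) {
		return nil, errors.New("signature check failed: wrong originator or tampered data")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	aesKey, pub, priv, err := NewKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; no real schedule is involved.
	blob, _ := Protect([]byte("constructed sample: sortie times for 0400Z"), aesKey, priv)
	fmt.Printf("wire form is %d bytes of ciphertext plus signature\n", len(blob))
	msg, err := Unprotect(blob, aesKey, pub)
	fmt.Printf("recipient got %q, err=%v\n", msg, err)
	blob[len(blob)/2] ^= 0x01 // one bit flipped in transit
	_, err = Unprotect(blob, aesKey, pub)
	fmt.Println("after tampering:", err)
}
```

The order matters: the signature is checked first, so a forged or tampered blob is rejected without touching the decryption key, and the three failure cases (tampered ciphertext, wrong symmetric key, wrong signer) all end in an error rather than in plausible-looking plaintext.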


Firewalls
Firewalls offer some protection against unauthorized intrusion, however they should not give the total peace
of mind that some people believe they provide. As mentioned earlier, these are dedicated hardware /
software systems which form the juncture between public and private networks. Their weaknesses stem
mainly from poor password protection and operating system weaknesses, plus some program vulnerabilities
that make it possible for a concentrated attack to breach system security. A firewall also inspects only the
traffic that crosses it: whatever it is configured to permit passes untouched, and it sees nothing of an insider
who is already on the private side.


Intrusion tolerance
This is one theory that is quite sensible in its approach, if a little pessimistic (or realistic). It assumes the
worst, in that access controls will fail at times, so a layered security approach is adopted. The stored data is
thus encrypted, compressed and / or broken into segments that are useless unless combined in the correct
manner (compression adds no secrecy by itself; it is the encryption and the splitting that do the work).
Intrusion tolerance also includes the 'hell's gateway' concept, which we are quite fond of, that involves
creating a deliberate pathway or weakness in a system which only the most capable of attackers would
find...a pathway that leads nowhere, whilst still convincing the attacker they are heading in the right direction
by giving away some enticements, in the form of small packets of data or a mirage of penetrating further into
a multi-layered security system.


Staff Training and Morale
This encompasses the full gamut; it includes making certain staff are fully aware of their system security
responsibilities and are kept up to date with new developments in an easily accessible manner. It should also
include enhancing staff awareness of attempts to break into systems, whether by electronic or other means.
Next, staff simply need to be kept satisfied with their treatment by their employer; bitter staff, unhappy with
company work practices, pay or other decisions, are the most dangerous threat to security a company has.
Appropriate staff morale and a sense of loyalty will severely diminish the resources a company has to devote
to tackling this most dangerous of vulnerabilities.

None of the above is much use in isolation, but when they are combined with each other in an intelligent
approach that assesses real risk, information warfare becomes much, much harder to perpetrate against an
organization.


Conclusion
It should now be obvious that the scope of the subject is impossible to address in anything less than a set of
encyclopedic references. Information warfare is a new frontier that demands constant and detailed attention
across a huge range of areas. It counts amongst its practitioners everyone from teenage pranksters to top
flight scientists working on the most classified of government programs, all with wildly different agendas,
capabilities and ultimate intentions. No one is safe from it as long as he or she wishes to live in an
information intensive society. Only a combination of the factors discussed above can mitigate the effects of
cyber-warfare. But as such a combination is unlikely on a broad scale, we should all be prepared for more
malware catching the e-society unawares and making life that much more annoying. Whether from a lone
teenager or government sponsored, cyber-warfare will become a new form of terrorism which will have a
serious effect on all our lives into the new millennium. We can only hope that we are able to limit the number
of these attacks and mitigate the most negative effects of the ones that can't be prevented.



Borys Pawliw is the Director IT and Research at Nysâs Results Group. He is based in Sydney, Australia and
can be reached at borys.pawliw@nysas.com



