Computers & Security, 20 (2001) 568-572
Incalculable potential for damage by cyber-terrorism
Stephen Hinde
The attacks on 11th September were physical attacks on organizations and their employees. But it could just as easily have been a cyber attack. Indeed, a cyber attack coupled with the physical attack could have wrought far greater damage. In the wake of the disaster, the Federal Bureau of Investigation’s counterintelligence division issued an advisory to all public and private sector members of its InfraGard programme (a group of companies and government agencies) to intensify both physical and cyber-security. According to data security experts, there are concerns that co-ordinated cyber-attacks might be launched against the US telecommunications grid.
Infrastructure overload

As it was, the Internet slowed up and many people could not get on because of the heavy demand, not just for instant updates (especially as so many in Europe were at work when the attack occurred) but also because so many of the news sites carried video, adding to the volume of web traffic. An estimated 80% of the Internet sites in the US experienced downtime. This was somewhat reminiscent of the Denial of Service attacks of 7th February 2000 (see Computers & Security Journal Volume 19 Issue 2 for details). Infrastructure overload, whether deliberate or an accident of timing such as the rush to seek information (Twin Towers attack, Starr Report into President Clinton), results in the same outcome: denial of service.

Customers of Demon Internet’s ADSL and leased line division suffered a double failure as a result of the terrorist attack and the Nimda worm. Internet connections from Telehouse in New York, a major site for transferring information across the Internet, were badly affected by the attack on the World Trade Center. As a result, Demon and other Internet Service Providers had to look for other sources of bandwidth to keep their services running. During reconfiguration to take into account the loss of services at Telehouse, something went wrong. At around the same time the Nimda worm was making its presence felt, not in Demon’s own infrastructure but through the huge increase in traffic generated by its infected customers. About 10% of Demon’s ADSL customers were affected, some without access for three days.

Experts are also concerned that US hackers might retaliate against government and corporate websites in the Middle East, spawning counter-attacks on the US. We have already had a foretaste of this between Israeli and Palestinian sites as part of the current difficulties, and between the US and China as a result of the spy plane incident earlier this year.
0167-4048/01$20.00 © 2001 Elsevier Science Ltd
The need for security vigilance

Utimaco Safeware, the Internet security specialist, expects increased demand for professional security systems that provide effective protection against targeted attacks by cyber terrorists. Experts primarily fear revenge attacks from terrorists over the Internet in the wake of any possible US military action. The global data and financial network has many points that make it vulnerable to attack, manipulation and sabotage. In such places cyber terrorists could launch highly effective attacks on financial markets and commercial centres, with the potential for incalculable damage. The exchange of information between security services is also at risk. The FBI has proven contacts between Osama bin Laden and hackers who successfully infiltrated the Internet servers of the American Defence Information Systems Agency. Flight security systems are also possible targets for attack, with the potential for high levels of damage. Analysts from Gartner and the American National Infrastructure Protection Center (NIPC) have recommended that companies and government bodies now carry out thorough checks on their security systems to detect any possible gaps. Companies that until now have been satisfied with 90% security levels in their networks should try to get as close to 100% security as possible.
...and security guarantees?

But, according to Paul Strassman, former Chief Information Officer at the US Department of Defense, IT directors will soon have to take personal responsibility for the computer systems under their remit and be prepared to sign guarantees for the integrity of their networks. He warned that: “IT is a weapon for economic power. A terrorist’s aim is to disable and paralyze, and the most obvious target for high pay-offs is the Internet. If you are working for a company with 5,000 servers and you have not put in the necessary protection, your system could be held responsible for generating damage. CIOs will have to sign to certify their systems are secure, and they had better start getting ready for this. Would a CIO sign to certify that he has protected the company against Nimda today?” Strassman went on to say the authorities will be issuing new requirements and standards for security, and are likely to set up stringent measures to deal with those found negligent.

Thomas Horton, Chairman of the National Association of Corporate Directors, addressing the issue of Information Security Governance, said: “Just as an audit committee does no auditing, a board of directors cannot provide information security. But by asking trenchant questions and insisting on clear, responsible answers, the board can provide a level of needed oversight to this vital business function that is adequate and necessary, and in doing so, exercise its essential duty of care.” He was quoted in Information Security Governance: What directors need to know. This document was developed by the Institute of Internal Auditors in co-operation with the National Association of Corporate Directors, supported by the Critical Infrastructure Assurance Office of the [US] Department of Commerce, and was based on the six related summit conferences held during 2000. The Critical Infrastructure Assurance Office was, inter alia, charged by President Clinton with creating national awareness about the importance of information security to the nation’s critical infrastructure. The American Institute of Certified Public Accountants, the Information Systems Audit and Control Association, the Information Systems Security Association and the US Chamber of Commerce also partnered in the project (see http://www.theiia.org to obtain a copy of the report, or http://www.ciao.gov for details about critical infrastructure protection and assurance).

Current technologies for Internet security make it possible to securely identify both people and Web servers by digital certificates, non-hackable smartcards or biometric techniques.
Security gateways allow standard browser security functions to be used more extensively to authenticate users and servers, and also for encryption. These can also effectively prevent unauthorised accesses before they reach the actual firewall systems. The integrated digital signatures in browsers or email programs safeguard against manipulation and deception.

There are also intrusion detection systems (IDS). These are designed to prevent attacks on computer systems and, like the Borg of Star Trek fame, are meant to learn from each attempt and to assimilate this knowledge into the detection engine. The question for computer auditors and security professionals is how effective the detectors are. I commented in my editorial on whether puffing smoke directly into a smoke detector is indicative that the alarm will work when there is real smoke in the room. Andrew Hiles, founder of Survive!, conducted trials of the efficacy of smoke detectors when he worked at the UK Atomic Energy Authority at Harwell, England. He demonstrated that even with highly sensitive VESDA detectors installed in accordance with the British Standard on fire protection (BS6266), it took over 45 minutes for the smoke to trigger the detectors because of air turbulence caused by the air conditioning system. Thus detectors that exceeded the British Standard were proven to be inadequate to the task. Testing smoke detectors is something that I think we could all manage. Testing intrusion detection system software is an altogether more esoteric science.

Help is claimed to be at hand from ISS X-Force, which has been researching a new attack tool that can be used to stress test intrusion detection systems. The new tool, dubbed “Stick” by its creators, has been reported to reduce performance and/or deny service to many commercial IDS products. Stick has been reported to direct thousands of overt attacks at IDS systems; the additional processing required by the IDS to handle the new load causes a Denial of Service (DoS). Stick does not employ any new methods, nor does it expose any new flaws in signature-based IDS. It uses the straightforward technique of firing numerous attacks at random, from random source IP addresses, to purposely trigger IDS events. The IDS will attempt to keep up with the flood of events, but if incoming events cross the IDS detection threshold, a DoS may result. The effectiveness of the Stick attack is a function of the attacker’s available bandwidth: Stick is essentially a flooding tool, so an attacker with a large bandwidth link may be more successful.
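A defender-side model of the mechanism just described, added here as an illustration and not taken from the article or from ISS X-Force: when every raw alert costs the engine a unit of work from a fixed per-window budget, a flood of spoofed-source decoy alerts pushes the one genuine alert out of the window, whereas aggregating alerts by signature bounds the log volume by the number of distinct rules rather than by the event rate. The addresses, rule names and budget are constructed assumptions, not values from any product.

```python
"""Why an alert flood denies service to a signature IDS, and why aggregation
helps. Added example: the engine is a constructed abstraction, not any
vendor's product, and all addresses and rule names are made up."""
from collections import Counter
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Event:
    src: str        # (spoofed) source address that tripped the rule
    signature: str  # IDS rule identifier
    genuine: bool   # constructed label: the one alert a defender must not lose


def constructed_stream(n_decoys: int, seed: int = 1) -> list[Event]:
    """One genuine alert buried in n_decoys decoys that come from random
    sources and trip random rules, i.e. the flooding pattern described above."""
    rng = random.Random(seed)
    rules = [f"SIG-{i:03d}" for i in range(40)]
    events = [Event(f"198.51.100.{rng.randrange(256)}", rng.choice(rules), False)
              for _ in range(n_decoys)]
    events.insert(n_decoys // 2, Event("203.0.113.9", "SIG-CMDSHELL", True))
    return events


def naive_engine(events: list[Event], budget: int) -> list[Event]:
    """Logs each raw alert at a unit cost until the per-window budget is
    spent; every later event in the window is silently dropped."""
    return events[:budget]


def aggregating_engine(events: list[Event], budget: int) -> list[tuple[str, int]]:
    """Coalesces alerts by rule within the window and logs (rule, count)
    records. Log volume is now bounded by the number of distinct rules,
    not by the event rate, so the decoys collapse into a few dozen records."""
    counts = Counter(e.signature for e in events)   # keeps first-seen order
    return list(counts.items())[:budget]


def genuine_survives(events: list[Event], budget: int) -> tuple[bool, bool]:
    """(did the naive engine keep the genuine alert?, did the aggregating one?)"""
    naive = any(e.genuine for e in naive_engine(events, budget))
    agg = any(rule == "SIG-CMDSHELL" for rule, _ in aggregating_engine(events, budget))
    return naive, agg


if __name__ == "__main__":
    print("quiet network:", genuine_survives(constructed_stream(100), 500))     # (True, True)
    print("under flood  :", genuine_survives(constructed_stream(10_000), 500))  # (False, True)
```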
The attack of the four-headed worm

A damaging new computer worm, Nimda (admin spelled backwards), spread through the Internet a week after the terrorist attack, eating its way into home computers and major web servers alike, slowing traffic to a crawl and threatening e-commerce by infecting websites as well as email. Although Nimda has spread more slowly than Love Bug and Homepage, it has caused far more damage to the organizations it has infected. First detected in Korea, the worm has been particularly active in the UK, the US and Hong Kong. Unlike Code Red, which targeted major servers and routers, the new combination of a computer virus and worm also attacks home and small business computers, extending the burden of protecting the health of the Internet from the communications industry to everyday users. The attack came one week to the day after the terrorist attack on the World Trade Center and the Pentagon, and a group of hackers called the Dispatchers had threatened such activity, according to an advisory issued by the National Infrastructure Protection Center. However, Attorney General John Ashcroft was quoted by the AP as saying that: “There is no evidence to link the worm to last week’s attack.”

Nimda is both a virus and a worm, with a Trojan horse thrown in for good measure. It is a virus because it is a type of program attached to other programs and documents and spread by email, and a worm because it attacks computers directly. It has a Trojan horse because it sneaks in and looks for back doors left open by previous infections. Nimda is a combi virus which uses two basic infection methods but applies these through four channels of attack. Where Code Red took advantage of a single known vulnerability in Microsoft’s Internet Information Server (IIS), Nimda tests for one of about 16 vulnerabilities. Nimda arrives in an email without a subject line and with an attachment titled “readme.exe” or “admin.dll” that is disguised as an audio file. If Microsoft Outlook’s email program isn’t patched, just opening the email, even if the attachment isn’t opened, allows Nimda to send copies of itself to everyone in the infected user’s address book. Most other email programs require the attachment to be opened for the worm to cause damage. I commented in the last issue of Computers & Security on old security vulnerabilities and the risks posed to organizations that do not implement patches in a timely manner.

Computer viruses and worms are growing in strength and sophistication, according to the email security firm MessageLabs. One in every 300 emails now carries a virus, up from one in 700 a year ago. If this continues, MessageLabs said, by the year 2007 one in every ten emails would be infected by a virus. “What we see with Nimda are several pages from old play books being combined in a way we have not seen before, with the added capability of affecting web servers, business and home computer users,” said Ian Hameroff, business manager, security solutions, CA. “Based on the characteristics of Nimda, this may be a proof of concept threat to test the Internet waters. Preventing future outbreaks of similar threats can only be accomplished through the vigilant practice of patch application, risk and policy assessment, and a fortified defense of Internet security solutions.”

According to David Perry, global director for education at Trend Micro, the Nimda worm could have caused major problems had it been given a seriously malicious payload. He believes one of the reasons we are seeing so many viruses that have more nuisance value than pose a real threat to data stems from the psychological profile of the writers: “A lot of viruses are being written by hapless kids who are more interested in gaining international notoriety than in causing real damage.” Indeed, John de Wit, the perpetrator of the Anna Kournikova virus, has insisted that he is incapable of writing code.
He is one of a growing number of “script kiddies” who download toolkits from the Internet and build their own viruses with a minimum of technical knowledge. Incidentally, it looks like he will escape with a light sentence because few organizations are willing to admit that they were infected by the Anna Kournikova virus. Until organizations stand up to be counted, we will continue to see an escalation of this type of attack.

Effective protection from viruses needs an up-to-date virus checker installed. Not only installed, but the latest version installed in a timely manner, and imposed from the centre, not left to the vagaries of individual employees. According to Mark Sunner, chief technical officer of MessageLabs, too many businesses rely on employees to stop viruses by updating the anti-virus software on their own computers, which dramatically increases the organization’s exposure to virus infection. Furthermore, some sectors of the economy are better at installing anti-virus software than others; thus, if you deal more with those sectors, you are more at risk. MessageLabs have reported that routine audits found more viruses among manufacturing clients than among retailers or banks. But manufacturers are not quite bottom of the pile: according to MessageLabs, viruses are more rampant within government systems.
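A mail-gateway check for the Nimda delivery pattern described above (no subject line, and an attachment named readme.exe or admin.dll whose declared content type claims it is audio), written here as an added example rather than taken from the article or from any product. The test messages are constructed with Python’s standard email library, and the list of extensions treated as executable is an assumption.

```python
"""Gateway check for the Nimda mail vector described above. Added example:
the messages are constructed and the extension list is an assumption."""
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".pif")   # assumption: treated as executable
NIMDA_NAMES = {"readme.exe", "admin.dll"}           # attachment names quoted in the article


def constructed_message(subject: str, filename: str, ctype: str) -> bytes:
    """Build a constructed test message with one attachment. The attachment
    bytes are a placeholder, not a real sample; an empty subject is modelled
    by omitting the Subject header, as Nimda mail carried none."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.net"
    if subject:
        msg["Subject"] = subject
    msg.set_content("see attached")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(b"placeholder bytes, not a real attachment",
                       maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def findings(raw: bytes) -> list[str]:
    """Reasons the message matches the Nimda delivery pattern; empty if none."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if not str(msg.get("Subject") or "").strip():
        reasons.append("empty subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name in NIMDA_NAMES:
            reasons.append(f"known Nimda attachment name {name}")
        # the disguise the article mentions: an executable declared as media
        if name.endswith(EXECUTABLE_EXT) and not ctype.startswith("application/"):
            reasons.append(f"executable {name} declared as {ctype}")
    return reasons


if __name__ == "__main__":
    print(findings(constructed_message("", "readme.exe", "audio/x-wav")))
    print(findings(constructed_message("Q3 figures", "figures.pdf", "application/pdf")))
```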
But the real threat is from inside

It is not just the failure of individual employees to ensure their anti-virus software is up to date that puts an organization at risk. According to research from IDC, the majority of malicious security problems come from within your organization. Ninety percent of security breaches come from within companies, with half of those coming from disgruntled employees, IDC said: “Malicious attacks from within organizations are a great concern because they can be more targeted at specific information and aspects of IT systems that will cause the most damage.” Lapses in security can often be pinned on a failure to integrate security policies across the whole IT infrastructure. Databases, networks and applications have built-in security features that most organizations implement, but few look at security across all their IT platforms.
The bitten bites back

Greg Halpern, president and CEO of Circle Group Internet, certainly wasn’t the first CEO to see his company hit by cyber vandalism. But he is one of the few who has successfully fought back to save his company’s reputation. Halpern was mortified in August 2000 when he received 100 or so complaints about spam emails allegedly coming from his company. A father of three, Halpern was shocked to learn that people he had never contacted accused his company of sending pornography to them, and to their children. Halpern and his team determined that a mysterious culprit had attacked Circle Group Internet, a funding and consulting source for emerging technology companies, on three separate occasions. During each attack, the vandal sent as many as 1.5 million pornographic emails to random recipients. “This type of activity is no joke,” Halpern says. “People’s reputations - their livelihoods - are on the line. We had to protect our company and staff. Once we realised this was the result of malicious attacks, we set out to reverse-engineer the process and to track down the culprit.”

Halpern and his team spent about two weeks retracing the vandal’s steps. The team found a sophisticated nation-wide trail in which the vandal routed encrypted emails through a variety of Internet Service Providers (ISPs) and over numerous long-distance carriers’ lines in order to cloak his identity. After working through six layers of cloaked ISPs and servers, Halpern’s team finally reached the ISP address of a person in Arizona who knew the identity of the vandal, who resided in Florida. Halpern filed a lawsuit in Florida and won an undisclosed monetary settlement from the culprit. Aside from the financial punishment, the settlement demanded a public apology and a commitment to stop using the Internet to harm others. “It was a matter of principle for us. The Internet can be a powerful tool for education, for business and for entertainment - but we can’t let people take advantage of the technology to defame others or to send objectionable material to children,” Halpern says.
Cyber clues for Twin Tower outrage

The efforts of Halpern and his team are small in comparison to the massive efforts of law enforcement agencies around the world to track down the terrorists who carried out the atrocities on September 11. In the UK, the government has frozen the data traffic for the month before the outrage under RIPA (Regulation of Investigatory Powers Act 2000). Telephone traffic, voice, text, locational data for mobile telephony and emails are all being examined, as are CCTV systems. In addition, credit card, share dealing and banking transactions are being examined by forensic teams. The investigations are the largest single forensic examination of electronic data there has ever been. Gaps in the surveillance of suspected terrorists in the UK have already been revealed, caused by a lack of an interface between the computer systems of two law enforcement agencies. Law enforcement agencies around the world are on a rapid learning curve about computer forensics and about where the gaps are. Additional surveillance legislation and regulation, together with the expertise learned through this investigation, are already bringing about a step change in their abilities to protect and detect.