What InfoSec Professionals Should Know About Information Warfare Tactics by Terrorists Part 2

The first part of this article (Computers & Security, Vol. 21, No. 1) defined terrorism and the aims of terrorists. Part 1 also discussed different tactics which may be employed to hide data from governments and official agencies, including steganography. The second part of the article considers other methods of data hiding as well as the different types of attack which may be used by terrorists. Finally, it offers advice to information security professionals looking to counter the effects of such terrorist actions.

Cryptography

It makes sense that if you are a terrorist and you want to communicate using the Internet, you are not going to risk your life or your liberty on people being unable to recognize the use of steganography on its own. As the steganographic software is not interested in the type of material that it is incorporating into the carrier file, it will hide an encrypted message just as happily as it will hide a clear text message. An encryption program scrambles information in a controlled manner through the use of a cryptographic key. In the past, you sent a message encrypted with a particular key to someone and they had to be in possession of the same key to decrypt the message. This is known as symmetrical cryptography. This, unfortunately, meant that you had to communicate the key to the person to whom you were sending the message. This was achievable for governments that have the infrastructure to distribute the cryptographic keys in a secure manner; however, this type of approach is just not realistic for the general public to consider. It is only in recent years that the technology has increasingly been found in the public domain. Perhaps the best known of the publicly available high grade encryption systems is Pretty Good Privacy (PGP), the system developed by Phil Zimmermann. As a result of the prominence that PGP has achieved, this discussion will concentrate the description of cryptography on this system.

Dr Gerald L. Kovacich and Andy Jones, MBE

PGP is a public-key encryption software package that was initially intended for the protection of electronic mail. After PGP was published domestically in the USA as a freeware offering in 1991, it was very quickly taken up and adopted all over the world, with the result that it has become the de facto worldwide standard for encryption of email. The author of the software was under investigation for a period of about three years by authorities (the United States’ Customs Service) who were investigating a possible breach of the arms control regulations relating to the export of weapons, which include high-grade encryption. It is one of the nonsenses of the age of technology that it was considered to be an offence to export the software package that incorporated the encryption algorithm, but there seemed to be no problem with leaving the country with the algorithm printed onto a t-shirt. The investigation into the situation was finally closed without Zimmermann being indicted, in January 1996. It is interesting that in at least one interview, Zimmermann stated, as part of the rationale for the development of PGP, that the software was now used all over the world, particularly in Central America, in Burma and by the government in exile from Tibet, by human rights groups and human rights activists who were documenting the atrocities of death squads and keeping track of human rights abuses. He went on to state that he had been told by these groups that, if the governments involved were to gain access to the information that had been encrypted, all of the individuals involved would be tortured and killed.

0167-4048/02US$22.00 ©2002 Elsevier Science Ltd

Propaganda

Another of the reasons that a terrorist organization may use the Internet is to spread the organization’s message and further the cause. For this, the Internet is an outstanding tool. It is the most widely used, uncontrolled medium that has international reach. The number of organizations that have exploited this reach and lack of censorship is huge. Some of the better examples of this are the Provisional Irish Republican Army (PIRA), the Euskadi Ta Askatasuna (ETA), the Mexican Zapatistas or the Chechen rebels. The PIRA has a well-founded presence on the Internet through the auspices of its political wing, Sinn Fein, and publications with a strong online presence such as An Phoblacht. Websites that support the aspirations and the ‘cause’ of the PIRA can be found in a number of countries and some good examples are the Sinn Fein home page [1] or Sinn Fein Online [2]. Other informative sites can be found at the Irish Republican Network [3] or the Trinity Sinn Fein website [4]. In addition to the large number of sites that provide information on the IRA, other sites provide a different perspective on the conflict in Northern Ireland, some of the sites providing a more balanced view than others, but undoubtedly, that statement in itself demonstrates a prejudice as other people would take a different view of the balance of reporting of the sites. The conflict in Northern Ireland is one of the longest running of the ‘terrorist’ actions that has taken place in the English speaking world and, not surprisingly, attracts a lot of comment and debate and presence on the Web. While the PIRA is the best known of the groups that represent one side of the conflict, there are a large number of other groups that claim to be active in the Province. The other main groups are:

• Continuity Irish Republican Army
• Combined Loyalist Military Command
• Irish National Liberation Army
• Irish People’s Liberation Organization
• Irish Republican Army
• Loyalist Volunteer Force
• Real Irish Republican Army
• Ulster Defence Association
• Ulster Freedom Fighters

The majority of these also have, to a greater or lesser degree, a Web presence, and some of the more notable of these are:

• The Irish People’s Liberation Organization [5], which represents another view of the republican perspective.
• A loyalist view, which can be found at the Ulster Loyalist Web page [6].
• The Ulster Volunteer Force (UVF) presence, with the UVF page of the Loyalist Network [7].

In addition to all of these many partisan views of the situation, there are a number of sites that attempt to provide a ‘neutral’ view of the situation. Examples of these sites can be found at Rich Geib’s Universe [8] or the Irish Republican Army Information Site [9]. Other sites that provide insight into the attitudes of, and towards, the various parties in the province can be found at Vincent Morley’s flags Web page [10] and a unionist Mural Art from Belfast page [11].

An example of a terrorist site from another part of Europe is the case of the Euskadi Ta Askatasuna (ETA). This violent terrorist group, which lays claim to a portion of Northern Spain and Southern France, has its own Web presence to present the case for its grievances, to explain culture and history, and to justify its actions and seek support. As with other similar groups, it has its supporters and detractors, both of which groups use the Web to try to influence the opinion of the readership. In the case of supporters of ETA and the Basque state, which they, themselves, refer to as ‘Euskal Herria’, the primary Web pages are the Euskal Herria Journal, which promotes itself as a Basque journal [12] and puts forward the aims and expectations of the group that it represents, and the Basque Red Net [13], which puts forward a very well developed argument based on the culture and history of the area. A view of ETA from the Spanish Government can be seen at the Ministry of the Interior page on the terrorist group that has the title ‘ETA – Murder as Argument’ [14]. This Web page is produced in three languages, Spanish, French and English, to enable the widest reasonable readership of the arguments presented. One French view of the issues can be seen at the website of the Mediapaul Project [15]. In an example from Central America, the Zapatista rebels in the Chiapas region of Mexico have become one of the most successful examples of the use of information systems and communications by a hugely outnumbered and out-resourced group of activists. The Zapatistas used the Internet to outmanoeuvre the Mexican Government and to bring world pressure to bear on a situation that was entirely internal to Mexico. The use of the Internet gained the Zapatistas not only support from throughout Mexico but also from the rest of the world. It will also now be used as a template for actions in other parts of the world, and the implications of the Zapatista rebellion will have an effect on other confrontations with contemporary capitalist economic and political policies.

The surge of support for this, to European and North American eyes, very parochial action in a Central American republic, came when a report, written for Chase Emerging Markets clients by Riordan Roett, was apparently leaked to Silverstein and Cockburn’s Counterpunch newsletter. The report was found to call for the Mexican government to “eliminate” the Zapatistas in order to demonstrate its command over the internal situation in Mexico. When this news and the report were posted on the Web, there was a worldwide reaction against the Mexican Government, America, and the American bank that had commissioned the report. Part of the response to this news was an increase in the hacking of Mexican Government websites. In addition, the Electronic Disturbance Theater (EDT) [16] released what they referred to as a digital translation of the Zapatista Air Force Action, which they called the Zapatista tribal port scan. This was carried out to commemorate a non-electronic act that involved, on 3 January 2000, the Zapatista Air Force ‘bombarding’ the Mexican Army federal barracks with hundreds of paper airplanes, on each of which was written a message for the soldiers monitoring the border. Despite the fact that the action in the Chiapas region has effectively been underway since 1994, there is still support and online action such as that by the EDT in 2001. In the former Soviet Union, the situation with regard to the ongoing conflict in Chechnya is one that the media is now starting to class as an ‘information war’. The Chechen separatists are primarily represented on the Internet by two sites, one from the Chechen Republic of Ichkeria and the other from Kavkaz-Tsentr [17]. The Ichkeria site is seldom updated, but the Kavkaz-Tsentr site is reported as an example of a professional approach to information war. This site is kept up to date with daily reports on Chechen military successes against Russian forces, as well as more light-hearted items and the events that surround Chechnya.


According to numerous reports from organizations, including the BBC, Moscow is applying the same tactics that it observed NATO using in the former Republic of Yugoslavia to try to win the information war in Chechnya. In the previous Chechen war that started in 1994, the then fledgling commercial station NTV showed graphic pictures from both sides of the conflict; now, however, the Russian broadcasters and press are much more selective in their reporting of the fighting. The Kavkaz-Tsentr site has repeatedly been targeted by hacker attacks since at least 1999. The hackers have repeatedly defaced the website with anti-Chechen images and slogans and have redirected traffic intended for the site to a Russian Information Center site; however, the site has generally managed to restore normal operations within 24 hours.

Vigilantes and the reaction to the World Trade Center and Pentagon attacks

This has been inserted here as the case that will be highlighted shows the dangers of ‘vigilantes’ and people who, with the best of intentions, take actions for which they have not researched the background information. The action in question was reported by Brian McWilliam of Newsbytes [18] on 27 September 2001, who revealed that members of a coalition of vigilante hackers had mistakenly defaced a website of an organization that had had offices in the World Trade Center. The hacker group, called the Dispatchers, attacked the website of the Special Risks Terrorism Team, which in fact was owned by the Aon Corporation. The other sites that were attacked by this group were both in Iran, which, for the geographically challenged, is not in Afghanistan and is in fact hostile to the Taliban regime and Osama Bin Laden. One can understand the anger and the frustration and the desire to strike out in the aftermath of the attacks, but this type of action, by uninformed and non-representative individuals, does much to damage relationships with countries and organizations that have not (at least in recent years) caused any offense and are in fact sympathetic to the cause.

Denial-of-service

When a terrorist organization cannot achieve its objective by the means that are normally used, the bullet and the bomb, it has the potential to use the Internet and the connectivity of the systems on which we now rely so heavily to gain the impact that is desired. There are a number of advantages and disadvantages to this approach, but if the normal techniques cannot be used, it allows another vector of attack to be utilized that has the advantages of being untraceable to the source and non-lethal. When compared to the average activity of a hacker, who has a limited capability in terms of equipment and sustainability, the terrorist will normally have a greater depth of resources and of motivation. An action taken in support of a cause that is believed in will have a much higher motivation to succeed than the whim of an idle mind or simple curiosity.

What is a denial of service attack?

A ‘denial-of-service’ attack is characterized by an attempt by an attacker or attackers to prevent legitimate users of a service from using that service. Types of denial-of-service attacks that may be seen are:

• Network flooding, resulting in the prevention of legitimate network traffic.
• Attempts to disrupt connections between two machines, which results in the prevention of access to a service.
• Attempts to prevent a particular individual from accessing a service.
• Attempts to disrupt service to or from a specific system or person.

Not all disruptions to service, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial-of-service as a component, but the denial-of-service itself may be part of a larger attack.

The unauthorized use of resources may also result in a denial-of-service. For example, an intruder might make use of your anonymous ftp area as a location where they can store illegal copies of software, using up disk space, using CPU time, and generating network traffic that consumes bandwidth.

The impact

Denial-of-service attacks can disable either the computer or the network. In doing so, this can neutralize the effectiveness of your organization. Denial-of-service attacks can be carried out using limited resources against large, sophisticated or complex sites. This type of attack may be an ‘asymmetric attack’. An asymmetric attack is one where a less capable adversary takes on an enemy with superior resources or capabilities. For example, an attacker using an old PC and a slow modem might be able to attack and overcome a much faster and more sophisticated computer or network.

Types of attack

Denial-of-service attacks may manifest themselves in a number of forms and be targeted at a range of services. There are, primarily, three types of denial-of-service attacks:

• Destruction or alteration of configuration information for a system or network. An incorrectly configured computer may not operate in the intended way or operate at all. An intruder may be able to alter or destroy the configuration information and prevent the user from accessing their computer or network. For example, if an intruder can change information in your routers, the network may not work effectively or at all. If an intruder is able to change the registry settings on a Windows NT machine, the system may cease to operate or certain functions may be unavailable.

• Consumption of precious resources. Computers and networks need certain facilities and resources in order to operate effectively. This includes network bandwidth, disk space, CPU time, applications, data structures, network connectivity, and environmental resources such as power and air conditioning.

• Physical destruction or modification of network elements. The primary problem with this type of attack is that of physical security. In order to protect against this type of attack, it is necessary to defend against any unauthorized direct access to the elements of your system, whether that be computers, routers, network elements, power and air conditioning supplies, or any other components that are critical to the network. Physical security is one of the main defences used in protecting against a number of different types of attack in addition to denial-of-service.

Denial-of-service attacks are normally targeted against the network elements. The technique that is normally used in an attack is to prevent the host from communicating across the network. One example of this type of attack is the ‘SYN flood’ attack. In this type of attack, the attacker initiates the process of establishing a connection to the victim’s machine, but does so in a way that prevents the completion of the connection sequence. During this process, the machine which is the target of the attack has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections cannot be achieved while the victim machine is waiting to complete bogus ‘half-open’ connections. This type of attack does not depend on the attacker being able to consume your network bandwidth: using this method, the intruder is engaging and keeping busy the kernel data structures involved in establishing a network connection.
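The half-open backlog described above is visible in the victim host's own connection table, which gives the defender a simple detection signal. The following Python script is an added example, not code from the article: it parses connection rows in the format printed by `netstat -tan` on Linux, counts SYN_RECV entries per local port, and flags any port whose half-open backlog reaches a threshold. The sample rows, addresses and the threshold of 5 are constructed assumptions.

```python
"""Flag a SYN-flood pattern from netstat-style TCP connection rows.

Added example (not from the article). Expected row layout, as printed by
`netstat -tan` on Linux:
    Proto Recv-Q Send-Q Local Address Foreign Address State
A burst of half-open (SYN_RECV) connections on one local port, from many
different sources, with few or no ESTABLISHED connections from those
sources, is the signature of the backlog exhaustion the article describes.
"""
from collections import defaultdict

# Constructed sample: a web server (port 80) with six half-open connections
# from scattered sources and one real session; port 22 is behaving normally.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51620      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.77:4431       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51644      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40212       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.18:2100       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.41:33001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.123:6001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.200:40001     SYN_RECV
"""

HALF_OPEN_STATE = "SYN_RECV"  # the server-side "waiting for final ACK" state


def parse_connections(text):
    """Return a list of (local_port, foreign_host, state) for each TCP row.

    Header lines, blank lines and listening sockets are skipped; a LISTEN
    entry is not a connection and must not be counted as one.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue
        # rsplit on the last ':' so IPv6 forms such as ':::80' parse too
        local_port = int(local.rsplit(":", 1)[1])
        foreign_host = foreign.rsplit(":", 1)[0]
        rows.append((local_port, foreign_host, state))
    return rows


def half_open_summary(rows):
    """Per local port: half-open count, established count, distinct sources.

    'sources' counts only the distinct hosts behind half-open entries, so a
    large value alongside a high half-open count indicates a spread of
    (possibly spoofed) sources rather than one slow client.
    """
    acc = defaultdict(lambda: {"half_open": 0, "established": 0, "src": set()})
    for port, host, state in rows:
        entry = acc[port]
        if state == HALF_OPEN_STATE:
            entry["half_open"] += 1
            entry["src"].add(host)
        elif state == "ESTABLISHED":
            entry["established"] += 1
    return {
        port: {"half_open": e["half_open"],
               "established": e["established"],
               "sources": len(e["src"])}
        for port, e in acc.items()
    }


def flag_syn_flood(text, threshold=5):
    """Return the sorted local ports whose half-open backlog >= threshold."""
    summary = half_open_summary(parse_connections(text))
    return sorted(p for p, e in summary.items() if e["half_open"] >= threshold)


if __name__ == "__main__":
    for port, e in sorted(half_open_summary(parse_connections(SAMPLE_NETSTAT)).items()):
        print(f"port {port}: {e}")
    print("flagged ports:", flag_syn_flood(SAMPLE_NETSTAT))
```

On a live host the same functions can be fed the output of `netstat -tan`; the threshold should be set relative to the listen backlog the service was configured with.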


References

1. Sinn Fein website. http://www.sinnfein.ie/
2. Sinn Fein Online. http://www.geocities.com/sinnfeinonline/
3. Irish Republican Network. http://www.geocities.com/diarmidlogan/
4. Trinity Sinn Fein website. http://www.csc.tcd.ie/~sinnfein/
5. Irish People’s Liberation Organization. http://www.irsm.org/irsp/
6. Ulster Loyalist Web page. http://www.ulsterloyalist.co.uk/welcome.htm
7. UVF page of the Loyalist Network. http://www.houstonpk.freeserve.co.uk/uvfpg.htm
8. Rich Geib’s Universe. http://www.rjgeib.com/thoughts/terrorist/response1.html
9. Irish Republican Army Information Site. http://www.geocities.com/CapitolHill/Congress/2435/
10. Vincent Morley’s Flag Webpage. http://www.fotw.stm.it/flags/gbulste.html
11. Unionist Murals from Belfast. http://www.geocities.com/Heartland/Meadows/7985/mural.html
12. The Basque Journal. http://free.freespeech.org/ehj/html/freta.html
13. Basque Red Net. http://www.basque-red.net/cas/enlaces/e-eh/mlnv.htm
14. Spanish Ministry of the Interior Web page. http://www.mir.es/oris/infoeta/indexin.htm
15. Mediapaul Project. http://www.ac-versailles.fr/etabliss/plapie/MediaBasque2001.html#ancre45175
16. Electronic Disturbance Theater website. http://www.thing.net/~rdom/ecd/ecd.html
17. Kavkaz Tsentr website. www.kavkaz.org
18. Hacking Vigilantes Deface WTC Victim’s Site. Brian McWilliam, Newsbytes, 17 Sept 2001.
19. CERT goes down to DoS attacks. Sam Costello, IDG News Service, 05/23/01.
20. The NIPC publication is available at http://www.nipc.gov/publications/highlights/2001/highlight-01-10.pdf

The effect of this is that an attacker can execute an effective attack against a system on a very fast network with very limited resources. According to a report posted on 23 May 2001, the Computer Emergency Response Team/Coordination Center (CERT/CC), one of the most important reporting centres for Internet security problems, was offline for a number of periods during Tuesday and Wednesday as a result of a distributed denial-of-service attack [19]. The CERT/CC posted a notice on its website on Tuesday saying that the site had been under attack since 11:30 a.m. EST that day and, as a result, at frequent intervals it was either unavailable or access to the site was very slow. The CERT/CC is a government-funded computer security research and development (R&D) centre that is based at Carnegie Mellon University. The site monitors Internet security issues such as hacking, vulnerabilities, and viruses, and issues warnings about such issues and incidents. According to the report, the organization was still able to conduct its business and had not lost any data. The centre issues warnings and sends alerts through email. News of the attack on CERT/CC came on the day after researchers at the University of California at San Diego issued a report stating that over 4000 DoS attacks take place every week. A distributed denial-of-service attack, such as the one experienced by the CERT/CC, comes when an attacker has gained control of a number of PCs, referred to as zombies, and uses them to simultaneously attack the victim. According to an unclassified document [20] published 10 November by the NIPC, technologies such as Internet relay chat (IRC), Web-based bulletin boards and free email accounts enable extremist groups to adopt a structure that has become known as ‘leaderless resistance’. Some extremist groups have adopted the leaderless resistance model, in part, to “limit damage from penetration by authorities” that are seeking information about impending attacks. According to the report, which was prepared by NIPC cyber-terrorism experts, “An extremist organization whose members get guidance from emails or by visiting a secure website can operate in a coordinated fashion without its members ever having to meet face to face.” In addition to providing a means of secure communications, the range and diversity of Internet technologies also provides the extremists with the means to deliver a “steady stream of propaganda” intended to influence public opinion, and also a means of recruitment. The increasing technical competency of extremists also enables them to launch more serious attacks on the network infrastructure of a nation state that go beyond email bombing and Web page defacements, according to the NIPC. According to a separate article on international terrorism by a professor at Georgetown University, the leaderless resistance strategy is believed to have been originally identified in 1962 by Col. Ulius Amos, an anti-Communist activist, and this approach was advocated, in 1992, by a neo-Nazi activist, Louis Beam.

Lessons Learned

There are many lessons for the InfoSec professional to learn from the 11 September 2001 attacks on the World Trade Center. The lessons are based on the lack of security and defences indicated by the successful attacks, e.g. airport security, aircraft security. As an InfoSec professional, it is clear that some of the most basic processes that can assist in making your networks and information more secure from all those who threaten them are ignored. They include:


• Users are allowed access often without preemployment background checks; after they no longer need access, their IDs and passwords remain on the system.

• One must aggressively follow-up where there are vulnerabilities or where personnel are not complying with the InfoSec policies, procedures and processes.

• InfoSec personnel are often overworked and otherwise too busy to follow-up periodically to determine if the accesses are still required. They rely on the users (or company management) to ‘turn themselves in’ when they no longer need access or leave the company or government agency.

• Profiling must be done of users to determine their normal work habits; and those operating outside the norm, must be aggressively investigated.

• Physical access to facilities and IT devices, e.g. desktop computers networked to local area networks, the Internet, intranets, etc., is weak or non-existent.

• Often InfoSec responsibilities are given to employees as an ‘additional job’ with little or no training, e.g. a records clerk in a hospital making almost a minimum wage.

• Employees are not checked as they carry removable media out of the facility; sometimes they are not even checked, and the authority verified, when carrying hardware out of the facility.

• Networks and computer devices are poorly secured.

• The InfoSec budget is kept to a minimum in order to save money or spend it on other ‘higher priorities’.

• And of course, the constant spreading of computer viruses.

What are we to learn from this horrendous tragedy? Well, at least the following:

• Prior to access to IT devices that store, transmit and process sensitive information, a background check of an individual must be conducted and accesses verified and validated on a regular basis.

• Physical security of facilities should be hardened.

• InfoSec is important and must accordingly have sufficient budget to do the job right.

• InfoSec staff should be highly trained, certified and paid accordingly.

• InfoSec professionals must always be alert to potential attacks and be in a position to successfully defend against those attacks; plan for the unexpected.

• A current and often tested emergency/disaster recovery/contingency plan must be in place and all applicable personnel trained on what to do in the event various incidents occur.

• InfoSec professionals must understand, especially in the United States, that the world has drastically changed and it is a more dangerous and inhospitable place — we are at war. Get on an InfoSec ‘war footing’.

Also remember that:

• A ‘second Pearl Harbor’ has occurred and the warnings of a coming ‘electronic Pearl Harbor’ may not be far off, and you may be a victim.

• You’ve seen what global terrorists can do to the world financial community through their bombing attack of the World Trade Center. Imagine what they could do by ‘electronic bombing’ of the world’s financial computer networks.

• The increased threat of global terrorism is real, and sooner or later, they will use cyberspace weapons, and your systems may be one of their targets. They already are computer

Authors

This article was written by Andy Jones, Group Business Manager, Secure Information e-Business Systems, QinetiQ (formerly known as DERA/MOD), Malvern, UK; and Dr Gerald L. Kovacich, ShockwaveWriters.com. The article contains excerpts from their forthcoming book, Introduction to Global Information Warfare, written with Perry Luzwick, Logicon; to be published by Auerbach Publishers in March 2002.
