Information Security News mailing list archives

News Analysis: The NIPC's Film Debut


From: William Knowles <wk () C4I ORG>
Date: Fri, 12 May 2000 00:56:54 -0500

http://www.zdnet.com/intweek/stories/columns/0,4164,2567361,00.html

By Lewis Z. Koch

The federally sponsored video Solar Sunrise - about a worldwide
manhunt for hackers, climaxing in the arrest of two Cloverdale,
Calif., kiddies for recreational hacking - makes The Matrix seem like
a documentary.

Solar Sunrise is a co-production of the National Counterintelligence
Center, the Federal Bureau of Investigation and the FBI's newest
subdivision, the National Infrastructure Protection Center, led by
Michael Vatis.

The NIPC claims its "mission is to serve as the U.S. government's
focal point for threat assessment, warning, investigation and response
for threats or attacks against our critical infrastructures . . .
telecommunications, energy, banking and finance, water systems,
government operations and emergency services . . . ." The NIPC, in its
words, protects "the foundation upon which our industrialized society
is based." In other words, "Preserving the American computer way of
life as we know it."

You can purchase this video from FilmComm, at 1-800-944-9134, for
$12.28. Better yet, just read this synopsis.

This tale of hacking horror began Feb. 4, 1998, when U.S. military
troops were being readied for a possible incursion into Iraq. This was
not about Mafiaboy, and the target was not e-commerce servers.
Instead, producers cut to two California teens who, with some help
from a young Israeli hacker, allegedly broke into some minor military
systems and stole some account names and passwords. The narrator
gravely intoned: "The intrusion seems to be coordinated and they
target computer systems at the heart of the military buildup. Damage
to these systems could halt the flow of transportation, personnel and
medical supplies."

The military didn't know who was poking around on its computers, so it
was not unreasonable for it to assume a worst case scenario.

Rebecca Gurley Bace, president of Infidel, the computer security
boutique, put in 12 years at the National Security Agency and did
consulting work for the Central Intelligence Agency and the FBI. She
was sympathetic to the immediate plight the military was facing when
trying to accurately gauge the severity of this particular "attack."
"The problem for them," Bace said, "was attempting to make a rational
decision about how vulnerable the military was on the Internet. They
were making that decision based on information simply not perceptible
to them. All of us are basically deaf, blind and, most disturbingly,
blissfully unaware of the sensory challenges a computer attack
creates. Things seem to happen . . . chaotically, with no warning or
apparent logical protection. And that's scary."

White House aides, Department of Justice types, the FBI and the
military responded to this type of chaos by . . . panicking.

Eventually the hack depicted in the wildly overdramatic Solar Sunrise
video amounted to . . . nothing.

Mac, Stimpy and Analyzer's excellent adventures

Solar Sunrise re-enacts a massive worldwide tracking effort by federal
and private Internet service provider personnel, and even has armed
FBI agents running up stairs and flashing badges as they catch two
teen-age amateur hackers.

Known by their handles as Mac - aka Makaveli - and Stimpy, the two
were being "tutored" in the art of hacking via Internet relay chat by
a 20-year-old Israeli hacker operating on his own.

The "tutor" hacker, known as Analyzer, trained them in techniques to
break into Department of Defense computers, claims the narrator.
Indeed, Mac and Stimpy did get in and, according to the video, stole
some account names and passwords from a few computers at Andrews Air
Force Base. That's it. One base, a few computers, and some names and
passwords. Period.

But if you listen closely to the video, there's an interesting element
to Mac and Stimpy's hacking.

The hack could have been totally prevented if the military had only
fixed the holes and vulnerabilities in its computer systems - holes
and vulnerabilities it already knew existed. "Although this flaw in
the system, and the software necessary to fix it, have been publicized
since December [1997]," the narrator admits, "Pentagon computer
experts haven't focused on this potential back door into their
systems." Bear in mind, falling asleep on guard duty is punishable by
imprisonment in the stockade.

The fact is, the military had been provided with the fixes months
prior to the hack. It simply failed to do what it was instructed to
do: fix the computers.

Four days after the Solar Sunrise - as the incident was code named -
attacks started, the dangerous California teen duo had "friendly"
chats with FBI agents in their homes, ratting each other out rather
than risk an opportunity to have new and excellent adventures in jail
cells. The video narrator puts it in a slightly different way: "Both
teen-agers are interviewed in their homes, and both admit to breaking
into DOD computers. After some initial hesitation, Mac tells
investigators what he knows about his teacher, Analyzer . . . ."

As the video clearly states: "In the end, the Solar Sunrise invasions
of military sites proved to be purely recreation."

Nevertheless, Deputy Secretary of Defense Dr. John Hamre, the
Pentagon's lead infowarrior, in a briefing for reporters - and later
in closed door sessions before Congress - in 1998 and 1999 called
Solar Sunrise "the most organized and systematic attack the Pentagon
has seen to date" - even when he knew that it was just a couple of
teen-agers and a young Israeli poking around.

Much ado about nothing

Thanks to the NIPC's Vatis, the adventures of Mac, Stimpy, and
Analyzer have been immortalized in the Solar Sunrise video.

Other than to hype a couple of kid hackers and the brilliance of the
FBI and the NIPC, why was this picayune incident immortalized in a
video that cost thousands to make?

The FBI and the NIPC refuse to answer any questions about who wrote,
edited and directed the video, except with the credit line "Executive
Producer Catherine Kiser, FBI Supervising Special Agent." The FBI also
refuses to answer any other questions about the video, including its
cost, citing "administrative" reasons. Vatis won't discuss what he
says on the video; he doesn't even bother to give any reason. So much
for accountability in law enforcement.

"Cyberspace knows no boundaries," Vatis intones in his video. After
this staggering brain dump, Vatis informs us that his mission is just
that - to establish boundaries in cyberspace. To reiterate: "The NIPC
is to coordinate the government's activities that are directed at
detecting, preventing, warning of and responding to cyberintrusions -
particularly those directed at critical infrastructures" - which,
translated, means put up and enforce boundaries as established by
Vatis.

On Feb. 29, Vatis warned the Senate Judiciary Committee, the Criminal
Justice Oversight Subcommittee and the House Judiciary Committee that
danger lurks everywhere on the Internet. He ticked off the list for
legislators: insiders, hackers, virus writers, criminal groups,
terrorists, foreign intelligence and information warriors.

Everywhere we turn another federal official wants more wire tapping,
tracing of computer messages, a computer-based digital collection
system for monitoring wiretaps, new restrictions on the Freedom of
Information Act, laws to weaken encryption, monitoring of travel on
the Internet and even a Reserve Officers' Training Corps-like
CyberService.

Limiting our freedoms isn't going to make the Internet any safer. That
kind of security only happens when government, industry and
individuals take responsibility for securing computers - and don't
spend time promoting information security paranoia such as Solar
Sunrise at taxpayers' expense.

Lewis Z. Koch has been an investigative reporter for over 30 years.
Currently he is a special correspondent for CyberWire Dispatch. He can
be reached at

lzkoch () mediaone net


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com