Information Security News mailing list archives
News Analysis: The NIPC's Film Debut
From: William Knowles <wk () C4I ORG>
Date: Fri, 12 May 2000 00:56:54 -0500
http://www.zdnet.com/intweek/stories/columns/0,4164,2567361,00.html

By Lewis Z. Koch

The federally sponsored video Solar Sunrise - about a worldwide manhunt for hackers, climaxing in the arrest of two Cloverdale, Calif., kiddies for recreational hacking - makes The Matrix seem like a documentary.

Solar Sunrise is a co-production of the National Counterintelligence Center, the Federal Bureau of Investigation and the FBI's newest subdivision, the National Infrastructure Protection Center, led by Michael Vatis.

The NIPC claims its "mission is to serve as the U.S. government's focal point for threat assessment, warning, investigation and response for threats or attacks against our critical infrastructures . . . telecommunications, energy, banking and finance, water systems, government operations and emergency services . . . ." The NIPC, in its words, protects "the foundation upon which our industrialized society is based." In other words, "Preserving the American computer way of life as we know it."

You can purchase this video from FilmComm, at 1-800-944-9134, for $12.28. Better yet, just read this synopsis.

This tale of hacking horror began Feb. 4, 1998, when U.S. military troops were being readied for a possible incursion into Iraq. This was not about Mafiaboy, and the target was not e-commerce servers. Instead, producers cut to two California teens who, with some help from a young Israeli hacker, allegedly broke into some minor military systems and stole some account names and passwords.

The narrator gravely intoned: "The intrusion seems to be coordinated and they target computer systems at the heart of the military buildup. Damage to these systems could halt the flow of transportation, personnel and medical supplies."

The military didn't know who was poking around on its computers, so it was not unreasonable for it to assume a worst case scenario.

Rebecca Gurley Bace, president of Infidel, the computer security boutique, put in 12 years at the National Security Agency and did consulting work for the Central Intelligence Agency and the FBI. She was sympathetic to the immediate plight the military was facing when trying to accurately gauge the severity of this particular "attack."

"The problem for them," Bace said, "was attempting to make a rational decision about how vulnerable the military was on the Internet. They were making that decision based on information simply not perceptible to them. All of us are basically deaf, blind and, most disturbingly, blissfully unaware of the sensory challenges a computer attack creates. Things seem to happen . . . chaotically, with no warning or apparent logical protection. And that's scary."

White House aides, Department of Justice types, the FBI and the military responded to this type of chaos by . . . panicking.

Eventually the hack depicted in the wildly overdramatic Solar Sunrise video amounted to . . . nothing.

Mac, Stimpy and Analyzer's excellent adventures

Solar Sunrise re-enacts a massive worldwide tracking effort by federal and private Internet service provider personnel, and even has armed FBI agents running up stairs and flashing badges as they catch two teen-age amateur hackers.

Known by their handles as Mac - aka Makaveli - and Stimpy, the two were being "tutored" in the art of hacking via Internet relay chat by a 20-year-old Israeli hacker operating on his own. The "tutor" hacker, known as Analyzer, trained them in techniques to break into Department of Defense computers, claims the narrator.

Indeed, Mac and Stimpy did get in and, according to the video, stole some account names and passwords from a few computers at Andrews Air Force Base.

That's it. One base, a few computers, and some names and passwords. Period.

But if you listen closely to the video, there's an interesting element to Mac and Stimpy's hacking. The hack could have been totally prevented if the military had only fixed the holes and vulnerabilities in its computer systems - holes and vulnerabilities it already knew existed.

"Although this flaw in the system, and the software necessary to fix it, have been publicized since December [1997]," the narrator admits, "Pentagon computer experts haven't focused on this potential back door into their systems."

Bear in mind, falling asleep on guard duty is punishable by imprisonment in the stockade. The fact is, the military had been provided with the fixes months prior to the hack. It simply failed to do what it was instructed to do: fix the computers.

Four days after the Solar Sunrise - as the incident was code named - attacks started, the dangerous California teen duo had "friendly" chats with FBI agents in their homes, ratting each other out rather than risk an opportunity to have new and excellent adventures in jail cells.

The video narrator puts it in a slightly different way: "Both teen-agers are interviewed in their homes, and both admit to breaking into DOD computers. After some initial hesitation, Mac tells investigators what he knows about his teacher, Analyzer . . . ."

As the video clearly states: "In the end, the Solar Sunrise invasions of military sites proved to be purely recreation."

Nevertheless, Deputy Secretary of Defense Dr. John Hamre, the Pentagon's lead infowarrior, in a briefing for reporters - and later in closed door sessions before Congress - in 1998 and 1999 called Solar Sunrise "the most organized and systematic attack the Pentagon has seen to date" - even when he knew that it was just a couple of teen-agers and a young Israeli poking around.

Much ado about nothing

Thanks to the NIPC's Vatis, the adventures of Mac, Stimpy, and Analyzer have been immortalized in the Solar Sunrise video.

Other than to hype a couple of kid hackers and the brilliance of the FBI and the NIPC, why was this picayune incident immortalized in a video that cost thousands to make?

The FBI and the NIPC refuse to answer any questions about who wrote, edited and directed the video, except with the credit line "Executive Producer Catherine Kiser, FBI Supervising Special Agent." The FBI also refuses to answer any other questions about the video, including its cost, citing "administrative" reasons. Vatis won't discuss what he says on the video; he doesn't even bother to give any reason.

So much for accountability in law enforcement.

"Cyberspace knows no boundaries," Vatis intones in his video. After this staggering brain dump, Vatis informs us that his mission is just that - to establish boundaries in cyberspace.

To reiterate: "The NIPC is to coordinate the government's activities that are directed at detecting, preventing, warning of and responding to cyberintrusions - particularly those directed at critical infrastructures" - which, translated, means put up and enforce boundaries as established by Vatis.

On Feb. 29, Vatis warned the Senate Judiciary Committee, the Criminal Justice Oversight Subcommittee and the House Judiciary Committee that danger lurks everywhere on the Internet. He ticked off the list for legislators: insiders, hackers, virus writers, criminal groups, terrorists, foreign intelligence and information warriors.

Everywhere we turn another federal official wants more wire tapping, tracing of computer messages, a computer-based digital collection system for monitoring wiretaps, new restrictions on the Freedom of Information Act, laws to weaken encryption, monitoring of travel on the Internet and even a Reserve Officers Training Corps-like CyberService.

Limiting our freedoms isn't going to make the Internet any safer. That kind of security only happens when government, industry and individuals take responsibility for securing computers - and don't spend time promoting information security paranoia such as Solar Sunrise at taxpayers' expense.

Lewis Z. Koch has been an investigative reporter for over 30 years. Currently he is a special correspondent for CyberWire Dispatch. He can be reached at lzkoch () mediaone net

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*