How an e-mail virus could cripple a nation

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.zdnet.com/anchordesk/stories/story/0,10738,2914453,00.html

Robert Vamosi,
Senior Associate Editor,
CNET/ZDNet Reviews
August 11, 2003 

With a publicly available search engine, a few well-chosen e-mail 
addresses, and off-the-shelf viral code, anyone can commit an act of 
cyberterrorism--or so says Roelof Temmingh, technical director of 
SensePost, a South African computer security company. 

Speaking at the recent Black Hat Briefings and Defcon 11 conferences, 
Temmingh explained that the current methods of assailing computer 
networks--denial-of-service attacks (DoS) or remote 
break-ins--inconvenience too few people to really impact a nation's 
information infrastructure. The sort of exploit that could really hurt 
a country, Temmingh suggests, would more likely be based on e-mail 
viruses, a concept he outlined in a recent paper [1]. 

HOPEFULLY, learning about how the unthinkable could happen should help 
us prepare for and minimize the damage of such an event, should it 
ever occur. 

Temmingh and his associates got a chance to investigate his theory 
while working with a South African bank. They decided to see how easy 
it would be to infect a bank's computer systems (which presumably are 
pretty secure) with an e-mail-borne virus. 

Since e-mail attachments are relatively easy for IT departments to 
detect, they started by imbedding in an e-mail message a link to a Web 
site that could have contained malicious code (but didn't, because the 
team didn't want to actually infect the bank's computers). Of the 
thirteen IT people working at the bank, eight downloaded the 
executable file linked to in the e-mail, and five actually executed 
the code on their desktop systems. This means, had the virus been 
real, the bank's entire network could have been infected. 

FROM THIS experiment Temmingh extrapolated that a cyberterrorist could 
effectively deliver malicious code to any organization, anywhere in 
the world. If that individual sent the infected e-mail simultaneously 
to individuals in government agencies and the military, it could have 
devastating effects on a country's ability to communicate, carry out 
business, and defend itself. 

The key to this attack is finding real e-mail addresses to target. For 
this, Temmingh wrote a few scripts that use Google to search for 
public references to e-mail addresses on the Web. The scripts allow 
him to search for e-mails from a given country, and hunt in particular 
for individuals working for telecommunication and financial companies, 
energy providers, governmental departments, the military, the media, 
prominent local businesses, and hospitals. 

There are plenty of addresses available, especially on bulletin boards 
and in discussion forums. If a malicious user could infect just one 
government system (even if it's the desktop machine of a low-ranking 
official), he could, in theory, infect larger government computer 
systems as well. 

WITHIN MINUTES of running the scripts at the Black Hat conference, 
hundreds of e-mails belonging to U.S. military and government 
employees showed up on Temmingh's presentation screen. Judging from 
the collective gasp from the audience (comprised mainly of U.S. 
government, military, and private computer security experts), Timmingh 
made his point. 

Some may not agree with me, but I don't think talking and writing 
about this sort of attack is a blueprint for disaster. Rather, 
becoming informed about how cyberterrorists could hurt us helps our 
security community learn how to protect against these threats. 

The U.S. government has long worried that a cyberattack could cripple 
our nation's infrastructure. Before Sept. 11, it was one of the White 
House's key security concerns. But we were betting cyberterrorists 
would have to be very clever to pull something like this off. It turns 
out that's not true. Now that we're aware of how easy it could be to 
carry out such an attack, we must turn our attention to making sure 
we're prepared for it. 

[1] http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-sensepost/bh-us-03-sensepost-paper.pdf



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.