Information Security News mailing list archives

Red alert on the e-war front


From: InfoSec News <isn () c4i org>
Date: Wed, 16 Jul 2003 02:46:11 -0500 (CDT)

http://www.newscientist.com/hottopics/tech/article.jsp?id=24024800

By Duncan Graham-Rowe 
New Scientist Magazine   
05 July 03

I'M SITTING in a swanky conference room in Washington DC, surrounded
by 65 computer experts from several businesses, and just about every
US government agency and branch of the military. Normally their job is
to defend the computer networks of such weighty establishments as the
Department of Defense, the FBI, the National Security Agency, Air
Force Intelligence, the Marine Corps and several large corporations.  
But everyone has switched allegiance. Today, we're the bad guys.

We have enrolled in hacking school. Using only our cunning and some
basic software tools downloaded from the internet, we are about to
learn about breaking into computer networks. The reason so many
military, security and corporate bodies have sent people along to this
event is a growing concern that the US is vulnerable to a full-scale
electronic attack. In February, President Bush published a "National
Strategy to Secure Cyberspace". It pointed out that, given a malicious
intent, potential adversaries now have access to internet-based tools
that could seriously harm the nation's infrastructure. We are not
talking here about simply defacing a website or putting it out of
action for a few hours. With networked computers running the phone
lines, air traffic systems, water supply, dams, power stations,
financial markets and services, food distribution, communications,
healthcare and emergency services, a return to the Stone Age could be
just a few hacks away. "Waiting to learn of an imminent attack before
addressing important critical infrastructure vulnerabilities is a
risky and unacceptable strategy," the report says. "Cyber attacks can
burst onto the Nation's networks with little or no warning and spread
so fast that many victims never have a chance to hear the alarms."

"It's not a matter of if, it's a matter of when," says Winn Schwartau,
head of the Florida-based security consultancy Interpact, and joint
organiser of this event. And so my co-conspirators, reasoning that it
makes sense to err on the side of caution, have turned out here to
learn the art of hacking: getting to know how their enemies might work,
and so making themselves better able to work out strategies to foil
them.

The plush surroundings aside, the technical set-up we have in front of
us is highly realistic, says Tim Rosenberg of White Wolf consultants,
co-organiser of this cyber-war game. It includes a miniature version
of the internet, with a bogus company network on one end and ourselves
on the other. "The only unrealistic thing is that we know that you're
coming," Rosenberg says.

Of course, Schwartau and security consultants like him could be (and
have been) accused of hyping the problem; there are books to be sold,
courses to be run and lucrative cyber-defence contracts to gain. Much
of the concern about cyber-terrorism seems to be fired by anecdotes
about hacks or attempted hacks, or even just hackers sniffing around
the power companies; it's hard to find any concrete evidence that a
cyber-attack is imminent.

But even if there is a plausible threat, couldn't we ensure that all
critical networks are kept securely cut off from the rest of the
world? Unfortunately, the answer is no. Many companies, including the
utilities, rely on their interconnectedness to trade. Even the air
traffic control system is not entirely disconnected. According to
Daniel Mehan, the US Federal Aviation Administration's assistant
administrator for information services, it is no longer practical to
completely separate air traffic management networks from the rest of
the world; it would simply be too expensive to set up. "It's very,
very hard to get at the air traffic system," says Mehan. "But you will
never develop a system that can't have any intrusion ever."

One source of vulnerability comes from a class of systems called
SCADA, which stands for supervisory control and data acquisition.
It is systems of this type that allow electricity, gas and
water supply networks to be managed from a central control point. "It
used to be the case that we'd open floodgates by turning a wheel,"
says Howard Schmidt, vice-chair of the Critical Infrastructure
Protection Board, set up by President Bush in October 2001. "Today
it's done through a keyboard, often through a remote system."

SCADA systems used to be home-grown, purpose-built and closed off from
the rest of the world. But now, as companies come under increasing
pressure to maximise profits, hardly anyone can afford to use
custom-built software any more. "The Chinese use the same SCADA
vendors as they use here in America," says Bill Flynt, formerly the
director of homeland infrastructure security threats office for the US
Army, and now at TRC Solutions, a security company based in Kansas
City, Missouri. That has left us with generic SCADA systems: gateways
to the companies, operating on publicly accessible networks. These
days, one cyber-attack fits all.

It is now five years since the Clinton administration started paying
attention to the claims that the US was vulnerable to a cyber-attack.
The first response was to issue a directive, Presidential Decision
Directive 63, Protecting America's Critical Infrastructures, which
called for national centres to be established to warn of computer
attacks and respond to them. The trouble is that no one seemed to want
to get involved.

Clinton's solution was to try to enlist the help of the private sector
by setting up information-sharing networks. It also encouraged
companies to invest more seriously in IT security, something they had
previously been unwilling to do. The idea was that a central
organisation run by the FBI would be used by companies to share
information about any threats, weaknesses, viruses or oddities they
spotted.

Unfortunately many companies didn't reckon there was much in it for
them. The FBI appeared willing to receive information but was less
forthcoming when it came to handing it out. For many companies, the
idea that they and their competitors might share sensitive information
with the same third party went wholly against the grain. With no
satisfactory way to deal with it, cyber-security problems remained
just one of the costs of doing business and certainly not something to
let the shareholders know about. "Less than 10 per cent of
cyber-crimes get investigated because CEOs are reluctant to get the
police involved," says Harris Miller, president of the Information
Technology Association of America.

Does it really only take a few point-and-clicks to bring down a
superpower? No. At the very least, such a task would require an
enormous number of highly trained, highly motivated terrorists working
in a closely coordinated and meticulously planned attack. And even
given this scenario, some consultants, such as James Lewis of the
Center for Strategic & International Studies, an independent public
policy research institute, say that the threats have been wildly
overstated.

Lewis's assessment of cyber-terrorism, published last December,
concludes that "the Internet is a new thing, and new things can appear
more frightening than they really are." Power companies are used to
dealing with sudden problems such as fallen power lines or computer
malfunctions, he points out. Temporary failures are almost routine,
yet most of the time people on the outside know nothing of any
difficulties. While 70 per cent of US power companies had suffered
cyber-attacks in the first six months of 2002, none of the attacks had
caused a power failure. The idea that a cyber-attack could cripple the
entire nation doesn't hold up, Lewis says.

Whatever the truth about the credibility of the threat, many companies
are preparing themselves to deal with such an attack, Schwartau says:
try one and you might be in for a surprise. Although using electronic
countermeasures is illegal, many companies have apparently put
programs in place that respond to an attack by disabling the attacking
computers.

Have they thought this through? If there's one thing I've learned in
hacking school, it's that hackers take over other people's machines
and hide behind them. If cyber-war does break out, who knows what
damage an electronic counter-attack could do to the very critical
infrastructure it is trying to protect? Friendly fire and collateral
damage may be about to go digital.



Date & Time Monday, 0800 hours

We've barely slept for days. But our reconnaissance is now complete;
finally, we can begin. My personal objective is simple: break into an
electrical power company, bring down as much of the electricity grid
as I can, and plunge a large part of the US into darkness. While I do
this, my accomplices will attack the rest of the grid and other parts
of the country's critical infrastructure: the banks, the transport
systems, utilities, communications, food supply, and so on. Our aim:
total disruption.
 
 

Date & Time Monday, 1400 hours

If I'm to do any serious damage I need to become god of the computer
network I'm attacking. If I can pose as the network's administrator I
can then do pretty much what I want to any computer on the network:
change passwords, delete files, even bring the entire network down.
All I need to do is get my hands on the file called sysadmin, the
system administrator's access file. But to do this, I need to get
inside the company's machines.

Any computer connected to the internet needs an Internet Protocol (IP)  
address to identify itself, and my reconnaissance has already told me
which IP addresses have been allocated to the company I'm targeting.
That's not hard, as IP addresses are publicly available. Some of these
computers function as website or email servers and will talk to
anyone. Machines intended solely for company use will be more picky,
and the sysadmin file is almost certainly going to be behind one of
these computers.

To find the hidden computers, I use one of the many programs that were
originally developed for system administrators to use across a network
but have since become one of the mainstays of every hacker's arsenal.
These programs can usually be freely downloaded from the net. The one
I'm using scans a list of IP addresses like a roll-call, shouting out
IP addresses to see who's out there. Any machine that fails to
respond must be a protected system that is deliberately trying to
remain invisible. Sure enough, one IP address on my target system
fails to respond.

Another scanning program tells me what kinds of task the machines are
being used for. One operates the file transfer protocol (FTP), another
is an email server and another is a Microsoft Internet server and
probably hosts the company's website. This, I decide, is going to be
my back door into the network.
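The two reconnaissance steps above (finding which addresses answer, then working out what each answering machine does) are what a port scanner with banner grabbing automates. The following is an added example, not code from the article or from the course it describes: a TCP connect probe that records whether a port answers and what the daemon volunteers about itself, plus a small classifier for the FTP, SMTP and IIS-style banners the narrative mentions. It scans fake services it starts on 127.0.0.1 so it runs offline; the banners, host names and port numbers are constructed for the example. One caveat the narrative glosses over is built into the labels: a connection that is refused or times out is reported as "closed/filtered", since a silent address may be a firewall or an empty slot rather than a machine deliberately hiding.

```python
import socket
import threading

# Constructed banners, loosely modelled on what FTP, SMTP and IIS daemons
# announce (assumption: not captured from any real host on the page).
FAKE_BANNERS = {
    "ftp": b"220 corp-ftp01 FTP server ready\r\n",
    "smtp": b"220 mail.example.test ESMTP ready\r\n",
    "http": b"HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n",
}


def start_fake_service(banner, speaks_first=True):
    """Stand-in target: listen on an ephemeral 127.0.0.1 port and answer
    each connection with `banner`. FTP and SMTP greet the client unprompted;
    HTTP waits for a request, so speaks_first=False makes the fake read
    something before replying. Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stopped = threading.Event()

    def serve():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if not speaks_first:
                    conn.settimeout(3.0)
                    try:
                        conn.recv(1024)
                    except socket.timeout:
                        pass
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stopped.set


def grab_banner(host, port, timeout=1.0):
    """TCP connect probe of one port. None means refused or timed out
    (closed, or filtered somewhere in the path; no answer is not proof of a
    deliberately hidden host). Otherwise returns the bytes the service
    volunteered, prodding it with a minimal HTTP request if it stayed quiet."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(0.5)                 # short wait for a greeting
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            if not data:                      # client-speaks-first protocol?
                s.settimeout(timeout)
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    data = b""
            return data
    except OSError:   # ConnectionRefusedError and socket.timeout are OSErrors
        return None


def classify(banner):
    """Map a probe result to a service label. The banner is what the daemon
    says about itself, so treat the label as a hint, not ground truth."""
    if banner is None:
        return "closed/filtered"
    if banner == b"":
        return "open, silent"
    head = banner.upper()
    if head.startswith(b"HTTP/"):
        return "http (IIS)" if b"MICROSOFT-IIS" in head else "http"
    if head.startswith(b"220 "):
        if b"FTP" in head:
            return "ftp"
        if b"SMTP" in head:                   # also matches ESMTP
            return "smtp"
    return "unknown"


def scan(host, ports):
    """Service-identification pass over a port list: {port: label}."""
    return {p: classify(grab_banner(host, p)) for p in ports}


if __name__ == "__main__":
    targets = {name: start_fake_service(b, speaks_first=(name != "http"))
               for name, b in FAKE_BANNERS.items()}
    for port, label in scan("127.0.0.1", [p for p, _ in targets.values()]).items():
        print(f"{port:>5}/tcp  {label}")
    for _, stop in targets.values():
        stop()
```

Against real hosts the same probe loop would be pointed at the address block found during reconnaissance and a list of well-known ports; the classification logic is the part that needs care, because a banner can be edited by the administrator to say anything.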
 
 

Date & Time Monday, 2100 hours

Once inside the company network, I need to find out how other company
computers address the computer where sysadmin resides. A sure-fire way
to find out is to take over a router somewhere on the internet between
me and the company's network. Routers are vital parts of the internet
that direct data traffic around the net. The machine that wouldn't
respond when I sent out its IP still has to use the internet somehow,
so the router will be aware of it and it will respond to calls from
the router.

Fortunately for an attacker like me, routers are designed to be
accessed remotely, so that engineers can maintain large numbers of
them from a single location. Using a program downloaded from the
Internet I find the router I'm looking for. I try accessing it by
pretending to be a network engineer. If I'm lucky the username and
passwords I need to do this will still be set to their default
settings. Far too often this is the case. After trying a few obvious
ones, "password" and "1234", I get lucky. In fact the password turned
out to be the moniker of the router.

Now I am in a position to do some damage. Taking control of the
router, as I have done, is like taking control of the points at a
railway junction. Instead of misdirecting trains, I would be
controlling data. I could, if I wanted to, stop any internet traffic
entering or leaving this company. This kind of attack, called "denial
of service", is estimated to cost the US economy alone millions of
dollars a year. I'm not tempted by this option, however; I'm intent on
getting inside the company 's network. Now I can simply ask the router
which computers it can "see". And because this request is coming from
a router, it doesn't trigger any of the systems that are supposed to
detect intruders. Sure enough, I see the IP address of the computer
I'm after and the router gives the name it is known by on the network
I'm attacking. I am ready for the assault.
 
 

Date & Time Tuesday 0900 hours

I am about to attack the web server. I dig out the name of the
webmaster; I found it listed on the website, along with his email
address. The first part of the address is most likely his login to the
system, but I still need a password. After a few failed guesses I
decide to go for a good old-fashioned brute-force approach: it's time
to roll out the password cracker, a program that will attempt millions
of possible passwords for you, starting with the obvious ones.
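Both the router break-in on Monday evening (defaults, then the device's own name) and the webmaster attack above (login taken from the email address, then a password cracker "starting with the obvious ones") are the same technique: ordered guessing. The following is an added example, not the course's tool or anything from the article, showing how such a cracker orders its candidates and why the "several hours" can happen. It works offline against a constructed credential store (made-up salts, hashes and names; the PBKDF2 hashing is an assumption about how the store is protected, chosen because the iteration count is what sets the cost per guess).

```python
import hashlib
import hmac

# Constructed credential store: the (salt, hash) material a cracker is run
# against offline. Nothing here comes from the page.
ITERATIONS = 10_000          # the defender's lever: cost of one guess


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of a password under a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def username_from_email(address):
    """'JSmith@powerco.example' -> 'jsmith': the local part is the usual
    first guess for the login name."""
    return address.split("@", 1)[0].lower()


COMMON = ("password", "1234", "admin", "root", "letmein")   # defaults first
SUFFIXES = ("1", "123", "!", "2003")                         # cheap mangles


def candidates(seed_words, common=COMMON):
    """Yield guesses in rough order of likelihood: default-style strings,
    then each seed (device name, account name, company name) as-is, then
    case variants and digit/year suffixes. Duplicates are suppressed so
    the guess count reported by crack() is honest."""
    seen = set()

    def fresh(word):
        if word in seen:
            return False
        seen.add(word)
        return True

    for w in common:
        if fresh(w):
            yield w
    for w in seed_words:
        for base in (w, w.lower(), w.capitalize(), w.upper()):
            if fresh(base):
                yield base
            for suffix in SUFFIXES:
                if fresh(base + suffix):
                    yield base + suffix


def crack(stored_hash, salt, seed_words, max_guesses=100_000):
    """Return (password, guesses_tried), or (None, guesses_tried) if the
    candidate space is exhausted or max_guesses is hit. compare_digest is
    used so the check itself does not leak timing information."""
    tried = 0
    for guess in candidates(seed_words):
        if tried >= max_guesses:
            break
        tried += 1
        if hmac.compare_digest(hash_password(guess, salt), stored_hash):
            return guess, tried
    return None, tried


if __name__ == "__main__":
    salt = b"constructed-salt"
    # Router whose password is its own hostname (the Monday 2100 finding).
    print(crack(hash_password("edge-rtr01", salt), salt, ["edge-rtr01"]))
    # Webmaster: login from the published address, password a mangled name.
    user = username_from_email("jsmith@powerco.example")
    print(user, crack(hash_password("Powerco123", salt), salt, [user, "PowerCo"]))
    # A random password is not in this candidate space at all.
    print(crack(hash_password("x9$Lq!7vB", salt), salt, [user], max_guesses=50))
```

The ordering is the whole trick: a hostname-as-password falls on the sixth guess here, while a password outside the pattern space never falls regardless of how long the run lasts. Raising ITERATIONS multiplies the attacker's time per guess by the same factor it costs the legitimate login, which is why "several hours" of cracking is a statement about the hash, not about the tool.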

Several hours and countless cups of coffee later, I'm in. I am now in
a position to deface the company's website. But that would be small
beer compared with my mission objective. I'm going for the jugular.

I am now officially trespassing. I run a search to see which other
computers this server is connected to. My luck seems to be drying up.  
This server seems to link to just about every other server the company
has except the one I want. Clearly the people who set up the network
are not as dumb as I'd hoped. But one of the computers it links to
does look promising: a Sun machine running a database that might well
be used to keep records of the company's e-commerce transactions. If
that's what it is, it will be connected to every other machine in the
company. By querying the database I see that it is indeed connected to
my target computer. I can now access this legitimately because I'm
coming at it from the inside. It tells me there is yet another
computer behind it and this holds the sysadmin file. That's it: I am
in control. Now, to delete all the files...
 


Date & Time Tuesday, 1200 hours

Having successfully cracked the network, I was in the mood for
whooping and high-fiving with my co-conspirators. Sadly, it was not to
be. By the time I had completed my mission, there were only four of us
left in the room myself and the three designers of the network who had
kindly agreed to show me, step-by-step, how to achieve what the other
65 programmers had figured out hours ago. America has nothing to fear
from me.

message ends
 
 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

