
Computer crime and airforce information systems


August 1998 Network Security

The reaction from privacy advocates was subdued. Those advocates are against any kind of key for encrypted data and the Electronic Privacy Information Center, for one, does not believe that the new proposal solves the privacy problem but simply lets companies sell more products overseas.

In a separate development a number of senators said that after the summer recess they would work to pass a bill that loosens restrictions on encrypted software. The move has bipartisan support and the senators said the present policy jeopardizes individual privacy, the security of the Internet, and US competitiveness.

CIA fears America is vulnerable

Barbara Gengler

The CIA is talking about the possibility of ‘high tech’ attacks against the US especially by the Chinese. This issue was tackled by CIA Director George Tenet as he spoke to a Senate panel on government affairs about the threat of the vulnerability of critical information to potentially devastating high tech attacks. Tenet said that future enemies, whether nations, groups or individuals, who seek to harm the US in non-traditional attacks could significantly harm both the military power and economy.

“Potential attackers range from national intelligence and military organizations, terrorists, criminals, industrial competitors, hackers and disgruntled or disloyal insiders.” He pointed out that just as foreign governments and their military services have long emphasized the need to disrupt the flow of information in combat situations, they now stress the power of ‘Information Warfare’ when targeted against civilian information infrastructures.

Tenet cited an article in China’s People’s Liberation Daily which stated, “an adversary wishing to destroy the United States only has to mess up the computer systems of its banks by high-tech means. This would disrupt and destroy the US economy. If we overlook this point and simply rely on the building of a costly army... it is just as good as building a contemporary Maginot Line.”

He also cited an interview late last year in which a senior Russian official commented “that an attack against a national target such as transportation or electrical power distribution would, by virtue of its catastrophic consequences, completely overlap with the use of weapons of mass destruction”.

Tenet said that as these anecdotes clearly demonstrate, the battle space of the information age will extend to our domestic infrastructure. “Our electric power grids and our telecommunications networks will be targets of the first order. An adversary capable of implanting the right virus or accessing the right terminal can cause massive damage.”

“Many of the countries whose information warfare efforts we follow realize that in a conventional military confrontation against the US, they cannot prevail. These countries recognize that cyber attacks against civilian computer systems in the US represent the kind of asymmetric option they will need to level the playing field during an armed crisis against the US,” he said.

He added that terrorists, while unlikely to mount an attack on the same scale as a nation, can still do considerable harm. “What’s worse, the technology of hacking has advanced to the point that many tools which required in-depth knowledge a few years ago have become automated and more ‘user-friendly’.”

“It may even be possible for terrorists to use amateur hackers as their unwitting accomplices in a cyber attack.”

Computer crime and airforce information systems

Frank Rees

According to Wing Commander Peter Wythes of the Royal Australian Airforce (RAAF), the impact of interfering with RAAF information systems could render it ineffective as an airforce. Consequently, it is important for organizations like the RAAF to quickly identify interference with their information systems and to distinguish between criminal activity and activity that is a security threat, a precursor to conflict, or even a form of information warfare.

In the Australian Defence Force Journal (May/June 1998) Wing Commander Wythes illustrates the scope of computer crime’s potential impact on the RAAF.

“Fraudulent adjustments of information and records to disguise the theft of stores and equipment, or to falsely create entitlements, can be performed by RAAF personnel and other Defence employees. Also, data held in RAAF information systems could be fraudulently adjusted to disguise improper or negligent maintenance practices. For example, warehouse staff might adjust records relating to the integrity of an aircraft component which they substituted to make up for a shortfall in a stock take. Although the item may be something as simple as a bolt, and of relatively minor value, subsequent fitment of the undetected facsimile component to an aircraft could result in a catastrophic failure, leading to the loss of a valuable asset and possibly the lives of the aircrew.”

Software piracy is not a particularly significant problem for the RAAF as its proprietary software has little utility beyond airforce purposes. On the other hand, computer espionage is an extremely significant issue for the RAAF.

Wing Commander Wythes continued: “In the military domain, classified information such as capabilities, vulnerabilities, strategies and dispositions may be extracted or manipulated. Substantial resources are expended in the development and application of layered security systems to prevent unauthorized access to classified information systems because the loss or compromise of classified information could have a disastrous impact on the RAAF and the defence of Australia. Systems that cost a fortune to develop could be rendered obsolete, and complete weapons systems could be neutralized.”

He said that the consequent loss to the nation in losing a complete weapons system was incalculable. The loss or inability to use a weapon system or platform, if associated with conflict, could literally result in ‘losing the farm’.

The threat of unauthorized access to its information systems has, by far, the greatest impact on the RAAF. Access to unclassified logistics information on resupply to an activity or location can disclose consumption rates and rates of effort. Analysis of this information can provide details of the mean time between failure of components, indicate the weakest areas in weapons systems, and also disclose details of a Defence contract. Besides the threat of foreign espionage, a likely motive for unauthorized access to RAAF information systems is to gain commercial advantage among the many organizations whose profitability depends on Defence contracts to provide goods and services to the RAAF.

He said that the RAAF’s reliance on information technology had not diminished its susceptibility to the use of the computer as a tool for committing traditional offences such as embezzlement, larceny and forgery - principally committed by its own personnel. The vulnerability to this type of crime was greatest when the new technology and systems were introduced. A new technology and stores resupply system introduced in the early 1990s provided a greater number of people who were inclined to abuse the system with the opportunity to do so; opportunities that hitherto had been denied them.

Aside from computer-related economic crimes, there was also computer-related infringement of privacy: use of incorrect data, illegal collection and storage of data, illegal disclosure and misuse of data, and infringement of privacy laws. He said that there was a critical need to have correct and assured data in certain RAAF computers. For example, any incompatible data in a modern fighter aircraft Mission Computer will prevent operation of the aircraft.

“Any corruption of the databases that feed the Mission Computers used in aircraft could ground the fleet just as effectively as destroying each aircraft. Such an attack on this weapons system and platform, through its information systems, would be more sinister, and could be carried out more covertly than any other form of destructive force. Such an attack is not limited to the more obvious military hardware, but could be conducted against distribution systems, or any one of the myriad of systems that contribute to Australia’s military capability, and which are highly reliant on information technology”, said Wing Commander Wythes.

Another category of computer crime was sabotage, sometimes subtle and performed remotely. He said that several devices now available could negate, destroy or incapacitate computers and information systems, and many more were being developed. Successful use of these devices caused temporary or permanent failure of electronic circuits, and they could be broadly grouped into three main types: RF Directed Energy Weapons, Electromagnetic Bombs and other general information weapons. Wing Commander Wythes noted experiments in the US to counter-attack hackers where the United States Air Force has devised ways of physically damaging computers used in hacker attacks.

Computer crime, said Wing Commander Wythes, could come in many guises in the RAAF, but generally leads to one or more forms of direct or indirect loss by theft, inefficiencies or consequential loss. Among these crimes, computer espionage and unauthorized access to its information is the predominant threat confronting the RAAF. The challenge to investigators examining interference with RAAF information systems is to quickly identify the offender and their motives to determine whether a police response to criminal matters is required, or a military response to an attack on Australia is justified.

Acknowledgements to Australian Defence Force Journal.

Managing Network Security: The Seedy Side of Security

Fred Cohen

Over the last few years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programmes has increasingly become a function of our ability to make prudent management decisions about organizational activities. This series of articles takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

This article represents the beginning of my fourth year of writing monthly articles on information protection for Network Security. It started back in August 1995 when I wrote the first in the ‘Internet Holes’ series, which changed to the ‘Managing Network Security’ series about half way through 1996. Because of this anniversary, I have decided to dedicate this month’s article to something completely different - not!

Actually, this month’s article is about the seedy side of security. If this sounds like something for the London Times or the Star, I hope they pick it up and give me a big royalty for it.

In recent months, my consulting work through third party firms has picked up considerably, and more and more I find myself teamed with 22-year-old self-proclaimed experts who charge outrageous fees, know very little about information protection, and use off-the-shelf tools to demonstrate some technical vulnerability that they don’t understand the implications of.

Clients seem to prefer to have six people who know almost nothing show up for a week, charge $60 000, and produce a few hundred pages of unreadable listings with little or no analysis over having two or three people show up for a day, charge $15 000, and produce a customized, short, readable report indicating the business implications of what they found and what they need to change in order to reduce the risks appropriately. If you are a major accounting firm, you can pay $120 000 instead of $60 000 and they will throw in a day of a senior partner who will tell you that you need them to provide you with several million more dollars worth of expertise to fix the problems with your network.

Once they buy the big study, their resources are committed, and regardless of the quality of the results, they need to declare that they have contributed something valuable. They shelve the actual results, but make a management presentation to tell management that all this paper supports what they originally postulated - that they need more budget for security. Management, which doesn’t understand the report at all, decides to cut the baby in half. They provide limited budget increases because they know that their employees are trying to do good things and because they trust their employees - if for no other reason than because they don’t know enough to disagree - but it usually corresponds to an article in the paper about a big computer break-in somewhere else.

Trust me

The ‘trust me’ argument is indeed a powerful one. When the

© 1998 Elsevier Science Ltd