Date: Thu, 1 Apr 1999 14:13:39 -0500
From: Mike-O
Subject: Re: Welcome back - now, what does the future hold for us?
X-Digest: Volume 12 : Issue 13

There are just too many people who think like this, and as a result we have to put up with software ridden with security problems that anyone with more than half a brain and INTERNET access can exploit!

The D.I.S.A. have shown time and time again that anyone just using hacking techniques downloadable from publicly available INTERNET "naughty" sites can, and usually does, get access to the target, and can do their worst. In some cases DISA "hackers" were able to get into the majority of so-called secure US military sites, and in the majority of cases they were not detected.

What is needed is to shout from the rooftops about security holes in defective software peddled on the gullible public by the likes of Microsoft etc., until they are forced to produce FREE patches for their DEFECTIVE software. Perhaps someone will successfully sue a major SW producing company for negligence when they suffer losses from buggy software.

Mike Orton CPhys., MInstP.
30 years in computing from Stretch and Atlas to the Pentium PC.

References: showing how serious the problem really is.

[Ref. 1.] Feedback, New Scientist, 15 July 1995, p92. (extract)
The DISA tried hacking into "secure" US military systems using methods obtained from INTERNET hacking sites. They tried 10,000 attacks, of which 8800 were successful, and ONLY 440 were detected, and only 22 prompted a reaction!

Ref. 2. Computer Security: New Scientist 18/5/96, Phillip Cohen. "Companies turn a blind eye to diddlers and spoofers", p6.
FBI survey conducted by the Computer Security Institute. 428 corporate, government and academic institutes asked; 41% admitted that their security had been broken by hackers during the past year, 37% said no, they hadn't, and 22% didn't know!
"Crimes go unreported because institutions worry that advertising their vulnerability might undermine their clients' confidence."

Ref. 3. "Computer Security is 'not protection, it's delay'"
Reporting on a security audit of 15,000 Pentagon systems in which vulnerabilities had previously been pointed out to system managers for correction, the Information Warfare Division of the Defence Information Systems Agency (D.I.S.A.) found that it was able to gain access to almost nine out of ten of the systems simply by using publicly available techniques. A top Agency administrator says that security managers need to focus less on preventing outside penetration and more on detecting intrusions and reacting with immediate shutdowns. "You have to view security as buying you time. It's not protection. It's delay." Computer World, 3rd Mar '97.

Ref. 4. CIA WARNS AGAINST "INFORMATION WARFARE"
CIA Director George Tenet told the Senate Government Affairs Committee recently that China and several other nations are developing "extraordinary" information warfare capabilities, and warned that everyone -- from foreign nations' intelligence and military forces, to industrial competitors, to everyday citizens -- is at risk. According to Tenet, "It is clear that nations developing these programs recognise the value of attacking a country's computer systems both on the battlefield and in the civilian arena." National Security Agency head Lt. Gen. Kenneth Minihan concurred, saying "We are seeing the tip of the iceberg. Even when attacks are detected and reported, we rarely know who the attacker was." (Information Week 6 Jul. 98)

Ref. 5. RAND, "CyberWar is Coming!", John Arquilla and David Ronfeldt, 1993, http://gopher.well.sf.ca.us:70/0/Military/cyberwar

Ref. 6.
COMPUTER SECURITY DOWN, LOSSES UP
Two recently conducted studies report that losses experienced by Fortune 1000 companies as a result of computer break-ins were higher last year than ever before, despite increased spending on computer security measures. A study by the Computer Security Institute and the FBI estimates 1997 losses from computer crime at $136 million, up 36% from 1996. About half the respondents cited the INTERNET as a frequent point of attack, with the remainder citing internal corporate networks as the favoured break-in point. Meanwhile, a study by WarRoom Research LLC found that a large majority of Fortune 1000 companies have experienced a break-in by an outsider in the past 12 months, with more than half reporting more than 30 security breaches during that time period. Nearly 60% reported losses of $200,000 or more for each intrusion. Mitch Kabay, director of education at the International Computer Security Association, notes that even these figures may be understating the problem: "It's not possible to have truly accurate information on break-ins, because you can't know how many of them went completely undetected and you can't be sure how many of them are not reported." One former cracker, who recently completed a prison sentence for his activities, says networks are getting more vulnerable, not less: "You don't need even a basic skill level to get in." (INTERNET Week 23 Mar 98)

Ref. 7. The standard statistics for computer systems vulnerabilities via the INTERNET come from the Defence Information Systems Agency's (DISA's) Vulnerability Analysis and Assessment Program. Under the program, DISA personnel attempt to penetrate computer systems at various military service and Defence agency sites via the INTERNET. From 1992 to 1996, DISA conducted 38,000 attacks on U.S. DoD computer systems to test how well they are protected. DISA successfully gained access 24,700 times (65%). Of these successful exploitations, 23,712 went undetected (96%).
Of the 988 detected incidents, 27% were reported back to DISA. Therefore, only 1 in 150 successful attacks drew an active defensive response from the organisations being tested. These statistics are diagrammed in the U.S. General Accounting Office (GAO) report to Congress, "Information Security: Computer Attacks at Department of Defence Pose Increasing Risks", May 1996, GAO/AIMD-96-84, and are reprinted in many textbooks, such as "Business Data Communications, 3rd ed.", Stallings and Van Slyke, 1997, Chapter 17, Network Security.

Ref. 8. Infowar in general:
Journal of Infrastructure Warfare - http://www.iwar.org
Signal9 http://www.signal9.com
ENSURE TECHNOLOGIES http://www.ensuretech.com
http://www.infowar.com/new_iwc/new_iwc.html-ssi
http://iw.windermeregroup.com/
Interesting virus info: http://www.windermeregroup.com

Ref. 9. http://www.washtimes.com
Hackers testify they can crash INTERNET service in a half-hour
By James W. Brosnan, SCRIPPS HOWARD NEWS SERVICE
A band of seven hackers from Boston told a Senate committee yesterday that they could bring down the foundations of the INTERNET in 30 minutes. Testifying under their INTERNET aliases -- Mudge, Brian Oblivion, Space Rogue, Kingpin, Weld Pond, John Tan and Stefan Von Neumann -- the hackers said that by interfering with the links between long-distance phone carriers such as AT&T and MCI they could disrupt INTERNET service for a couple of days.

The hackers, known collectively as LOpht, opened a series of hearings by Senate Governmental Affairs Committee Chairman Fred Thompson, Tennessee Republican, on the security of government and commercial computer and telecommunication networks. Mr. Thompson released a pair of reports by the congressional General Accounting Office that said the State Department and the Federal Aviation Administration's air control system are highly vulnerable to hacking. In a test, congressional investigators accessed the travel itineraries of U.S. diplomats, employment records and e-mail traffic and were even able to take control of the State Department's computers. Much of the FAA report was so scary it was classified. Utilities, stock exchanges, the Federal Reserve and taxpayer credit and medical records also are at risk, Mr. Thompson said. "It seems the more technologically advanced we've become the more vulnerable we've become," he said. "Our nation's underlying information infrastructure is riddled with security flaws."

The LOpht hackers blamed the poor security on the patchwork nature of the INTERNET networks, government laxity and the indifference of makers of operating systems and software to security concerns. "Simple security measures are missing from almost all the software sold to companies today," Mudge said. For instance, while Microsoft claims its Windows NT server for businesses is more secure than Windows 95 for personal users, Weld Pond said hackers usually can break into an NT system in less than a day. Mr. Thompson predicted it is only a matter of time before Microsoft and other software makers find themselves being sued by a company whose system has been penetrated through their software.

Not all the testimony was bleak. The hackers said it is far easier to interfere with service than to change data or issue commands. For instance, the Global Positioning Satellite system used in military and some civilian aircraft for navigation can be jammed, but it is unlikely a hacker could move a satellite's position, the hackers testified. Still, Space Rogue said, a determined group of hackers could "wreak havoc in the country."

The LOpht hackers, who are in their 20s and 30s, meet in a Boston loft after their day jobs to probe for weaknesses in computer, cellular phone and other communications networks. They then alert the targets about any weaknesses and in some cases make the information public if the targets do not improve security.

L0pht are at http://l0pht.com/ Remember L zero pht!
[Pronounced LOFT]

[Ref. 10.] IT MANAGERS STRIKE BACK
An increasing number of large companies are mad as you-know-what and aren't taking it any more -- they're arming their systems with software capable of launching counterattacks on crackers that invade their computer networks. A study titled "Corporate America's Competitive Edge" indicates that 30% of the 320 Fortune 500 companies interviewed say they now have such software installed. The tactic, known as "strikeback," runs the gamut from passive collection of information on hackers to deter further intrusion, to a "Ping of Death" that shuts the intruding system down. Security experts warn that strikeback systems, taken too far, could pose serious legal and technical problems. For example, the strikeback user must be sure the attack is targeted at the correct system, or face the litigious consequences. In a recent case involving the Defence Department, "the DoD was lucky it knew who was attacking and could get the right people," says the director of penetration services at Secure Computing. "In many cases, you can't be completely sure of who's attacking." Some reports have indicated that 80% of intrusions occur inside an organisation, and 65% to 70% of those are mistakes. (InternetWeek 7 Dec 98)

Ref. 11. "Maximum Security: A Hacker's Guide to Protecting Your INTERNET Site and Network". ISBN 1575212684. The author is "anonymous, root@netherworld.net". Original title: "Cracking the Net: A Hacker's Guide to INTERNET Security", but changed by the publisher. ($49.95) Available from Computer Literacy Book Store, Tysons Corner, VA. On order at Chapters, K Street, Washington, D.C. Available from www.amazon.com under the original title.

Ref. 12. Hacking/security Web and FTP sites.
Back issues of the Happy Hacker Digest and Guides to (mostly) Harmless Hacking at http://techbroker.com/happyhacker.html.
Super Swedish Happy Hacker site (in English): http://w1.340.telia.com/~u34002171/hhd.html
Phrack (a hacking) Magazine can be obtained from the following sites:
http://www.phrack.com
ftp://ftp.ishiboo.com/phrack
http://www.infonexus.com/~daemon9/Projects
ftp://azrael.phrack.com/pub/phrack
http://www.nmrc.org/compute/intrude.html
http://www.leviathan.org/phrack.html
The Happy Hacker Digest Webpage, located at http://www.cs.utexas.edu/users/matt/hh.html
RSnake's Hacking Webpage http://members.tripod.com/~havoc00/corner.shtml
http://www.secnet.com
ftp://ftp.secnet.com
A good tutorial on some of the issues of cracking Windows NT passwords may be found at http://ntbugtraq.rc.on.ca/samfaq.htm

Ref. 13. REPORT ON CYBER-TERRORISM
A new report on national security, titled "CyberCrime, CyberTerrorism and CyberWarfare," calls for a complete overhaul of U.S. national security agencies and policies in order to avoid crippling sabotage of the nation's and corporate America's information infrastructure. The report, which is the product of the Centre for Strategic and International Studies' Global Organised Crime project headed up by former FBI and CIA director William Webster, chronicles the results of a recent Joint Chiefs of Staff exercise code-named "Eligible Receiver." The exercise involved a group of security experts, known as a "red team," that used software widely available from cracker Web sites to demonstrate the capability to penetrate and disable major portions of the U.S. electric power grid and deny computer systems to the entire Pacific military command and control operation. The report recommends the establishment of private-sector-organised groups that would evaluate and endorse information security standards in various industries, coupled with increased government support for such efforts and the development of a national security policy for the Information Revolution. "The private sector cannot sit back and wait for government to lead," says Sen. Charles Robb (D-Va.), a member of the Senate Select Committee on Intelligence. (InternetWeek 16 Dec 98)

Ref. 14. "Phrack Magazine" P51-16. Title: MS Security Plugs Not Airtight. Author: Nick Wingfield (May 22, 1997, 12:45 p.m. PT). Microsoft (MSFT) is still struggling to completely patch Windows 95 and NT against INTERNET hacker attacks. Article goes into technique, with references.

Ref. 15. INTERNET VANDALS STRIKE USIA WEB SITE
The Web site of the United States Information Agency, which is used by American diplomats abroad for statements on American policy or texts of official speeches, was broken into recently by INTERNET vandals who left on the USIA system a "Trojan Horse" piece of computer code that caused basic hardware damage and the destruction of the site. A USIA computer specialist said security for the site would be beefed up. "We simply can't have this happening every six months. People rely on us." (New York Times 21 Jan 99)

Ref. 16. REMARKS BY THE PRESIDENT ON KEEPING AMERICA SECURE FOR THE 21ST CENTURY
at National Academy of Sciences, Washington, D.C., January 22, 1999
Last May, at the Naval Academy commencement, I said terrorist and outlaw states are extending the world's fields of battle, from physical space to Cyberspace. We must be ready -- ready if our adversaries try to use computers to disable power grids, banking, communications and transportation networks, police, fire and health services -- or military assets. More and more, these critical systems are driven by, and linked together with, computers, making them more vulnerable to disruption. Last spring, we saw the enormous impact of a single failed electronic link, when a satellite malfunctioned -- disabled pagers, ATMs, credit card systems and television networks all around the world.
And we already are seeing the first wave of deliberate cyber attacks -- hackers break into government and business computers, stealing and destroying information, raiding bank accounts, running up credit card charges, extorting money by threats to unleash computer viruses. We have to be ready for adversaries to launch attacks that could paralyse utilities and services across entire regions.

Ref. 17. CLINTON PROPOSES $1.4 BILLION FOR COMPUTER SECURITY
As part of its call for new spending on advanced technology R&D, the Clinton administration is proposing that $1.464 billion be spent on "critical infrastructure protection and computer security," an increase of 40% over what's currently spent in this area. Most of the funding is earmarked for applied research on computer security through the Defense Department, but about $3 million would go toward new computer science scholarships with the goal of creating a "cyber-corps" of electronic network defenders. Congress is likely to approve or even increase the proposed funds, according to Rep. Curt Weldon (R-Penn.), who chairs the House Armed Services Subcommittee on research. (Science 29 Jan 99)

Mike Orton. CPhys., MInstP., DCT(Batt)., MSRP., PGCE(Wales). April 1999.
e-mail: Mike_Orton_HARLECH@CompuServe.com