Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Historical update on pentagon computer attacks

  • From: Paul Howell
  • Date: Mon Mar 08 07:48:18 1999

This story is in today's New York Times.  
http://www.nytimes.com/library/tech/99/03/cyber/articles/08defense.html#1

It makes the distinction between probing and attacks, and how people
(hackers) attempt to evade detection by slow scans from different IP
addresses.

As news media stories about computer crime go, this is one of the 
better ones I've read.

< paul



Hacker 'Attacks' on Military Networks May Be
Closer to Espionage

By PETER WAYNER 

In recent weeks, Government officials involved with defense have
described a new kind of "cyberwar" being fought on the Internet, with
unknown hackers unleashing relentless assaults on military computers. 

"Are we under constant attack? Absolutely," said
Representative Curt Weldon, a Pennsylvania
Republican who heads the Military Research and
Development Subcommittee of the House Armed
Services Committee, in a telephone interview on
Friday. Weldon held a closed-door briefing last month
at which military officials told House members that the Pentagon was facing
new threats from hackers. 

"Attack" is a strong word, one that might bring to mind the Japanese strike
on Pearl Harbor. But some computer security experts stress that while the
hacker activity that the House heard about is a potential threat, calling it an
attack could be an overstatement. Much of it appears to be something closer
to cold war espionage than a bombing run. 

The Naval Surface Warfare Center in Dahlgren, Va., first detected the
unusual activity that John J. Hamre, the Deputy Secretary of Defense,
described to the House last month. Fred Kerby, the information system
security manager at the center, characterized it as a "low and slow scan,"
designed to map out military computer networks without attracting
attention. 

Drew Dean, a computer security expert at Xerox's Palo Alto Research Center,
said it could be misleading to characterize this kind of scan as a full attack. 

"It's a precursor to attack," he said. "If someone I didn't know scanned my
machine, I would assume it was an unfriendly act." Dean noted, however,
that there are often legitimate and innocent reasons for a computer user to
check out another machine across the Internet. 

In fact, the Norwegian Supreme Court was recently asked to rule on whether
or not such scanning was illegal. The court decided that it was not, because
it was similar to a knock on the door, not forced entry. 

A hacker wanting to learn something about an organization's computer
network might begin by scanning the network with the "ping" protocol, which
sends a small packet of data to a computer and asks it to respond to see if it
is connected to the network. This is equivalent to calling a list of sequential
telephone numbers and seeing who answers. 

Kerby at the Naval Surface Warfare Center said that most military sites
routinely block out ping requests. "We don't allow them through," he said.
"We regard them as an ankle biter... We just note that they came up and
rang the door bell, but we had everything secured before they got here." 

Some hackers use more sophisticated probes. It is possible, for instance, to
see if a computer accepts electronic mail by sending a trial message. This
information can be exploited, in some cases, because older versions of the
popular electronic mail program known as Sendmail have numerous
security holes that could give a hacker access to a system. Robert Tappan
Morris Jr., then an undergraduate at Cornell University, used one such hole
to launch a "worm" program that crippled the Internet in 1988. 

In the case of the latest probes, the hackers tried to conceal the scale of
their effort by sending requests from a number of different computers. 

"This is what's known as a coordinated attack," said John Green, a senior
security analyst at the Naval Surface Warfare Center. "It's not detected by
most commercial detection systems. What made this significant is that it
was low and slow. We would get very few packets from each site." 

The Dahlgren center discovered these distributed probes with a new
surveillance system they designed called "Shadow," which looks for patterns
in data traffic. In this case, it analyzed packet flows over several months and
revealed that many machines were being completely probed. 

"Instead of hitting 65,536 ports on one computer, they'll be probing one or two
ports on each computer, then one or two on another computer," Kerby said.
After some time, all of the ports on each computer would have been
systematically probed by several machines acting in concert. 

"Scanning or probing is just a reconnaissance effort," Green said. "Once they
gather a map of your network, they can then go back and target the
machines that they've discovered." 

Assessing the real danger of this activity is difficult to do. Many people use
tools like the ping protocol to test and debug their networks. In fact, those
probing the military networks may be using the same tools used routinely by
the network administrators, because they have both legitimate and
illegitimate uses. 

Determining the scope of the hackers' effort is also hard, in part because the
Department of Defense refuses to say much about them. The investigation is
still unfolding and is also classified. 

The Pentagon has said that, as is the case with the vast majority of hacking
attempts, the recent probes did not result in the penetration of any
computers storing sensitive information. Also, the Dahlgren center said it
found a way to thwart this method of probing, and has told all military
services about the remedy. It has posted the Shadow software on its Web site
so any organization can use it freely. 

Some security experts and critics of the military budget dismiss the recent
talk of "cyberwar" as a public relations effort, designed to get Congress to
increase defense spending. They point out that truly sensitive government
computers are not even connected to the Internet. It is important to ask,
they say, whether the activity described to Congress was an attempt to
launch missiles or just probes of innocent desktop computers used to surf
the Web. 

"It would not surprise me if this was a public relations maneuver," said Winn
Schwartau, a security consultant and author of the book "Information
Warfare," in a telephone interview on Friday. 

Schwartau said, however, that the nation is not spending enough to defend
itself from enemies armed with computers and hacking expertise. "Maybe
they're being more open about it to help with the overall awareness that
America is sorely lacking," he said. 

"Is surveillance an offensive activity?" Schwartau asked. "Under the cold-war
mentality, it was. A U2 surveillance of Russia was considered offensive.
Some satellite surveillance was considered offensive." 

Military computers have long been a favorite target of members of the
hacker underground wanting to show off their skills. But Representative
Weldon said it is important not to dismiss all hacking attempts as the work of
computerized joyriders. 

"I can tell you, I know there are countries out there that are putting money
into information warfare," he said. "You know, they can't match our military,
so they take what they have: high-performance computers and people who
know systems. Then you work on compromising our systems." 

Weldon noted that the Defense Department is not the only target of
malicious hackers. "We know of banks who've had their firewalls broken and
money transferred out, and they're not going to talk about it," he said. The
private sector needs to cooperate more with the government in this area, he
said. 
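
The article's point that a coordinated "low and slow" scan slips past per-source thresholds but shows up when traffic is aggregated per destination over months, as an added example that is not part of the original post, the article, or the Shadow software. The record format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed records (day, src_ip, dst_ip, dst_port); all addresses are documentation ranges."""
    scanners = [f"198.51.100.{i}" for i in range(1, 21)]   # 20 cooperating sources
    targets = ["192.0.2.10", "192.0.2.11"]
    records = []
    for day in range(60):                                   # two months of traffic
        for idx, dst in enumerate(targets):
            src = scanners[(day + idx) % len(scanners)]     # rotate the probing source
            records += [(day, src, dst, 2 * day + 1), (day, src, dst, 2 * day + 2)]
    for day in range(60):                                   # benign traffic
        records.append((day, "203.0.113.5", "192.0.2.10", 80))
        records.append((day, f"203.0.113.{day + 10}", "192.0.2.20", 443))
    return records

def per_source_alerts(records, port_threshold=10):
    """Classic rule: one source touching many ports on one host in one day."""
    seen = defaultdict(set)
    for day, src, dst, port in records:
        seen[(day, src, dst)].add(port)
    return {src for (_, src, _), ports in seen.items() if len(ports) >= port_threshold}

def coordinated_scan_targets(records, min_ports=50, min_sources=5):
    """Long-window view: per destination, union the ports probed by all sources."""
    by_dst = defaultdict(lambda: defaultdict(set))          # dst -> src -> ports
    for _, src, dst, port in records:
        by_dst[dst][src].add(port)
    flagged = {}
    for dst, by_src in by_dst.items():
        all_ports = set().union(*by_src.values())
        if len(all_ports) >= min_ports and len(by_src) >= min_sources:
            busiest = max(len(p) for p in by_src.values())
            flagged[dst] = (len(all_ports), len(by_src), busiest)
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-source alerts:", per_source_alerts(sample))
    for dst, (ports, sources, busiest) in sorted(coordinated_scan_targets(sample).items()):
        print(f"{dst}: {ports} ports probed by {sources} sources, at most {busiest} each")
```

The busy web server at 192.0.2.20 is not flagged because many sources reach only one port there; the signal is the breadth of ports covered per destination, not the number of sources alone.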





