Information Warfare

What is Information Warfare?

Information Warfare is any action utilizing information or information systems against an opponent.

- P.V. Radatti

The Goals of InfoWar

When practiced by individuals, the goals tend to be familiar:

  1. Thrill - "Joy Rides" & Random Acts
  2. Money, especially for drugs
  3. Revenge (The most dangerous)
  4. Political ("spiking trees" mentality)

Computer joy rides appear to be the most common but can still damage a system and a company's integrity. Who would put money in a bank that admitted to a break-in?

Hackers

Are not necessarily an enemy of your company. In fact, they may not know or care who you are. If there is nothing of interest on your system then it will be used as an attack platform to reach other systems.

Things of greatest interest are:

  1. Unrestricted Internet access
  2. Unrestricted ability to make outgoing telephone calls
  3. Any interesting security systems, source code or information

LESSONS LEARNED:

  • Make your system uninteresting. Blend in with the crowd. Never allow public accounts.
  • Make your system hard to crack. Maybe they will go look for an easier to crack system.
  • Remove the benefits of cracking your system
  • No in house connections - No outgoing modems - No outgoing Telnet, ftp, etc.....

Hackers as Friends?

Dangerous, Heresy, but...

  • Many hackers are single, teenage males with high IQ and social problems. While many people watch Television, they play with computers. If they trust you, they can be friendly and will happily tell you how they cracked your system. It's "bragging" rights.
  • Companies can utilize this type of hacker to strengthen their defenses against corporate and national industrial espionage. The usual cost is a few pizzas and old equipment.
  • Discount everything they say that sounds unbelievable unless they provide proof.
  • Do not give them free access to your system or offices. Never fully trust them!

This is a STREET SMART way of handling your systems but requires people, technical skills and some risk that you may not want to commit.

If you do choose to use this method. Be very aware of what you are doing. Choose who will be your interface very very carefully. I can't stress this point enough. This can be a managed risk but only if you use the correct people.

How to Use Hackers

  • Hackers in the wild are a mixed bag. They are as different as everyone else and some are dangerous.
  • When using this type of hacker, one approach is to attend a meeting and listen. Tell them why you are there and never lie. Treat them like nervous people.
  • Read their magazines, printed and on-line. Don't trust everything you read in the on-line editions.
  • Use their BBS systems.

One of the benefits of using Hackers as an unofficial support team is that it is like building resistance to poison. You can take small amounts so that you survive over a long period of time and built resistance to a full scale attack. Think of Hackers as a Hostile Test Team. A concept that many of us are already comfortable with.

In fact, your hackers, may even defend you against outsiders if they view it as an attack against one of their allies.

Hackers for Hire

  • There are Computer Security Consultants who can do everything that the hackers do. They won't work for pizza, but they can be trusted.
  • There are also Hackers for Hire. Some have been caught, convicted and reformed. They should be trustworthy.

Using Hackers and Consultants for hire is easier to sell to your upper management, but costs real money. The risk is very low but you have to work hard to find a consultant that is well matched to your needs. Don't be afraid to demand results.

The Goals of Industrial InfoWar

When practiced by companies or foreign governments on behalf of their industries, the goals are also familiar:

  1. Destroy the competition
  2. Steal research & product information
  3. Find company weaknesses
  4. Discredit competition
  5. Interfere with business processes
  6. Grab customers or "good deals"
  7. Steal money and/or equipment (rare)

THIS IS YOUR BIGGEST WORRY. THIS IS REAL. BE VERY CONCERNED. THIS IS NOT THE FUTURE, IT IS THE PRESENT AND MOST PEOPLE ARE IGNORING IT!

Industrial Espionage

  • Industrial espionage rose 260% to 350% since the late 1980s.
  • One government study found 97% of computer break-ins were undetected.
  • Over 1.2 million computer penetrations were reported in 1992. (Internet World February 1995)
  • Doing the math, I arrived at: 2,340,000 break-ins (1,200,000 X 1.97)

Look at that number! It's over 2 MILLION break-ins per year! Are you one of them? Can you tell? Most people suffer the results of a break-in and never know it. Their data is compromised, their processes may be trojaned and the company directors may be at legal risk for not taking reasonable precautions.

The Goals of Global InfoWar

When practiced by foreign governments the goals can be harder to understand, especially for North Americans who have a tradition of trusting their governments and hold privacy as "a right"

  • Steal information from their own industry. This is a great deal! No one is going to sue a national government. They create jobs and improve their economy without large R&D expenditures by stealing your research.
  • Military.

(Not the subject of this presentation)

Ignore this at your own risk! Foreign governments are well funded, well trained, determined and can be protected by diplomatic immunity. If they are attacking you over the Internet they may not even be breaking the law.

Who Me?

A problem that has attracted far too little attention to date is that of industrial espionage committed by or with the assistance of foreign intelligence services.

I am not going to suggest that foreign industrial espionage is the greatest difficulty American industry faces in seeking to succeed in the global market. But it is a real problem that costs the U.S. economy billions of dollars annually and appears to be growing rapidly.

Really? Me?

  • A South Korean computer company penetrates an American competitor with a mole who plants a bug in the United States companies fax machine.
  • Maintenance workers walk into a U.S. companies office overseas and reprogram the telephone switching equipment to enable outsiders to eavesdrop.
  • An American scientist goes from lab coat to turncoat, selling foreign pharmaceutical companies trade secrets that had cost $750 million in R&D costs to acquire. (Senator Cohen)

How, Who?

While much industrial espionage is solely the work of private firms, in many cases foreign governments assist or even direct economic spying activities. French intelligence has long engaged in large-scale industrial espionage programs, penetrating foreign businesses, intercepting their telecommunications, and conducting a reported 10 to 15 break-ins each day at Parisian hotels to copy documents business people have left in their rooms. The information acquired is passed on to French industry. (Senator Cohen)

Governments?

The governments of Japan, Germany, Belgium, the Netherlands, and other allies, as well as such countries as China, are also reported to spy on behalf of their countries' industry. (Senator Cohen)

This is the threat that can destroy your company, your national industry and your job opportunities. Consider the American semi-conductor, television and appliance industries. These attacks are not limited against United States companies. Any where there is an illicit gain to be made some one will attempt it. Ask foreign affiliates about their company security policies.

There is a Cost to Everything

There is a cost in capital assets and manpower in ensuring information security.

IS IT WORTH THE COST?

The answer has to be based upon the following factors:

  • How common are attacks?
  • What is the direct cost of what I am protecting?
  • What are the indirect costs of what I am protecting?
  • What are the intangible costs?

2) The data cost $100,000 to collect and process
3) The loss or damage to the data could put the company 6 months behind schedule costing you the loss of customer support.
4) Your competitor gains part of your market share. 60 Minutes shows up at your office.

How Often Are There Security Problems?

Dain Gary, manager of the Computer Emergency Response Team, reports that his group logs three to four security breaches on the Internet each day. In 1993 there were 773 reported intrusions. I don't have the 1994 numbers, however, Gary expected a 50% increase over the 1993 number. The real numbers are probably even higher. (Internet World, February 1995)

I think these are very low numbers.

The Cost of Security

The cost of security should be balanced against the cost of what you are trying to protect AND the damage caused by not protecting it.

Is it justified to spend $2000 in security protecting $500 in equipment? Yes, if the cost of lost labor, customer satisfaction or other indirect costs exceeds the $2000 cost of security

Customer satisfaction can be enhanced if they know that you have good security. It pleases customers to know that their competitors won't be tipped off to their activities by doing business with you.

Bullet 2 - 100 engineers sitting around for 8 hours waiting for the computer to be fixed.

    100        Engineers
    x $60    per hour
    x  8    Hours per day
-------------------------------------------------------------
    $48,000 wasted in one day because of a computer failure

The BIG Cost of Security

It has been reasonably estimated that on a national basis, the cost of security packages sold to commercial ventures exceeds the total cost of all losses due to break-ins or software attacks.

The problem is that the losses are spread across a small group who shoulder the entire burden while the cost of security packages are spread nationally. Of course the losses would be astronomical if no one had purchased any security packages.

What is the Risk to Me?

If your system is "interesting" or you have low security, then you increase your risk.

The security risk and its cost can be likened to major medical insurance. Everyone complains about the cost but everyone who can afford it has it because while the risk of a major medical incident is low, the cost to the individual is very high.

No one wants to pay for life insurance until after they die. Buying security products is like buying insurance. It spreads your risk across all available systems by making your site less attractive.

This analogy works even better if you consider medical insurance and cancer treatment.

Factors

We know that attacks are common and increasing, but it's a big world and unless we stand out from the herd, there is safety in numbers, for now!

  1. The cost of an attack to a company can be life threatening to the organization.
  2. The risk of attack is small but increasing and sometimes fatal.

How Do I Protect Myself?

Know what the hackers know:

  • Computers have lots of holes.
  • Human engineering is common.
  • Security procedures are often sloppy or not followed.
  • Physical security often isn't

 

Routers and Firewalls

Do not connect your company network to the Internet unless you use a fire wall AND routers to protect it. Many salesmen try to sell routers as fire walls. Routers are not fire walls! TCP/IP can be tunnelled. Read the following papers:

Security Problems in the TCP/IP Protocol Suite by S. M. Bellovin

Network (In)Security Through IP Packet Filtering by D. Brent Chapman

TCP/IP

Most TCP/IP filtering systems rely upon the accuracy of the IP source address. This is a bad assumption since IP source addresses can easily be faked.

Packet filtering is very useful if you check packets from the outside to ensure they do not have source addresses from inside systems. In this case, you know the address is faked.

Packets

TCP/IP Source Routing tells routers how to route a packet. This can be used to attack your system. Routers should be programmed to ignore routing instructions.

IP packets can be fragmented in order to move between different frame sizes. (FDDI to Ethernet) Fragmented packets can be taken over by an attacker. Nothing keeps someone from setting up their system with your IP address. Do you use rhosts?

If you were told to trust everyone on a list with the money in your pocket and you didn't have a way of really knowing if someone that tells you they are someone on the list is really the person listed, would you trust them? This sounds ridiculous, but computers do it every day using the dot-rhosts option. Dot-rhosts tells your system to trust other systems but there is no real authentication unless you install a package to do so.

Ports

Know what the hackers know:

  • Random Unix ports are often not random.
  • BSD Unix based systems often reserve ports below 1024 for privileged processes.
  • System V Unix TCP/IP networking draws heavily from BSD.
  • Many vulnerable services, such as X-windows and a few database servers, use server ports at or above 1024.

Hackers probably know the system internals better than your own staff.

NIS (Yellow Pages)

Know what the hackers know:

  • NIS, (formally Yellow Pages) can be easily taken over by an attacker.
  • NFS can be easily "bent" to serve the needs of an attacker.
  • R-commands are a big risk. (rlogin, rsh ....)

An IBM PC on the network can fake being the NIS (yellow pages) master server and take over root.

Email

Know what the hackers know:

  • All email messages can be read by anyone on the path they take. Putting anything valuable in Internet Email is the same as publishing it in a national newspaper.
  • There is no Authentication or Non-Repudiation of Email.
  • Email spoofing is easy and fun. I send a friend an Email that appeared to originate from "god@heaven.org." to congratulate him on his new baby.

Bullet 2 - Unless you do it yourself.

Broadcast Network

Know what the hackers know:

  • Everything on a Broadcast network (TCP/IP) can be intercepted and read by anyone on the path. This includes your userid/password combination.
  • Any workstation or PC can be configured to read the network.
  • Does your network configuration consider data pathing?
  • Messages can be injected or altered.
  • Physical eavesdropping is easy and more common than you think.

Bullet 1 - The passwords are transmitted in the clear.

Bullet 2 - Or use a sniffer, etc....

Bullet 3 - What is the smallest physical path between two points? What physical path is the most secure and has the least number of computers on it? This not only improves security but increases effective bandwidth of the network by subnetting

Bullet 4 - Example: Security cameras in commercial buildings.

Security Tools

Know what the hackers know:

  • Security tools like COPS and Crack are often used by hackers to probe for holes.
  • The /etc/passwd and /etc/group files are almost always stolen for off-line processing.
  • The "find" command can be used to look for sticky bit set files that can be used by an attacker. For example, if a file is found, owned by root with the sticky bit set, a copy of "/bin/sh" can be copied to it and then executed as roo.

Bullet 1 - You can also reverse the hacker's tools and use them for your benefit.

Bullet 2 - Unless you use shadow passwords or a hand held authentication device.

Bullet 3 - I usually find hundreds of these files on a network, many of them unprotected at permission level 777.

Publications

Know what the hackers know:

  • Hackers are bookworms. You should be too.
  • Good bookstores have large computer sections. There is always a security section.

 

Get the following books:

  • Unix Security by N. Derek Arnold McGraw-Hill, ISBN 0-07-002560-6 {PBK}
  • Information Warfare by Winn Schwartau Thunder's Mouth Press, ISBN 1-56025-080-1
  • Unix System Administration Handbook by Evi Nemeth, Garth Snyder, Scott Seebass Prentis-Hall, ISBN 0-13-933441-6

As a simple matter of trust, you should be able to know when someone is lying to you.

You Are Not Secure!

If you know what the hackers know, you can protect yourself better. If you can't learn what the hackers know, then find someone who can. Security software packages are "canned" knowledge. You are not secure!

Bullet 4 - At least don't fall to a false sense of security.

Final Word

  • Physical security - auto-locking doors and alarm systems are required for rooms with computer or phone systems.
  • If you are in R&D, arrange for outside security audit experts.
  • Don't connect critical systems to the internet.
  • Have strong security policies on the books and practice them.
  • Buy "canned" knowledge in the form of hardware and software security packages.