With the 1990s propensity to dot.com everything that moves, ‘hacking’ and ‘cyberterrorism’ have become subjects of intense media coverage. Almost daily, hitherto unknown security specialists warn of potential catastrophes: news that gets picked up by the media and crosses the globe with impunity. Johan J Ingles-le Nobel discussed the subject with programmers at Slashdot to profile so-called cyberterrorists and examine the viability of cyberwarfare.
Cyberterrorism is a buzzword of 1999. Indeed, with the remarkable growth of the Internet, hacking horror stories have reached new heights of publicity, leading to a veritable media frenzy. Yet careful examination of the issue reveals much of the threat to be unsubstantiated rumour and media exaggeration. The exaggeration is understandable, however — these technologies underpin our entire society, and what paper can resist printing a scoop revealing that banks are being blackmailed with threats of attacks on their computers, or that a military satellite has been hijacked by hackers? The idea that an anonymous teenager working alone from his bedroom can wreak electronic havoc on the far side of the world makes for good press.
What is a hacker?
Nothing gets a hacker’s back up quicker than someone confusing a hacker with a cracker. The term ‘hacker’ refers to an individual who programmes enthusiastically (even obsessively), enjoys programming or is especially good at programming; a ‘cracker’ is somebody who breaks into another’s computer systems or digs into their code (to make a copy-protected programme run). Yet the boundaries have become somewhat blurred and the popular understanding of these terms is quite wrong: ever since Hollywood produced ‘Wargames’, based on Kevin Mitnick’s cracking activities (known as ‘exploits’), the term ‘hacking’ has become synonymous with unauthorised access into restricted systems — which is ‘cracking’. In today’s world, such activity also includes the deliberate defacement of websites. Hackers are quick to point out that there is a code of hacker ethics that precludes any profit from the activity — the only motive is the activity itself — but they are not naïve: realising the potential for misuse, they divide themselves into ‘white-hat’ hackers (ethical hackers) and ‘black-hat’ hackers (crackers).
According to hackers, 99% of cracking incidents can be blamed on so-called ‘script-kiddies’. These are usually young people who manage to acquire some ‘cracking tools’ somewhere on the Internet and are keen to try them. They choose a ‘cool’ target (such as NASA, the Pentagon or the White House) and launch the tools. Older, more established hackers see them as upstarts. Think of a kid walking down a corridor testing doorknobs; whilst they are more than capable of defacing websites such as that of the Central Intelligence Agency (CIA), their actions are seen as the equivalent of putting down a whoopie cushion on the chair of the UN Secretary General — juvenile, noisy and somewhat embarrassing, but ultimately without real effect. Says Mick Morgan, webmaster to the UK’s Queen Elizabeth: “I have nightmares about waking up to find graffiti (which is all it is) on one of my customer’s sites.”
However, even minor exploits illustrate one of the many paradoxes facing computer security. Specific websites, intended for the computer systems administrators and webmaster audiences, monitor the security vulnerabilities (bugs) in software that allow exploits to take place. The purpose of these websites is to distribute the corrective programming ‘patches’ that rectify the bugs. However, such sites are open to the public and are therefore the ideal place for crackers to discover new cracks. The result of this is that the vast majority of methods used by crackers to break into sites are known and there are patches available. This means that many believe the responsibility for security breaches lies not with the software supplier but with the company that owns and operates the system. Thus, if a company suffers a security breach, that highlights its own negligence or incompetence, which, along with the bad publicity associated with intrusions, makes it unsurprising that many companies are reluctant to publicise security breaches of their systems. This is especially true of the financial sector: there have been rumours for several years that banks have been blackmailed by hackers; confirmation has never been forthcoming.
Global estimates vary, but a JIR extrapolation based on mid-1990 estimates by Bruce Sterling, author of The Hacker Crackdown: Law and Disorder on the Electronic Frontier, puts the total number of hackers at about 100,000, of which 10,000 are dedicated and obsessed computer enthusiasts. A group of 250–1,000 are in the so-called hacker ‘élite’, skilled enough to penetrate corporate systems and to unnerve corporate security. Given the huge number of people working as programmers for the online economy (the technical side of which requires much the same skills as those required by a hacker), the totals are sure to rise. According to the Center for Research on Electronic Commerce at the University of Texas, in 1998 the Internet economy was worth US$301.4 billion, providing 1.2 million jobs in the USA alone.
The minimum skill-set needed to be a ‘script-kiddy’ is simply the ability to read English and follow directions. Indeed, much can be gleaned from books or documents and mailing lists online such as ‘L0pht’ bulletins and ‘Phrack’, whilst exploits can be learned from websites such as ‘bugtraq’, ‘rootshell’ or ‘packetstorm’. In fact, virus-writing and exploit code is common, and some is even automated.
However, to launch a sophisticated attack against a hardened target requires three to four years of practice in C, C++, Perl and Java (computer languages), general UNIX and NT systems administration (types of computer platform), LAN/WAN theory, remote access and common security protocols (network skills) and a lot of free time. On top of these technical nuts and bolts, there are certain skills that must be acquired within the cracker community.
Tools of the trade
The cracker skillset is more common in highly educated individuals taught in the USA and Western Europe, although anyone with enough intelligence and time can pick it up without formal schooling. In fact, the skills are not at all rare or unusual, being the same as those required for an average, small or medium-sized company network system administrator: a position which commands among the lowest pay in the computer industry. The chances are that there is a university drop-out in your town with all of these prerequisites. That said, a list of qualifications does not fully explain their make-up, as the skillset is more to do with lifestyle than specific capabilities. Some people collect baseball cards; others analyse [computer network] protocols.
Attacks happen in various guises, from the simple and automated to the highly disguised and sophisticated. Crackers also write their own tools, which are disseminated in the underground. Certain system diagnostic tools and other cracker script tools can significantly automate the process of cracking less secure systems. At the low end of the sophistication scale there are activism websites, such as ‘Floodnet’, which hold web-page functionality that automates the process of reloading another website’s pages in an attempt to make the system ‘overheat’ so that it ceases to work. This is a form of the most common exploit, Denial of Service (DoS), which comes in many forms. It is most common due to webmasters and web server administrators creating poorly written Common Gateway Interface (CGI) scripts (website programming). Exploiting the poorly written code is no great feat. In the words of one hacker: “Any punk kid could do this to any organisation without any trouble whatsoever.”
Computer specialists suggest that, while annoying, such unsophisticated DoS attacks have a hidden danger: they could mask the use of specialist software custom-written by an élite cracker amid the noise of the barrage of multiple automated attacks. Other tools exist that are designed by the hacker community, such as BO2000, which was specifically created to embarrass Microsoft’s Windows NT security. In fact, the size of the black market in software (computer programmes) is enormous. Not only can exploit tools be procured in this manner, but they can easily be found online.
Social engineering is a term describing the process whereby crackers engineer a social situation that allows any potential cracker to obtain access to an otherwise closed network. This access could either be permanent (infiltrating an insider into the organisation who enables outside access), or temporary. Indeed, the scenario has a stunning simplicity about it: “Hi, I’m Cheryl. I’m new in IT support. I’m having trouble with the modem bank. Can you check the modem to make sure it’s turned on? Also, can I have the number to make sure I’m using the right one?” Of course, being a diligent and helpful worker, the recipient of such a call is only too happy to help.
Most previous instances of information technology (IT) security violations have been attributable to ‘inside jobs’, which is why there has been significant controversy recently about US concerns hiring foreign programmers to rectify Y2K issues.
Having gained access, a cracker can either install code directly into the systems on the spot or add a transmitter device. To illustrate a scenario, after gaining access to a facility as cleaning staff, the perpetrator could put a small computer, itself connected to the main network, into the base of a lamp with an infra-red port (network connection) aimed out the window of an office or linked to a mobile phone. This gives an active presence on the target network and, more importantly, remote access to the device from anywhere within line of sight. In commercial environments, the security teams that search for bugs (bugs in the classical sense — ‘listening devices’) with receivers do not generally do infra-red profiles of a building; such a device will not transmit unless active, so sweeping for it is more difficult than trying to detect a bug that is monitoring audio.
Cellular modems also work, but are potentially detectable by radio-frequency sweeps. However, for corporate espionage it is an easy matter to pre-position several such systems and then take advantage of security vulnerabilities to gain permanent entry to the system. The phone company makes entry easy if the location is near a residential area as a receiving mobile phone just needs to be plugged into the network interface (telephone connection) of any house. Such attacks are not new, but the scale of machines necessary to realise them is down to 4 in² of PC board for an amateur willing to spend a little time shopping in the back of a technology magazine. “For less than US$1,000 you could build such systems and disguise them as appliances like lamps,” said Paul Roberts, a US-based information security (INFOSEC) specialist.
Espionage on other computers by remotely monitoring the electro-magnetic (EM) signals they emit whilst in use is possible today, albeit expensive. Figures of $35,000 are quoted as estimates for a remote monitoring station in a van, for example, although the cost is coming down. “EM snooping technology might very well come into the reach of the advanced information security hobbyist or the determined criminal in the next five to 10 years,” said Markus G Kuhn from the Computer Laboratory at Cambridge University in the UK.
Exploits come mainly in three species: DoS; destruction of information (erasing); and corruption of information (spoofing).
As indicated previously, DoS attacks take the form of overloading the processes of the computer hosting the website (the server), which then shuts itself down. Recently, a new form of such attacks has become prevalent — the ‘distributed co-ordinated attack’ — in which thousands of servers are used in unison. “It’s possible to detect the attack, but it is very hard to block it using current software,” said Thomas Longstaff, senior technical researcher for the Software Institute at Carnegie Mellon University. However, a co-ordinated attack to bring down a government’s or a corporation’s computer systems cannot be maintained long enough to be more than a nuisance. Yet while only annoying at the moment, as interconnectivity increases and the importance of the online economy becomes manifest, such exploits will have serious financial implications. That said, recovery from such an attack tends to be fast.
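Longstaff’s point, that a distributed barrage is detectable even when it is hard to block, can be shown with a small rate-based detector. The Python below is an added example written for this page, not code from the article or from Carnegie Mellon; the web server log lines it reads are constructed, and the thresholds (more than 10 requests per second in total, more than 5 from any one client) are arbitrary assumptions chosen to make the two cases visible.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client ident user [timestamp] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')


def parse_clf(line):
    """Return (client_ip, timestamp) for one log line, or None if it is malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts


def detect_floods(lines, total_threshold=10, per_source_threshold=5):
    """Bucket requests per second and classify each second.

    'single-source' : one client alone exceeds per_source_threshold
    'distributed'   : the aggregate exceeds total_threshold while no single
                      client does, the signature of a co-ordinated attack
    None            : ordinary traffic
    """
    per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue  # skip unparsable lines instead of aborting the scan
        ip, ts = parsed
        per_second[ts][ip] += 1

    findings = {}
    for ts in sorted(per_second):
        sources = per_second[ts]
        total = sum(sources.values())
        top_ip, top_n = sources.most_common(1)[0]
        if top_n > per_source_threshold:
            kind = "single-source"
        elif total > total_threshold:
            kind = "distributed"
        else:
            kind = None
        findings[ts.strftime("%H:%M:%S")] = {
            "total": total, "sources": len(sources),
            "top_source": top_ip, "top_count": top_n, "kind": kind,
        }
    return findings


def make_line(ip, second, path="/index.html"):
    """Build one constructed CLF line for the demo (assumed format, not real traffic)."""
    return (f'{ip} - - [10/Aug/1999:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.0" 200 1024')


# Constructed traffic: a quiet second, then twelve hosts that each stay under
# the per-source limit but overwhelm the server together, then one host hammering.
SAMPLE_LOG = (
    [make_line(f"10.0.0.{i}", 0) for i in range(1, 4)]
    + [make_line(f"10.0.1.{i}", 1) for i in range(1, 13)]
    + [make_line("10.0.2.7", 2, "/cgi-bin/search.cgi") for _ in range(8)]
    + ["garbage line that should be skipped"]
)


def demo():
    return detect_floods(SAMPLE_LOG)


if __name__ == "__main__":
    for second, info in demo().items():
        print(second, info)
```

The per-source counter is what a simple blocking rule would key on; in the distributed second it never trips, which is exactly why such an attack is easy to see in the aggregate and hard to stop by banning addresses.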
Erasing is considered very difficult to conduct because any system worth attacking is also worth backing up. UK and US interbank transactions are backed up daily with multiple remote tapes, so any cracker wanting to destroy the interbank market will cause the loss of at most one day’s transactions. However, this is not without consequence: consumer confidence in the banking system might drop to unprecedented levels were exploits to be publicised.
Viruses are a form of erasure most computer users are familiar with. Indeed, as a teenager Robert Morris accidentally launched a virus that shut down most of the Unix-based computers in the USA in the 1980s. Much can be said for judging the security implications of information technology by the fact that virus protection is now standard on any company computer. A good thing too, as 1999’s ‘Melissa virus’ was the first of a new generation of Microsoft-targeted viruses that are self-replicating by sending themselves forward in an email entitled ‘Important message from . . .’ to the people listed in a person’s Outlook Express email package without their knowledge. The ‘Bubbleboy’ virus promises to be worse, as you just have to receive it to be affected. Erasing attacks can be guarded against through multiple, remote (in both geography and network topology) back-ups, taken at sufficient frequency that the maximum possible loss is bearable for the system (the ‘safe frequency’). Any system for which the safe frequency is too low for the defence to be practical (such as a power grid) tends to be kept remote from networks, although this is not always the case.
Yet for every solution there is a problem. The effectiveness of back-ups can be circumvented by malicious programming that corrupts one random byte in the data; even though the back-ups look good, the data is bad. There is no way of telling unless the whole tape is recovered, the one or two data files that have changed are found and they are examined ‘with a microscope’. The problems are obvious if someone had 10 weeks of back-ups, each with different bits of bad data, and all the back-ups were infected. There would be no way to know which data was good and which was bad. Indeed, if the cracker knows enough about the system he/she is attacking, recovery may be impossible.
Spoofing is much more difficult to guard against. This kind of attack comes in two guises: attempts to create phoney records or phoney messages in a system (such as creating false bank accounts); or attempts to create phoney instructions to the processing system, causing a failure of the system. This is as bad as an erasing attack. The easiest way to defend against non-destructive spoofing is again to use back-ups and to operate double-entry book-keeping, which traces every record to its creation and requires consistency between numerous (again, preferably topologically remote) sources. This multiplies the difficulty of an attack as the attacker has to break several systems instead of just one. By appearing to be a user, however, a cracker could manipulate data or corrupt the hardware by installing a virus, for example. While this would not be quite like a bomb going off, it could have much worse long-term repercussions.
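The two defences described in the last two paragraphs, back-ups whose integrity can actually be checked rather than examined ‘with a microscope’, and double-entry consistency between independent sources, can be illustrated together. The Python below is an added example, not code from the article; the snapshot files, the ledger postings and the position of the flipped byte are constructed, and the SHA-256 manifest is a checking mechanism assumed here, not one the article names.

```python
import hashlib
from collections import defaultdict


def build_manifest(snapshot):
    """Digest every file in a back-up snapshot; the manifest is stored off the back-up media."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in snapshot.items()}


def verify_snapshot(snapshot, manifest):
    """Names of files whose content no longer matches the recorded digest."""
    return sorted(name for name, data in snapshot.items()
                  if hashlib.sha256(data).hexdigest() != manifest.get(name))


def flip_one_byte(data, index):
    """Simulate the 'one random byte' corruption the article describes."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def unbalanced_transactions(postings):
    """Double-entry rule: within each transaction, debits must equal credits."""
    delta = defaultdict(int)
    for p in postings:
        delta[p["txn"]] += p["amount"] if p["side"] == "debit" else -p["amount"]
    return sorted(txn for txn, d in delta.items() if d != 0)


def disagreeing_transactions(primary, mirror):
    """Transactions that differ between two independently kept ledgers."""
    def key(p):
        return (p["txn"], p["account"], p["side"], p["amount"])
    diff = {key(p) for p in primary} ^ {key(p) for p in mirror}
    return sorted({k[0] for k in diff})


# Constructed demo data (assumed file names and account ids, not real records).
SNAPSHOT = {
    "accounts.db": b"ACCT0001,1000\nACCT0002,2500\n",
    "journal.log": b"2 postings written\n",
}
POSTINGS = [
    {"txn": "T1", "account": "ACCT0001", "side": "debit", "amount": 500},
    {"txn": "T1", "account": "ACCT0002", "side": "credit", "amount": 500},
    {"txn": "T2", "account": "ACCT0002", "side": "debit", "amount": 120},
    {"txn": "T2", "account": "ACCT0001", "side": "credit", "amount": 120},
]


def demo_corrupted_backup():
    """A single flipped byte in the back-up is caught against the off-site manifest."""
    manifest = build_manifest(SNAPSHOT)
    tampered = dict(SNAPSHOT)
    tampered["accounts.db"] = flip_one_byte(SNAPSHOT["accounts.db"], 10)
    return verify_snapshot(SNAPSHOT, manifest), verify_snapshot(tampered, manifest)


def demo_phoney_record():
    """A forged one-sided posting fails both the balance rule and the cross-check."""
    mirror = list(POSTINGS)
    primary = POSTINGS + [
        {"txn": "T3", "account": "ACCT0099", "side": "credit", "amount": 9000},
    ]
    return unbalanced_transactions(primary), disagreeing_transactions(primary, mirror)


if __name__ == "__main__":
    print("corrupted files:", demo_corrupted_backup())
    print("phoney records:", demo_phoney_record())
```

The manifest only helps if it is kept on a different medium and a different part of the network from the back-ups themselves; an attacker who can rewrite one byte of the tape and the digest beside it defeats the check, which is the same topological-remoteness argument the article makes for the back-ups.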
Destructive spoofing aimed at the processor rather than its records is a different matter. Causing the processor to execute phoney instructions could allow an attacker to erase records, transmit phoney messages and, potentially, cover his/her tracks well enough to escape consistency checks. This kind of attack is more difficult than any other — usually the only way to get another machine to execute rogue instructions is to exploit ‘buffer overflows’, overloading the temporary data buffer on computers.
Nightmare scenarios are based on such attacks. “We could wake one morning and find a city, or a sector of the country, or the whole country having an electric power problem, a transportation problem or a telecommunication problem because there was a surprise attack using information warfare,” claims Richard Clarke, the US National Security Council adviser who heads counterterrorism efforts. Whilst alarmist, precedents do exist, as evidenced by Gail Thackaray, recognised as one of the premier cracker-catchers in the business: “One hacker shut down a Massachusetts airport, 911 emergency service and the air traffic control system while playing with the municipal phone network, and another hacker in Phoenix invaded the computer systems of one of the public energy utilities, attaining ‘root’ level privileges on the system controlling the gates to all the water canals from the Grand Canyon south.” These examples involved individuals rather than organised groups, and none of them were politically motivated.
In warfare as well as in business, IT is the great equaliser. Its low financial barrier to entry relative to heavy industry allows even the poorest organisations an IT effectiveness equal (or nearly equal) to large corporations.
The greatest advantage the covert warfare arms of major nation-states (such as the CIA or Mossad) have over small terrorist organisations is the financial wherewithal to develop massive intelligence networks using the best equipment. IT levels the playing field in this regard.
Because sensitive military computers are required to be kept as far away from the Internet as possible, unless there was some major oversight or an incidence of social engineering, a military system cannot be directly attacked. However, there is always a weak link in the chain: for example, an army depends on Vendor A for supplies/equipment, and Vendor A depends on parts from Vendor B, and so on. Somewhere in that chain is a vulnerability due to the massive networks, technological dependence and just-in-time ordering systems. Indeed, although direct attacks on critical infrastructure are unlikely, if that infrastructure sits on a network that has a link into it from elsewhere, then one vulnerability is all it takes. Strikes in one automotive plant have effectively shut down large car makers. Most US automotive plants are also government contractors supplying vehicles and replacement parts to the military: an obvious target for planting viruses during war.
Cyberterrorism is not only about damaging systems but also about intelligence gathering. The intense focus on ‘shut-down-the-power-grid’ scenarios and tight analogies with physically violent techniques ignore other more potentially effective uses of IT in terrorist warfare: intelligence-gathering, counter-intelligence and disinformation.
Disinformation is easily spread; rumours get picked up by the media, aided by the occasional anonymous e-mail. Cracking into a government server and posting a new web page looks impressive and generates publicity, but cracking into a government server and reading private email is much more valuable to terrorists. This gives cyberterrorists valuable details about the thought and operations of their adversaries, and can aid in planning conventional attacks. Furthermore, if terrorists can penetrate the security of an enemy organisation’s computer networks, they do not need to do any damage to be militarily effective. Rather, they can quietly copy information to process at their leisure, without having to physically smuggle it out of secure facilities. False or misleading information can be planted in (or deleted from) databases, undermining the effectiveness of organisations relying on that information. In today’s environment, authentication via strong encryption is still rare and IT makes forgery easy. Credentials can be forged to fool authorities or the media for purposes of disinformation or to enhance covert physical activities.
As pointed out by Clifford Stoll in The Cuckoo’s Egg, automated ‘data mining’ techniques can be used to search for useful patterns in vast stores of insecure and seemingly unrelated data. A bank may assume its electronic fund transfer system is the most vital system to protect, but a terrorist may only want access to the financial records of persons or groups that are the bank’s customers. This may not even involve destruction of data, as the pure information is often much more valuable than simply destroying random records. Reconnaissance attacks such as these are difficult to stop but extremely damaging. In the long-term banking scenario, the terrorist may simply choose to track sources of funding based on deposit records to harm the person or group who is the target. In a situation like this, going into the bank to destroy the information is only a temporary setback and will raise attention. Why destroy a valuable point of information gathering by doing something short-term like disrupting operations?
Nevertheless, for the terrorist, cracking might be used for more than just destroying data. Attacking an information system would be a good way to either distract the target or otherwise enable the terrorist to perform a physical attack. An example might be to crack into an airline and delete transport manifests to cover the transport of illegal materials. Had Shoko Asahara and the Aum Shinrikyo group been able to crack the Tokyo power system and stop the subways, trapping passengers on the trains, the number of casualties caused by their 1995 Sarin gas attack might have been significantly larger. If a determined group wanted to bring New York to its knees, what better way than to combine a physical bombing campaign with simultaneous IT attacks on the power grid, hospitals, emergency services and the media?
Turning to the larger picture, in warfare the party that runs out of funds first loses. Thus, the objective of warfare may not just be to inflict as much physical damage as possible, but instead be to maximise financial damage. The Irish Republican Army (IRA) learnt to use this concept very effectively in recent years, sufficiently occupying the resources of the British government through infrastructural attacks (as opposed to direct attacks against people). This suggests that, in the future, stock markets or other primary financial institutions might become high-profile targets and the most effective means of accomplishing a terrorist’s goal. More damage would be accomplished by taking the New York Stock Exchange offline for a few days rather than actually bombing a building. That said, financial institutions are one of the few parties recognised in the hacker community for taking their security very seriously indeed.
Given the predominance of the IT-based industry and the familiarity of the Internet in the USA and Western Europe, the terrorist groups that fit the motive and mindset to use cracking could be closed religious or fanatical groups whose value systems are so out of sync with the mainstream that they feel threatened enough to take as much of the world with them as they ‘go under’. That, together with ‘lone gunmen’ and activism campaigns — ‘hacktivism’ — are scenarios that appear to fit the profile.
A Pakistani Internet hacker known only as ‘Dr Nuker’, for example, has a message for Americans: he and a cybercohort, one ‘Mr Sweet’, have not yet begun to fight. The idea of Third World cyberpunks threatening the planet’s sole superpower might seem unlikely — unless, of course, you run Internet sites at Lackland AFB or at the 86 other facilities that their group, the ‘Pakistan Hackerz Club’ (PHC), has struck in the past five months.
The PHC’s self-described founder and perhaps the world’s most prolific Web cracker today, Dr Nuker admits he’s a revolutionary, a ‘cyberterrorist’ with a cause: freedom for Indian-controlled Kashmir. Yet by penning anti-Indian missives on Internet sites run by the Naval Reserve Maintenance Facility in Ingleside, the Karachi Stock Exchange and even the Disney Guide, Dr Nuker not only has become a high-profile ‘hacktivist’ — a computer cracker with a political or social goal — but a wild card who hints he can wreak havoc far from home.
“We don’t have any intentions to compromise any sort of military or governmental database, but in case there will be a cyber war with Pakistan, then we will sure prove our knowledge, ability and skills,” he warned in an e-mail message. It may be no idle boast.
Today, employers, even those running critical infrastructure, are hard-pressed to not give employees Internet access; 401k retirement plans, health insurance plans and others are starting to mandate it. Most employees are on insecure, poorly administered, unreliable desktop operating systems: the recipe for serious electronic mayhem.
Beyond the hype
Critics maintain there is no such thing as cyberterrorism, and there is undoubtedly a lot of exaggeration in this field. If your system goes down, it is much more interesting to say it was the work of a foreign government rather than admit it was due to an American teenage ‘script-kiddy’ tinkering with a badly written CGI script. If the power goes out, people light a candle and wait for it to return, but do not feel terrified. If their mobile phones switch off, society does not instantly feel under attack. If someone cracks a web site and changes the content, terror does not stalk the streets. Some groups talk of taking down power grids; while that would help in conjunction with another type of attack, in itself it would be useless. Most grids suffer infrequent black-outs anyway that are not terrorist-related. In fact, terrorism campaigns using just computers are unlikely. The sheer size of programmes works against the attacker more than the defender. No one person can fully understand a programme comprising over a million lines of code, especially if he/she did not write it, and the defender has more people available. Critical programmes that run infrastructure functions, such as traffic lights, are usually custom-written, making them twice as difficult to attack.
Any system put together in the last few years will have been implemented with security in mind. Ironically, Y2K could prove to be a boon, as audits will give detailed reports on exactly what is in a system and this information can be used to boost security.
Most security-aware organisations do not put highly sensitive (such as military or corporate) data on servers that are accessible via the Internet and design their Internet servers to be disposable and easily reinstalled from compact disc (CD) or tape. These organisations also typically keep their servers in restricted-access areas. Most organisations with sensitive data also keep off-site back-ups. Write-once CDs are becoming very popular as they are inexpensive, compact and convenient to restore from. To cause serious and lasting damage, a terrorist would need to destroy or corrupt not only the contents of the servers, but also the off-site back-ups.
In theory, cyberterrorism is very plausible, yet in reality it is difficult to conduct anything beyond simple ‘script-kiddy’ DoS attacks. Terrorists attempting to sway a populace by fear would therefore be less interested in such an attack unless they could carry out an extremely damaging one on a repeatable basis or unless they used it to augment the effects of a physical attack.
As things stand, while a terror attack using crackers is potentially highly destructive, the psychological impact of the disruption of services is still much lower than that of a direct physical attack.
Johan J Ingles-le Nobel is Deputy Editor of JIR, having previously obtained his Masters at St Andrews University. He gratefully thanks the contribution and advice of people at Slashdot.org.
They met by moonlight in August 1999: Chaos Computer Club organised a three-day hacking event in Germany ‘for nerds, hackers and phreaks from all over the world’. For the 1,500 attendees, the attractions included a Linux deathmatch, in which opposing teams tried to infiltrate each other’s computers, and the Firewalling Project, in which a server’s firewall was poked and prodded for security vulnerabilities for fun.
The ‘Cult of the Dead Cow’ and ‘L0pht Heavy Industries’, élite hacking groups that have shot to online prominence.
Easily downloadable virus and hacking tools are very appealing to young thrill-seekers (‘script-kiddies’), who are responsible for 99% of all hacking attacks. However, lurking in the digital noise, an élite hacker may make an attack that could truly worry corporate security.