Countering Non-lethal Information Warfare

 

Hank Kluepfel


Lessons learned on foiling the Information Superhighwayman of the North American public switched telephone network.


The United States relies for its very existence--economically, socially, and politically--on an extraordinarily sophisticated and intricate set of long-distance networks for energy distribution, communication, and transportation. Because these networks also rely upon each other, a truly serious disruption in any one will cascade quickly through the others, rending the vital fabric of our nation at its most crucial points. Under these circumstances, the ability to respond to national security crises will at least be severely constrained and may be completely interrupted for some crucial interval. Thus, in addition to their serious vulnerabilities to accidents and nature, these networks present a tempting target to terrorists and to any antagonist contemplating an international move contrary to U.S. interests. 1

 

America's Hidden Vulnerabilities, CSIS, 1984 2

While warnings such as the one cited above predicted potentially catastrophic consequences, the fragility of today's global networks of computer-based systems, used to re-engineer the business processes of America's industrial and military infrastructure into lanes on the Information Superhighway, together with concerns over information warfare, is now receiving front-burner attention on the agendas of military and civilian agencies within the United States. A September 1993 Department of Defense report said it best: "if hired by terrorists, hackers could cripple the Nation's telephone system, create significant public health and safety problems, and cause serious economic shocks." 3

This paper will, hopefully, describe and help to further set the stage for the establishment and realization of a defensive information warfare security baseline architecture for the NII Information Superhighway and its global partners and components throughout their lifecycle, from research and development to deployment and beyond.

 

The best offense is often a good defense

Pogo said it best, "we have met the enemy and it's us." Following a rash of intrusion incidents into unclassified but sensitive Department of Defense computer systems, the DOD is now taking positive Defensive Information Warfare 4 steps to assess and correct its potential information warfare vulnerabilities. For the past year hired hackers within various agencies of the Department of Defense have been conducting "sweeps" and vulnerability assessments of agency sites and network systems connected to MILNET/Internet. According to new reports posted to the SPACE Warfare Website, http://infosec.nosc.mil/infosec.html-ssil, the testing consisted of making use of the same types of tools that hackers use when they penetrate systems connected to the Internet. Although the specific results of such testing are restricted to the affected sites and the infowarriors conducting the tests, the general findings present a dour state of readiness and response to information warfare on the information superhighway.

While much has been learned over the last ten years in securing the information superhighway's public switched network infrastructure, even greater emphasis must be placed on addressing security in cyberspace.

Security and Information Assurance, as it applies to telecommunications in Defensive Information Warfare, may be viewed as a classical quality problem. 5

  • Lack of constancy of purpose: There must be a clear goal related to security, privacy, and assurance beyond the immediate and often short-term, reactive efforts.
  • Emphasis on short-term results: Security is seen as a destination rather than a journey.
  • Audit and Self-Assessment Deficiencies: Auditors find and report on troubling exploitable vulnerabilities and inadequate controls, only to have the reports collect dust until the second and third follow-on reports find the vulnerabilities exacerbated. Self-assessments are often inadequate in scope and depth, tending to tell management what they want to hear. On the contrary, when people in the organization clearly understand corporate objectives, they measure themselves against those objectives.6 Unfortunately, security objectives for industry and government are not well defined or understood with respect to the robustness issues in the heterogeneous, multi-vendor, multi-carrier/service-provider environment of the NII.
  • Mobility of Management: Frequent turnover does not imbue trust in employees, contractors and vendors, nor does it offer long-term assurance that the problem is being adequately addressed in emerging technologies.
  • Measurements are Meaningless: Since less than five percent of intrusions are ever detected by system administrators, and only five percent of those detected ever get reported to management, law enforcement or any other incident tracking system, striving for "zero incidents" may satisfy that narrowly focused objective only to leave the infrastructure even more vulnerable to compromise.
  • Recovery costs far outweigh prevention: Numerous studies of software quality and physical design have shown that designing it right the first time is far more cost effective than piecemeal reinforcement and recovery efforts.
  • Excessive potential liabilities: The potential for product liability and negligence claims often keeps security hushed up, for fear of the consequences should the vulnerabilities become known or inadequate corrective actions be applied.

As the information superhighway, e.g., the national, defense and global information infrastructures, becomes the metaphor of choice for the potential virtual infrastructure of electronic commerce, many believe that privacy and security will become the linchpin of this 21st Century vision for a National Information Infrastructure, NII.

A new report issued by the Clinton Administration 7 summed it up this way:

If the NII is to succeed, a structure or a collection of structures -- a security architecture -- must exist to ensure security. The NRC report states: "This security architecture must include technical facilities, recommended operational procedures, and means for recourse within the legal system." This architecture will be based on a variety of public and private institutions and policies. Although an architecture will define how institutions, policies, and technologies interconnect, a sound security architecture will consist not of rigidly prescribed technologies or solutions, but must be able to flexibly adapt to change. The report also notes that such an architecture will require research and development over time.

As the United States as a whole becomes increasingly reliant on the NII for communications and information, other key components of the U.S. infrastructure will become dependent on it. For example, the power grid, transportation systems, financial institutions, and economic transaction data will all be dependent on the NII. Security weaknesses in the NII can place those infrastructure elements at risk. Hence a significant attack on the NII would be a threat to our national security in addition to the significant personal and economic harm it would cause.8

In an international economy and social infrastructure that is growing more dependent every day on its communications networks, more attention must be paid to the security and integrity of the components and interfaces of those critical structures by all interconnected service providers, vendors and users. The old adage that a chain is only as strong as its weakest link has never been as true as it is today when applied to network security and integrity. It is in that tone that this paper is written, to help identify the potential information warfare threat and address the cascading, vulnerable infrastructure on which the information superhighway is being built.

 

Information Superhighway Field of Dreams

Over the last twenty years the number of compromised systems, routers, networks and development systems supporting the developing information superhighway has escalated and may very well approach nearly a quarter of a million nodes.

 

Dialing for data in the Public Switched Network

While there is no definite intruder threat profile for the PSN, many intruders are adults with previous criminal records for computer-related crimes committed when they were juveniles. In 1987, Herbert Zinn, a 17-year-old hacker who called himself Shadowhawk, electronically broke into logistic support systems of the North Atlantic Treaty Organization, NATO, AT&T #5ESS installation systems for the AUTOVON systems at Robins Air Force Base, and several AT&T Operations Support Systems R&D databases and support systems, stealing source code to 55 programs ranging from development code for installing switching systems to an Artificial Intelligence, AI, language. He was detected by AT&T's investigation into allegations of threatening messages left by Shadowhawk on a hacker bulletin board in Texas.

Shadowhawk was later found guilty of violating the Computer Fraud and Abuse Act of 1986 in Federal District Court in Chicago and sentenced to nine months in prison. In addition to the prison term, he was ordered to pay a $10,000 fine and serve two and a half years of federal probation when released from prison. That case was a foretelling of the more serious LOD and MOD incidents to follow.9 While no classified material was obtained, the government viewed the $21,000 in software programs stolen from the computer used by NATO as "sensitive".

Kevin Lee Poulsen, AKA Dark Dante, a 31-year-old with a long history of computer hacking going back to age fourteen and currently under indictment in California for espionage, is charged with breaking into computer systems of Pacific Bell and wiretapping the contents of sensitive communications, including US Air Force classified information on planned targets in the event of a war.

Intruders often align themselves into groups of individuals with similar interests and skills, e.g., the Master of Deception or MOD, who were convicted in Federal Court in New York City for breaking into some of the nation's most sophisticated computer systems to gain illegal access to the computers of Bank of America, Southwestern Bell, Martin Marietta, TRW Information Services and New York University, among others. The five were also accused of selling information, such as people's credit reports, that they obtained illegally from the systems. The hackers, an ethnically mixed group from working-class neighborhoods around New York City, defied the stereotype of young computer aficionados as affluent suburbanites. They met through computer bulletin boards, and knew one another by nicknames like "Outlaw," "Corrupt" and "Acid Phreak."

In a written statement submitted to the federal district court, Corrupt admitted to illegal activities as a member of MOD:

1) I agreed to possess in excess of fifteen passwords which permitted me to gain access to various computer systems including all systems mentioned in the indictment and others. I did not have authorization to access these systems. I knew at the time that what I did was wrong.

2) I used these access devices and in doing so obtained the value of time I spent within these systems as well as the value of the passwords themselves which I acknowledge was more than $1000.

3) I intentionally gained access to what I acknowledge are Federal interest computers and I acknowledge that work had to be done to improve the security of these systems which was necessitated by my unauthorized access.

4) I was able to monitor data exchange between computer systems and by doing so intentionally obtained more passwords, identifications and other data transmitted over ...net and other networks.

5) I acknowledge that I and others planned to share passwords and transmitted information across state boundaries by modem or telephone lines and by doing so obtained the monetary value of the use of the systems I would otherwise have had to pay for.

Among the ways I and others agreed to carry out these acts are the following:

1. I was part of a group called MOD.

2. The members of the group exchanged information including passwords so that we could gain access to computer systems which we were not authorized to access.

3. I got passwords by monitoring ...net, calling phone company employees and pretending to be computer technicians, and using computer programs to steal passwords. I participated in installing programs in computer systems that would give the highest level of access to members of MOD who possessed the secret password. I participated in altering telephone computer systems to obtain free calling services such as conference calling and free billing among others.

Finally, I obtained credit reports, telephone numbers and addresses as well as other information about individual people by gaining access to information and credit reporting services. I acknowledge that on November 5, 1991, I obtained passwords by monitoring ...net.

Corrupt and his MOD colleagues had apparently gained access to a vendor-supported Operations, Administration, Maintenance and Provisioning, OAM&P, "debug" port into the telephone companies' backbone networks. By exploiting the group-based or default password for the diagnostic tool, the intruders then executed the packet monitoring program to read the data traffic at various points in the telco's PPSN, e.g., X.25 multiplexers.

By reading the data on the X.25 nodes and gateways the intruders were able to capture logins and passwords transiting over or used within the packet network. With the help of the compromised logins and associated passwords, the intruders then attacked the downstream systems and networks.

All five of the defendants subsequently pleaded guilty and were sentenced to varying degrees of punishment, ranging from probation to 14 months in a Federal Penitentiary followed by three months of home incarceration, two years of probation and up to 600 hours of community service.

In another case, three adults and one juvenile, all members of the hacker group known as the Legion of Doom, were convicted and sentenced to prison in the Fall of 1990 in Federal court in Atlanta for their part in compromising the computer systems of BellSouth.

The defendants, who used the handles Leftist, Urvile, Prophet and Fry Guy, admitted accessing the carrier's internal backbone X.25 packet network to penetrate the carrier's OAM&P centers, systems and databases in order to effect fraudulent service creation and modification, add call forwarding to customer lines, and monitor customer communications.

In yet another case, a hacker based in Europe claimed to have the ability to shut down a major computer-based financial network located in the United States by affecting environmental support systems such as power, cooling/heating and ventilation. Telco and financial community investigations found a related security risk involving building environmental systems, which allowed potentially vulnerable remote access to heating, air conditioning, humidity, power and elevator alarms and control settings. Since many of the network nodes supporting the PSN and its customers are designed to operate in controlled environmental conditions, a potential vulnerability existed which, if exploited by an intruder, could cause catastrophic troubles to the network.

Intruders believe that the three easiest ways to penetrate a system are:

  • impersonate an authorized employee or vendor agent to effect the disclosure of sensitive access information or to gain physical access to a facility housing critical systems
  • take advantage of the defaults shipped with the system and its software
  • fraudulently influence system hot-line support personnel to give out information and/or effect system changes, e.g., the reset of a user's password.

Many of the U.S.-based hackers who have been apprehended and prosecuted for their crimes were found to have had indirect electronic association with hackers in Germany, Australia and Great Britain. The individuals located in Germany are the same espionage-operative hackers described by Clifford Stoll in his best-selling book "The Cuckoo's Egg." Known objectives for the attacks include financial gain, malicious destruction, and invasion of privacy.

It has become increasingly apparent that, without adequate attention to security, systems and networks are vulnerable to service-quality-impacting intrusions by unauthorized individuals (e.g., hackers) and groups (e.g., the hacker groups known as the Legion of Doom, 8LGM and Master of Deception). Such computer crimes always involve unauthorized persons, or persons who exceed their authorization, with adequate SKAM (Skills, Knowledge, Access and Motive) acting on exploitable vulnerabilities. Knowledge and access are often afforded the would-be intruder through the compromise of system security bulletins, often found in public sources and redistributed by the hackers on their own sites in cyberspace such as http://www.8lgm.org/advisories.html-ssi

In the past, since it was very often not economically feasible to prevent intrusions, most service providers focused their efforts on controlling losses through reactive deterrent and control measures.

Accordingly, and in recognition of the significant damage which might occur from such intrusions, a number of telecommunications carriers around the nation 12 have begun to assess the effectiveness of the security mechanisms in place to protect the critical common environments supporting the interconnection of the global public network.

If we assess the current wave of Internet attacks and fraud against the growing volume of electronic commerce transactions, we find surprisingly similar root causes.

It is easy to project that chaos is certain if we as a nation, industry and government do not clearly define, support and effect a holistic approach to network and information security, focusing on the root causes of intrusion into the NII/DII/GII. Technologies such as Asynchronous Transfer Mode, ATM, are seen as the platforms of choice for the fast lane of the Information Superhighway. Yet effective solutions and standards have not been developed to address the authentication of the source of OA&M cells, which could affect the integrity of network management controls and features such as switched virtual circuits, SVC.

Saying it another way: absent effective security policies, requirements, standards, working agreements for sharing vulnerability closure information, and penalties for non-conformance, chaos is certain and secure recovery readiness is a necessity.


NOTES

1 AMERICA'S HIDDEN VULNERABILITIES Crisis Management in a Society of Networks, A Report of the Panel on Crisis Management of the CSIS, CSIS Science and Technology Committee, Center for Strategic and International Studies, Georgetown University, Washington, D.C., 1984

2 For 1995, the CSIS has revisited the topic area with its announcement of its Global Organized Crime Study, chaired by the Honorable Judge William Webster, former head of the Federal Bureau of Investigation and the Central Intelligence Agency. The emphasis on the new study is to assess the vulnerability of the information infrastructure as a forensic root cause for criminal exploitation on a global basis.

3 Congressional Record, Senate, Thursday, June 29, 1995 (legislative day of Monday June 19th) 104th Congress 1st Session Statement of Senator Kyl introducing the Kyl - Leahy Bill, S.982, The National Information Infrastructure Protection Act of 1995.

4 Information Warfare is the use of information and information systems as weapons in a conflict where information and information systems are the targets. Winn Schwartau, 1994

5 A complementary set of paradigms, offered by the author, to Deming's Seven Deadly Diseases, from Out of the Crisis, W. Edwards Deming.

6 Changing the Role of Top Management: Beyond Systems to People, Christopher Bartlett and Sumantra Ghoshal, Harvard Business Review, May-June 1995.

7 NII Security: The Federal Role, Office of Management and Budget, 1995

8 The telecommunications outages of 1990 and 1991 caused considerable concern and attention to be directed at the problem of network integrity, security and assurance. So great was the potential societal impact of such widescale outages that the Federal Aviation Administration of the United States revamped its Telecommunications Strategic Plan to significantly reinforce its reliability and security requirements. Realizing that the security threat to air traffic control has changed in character, as computer and telecommunications technologies have grown more powerful, the FAA created a multipoint plan document to address security throughout the lifecycle of its future telecommunications environment.

9 At the time of his arrest, Shadowhawk indicated that he was taking most of his instruction and guidance on system penetration from The Prophet, a member of the Legion of Doom. Although he had never met The Prophet or any other LOD members face to face, they communicated over a Legion of Doom bulletin board known as PHREAK KLASS 2600 in Lubbock, Texas.

10 Russian mobsters loot US firms via computer; Cyberspace remains a lawless frontier, Washington Post, February 6, 1995.

11 The following references are offered for additional information on the threat:

· Kluepfel, Recipe For Hacker Heartburn, Security Management, January 1995

· Kluepfel, Securing a Global Village and its Resources, IEEE Communications Magazine, September 1994.

· Kluepfel, Current Security Issues of Open Networks, IEEE-ICCST, October 1990.

· Kluepfel, In Search of The Cuckoo's Nest: An auditing framework for evaluating the security of open networks, EDP Auditor Journal, Volume III, 1991.

12 Reference here is to the plethora of security threat information developed and mitigated by the President's National Security Telecommunications Advisory Committee, NSTAC. Composed of just under 30 senior executives representing the Nation's telecommunications, information service providers, equipment manufacturers and infrastructure dependent NSEP impacting community members e.g., national banking concerns, the NSTAC enables the Federal Government of the United States to work in partnership with industry to address a broad range of national security and emergency preparedness, NS/EP, issues. These currently include network security, standards for network infrastructure assurance, priority electric service restoration and refueling of critical telecommunications facilities, enhanced call completion for NS/EP users, the Telecommunications Service Priority (TSP) System, the Government Emergency Telecommunications System (GETS), Advanced Intelligent Network (AIN) for NS/EP, wireless digital services, potential vulnerabilities of common channel signaling (also known as Signaling System Number 7), and the NS/EP implications of the evolving National Information Infrastructure.


