[iwar] [fc:Oops.-.try.again:.Corporations.Risk.Harboring.Infoterrorists.through.Negligence]

From: Fred Cohen (fc@all.net)
Date: 2002-01-07 17:25:22


To: iwar@onelist.com (Information Warfare Mailing List)

Corporations Risk Harboring Infoterrorists through Negligence
By Jacques Halé, Infosec News, 1/7/2002
http://www.infosecnews.com/opinion/2002/01/02_02.htm
Terrorism is not a new phenomenon but has gained special popularity
recently. What is surprising is that the threat to the Internet as an
economic infrastructure has not yet dawned on the business community.
Ever since the use of IT in warfare, defense experts have been especially
interested, as part of intelligence and counter-intelligence, in the
activity of foreign powers and potential cyberterrorists over all
communication channels, but their expertise enables them to understand
also the nature of the threats to the Internet as the backbone of the
national and international economy.
One expert, Paul Strassmann, is an associate of the Butler Group. He has
served as an expert member of a number of U.S. military commissions
concerned with information warfare and has studied this field for at
least ten years. The knowledge of these military experts is now relevant
to the non-defense world as well, and it needs to be translated into
practical measures for the rest of us, as we discuss below.

We have come to rely on the Internet for commerce as well as ordinary
modern life; in fact we rely on it as much as on the telephone. During
different crises in recent years the Internet has often been the
communication channel of choice - after the attack in Manhattan on 11th
September, mobile phones or even land line phones became saturated or
even impossible to operate. Short messages (SMS) and the web were the
most reliable media for communities and individuals.

Communication in most commercial activities is now conducted almost
exclusively over the Internet, with a decreasing use of telephone, fax
and land mail. E-commerce is growing as a proportion of the overall
commercial transactions and represents probably around 5 percent of the
total exchanges in value, a remarkable figure for an innovation that is
only about four years old. Because of the strong interdependence of the
various economic processes, crippling the Internet would instantly
paralyze the whole global economy.

Even if the Internet is out of action for a few hours, the consequences
will be felt for a long time afterwards. Some well-publicized outages in
high profile web sites, like Yahoo, Amazon, CNN, Buy.com and eBay, or the
Stock Exchange in 2000, showed that the indirect effects in terms of
longer-term loss of custom or stock market value far exceed the already
considerable direct loss of trade. And many non-commercial activities
are moving onto the Internet, some life-critical, such as remote medical
diagnostics and treatment.

Because the Internet is an ideal replacement for communication in time
of crisis, an attack on the Internet would be most effective if
coordinated with a natural or man-made crisis - another major terrorist
attack for example.

What would be the most effective method of attack? Viruses can spread
in a spectacularly short time: 24 to 36 hours round the globe. This
costs a lot of effort and money to neutralize and is a kind of pollution
that we could do without. But viruses are not fast enough for the kind
of blitzkrieg that would be intended by malevolent global terrorists.
The most effective way to temporarily disable the Internet would be
through a massive distributed denial-of-service (DDoS) attack that would
cripple a significant proportion of the routers. The Internet was
designed by ARPA engineers to be resilient to nuclear attacks on
mainland America but not to the more subtle but persuasive threat of a
software-borne device.

This is not warmongering but facing a stark, real possibility,
especially as we can do something about it. Our responsibility as IT
professionals is both passive and active. Our passive responsibility is
in terms of the risk of becoming an unsuspecting collaborator with the
terrorists, and our active responsibility is to take the appropriate
measures for defense.

The mechanism of DDoS is well known: the 'spore' of the contamination -
to borrow from the field of bio terrorism - is a special form of
software virus called a zombie. The zombie is received like other
viruses through email attachments or other downloaded executable files.
It installs itself at a discreet location in the computer where it can
access the Internet communication ports, sending periodical reports of
its existence to the originator of the virus, the 'Master'. Millions of
copies of the zombie can thus be disseminated to millions of
unsuspecting user systems over a period of time.

At a date chosen by the Master, the zombies receive almost
simultaneously the order to flood a particular web address with
meaningless but constant messages. This will create a congestion of part
of the network that could trigger a cascade of failures throughout the
entire network. It is not necessary that all zombies are online at the
same time; only a fraction need to be activated to trigger a successful
disruption. With the growing popularity of 'always on' technologies,
there is more and more opportunity for both contamination and DDoS
attacks. A variation of this scenario would be to exploit the known
vulnerabilities of the Microsoft Internet Information Server (IIS),
which is used in some 40 percent of Internet servers.
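The two phases the article describes (zombies "sending periodical reports
of their existence" to the Master, then many zombies flooding one address
at once) both leave traces in ordinary network flow records. The following
is an added example, not part of Halé's article or any product it mentions,
showing how a defender could look for each phase on their own network. The
flow records are constructed for the example, the IP addresses are
documentation ranges, and the thresholds (minimum event count, allowed
jitter, window size, minimum distinct sources) are assumed values that a
real deployment would tune.

```python
"""Added example: spotting the two observable phases of the DDoS lifecycle
described above (zombie check-ins to a master, then a coordinated flood)
in flow records.  Flow data is constructed here, not real traffic; the
thresholds are assumptions a defender would tune to their own network."""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed flows: (t_seconds, src, dst, dport, nbytes)."""
    flows = []
    # A zombie on 10.0.0.7 reporting in to its master every 300 s (+/- jitter).
    jitter = [0, 3, -2, 1, -1, 2, 0, -3, 1, 0]
    for i, j in enumerate(jitter):
        flows.append((1000 + 300 * i + j, "10.0.0.7", "203.0.113.9", 6667, 64))
    # Ordinary, irregular browsing from 10.0.0.8 to one web site.
    for t in (1010, 1075, 1500, 1502, 2100, 2900, 2910, 3600, 3601, 3999):
        flows.append((t, "10.0.0.8", "198.51.100.5", 443, 1500))
    # The flood: 40 distinct sources hit one target within ~12 s, irregularly.
    offsets = [0, 1, 5, 6, 9]
    for k in range(40):
        for off in offsets:
            flows.append((5000 + off + (k % 4), "192.0.2.%d" % (k + 1),
                          "198.51.100.20", 80, 40))
    return flows


def detect_beacons(flows, min_events=6, max_cv=0.05):
    """Return (src, dst, dport) tuples whose connection gaps are nearly constant.

    A zombie's periodic report to its master shows up as a regular
    inter-arrival time; max_cv bounds the coefficient of variation
    (stdev / mean) of those gaps.  Human-driven traffic is bursty and fails
    the test.  Both thresholds are assumed values, not measured ones.
    """
    by_key = defaultdict(list)
    for t, src, dst, dport, _ in flows:
        by_key[(src, dst, dport)].append(t)
    hits = {}
    for key, times in by_key.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = {"period_s": round(avg, 1), "cv": round(cv, 3),
                         "events": len(times)}
    return hits


def detect_floods(flows, window_s=10, min_sources=20):
    """Return {(dst, dport): max distinct sources in any window_s bucket}
    for destinations hit by at least min_sources sources in one bucket.

    Many previously quiet hosts converging on one address in the same few
    seconds is the flood phase; counting distinct sources rather than bytes
    separates it from one busy legitimate client."""
    buckets = defaultdict(set)
    for t, src, dst, dport, _ in flows:
        buckets[(dst, dport, t // window_s)].add(src)
    alerts = {}
    for (dst, dport, _bucket), srcs in buckets.items():
        if len(srcs) >= min_sources:
            alerts[(dst, dport)] = max(alerts.get((dst, dport), 0), len(srcs))
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    for key, info in detect_beacons(flows).items():
        print("possible zombie check-in:", key, info)
    for key, n in detect_floods(flows).items():
        print("possible flood target:", key, "distinct sources:", n)
```

The beacon check is what an organisation would run to find its own
"passive" exposure, the infected bystander machine, before it is ever
ordered to attack; the flood check is what the target sees once the Master
gives the order. On the constructed data the first flags only
10.0.0.7 -> 203.0.113.9:6667 (period 300 s), and the second flags only
198.51.100.20:80 with 40 distinct sources in one 10-second window.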

The core of the strategy of DDoS attacks relies on the failure of
innocent bystanders to prevent the infection of their own system - and
the implications of this new state of affairs are vast. This has
consequences for both individual users of the web and IT professionals.

Every ordinary, individual user needs to understand what is happening.
Surfing the Net may have dangerous consequences if the appropriate
protections are not in place: individual firewalls and up-to-date
anti-virus software. For systems managers, service providers, CIO and IT
directors, the implication could (will) be more prescriptive, in the
shape of a new legal framework. It is likely that an operator's license
for operating connected computer systems will be required, regulating
the use of the information and communication infrastructure. The process
of implementing the necessary legislation and regulatory controls is
likely to be swift and businesses must be prepared to act. In fact new
legislation is being drafted by the U.S. senate in that direction and
the E.C. is likely to follow suit.

 What is that legislation likely to do? The following are likely:

CIOs would become agents acting on behalf of national cybersecurity
interests in safeguarding servers, workstations and networks under their
control. Their infosecurity responsibilities would become subject to
regulation, similar to that of a CFO who can be jailed if malpractices
can be proved in their custody of financial accounts. Ensuring that
adequate security measures have been taken to protect the systems in the
CIOs' care will then not only be a question of good commercial practice
but also of legal accountability.

Suppliers of IT equipment and Internet software would become liable if
they do not update known security flaws in their products that have
previously been vulnerable to cyberattacks. In this respect, the
punitive damages could be comparable to what has been imposed on firms
producing tobacco products or defective pharmaceuticals.

Software engineers and network operators could need a license to
practice their trade in the same way as existing regulations impose
strict training, qualification verification and regulatory compliance
testing on operators of equipment such as lorries, airplanes, x-rays and
handlers of radioactive substances.

In conclusion, I recommend that computer and network executives need to
anticipate major changes in their responsibilities with regard to
information security that could be enforced by new legislative
measures. Executives should also start making contingency plans to
protect their systems in case of significant interruption in Internet
services. Boards of directors will be seeking assurances that business
operations are able to continue without damage if Internet services are
seriously degraded. As in the case of the much-anticipated Y2K problem,
preparation and planning may be all that's necessary to prevent a mere
possibility becoming a predictable disaster.

 Dr Jacques Halé is research director with the Butler Group
(www.butlergroup.com), a firm of IT industry analysts based in the U.K.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:02 PST