By John McHale
The growing reliance on the Internet by the military and its suppliers has dramatically improved communications but also made its systems much more vulnerable to information attacks. Military leaders are forced to move from preventing threats to managing them during the onslaught of information warfare.
In the 1974 film, "The Godfather Part II," the character Michael Corleone tells us "if history has taught us anything it is that you can kill anyone." Recent history in the information age has taught us a similar lesson — a hacker can attack anyone's computer, from the family down the street to military forces deployed during time of war and the highest echelons of government.
Imagine a foreign government deploying information warriors to hack into the U.S. military's classified digital network to order ships to the wrong destinations or planes to bomb the wrong targets. The classified areas represent only a small part of military cyberspace. Think what havoc a cyberwarrior could wreak upon unclassified channels dealing with payroll shipments or the distribution of food to soldiers in the field, says Rob Clyde, vice president of security and co-founder of Axent Technologies in American Fork, Utah. Unpaid and unfed soldiers might create a serious morale problem during wartime.
Today's military is becoming more and more dependent on the high-performance, commercial-off-the-shelf (COTS) technology that makes digital battlefields and networked ships possible, but also makes these same systems vulnerable to information attacks unless they are managed properly.
The difficulty in tracing information attacks to their sources and the lack of legal clout to enforce laws against such attacks in foreign countries is forcing military leaders to move from their traditional mission of preventing threats to a more business-like approach of managing threats, says Dennis McCallum, member of the senior technical staff at Logicon, a Northrop Grumman company in Herndon, Va.
The military is fairly vulnerable, says Tom Haigh, chief technical officer for Secure Computing Corp. in San Jose, Calif. However, the military is not alone; the rest of the government and the private sector are vulnerable as well.
About 80 percent of the military is not secure, estimates Paul Zavidniak, member of the senior technical staff for Logicon. Many systems need to be overhauled to add security and laws also need to be updated to better prosecute computer crime, he adds.
Fighting an information war is a measure/countermeasure operation, Clyde explains. Once a hacker attacks a system, computer security experts design a method to stop that attack, until the hacker finds a new avenue of attack. It is a continuous cycle, he says.
"Attackers have it easier [than defenders]," states Bruce Schneier, founder and chief technical officer for Counterpane Internet Security in San Jose, Calif., in his new book Secrets & Lies: Digital Security in a Networked World. "They can cheat. They can invent new science and new technology to attack systems already in place. They can use techniques the defenders never considered. They don't have to follow the defender's threat model," Schneier writes.
"The defender occupies what Karl von Clausewitz calls 'the position of the interior,'" Schneier writes. "An attacker needs to find one successful attack: one minor vulnerability that the defender forgot to close. A defender, on the other hand, needs to protect against every possible attack. He needs to think of everything; he can't afford to miss one."
Typical cyber attacks
The most popular types of cyber attacks are the ones everyone hears about — the challenging attacks by teenage hackers that involve cyber toxins such as the love letter viruses that affect businesses worldwide, Haigh continues.
Hacking may be fun and challenging to some, but messing with systems can also affect lives — whether it is ordering spare parts for equipment in battle or maintaining blood supplies. Contaminated information, for example, could corrupt medical records shipments and result in patients receiving the wrong blood types, which could sicken or even kill them, pointed out Art Money, Assistant Secretary of Defense for C3I and chief information officer for the U.S. Department of Defense (DOD) at the DEFCON 8.0 conference in Las Vegas this past summer.
DEFCON gathers members of the hacker community, whom Money asked to apply their superior expertise and skills to defensive information warfare — possibly for the U.S. government — not to attack public and private systems. Money appealed to hackers in the audience to realize the damage they do, and how their efforts can put lives at risk. He asked them to act responsibly so that he and his colleagues can spend more time focusing on "the ones that really keep me up at night — the ones we haven't even detected," Money said.
Money points out that the government does have offensive information ability as "a weapon in its quiver," but he laments that government experts use this ability rarely, if ever. "It is only used with presidential approval as if it were a nuclear release," he says.
In Secrets and Lies, Schneier recommends a get-tough policy against computer hackers worldwide. He proposes a solution involving "an increase in the prosecution of people who engage in criminal activity and for the issuance of fair sentences." Companies, he points out, are reluctant to prosecute computer criminals "because they fear retaliation. The reality is that until we prosecute the criminals, they will continue to disseminate attack tools and break into computer networks," Schneier writes. "Once we start prosecuting criminals, hacking into other people's networks will be much less cool."
Prosecutors also need to get in step with effective ways to pursue cyber criminals, says Secure Computing's Haigh. "The legal profession has a long way to go in information security." Often, while tracing an attack to its source they get tangled up investigating companies whose systems the actual perpetrator used to cover his tracks, he adds.
Hitting back
Many information systems administrators, once attacked, want to attack back, but attempts at cyber retaliation may not be the best approach, advise officials at Internet Security Systems (ISS) in Atlanta, Ga. Instead, ISS officials recommend a defensive approach. The problem with attacking back is that you may not hit the right target, says Chris Klaus, chief technical officer and founder of ISS. Often the actual attacker will masquerade as another company, Klaus explains.
Legal prosecution also may be difficult, even after information warfare experts identify a perpetrator, Klaus says. For example, "the author of the love letter virus was recently let go scot-free" because of the lack of sufficient hacker laws in countries that do not even have adequate copyright laws, he adds.
The growing popularity of electronic business conducted over the Internet also can leave government agencies and private companies vulnerable to attacks — and also provides a rich opportunity for would-be hackers, Klaus explains. Three or four years ago most hacker attacks were graffiti attacks on Web pages that served primarily as brochures, Klaus says. Many companies will not even prosecute because they do not want it known that they were attacked, which may hurt business, he explains.
Security and COTS
The goal of DOD leaders is "to assure a unified flow of information to the warfighter and deny the enemy the same," Money told DEFCON attendees. That goal includes assuring a unified flow of information in a business sense as well; both need to work in a secure environment, he added.
However, the communications technology that DOD experts use is increasingly based on commercial-off-the-shelf (COTS) technology. Now all the services share a common communication network and technology.
One problem: the increased commonality also may mean that people and countries unfriendly to the U.S. occasionally can listen in and even participate in military operations by using cyberspace to perform acts of disinformation.
There is a belief among some military leaders that the increased commonality and reliance on open architectures creates a more vulnerable environment than existed among the stovepipe systems of the past. However, some experts in the information-security industry tend to disagree.
It is possible, for example, to contaminate COTS hardware and software in the manufacturing process before the government even gets it. Perpetrators could make a small change in a chip's design to make it fail when used, or could place so-called "Easter eggs" in an operating system.
Easter eggs are applications hidden in software code that users can access with a certain type of keystroke, Logicon's McCallum explains. Some of the more famous Easter eggs involve versions of Microsoft Excel, he continues. One version has a complete flight simulator running in it and an earlier version has a Dungeons and Dragons type of game hidden by a group calling themselves the Hall of Tortured Souls, McCallum explains.
Hackers may also plant a so-called "Trojan horse," which will trigger a denial-of-service attack months after being planted in the system — and there may be no way to trace it, Haigh says.
COTS-based systems and open-source operating systems and application software might be more secure than traditional stovepipe systems because so many experts are analyzing their weaknesses, Clyde says.
Keeping the existence and details of certain software programs secret — called "security by obscurity" — can be effective when dealing with highly classified systems that only involve a small number of people, Clyde says. However, some systems — military and government — involve thousands of users worldwide and demand the performance and commonality of COTS technology.
If a system is designed with security by obscurity, then that security "is delicate," Schneier states in Secrets and Lies. "A bad system design is secure as long as the details remain secret, but quickly breaks once they are released. A good system design is secure even if the details are made public."
Open-source security
Open-source operating systems such as Linux also have a tendency to generate the same kind of suspicion as COTS technology. Skeptics ask, if everybody has access to the code how can you make it secure?
Actually the effect can be just the opposite, Clyde says, provided you have everyone working on a system and working twice as hard updating security flaws. Conversely, systems based on security by obscurity, by definition, do not have as much effort put into updating their security measures because very few people have access to them, he adds.
"Security researchers ... do not have the time nor the inclination, to examine every piece of source code that is published," Counterpane's Schneier states in Secrets and Lies. "So while opening up source code is a good thing, it is not a guarantee of security. I could name a dozen open-source security libraries that no one has ever heard of [or evaluated]. On the other hand the security code in the various open-source secure Unix flavors has been looked at by a lot of crackerjack security engineers." Open-source flavors of Unix include Linux and FreeBSD.
However, Linux is not a "Fort Knox" operating system, Clyde says. It is just as vulnerable as Windows NT or Solaris, only in different ways, he explains. If someone is smart enough to build an operating system, there will be someone smart enough to hack it, Clyde notes.
" ... simply publishing the code does not automatically mean that security problems are fixed promptly when found," Schneier continues in his book. "There's no reason to believe that a two-year-old piece of open-source code has fewer security flaws than a two-year-old piece of proprietary code. If the open source code has been well examined, this is likely to be true. But just because a piece of open-source code had been open source for several years does not, by itself, mean anything.
"Software isn't automatically secure because it is open source, just as it isn't automatically insecure because it is proprietary," Schneier continues.
A big organization like the DOD, for example, might be better off if hackers are attacking its COTS-based systems than would be a small organization using a small obscure system, Clyde says. As a large network it will be easier to fix those security holes than it would be for a small obscure system, he says. The larger organizations simply have more resources.
COTS security solutions
The military and the government use commercial software because it makes economic sense; the best way to secure these systems is through commercial providers such as Symantec and Axent, which provide a variety of security products and back them up with support, says Ron Moritz, senior vice president and chief technical officer for Symantec in Cupertino, Calif. Symantec recently reacquired Axent.
"We're seeing 110 to 120 new viruses a month, and 10 to 15 every day," Moritz says. As new computer viruses appear the Symantec Antivirus Research Center develops identification and detection for these viruses, and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.
These are the types of advantages that users of open systems have, Moritz says. Commercial security companies can provide these solutions to millions of users almost immediately, he adds. After the love letter virus hit, for example, Symantec experts had a solution available within 24 hours and were on top of the more than 31 variants that followed the love letter virus, he says.
Axent and ISS have research teams — SWAT and X-Force respectively — that track the different types of cyber attacks worldwide. Axent's SWAT team has a list of more than 30,000 different web sites that enable anyone to download attack software, Axent's Clyde says. You no longer have to be a guru to hack an Internet site or operating system, Clyde says. "There is even one system, L0phtcrack — created by L0pht, a group of security consultants — that attacks Windows NT passwords and is easier to use than Excel," he adds.
Common sense
Common sense also plays a part in security defense, says Robert Lupo, a security consultant and former hacker with the pseudonym V1ru5. A company or government may employ all the best information security systems available, but untrained and overly trusting personnel may end up being their biggest security liability, he adds.
Many hackers employ social engineering, Lupo says. In other words they get people on the inside of a company to trust them — whether by revealing a password over the phone or letting a perpetrator masquerading as a company technician from the "home office" work on their computer, he explains.
"You would be amazed at how far you can get with a hardhat, clipboard, and a radio," Lupo says. "People really want to be helpful," he adds.
People also should know better than to open up multiple e-mail messages from the company president saying, "I love you," Symantec's Moritz says. They should know there is a problem afoot and notify their system administrator, he adds. Companies need to encourage their employees to be more diligent and update their antivirus software once a week, Moritz says.
Managing threats
The next megatrend in security is for companies to outsource for security management all the time, ISS's Klaus says.
Many companies need security systems that provide Internet security the way an alarm service company secures homes, Counterpane's Schneier says. Counterpane provides round-the-clock security monitoring services, he adds.
Counterpane uses cross-product analysis and filtering technology to watch and sort through all audit information in real time to detect intrusions. Human analysts then examine these events to eliminate false alarms and carry out plans to foil hackers, Counterpane officials say.
In case of a verified intrusion, analysts contact company security personnel, stop the intrusion, and close the vulnerability. Counterpane manages two secure operations centers — one in Mountain View, Calif., and the other in Chantilly, Va.
"No one hires their own guards; they outsource," Schneier explains in his book. "No one hires their own security auditors; they outsource. Even something as mundane as document shredding is best outsourced to a company that specializes in that sort of thing."
ISS recently bought Netrex Secure Solutions of Southfield, Mich., which operates "big wargame-like screens that emit loud noises and bright colors when a cyber attack hits a system," Klaus says. Counterpane and ISS also back up their solutions with insurance programs for their clients.
"A secure computer is one you've insured," Schneier states in his book. "I believe that insurance is the future of digital security. You can buy insurance against almost any other security risk: theft, vandalism, rogue employees shooting the executive team, or whatever. Why not digital security risks? Whoever learns how to best manage risk is the one who will win. Insurance is one critical component of this. Technical solutions to mitigate risk to the point where it is insurable is another."
Counterpane has a new insurance program with Lloyd's of London, Schneier says. It enables Counterpane's clients and customers to purchase insurance policies to protect against loss of revenues and information assets because of Internet and e-commerce security breaches.
Counterpane offers two insurance programs. The first is Internet Asset and Income Protection Coverage, which provides insurance for loss of, or damage to, information resulting from a breach of security or technology failure. The insurance also covers business interruption from a breach of security. The second program is Internet Asset and Income Protection Warranty Plan, which enables Counterpane's clients to extend the coverage to their clients.
ISS uses Marsh, a subsidiary of Marsh & McLennan Cos. in Atlanta, Klaus says. Through the insurance firm they have set up a security rating to assess a company's defenses and then suggest ways to improve on the rating.
Industry's answers
Experts at Northrop Grumman in Baltimore, Logicon, and the U.S. Air Force Research Laboratory Information Directorate in Rome, N.Y., are working on a tactical deception concept. Called Sleeping Beauty, it would make an adversary believe he has broken into a network and lets him look at, manipulate, and corrupt bogus data, Northrop Grumman officials say. Meanwhile the real databases or networks would perform their intended tasks uninterrupted.
Programs like Sleeping Beauty let the hacker "think he's getting away with something while you subliminally identify his geolocation," says Logicon's Zavidniak. These programs, also called "honeypots," record how an attacker gets in the first time and use that information against him the next time, says Axent's Clyde.
Logicon experts also recently demonstrated what they claim is real-time information recovery and response during a simulated information warfare attack on a deployed U.S. Department of Defense battle management system.
The demonstration, held last summer, is part of the Data Resiliency in Information Warfare (DRIW) program of the U.S. Air Force Research Laboratory Information Directorate in Rome, N.Y.
"The Logicon team has focused on two unique areas — forecasting an attack and responding in real-time immediately after an attack," McCallam says. "Our work enables the user to either forestall an attack or react rapidly to it, and re-establish the system's operations with minimal or no impact to the end user."
"DRIW is specifically designed to protect battle management and command and control systems," says Joe Giordano, the Air Force's program manager. "Logicon's team is the only real-time recovery solution that has been successfully demonstrated."
Axent officials offer the Raptor Firewall, which integrates with Microsoft Windows NT to provide native high-availability support using Microsoft Cluster Server. Axent also has an intrusion-detection system called NetProwler, which complements firewalls by analyzing the authorized traffic for attempts to exploit known vulnerabilities.
For firewall protection Secure Computing offers Sidewinder, an application-level security gateway that uses Secure Computing's Type Enforcement security and offers protection for e-mail, Java, and the World Wide Web.
Symantec recently developed a way to defeat the first known Trojan horse for the Palm platform — Palm.Liberty.A, Symantec's Moritz says.
NSA selects Secure Computing to develop security for Linux
SAN JOSE, Calif. — Experts at Secure Computing Corp. in San Jose, Calif., are developing a Secure Linux Operating System (OS) for the National Security Agency in Washington. Secure Computing engineers will apply their Type Enforcement technology to develop a secure Linux platform.
Secure Computing's patented Type Enforcement technology, first developed under previous government contracts, is available today as part of the Unix operating system for Secure Computing's Sidewinder firewall.
Type Enforcement secures underlying operating systems and protects applications and network services by segmenting them into domains. Each domain has permission to access only specific file types, including executables, Secure officials say.
As such, each domain provides a self-contained, discrete layer of protection that cannot be altered. Implementing Type Enforcement within the operating system itself assures the highest level of security available in commercial operating systems. As the two teams work together, Secure and NSA will leverage each other's expertise to develop a code base.
There will be no restrictions on the use of Type Enforcement by the Linux open source community, Secure officials say. The Secure modifications to Linux will consist of strong policy enforcement code which is integrated into the kernel itself and a flexible policy engine structured as a separate kernel component, Secure officials say. — J.M.
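The domain-and-type model described above can be sketched as follows. This is an added illustration, not Secure Computing's or the NSA's code: the domains, file types, paths and policy rules are all hypothetical, and the split between a policy table and an enforcement function only mirrors the article's description loosely.

```python
from collections import namedtuple

# Simplified model, not Secure Computing's implementation. Every domain, type
# and path below is hypothetical and constructed for illustration.
Process = namedtuple("Process", ["domain", "uid"])

# Labels: each file carries a type (executables included).
FILE_TYPES = {
    "/usr/sbin/maild": "mail_exec_t",
    "/etc/maild.conf": "mail_conf_t",
    "/var/spool/mail/alice": "mail_spool_t",
    "/var/www/index.html": "web_content_t",
    "/bin/sh": "shell_exec_t",
    "/etc/passwd": "system_conf_t",
}

# Policy data: (domain, file type) -> operations that domain may perform.
ALLOW = {
    ("init_d", "mail_exec_t"): {"execute"},
    ("mail_d", "mail_conf_t"): {"read"},
    ("mail_d", "mail_spool_t"): {"read", "write"},
    ("web_d", "web_content_t"): {"read"},
    ("admin_d", "system_conf_t"): {"read", "write"},
    ("admin_d", "shell_exec_t"): {"execute"},
}

# Executing a file of the given type from the given domain enters a new domain.
TRANSITIONS = {("init_d", "mail_exec_t"): "mail_d"}


def check(proc, path, op):
    """Enforcement: default deny. The uid is deliberately never consulted."""
    ftype = FILE_TYPES.get(path)  # unlabeled files match no rule
    return op in ALLOW.get((proc.domain, ftype), set())


def execute(proc, path):
    """Return the process that results from exec, or None when denied."""
    if not check(proc, path, "execute"):
        return None
    key = (proc.domain, FILE_TYPES[path])
    return Process(TRANSITIONS.get(key, proc.domain), proc.uid)


def audit(proc, requests):
    """Decide a list of (path, op) requests; returns (path, op, verdict) tuples."""
    return [(p, op, "allow" if check(proc, p, op) else "deny") for p, op in requests]


if __name__ == "__main__":
    init = Process("init_d", uid=0)
    maild = execute(init, "/usr/sbin/maild")  # enters mail_d, still uid 0
    # Requests a subverted mail daemon might make (constructed).
    for row in audit(maild, [
        ("/var/spool/mail/alice", "write"),
        ("/etc/maild.conf", "write"),
        ("/etc/passwd", "write"),
        ("/var/www/index.html", "read"),
    ]):
        print(maild.domain, *row)
    print("exec /bin/sh ->", execute(maild, "/bin/sh"))
```

In this model a mail daemon running with uid 0 still cannot write system configuration or start a shell, because the decision depends only on its domain and the file's type.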