Chapter 2. The State of the Net: A World at War

Since 1973, Internet sites have been breached on a regular basis. Although it’s difficult to compare the Internet of the late 70s and 80s with the network known as the Internet today, it is safe to say that the attack trends are not decreasing. This chapter was designed to give you a tour of some of the chaos that exists on the Internet today, as well as to provide some insight into what could possibly lie ahead. We will examine the fact that every type of organization in existence has been broken into, ranging from educational institutions to corporations to the U.S. Department of Defense (DoD). There is evidence that Internet-based attacks could be used to cripple organizations and government agencies for political purposes. With the worldwide fight against terrorism, these issues are more relevant than ever. The Internet is just one battleground of many. Today, security technologies are complex, but the Internet is still easily cracked. This chapter discusses who can be, and has been, broken into, and why.

Hacking, Cracking, and Other Malicious Behavior

Although most people have succumbed to using the term hacked when they refer to illegal intrusions, the term cracked might be more proper. Cracked refers to that condition in which the victim network suffers an unauthorized intrusion. There are various degrees of this condition. Here are a few examples:

  • The intruder gains access and nothing more (access being defined as simple unauthorized entry on a network that requires—at a minimum—a login and password).

  • The intruder gains access and destroys, corrupts, or otherwise alters data.

  • The intruder gains access and seizes control of a compartmentalized portion of the system or the whole system, perhaps denying access even to privileged users.

  • The intruder does not gain access, but instead forges messages from your system. (Folks often do this to send unsolicited mail or spam.)

  • The intruder does not gain access, but instead implements malicious procedures that cause the network to fail, reboot, hang, or otherwise manifest an inoperable condition, either permanently or temporarily. These types of attacks are usually classified as denial-of-service (DoS) attacks.

Modern security techniques have made cracking more difficult. However, the distance between the word difficult and the word impossible is still wide. Today, crackers have access to a wealth of security information, most of which is freely available on the Internet. The balance of knowledge between crackers and bona fide security specialists is not greatly disproportionate. In fact, it is arguable that each side possesses components that the other side lacks, which makes the balance all the more interesting.

This chapter shows that cracking is a common activity—so common that assurances from anyone that the Internet is secure should be viewed with extreme suspicion. To drive that point home, I will begin with governmental entities. After all, defense and intelligence agencies form the basis of our national security infrastructure. They, more than any other group, must be secure.

Governments at War

If I asked you who your friends were, you’d answer without hesitation. That’s because human relationships are based on mutual interest and affection, simple qualities that are largely subjective. If I asked you to identify friends of the United States, again, you would answer without hesitation. In that instance, however, your answer would probably be dead wrong.

In diplomatic circles, the word ally describes any foreign nation that shares common territorial, ideological, or economic interests with your own. We call this or that foreign state an ally based on various treaties, a handful of assurances, and on occasion, binding contracts.

For example, we count France and Israel as allies. Each occupies a geographical region that we have interest in protecting, and each shares with us a vision of democracy. (The French stood with us against the Nazis, and we have long supported Israel in the repatriation of Jews driven from Soviet Russia.) If these nations are our friends, why are they spying on us? In the last decade, the United States has been the target of widespread technological and industrial espionage, often perpetrated by friends and allies. In 2002, security experts estimated that at least 12 of the top trading partners of the U.S. had systematic spying programs directed at the U.S. This includes the seven largest European Union members, as well as China, Israel, Japan, South Korea, and Taiwan. Most of these countries are considered U.S. allies. More information can be found at http://www.worldtrademag.com/CDA/ArticleInformation/features/BNP__Features__Item/0,3483,74603,00.html.

CAUTION

Do you fly Air France? If so, watch what you say on the telephone. Air France has been caught intercepting electronic communications of American tourists in transit to Europe. An article on the subject can be found at http://www.newsmax.com/showinside.shtml?a=2001/6/14/153545.

China and Japan have been caught stealing data communications information from Lucent. France targeted Boeing as well. Like most nations spying on us, France employs these generic intelligence-gathering techniques:

  • Eavesdropping

  • Penetrating computer networks

  • Stealing proprietary information

Do you still believe that France is an ally?

You’re probably shocked that I would say all this. Let me take a different angle. If you’re a French, Israeli, German, or South Korean national, know this: The U.S. government spies on your countrymen 24 hours a day, 7 days a week. In fact, every industrialized country does it. Many non-industrialized countries do it as well. That’s simply the way it is; nations have their own economic and political agendas. These agendas naturally—and necessarily—have far greater priority than pacts made with allies. In other words, we can’t blame France for trying.

The problem is, times have changed drastically. For 10,000 years, spying, sabotage, and warfare have all required human participation. Indeed, the spy’s face has changed little throughout the ages. Whether he was a stealthy infiltrator, an agent of influence, or an agent provocateur, he was still human.

The rules have since changed. Telecommunications and computer technology have made electronic espionage and warfare not simply fanciful notions, but hard realities. Therefore, hostile foreign nations need not send human spies anymore. Instead, they can send packets—and why not? Packets are cheaper. Packets don’t drink or smoke (that we know of), they don’t gamble, and they cannot be compromised by virtue of reputation, sexual indiscretion, or criminal record. Most importantly, packets are invisible (at least to folks who maintain poor security practices).

From this, it’s only a small step to imagine the Internet as a superb espionage tool. Many government sources were slow to recognize this. However, the U.S. government is at least well aware of the problem now and takes it seriously.

Can the Internet Be Used for Espionage?

The better question is, how often is the Internet used for espionage? Analysts have hotly debated for quite some time now whether the Internet could be used for spying. They can stop arguing—it is already happening. For example, the Soviet Union’s space shuttle program was based on American technology stolen from the Internet. Designs were acquired from various technical universities online. In fact, in his article “How Soviets Stole a Shuttle,” Robert Windrem says that:

So thorough was the online acquisition, the National Security Agency learned, that the Soviets were using two East-West research centers in Vienna and Helsinki as covers to funnel the information to Moscow, where it kept printers going “almost constantly”… Intelligence officials told NBC News that the Soviets had saved billions on their shuttle program by using online spying.

The Soviets have long recognized the Internet as a valid intelligence source. An Internet legend gained international fame by breaking a KGB spy ring that used the Internet to steal American secrets. I refer here to Clifford Stoll, an astronomer then working at a university in Berkeley, California.

Stoll set out to discover the source of a 75-cent accounting error. During his investigation, he learned that someone had broken into the university’s computers. Instead of confronting the intruder, Stoll watched the activity. What he saw was disturbing.

The intruder was using Stoll’s servers as a launch point. The real targets were military computers, including servers at the Pentagon. The intruder was probing for information on U.S. nuclear preparedness. Stoll recognized this for what it was: spying. He therefore contacted the Federal Bureau of Investigation. However, to Stoll’s surprise, FBI agents dismissed the entire incident and refused to offer assistance. Stoll began his own investigation. What followed has since become the most well-known chapter in Internet folklore.

After analyzing chained connections through the telephone system, Stoll traced the spy to Germany. His evidence would ultimately prompt the FBI, the CIA, and the West German secret police to get involved. In March 1989, Clifford Stoll was credited with cracking a German spy ring that stole U.S. secrets from the Net and sold them to the KGB. (An interesting side note: The German spies received not only money, but also large amounts of cocaine for their services.)

TIP

The full story can be read in Stoll’s book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage (Pocket).

Can the Internet Be Used for Terrorism?

The term for this is cyberterrorism. The definition is somewhat vague, and has several different meanings. One is planning physical terrorism by exchanging information on the Internet. Another is damaging the Internet itself. We will look at both kinds.

Intelligence experts have determined that Al-Qaeda used the Internet to plan the attempted bombing of LAX (the Los Angeles airport), and troop movements were also planned over the Internet. In both of these cases, they tried to disguise the conversations in terms of wedding and travel plans. Also, Web sites containing thousands of coded files belonging to the terrorists have been found. There have also been persistent but unconfirmed reports that messages were hidden inside pornographic images on the Internet. This is known as steganography, and more information can be found at http://www.jjtc.com/Steganography. Finally, defaced Web sites are very common these days, sometimes to further terrorist ends.

NOTE

Find out more about terrorists and the Internet in Chapter 9, “Dispelling Some of the Myths.”

Discussions in the U.S. Congress have revealed that the Internet traffic exchange points are relatively few. All the fiber connections between the U.S. and Europe go through New York City. Eighty percent of the United States’s Internet traffic goes through just a dozen locations. That means that there are potentially serious physical security issues that need to be addressed to prevent terrorists from taking out the Internet.

The Threat Gets More Personal

Hostile foreign nations are studying how to use the Internet to attack us. The new threat, therefore, is not simply espionage, but all-out Internet warfare. Are we ready? Sort of.

Information warfare has been on the minds of defense officials for years. Recent studies suggest that we’ll experience our first real information warfare attack within 20 years. Most hostile foreign nations are already preparing for it:

 

Defense officials and information systems security experts believe that over 120 foreign countries are developing information warfare techniques. These techniques enable our enemies to seize control of or harm sensitive defense information systems or public networks, which Defense relies upon for communications… They could infect critical systems, including weapons and command and control systems, with sophisticated computer viruses, potentially causing them to malfunction. They could also prevent our military forces from communicating and disrupt our supply and logistics lines by attacking key Defense systems.

--“Information Security: Computer Attacks at Department of Defense Pose Increasing Risks.” (Testimony, 05/22/96, GAO/T-AIMD-96-92).

Most information warfare policy papers center on the importance of information warfare in a wartime situation. However, some U.S. information warfare specialists have recognized that we needn’t be at war to be attacked:

 

The United States should expect that its information systems are vulnerable to attack. It should further expect that attacks, when they come, might come in advance of any formal declaration of hostile intent by an adversary state… This is what we have to look forward to in 2020 or sooner.

--“A Theory of Information Warfare; Preparing For 2020.” Colonel Richard Szafranski, USAF.

The real question is this: If they attack, what can they do to us? The answer might surprise you.

The President’s Commission on Critical Infrastructure Protection (PCCIP, a group studying U.S. vulnerability) has identified key resources that can be attacked via the Internet. Here are a few:

  • Information and communications

  • Electrical power systems

  • Gas and oil transportation and storage

  • Banking and finance

  • Transportation

  • Water supply systems

  • Emergency services

  • Government services

In 1998, the PCCIP delivered a report with preliminary findings. They, too, concluded that we might be attacked without warning:

Potentially serious cyber attacks can be conceived and planned without detectable logistic preparation. They can be invisibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity and location of the attacker.

Is the situation that critical?

Who Holds the Cards?

Technology is a strange and wonderful thing. Depending on who’s using it, the same technology used to create Godzilla can also be used to create weapons of mass destruction. For this reason, technology transfer has been tightly controlled for almost five decades.

During that time, however, commercial advances have dramatically influenced the distribution of high-grade technology. Thirty years ago, for example, the U.S. government held all the cards; the average U.S. citizen held next to nothing. Today, the average American has access to technology so advanced that it approaches the technology currently possessed by the government.

Encryption technology is a good example. Many Americans use encryption programs to protect their personal data from prying eyes. Some of these encryption programs (such as Pretty Good Privacy) produce military-grade encryption. This is strong enough that U.S. intelligence agencies have a hard time cracking it within a reasonable amount of time, and time is often of the essence.

Encryption has already thwarted several criminal investigations. For example, in the case of famed cracker Kevin Mitnick, the prosecution had a problem: Mitnick encrypted much of his personal data. As reported by David Thomas from Online Journalism:

The encrypted data still posed a problem for the court. As it stands, government officials are holding the encrypted files and have no idea of their contents. The defense claims that information in those files might prove exculpatory, but revealing their contents to the government would violate Mitnick’s Fifth Amendment protection against self-incrimination. Further, prosecutors have indicated that they will not be using the encrypted files against Mitnick, but they refuse to return the evidence because they do not know what information the files hold. Ultimately, the court sided with the prosecution. Judge Pfaelzer described Mitnick as “tremendously clever to put everyone in this position” but indicated that “as long as he (Mitnick) has the keys in his pocket, the court is going to do nothing about it.”

Advanced technology has trickled down to the public. In many cases, crackers and hackers have taken this technology and rapidly improved it. Meanwhile, the government moves along more slowly, tied down by restrictive and archaic policies. As a result, the private sector has caught up with (and in some cases surpassed) the government in some fields of research.

This is a matter of national concern and has sparked an angry debate. Consider the Mitnick case. Do you believe that the government is entitled to Mitnick’s encryption key so it can find out what’s inside those files? That’s a hard question to answer. If Mitnick has a right to conceal that information, so does everybody else.

In the meantime, there’s a more pressing question: How does this technology trickle-down affect our readiness for an Internet attack?

Can the United States Protect the National Information Infrastructure?

From a military standpoint, there’s no comparison between the United States and even a gang of third-world nations. The same is not true, however, in respect to information warfare.

In March 1997, a Swedish cracker penetrated and disabled a 911 system in Florida. Eleven counties were affected. The cracker amused himself by connecting 911 operators to one another (or simply denying service altogether).

NOTE

The Swedish case was not the first instance of crackers disrupting 911 service. In Chesterfield, New Jersey, a group dubbed the Legion of Doom was charged with similar crimes. What was their motivation? “[T]o attempt to penetrate 911 computer systems and infect them with viruses to cause havoc.”

NOTE

Another disturbing case occurred in March 1997, when a Rutland, Massachusetts, teenager cracked an airport. During the attack, the airport control tower and communication facilities were disabled for six hours. (The airport fire department was also disabled.) It was reported as follows:

 

“Public health and safety were threatened by the outage which resulted in the loss of telephone service, until approximately 3:30 p.m., to the Federal Aviation Administration Tower at the Worcester Airport, to the Worcester Airport Fire Department, and to other related concerns such as airport security, the weather service, and various private airfreight companies. Further, as a result of the outage, both the main radio transmitter, which is connected to the tower by the loop carrier system, and a circuit which enables aircraft to send an electric signal to activate the runway lights on approach were not operational for this same period of time.”

--Transport News, March 1998

NOTE

On April 25, 2002, thieves stole 17 traffic control computers in Santiago, Chile. Traffic was deadlocked for three days. If computers like these were taken out of action while a physical attack was taking place, the result would be heightened confusion and delayed emergency responses.

The introduction of advanced minicomputers has forever changed the balance of power. The average PC processor is more powerful than many mainframes were five years ago. Add to this advances in clustering and distributed processing solutions, and with relatively cheap hardware you can start approaching the processing power that was previously only known by a few government and research institutes.

A third-world nation could theoretically pose a threat to our national information infrastructure. Using advanced microcomputers and some high-speed connections, a third-world nation could wage a successful information warfare campaign against the United States at costs well within its means. In fact, bona fide cyberterrorism will probably emerge in the next few years.

Furthermore, the mere availability of such advanced technology threatens our military future in the “real” world. Nations such as Russia and China have progressed slowly because they lacked access to such technology. Their missiles are less accurate because their technology base was less advanced. U.S. defense programs, however, were sufficiently advanced that even when we appeared to make concessions in the arms race, we really made no concessions at all. Here’s an example: The United States only agreed to quit nuclear tests after we developed the technology to perform such tests using computer modeling.

As the United States’s perceived enemies obtain more sophisticated computer technology, their weapons will become more sophisticated—but it’s not simply weapons that make the difference. It’s the combination of weapons, communication, and information. If our enemies can alter our information, or prevent us from accessing it, they can gain a tremendous tactical military advantage. This could make up for shortcomings in other areas. Shane D. Deichman reports the following in his paper “On Information War”:

A key element of the information warfare environment is the participants need not possess superpower status. Any power (even those not considered nation-states) with a modicum of technology can disrupt fragile C2 networks and deny critical information services. Rather than a Mahanian “information control” strategy that attempts to dominate all segments of the information spectrum, though, a more realistic strategy for U.S. forces is one of “information denial” (that is, the denial of access to truthful information).

Perhaps a question less asked, however, is, should the U.S. government be responsible for protecting all of the U.S. infrastructure? After all, aren’t the companies that operate systems like our telephone networks FOR PROFIT? Shouldn’t the protection of these systems be one of their primary concerns?

You would think so, wouldn’t you? Although the U.S. government has more than its fair share of problems and tasks, organizations turning to the government to make their information security problems go away are missing the point. Information security is everyone’s problem—welcome to the party.

What Would an Information Attack Look Like?

There hasn’t yet been an all-out information war. The distributed denial-of-service (DDoS) attacks that hit in February 2000 were the closest to this description to date, but it’s difficult to say how a full-scale attack would be conducted. Military officials aren’t willing to talk specifics. We can speculate, however, as many think tanks do.

TIP

In February 2000, some of the largest sites were knocked off the Internet using distributed denial-of-service tools. The attack made headlines in just about every news publication out there. These attacks are discussed in detail in Chapter 16, “Denial-of-Service Tools.”

On September 26, 2001, Michael Vatis, Director of the Institute for Security Technology Studies at Dartmouth College, spoke before a U.S. House Committee on the United States’s preparedness against cyberterrorism. (The full report can be found at http://www.ists.dartmouth.edu/ISTS/counterterrorism/preparedness.htm.)

Mr. Vatis stated that an attack would target the Web sites of government agencies as well as private companies. The attack might use worms, viruses, or denial-of-service attacks. Crackers might break in to disrupt systems and networks. Then these actions might be combined with physical terrorism to maximize the damaging effects. This is a fairly accurate picture of what could happen.

The Institute for Security Technology Studies at Dartmouth also prepared a report called “Cyber Attacks During the War on Terrorism: a Predictive Analysis,” which is available at http://www.ists.dartmouth.edu/ISTS/counterterrorism/cyber_a1.pdf. What is really interesting about this report is that it points out that there have been at least four physical conflicts that have spilled over into a mini-cyberwar.

The first is the ongoing Kashmir conflict between Pakistan and India. Web defacement has been very common, with hundreds of sites being hit, including that of the Indian Parliament. Also, five megabytes of sensitive nuclear research was downloaded by crackers from the Bhabha Atomic Research Centre.

The next is the Israeli/Palestinian conflict. Pro-Israeli crackers have made sustained DDoS attacks against the Palestinian Authority, Hezbollah, and Hamas. Pro-Palestinian crackers have returned the favor by taking down the sites of the Tel Aviv Stock Exchange, the Bank of Israel, and some divisions of the Israeli government.

The third case occurred during the Kosovo conflict between Yugoslavia and NATO. DDoS attacks were made against NATO Web sites, and American sites were defaced during the same time frame. NATO admitted that it had some serious disruptions in communications, but it did not affect the military campaign.

The final case is the U.S.-China spy plane incident during 2001. About 1,200 U.S. sites were defaced with pro-Chinese images. The planning took place over IRC and Internet postings. It is unknown whether these actions were supported by the Chinese government or not. American hackers supposedly defaced 2,500 Chinese Web sites as well, and possibly made DDoS attacks against a Chinese Web portal.

You would have to believe that if a major world power was directly involved, these kinds of attacks could be much more serious and damaging. Also, these incidents have focused on Web sites—it is highly likely that at some point in the future it will spill over into systems that control people’s day-to-day lives. Imagine if a successful attack was made against the electric power grid instead of just Web sites—that would be much more serious.

The State of the Government

Throughout the Internet’s history, government sites have been popular targets. One of the primary reasons this happens is because of press coverage that follows such an event. Crackers enjoy media attention, so their philosophy oftentimes is that, if you’re going to crack a site, crack one that matters.

Government sites are supposed to have better security than their commercial counterparts. Hence, the media reacts more aggressively when a government site is cracked. Likewise, crackers who successfully penetrate a government site gain greater prestige among their fellows (whether it’s deserved or not).

NOTE

The Government Accounting Office (GAO) regularly audits the government’s computer systems, and it regularly finds that the government does not do a good job of securing them. In 1999, its review found that the U.S. Army Corps of Engineers was in very bad shape. An updated review on June 10, 2002, found improvement, but still identified weaknesses in such basic things as securing networks and controlling access.

This phenomenon is not new, nor have government officials done much to improve the situation. Indeed, some very high-profile government sites have been cracked in recent years. In 2001, 32 different government agencies reported 155 computers had been cracked. This number is up from 64 in 1998. Of course, this doesn’t count how many were cracked and not detected. The General Services Administrator stated that about 75% of the attacks were from foreign sources.

Federal agencies aren’t the only targets, either. In July 2001, crackers from China broke into computers owned by the state of Kentucky and sent workers anti-U.S. messages. These attacks are increasing, and so far the availability of advanced security technology has had little impact. Why? It’s not the technology; it’s the people.

TIP

Although I could go on listing government sites that were hacked until I’m blue in the face, there is already a great, up-to-date site that does it for me. See http://lists.insecure.org/alldas/ for a massive archive of defaced Web sites. Although defacements are not always as severe as thorough break-ins, they serve as a good tell-tale sign that a site’s security is not up to par.

The National Infrastructure Protection Center (NIPC)

In February 1998, Attorney General Janet Reno announced the formation of the National Infrastructure Protection Center (NIPC), an investigative organization populated with personnel from the FBI’s Computer Investigations and Infrastructure Threat Assessment Center (CIITAC). The NIPC tracks network intrusions and attempts to develop long-range solutions, including intrusion detection and international cooperation of police agencies.

The NIPC Web site (http://www.nipc.gov/) is one of the best on the Internet for getting information. One page there in particular deserves mention: the Cybernotes page (http://www.nipc.gov/cybernotes/cybernotes.htm) contains bi-weekly updates of the latest security holes, available patches, and trends in viruses.

Summary of Government Vulnerabilities

To date, government security has been largely inadequate, and although the efforts of the PCCIP, NIPC, and CIITAC are doubtless improving the situation, further work is needed.

Until information security officers are properly trained, government sites will be cracked on a regular basis. Reasonable levels of security are obtainable, and if the government cannot obtain them on its own, it must enlist private sector specialists who can. In some places in the government, this is already being done.

The State of the Corporate Sector

It’s clear that government servers can be successfully attacked, but what about the private sector? Is American business—big or small—immune to the cyber threat? Hardly. In fact, private sites are taken down with much greater frequency. Virtually every information security survey ever issued has reported a steep rise in incidents, and some security Web sites report hundreds of Web site defacements per month. Worse, although Web site defacements are publicly humiliating, most security experts agree that they are only the tip of the iceberg in terms of total incidents in the field.

Marketers who are anxious to engage in electronic commerce with the public assure us that these incidents are harmless. They point out, for example, that credit card and personal data is perfectly safe. Are they right? No—not by a long shot.

Credit Card Theft Goes Cyber: The StarWave Incident

In July 1997, crackers demonstrated one of the first widely known attacks on Internet credit card data. Their targets weren’t small-time firms, either. The credit card numbers of NBA and ESPN site users were captured and distributed.

StarWave was the site responsible for protecting that data. StarWave is a widely known firm that hosts many large commercial sites, including ABC News. However, in July 1997, StarWave officials were apparently unprepared for the security breach.

The cracker or crackers took the credit card numbers and mailed them to NBA and ESPN subscribers to demonstrate to those users that their credit data was unsafe. Included in the mailing was a message. The relevant portion of that message was this:

Clearly, StarWave doesn’t consider the protection of individual credit card numbers a worthwhile endeavor. (This is one of the worst implementations of security we’ve seen.)

StarWave officials responded quickly, explaining that the security breach was minor. They also changed system passwords and have since added an extra level of encryption. However, the fact remains: User credit card data had leaked out.

Credit Card Theft Hits Overdrive

Electronic commerce advocates originally asserted that the StarWave case was an isolated incident. In fact, at the time, many contended that few verified cases of credit card theft existed, and that the threat was relatively small. Time eventually proved them dead wrong.

Consider the case of Carlos Felipe Salgado. Salgado used a sniffer program (you’ll learn about these in Chapter 15, “Sniffers”) to steal thousands of credit card numbers off the Net. In their affidavit, FBI agents explained:

Between, on or about May 2, 1997, and May 21, 1997, within the State and Northern District of California, defendant CARLOS FELIPE SALGADO, JR., a.k.a. “Smak,” did knowingly, and with intent to defraud, traffic in unauthorized access devices affecting interstate commerce, to wit, over 100,000 stolen credit card numbers, and by such conduct did obtain in excess of $1,000; in violation of Title 18, United States Code, Section 1029(a)(2).

Salgado’s method was one well known to crackers:

While performing routine maintenance on the Internet servers on Friday, March 28, 1997, technicians discovered that the servers had been broken into by an intruder. Investigation by technicians revealed a “packet sniffer” installed on the system. The packet sniffer program was being used to capture user IDs and passwords of the authorized users....the FBI met “Smak” at the appointed hour and place. “Smak” delivered an encrypted CD containing more than 100,000 stolen credit card numbers. After the validity of the credit card information was confirmed through decryption of the data on the CD, “Smak” was taken into custody by the FBI.

Sniffer attacks are probably the most common way to grab credit card data (and usernames and password pairs). They are so common that Jonathan Littman (a renowned author of a best-selling book on hacking) wrote this in response to the Salgado case:

Fact No. 1: This was an old fashioned attack—and it happens about as often as dogs sniff themselves. The packet sniffer that Carlos Felipe Salgado Jr., a.k.a. Smak, allegedly installed in a San Diego Internet provider’s server is something hackers have been doing for years. My provider in Northern California was hacked a couple of months ago and just last week, too. Guess what that hacker was about to install?

 --“Take No Solace in This Sting,” Jonathan Littman, ZDNET News

Unfortunately, these incidents were only the start. Consider the following cases:

  • In January 2000, thieves stole 300,000 credit cards from CD Universe. At the time, this was the largest theft of credit cards to be publicly reported.

  • In March 2000, a cracker known as Curador led authorities on a global chase after lifting some 26,000 credit cards from an assortment of e-commerce sites. Curador was caught later that same month.

  • In September 2000, Western Union shut down its Web site for five days after crackers stole 15,000 credit card numbers.

  • In December 2000, Egghead.com reported that they had suffered a security breach that might have exposed 3.7 million credit card numbers. Egghead later reported that it didn’t believe the intruder was able to access the credit cards, but the scare was definitely significant.

  • The FBI was investigating 55,000 stolen credit card numbers from CreditCards.com in January 2001. The cracker tried to extort $100,000. When payment did not come, 25,000 of the numbers were posted on the Internet.

  • In March 2001, the FBI and NIPC issued a warning that Russian and Ukrainian thieves had stolen more than one million credit cards.

  • In late 2001, I personally had a bogus charge from a supposed Web site called Pornotherapy.org on one of my credit cards. The credit card company immediately changed my card number. My best guess is that it was stolen on the Internet. It just goes to show this doesn’t just happen to others.

  • In November 2001, Playboy.com was cracked. An undisclosed number of credit card numbers were stolen.

  • In February 2002, crackers broke into the database of the World Economic Forum. The credit card numbers of 1,400 WEF members were stolen. A few of the cards belonged to Bill Clinton, Bill Gates, Yasser Arafat, and Shimon Peres.

  • In September 2002, a Web site owned by Spitfire Ventures received 140,000 credit card submissions in 90 minutes. All were for $5.07. Out of these, 62,477 were approved. It is speculated that this was an attempt to see which numbers were valid.

Notice a trend here? The problem is only getting worse. It should also be noted that the fraud rate for online credit card transactions is about triple the rate for offline transactions. These are just some of the reasons why the Internet is a dangerous place to do business. Unfortunately, the stories are only getting more and more outrageous.
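The Spitfire case above describes a burst of identical small-amount authorizations spread across many distinct cards, which is the signature of card testing. The following detector is an added example, not code from the book; its log format, card tokens, thresholds and sample records are constructed assumptions.

```python
"""Card-testing detector: flags a merchant whose authorizations within a
sliding time window are dominated by one small amount across many cards."""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (CSV): timestamp,merchant,amount,card_token,result
# 120 submissions for $5.07 in two minutes (constructed), plus two ordinary purchases.
SAMPLE_LOG = "\n".join(
    [f"2002-09-14T10:{i // 60:02d}:{i % 60:02d},spitfire,5.07,tok{i:05d},"
     f"{'APPROVED' if i % 2 else 'DECLINED'}" for i in range(120)]
    + ["2002-09-14T10:00:30,bookshop,29.99,tok90001,APPROVED",
       "2002-09-14T10:01:45,bookshop,14.50,tok90002,APPROVED"]
)


def parse_log(text):
    """Parse CSV lines into (timestamp, merchant, amount, card_token, result), oldest first."""
    records = []
    for line in text.strip().splitlines():
        ts, merchant, amount, card, result = line.split(",")
        records.append((datetime.fromisoformat(ts), merchant, amount, card, result))
    return sorted(records)


def detect_card_testing(records, window=timedelta(minutes=2), min_attempts=50,
                        min_distinct_cards=40, share=0.9):
    """Return {merchant: (attempts, distinct_cards, dominant_amount)} for merchants
    where, inside some window, one amount makes up >= `share` of attempts and is
    tried against at least `min_distinct_cards` different cards (thresholds assumed)."""
    flagged = {}
    per_merchant = {}
    for rec in records:
        per_merchant.setdefault(rec[1], []).append(rec)
    for merchant, recs in per_merchant.items():
        win = deque()
        for rec in recs:
            win.append(rec)
            while rec[0] - win[0][0] > window:   # drop records older than the window
                win.popleft()
            if len(win) < min_attempts:
                continue
            amount, hits = Counter(r[2] for r in win).most_common(1)[0]
            cards = len({r[3] for r in win if r[2] == amount})
            if hits / len(win) >= share and cards >= min_distinct_cards:
                flagged[merchant] = (len(win), cards, amount)
                break                               # one alert per merchant is enough
    return flagged


if __name__ == "__main__":
    print(detect_card_testing(parse_log(SAMPLE_LOG)))  # {'spitfire': (50, 50, '5.07')}
```

Approved-versus-declined ratios are deliberately ignored: a tester learns which numbers are live from either outcome, so the volume and card spread are what matter.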

The Trends

Hard statistics on security breaches are difficult to come by. However, there are a few good sources. One is the Computer Security Institute’s Computer Crime and Security Survey. The CSI Survey is conducted annually, and the 2002 results are in. You can obtain those results at http://www.gocsi.com/press/20020407.html. Briefly, the 2002 results indicate yet another increase in computer crime. For example, 90% of the respondents reported security breaches in the previous year. Approximately 40% of all respondents suffered hard denial-of-service attacks, and an equal number experienced penetration by remote attackers. Of all respondents, 74% indicated that the Internet was the point of entry for intruders.

The Ernst & Young LLP/ComputerWorld Information Security Survey

If your company has asked you to justify a security plan, you’re probably looking around for more statistics. No problem; there’s a lot of material out there. One good source is the Ernst & Young LLP/ComputerWorld Information Security Survey, located at

http://www.ey.com/global/download.nsf/International/Global_Information_Security_Survey_2002/$file/FF0210.pdf 

The Ernst & Young survey differs a bit from others mentioned earlier. For a start, it’s a survey of human beings. (Actually, it’s a survey of 459 information managers.) Respondents were asked a wide variety of questions about Internet security and secure electronic commerce.

One recurring theme throughout the 2002 survey was this: September 11th made IT security a bigger priority than ever. Businesses are getting better about their security planning, but have a long way to go still. Respondents also indicated the following:

  • Only 40% feel confident that they could detect an attack.

  • Forty percent of the organizations do not investigate security incidents.

  • Only 41% of organizations are concerned about internal attacks.

If your company holds similar attitudes about security measures, you need to get busy.

A Warning

Many companies that consider establishing a Web server feel that security is not a significant issue. For example, they might co-locate their boxes, and in doing so might throw both the responsibility and liability to their ISP. After all, ISPs know the lay of the land, and they never get cracked, right? Wrong. ISPs get cracked all the time.

TIP

Do not exclude universities from your list of sites at risk, either. For example, in December 2000, SecurityFocus ran a report on the University of Washington break-in. Intruders stole more than 5,000 patient records from the University’s Medical Center. See a report on this incident at http://www.securityfocus.com/news/122.

If you’re an information officer and your firm requests Internet connectivity, be sure to cover all the bases. Make it known to all concerned that security is a serious issue. Otherwise, you’ll take the blame later. You should also be wary of any ISP that gives you blanket assurances. Today, even firewalls can be cracked, and cracked through the same old methods by which servers are cracked—exploitation of human error.

Summary

We’ve established that any site can be cracked, including the following types:

  • Banks

  • Military servers

  • Universities

  • Internet service providers

Do not expect this climate to change, either. New and more effective cracking methods are surfacing, and the pace is only getting quicker. New cracking tools and viruses are being manufactured every day, and these tools—which were once toys for hackers and crackers—have now become viable weapons. These methods will be used by both hostile foreign nations seeking to destroy other countries’ national information infrastructure, as well as kids who are bored and want to take down a popular Web site.

On the information warfare front, there are several key objectives, but these four are particularly prominent:

  • Denying the target computer services

  • Destroying the target’s computer systems

  • Stealing data

  • Modifying data

Today’s denial-of-service attacks and viruses will likely form the basis for tomorrow’s information warfare arsenal. Considering that anyone anywhere can obtain these tools, compile them, and deploy them in minutes, the immediate future looks pretty scary.

Additional Information

Internet Resources on Information Warfare

The following papers focus on Internet and information warfare. Most are written by folks now actively engaged in information warfare research.

Books on Information Warfare
