Cyber-criminals are planning their assaults. The next war zone is likely to be on a PC near you.
It may sound bizarre, but the front-line of the next international war may not be in an Arabian oil field or the opium poppy fields of Afghanistan: it's just as likely to be on the desks of the millions of office workers who use a PC.

"Infowar" is coming, security specialists warned at a recent IT security conference. Electronic attacks on companies are not only being planned and executed by so-called cyber-criminals. Security managers need to prepare for wilful attacks of destruction perpetrated by so-called cyber-terrorists and cyber-warriors.

Indeed, serious damage could be wreaked by an enemy country that is weak in conventional military hardware, but which is determined to use IT expertise to launch devastating computer viruses via the internet.

In the book "The Next World War", former Sunday Times defence correspondent James Adams said: "The soldier will be the young geek in uniform who can insert a virus into an electricity supply and plunge a city into darkness." He continued: "No longer will it be the simple terrorist armed with an AK-47 or the Semtex bomb (although he will still be around); the new threat will be groups who will bond in cyberspace and attack using new weapons of war: viruses, bugs, worms and logic bombs."

George Tenet, American CIA director, warned the US Senate Intelligence Committee: "There's a new threat...that is to information systems. Recognising this problem, we are assessing countries that have such potential, including those which appear to have instituted formal information warfare programmes."

Threat from the Far East

Delegates to Infowar 2000, a conference staged in London, were told to be on their guard against governments such as China and Vietnam, who were increasingly looking to develop ways of attacking an enemy country's economy through computer viruses that could disable governments and companies.

General Nicholas de Chezelles, from NATO HQ in Brussels, said that his organisation was taking the general threat seriously by boosting its computer security, including the establishment of a public key infrastructure, ensuring the source and integrity of electronic information processed and transmitted in its networks.

It's also establishing a NATO Computer Emergency Response Team, which is supposed to create a NATO detection and reaction capability. With tanks being run by microprocessors and electronic communications all important in modern warfare, defence forces have to protect their own information systems as well as those of their country's economy.

"Virus attacks are now more frequent, and require immediate action to protect our assets immediately," said General de Chezelles. "The recent operations in Kosovo gave us the opportunity to experience and manage a situation where our electronic data systems were on constant attack."

Even if there's no war, there are predictions that on-line vandalism from hackers on private and public sector networks may intensify, if the development of e-commerce leads to poorer sections of society being excluded from shopping and working on-line. Alistair Kelman, e-commerce counsel for the Enformatica group, told the conference that resentment could grow where poorer sections of society were effectively locked out from buying goods and services on-line, because they did not have the credit rating to be granted a credit card.

The experience of globalisation has shown that pressure groups are prepared to resort to on-line vandalism to make their case. During the 1999 Seattle summit of the World Trade Organisation, internet campaigners opposed to its work bombarded its website with e-mails in a bid to bring its server down. They also set up phantom mirror sites, used to try and discredit the organisation.

Don't let the web bugs bite

Physical and computer security threats can also go hand-in-hand. Roger Gaspar of the UK's National Criminal Intelligence Service warned: "Information is freely available on bomb-making including anti-personnel devices specifically intended to deal with law enforcement intervention; race-hate sites spawn their evil over a global newspaper stand, neutering the legislation of individual countries." His concerns have been graphically illustrated by the attacks by Nazi nail-bomber David Copeland, in London.

Pottengal Mukundan, director of the International Chamber of Commerce's Commercial Crime Services, outlined a series of new internet threats that could be used by cyber-warriors. These include:

  • The "Chernobyl" virus: So called because it struck on the 13th anniversary of the infamous nuclear disaster. It erased and overwrote hard disk files. Strains of the virus can be found around the world on the 26th day of any month.

  • Logic bombs: These are alterations made to computer programmes that are triggered when certain conditions arise, such as a specific date or the addition or deletion of data. These devices can be fixed into computer systems via the internet, using software accesses known as backdoors, or trapdoors.

  • Cross-site scripting: This affects browsers and web-servers which can dynamically generate HTML pages. These create copies of websites that can be seen by hackers, allowing them to monitor visitors, possibly obtaining credit card details.

  • Surfer diversion: US authorities were flooded with reports last August that internet users accessing more than 25 million legitimate web pages had been diverted by criminals to a series of pornographic sites operated out of Australia.

Physical presence

Hackers had coded the sex pages with identical instructions used by search engines such as Yahoo!. The victim companies suffered through loss of reputation and fewer visitors, damaging their on-line advertising revenue. Faced with this increasing array of high-tech attacks, delegates were advised not to neglect basics in setting security policy while they were looking into electronic solutions, such as computer firewalls and virus scanners.

This related in particular to physical security of computers. Mukundan said: "Technology may be sexy, but one should not ignore dull and boring physical security. Loss experience has demonstrated that crime can only be deterred by an integrated package of measures: for instance access controls, physical barriers, intruder alarms, lockdown devices and permanent overt marking of computer equipment."

One British e-commerce services company has gone to the ultimate length to protect its computer servers and routers: it has acquired the use of a former Bank of England gold bullion vault. John Ridd, the chief executive officer of XTML Ltd, told Infowar 2000 that his company needed to guarantee the safety of its clients' data, storage and traffic. XTML sets up, runs and hosts e-commerce websites for a variety of on-line companies.

Ridd told delegates the vault's base is surrounded by two 7 ft-thick granite and steel loaded concrete walls – separated by a 2 ft bomb blast corridor – and a 12-ton bomb-proof vault door. It also has cameras installed recording any movement inside, which has enabled the company to win a dispute with a client over whether a fault had been caused by the re-setting of a server: CCTV footage showed that no one had touched the relevant computer at the relevant time.

Other computer safety basics cited by Pottengal Mukundan included the sensible setting of passwords. They should be at least six characters long and include mixed-case letters, digits and punctuation marks. They shouldn't be based on personal information or any dictionary word in any language, should never be written down and placed where they can easily be found, and should be changed regularly.

FBI takes on hackers

Meanwhile, on the high-tech side, he said that in the USA, the FBI's National Infrastructure Protection Center has developed software which can be used to scan computer systems for hacking software tools. These tools might be placed with a view to creating an electronic route for a mass 'denial of service' attack, where sites are bombarded with millions of messages, such as those which floored Yahoo! and CNN earlier this year. Such scans are particularly important, given that the tools – including trin00 and Tribe FloodNet – can be downloaded for free on the estimated 1,900 hacking sites on the internet.

Daniel J Knauf, policy and corporate communications chief for the Information Systems Security Committee of the US National Security Agency, said the management of electronic security risks should become more focused. Policies, Knauf added, should be organised as to whether they are "detect-react" actions or "prepare and prevent" precautions.

"Detect-react" actions would include identifications and warnings, the identification and characterisation of an attacker, mitigation and damage assessment and reduction, retaliation, prosecution, negotiation, and repairs, as well as learning lessons.

"Prepare and prevent" precautions would include education, training and awareness, threat and vulnerability analysis, research and development, exercises and implementation of policies, procedures and guidance.