Blocking a cyberterror attack

By John Schwartz

In the abstract, fighting a war is simple. The enemy and the targets are
generally identifiable. But in the war against hackers and virus writers, the
combatants are harder to know.

The attacker might be a 14-year-old in
Canada, or a co-worker in the accounting department. "You'll have every type of
person" practicing the dark arts of programming, said Sarah Gordon, a senior
research fellow with the security technology developer Symantec.

As industry and government seek to repel the attacks for which the Internet is a
launching pad, much of the effort involves understanding those who unleash
malicious code and jiggle digital doorknobs. In the world that emerged after the
Sept. 11 attacks, after all, understanding an elusive enemy has become a growing
part of confronting a threat.

Security experts have warned for several years that cyberterrorism presents a
great potential threat to the United States, with its increasing dependence on
computer networks for everything from weapons systems to hydroelectric dams, not
to mention the underpinnings of commerce. Richard A. Clarke, a former White
House adviser on terrorism, warned even before Sept. 11 of a coming "digital
Pearl Harbor."

And new vulnerabilities that could leave the way open to
such an attack are being discovered all the time: according to Symantec, the
number of software holes reported in the nation's computer networks grew by 80
percent in 2002.

Still, the company says it has yet to record a single
cyberterrorist attack - by its definition, one originating in a country on the
State Department's terror "watch list." That could be because those inclined to
commit terrorist acts do not yet have the know-how to do significant damage, or
perhaps because hackers and adept virus writers are not motivated to disrupt
networks for a cause. But should the two groups find common ground, the result
could be devastating, said Michael A. Vatis, head of the Institute for Security
Technology Studies at Dartmouth College.

"There is still a big gap in
our actual knowledge of our actual vulnerabilities to a serious attack," he
said.

The government is working to close that gap. In the executive
branch, cyberdefense is one of the concerns of the new Department of Homeland
Security. Within the military, a task force with a $26 million annual budget is
studying cyberwarfare for both its defensive and offensive potential, and
President Bush has signed a directive, disclosed in February, calling for the
military to develop policies to govern the waging of digital war. Regular
exercises at the military service academies prepare students to defend military
networks against hackers.

For now, though, the quarry in such exercises
remains elusive. The most damaging attacks and intrusions, experts say, are
typically carried out by disgruntled corporate insiders intent on embezzlement
or sabotage, or by individuals - typically young and male - seeking thrills and
notoriety.

There was, to be sure, the explicitly political Code Red, a
self-reproducing program known as a worm that was unleashed in 2001 to take
control of thousands of computers and force them to block access to the White
House Web site by flooding government servers with data. Many security experts
believe that the program was developed in China in retaliation for the loss of a
Chinese jet and its pilot after a collision with an American spy plane. Once the
worm was detected, a tweak to the numeric online address for the White House Web
site prevented disruption.

Code Red drew attention to cyberattacks as a
vehicle for political activism, said Roger Thompson, the director of malicious
code research at TruSecure, a computer security company. "Instead of doing it to
be jerks and show off to their buddies, they're doing it to make a statement,"
he said.

But exploits coinciding with the war in Iraq were tame at best.
Days before the United States began its air attacks, for example, an American
military computer was hacked through a security hole in Microsoft software,
according to Russ Cooper, a security expert with TruSecure, but no apparent
damage was done. And though a programmer identifying himself as a Malaysian
Muslim and calling himself Melhacker warned late last year that he would release
a potent new virus on the Internet if the United States invaded Iraq, there has
been no sign of it.

"Individuals like Melhacker are considered more
smoke than fire," said Ken Dunham, a senior intelligence analyst for iDefense, a
computer security company. He said that developing profiles of such "malicious
actors" - both general and individual - was helpful in defending against their
activities and sometimes even curbing them. In Melhacker's case, he said, the
company gained the virus writer's trust and obtained some of his code and tools
last fall.

The threats and attacks witnessed recently are the sort of
harassment that security experts dismiss as "weapons of mass annoyance." Experts
who study the lives and motivations of virus writers and hackers - and those
who have wandered onto the wrong side of the law themselves - say that while
some want to push a political view, many are interested in making a splash
rather than a statement.

"Many of them probably think, 'Hey, hacking the
Iraqi government would make me famous!'" said Seth Pack, a former virus writer
who lives in Spartanburg, S.C., and works in the computer security field.
Similarly, current viruses are likely to be carried in e-mail with subject lines
related to Iraq or the SARS epidemic because they are topical, and virus
writers, like all marketers, look for the largest possible audience.

Although some Web sites are chosen as hackers' targets for their
political significance - an Iraqi government site was defaced during the war
with the message, "Hacked, tracked, and now owned by the U.S.A." - most such
vandalism is carried out by hackers using automated programs that simply search
for any vulnerable machine, said Vincent Weafer, the senior director of a
Symantec security response unit.

Aside from the increase in Web site
defacement, he said, the level of virus writing and hacking has not risen
sharply in recent weeks. "What we were seeing a month ago is what we're seeing
today, and what we'll probably see next month," he said.

Businesses and individuals who take security seriously can protect themselves fairly well
against the threat of viruses and hacking, said James Lewis, head of the
technology program for the Center for Strategic and International Studies in
Washington. "It's going to be irritating," he said, "but it's not going to be
the end of the world."

At the same time, the government is taking a less
urgent view - at least in what little it says on the subject - than the specter
of a "digital Pearl Harbor" might have indicated. The role of cybersecurity
adviser has been moved out of the White House and into the new Department of
Homeland Security, and Clarke's successor in that role, Howard Schmidt,
announced his resignation on Monday. "Nobody is in charge of the issue," Harris
N. Miller, president of the Information Technology Association of America,
complained after Schmidt's resignation was announced. "Cybersecurity is unique,
and does require somebody in charge."

A spokesman for the Homeland
Security Department said the administration took cybersecurity seriously, but as
part of the overall security puzzle. "Our approach to cyber is it is combined
with the other critical infrastructures; it's not a stand-alone," said the
spokesman, David Wray. Much of the work in understanding the threat and
countering it is being carried out in private industry, think tanks and
academia, he said, and the role of government is to "look at the body of work
and at the body of evidence and find the ways to make the best use of it."

That puts the primary burden on researchers like Gordon, the security
expert with Symantec, who has interviewed hundreds of digital mischief-makers.
Experts note significant differences between those who unleash viruses, with
potentially widespread but somewhat random effects, and hackers, whose targets
are generally specific if arbitrary.

Many of the early virus writers
were computer researchers testing the limits of machines in the days before the
Internet allowed rogue programs to spread around the world in minutes. But as
the information on virus coding moved from the elite to the merely adept, there
emerged a generation of "script kiddies" who could cobble together malicious
programs from online tips.

Article continued Crime-Research.org