
The intelligent threat.


THE CURIOUS HACKER WHO subscribes to hacker magazines and enjoys cruising through telephone numbers to find the whine of a modem frequency is not what this article is about. Neither is it about those who succeed in breaking into computer systems to leave messages of triumph. This article is about the hacker as an external threat, a terrorist, a person who destroys information for spite, revenge, some get-rich-quick scheme, or some ideological reason--but always with physical or electronic destruction or modification of data as a possible end result. The hacker as a destructive force is the external threat all information systems are faced with, and as a manager of these systems, your job may depend on how well you defend your data against such a force.

These people can be called intelligent terrorists. While it takes little intelligence to throw a Molotov cocktail into a room full of mainframes or even to gain access to that part of a building, it does take some knowledge of computers and telecommunications to get around automated security obstacles--knowledge in which the traditional terrorist does not show much interest. Imagine terrorists supported by hackers who transfer funds or sell downloaded sensitive data to finance their operations or alter data to produce erroneous calculations. Now imagine being able to purchase this information from someone with the knowledge to break into the system. A number of instances can be shown where terrorists, defined as an external threat, have crossed the line.

* In September 1984, a hacker with an interest in politics rummaged through the TRW credit report of incumbent congressional candidate Tom Lantos in California and turned up a prior small-claims court dispute over a price tag switched on a suitcase. Lantos had lost the case and refused to pay, putting the record of the court's collection efforts into his file. Lantos's opponent wasted no time in making sure certain local reporters were aware of the impropriety. What if this had occurred on the presidential campaign level?

* Another hacker with an interest in politics broke into Rep. Ed Zschau's (R-CA) computer system on Capitol Hill and erased his entire data base, including letters and his constituent mailing list. Imagine if the data base had been altered rather than destroyed. What if all the pro-life constituents had received pro-abortion material?

* In July 1985, a group of New Jersey teenagers calling numbers at random discovered a phone line through which communications satellites were monitored and controlled. Their intrusion into the system was discovered when they began changing satellite orbits. Imagine one orbit irreversibly changed so that the satellite entered the earth's atmosphere and crashed into a populated city.

* In July 1987, the Fresno, CA, police, acting on an FBI tip, arrested two young men who were trading credit card and MCI access numbers on computer bulletin boards located in the Midwest, and then using the numbers to order thousands of dollars' worth of merchandise. Imagine the effect on the economy if the credit card industry had to cancel all cards due to massive fraud.

* Members of the 414s, a Milwaukee-based hacker group named after the telephone area code of eastern Wisconsin, were reported to have entered the main computer center at the Memorial Sloan-Kettering Cancer Center in New York City. The damage they did was easily fixed, including repairing the audit trail they had altered to hide the fact that they had entered the system in the first place. Imagine if they had taken one more step and deleted or altered patient records. The lack of treatment or the wrong treatment could have been fatal.

Not all external threats occur through electronic hacking.

* In 1978, Stanley Rifkin stole $10.2 million from a Los Angeles bank by posing as a consultant hired to improve the operation of the bank's communication center, where computer messages for transferring funds originate. By interviewing console operators there, he collected computer passwords and bank codes necessary to pose over the phone as an officer of the institution and have the funds transferred to a New York bank account and from there to Switzerland. He was apprehended only because he bragged about the act to his lawyer, who turned him in to the FBI. The money was returned, and Rifkin was sentenced to eight years in prison.

* In 1970, American antiwar activists set off a bomb outside the Army Mathematics Research Center at the University of Wisconsin, killing a young graduate student working there after hours. The damaged equipment included a Control Data Corporation 3600 system, a Univac 9300 terminal, a Honeywell DDP124, and a Scientific Control Corporation 4700 computer. Three smaller computers belonging to the physics department were also destroyed. The explosion damaged 10 buildings--mainly by shattering window glass. What was believed to be the world's finest cryogenic laboratory was also destroyed, and subsequently all projects were abandoned. The research data represented 1.3 million staff hours of effort built up over 20 years. The loss was estimated at more than $18 million. Saboteurs also made four attempts to damage the computer center at the Wright-Patterson Air Force Base near Dayton, OH.

* In November 1969, five members of a group called Beaver 55 attacked a chemical company's computer center in Midland, MI. One thousand tapes were damaged with small magnets. It was a long and expensive job to recreate the files, and damage was estimated at $100,000. The subversives thought they had destroyed research data on nerve gases, napalm, defoliants, and other secret chemical weapons. However, they had in fact destroyed records of the local blood bank, research on air pollution, history of the company's industrial health program, and the chemical test results of a mumps vaccine under development.

* In March 1984, a bomb exploded at IBM's White Plains, NY, facility, with the perpetrators blaming the company for the policies of the South African government.

* Recently the FBI had its hands full with the motorcycle-riding Hell's Angels. Government informer and past Hell's Angels' president William "Wild Bill" Medeiros claimed to have the necessary knowledge for complete access to the National Crime Information Center's computer network. The network serves 65,000 law enforcement agency personnel, providing criminal records and reports on fugitives, stolen property, and missing persons.

The reaction to such attacks around the United States is a renewed effort to protect facilities from external threats. Demands for contingency planning and disaster recovery techniques are at an all-time high. Computer security analysts expect external attacks to continue, perhaps in greater numbers as terrorists come to realize the importance and vulnerability of corporate data bases and data processing centers.

IF EXTERNAL THREATS AGAINST computer centers continue, then terrorists will most likely engage in the fairly simple yet newsworthy form of attack against computer centers--bombings. This entails little risk to themselves. It also appears likely that terrorists will increase the electronic penetration of computer centers and destroy, steal, or alter data. This also represents little risk to the terrorist, as it can be done over telephone lines. The information on phone numbers and how to penetrate computer centers via phone lines, how to penetrate operating systems once entry is gained, and how to circumvent the data security software packages usually residing on mainframes is already available through underground hacker sheets, electronic bulletin boards, terrorist-produced newsletters, and hackers themselves.

One hacker publication is called ECODEFENSE: A Field Guide to Monkeywrenching and is published by Earth First, a militant environmental protection group based in the western United States. In the second edition, published in 1987, pages 213 to 218 discuss computer sabotage. These pages include sections on hardware sabotage ("The simple straightforward destruction of costly equipment requiring physical access, forced or otherwise, to computer facilities"), records sabotage ("The destruction, by physical means, of computer tapes and discs to severely impede many destructive activities"), software sabotage ("This consists of 'borrowing' embarrassing information from corporate files, diverting company operations away from critical areas, and the planting of so-called 'logic bombs' that use predesignated cues to trigger erasures of records and operating programs"), and security tips for hackers, discussing how to minimize the risk of having phone calls traced.

The threat of the intelligent terrorist requires the computer center manager's diligence in knowing the center's external threats, vulnerabilities, and existing and planned countermeasures. Much of the computer security field believes the intelligent terrorist who recognizes the value of a computer center to society has already arrived, and that, like the fictional nuclear weapon hidden on a ship that enters New York harbor and holds the city for ransom, it is only a matter of time.

Even a computer virus has been used as a threat in ransom demands. This virus (the boot-sector virus now known as Brain) was discovered at several universities, including the University of Delaware, George Washington University in Washington, DC, and Northern Virginia Community College. Computer users who found the virus were told to send $2,000 to an address in Pakistan to obtain an immunity program that would rid the system of the virus. Investigation showed that the virus was written by two brothers in a computer store in Lahore, Pakistan--they had put their names, an address, and a phone number in the virus! "It's like a fantasy of being a terrorist without the blood," said Eric Corley, editor of a national hacker newsletter, 2600, whose electronic bulletin board was also infected.

WHILE TERRORISTS HAVE BEEN launching isolated bombing and vandalism attacks on computer centers around the world, the threat to computer-based networks and the compromise, rather than the destruction, of data by terrorists cannot be ignored. Surreptitiously downloading data may cause greater harm to the computer center than actually destroying the computer center and its data. In destruction or modification no one has access to the data, but a good backup plan will soon get your data returned to you; in compromise, everyone, including your competition, will know what data you have--your corporate forecasting, research and development efforts, payroll and accounting, cost proposals, and employee information.

In October 1985, Georgetown University's Center for Strategic and International Studies (CSIS) in Washington, DC, warned of the external threat to computer centers in a report entitled "America's Hidden Vulnerabilities." The report concluded that computer systems should be safeguarded against acts of terrorism intended to disrupt or cripple society. The vulnerability of computers to electronic penetration by hackers has increased concerns that terrorists will be following the same logic but with greater destructiveness.

Electronic terrorism is feasible now and is potentially effective against financial institutions, military systems, and research and development laboratories. The debate over the effectiveness of electronic sabotage has escalated with the penetration of computer systems at the Naval Research Laboratory, the US Army in the Pentagon, Lawrence Berkeley Laboratory, MIT, MITRE Corporation, Stanford University, the University of Illinois, and other facilities. In early October 1988, the US government's Lawrence Livermore National Laboratory, responsible for nuclear weapon design and Strategic Defense Initiative research, made the news when its computers were infected with a virus. In April 1988 Chuck Cole, deputy computer security manager at the laboratory, remarked prophetically, "The whole notion of people breaking into computer systems has been focused on the young college or high school student. That image has to change, because there are some very real dangers."

When planning the protection of a high-tech resource such as a computer center, the assumption might be to think the threats to such a center must also be high-tech. But a single terrorist with a few pounds of plastique or a vengeful hacker with a superuser password can do more damage in less time than any high-tech threat could do. Many countermeasures that can reduce or eliminate the external threat are derived from common sense. The following are a few such countermeasures:

* For external threats to data, consider if the operating system is allowing a portion of the data to remain in some resource-sharing storage, if passwords are protected from visual observation, if software is inspected for viruses before being allowed onto the system, if use of assembly language coding is controlled, if testing and debugging procedures are adequate, and if the password file is encrypted.

* For external threats to hardware, consider if the system has two or more protection-state variables, if memory protection mechanisms are in place, if redundant equipment is necessary to protect the system from downtime due to equipment failure, if undetected hardware errors or hardware tampering may compromise security, if poor security procedures may permit the system to be configured improperly, and if the system has interruption-resistant power.

* For external threats to or from computer personnel, consider if employees are adequately cleared to handle the data on the system, if only properly cleared personnel are present during sensitive processing, and if personnel are assigned data accountability.

* For external threats to or from management, consider if there is separation and accountability of ADP (automatic data processing) functions, if there are contingency and recovery funds available, if a full-time ADP systems security officer or a person adequately trained for a collateral duty position is assigned, if a computer program quality assurance system is in place, and if program integrity is built into vendor-supplied software.

* For external threats to the physical environment, consider the physical access to the computer room, if the physical layout inside the main computer room and other sites makes it difficult to control the movement of personnel inside the ADP facility, if fire protection is adequate, if the environmental control system is adequate, if discarded hard-copy is destroyed, if the physical perimeter within which security is maintained and outside of which little or no control is maintained is clearly established, if emergency procedures are documented and periodically reviewed, if computer rooms are secured during unattended periods, if incoming and outgoing materials and containers are inspected, and if adequate flooding and water protection is in place.

* For external threats to communications security, consider if data communication lines and links can be tapped or monitored, if terminals (like users) can be identified by the system, and if telephones sit too close to terminals.

* For external threats involving emanations, consider that some components of a computer and computer peripherals emanate data signals across various distances when processing or displaying data. Radios, tape players, and other personally owned equipment may be transmitters of electromagnetic emanations, which in turn may be modulated by nearby ADP equipment.
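Two of the items above, data accountability and a protected password file, and the 414s incident earlier in the article, where the intruders edited the audit trail to erase evidence of their entry, point at one countermeasure that is worth showing concretely: an audit trail that cannot be silently edited. The following is an added example, not code from the article or from any product it mentions. It assumes a line-oriented audit log (the login records below are constructed samples) in which each record is bound to the SHA-256 hash of the record before it, so that changing or deleting an earlier record breaks the chain for every record that follows. Function and field names (`append`, `first_broken_link`, `prev`, `hash`) are the example's own.

```python
"""Hash-chained audit trail: detect after-the-fact edits to a log.

Added example, not from the article. Assumes a line-oriented audit log
where each record carries the SHA-256 of the previous record, so an
intruder who edits or deletes an earlier record breaks the chain for
every record after it. The log records below are constructed samples.
"""
import hashlib
import hmac
import json

# Hash value that precedes the first record (an assumption of this example).
GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(chain: list, record: dict) -> list:
    """Append a record, binding it to the hash of the record before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return chain


def first_broken_link(chain: list):
    """Return the index of the first entry whose back-pointer or hash does
    not match what the preceding entries imply, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return i  # an entry before this one was deleted or reordered
        if not hmac.compare_digest(entry["hash"], _digest(prev_hash, entry["record"])):
            return i  # this entry's contents were edited in place
        prev_hash = entry["hash"]
    return None


def build_sample_chain() -> list:
    # Constructed sample login records, not taken from any real system.
    chain = []
    for rec in [
        {"ts": "1989-03-01T02:14:00", "user": "operator1", "event": "login", "line": "tty03"},
        {"ts": "1989-03-01T02:15:30", "user": "guest", "event": "login", "line": "modem2"},
        {"ts": "1989-03-01T02:40:12", "user": "guest", "event": "su", "target": "root"},
        {"ts": "1989-03-01T03:01:45", "user": "guest", "event": "logout"},
    ]:
        append(chain, rec)
    return chain


def tamper_sample_chain() -> list:
    """Simulate an intruder rewriting the 'su' record to hide the escalation."""
    chain = build_sample_chain()
    chain[2]["record"]["event"] = "logout"  # edited in place, hashes not recomputed
    return chain


if __name__ == "__main__":
    print("intact chain broken at:", first_broken_link(build_sample_chain()))
    print("tampered chain broken at:", first_broken_link(tamper_sample_chain()))
```

Two caveats a practitioner should keep in mind. First, an intruder who has write access to the whole log can simply recompute every hash after the edit, so the most recent hash must be copied somewhere the intruder cannot write (a separate host, a write-once medium, or the hard-copy console log that mainframe shops of the period already kept) and compared against the chain head at verification time. Second, the chain detects edits to and deletions of earlier records but not truncation of the tail; that, too, is only caught by comparing against the externally held head.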

Many computer centers do not presently have the expertise or resources to provide threat, vulnerability, and countermeasures analyses to their particular sites, much less risk assessments, security tests and evaluations, and disaster recovery plans. Management should obtain the services of in-house or contract computer security professionals. It is only a matter of time before your computer site will have to respond to an external threat--whether from a terrorist with a bomb or an intelligent terrorist with a virus.

About the Author ... Douglas E. Campbell is a program manager for PSI International in Fairfax, VA. He is a member of ASIS.
COPYRIGHT 1989 American Society for Industrial Security

Title Annotation:special section - Computer-Information Security: Getting the Protection You Need
Author:Campbell, Douglas E.
Publication:Security Management
Date:Mar 1, 1989
