[Moderator: Ok.. the FBI are so gung-ho about how dangerous these hackers
are, how much of a threat they are, to the point they do a swat style
raid on their houses. Yet they used a "common hole" to get in each
system?
I understand it is illegal to hack into those systems, but if it is that
easy, why are they storing sensitive data on them? Do they think that a
foreign power won't break in because it is wrong to do so? More and more
it seems that our Federal Police live in a double standard fantasy
world.]

Getting to the bottom of 'Cyber Attacks'

Pentagon that "cyber attacks" had
been waged against at least 11
military computer systems is either
politically motivated scaremongering
or evidence of technical ignorance,
system administrators and computer
security experts say.
In a breakfast meeting with
reporters Wednesday, deputy
secretary of defense John Hamre sent
headline writers to maximum alert
when he said that in recent weeks, a
small number of individuals had
launched a "highly organized and
systematic" attack on the Pentagon's
computer systems.
Hamre said that only unclassified
materials such as logistical and
administrative data had been probed
or accessed. He declined to provide
specifics, citing the need for
secrecy pending an investigation.
But one source, a former defense
contractor employee familiar with
federal computer technology and
security, was suspicious of Hamre's
agenda in making the unprompted
announcement.
"Most administrators are loath to
admit mistakes like this," the
source said, "which makes me really
wonder if the report even originated
inside the technical group at the
Pentagon."
The source said that Hamre's
statements may be politically
motivated, designed to build support
for increased Defense Department
funding in an era when government
coffers are shrinking.
Hamre reportedly said the Defense
Department has been attempting in
recent years to update its systems
against security attacks, but added,
"We have to do a good deal more in
this area."
Hamre made the remarks to the
Defense Writers Group, an exclusive
cadre of journalists affiliated with
national news media organizations.
Pentagon public affairs officials
refused to provide a transcript of
the meeting, or comment on what was
said. Early news stories reported
Hamre's comments rather uncritically
and did little to clarify the nature
of the attacks.
Hamre himself was not specific about
whether or not crackers were
attempting to query federal systems
- such as merely opening up a telnet
connection to a federal machine on
the Internet, or sending such a
machine a harmless "ping" request -
or genuinely getting in. All
high-profile computer systems are
commonly queried by curious computer
users running programs such as "port
scanners" that knock on network
doors, and only identify if any are
open.
One source told Wired News that up
until a year ago, every attempt to
open a telnet connection - a common
networking scheme used to operate
computers remotely - to a government
system was considered an attack.
Sorting out exactly what happened
with the "cyber attacks" is a tricky
proposition.
"This has all the appearances of
just being a game," Hamre told the
reporters. "Somebody trying to get
in so they can say they got in," he
said.
According to a Washington Post
report today, intruders attempted to
enter four Navy and seven Air Force
systems and had actually accessed
administrative information in some
cases.
"That could be anything on any
computer they own," said James
Wilson, system administrator for
CruxNET.
"Someone probably broke into their
Web server again," said Wilson. "It
happens to all major government
servers every once in a while. That
is why the Web servers have
absolutely no connection to anything
near being valuable," Wilson said.
Isolating sensitive information from
public networks is a standard
security practice known as
compartmentalizing. But it would be
negligent for the government to
expose even relatively harmless
data, such as payroll information,
to the Internet, sources said.
Peter Neumann, moderator of the
RISKS Digest mailing list - a weekly
roundup of intrusions and security
threats around the world - confirmed
that no sensitive information was
available through government Web
sites, and that one should clearly
distinguish between attempted
break-ins, which are routine, and
actual penetrations, which are not.
"When you hear a report that a
system is under attack, it doesn't
mean that anyone penetrated it,"
said Neumann, adding that "The stuff
that's on the Internet is there
because it's supposed to be
disseminating information."
Another source said that if systems
really were compromised beyond
routine Web page hacks, then the
administrators at those sites need a
lesson in basic TCP/IP security.
"If it's been going on for weeks,
and they haven't been able to stop
it, well then clearly their skills
are lacking," he said. "Fool me
once, shame on you. Fool me twice,
shame on me," the administrator
said.
"Being attacked isn't a big deal,
and should be expected of any site
that is well known, and the admins
should be prepared to deal with it,"
the source said.
But the larger question of
protecting valuable and sensitive
data - beyond human resources files
- is a much more serious matter,
said Neumann, who was an advisor to
the President's Commission on
Critical Infrastructure Protection.
That report examined the
vulnerability of the nation's key
energy and communications
infrastructures.
The report is still largely
classified, but last fall Neumann
said that the upshot is that as far
as critical infrastructure goes,
"we're in bad shape."
Still, despite Hamre's announcement,
Neumann said that hard data on
intrusions doesn't come easily.
"It's very hard to get the correct
numbers of how many things are
actually broken into," he said.
"They don't talk about it."
Meanwhile, Dow Jones reported today
that Attorney General Janet Reno
will ask Congress for $64 million
for fiscal 1999 to fund an
interagency center designed to
protect the nation's telephone
systems, electric utilities, and
digital networks from cyber attacks.
Dow Jones said Reno would announce
the planned facility, to be called
the National Infrastructure
Protection Center, during a visit
Friday to the University of
California's Lawrence Livermore
National Laboratory.
ISN is a non-profit list designed to keep Security Professionals aware.
Received on Sat Mar 14 23:30:57 1998