ch04.htm

Maximum Security (First Edition) 网络安全 英文版

	reported that after <TT>skeeve.net</TT> put the hacked CIA page out for display,
	its server received hundreds of hits from government sites, including the CIA. Some
	of these hits involved finger queries and other snooping utilities. 
<HR>


</BLOCKQUOTE>


<UL>
	<LI>In the DoJ incident (Saturday, August 17, 1996), a photograph of Adolf Hitler
	was offered as the Attorney General of the United States.
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT> The DoJ site, in its hacked
	state, can be viewed at <A HREF="http://river-city.clever.net/hacked/doj/"><TT>http://river-city.clever.net/hacked/doj/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>As of this writing, neither case has been solved; most likely, neither will ever
be. Both are reportedly being investigated by the FBI.</P>
<P>Typically, government officials characterize such incidents as rare. Just how
rare are they? Not very. In the last year, many such incidents have transpired:

<UL>
	<LI>During a period spanning from July, 1995 to March 1996, a student in Argentina
	compromised key sites in the United States, including those maintained by the Armed
	Forces and NASA.<BR>
	<BR>
	
	<LI>In August, 1996, a soldier at Fort Bragg reportedly compromised an &quot;impenetrable&quot;
	military computer system and widely distributed passwords he obtained.<BR>
	<BR>
	
	<LI>In December, 1996, hackers seized control of a United States Air Force site,
	replacing the site's defense statistics with pornography. The Pentagon's networked
	site, DefenseLINK, was shut down for more than 24 hours as a result.
</UL>

<P>The phenomenon was not limited to federal agencies. In October, 1996, the home
page of the Florida State Supreme Court was cracked. Prior to its cracking, the page's
intended use was to distribute information about the court, including text reproductions
of recent court decisions. The crackers removed this information and replaced it
with pornography. Ironically, the Court subsequently reported an unusually high rate
of hits.</P>
<P>In 1996 alone, at least six high-profile government sites were cracked. Two of
these (the CIA and FBI) were organizations responsible for maintaining departments
for information warfare or computer crime. Both are charged with one or more facets
of national security. What does all this mean? Is our national security going down
the tubes? It depends on how you look at it.</P>
<P>In the CIA and FBI cases, the cracking activity was insignificant. Neither server
held valuable information, and the only real damage was to the reputation of their
owners. However, the Rome, New York case was far more serious (as was the case at
Fort Bragg). Such cases demonstrate the potential for disaster.</P>
<P>There is a more frightening aspect to this: The sites mentioned previously were
WWW sites, which are highly visible to the public. Therefore, government agencies
cannot hide when their home pages have been cracked. But what about when the crack
involves some other portion of the targeted system (a portion generally unseen by
the public)? It's likely that when such a crack occurs, the press is not involved.
As such, there are probably many more government cracks that you will never hear
about.</P>
<P>To be fair, the U.S. government is trying to keep up with the times. In January
1997, a reporter for Computerworld magazine broke a major story concerning Pentagon
efforts to increase security. Apparently, the Department of Defense is going to establish
its own <I>tiger team</I> (a group of individuals whose sole purpose will be to attack
DoD computers). Such attacks will reveal key flaws in DoD security.</P>
<P>Other stories indicate that defense agencies have undertaken new and improved
technologies to protect computers holding data vital to national security. However,
as reported by Philip Shenon, a prominent technology writer for the New York Times:

<DL>
	<DD>While the Pentagon is developing encryption devices that show promise in defeating
	computer hackers, the accounting office, which is the investigative arm of Congress,
	warned that none of the proposed technical solutions was foolproof, and that the
	military's current security program was `dated, inconsistent and incomplete.'
</DL>

<P>The Pentagon's activity to develop devices that &quot;show promise in defeating
computer hackers&quot; appears reassuring. From this, one could reasonably infer
that something is being done about the problem. However, the reality and seriousness
of the situation is being heavily underplayed.</P>
<P>If Defense and other vital networks cannot defend against domestic attacks from
crackers, there is little likelihood that they can defend from hostile foreign powers.
I made this point earlier in the chapter, but now I want to expand on it.
<H3><FONT COLOR="#000077"><B>Can the United States Protect the National Information
Infrastructure?</B></FONT></H3>
<P>The United States cannot be matched by any nation for military power. We have
sufficient destructive power at our disposal to eliminate the entire human race.
So from a military standpoint, there is no comparison between the United States and
even a handful of third-world nations. The same is not true, however, in respect
to information warfare.</P>
<P>The introduction of advanced minicomputers has forever changed the balance of
power in information warfare. The average Pentium processor now selling at retail
computer chains throughout the country is more powerful than many mainframes were
five years ago (it is certainly many times faster). Add the porting of high-performance
UNIX-based operating systems to the IBM platform, and you have an entirely new environment.</P>
<P>A third-world nation could pose a significant threat to our national information
infrastructure. Using the tools described previously (and some high-speed connections),
a third-world nation could effectively wage a successful information warfare campaign
against the United States at costs well within their means. In fact, it is likely
that within the next few years, we'll experience incidents of bona-fide cyberterrorism.</P>
<P>To prepare for the future, more must be done than simply allocating funds. The
federal government must work closely with security organizations and corporate entities
to establish new and improved standards. If the new standards do not provide for
quicker and more efficient means of implementing security, we will be faced with
very dire circumstances.
<H3><FONT COLOR="#000077"><B>Who Holds the Cards?</B></FONT></H3>
<P>This (not legitimate security tools such as SATAN) is the problem: Thirty years
ago, the U.S. government held all the cards with respect to technology. The average
U.S. citizen held next to nothing. Today, the average American has access to very
advanced technology. In some instances, that technology is so advanced that it equals
technology currently possessed by the government. Encryption technology is a good
example.</P>
<P>Many Americans use encryption programs to protect their data from others. Some
of these encryption programs (such as the very famous utility PGP, created by Phil
Zimmermann) produce military-grade encryption. This level of encryption is sufficiently
strong that U.S. intelligence agencies cannot crack it (at least not within a reasonable
amount of time, and often, time is of the essence).</P>
<P>For example, suppose one individual sends a message to another person regarding
the date on which they will jointly blow up the United Nations building. Clearly,
time is of the essence. If U.S. intelligence officials cannot decipher this message
before the date of the event, they might as well have not cracked the message at
all.</P>
<P>This principle applies directly to Internet security. Security technology has
trickled down to the masses at an astonishing rate. Crackers (and other talented
programmers) have taken this technology and rapidly improved it. Meanwhile, the government
moves along more slowly, tied down by restrictive and archaic policies. This has
allowed the private sector to catch up (and even surpass) the government in some
fields of research.</P>
<P>This is a matter of national concern. Many grass-roots radical cracker organizations
are enthralled with these circumstances. They often heckle the government, taking
pleasure in the advanced knowledge that they possess. These are irresponsible forces
in the programming community, forces that carelessly perpetuate the weakening of
the national information infrastructure. Such forces should work to assist and enlighten
government agencies, but they often do not, and their reasons are sometimes understandable.</P>
<P>The government has, for many years, treated crackers and even hackers as criminals
of high order. As such, the government is unwilling to accept whatever valuable information
these folks have to offer. Communication between these opposing forces is almost
always negative. Bitter legal disputes have developed over the years. Indeed, some
very legitimate security specialists have lost time, money, and dignity at the hands
of the U.S. government. On more than one occasion, the government was entirely mistaken
and ruined (or otherwise seriously disrupted) the lives of law-abiding citizens.
In the next chapter, I will discuss a few such cases. Most arise out of the government's
poor understanding of the technology.</P>
<P>New paths of communication should be opened between the government and those in
possession of advanced knowledge. The Internet marginally assists in this process,
usually through devices such as mailing lists and Usenet. However, there is currently
no concerted effort to bring these opposing forces together on an official basis.
This is unfortunate because it fosters a situation where good minds in America remain
pitted against one another. Before we can effectively defend our national information
infrastructure, we must come to terms with this problem. For the moment, we are at
war with ourselves.
<H2><FONT COLOR="#000077"><B>The Public Sector</B></FONT></H2>
<P>I realize that a category such as <I>the public sector</I> might be easily misunderstood.
To prevent that, I want to identify the range of this category. Here, <I>the public
sector</I> refers to any entity that is not a government, an institution, or an individual.
Thus, I will be examining companies (public and private), Internet service providers,
organizations, or any other entity of commercial or semi-commercial character.</P>
<P>Before forging ahead, one point should be made: Commercial and other public entities
do not share the experience enjoyed by government sites. In other words, they have
not yet been cracked to pieces. Only in the past five years have commercial entities
flocked to the Internet. Therefore, some allowances must be made. It is unreasonable
to expect these folks to make their sites impenetrable. Many are smaller companies
and for a moment, I want to address these folks directly: You, more than any other
group, need to acquire sound security advice.</P>
<P>Small companies operate differently from large ones. For the little guy, cost
is almost always a strong consideration. When such firms establish an Internet presence,
they usually do so either by using in-house technical personnel or by recruiting
an Internet guru. In either case, they are probably buying quality programming talent.
However, what they are buying in terms of security may vary.</P>
<P>Large companies specializing in security charge a lot of money for their services.
Also, most of these specialize in UNIX security. So, small companies seeking to establish
an Internet presence may avoid established security firms. First, the cost is a significant
deterrent. Moreover, many small companies do not use UNIX. Instead, they may use
Novell NetWare, LANtastic, Windows NT, Windows 95, and so forth.</P>
<P>This leaves small businesses in a difficult position. They must either pay high
costs or take their programmers' word that the network will be secure. Because such
small businesses usually do not have personnel who are well educated in security,
they are at the mercy of the individual charged with developing the site. That can
be a very serious matter.</P>
<P>The problem is many &quot;consultants&quot; spuriously claim to know all about
security. They make these claims when, in fact, they may know little or nothing about
the subject. Typically, they have purchased a Web-development package, they generate
attractive Web pages, and know how to set up a server. Perhaps they have a limited
background in security, having scratched the surface. They take money from their
clients, rationalizing that there is only a very slim chance that their clients'
Web servers will get hacked. For most, this works out well. But although their clients'
servers never get hacked, the servers may remain indefinitely in a state of insecurity.</P>
<P>Commercial sites are also more likely to purchase one or two security products
and call it a day. They may pay several thousand dollars for an ostensibly secure
system and leave it at that, trusting everything to that single product.</P>
<P>For these reasons, commercial sites are routinely cracked, and this trend will
probably continue. Part of the problem is this: There is no real national standard
on security in the private sector. Hence, one most often qualifies as a security
specialist through hard experience and not by virtue of any formal education. It
is true that there are many courses available and even talks given by individuals
such as Farmer and Venema. These resources legitimately qualify an individual to
do security work. However, there is no single piece of paper that a company can demand
that will ensure the quality of the security they are getting.</P>
<P>Because these smaller businesses lack security knowledge, they become victims
of unscrupulous &quot;security specialists.&quot; I hope that this trend will change,
but I predict that for now, it will only become more prevalent. I say this for one
reason: Despite the fact that many thousands of American businesses are now online,
this represents a mere fraction of commercial America. There are millions of businesses
that have yet to get connected. These millions are all new fish, and security charlatans
are lined up waiting to catch them.
<H3><FONT COLOR="#000077"><B>The Public Sector Getting Cracked</B></FONT></H3>
<P>In the last year, a series of commercial sites have come under attack. These attacks
have varied widely in technique. Earlier in this chapter, I defined some of those
techniques and the attending damage or interruption of service they cause. Here,
I want to look at cases that more definitively illustrate these techniques. Let's
start with the recent attack on Panix.com.
<H4><FONT COLOR="#000077"><B>Panix.com</B></FONT></H4>
<P>Panix.com (Public Access Networks Corporation) is a large Internet service provider
(ISP) that provides Internet access to several hundred thousand New York residents.
On September 6, 1996, Panix came under heavy attack from the void.</P>
<P>The Panix case was very significant because it demonstrates a technique known
as the <I>Denial of Service</I> (<I>DoS</I>) <I>attack</I>. This type of attack does
not involve an intruder gaining access. Instead, the cracker undertakes remote procedures
that render a portion (or sometimes all) of a target inoperable.</P>
<P>The techniques employed in such an attack are simple. As you will learn in Chapter
6, &quot;A Brief Primer on TCP/IP,&quot; connections over the Internet are initiated
via a procedure called the <I>three-part handshake</I>. In this process, the requesting
machine sends a packet requesting connection. The target machine responds with an
acknowledgment. The requesting machine then returns its own acknowledgment and a
connection is established.</P>
<P>In a syn_flooder attack, the requesting (cracker's) machine sends a series of
connection requests but fails to acknowledge the target's response. Because the target
never receives that acknowledgment, it waits. If this process is repeated many times,
it renders the target's ports useless because the target is still waiting for the
response. These connection requests are dealt with sequentially; eventually, the
target will abandon waiting for each such acknowledgment. Nevertheless, if it receives
tens or even hundreds of these requests, the port will remain engaged until it has
processed--and discarded--each request.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>The term <I>syn_flooder</I> is derived
	from the activity undertaken by such tools. The TCP/IP three-way handshake is initiated
	when one machine sends another a SYN packet. In a typical flooding attack, a series
	of these packets are forwarded to a target, purporting to be from an address that
	is nonexistent. The target machine therefore cannot resolve the host. In any event,
	by sending a flurry of these SYN packets, one is flooding the target with requests
	that cannot be fulfilled. 
<HR>


</BLOCKQUOTE>

<P>Syn_flooder attacks are common, but do no real damage. They simply deny other
users access to the targeted ports temporarily. In the Panix case, though, <I>temporarily</I>
was a period lasting more than a week.</P>
<P>Syn_flooders are classified in this book as destructive devices. They are covered
extensively in Chapter 14, &quot;Destructive Devices.&quot; These are typically small
programs consisting of two hundred lines of code or fewer. The majority are written
in the C programming language, but I know of at least one written in BASIC.
<H4><FONT COLOR="#000077"><B>Crack dot Com</B></FONT></H4>
<P>ISPs are popular targets for a variety of reasons. One reason is that crackers
use such targets as operating environments or a home base from which to launch attacks
on other targets. This technique assists in obscuring the identity of the attacker,