CIWARS Intelligence Report - 4 January 1998
====================================
Volume 2, Issue 1: Copyright @1998 http://www.iwar.org
Dedicated to the discussion of infrastructure vulnerability to improve defense

Table of Contents

  Editor’s Comments
  The CIWARS 1998 Forecast of 1998 Vulnerabilities
    Focus--Internet/Computer Systems
    Focus--Telecommunications
    Focus--Air Traffic Control
    Focus--Electric Systems
    Focus--Regional Vulnerabilities
    Focus--Terrorist Organization Forecast
    Focus--Organized Crime Forecast

Editor’s Comments
----------------------------------------------------------------------

This issue focuses on worldwide infrastructure vulnerabilities for 1998. It is CIWARS’ opinion that the infrastructure is showing signs of what we call Systemic Collision. Systemic Collision describes a series of circumstances that are uncoordinated and unrelated to one another yet, when placed within a context, produce results that are extra-intentional and many times catastrophic. However, it is important not to apply this term to over-simplistic circumstances. To be systemic, the definition should account for a number (at least three) of unrelated changes that do not have a direct or obvious cause-and-effect pattern.

Currently, there are three factors producing a Systemic Collision which need to be considered by a nation or corporate structure in defending or protecting infrastructure.

First, the global redefinition of the role of government requires a new understanding of the role of corporate enterprises in protecting infrastructure. This is best demonstrated by the growing privatization of vital infrastructural services that only thirty years ago were defined as being of strategic national value. Water, electric, transportation, and gas systems have been sold to private enterprise; therefore, these services are no longer under the direct protection of government.
Second, the globalization trend has produced three significant sub-category changes:

a) Globalization has encouraged non-national corporations to purchase privatized assets. In other words, a country’s electric system could be owned by another nation or by a corporation controlled by investors from another nation.

b) Globalization has encouraged the adoption of open software systems or at least shared operating systems. For example, a Swedish software company sells the operating software for a number of foreign stock exchanges, so the same vulnerabilities are shared by each of those stock exchanges. The same applies to common ownership of energy management software.

c) Globalization has increased the number of inter-dependent communications points.

The third change is the accelerating growth of the Internet and its use both as an internal system and as a public interface. This trend has expanded the access vulnerability and globalized the potential threat.

Focus--Internet/Computer Systems
----------------------------------------------------------------------

Performance Vulnerability Assessment

During the last weeks of 1997, the performance vulnerability of the Internet was no longer a matter of speculation. Some 11 of the last 12 weeks saw the Internet backed up on email or suffering a service outage. The usual scapegoat, AOL, was joined by MCI, Worldnet, and Netcom. But there is a reason for all of these problems:

- Email traffic is doubling every six months.
- Messages are getting larger as more people use the attach-file feature.
- AOL handles 21 million messages a day and is the fastest growing Internet provider.
- AT&T handles 1 million messages a day.

Keystone Systems reported a 4.5 percent deterioration in Internet performance between its April 1997 report and its September 1997 report. The average time to download their test file rose from 9.928 seconds to 10.370 seconds, and the best performance went from a blazing 1.543 seconds to 4.905 seconds.
Considering that Internet domain growth has now been documented at a linear rate of 18,000 domains a day and that 83 percent of surveyed Internet users cited email as their most used application, CIWARS believes that by July 1998 the Internet should reach 30 million domains (up from 19.9 million domains in July 1997) and show at least another 4.5 percent degradation in service.

Editor’s Note: AOL has grown its number of email servers from 14 to 20, but based on past performance and its track record of problems during upgrades, 1998 should be a difficult year for AOL. For comparison, CIWARS looked at AT&T, which has 6 email servers for one million messages compared to AOL’s 20 for 21 million messages. It is difficult to do a comparison without technical specifications; however, CIWARS will stick by its opinion of another difficult Internet year.

Vulnerability Recommendation

CIWARS urges its readers to seek ISPs that have private connections to the backbone rather than ISPs that rely on the public NAPs. In addition, we recommend constant monitoring of network performance if your applications are critical.

Security Vulnerability Summary

Denial of Service Attacks
  1997 - 4 attacks
  1998 - predicted 7 attacks, all against specifically targeted sites

CIWARS expects SYN flood and Smurf attacks to increase in 1998, and they will move from "kiddie script" attacks based on media release of these scripts to professional attacks for economic ends. CIWARS recorded two such cases in 1997 (one in Brazil and one in Australia) where competing ISPs attacked one another to hurt the quality of their service. The prime regions for this activity will remain Asia and Latin America, where ISP competition will be the strongest because of the limited market. CIWARS expects to see DOS attacks targeted at other commercial enterprises during times of intense competition. This will especially hold true as more firms move to on-line commerce for a higher percentage of their sales mix.
This prediction is based on the history of 1997 compared to the fall of 1996, when the first large-scale DOS attacks were mounted after the release of a DOS script by Phrack. As 1997 progressed, the DOS attacks took on a targeted or focused quality. The two attacks in the spring did not appear to be politically motivated; however, by September the Australian attack had occurred, and then during late September an ISP was targeted because it housed the infamous spammer Sanford Wallace.

Data Theft/System Intrusions

Vulnerability Summary

Based on 18 months of data and analysis, it is the opinion of CIWARS that overall threats on the Internet remain undeveloped and unprofessional. According to recent studies, most attacks use standard or well-known script exploits. Our research reveals fewer than 1,000 hackers in the world who have the professional programming skills to create their own attack scripts. Social engineering and the use of inside personnel will remain the primary method of obtaining or affecting data on systems. The trend of targeting financial/Electronic Commerce sites will continue as more and more companies enter this distribution channel. Like the current Electronic Commerce sites, the group establishing sites in 1998 will be subject to a range of 2 to 5 serious attacks per month (NetSolve study), with CGI-bin attacks leading the thrust.

Vulnerability Recommendation

An Infrastructure Assurance Posture (IAP) should be established that provides a comprehensive view of security risks.

Vulnerability Analysis

This next year will be a telling year in terms of watching threats move or migrate from region to region. The United States has gone through its first round of Electronic Commerce implementation, and now the United Kingdom and Asia, according to surveys, are on schedule to start Electronic Commerce sites.
In terms of threat development, CIWARS believes threats will migrate to the most vulnerable areas; therefore, we expect these sites to be hit full force with experienced threats.

On-Line Software Piracy

Vulnerability Assessment

Up until now, there have been a number of factors suppressing the number of titles being distributed on the Web. The two primary reasons (beyond consumer preference) are download speed and the size of new applications. CIWARS believes 1998 will bring the addition of software or methods that will speed the process of downloading large files from the Web. CIWARS predicts that by 3rdQ 98 there will be a surge of pirated software from on-line sites.

Web Page Hacks

Vulnerability Summary

There has been a suggestion that Web Page Hacks are increasing; however, CIWARS urges caution in establishing a trend from the limited sampling that has been obtained. The statistics promoting an increase in Web Page Hacks count each page that has been hacked and not the primary server. For example, if one hacked domain allows access to 10 Web Pages, under the current scheme that is counted as 10 hacks. Under CIWARS’ method, this would be counted as one hack with 10 pages affected.

In addition, there is a problem with the motivation and development of this threat. Self-satisfaction appears to be the primary motive for these attacks. Based on the signatures left after an attack, the current attacks are limited to a small group of individuals (200) who accomplish the core number of attacks. CIWARS also believes that our preliminary statistics show these attacks are university-based or at least encompass that age group. It is for this reason we believe the number of Web Page Hacks is correlated with threat production by a society and, therefore, the number will vary from country to country.

Year2000

Vulnerability Summary

In previous reports, CIWARS has referred to the Y2k problem as Attack Day.
Y2k refers to the problem associated with the change of date at the end of 1999 and the historic programming of many computer systems using only a two-digit year. Although the actual technical vulnerability will not start until 9 Sept 1999, CIWARS lists 1998 as a highly vulnerable year for the following reasons:

- Recent surveys of corporations in the United States reveal that only one in five are prepared to meet the Y2k deadline.
- European corporations have combined this task with the conversion to the European Monetary Union (EMU) on 1 January 1999; therefore, they are better prepared.
- In Asia, the situation may be much worse. This past summer’s economic disruption has cost Asian corporations time, focus, and money, and many experts are predicting that the deadline for the Y2k fix, which relies on outside or foreign consultants paid in US dollars, will not be met.
- Finally, Latin America is extremely vulnerable because of its late start on the Y2k fix.

Vulnerability Analysis

The threat for 1998 will take the form of rushed efforts to complete the Y2k fix. This will create three very distinct threat vulnerabilities. First, companies who haven’t secured Y2k fix resources yet may resort to consulting companies that have not done an adequate job of screening contract programmers, which will increase the possibility of a threat knowing the inner workings of a corporate system. Second, a rushed implementation may require the use of outsourced contractors in another region of the world. These programmers will have inside knowledge of the systems. Third, because many Y2k fix applications require new hardware, production capacity for traditional vendors will be strained. Companies caught in a last-minute rush may be forced to use unproven vendors for computer hardware. This may prove to be an ideal time for a threat to insert a "chipped" system. (Editor’s Note: The shipping of corrupted computer systems, or "chipping", has been confirmed by the United States Central Intelligence Agency.)
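The two-digit-year defect described above, as an added illustration that is not code from the CIWARS report: a legacy parser that hard-codes the 19xx century, the "windowing" repair that many Y2k fixes applied (the pivot year of 50 is an assumption), and an audit over constructed date records that flags every row where the two interpretations disagree, including the 29 February 2000 leap-day case that the legacy parser cannot represent at all.

```python
"""Two-digit-year (Y2k) failure and the windowing repair.
Added illustration; sample records are constructed, the pivot year is an
assumption, and nothing here is the CIWARS report's own code."""
from datetime import date
from typing import Callable, List, Optional, Tuple

PIVOT = 50  # assumption: YY < 50 means 20YY, otherwise 19YY (a common Y2k window)


def parse_legacy(yymmdd: str) -> date:
    """Legacy interpretation: the century is hard-coded as 19xx."""
    return date(1900 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))


def expand_year(yy: int, pivot: int = PIVOT) -> int:
    """Windowing: map a two-digit year onto the century the pivot implies."""
    return 2000 + yy if yy < pivot else 1900 + yy


def parse_windowed(yymmdd: str) -> date:
    """Repaired interpretation: same field, century chosen by the window."""
    return date(expand_year(int(yymmdd[:2])), int(yymmdd[2:4]), int(yymmdd[4:6]))


def elapsed_days(parse: Callable[[str], date], start: str, end: str) -> Optional[int]:
    """Days from start to end under a given parser; None if a date is invalid."""
    try:
        return (parse(end) - parse(start)).days
    except ValueError:  # 1900-02-29 does not exist, 2000-02-29 does
        return None


def audit(records: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[int], Optional[int]]]:
    """Return (start, end, legacy_days, windowed_days) for every record where
    the two interpretations disagree: the rows a Y2k fix has to touch."""
    findings = []
    for start, end in records:
        legacy = elapsed_days(parse_legacy, start, end)
        windowed = elapsed_days(parse_windowed, start, end)
        if legacy != windowed:
            findings.append((start, end, legacy, windowed))
    return findings


# Constructed sample: (issue date, expiry date) pairs stored as YYMMDD strings.
SAMPLE = [
    ("980104", "981231"),  # both in the 1990s: both parsers agree
    ("991231", "000101"),  # crosses the rollover: legacy sees a negative span
    ("000228", "000229"),  # leap day 2000: legacy parses 1900-02-29, invalid
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```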
Focus--Telecommunications
----------------------------------------------------------------------

Vulnerability Assessment

The primary vulnerability facing the telecommunications sector will be the global trend of the merging telecommunications marketplace. The merger of WorldCom and MCI heads the list for examination. CIWARS’ preliminary investigation of this merger reveals numerous duplicate network points that may become the target of consolidation efforts. Prior to the merger, both MCI and WorldCom ranked very high in download speed tests because of their excellent backbone structure; CIWARS will monitor this indicator for degradation.

The second area of vulnerability will be the growing use of satellite transponders to deliver a wide range of services, from mobile telecommunications to video content. Last year’s outage at one of India’s stock exchanges characterizes the need for adequate infrastructure redundancy; however, CIWARS believes a shortage of transponders will restrict proper telecommunications planning for selected users.

The third area deals with the growing use of Global Positioning System (GPS) services and the entry into the marketplace of a hand-held device that can scramble GPS signals up to 200km, according to a Janes report. This device was shown at the recent Moscow Air Show and retails between $2,000 and $4,000. If this device works, it brings military technology down to the palm top for organized crime and terrorists. GPS is at the heart of most commercial and government tracking systems and is a key ingredient of a new FAA air traffic system.

Focus--Air Traffic Control
----------------------------------------------------------------------

Vulnerability Summary

There are a number of factors working against the world’s air traffic infrastructure. First, air traffic has been growing at a steady rate for the last five to six years.
The United Kingdom and much of Europe are seeing increases of five percent a year, and now that the market is in its fully deregulated mode, growth should accelerate beyond that base figure. Second, countries like the United Kingdom and the United States are involved in system upgrades which are off schedule or have not met expectations. Third, the two areas of the world with the lowest percentage of countries holding Category I ratings, Latin America and Asia (Asia with 69 percent Category I ratings and Latin America with 39 percent, compared to Europe’s 93 percent), have also been the hardest hit economically, which could slow their air traffic control improvements.

Vulnerability Analysis

The United States

The United States is caught in a cycle of aging equipment, bureaucratic management, and botched improvements. This has left the United States vulnerable to infrastructure attacks that could be devastating to the system. The largest vulnerability has been power outages to the system. An April General Accounting Office (GAO) report examining the Federal Aviation Administration’s (FAA) power management procedures after a string of 1995 and 1996 power outages concluded that, effectively, the FAA had lost control of its back-up generator inventory. Some 88 percent of its generators were at least 20 years old (the useful life is 15 years) and nearly half of those are over 30 years old. This was caused by the lack of a national inventory of generators, according to the GAO report. The problem of electrical outages continued in 1997 despite the GAO recommendations, with an outage just days before Christmas in Kansas City that came close to disrupting holiday traffic.

Aging Radar Screens

The United States is in a protracted replacement process for its aging radar screens. It is a phased program ending in 2001. After the Washington National Airport screens logged over 100 outages in 1997, the FAA decided to replace those screens immediately.
United States Threat Analysis

The United States is vulnerable to a cascade effect. A direct hit on the air traffic control system is not required as long as the same results can be achieved by disrupting the power system, since adequate power back-up does not exist. Considering the other problems with air traffic control, CIWARS believes it would be fair to assume that computer security has not been maintained and is in need of review. The problems associated with air traffic are endemic to improper project management and system supervision.

The United Kingdom

The United Kingdom, one of the busiest air spaces in the world with Heathrow being a hub for Europe, is also one of the safest. However, it has slipped a deadline on building its New En Route Centre at Swanwick. The centre was originally planned for 1996, then slipped to March 1998, and now it looks like it will be operational sometime during 1999. This will cause considerable problems in managing the UK’s already busy skies during 1998.

United Kingdom Threat Analysis

The current system is vulnerable to higher load factors, which decrease the margin of error. This narrowed margin forms the basis of an exploitable target.

Focus--Electric/Water Supply
----------------------------------------------------------------------

Vulnerability Assessment

Water Shortage

The effects of El Nino will reach full force in 1998. Water shortages in Indonesia, PNG, Malaysia, Australia, and Ecuador will intensify. This could produce significant disruptions of electricity production, agricultural activity, and normal water consumption.

Electric Power Distribution

There will be a continued pattern of targeting electric systems by dissident or rebel groups in the world, which demonstrates the growing use of infrastructural warfare against the populace. Targeted countries: Honduras, United States, Albania, Colombia, Sri Lanka. The United States, with its high energy use, is the most vulnerable.
During 1997, PG&E suffered two acts of sabotage to power stations. The last attack disrupted traffic for hours and plunged most of the San Francisco Peninsula into chaos. Earlier in the year, a lone gunman shot out a PG&E transformer in protest over the Oklahoma City bombing verdict. In addition, the Western part of the United States may still be vulnerable to disruption of coal delivery to power plants because of the previously reported problems associated with the Union Pacific-Southern Pacific merger.

Focus--Regional Assessments
----------------------------------------------------------------------

United States

The United States has the highest possibility for significant infrastructure disruption in 1998. During 1997, it had sabotage to major electric and land transportation systems, a near-emergency state in the railroad system in the Western United States, consistent Internet disruptions (email and general transmission), telephone system software disruptions, and outages in air traffic control systems. In addition, the United States is home to the largest supply of professional and "kiddie script" hackers. It also accounts for most of the hacked Web Pages of the world. In short, it is the opinion of CIWARS that the United States represents an example of a country that is all the way at the end of the curve in terms of the information age, privatization, deregulation, technical reliance, and social problems that produce threats. Although the Scandinavian countries are just as reliant on technology, they have not, generally speaking, relinquished as much control of their infrastructure as the United States government has. In addition, there are social factors that limit threat production. Therefore, the United States will be a good test-bed for future developments.
Vulnerability Targets
- Internet Transmission
- Financial Systems
- Energy distribution systems

Asia

This past summer’s currency and stock crisis will produce a Systemic Collision that could further devastate the Asian countries. Southeast Asian countries (Singapore excluded) that were just gaining momentum on the infrastructure development scale have been forced to cancel vital infrastructure projects (Malaysia’s canceling of the Bakun dam is an example). Unfortunately, these countries have put programs in place to build the level of energy consumption, and this clashes with their lack of financial resources to fulfill these efforts. In addition, there is the danger of these countries not having the resources to maintain their current structures.

In terms of physical problems, Indonesia bears watching because of the 1998 elections. Suharto’s power base is eroding and there is no indication that he or his family will take Air Marcos into exile. Physical violence has already erupted on college campuses, and as the crisis worsens it may spread to the general population if the once-pampered middle class starts to feel threatened. Civil strife in Indonesia will threaten the security of the region and could be another economic blow.

Vulnerability Targets
- Communications links that terminate or pass through Indonesia
- Shipping links
- Trade agreements
- Shared development agreements on energy production or distribution and satellite communication

Latin America

This region is starting to recover from the lost decade of the 1980’s with a transition to a democratic power base. Latin America’s primary threat comes from organized groups who have a history of targeting infrastructure. Hostile attacks on the infrastructure have occurred in Colombia (pipeline and electric systems), Peru (telephone systems), Honduras (electric system), and the Dominican Republic (electric systems). In addition, Argentina is experiencing a new threat from fundamentalist Islamic groups.
Latin America is still a potential target for currency speculators, which would further damage its economy and hinder infrastructure development and support.

Vulnerability Targets
- Currency
- Energy and Power Distribution
- Air Traffic Control

Europe

Europe’s primary vulnerability is managing the transition to the European Union and its associated effects. The privatization of their infrastructure may have a long-range effect on their ability to control and protect the traditionally state-controlled structures. This will not be evident in 1998, but it can be watched for further development. Europe also leads the world in smart card use, which will tie in with the EMU implementation and possibly attract hackers to higher-value smart cards. In terms of financial systems, Europe has automated many of the trading functions of its stock exchanges and linked them. During the stock fluctuations of 1997, many of these systems showed considerable stress; therefore, CIWARS believes a significant stock correction in 1998 could force these systems into linked failures.

Vulnerability Targets
- Financial Systems
- Air Traffic Control (Heathrow)

Russia

As for vulnerabilities in Russia, this space is too limited. However, Russia’s biggest threat is from internal corruption and organized crime, which take critical dollars away from building a viable infrastructure.

Vulnerability Targets
- All physical infrastructure
- Financial Systems

Focus--Terrorist Organizations Forecast
----------------------------------------------------------------------

CIWARS believes that by late 1998 the first terrorist use of information weapons will be recorded. The most likely weapon will be a virus or worm attack against an infrastructural target. This assault will come from a group that has not been traditionally associated with terrorism. Conversely, CIWARS does not expect any of the groups in the Middle East, Latin America or Asia to make the transition to information weapons in 1998.
Focus--Organized Crime Forecast
----------------------------------------------------------------------

Our forecast of 7 December still stands. CIWARS believes organized crime will gain strength in 1998, but only in its traditional areas. We expect further Internet fraud or money laundering activity, but CIWARS believes 1998 will be a transition year. Organized crime will continue to disrupt the infrastructure and economy of Cambodia, Colombia, Mexico, Russia, and India. In addition, the economies of the following countries are vulnerable in the coming year: Thailand, Indonesia, Brazil, Peru, and the Philippines.

----------------------------------------------------------------------
Subscriptions are available at http://www.iwar.org. Click on Subscription and it will take you to infowar.com’s bookstore.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
William Church, Managing Director, Centre for Infrastructural Warfare Studies
iwar@iwar.org
Via Delle Tagliate 641, 55100 Lucca, Italy
Voice: (39) 0583 343729
GSM: (44) 0410442074
http://www.iwar.org
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Infowar.Com & Interpact, Inc.
WebWarrior@Infowar.Com
Submit articles to: infowar@infowar.com
Voice: 813.393.6600  Fax: 813.393.6361