3.0 TARGETED TECHNOLOGIES AND SERVICES

This section outlines the telecommunications services and technologies that electronic intruders have targeted. This section also addresses concerns regarding the threat posed to emerging technologies and the importance of these emerging technologies in the evolving PSN. The technologies and services highlighted in this section exemplify the various skills and techniques intruders employ. As mentioned in Section 2.0, the different attacks fall into three basic categories: monitoring attack, penetration attack, and planting attack (see Exhibit 3-1). Although many of the different techniques were defined in Sections 2.1.2 and 2.1.3, this section will highlight how intruders have used many of these techniques to attack existing technologies and services, and how intruders may use their skills to attack emerging technologies.

EXHIBIT 3-1 Stages of the Electronic Intrusion Threat

The discussion on technologies and services in this section expands and updates many of the findings in the 1993 edition of this report. The 1993 report identified the techniques used by electronic intruders to attack wireless systems, packet switched networks, and PSN network elements. Also, the report briefly discussed various emerging technologies and the security issues surrounding these technologies. This edition of the report expands on these technologies and focuses on several emerging technologies in more detail. Some information from the 1993 edition is reiterated here to help the reader better understand the points made.

Although there are several types of electronic intruders (as discussed in Section 2.0), it is important to note that most of the information in this section is based on the activities and knowledge of members of the computer underground. The reason for this is twofold. First, members of the computer underground have written extensively about their own exploits and have shared this information throughout the computer underground community. Also, the media has reported many times on the alleged activities of the computer underground. Therefore, one can readily monitor the activities, interests, and knowledge of the community by researching this data. On the other hand, information about the activities, interests, and knowledge of insiders, industrial spies, and foreign intelligence services is much more difficult to obtain and analyze.

Second, the resources and knowledge of computer underground members act as the lowest common denominator for all the types of electronic intruders defined in Section 2.0. Insiders, by nature of the unique threat they present, are already privy to detailed information about the systems they threaten. Both industrial spies and foreign intelligence services have the resources to gather information about various systems in a manner similar to the members of the computer underground, pose as members of the computer underground, and buy the services of various computer underground members and even insiders.

Therefore, using open source information that primarily reflects the knowledge of the computer underground serves to outline the threat in a conservative manner. Because the purpose of this report is to increase awareness of the electronic intrusion threat, not to quantify the level of threat, this conservative approach is adequate. The reader should note that the threat to NS/EP telecommunications from insiders, industrial spies, and foreign intelligence services is equal to, if not greater than, the threat from members of the computer underground.

Electronic intruders have continued to attack telecommunications systems, and as reported by the Office of the Manager, National Communications System (OMNCS), the overall electronic intruder threat is "a serious concern." (NCS-M93) Electronic intruders are adept at compromising a wide variety of computer and telecommunications technologies and services, and they have proven to be very skillful at avoiding detection.

In fact, most intrusions go undetected. A study of one government agency's network systems estimated that approximately 98 percent of all intrusion incidents have gone undetected. (NETFIRE1) Compounding this problem, the study also discovered that only 5 percent of detected incidents were actually reported to system or security administrators. Although these figures represent a study of only one government agency, they indicate that the majority of intrusions are undetected. (DEBATE, ZONE2, FRAUDSEC) The study also suggests that most of the detected intrusions go unreported.

Telecommunications systems have long been a favorite target for electronic intruders. In the past, intruders have compromised nearly all categories or types of PSN elements, including switching systems; operations, administration, maintenance, and provisioning (OAM&P) systems; and packet data networks. (IVPC94) Research also shows that electronic intruders have regularly attacked all types of networks linked to the PSN. For instance, electronic intruders have written extensive text files on accessing and manipulating corporate networks and private branch exchange (PBX) systems. These private networks are linked to the PSN, and the electronic intruders have used private corporate networks to establish outside connections. (HACKDEA, PHRACK01, HD07)

Based on an analysis of open source information, several telecommunications systems appear to be targeted frequently, whereas other technologies have been newly targeted within the last year. Other technologies are similar enough to emerging technologies that the skills used by intruders on these may be effective on the newer technologies. These technologies include data networks, international gateways, signaling networks, wireless systems, Synchronous Optical Networks (SONET), Asynchronous Transfer Mode (ATM) networks, and Integrated Services Digital Networks (ISDN).

3.1 Data Networks

Data networks are rapidly growing in popularity, and intruders actively study these networks. The increasing number of users on large data networks, such as the Internet, makes identifying these intruders more difficult. Intruders will increasingly explore and compromise these networks as accessibility to the networks becomes easier.

The longevity of an electronic intruder's activities is largely dependent on the intruder's ability to avoid detection. There are many techniques intruders employ to avoid detection. One of the characteristics of data networks is that network nodes are accessible through a variety of paths. This characteristic enables intruders to weave through data networks to the targeted site. Weaving is the act of accessing a system and using an outbound port of that system to access another system. This process can be repeated as many times as the intruder wishes; the more systems the intruder weaves through, the less likely the intruder will be detected (see Exhibit 3-2).
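Weaving leaves a trail of linked records: an inbound login on one host followed shortly by an outbound connection from that same host. The following Python, an added example and not part of the report, links such records from a constructed connection log to reconstruct hop chains back to their external origin; the log format, host names and 30-minute linking window are assumptions.

```python
"""Reconstruct weaving chains (Exhibit 3-2) from a constructed connection log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Conn:
    when: datetime
    src: str
    dst: str
    user: str


def parse_line(line: str) -> Conn:
    """Parse the constructed format '<ISO time> <src> -> <dst> user=<name>'."""
    when, src, _arrow, dst, user = line.split()
    return Conn(datetime.fromisoformat(when), src, dst, user.split("=", 1)[1])


def find_weaving_chains(conns: List[Conn], window: timedelta = timedelta(minutes=30),
                        min_hops: int = 3) -> List[List[str]]:
    """Return maximal host chains that start outside the monitored hosts, where
    each hop is an outbound connection made by the previous hop's destination
    within `window` of the preceding hop."""
    monitored = {c.dst for c in conns}            # hosts whose logs we hold
    by_src: Dict[str, List[Conn]] = {}
    for c in sorted(conns, key=lambda c: c.when):
        by_src.setdefault(c.src, []).append(c)
    chains: List[List[str]] = []

    def extend(chain: List[Conn]) -> None:
        last = chain[-1]
        grew = False
        for nxt in by_src.get(last.dst, []):
            if last.when < nxt.when <= last.when + window and nxt not in chain:
                grew = True
                extend(chain + [nxt])
        if not grew and len(chain) >= min_hops:   # report only maximal chains
            chains.append([chain[0].src] + [c.dst for c in chain])

    for c in conns:
        if c.src not in monitored:                # a chain begins at an external origin
            extend([c])
    return chains


# Constructed sample log: one three-hop weave and one two-hop sequence.
SAMPLE_LOG = """\
2024-05-01T01:00:00 db2 -> sw3 user=maint
2024-05-01T02:00:00 203.0.113.7 -> gw1 user=jdoe
2024-05-01T02:04:00 gw1 -> db2 user=oper
2024-05-01T02:09:00 db2 -> sw3 user=maint
2024-05-01T09:00:00 198.51.100.9 -> gw1 user=alice
2024-05-01T09:02:00 gw1 -> db2 user=alice
"""


def weaving_from_log(text: str = SAMPLE_LOG, min_hops: int = 3) -> List[List[str]]:
    conns = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return find_weaving_chains(conns, min_hops=min_hops)


if __name__ == "__main__":
    for chain in weaving_from_log():
        print(" -> ".join(chain))
```

The 01:00 record is ignored because it precedes the login it would otherwise be linked to, and the 09:00 sequence is reported only when the hop threshold is lowered to two.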

There are a variety of other techniques employed by intruders that complicate the task of detection and identification. Intruders have disabled data network auditing programs on compromised sites. When the auditing is disabled, intruders attack a site in a variety of ways, exploiting any of several vulnerabilities, making the identification of an intruder difficult. Intruders can create new accounts that may go undetected for months or years. They can also install trojan horses or similar code that may be unnoticed, masquerade as legitimate users, or any combination of the above. Most intruders encrypt information left on a compromised site, which further compounds the problem of identifying and prosecuting an intruder on a data network.

EXHIBIT 3-2 Example of Weaving

Intruders are attacking data networks more frequently. This is not only because intruders can successfully avoid detection, but also because the increased accessibility and quality of services associated with data networks have attracted more users demanding more interconnection with these networks. This increasing interconnection to data networks offers more potential targets for electronic intruders. The most prominent data network attacked is the Internet.

3.1.1 The Internet - TCP/IP Networks. The Internet is a group of networks communicating via the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of communications protocols running primarily on UNIX-based platforms (although the Internet can be easily accessed by a large number of personal computers). As of August 1994, there were 3.2 million hosts on the Internet, an increase of 81 percent over the previous 12 months, and as of December 1993, there were well over 22 million users on the Internet. (ISOC1293, ISOC894)

In January 1994, a California university discovered an unauthorized program on its computer network that captured and stored account information, including account names and passwords. The program collected 3,000 account names and passwords in fourteen hours. By February, the problem had been discovered on a much larger scale: it was reported that tens of thousands of accounts on thousands of Internet sites were compromised. (TNSR394)

Although Internet (e.g., TCP/IP and UNIX) security is a broad topic that transcends the scope of this report, this latest incident deserves attention. The incident has demonstrated that as the Internet grows and dependence upon the Internet increases, the threats to the Internet also threaten all private networks that are connected to the Internet. The intruder (or intruders) was able to install programs that intercept and store the first few bits of each packet transiting compromised network sites. As a result, many user names and passwords have been intercepted, putting thousands of individual sites at risk and enabling the intruders to log in and masquerade as legitimate users. Once on the new system, the intruders can exploit any number of known vulnerabilities that would allow "root" access to the new site. Then the intruders are free to install the data-intercepting program on the compromised site. This process could be continued indefinitely.

During this attack, intruders have been observed modifying software, destroying and stealing data, and shutting down host sites. (FED0694) There have been reports that software may have been stolen and data may have been modified. Allegedly, the attack has been so pervasive that the intruders at times could have destroyed software and even shut down entire networks. (NETFIRE1) At this time, the attacks are still occurring and the full effect of this incident has yet to surface.

The NS/EP community is, or will be, affected by issues concerning the Internet. The Government has undertaken an effort to improve its information infrastructure and provide governmentwide electronic mail as part of the "Reinventing Government" initiative. Both taskings cited the Internet as a reference model. (NPR993) Many government agencies currently have connections to the Internet; the DoD alone has 103,000 unclassified hosts on the Internet.

In addition, threats to the Internet and other data networks affect NS/EP telecommunications service providers. The traffic on the PSN is predominantly digital data, not voice traffic, and the carriers are offering more data services. This trend has been continuing for several years, and digital data traffic is predicted to grow at a much faster rate than voice traffic for the foreseeable future. Because of the increased number of PSN data services (e.g., Cellular Digital Packet Data [CDPD], Frame Relay, Switched Multimegabit Data Services [SMDS]), gateways to existing data networks (such as the Internet) will be standard components in the PSN architecture. This allows customers the option of sending traffic to other networks and increases the value of the PSN data service to the customer. Every major telecommunications carrier has connections to the Internet, and a carrier's gateway machine to the Internet may be only a single network gateway away from its corporate network or a PSN network element. (NETFIRE2) Therefore, the increase in use by the NS/EP community and NS/EP service providers leads to a growing need to address Internet security and the unique threats associated with the Internet.

An important example of these trends is the new CDPD network service being planned by the cellular telephone industry. This service overlays a packet data network on top of the existing cellular transport infrastructure, providing customers the ability to use a standard, widely available service for wireless connectivity. The cellular industry plans to implement CDPD by installing data switches (called mobile data intermediate systems [MD-IS]) in their cellular networks. These MD-ISs will be interconnected via public packet switched networks, such as the Internet. (NSSOG994) This represents the first time that PSN switching equipment will be directly connected to the Internet.

The expected threats against the MD-ISs will likely be higher than ever experienced by traditional telephone switches. Current Internet protection strategies, such as firewalls, are not effective in protecting MD-ISs. Firewalls are designed to restrict the types of traffic allowed from external networks to internal systems, but a CDPD MD-IS is specifically required to route all types of traffic to and from mobile terminals. Thus, an MD-IS is conceptually similar to an Internet router, rather than an Internet host system, and current firewall technology is not designed to protect intermediate systems or routers.

Another reason for the NS/EP community to be concerned about vulnerabilities exploited by electronic intruders on the Internet is that these vulnerabilities are present in any TCP/IP network. Service providers are increasingly relying on TCP/IP protocols to operate their internal corporate networks, manage their network resources, and provide OAM&P functions to large customers. Several carriers presently offer SS7 interconnection to customers via a TCP/IP link from a UNIX-based workstation. Although this TCP/IP link is a dedicated line, an intruder who can access the customer's gateway can exploit all TCP/IP vulnerabilities and may be able to access the SS7 network.

3.1.2 X.25 Data Networks. Although newer and faster protocols (e.g., Frame Relay and ATM) are being implemented, X.25 networks still support many carriers' network systems. Indeed, many carriers' corporate networks run on the X.25 protocols. Carriers' corporate networks have been a fertile ground for exploitation by computer intruders. One of the characteristics of switches, OAM&P systems, and other network elements is that they are highly interconnected via carriers' internal corporate networks. This connectivity provides remote access to network elements for network engineers, technicians, craftsmen, and other legitimate users. Remote access to network elements is a double-edged sword. Providing remote access to legitimate users enables carriers to reduce operating costs, but it also provides many intrusion opportunities for computer intruders.

Because important systems reside on carriers' corporate networks, significant security provisions are normally implemented. However, these security measures are usually employed around the perimeter of the network at dial-in ports and gateways. When legitimate users or computer intruders pass these perimeter security points, they can attempt to connect to a wide variety of network elements and other resources.

Some of the types of systems accessible over corporate networks are billing systems, service provisioning systems, engineering systems, maintenance systems, switches, network management systems, database systems, signaling control points, signaling transfer points, digital cross-connect systems, and administrative systems. All of these systems have experienced intrusions by electronic intruders. (PHRACK26, NSTF92)

Electronic intruders have shown a great deal of interest in X.25 networks. Entire X.25 public packet switch networks have been compromised. (IVPC94) Intruders from the computer underground have routinely exchanged network user identifications (NUI) and network user addresses (NUA). (SWEDISH92, PHRACK18, HACKGUIDE) Legitimate diagnostic tools have been modified by intruders to monitor communications and to attack network management and maintenance operations. Tutorials on how to use and modify these tools have been distributed throughout the computer underground. (PHRACK42, 2600WI92)

Electronic intruders have also demonstrated skills related to the direct manipulation of data network devices, such as packet assembler/disassemblers (PAD) and packet switches. Through the compromising of these elements, intruders have intercepted and monitored traffic data, including OAM&P sessions, and they have targeted network elements. (IVPC94, PHRACK42, 2600WI92)

The threat to X.25 networks from electronic intruders is difficult to quantify. Intruders have successfully compromised entire X.25 networks. As the required skill set spreads through the computer underground, attacks become more widely distributed, and considerable attention should be given to the threat posed by electronic intruders to these networks.

Other packet switched networks are being developed to meet the demand for broadband applications. As will be discussed later in this section, the skills acquired by intruders on X.25 networks may prove to be useful in attacking these newer technologies.

3.2 International Gateways

One of the characteristics of electronic intruders is their ability to identify new uses for older intrusion tools. One such tool is the blue box. The blue box is a device that generates the dual tone multifrequency (DTMF) and single frequency tones used by operators to seize, control, and release trunks on in-band signaling networks, thereby allowing the user to place fraudulent calls. The use of the blue box has declined over the past several years due to the increase in out-of-band signaling networks.

However, intruders continue to use blue boxes, and recently this use has increased. This rise in blue boxing activity is due to the dissemination of information about the analog network used for international network connections: CCITT Signaling System 5 (also called CCITT-5 or C5). This protocol is still used for signaling between international gateways. Much like other analog systems, C5 networks are controlled by tones that seize, control, and release trunks. The C5 networks are often accessed via toll free "country-direct" numbers.

Electronic intruders are disseminating information on how to abuse C5 networks. Intruders have spread detailed explanations of the C5 protocol and the functionality of C5 operations, and they have exchanged information about the tones needed to abuse the C5 network. The potential for fraudulent activity has been discussed in the computer underground. (2600SP94, CDUGD91, DUTCH)

The abuse of C5 networks may serve as a means for more furtive activities than simply placing fraudulent calls. Using these networks, intruders can weave through the voice network across international borders. For example, an intruder in Detroit can call New York via England, Japan, and Chile. The intruder only needs to have knowledge of the tones that manipulate the switches on the C5 network, the amount of time each tone is sent (which can differ from country