This section describes the variety of electronic intruders and the skills and techniques these intruders have demonstrated to gather and exploit information. The 1993 edition of this report discussed the computer underground in detail, including their means of communication, group structures, and publications. Because of all the media coverage on the computer underground in recent months, much of the detail has been removed from this report. This section focuses on the types of electronic intruders most likely to threaten NS/EP telecommunications.
Electronic intruders with malicious intent can be members of the computer underground, coerced or disgruntled employees, industrial spies, foreign intelligence services, or any combination thereof. Intruders from these groups use similar techniques, but motivations and resources vary from group to group. Consequently, intruders from each of these groups may work with or employ intruders from other groups (see Exhibit 2-1). Indeed, a malicious intruder may not be associated with any particular group: renegade intruders may have no ties to the computer underground, insiders, industrial spies, or foreign intelligence services. Renegade intruders with malicious intentions have similar motivations, however, to members of the previously mentioned groups. These four groups are used to categorize the various motives of malicious electronic intruders. It is important to also note that users, authorized or unauthorized, whose intentions are not malevolent can still disrupt or deny network services through ignorance or mistakes.
EXHIBIT 2-1 Categories of Potentially Malicious Electronic Intruders
Identifying an intruder's group affiliation or motivation is difficult. As mentioned previously, intruders of different groups may work together, which helps to mask the true motive behind specific attacks. It is also possible for an intruder to function as a member of more than one group. Therefore, identifying the true motive of the intruder is difficult, if not impossible. (CSL0394)
From data written about and by electronic intruders, it is apparent that they remain active. However, law enforcement activity has driven members of the computer underground further into seclusion. Several prominent intruders have been arrested and prosecuted for penetrating telecommunications and computer systems. These arrests may have helped deter casual electronic intruders from attacking the network.
Unfortunately, successes in prosecuting computer criminals have made finding the elite intruders more difficult. Computer criminals are divulging less information about themselves and their activities. The intruders appear to be developing increasingly surreptitious attacks, making the collection of evidence more complicated. Electronic intruders move freely over state or international borders, and they perform their tasks without gaining physical access to systems. These factors make it more difficult to detect intrusions. When intrusions are detected, it is difficult, if not impossible, to track down and prosecute those involved. As elusive attack methods are perfected, the possibilities for more elaborate and covert attacks increase.
2.1 Skills and Techniques
Electronic intruders have demonstrated a variety of methods for gathering and exploiting system information. These methods range from nontechnical activities to highly sophisticated software-based attacks. Exhibit 2-2 outlines the basic stages of the electronic intrusion threat. These stages and examples are discussed in a general manner throughout this report. The gathering of system information is an initial step preceding actual attacks (see Section 2.1.1). When information about a system is gathered, intruders attack the system by any of three means: monitoring the system, penetrating the system, or planting code or false information in the system (see Sections 2.1.2, 2.1.3, and 3.0). These three types of attacks can result in four types of effects: unauthorized monitoring and disclosure of sensitive information, unauthorized modification of network databases/servers, denial or disruption of service, or fraud or financial loss (see Section 4.0).
EXHIBIT 2-2 Stages of the Electronic Intrusion Threat
2.1.1 Basic Information Gathering Activities. There has been much information written about the more basic methods electronic intruders employ to gather information about various systems. The use of these tactics is still commonplace; even established intruders continue to use the tried and true basic methods. (TD14-315, 2600WI93, CUD614) These methods are summarized below:
"Dumpster Diving" or "Trashing." This brazen activity is often undertaken by the newer or younger intruders as a quick way to gather information about a company or a network by sorting through the victim's trash. This has proven to be an effective method because of the widespread assumption by employees that once something has been thrown away, no one else sees it. Intruders have found discarded account names and passwords, personal information, and other potentially sensitive information. (MTRASH, TAOTRASH, BELLTRASH, TRASHTECH) The value of one's trash to unauthorized users should not be underestimated.
Social Engineering. A social engineer attempts to deceive an unwary victim by assuming a false identity, usually that of a network administrator, security manager, craft employee, or other person privy to sensitive information. This tactic is effective due, in part, to employees' willingness to help, coupled with a lack of awareness of such methods. Social engineering should be taken seriously because valuable data (such as passwords, personal information, company proprietary information, and dial-in numbers) have all been obtained by this method. (R&ROP, SOCENG89, UNLISTED, CUD513)
War Dialing. War dialing is the practice of using a modem to call all numbers within an exchange or within a range of numbers to locate other modem lines. After these modem lines have been identified, intruders call these numbers to identify the computer system supporting the modem. When interesting systems have been identified, the numbers are usually disseminated to other intruders.
Physical Break-ins. A less common, but extremely effective, information gathering tactic is the physical break-in to carrier or service provider sites. The most notable example is the alleged break-in by Kevin Poulsen, who is said to have entered local exchange carrier (LEC) offices and stolen equipment, software, identification badges, and other miscellaneous items. (UMPOULSEN) When an intruder successfully breaks into a site, the intruder has direct access to various systems and can find system information. Despite the ever-present danger of arrest, electronic intruders seem to actively use this method. (PHRACK32, PHRACK21, PHRACK2, IHA191, PHRACK43, THEFT)
2.1.2 Sophisticated Software Skills and Techniques. The more knowledgeable intruders have developed software tools for a variety of missions. Many of these sophisticated tools are widely available to any intruder at any skill level. Software tools, such as war dialing programs and password crackers, are available to all electronic intruders via the Internet and computer bulletin board systems.
A different genre of software tools is being used increasingly by electronic intruders. These tools are often custom developed by computer underground members; they are frequently distributed with both source and object code, allowing for quick and easy modification to suit specific tasks. The most dangerous type of this software is new or modified code, or malicious code, which the electronic intruders plant surreptitiously inside network elements. These small programs can be written to function like software viruses, worms, or trojan horses.
The genre of software viruses, worms, and trojan horses has been discussed in great detail in other forums, but it is important to mention it here. Although most reports of these types of software attacks relate to microcomputers and not network elements, the principles are similar. There are indications that many electronic intruders have extensive knowledge of viruses, worms, and trojan horses. Some have authored viruses and trojan horses for mini- and microcomputer platforms (PHRACK23, PHRACK25), and virus writing competitions have been advertised in the computer underground. (CUD521) Trojan horses have also been found in certain PSN network elements. (IVPC94) If the software attack is delayed (i.e., programmed to execute at a later date), the infected code may be copied onto the system back-up mechanisms before anything appears to be wrong. Removing the infected code in this case would normally involve restoring the system from the manufacturer's original system tapes and then rebuilding the system's operating data, resulting in substantial downtime.
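The reasoning above, that a delayed attack silently propagates into every backup taken after it is planted, is illustrated by the following simulation. It is an added example, not part of the report or of any vendor's tooling; the switch file names, the backup rotation and the "vendor image" are constructed, and the only trusted reference is a hash manifest built from that original image rather than from any backup.

```python
import hashlib
from copy import deepcopy

def digest(data: bytes) -> str:
    """SHA-256 of a file's bytes; stands in for the hash recorded in an integrity manifest."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the manufacturer's original system tapes (hypothetical file names).
VENDOR_IMAGE = {
    "switch/call_proc.bin": b"call processing v3.1",
    "switch/maint.bin": b"maintenance interface v3.1",
    "switch/trunk_tbl.dat": b"trunk table 1994-03",
}
# Trusted baseline: one hash per file, computed from the vendor image alone, never from a backup.
VENDOR_MANIFEST = {name: digest(data) for name, data in VENDOR_IMAGE.items()}

def modified_files(snapshot: dict, manifest: dict) -> list:
    """Files in a backup snapshot whose hash differs from the baseline, plus baseline files
    that the snapshot lacks. An empty list means the snapshot is a faithful vendor image."""
    bad = [name for name, data in snapshot.items() if manifest.get(name) != digest(data)]
    bad += [name for name in manifest if name not in snapshot]
    return sorted(bad)

def newest_clean_backup(backups: list, manifest: dict):
    """Day of the most recent retained backup that matches the baseline in full, or None
    when every retained backup already carries the modification (restore from vendor media)."""
    for day, snapshot in sorted(backups, key=lambda b: b[0], reverse=True):
        if not modified_files(snapshot, manifest):
            return day
    return None

def simulate_backup_rotation(plant_day: int, days: int, keep: int) -> list:
    """Constructed scenario: nightly backups of a switch image. From plant_day onward one
    binary carries a dormant change that nothing executes yet, so the system keeps running
    normally and the change is copied into every later backup. Only the last `keep`
    backups are retained, as a rotation scheme would do."""
    image = deepcopy(VENDOR_IMAGE)
    backups = []
    for day in range(1, days + 1):
        if day == plant_day:
            image["switch/maint.bin"] += b" +dormant change"  # inert until its trigger date
        backups.append((day, deepcopy(image)))
    return backups[-keep:]
```

With a seven-day retention the check still finds day 3 as the last clean backup; with a three-day retention every retained backup is already modified and the only clean source left is the vendor image, which is the downtime case the report describes.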
In 1990, several members of the Legion of Doom's (LOD) Atlanta branch were arrested on charges of penetrating and disrupting telecommunications network elements. Federal agents accused the LOD members of planting a series of destructive "time bomb" programs in network elements in Denver, Atlanta, and New Jersey. These time bombs were designed to shut down major switching hubs, but were defused by telephone company employees before they caused damage. (WSJ082290)
Currently, there have been few other documented cases of surreptitious code being planted in PSN network elements. However, the required skill sets are well developed in the computer underground and could be applied to the PSN. This is significant because of the potential damage that could result from such an attack.
An equally significant technique gaining popularity in the electronic intruder community involves modifying legitimate software tools stolen from telecommunication carriers and equipment manufacturers. At least four well-publicized incidents illustrate this problem:
Kevin Mitnick, a.k.a. Condor, was arrested and prosecuted in 1989 for stealing more than $1 million in source code from Digital Equipment Corporation (DEC), modifying it to add "trap doors," and attempting to copy it back to DEC's development computers. He was also prosecuted for breaking and entering into telephone company facilities. (MITNICK4, HAFFNER91)
Herbert Zinn, a.k.a. Shadow Hawk, was arrested as a juvenile in 1987 and subsequently prosecuted for breaking into AT&T computers and stealing source code for digital switches worth hundreds of thousands of dollars. (COOK90, TNS10)
Legion of Doom indictments, handed down in the aftermath of the BellSouth Enhanced 911 (E-911) cases in 1989, charged that LOD members unlawfully accessed BellSouth computers and stole proprietary source code and software tools. (LODINDICT90, PHRACK24, CUD421)
Leonard Rose, a.k.a. Terminus, was prosecuted in 1990 for possessing stolen copies of source code for AT&T's UNIX operating system. The source code in Rose's possession had been modified to defeat security features. (POST32391, BARLOW90)
In these four cases, no PSN element was compromised by planting modified source code of element software. However, there have been reports that the members of the electronic intruder group, Masters of Disaster (a.k.a. Masters of Deception, a.k.a. Masters of Destruction, or MOD) (see Section 2.2), accessed several carriers' computers and "modified or otherwise corrupted" programs. (PHRACK40) The level of threat in this area warrants attention because these cases demonstrate the skills necessary to target PSN elements.
A slightly different twist on this threat occurred in several less publicized incidents in which electronic intruders stole source code to network management, maintenance, or engineering tools and used it to attack the network. This threat has been especially prevalent in X.25 packet switched networks because X.25 software tools are easily available. (PHRACK31, PHN02-04) Tutorials on how to use and modify these tools have been distributed throughout the computer underground. (PHRACK42) The level of threat in this area is difficult to quantify; however, because of the electronic intruders' improving skills and the growing dissemination of these tools, the threat is significant.
A highly sophisticated form of software attack, known as a programmed attack, has been detected several times in various networks and is considered to be on the leading edge of intrusion activities. These attacks rely on highly customized software programs that target specific types of computers or network elements. Little data has been gathered on these attacks because they are seldom detected. It is significant that these programs are almost never destructive or disruptive; they apparently seek to modify or add services rather than "crash" systems. Another apparent purpose for programmed attacks is to gather information. These programs normally attack using pre-existing accounts, so they can be assumed to be the result of significant prior effort on the electronic intruder's part.
The capability illustrated by this category of attacks has not fully matured. However, if a coordinated attack using these types of tools were directed at the PSN with a goal of disrupting NS/EP telecommunications, the result could be significant.