Net espionage stirs Cold-War tensions

[InfoSec News <isn () c4i org>]

http://www.zdnet.com/zdnn/stories/news/0,4586,2780523,00.html?chkpt=zdnn_rt_latest

By Ted Bridis
The Wall Street Journal Online 
June 27, 2001 5:38 AM PT
 
WASHINGTON -- Fears of Cold War tensions are finding new life in
cyberspace, as the threat of Internet espionage shifts the nuclear-age
doctrine of "mutually assured destruction" to that of mutually assured
disruption.

In one long-running operation, the subject of a U.S. spy investigation
dubbed "Storm Cloud," hackers traced back to Russia were found to have
been quietly downloading millions of pages of sensitive data,
including one colonel's entire e-mail inbox. During three years, most
recently in April, government computer operators have watched--often
helplessly--as reams of electronic documents flowed from Defense
Department computers, among others.

The heist is "equivalent to a stack of printed copier paper three
times the height of the Washington Monument," says Air Force Maj. Gen.
Bruce Wright of the Air Intelligence Agency.

China and Russia pose the deepest threats because their technology
research is the most advanced, U.S. officials say. But some senior
officials worry that it doesn't take a superpower to hack into a
nation's sensitive computer networks. Moreover, there are complicated
legal issues about how and when to launch counterstrikes.

A teenager or a terrorist?

It is often impossible for government or corporate victims to know
whether an attacker is a teenager or terrorist, a rival company or a
foreign government--and those distinctions make all the difference in
how the U.S. government reacts. Even in the Storm Cloud case,
officials can't answer for certain whether a foreign government or
rogue hackers are involved.

Both pose dangers. A federal advisory panel, the Defense Science
Board, reported in March that the Pentagon "cannot today defend itself
from an information operations attack by a sophisticated, nation-state
adversary." Security testers at the Pentagon's National Security
Agency routinely hack into U.S. military networks--and without the
Pentagon noticing 99 percent of the time, the board found.

But the Central Intelligence Agency says hacking by foreign
governments, as opposed to individuals, is the biggest threat. "Only
government-sponsored programs are developing capabilities with the
future prospect of causing widespread, long-duration damage to U.S.
critical infrastructures," says Lawrence Gershwin, head of the CIA's
intelligence on technology. He calls terrorists, for example, a
"limited" Internet threat. "Bombs still work better than bytes."

The Storm Cloud case, which involved several military and
law-enforcement agencies and descended from an FBI investigation
called "Moonlight Maze," isn't the only illustration of the threat
from overseas. After a U.S. spy plane collided with a Chinese jet in
May, Chinese activists vandalized or shut hundreds of U.S. Web sites,
including that of the White House. Last fall, a hacker accessed
software blueprints at Microsoft Corp.; detectives believe the hacker
used software from Asia and transferred data back to an anonymous
e-mail account in Russia.

So far, the government's response has been disjointed; cooperation has
been slow to evolve among various U.S. agencies, corporations and
foreign governments. A 1998 presidential order made the Federal Bureau
of Investigation's National Infrastructure Protection Center the
"focal point" for collecting data about threats. But the FBI center
sometimes can't share information with the president's cyber-security
adviser unless the Justice Department approves. Meanwhile, the White
House budget office instructed agencies to report Internet attacks to
the General Services Administration.

The Storm Cloud case has highlighted all these issues. The attackers
often covered their tracks using a modified software tool called
"Loki," after a mischievous Nordic god; the software makes break-ins
look like innocent Web browsing. Victims include the Defense
Department's high-performance computer labs, where researchers use
some of the world's fastest supercomputers to predict how air flows
around a jet or how a missile penetrates armor. Weeks after the first
attacks, an insider newsletter at one lab, the Aeronautical Systems
Center at Wright-Patterson Air Force Base, conceded, "We accept that
we can never be completely secure." Investigators insist nothing
classified was stolen though the data were sensitive and commercially
valuable.

Suspicious file transfers tripped sensors at Wright-Patterson in early
1998. But it wasn't until months later, after intrusions into other
computer labs, that officials realized the attacks were connected. The
hackers were particularly clever: Officials found software sensors
inside federal computers that modified a private Web site in Britain
whenever new documents were available. The hackers would view the Web
site to see if it had changed and therefore didn't have to risk
detection by checking themselves.

Investigators believe hackers installed eavesdropping "sniffer"
software as early as 1997 at universities, including Louisiana State
University, in Baton Rouge, and the University of Cincinnati in Ohio,
where professors working on defense projects connect via the Internet
to military labs. The hackers then posed online as those professors to
steal data and pilfer more passwords. Only after the attacks were
noted were outside researchers instructed to use some encryption.

The Pentagon then ordered all defense employees to change their
computer passwords. The intruders even stole that memorandum,
investigators suspect, and accordingly changed the passwords for the
military accounts they had hacked.

Investigators traced the break-ins to three commercial
Internet-service providers in Moscow. But the riddle remained: Who was
at the keyboard? Russia's government, or rogue hackers? The State
Department last year formally pressed Russia--where laws subject
almost all electronic communications to government monitoring--for
help. A spokesman for Russia's intelligence service denies
culpability, adding that if the government had organized the hacking,
it would have done a better job hiding its tracks.

How to respond to attacks?

Such uncertainties raise crucial legal and diplomatic questions about
how to respond. When does the U.S. hack back, and how? If the hackers
are civilians, they are deemed "unlawful combatants" and criminals
under U.S. law. But if a government is involved, the U.S. would weigh
a retaliatory cyberstrike, says military spokesman Barry Venable.

The agency that chiefly defends the military's computers changed its
role this spring to include offensive attacks. It expects to triple
its staff to nearly 150 in the next two years, and a draft Pentagon
budget projects spending on computer warfare to increase by $400
million next year, and by $3.5 billion over the next seven years.
 
The FBI tried a similar hack-back approach. In April, a grand jury in
Seattle indicted two Russian computer experts accused of hacking into
dozens of U.S. banks and e-commerce sites, and then demanding money
for not publicizing the break-ins. FBI agents, posing as potential
customers from a mock company called Invita Computer Security, last
November had lured the Russians to Seattle and asked the pair for a
hacking demonstration. The agents secretly recorded every keystroke
with commercial software available to anyone for $99.

Days later, using one man's password, "cfvlevfq," the FBI connected to
the Russians' own computers overseas and downloaded 781 megabytes of
data. Only then did they obtain a search warrant for the files. A U.S.
judge condoned the tactic in a pretrial ruling, partly because the
searched computers were in Russia.

Sen. Robert Bennett, a Utah Republican who is one of Congress's
technology experts, says the ability to counterstrike should help
discourage serious attacks from those who can be hit back. "The U.S.
is the most vulnerable society because we're the most wired in the
world," he said. "On the other hand, we're probably the most capable
to wage this kind of warfare if someone were to provoke us."




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.