
Thursday, May 26, 2011

Is Obama Planning to Lose World War III?


In a cyberwar fought in an Internet-driven, overconnected world, things get turned upside down. The best offense is a defense. If a cyber-attacker disables your military command and control system, shuts down and catastrophically damages your power grid, makes your telecommunication system non-functional, and cripples your financial system, there isn’t much left to fight with.

Think of what the state of the country would be without these systems. Without power and telecommunications, there would be no logistic systems, supermarket shelves would be empty, credit cards wouldn’t work and money would be unavailable from ATM’s. Water would stop flowing to your home, and since gasoline would be unavailable from electric powered pumps, your car would not work. Among the other systems subject to attack: pipelines, sewage, and water supply. You get the idea.

If President Obama and the rest of our nation’s leaders aren’t actively implementing our cyber-defenses, they are implicitly planning to lose World War III.

For a long time I thought the idea of software designed to cause great physical damage to systems was fanciful. Then I came across a story in Thomas C. Reed’s 2004 book, At the Abyss: An Insider’s History of the Cold War. Reed was a former Secretary of the Air Force and told a story about a massive, three-kiloton explosion of a Soviet pipeline, the most massive non-nuclear explosion ever observed from outer space.

According to Reed, Russian agents stole software used to control the pipeline. As it happened, the CIA had anticipated the theft and deliberately programmed the software to go haywire. Sure enough, in 1982, when the Soviets deployed the stolen software, the pumps kept pumping while valves were shut, producing pressures in excess of what the pipeline joints and welds could stand. The massive explosion soon followed.

I certainly hope there will never be a third world war, but I know there will be an increase in cyber-warfare, cyber-terrorism, cyber-crime, and cyber-vandalism. One only has to read the newspapers to be convinced that such incidents are on the rise.

In early 2007, Estonia came under cyber-assault. Estonia is one of the most Internet-dependent countries in the world. Ninety-six percent of its banking transactions are online. Citizens pay for parking using their cell phones. The attacks first targeted government sites and then were used to knock news sites offline. They culminated on May 10 when Hansabanka, the country’s largest bank, was forced to shut down its online operations, shutting down ATMs and severing the bank’s connections to the rest of the world.

South Korea has been attacked on numerous occasions. In 2009 a series of DDOS (Distributed Denial of Service) attacks were launched against government, news media, and financial web sites. More attacks occurred early this year. The April 12 attack paralyzed the Nonghyup Bank network for a week. The attacks were believed to have originated from North Korea.

On April 19, 2011, Sony began investigating a cyber-attack that was a “very carefully planned, very professional, highly sophisticated criminal cyber-attack designed to steal personal and credit card information for illegal purposes.” Sony discovered that credit card data and email addresses had been stolen from 77 million user accounts. Further investigation revealed that information was stolen from another 24.6 million online gambling accounts.

These assaults take two general forms. The first are attacks from the outside and usually take the form of DDOS (Distributed Denial of Service) attacks. In these attacks, an unauthorized remote user seizes control of thousands of computers and orders these “zombies” to flood websites with millions of messages. The overloaded systems become saturated and can no longer carry out routine operations. This type of attack brought down the Hansabanka and Nonghyup Banks.

The second form of attack is far more dangerous. The attacker gets inside the system and seizes control of the system operation or disables the system. The attacker may plant a “logic bomb” that will wake up on command or at some time in the future and might erase the system or perform some function that will injure the system under its control.

Stuxnet is a worm that was introduced into the Siemens programmable logic controllers at the Natanz uranium enrichment facility in Iran. It is believed the worm rapidly cycled the centrifuges to 1410 cycles per second and then slammed on the brakes, slowing them to 2 cycles. The rapid deceleration tore centrifuges apart. The same type of logic controller is used in numerous SCADA (Supervisory Control and Data Acquisition) systems in nuclear power and chemical plants. In a nuclear plant, such a logic bomb could cause a meltdown.

It is also possible for an attacker to use software trap doors to seize control of a command and control system and cause it to issue orders. In this scenario, troops might be ordered to attack the wrong target.

We are planning to lose World War III because we are unwilling to aggressively confront the cyber-defense issue. Confronting it is inconvenient, costly, involves regulation, and gives the government a potential window into our private lives.

But in an overconnected Internet-driven world, we must think about our current systems differently.

Here’s the problem we face: The Internet was never designed to be secure. It was designed by academics to serve the needs of trusted colleagues. While it will be impossible to make any system no matter how carefully conceived entirely secure, it is inconceivable that the existing Internet and systems based on it can be made more than marginally secure. This is not to say that the security of these systems cannot be improved.

The current activity of cyber-criminals offers convincing evidence that existing systems can be easily penetrated, and many of those systems have already been compromised. Infected computers and portable memory devices may have already introduced malware to numerous existing systems. The structure of the Internet makes it virtually impossible to identify the source of a well-executed attack.

My guess is that we can improve existing systems enough so they can continue to serve the Public and Private system users but that the current system can never be made secure enough to protect Secure and Mission Critical systems.

It is critical that we protect to the highest degree possible our Mission Critical systems. Among them are military command and control systems, systems controlling financial networks and the transfer of money within the network, and networks that control our electric power. And, to a lesser extent, we need to protect other systems as well.

A few suggestions: We should consider physically disconnecting our Mission Critical systems from external networks. We should consider requiring all major ISPs (Internet Service Providers) to install the capability to do deep packet inspection. In the case of a DDOS attack, these systems could quarantine the packets used to barrage and choke Internet systems. And we should give regulatory agencies the power to impose certain standards for cyber-security on businesses.

Doing these things will be expensive and create many inefficiencies. Many businesses will oppose these actions. Liberals and conservatives alike will worry about the potential loss of privacy and government intrusion into our lives that could result from the abuse of information collected with deep packet inspection. But realistically, it is hard to see many businesses and utilities going to the trouble and inconvenience of taking these types of actions unless they are forced to do so.

In an Internet-driven, overconnected world, power has become asymmetric. Small groups can do immeasurable amounts of damage with relatively small efforts.

Right now our country is the most vulnerable and most tempting target for cyber-terrorists and criminals. We have a highly developed physical and commercial infrastructure that is heavily dependent on the Internet. We cannot function if the Internet is shut down.

North Korea is possibly the country best positioned to attack us. They can launch cyber-attacks, but their national infrastructure is so primitive that there is nothing for a cyber-warrior to attack. Cyber-terrorists are in a similar position. They have no banks or power stations for us to disable.

Our Defense Department is probably in a position to launch the most devastating and comprehensive cyber-attacks of any nation. Unfortunately, those attacks will not do much to defend many of our important systems. Probably all of them are not secure enough to withstand a sophisticated assault.

So let’s get on with building the type of offense an Internet-driven, overconnected world requires. The new rule for that environment is “The best offense is a superior defense.” Relying as we currently do on having the best offense is a plan for losing World War III. Let’s start playing defense.

http://blogs.forbes.com/billdavidow/2011/05/24/is-obama-planning-to-lose-world-war-iii/

Tuesday, April 5, 2011

Anonymous Declares War on Sony
In Sony’s effort to pursue George “GeoHot” Hotz and other Playstation hackers to the ends of the earth (literally), they’ve poked the sleeping giant of Anonymous, the 4chan based hivemind who under the guise of “freedom of information” has now officially declared war on Sony, and has launched attacks ranging from bringing down their websites (and possibly the PSN) to publishing personal information of the executives.
The “press release” by Anonymous says things like “You have abused the judicial system in an attempt to censor information about how your product works” and more tellingly, “You saw a hornet’s nest, and you stuck your penises in it.”
But even though it may seem childish on the surface, Anonymous is not a group to be trifled with. They’ve taken on corporations before, most recently places like Bank of America, Paypal and a whole host of companies that decided to act against kindred spirit Wikileaks in various ways.
Yesterday, they took down Sony and Playstation.com, and the Playstation Network was non-functional most of the day. There’s no official confirmation that, despite claims of “routine maintenance,” this was actually because of Anonymous, but it seems like an awfully big coincidence if not. By taking down the service, Anonymous would presumably be trying to draw customers’ ire toward the company, as most wouldn’t know who was responsible for the outage.
But today there’s a new battlefront, as Anonymous has turned to start finding and publishing personal information about Sony executives. When the info is located, advice on the forums suggests to crank call them on Skype, place Craigslist erotic personals in their name and send their friends and loved ones “STD postcards” announcing a newly acquired disease. No one ever said they were mature, as often being straight up malicious overshadows the primary directive of the group. Nothing is sacred, and dueling with Anonymous is like trying to have a fistfight where your opponent kicks you in the groin, throws sand in your face and stabs you with a razor blade.
As of now, Sony.com and Playstation.com are online, and the PSN is back up almost everywhere. I agree that Sony isn’t handling this hacking disaster particularly well, but it’s hard to condone Anonymous’s tactics either.

http://blogs.forbes.com/insertcoin/2011/04/05/anonymous-declares-war-on-sony/

Monday, February 14, 2011

The cyberweapon that could take down the internet
A new cyberweapon could take down the entire internet – and there's not much that current defences can do to stop it. So say Max Schuchard at the University of Minnesota in Minneapolis and his colleagues, the masterminds who have created the digital ordnance. But thankfully they have no intention of destroying the net just yet. Instead, they are suggesting improvements to its defences.
Schuchard's new attack pits the structure of the internet against itself. Hundreds of connection points in the net fall offline every minute, but we don't notice because the net routes around them. It can do this because the smaller networks that make up the internet, known as autonomous systems, communicate with each other through routers. When a communication path changes, nearby routers inform their neighbours through a system known as the border gateway protocol (BGP). These routers inform other neighbours in turn, eventually spreading knowledge of the new path throughout the internet.
A previously discovered method of attack, dubbed ZMW – after its three creators Zhang, Mao and Wang, researchers in the US who came up with their version four years ago – disrupts the connection between two routers by interfering with BGP to make it appear that the link is offline. Schuchard and colleagues worked out how to spread this disruption to the entire internet and simulated its effects.

Surgical strike

The attack requires a large botnet – a network of computers infected with software that allows them to be externally controlled: Schuchard reckons 250,000 such machines would be enough to take down the internet. Botnets are often used to perform distributed denial-of-service (DDoS) attacks, which bring web servers down by overloading them with traffic, but this new line of attack is different.
"Normal DDoS is a hammer; this is more of a scalpel," says Schuchard. "If you cut in the wrong places then the attack won't work."
An attacker deploying the Schuchard cyberweapon would send traffic between computers in their botnet to build a map of the paths between them. Then they would identify a link common to many different paths and launch a ZMW attack to bring it down. Neighbouring routers would respond by sending out BGP updates to reroute traffic elsewhere. A short time later, the two sundered routers would reconnect and send out their own BGP updates, upon which attack traffic would start flowing in again, causing them to disconnect once more. This cycle would repeat, with the single breaking and reforming link sending out waves of BGP updates to every router on the internet. Eventually each router in the world would be receiving more updates than it could handle – after 20 minutes of attacking, a queue requiring 100 minutes of processing would have built up.
Clearly, that's a problem. "Routers under extreme computational load tend to do funny things," says Schuchard. With every router in the world preoccupied, natural routing outages wouldn't be fixed, and eventually the internet would be so full of holes that communication would become impossible. Schuchard thinks it would take days to recover.
"Once this attack got launched, it wouldn't be solved by technical means, but by network operators actually talking to each other," he says. Each autonomous system would have to be taken down and rebooted to clear the BGP backlog.

Meltdown not expected

So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.
An alternative scenario would be the nuclear option in a full-blown cyberwar – the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the internet while preserving the attacking nation's internal network.


Sitting duck

Whoever launched the attack, there's little we could do about it. Schuchard's simulation shows that existing fail-safes built into BGP do little to protect against his attack – they weren't designed to. One solution is to send BGP updates via a separate network from other data, but this is impractical as it would essentially involve building a shadow internet.
Another is to alter the BGP system to assume that links never go down, but this change would have to be made by at least 10 per cent of all autonomous systems on the internet, according to the researchers' model, and would require network operators to monitor the health of connections in other ways. Schuchard says that convincing enough independent operators to make the change could be difficult.
"Nobody knows if it's possible to bring down the global internet routing system," says Mark Handley, an expert in networked systems at University College London. He suggests that the attack could cause "significant disruption" to the internet, with an effect greater than the Slammer worm of 2003, but it is unlikely to bring the whole thing down.
"The simulations in the paper make a lot of simplifying assumptions, which is necessary to simulate on this scale," he explains. "I doubt the internet would behave as described."

http://www.newscientist.com/article/dn20113-the-cyberweapon-that-could-take-down-the-internet.html
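The waves of updates in the attack described in the article above come from one link repeatedly breaking and reforming. The standard BGP-side hygiene control against a prefix that flaps like this is route-flap damping (RFC 2439), which adds a penalty on each withdraw, lets it decay over time, and stops propagating the prefix while the penalty is high. The Python sketch below is an added example, not code from the paper or the article; it runs over a constructed update feed, and the threshold and half-life values are assumed illustrative numbers rather than any vendor's defaults.

```python
import math
from dataclasses import dataclass

# Simplified route-flap damping in the style of RFC 2439; the thresholds and
# half-life are assumed illustrative values, not any vendor's defaults.
PENALTY_PER_FLAP = 1000.0    # added each time a prefix is withdrawn
HALF_LIFE_S = 900.0          # seconds for an idle penalty to halve
SUPPRESS_THRESHOLD = 2000.0  # above this the prefix is held out of the table
REUSE_THRESHOLD = 750.0      # a suppressed prefix is readmitted below this

# Constructed sample feed: "<seconds> <peer> <WITHDRAW|ANNOUNCE> <prefix>".
# 203.0.113.0/24 sits behind a link that keeps breaking and reforming;
# 198.51.100.0/24 is withdrawn once and stays down.
SAMPLE_LOG = """\
0 peer1 ANNOUNCE 203.0.113.0/24
0 peer1 ANNOUNCE 198.51.100.0/24
60 peer1 WITHDRAW 203.0.113.0/24
90 peer1 ANNOUNCE 203.0.113.0/24
150 peer1 WITHDRAW 203.0.113.0/24
180 peer1 ANNOUNCE 203.0.113.0/24
240 peer1 WITHDRAW 203.0.113.0/24
300 peer1 WITHDRAW 198.51.100.0/24
2040 peer1 ANNOUNCE 203.0.113.0/24
""".splitlines()

@dataclass
class PrefixState:
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed: bool = False
    flaps: int = 0

def decayed(penalty, elapsed_s):
    """Exponential decay of a flap penalty over elapsed_s seconds."""
    return penalty * math.exp(-elapsed_s * math.log(2) / HALF_LIFE_S)

def process(lines):
    """Return per-prefix state and (time, prefix, 'suppress'|'reuse') events."""
    states, events = {}, []
    for line in lines:
        ts, _peer, kind, prefix = line.split()
        ts = float(ts)
        st = states.setdefault(prefix, PrefixState(last_update=ts))
        st.penalty = decayed(st.penalty, ts - st.last_update)
        st.last_update = ts
        if kind == "WITHDRAW":          # each withdraw is one flap
            st.penalty += PENALTY_PER_FLAP
            st.flaps += 1
        if not st.suppressed and st.penalty > SUPPRESS_THRESHOLD:
            st.suppressed = True        # stop propagating this prefix
            events.append((ts, prefix, "suppress"))
        elif st.suppressed and st.penalty < REUSE_THRESHOLD:
            st.suppressed = False       # penalty has decayed; readmit it
            events.append((ts, prefix, "reuse"))
    return states, events
```

On the sample feed the flapping prefix is suppressed at its third withdraw and readmitted only once its penalty has decayed, while the prefix withdrawn once is never suppressed; as the article notes, Schuchard's simulation found that existing BGP fail-safes do little against the full attack, so damping is baseline hygiene rather than a fix for it.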

Tuesday, November 9, 2010

EU runs first pan-European cyber-war simulation
In Thursday's exercise, codenamed 'Cyber Europe 2010', experts from all 27 EU states plus Iceland, Norway and Switzerland faced 'simulated attempts by hackers to paralyse critical online services in several EU member states,' a statement released in Brussels read.

http://www.monstersandcritics.com/news/europe/news/article_1596558.php/EU-runs-first-pan-European-cyber-war-simulation