
Internet, key computer systems vulnerable to cyber attack, say experts

by Nikola Strahija on December 26th, 2002

The war on terror and the prospect of hostilities with Iraq have the sentinels of cyberspace bracing for trouble. Experts say it's only a matter of time before someone mounts a concerted, politically motivated attack on the Internet or a piece of computer-dependent infrastructure such as the electrical grid.


Despite growing security awareness, especially in the wake of the Sept. 11, 2001, terrorist attacks, many critical systems remain open to intrusion and disruption, authorities in both the private and public sectors agree.

"The problem at this point is that the vulnerabilities are so numerous one has a hard time trying to decide where to start," said Andrew McAllister, director of cyber protection at the federal Office of Critical Infrastructure and Emergency Preparedness.

There's no published evidence such a strike has taken place yet and some experts believe cyber attacks remain more of a nuisance threat for now.

The Canadian Security Intelligence Service, responsible for assessing the cyber threat, won't reveal which potentially hostile groups or countries have the capability.

A July 2001 CSIS report, citing U.S. sources, included Iraq on a list of countries developing the ability to mount "information operations."

But it's inevitable a terror group or hostile state will try something, said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College in New Hampshire.

"Frankly, I've been a little bit surprised that we haven't seen something yet from Al Qaeda or one of its sympathizers because of the ease and low cost of doing it," he said. "That's why I do believe it's just a matter of time."

Vatis was the first director of the U.S. National Infrastructure Protection Centre, founded in 1998 and under FBI control before becoming part of the new Department of Homeland Security.

The centre served as a model for McAllister's two-year-old agency, which operates under the Department of National Defence.

It's true, said Vatis, that to date cyber attacks have added up mostly to costly disruptions of e-commerce and Web vandalism by what McAllister called "hacktivists."

Vatis said he doesn't even use the term cyber terrorism because it's misleading.

But a study that Vatis did in the wake of Sept. 11 found cyber attacks increased concurrent with political flare-ups in the Middle East, between India and Pakistan and the war in Kosovo.

Vatis said he believes hostile countries may be more of a threat than terrorists.

"I think it really behoves the U.S. and its allies to prepare for the eventuality of cyber attacks against us, especially when we engage in any sort of conventional military action or response in cyberspace," he said.

The redundancies built into critical systems make it hard for any one cyber attack to bring a country to its knees, David Charters of the Centre for Conflict Studies at the University of New Brunswick has said.

But the tools for cyber attacks are readily available for terrorists or others who want them.

"I don't think we know enough to say whether they have it now or not, given the ease with which the capability can be acquired by anybody," said Vatis. "You can literally go and download the capability from a hacker Web site."

One of the most serious recent attacks occurred in October, knocking out three of the world's 13 Internet domain-name root servers, which verify Internet addresses for Web surfers.

Traffic was rerouted to backups but the Internet could have been crippled if more of the servers had been shut down.

There are between 65,000 and 70,000 virus and malicious code threats worldwide, said Vincent Gullotto, senior director of research at anti-virus software-maker McAfee.

Gullotto said the purveyors are still largely traditional hackers out to make a name for themselves.

"We haven't really seen anything from my perspective that purely says Al Qaeda's been involved or somebody that works for some fundamentalist group," he said.

"We have seen virus writers add into their mix here and there some political statement."

But governments and corporations are reluctant to publicize serious attacks, Gullotto added.

"If someone from Al Qaeda has found a way to hack themselves into some Department of Defence operation, we're not going to hear about that," he said.

One ominous trend has been a change in the origin of attacks, said John Gantz, chief research officer for Boston-based IDC Inc., an information-technology consulting firm.

Until a year ago, about 60 per cent of intrusions into corporate systems came from inside - disgruntled or larcenous employees. Today it's reversed.

"We basically believe a war with Iraq will galvanize the hacker parts of the terrorist factions," said Gantz.

System security has become the No. 1 priority among chief executives, he said, and spending on security-related software is the fastest growing area of information technology.

"Security is now becoming more important than usability," added McAllister.

But he said the problem is computer networks have evolved with openness in mind.

"You'd assume hopefully that nobody else would want to do anything bad to your system," said McAllister. "We can no longer make those assumptions.

"So now we're stuck with systems that have been developed and written for usability, openness and remote access. The question is, who's remotely accessing your system now?"

McAllister agreed that it takes a highly skilled person to do serious damage but said the expertise is spreading rapidly.

"It only takes one to show up in your Internet back yard to really ruin your day," he says. "So really what we're finding is it's not a question of if, it's a question of when."

The approach to defending against such attacks worries the experts.

As recently as last July, the U.S. General Accounting Office - similar to Canada's auditor general - warned of "pervasive weaknesses" in federal information security.

"Because of our government's and our nation's reliance on interconnected computer systems to support critical operations and infrastructures, poor information security could have potentially devastating implications for our country," Robert Dacey, the office's director of information security, told a congressional hearing.

That interconnectedness links government and industry and spans borders, McAllister noted.

"Everything's so interdependent now that the ripple effect of an event in one sector or one set of services has a more profound impact on other services now," he said.

Key sectors, such as banking and air-traffic control, may have hardened computer systems but other industries may not be doing all they should, said Gantz.

"One of the fastest-growing software package areas is intrusion detection," he said. "They're putting in the software but they're still not necessarily manning a desk 24-7 to see if there is an intrusion."

Vatis said tracing and countering cyber attacks also becomes more difficult outside the small group of developed countries such as Canada, Britain and the United States that traditionally work together.

"As Internet use increases much more rapidly in developing countries, for instance, I fully expect to see that problem of non-co-operation grow significantly," he said.

---

Some types of cyber threats:

Web defacement and semantic attack: Often politically motivated, vandalizing Web sites or subtly changing Web page content with false information.

Domain-name service attack: Interfering with domain-name servers that verify Internet addresses and connect Web surfers to sites, redirecting them to incorrect or counterfeit sites.

Distributed denial of service attack: Common hacker attack that swamps system with information requests, dangerous if highly co-ordinated against key infrastructure such as banking, communications and transportation.

Worms: Often harmless attacks that exploit weaknesses in software but considered a cheap method of delivering a destructive attack if necessary.

Attacks on routers: Routers are the Internet's traffic cops. Systems considered less vulnerable than other computers but lack of diversity leaves them open to knockout punch if attacker can find a flaw.

Infrastructure attacks: Vulnerabilities of systems that control financial institutions, voice communications, electrical grid or water distribution not well understood.

(Source: Cyber Attacks During the War on Terrorism, by Michael Vatis)

-

Some public Web sites dealing with cyber threats:

www.ocipep.gc.ca - Federal Office of Critical Infrastructure and Emergency Preparedness, which co-ordinates responses to natural and man-made disruptions of key services.

www.nipc.gov - National Infrastructure Protection Centre, the U.S. counterpart of OCIPEP.

www.cert.org - Computer Emergency Response Team, a clearing house for cyber threats and responses, which is operated from Carnegie Mellon University in Pittsburgh.

www.cancert.ca - Canadian adjunct to CERT.

www.incidents.org - Internet and industry collaboration on security issues.

www.wildlist.org - Regularly updated list of viruses and cyber threats.

- article available at http://www.canada.com -

