OT: Think your computer is private? Guess again. Launching a Counteroffensive in Cyberspace

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

Launching a Counteroffensive in Cyberspace

Saturday, February 5, 2000; Page A3

LIVERMORE, Calif. -- Eric Thomas hacks into Jason Arnold's computer with a few simple keystrokes, sniffing Arnold's password, hijacking his online session and stealing all the data on his screen.

It's easy enough. Thomas launches the attack, an ingeniously malicious script of Czech origin that he's downloaded from the Internet, without Arnold ever knowing what hit him.

"I'm watching everything he's doing right now," Thomas says, peering at his computer screen. He types in another command and declares victory: "I've taken over his connection!"

As it happens, Thomas and Arnold are seated 10 feet apart here at the Northern California branch of Sandia National Laboratory, the nation's best-equipped computer attack simulation center. This is a place where it is quickly apparent that the thrust and parry between cyber-attackers and cyber-defenders has evolved further than non-experts may realize--and that the defenders are not as hapless as the American public may think.

Both Thomas, 20, and Arnold, 18, are students at San Jose State University with a flair for computers. And both are just the type President Clinton had in mind last month when he proposed a national scholarship program to train cyber-security experts in return for four years of public service once they graduate.

The two young men are part of the vanguard, already enrolled in Sandia's College Cyber Defenders Program, an initiative of computer security guru Fred Cohen. A principal member of Sandia's technical staff, Cohen, 43, is credited with inventing the computer virus as a graduate student at the University of Southern California in 1983. Like Clinton, he believes the current security environment is more precarious than ever, having spent the past 17 years pioneering defenses against all forms of cyber-attack.

The attackers are becoming bolder and more sophisticated, Cohen said, while most people using computers know little--and seem to care even less--about protecting their machines. "This disconnect between technology and how people behave is getting broader, not narrower," Cohen said.

But within the federal government, the picture is more encouraging. The Pentagon's computer defenses have improved by "an order of magnitude over the past five years," according to Cohen. While the government still makes its share of blunders in cyberspace, he said, its combined expertise for defending computer systems and waging cyberwar "is probably the best in the world--by a long ways."

Such prowess isn't always readily apparent, with hackers taking down federal Web sites with regularity and Clinton sounding the alarm about cyber-terrorism in his budget proposal for fiscal 2001, which contains $2 billion in computer defense initiatives.

But the Pentagon started funding the government's first computer emergency response team, or CERT, at Carnegie Mellon University 12 years ago after the so-called Morris "worm" was unleashed on the Internet and spread to 6,000 computers. Now most federal departments and agencies staff their own CERTs, the infantry in a growing cyber-security command structure.

At the FBI, the National Infrastructure Protection Center is responsible for fighting cyber-crime, taking many of its leads from CERTs throughout the executive branch. At the Pentagon, a newly created center in Arlington called the Joint Task Force-Computer Network Defense is responsible for coordinating all computer defenses throughout the military. And at the General Services Administration, the Federal Computer Incident Response Center plays the same role for all civilian computer defenses.

The price tag for these forces this fiscal year: $1.5 billion.

Cohen himself is a one-man computer defense conglomerate, beginning with an 18-member research staff on cyber-security he directs here at the California branch of Sandia, which has its headquarters in New Mexico.

Dressed in blue jeans and Birkenstocks, he explains that he developed the Cyber College Defenders Program for much the same reason Clinton proposed the $25 million scholarship program. "Ph.D. researchers are very expensive, they're hard to find, and the [national] labs don't pay as much as Silicon Valley," Cohen said. "It's build or buy these employees--and you can't buy them. So you have to build them."

The son of two physics professors, Cohen is also an adjunct professor at the University of New Haven in Connecticut and an expert in the nascent field of computer forensics--tracking digital crimes. And he runs a private consulting business, advising companies on how to protect their computer systems. One of his tactics is to show clients that they are theoretically vulnerable to attacks that could disable factories, cause chemical spills, or steal millions of dollars.

With such experience, Cohen is deadly earnest about the threat of cyber-war. He joined Sandia's technical staff, he said, because he saw "the potential for attacks on the critical infrastructure that could cost millions of lives and change the course of nations."

Lance J. Hoffman, director of the Cyberspace Policy Institute at George Washington University, said most experts believe it is only a matter of time before a disastrous computer assault takes place.

"The government does have resources in computer security and information assurance," Hoffman said. "But there is no such thing as perfect security. . . . I hope Congress does not wait until the aftermath of a cyber-disaster to take action."

In Sandia's cyber-defenders program, Cohen downloads attack programs posted on hacker Web sites and assigns his students to run them against a variety of operating systems, figure out how they work and devise ways to defeat them. The suggested defenses are then posted on the Internet. "Attackers share, but defenders don't share as well," Cohen said.

With the program nearing its first anniversary, students working part-time for $10 to $12 an hour have already modeled 400 attacks. Cohen has 1,800 more planned, and he figures his students will be caught up by the end of this summer, when the number of participants in the training program will double to 25.

One day last month, Corbin Stewart, 28, who has a degree in history and is studying computer science at Las Positas Community College, launched his 100th simulated attack, a script called seyon exploit.sh. It comes with a disclaimer: "Please use in a responsible manner." But seyon exploit.sh was written with unconcealed malice, designed to allow whoever launches the code to gain root access to an improperly protected Unix operating system.

"It's privilege expansion," Cohen said as Stewart fired away. "They become the super-user on your computer--they can read, write, modify anything. They can cause it to crash, they can use it to attack other computers, they can install sniffers, Trojan horses to get back in--it's all theirs." The threat, of course, is relative--and often grossly exaggerated, Cohen said.

Hackers launching seyon exploit.sh or other commonly available attack scripts could damage somebody's home computer or business server, Cohen said, but it is highly unlikely that they could bring down U.S. military networks.

Most hackers lack the expertise to penetrate sophisticated defenses or sustain their attacks, Cohen said. Hacking into a federal government Web site, he said, typically causes little more lasting damage than spray-painting a sign outside a government office.

But when Clinton said last month that "hostile powers and terrorists can now turn a laptop computer into a potent weapon capable of doing enormous damage," he was not, in Cohen's opinion, exaggerating at all. A hacker may not be able to disrupt the Northeast's power grid, Cohen said, but the Russian government--with legions of computer scientists, years of expertise and a sophisticated understanding of how power systems work--probably could, if it wanted to.

(c) 2000 The Washington Post Company



-- Carl Jenkins (Somewherepress@aol.com), February 05, 2000


Damn Carl! You're gonna put Hokie and Homer Beanfang out of business... 9 posts in a row! Good work, thanks. :-)

-- Hawk (flyin@high.again), February 05, 2000.

Make that 10 in a row... think that's a record!

-- Hawk (flyin@high.again), February 05, 2000.

FWIW, I found a neat little site out there that will check your Internet connections (and optionally probe your ports, if you're into that sort of thing):

Shields UP! -- Internet Connection Security Analysis

-- I'm Here, I'm There (I'm Everywhere@so.beware), February 05, 2000.
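The "probe your ports" check the post above points to, done locally. This is an added example written for this page, not Shields UP code and not anything posted in the thread; the port list is an illustrative assumption. One caveat worth knowing: Shields UP probes your address from the outside, while this script probes from wherever it runs, so against 127.0.0.1 it shows what is listening on the machine, not what a stranger on the Internet can actually reach. Run it from a second host to approximate the outside view, and only against machines you own.

```python
"""TCP port-exposure check (added example; not Shields UP code).

For each port the script reports one of three states, using the same
distinction port scanners draw:
  open     - a listener completed the TCP handshake
  closed   - the host answered with RST (connection refused), so nothing listens
  filtered - no answer before the timeout, typically a firewall dropping packets
"""
import socket
from typing import Dict, Iterable, List

# Assumed, illustrative list of ports worth checking on a home PC or small
# server; not taken from the original post.
COMMON_PORTS = (21, 22, 23, 25, 80, 110, 135, 137, 139, 443, 445, 1433, 3389)


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Attempt a full TCP connect to host:port and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            # e.g. no route to host or network down: the probe never reached
            # the target, so say so rather than guessing a port state.
            return "unreachable"


def scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Probe every port in `ports` and map port -> state."""
    return {p: probe_port(host, p, timeout) for p in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports that accepted a connection, i.e. services reachable from the prober."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target, COMMON_PORTS)
    for port in sorted(results):
        print(f"{target}:{port:<5} {results[port]}")
    print("exposed:", exposed_ports(results) or "none")
```

A full connect scan is deliberately used here instead of half-open (SYN) probing: it needs no raw sockets or root, and a completed handshake is unambiguous proof that something is listening. The `filtered` state is the one a personal firewall produces when it silently drops probes, which is what Shields UP calls stealth.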

Yeah, but can you trust this Shields Up guy??? The size of the file (20K) sounds suspiciously like the size of a "DIRT" file.

Need to know he isn't a Trojan Horse!!

-- Z (Z@Z.Z), February 05, 2000.

I am not part of this company and receive no benefits at all from this post, except that it may help a few of you people out there.

I went to shieldsup and found that yes, I had a few flaws. What I didn't like (I was on a cable modem) is that periodically my hard drive light would light up and I would hear disk activity. I was sure someone was hacking me, but had no way to tell.

So, I stumbled across www.networkice.com, they have a personal firewall, that is easy to use. It STOPS intruders, and even tells you when one tries to get in, and even gives you their IP address!

I've tried several, but this one is top notch.

Again, the only reason I'm putting this out here, is because of the abundance of malicious hackers, who want to do nothing but get into your stuff.

Cost is 40 bucks, but peace of mind is what you will receive.


-- Electman (vrepair1@tampabay.rr.com), February 05, 2000.


Thanks for the info...I've become aware that this Internet is A LOT less secure and could be enabling Big Brother or its hacker equivalent.

-- Z (Z@Z.Z), February 05, 2000.


I didn't download the file you speak of (not intentionally, anyway). The blurb says that it's more for use if you don't have a dedicated connection (like if through a firewall or if you're on a site that in effect will give you at least TWO IP address). The two functions worked fine for me when I first used it a month or so ago, and nothing untoward seems to have happened to my puter and the virus scan still turns up nothing. I'VE felt a little woozy ever since, but that's nothing new.

But you're right to be skeptical. His resume is also out there on the site, if you're interested. He may or may not be legit, although I personally have no reason to think he isn't. As always -- especially these days -- you're wise to be prudent about it. Take it all with as many grains of salt as you see fit.

-- I'm Here, I'm There (I'm Everywhere@so.beware), February 06, 2000.


I noticed that sporadic disk access, too. Can't explain it, although nothing seems to have been disrupted.

I base my opinion that the Shields UP site is probably legit solely because, as you read through the material, commercial programs that stop unauthorized access (with their names) are actually RECOMMENDED, and even though he says he's working on his own version, he also says you should go ahead and get one of the others now. It struck me that someone trying to hack into my humble PC would hardly be telling me to go out and get a product to PREVENT them from doing so on a continuing basis. I may be wrong, and my reasoning may be flawed, and all my hot 'n' steamy love letters may be archived somewhere by now, but that was just the way I saw it.

As before, take it for what it's worth. I have no connection or interest either way.

-- I'm Here, I'm There (I'm Everywhere@so.beware), February 06, 2000.
