Can Microsoft Survive An Electronic Pearl Harbor?

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread


YOWUSA.COM, May 27, 2001 Marshall Masters

--------------------------------------------------------------------------------

Foreword

My career in the computer industry started in 1978 and I’ve spent the last 12 years of that in the Silicon Valley, where I currently specialize in networking technologies.

For those of you in the general public, that means I work in that area of the Internet that is that big black hole on the other side of your computer modem, that seems to work mysteriously well most of the time.

This is why I’ve written this article for members of the general public with a very basic understanding of computers. It is my hope for this article to convey to those concerned about an “electronic Pearl Harbor,” the often-discussed concerns of network professionals like myself about the possible consequences of an all-out CyberWar.

Please note that products mentioned in this document are trademarks or registered trademarks of their respective holders.

--------------------------------------------------------------------------------

The Threat

Richard Clarke, President Clinton’s national coordinator for security, infrastructure protection and counter-terrorism, coined the term “electronic Pearl Harbor,” to describe a catastrophic surprise attack on America’s information systems. But it would only be the first strike, and on its heels will come a deadly CyberWar that will cripple our economy and paralyze our ability to function as a modern society. This is because the spearhead of the first attack will be directed against America’s soft digital underbelly, the Windows operating system; a legacy-plagued modern day electronic version of the Maginot Line.

This threat was recognized years ago; only now is an American President doing something about it. Yet, no matter how aggressive Bush’s attempts are to shore up our digital defenses, history has shown us that an electronic Maginot Line cannot protect us, because our adversaries are most likely infecting our computer systems at this very moment.

The experts are warning us at every chance, but ever since the Y2K bug scare fizzled, it is difficult for their warnings to be heard above the public’s apathy.

Insight Magazine, May 2001 Preparing for The Next Pearl Harbor Attack

America’s miraculous digital revolution, automatic teller machines and wireless phones, personal computers and pagers, and the electronic systems that carry news, airline schedules, stock trades and business inventories have transformed the way people live. Nevertheless, the entire network, which bureaucrats call "the critical infrastructure," is a massive electronic Achilles’ heel, security specialists warn.

International terrorists and rogue regimes are savoring the prospect of striking hard at the United States, according to U.S. intelligence agencies. During his recent tour of the Middle East, Cuban dictator Fidel Castro remarked to his Iranian hosts that the United States was plagued with vulnerabilities that smaller countries could exploit. He didn’t elaborate in public, but his message was clear: The time is coming when the rogues of the world will be able to take down Uncle Sam.

After years of dithering under Clinton, say defense specialists, the Bush White House is taking the matter seriously. Virtually every vital service: water supplies, transportation, energy, banking and finance, telecommunications, public health all of these rely on computer and fiber-optic lines, the switches and routers that come from them, notes National Security Adviser Condoleezza Rice. These are vulnerable. In the short time since his inauguration in January, Bush has instructed government offices to coordinate for homeland security and defense, and assigned Vice President Richard Cheney to head a group to draft a national terrorism-response plan by October 1.

Intelligence is the lifeblood of war. During WWII, the Allies were able to break the Enigma code used by the Nazis to great effect, as well as those used by the Japanese. The advantage for the Allies was simple. It is easier to win a poker game when an opponent is unknowingly playing his cards face up on the table. In the wake of an electronic Pearl Harbor, we could find ourselves in the reverse of that very same situation and this will be one war we cannot afford to lose.

--------------------------------------------------------------------------------

Why We Need To Be Concerned

Americans usually tend to think of computer security in terms of their credit card transactions over the Internet, and the passwords they use at the office to log on to the company network. We assume that the whole security issue is being handled, and that we can go about our lives in relative safety.

We also tend to view computer security as being primarily a commercial issue, with national defense being a secondary issue. Consequently, when most Americans think of a CyberWar, they tend to think in terms of waiting in line for gas, or burning candles until the power comes back on.

However, what they seldom if ever think about is the widespread starvation that will most likely come in the wake of an electronic Pearl Harbor.

--------------------------------------------------------------------------------

Why We’ll Starve to Death In a CyberWar

The next time you go to the grocery market, watch closely as the clerk runs your purchases across the scanner. This way, should you and your family starve to death as the result of a CyberWar, you’ll know what the culprit looks like. To illustrate the point, let’s use a box of breakfast cereal.

Shelf space in grocery stores is a premium item, and once a particular brand of cereal has achieved a favorable shelf location, maintaining that shelf position becomes an imperative for the manufacturer of the cereal and its various downstream suppliers. The overriding goal is to keep that cereal on the shelf at all times.

In the days before computer automation, the cereal manufacturer had to supply a jobber, who in turn supplied regional distributors, who in turn supplied local distributors, who in turn supplied the grocer from whom you purchased your cereal.

However, manual human systems are inefficient, and prone to shipping and production delays. Therefore, offsetting the inherent inefficiencies of manual human systems required a 90-day supply of the cereal that was staged throughout various points in the distribution network. This excess inventory was essential to keeping the product on the shelf, but the carrying costs of this inventory were substantial.

That was, until computer automated supply chain management came along, which brings us back to the scanner in your local supermarket.

Today, when you take your box of cereal to the counter for checkout, it is scanned and a notice is sent from the computer in the cash register to the main back office computer in the grocery store that you’ve just bought a box of cereal.

Before you’ve put the grocery sack with your box of cereal into the trunk of your car, the grocery store computer has talked with the grocery chain computer, which then talks with the distributor computer. The distributor computer then talks with the jobber computer, which then finally lets the manufacturer know that you’ve just bought a box of their cereal and that they will need to replace that inventory.

By the time you’ve made it home and are stacking that box of cereal on the shelf, an automated purchase order has been placed with the manufacturer to replace the box of cereal you just purchased from your local grocery store. Depending on the systems used, this process can go faster or slower, but either way you should get the idea.

Now here is the point. In the days before computer automation, there was always a 90-day supply of food in the distribution chain at any one time, because of the inherent inefficiencies of human systems. Today, computers do all the same work, following all the same rules, but at the speed of light. Consequently, the 90-day supply of food of the past has now become the 90-hour supply of the present.

In case of a CyberWar, the damage could be truly catastrophic because the nation’s railroad system is every bit as automated as its grocery stores. Over the years, manual rail switches have been removed in favor of a centralized computer system that now controls a nationwide grid of electronically activated rail switches.

What this means in terms of an electronic Pearl Harbor, is that much of the 90-hour supply of food presently in the supply chain will most likely rot on abandoned rail sidings while railroad employees work frantically to bring their system back online. In the meantime, we will have to fall back on trucks; but then again, we could be in for another nasty surprise.

During California’s latest rolling blackouts, critical oil refineries were taken offline and the interruption of their refining processes was dramatic, because it can take days and even weeks to bring a refinery back online after such an event.

What this means in terms of an electronic Pearl Harbor is that power outages would shut down oil refineries, which in turn would sharply curtail the supply of diesel fuel for trucks and railroad engines. The result is that we’ll see a rash of fuel theft complaints as people quietly scurry about in the night with siphon hoses and gas cans, in search of unattended vehicles.

We are so used to the ease with which we receive the benefits of our technology that we simply assume that it will always work this way. But the truth is that societies with a high degree of technological sophistication are more vulnerable than they may think, or wish to think.

Yet we choose to ignore this truth with self-blinding misconceptions, and the most critical of the lot is that CyberWar is not a game. CyberWar is war in the full meaning of the word, and includes all the death and human suffering that attends war!

Continued



-- Martin Thompson (mthom1927@aol.com), May 29, 2001

Answers

See the most recent (28 May) issue of The New Yorker, which has an article by Michael Specter titled "The Doomsday Click: How easily could a hacker bring the world to a standstill?"

Here's a quote, hand-typed so any misspellings are my fault:

[According to Peter Neumann of SRI International] "...Hackers can get into our most important systems in minutes, sometimes in seconds. And they do...The Internet is waiting for its Chernobyl, and I don't think we will be waiting much longer; we are running too close to the edge. When a third of the computer drives in America are wiped out in a single day, when the banking and commerce system is overcome, or the power grids and emergency-response systems of twenty states are shut down because of a malicious computer attack, maybe then people will think about what's going on here." ...

-- Andre Weltman (aweltman@state.pa.us), May 29, 2001.


This is why I recently added a category 'cyberwarfare' as I believe that this is going to become a major issue in the near future.

-- Martin Thompson (mthom1927@aol.com), May 29, 2001.

The consequences of a serious cyberattack would be virtually indistinguishable from the dreaded "Ice Storm" Y2K Bug scenario; except that the threat is continuing, and there's no knowing WHEN it will hit, unlike Y2K.

People who prepared for Y2K are prepared for this threat as well. Those who didn't need to play "catch up" now.

Why hasn't the National Infrastructure Protection Center launched a "Civil Defense" program, to prepare the U.S. population for the threat of such Y2K-like disruptions? This is fully in line with its mission, and would definitely help to deter such an attack, since the damage inflicted would be thereby mitigated substantially.

People who travel, esp. for long periods, live a "just in time" existence for all of life's necessities. The main exception is if travelers stay with trusted and properly prepared family or good friends.

This threat renders the prospect of out of town jobs requiring travel and the "just in time" lifestyle that is required, to be very dangerous, risky, untenable, and undesirable. This is especially true if properly "Y2K prepared" at home. It is even more true for those with medical disabilities, which are exquisitely vulnerable to augmented adverse consequences from even modest disruptions.

-- Robert Riggs (rxr999@yahoo.com), May 29, 2001.


Another day another hack in the web's lawless world

Companies still don't understand that virus protection is where security starts, not where it ends, argues Simon Moores

Sunday May 27, 2001 The Observer

The attack by computer hackers on the world's leading anti-hacker unit last week showed that nothing is impregnable in cyberspace. The US government-funded Cert co-ordination centre was paralysed by a flood of bogus email data requests. The attack was the culmination of a dramatic surge in computer onslaughts in the last four weeks. High-profile UK victims included ITN and BT. Even www.attrition.org, the website that monitors this sinister activity, has confessed that the 'burden of keeping up with all the busy hackers out there has finally become intolerable'.

Attrition has monitored more than 100 website defacements a day, three times the combined total for 1995 and 1996 - statistics that are sobering for any business developing a commercial website.

In 1999, 273 organisations reported $265 million in losses from security breaches, according to the FBI. Most losses were the result of financial fraud and the theft of proprietary information.

In turn, the spread of computer crime has created a boom for companies offering IT security solutions. Research company IDC predicts that the global market for outsourced security services will grow from $5.5 billion in 1999 to $17.2bn in 2004.

Globalism has created its own digital nervous system. We don't realise that when we connect to the internet from home, someone may be watching our every move.

In California, wireless technology has created the latest fashion in drive-by crimes. All it requires is a Palm Pilot type device with a plug-in wireless network card. An opportunistic hacker can simply park outside any promising corporate target and invisibly log on to any conveniently open and unsecured wireless network gateway. Within minutes the company network and the information it holds will be 'owned' by the hacker, who may simply be carrying out the exercise for personal amusement.

A close encounter of this kind becomes even more serious, if the target happens to be a government agency - or a leading software company: the most recent victim was Microsoft, from whom valuable product information was stolen.

If Microsoft can't defend itself against a determined intruder, who can? Only this month the company's UK website was defaced by the hacker group 'Prime Suspectz' with a simple redirect page and the unremarkable message: 'Thank you for visiting. You are now being redirected to the Microsoft UK website. Please click here if you are not redirected within 5 seconds. ©2000 Microsoft Corporation. All rights reserved.' In the lower left-hand side of the page was the legend 'Prime Suspectz owned Microsoft again!!!'

While the 'old economy' crime of physical theft of IT equipment remains lucrative, the internet is catching up as the preferred environment for the clever criminal. Cybercrime is 'clean' - there is no risk of physical violence and personal danger is low in contrast with other crimes.

Information theft (especially of credit card numbers) by physical or electronic means is increasing. Research suggests that consumer confidence has been shaken by reports of high-profile web crimes and that online fraud schemes are constantly being developed that cannot be tackled by traditional detection.

This has led to a demand for internet-specific screening systems.

A report from CyberSource suggests that vendors and consumers should be educated about security processes, but that there will be a high cost to businesses if they decline all but the safest orders in order to protect themselves from the risk of fraud. The preferred solution is for companies to limit their exposure by using new tools that analyse internet transaction risks.

Even though cybercrime is perhaps the fastest growing industry of the new economy, most businesses are still not taking adequate precautions. In the UK, companies still have a long way to go in grasping that simple anti-virus protection is where a security policy starts, not where it ends.

DK Mattai, managing director of Mi2G, a leading security risk consultancy, believes that many businesses have caught on to the havoc a virus infestation can cause and have responded accordingly with antivirus software.

But he observes that few companies recognise that a continuous cycle of security assessments is needed to monitor and update procedures and software, to best utilise firewalls and intrusion detection systems and thus to protect IT systems from hacks, cracks, viruses or disgruntled employees'.

Last month saw the much-publicised launch of the UK's own national Hi-Tech Crime Unit. With the blessing of the Home Secretary, 80 specialist officers and £25 million, its remit is broad and involves the investigation of two emerging types of criminal activity:

• New crimes, new tools: hacking, cracking and denial-of-service attacks.

• Old crimes, new tools: Crimes against the person using the internet and involving fraud, identity theft and stalking.

Asked whether it were possible, given the resources at his disposal, to both scale and tackle the growing and diverse internet crime danger, Detective Chief Superintendent Len Hynds, head of the Hi-Tech Crime Unit, said: 'The first challenge is, of course, to measure the scale of the threat. Then, and only then, can we begin to benchmark and prioritise activity.

'That said, no single organisation could hope to tackle alone all the crime problems posed by the internet. I'm optimistic that the multi-agency approach the unit represents can act as a catalyst.'

But given the international nature of the problem, the concerns of Government and the economic threat that such virtual lawlessness represents, is the arrival of this relatively small and specialist police unit simply an example of trying to use a cork to plug a leaking dam?

Professor Jim Norton, head of eBusiness at the Institute of Directors, thinks not: 'New tools provide new opportunities for old crimes; e-Business is no exception.

'The police and other agencies need new skills, approaches and tools to respond, but these must be proportionate to the risks involved. They must not impose unreasonable burdens on business or unduly infringe personal privacy.'

And therein lies the dilemma. The functionality of any system is inversely proportional to its security. It has to be a trade-off. Nothing can ever be 100 per cent secure in a wired world.

Promises of action and new legislation, even against the threat of paedophilia, as suggested by Home Secretary Jack Straw last week, can alert us to the scale of the problem, but there is little evidence that an explosion in internet-related crime can be contained, let alone defeated.

Brave words from politicians hold no currency in cyberspace. Its more lawless constituents have little reason for concern while they can operate, at will, from jurisdictions outside of the reach of western government agencies.

The internet has opened the lid on a Pandora's box of personal and commercial threats: its demons have been loosed upon us all.

http://www.observer.co.uk/business/story/0,6903,497087,00.html

-- Martin Thompson (mthom1927@aol.com), May 29, 2001.


Personally, I wouldn't lose too much sleep over it. Everybody in the tech industry knows that Microsoft products have security holes big enough to drive a bus through.

That's why banks, hospitals and the like generally run their main databases on Unix, VMS or the like which have been tried and tested for years, if not decades.

What should be of real concern is that one of MS's biggest customers is the US navy. In fact there is a documented case of a naval destroyer becoming dead in the water.

-- A. Programmer (a@programmer.com), May 29, 2001.


