1996-06-27 - Re: CIA Fears UmpTeen InfoNukes

Header Data

From: vin@shore.net (Vin McLellan)
To: Mike McNally <m5@vail.tivoli.com>
Message Hash: 2bf3a16e50e5b8bcbe3ce0e284b9dd667d94794997182215219592a0df0f3720
Message ID: <v02140b00adf7ea1940e7@[206.243.160.225]>
Reply To: N/A
UTC Datetime: 1996-06-27 12:55:50 UTC
Raw Date: Thu, 27 Jun 1996 20:55:50 +0800

Raw message

From: vin@shore.net (Vin McLellan)
Date: Thu, 27 Jun 1996 20:55:50 +0800
To: Mike McNally <m5@vail.tivoli.com>
Subject: Re: CIA Fears UmpTeen InfoNukes
Message-ID: <v02140b00adf7ea1940e7@[206.243.160.225]>
MIME-Version: 1.0
Content-Type: text/plain


        Mike McNally <m5@vail.tivoli.com> queried the List:

>By the way, there was a thing in the Yahoo/Reuters feed about "attacks"
>on DoD computers; apparently British police arrested a "hacker" the
>other day.  Anyway, the article included a claim that there have been
>250,000 attempted break-ins on DoD computers over the past year.
>
>Does anybody know how they count that?

        I don't know if they go so far as to count pings, but it seems they
do try to count ISS/Satan/Pingware scans -- and then they project off what
numbers they have to come up with the estimates.  But no one is
particularly careful about these numbers... certainly not the politicians
nor the press.

        The estimates come from the Defense Information Systems Agency
(DISA) and refer to "attacks" on the 2.1 million computers, 10,000 LANs,
and 100 long-distance networks.  (It is unclear whether DISA also includes
the defense contractors' machine and networks -- another 2 million, as I
recall -- but, by US law, those are also considered Defense systems.)

        According the May 22 GAO report: "DISA  estimates indicate that
Defense may have been attacked as many as 250,000 times last year.
However, the exact number is not known because, according to DISA, only
about 1 in 150 attacks is actually detected and reported.  In addition, in
testing its systems, DISA attacks and successfully penetrates Defense
systems 65 percent of the time."

        (It is unclear whether this estimate process is circular, with DISA
-- all and all, a generally capable crew, which normally doesn't bother
with this sound-bite silliness -- "projecting" the total number of attacks
by taking the number of reported attacks  and then enhancing that number by
multiplying it by the percentage of their own attacks on DoD systems which
go unremarked.)

         Jack Brooks, the director of the GAO's Defense Information and
Financial Management Systems, who presented the GAO's formal report
("Computer Attacks at Department of Defense Pose Increasing Risks") gave
some further explication:  "Not all hacker attacks result in actual
intrusions into computer systems; some are attempts to obtain information
on systems in preparation for future attacks, while others are made by the
curious or those who wish to challenge the Department's computer defenses."

     Some numbers seems slightly less puffy: officials at Wright-Patterson
Air Force Base reported that, on average, they receive 3,000 to 4,000
"attempts to access information each month from counties all around the
world."

        There are real problems effectively securing DoD's unclassified
computers -- both the military's own systems and the defense contractors --
but its sad how completely the real problems are being overlooked (or, at
least, overshadowed) but the obsession with the InfoWar threat and teen
cyberdemons being manipulation by Iraqi secret agents.

        Historically and at this moment, the vulnerability of the DoD
computers -- as illustrated by hacker attacks and (almost certainly) by
DISA itself -- lies in untrained and poorly managed system administrators
who simply do not bother to apply even the CERT-labelled patches to their
systems.  There are brilliant hackers about (some in DISA; maybe even a few
on this list) but they would but rarely need that brilliance to penetrate
the typical DoD system.

        I'd bet cold cash that DISA's own tiger-team attacks on DoD systems
are almost always successful with nothing more innovative than an ISS or
SATAN scans and/or a list of CERT-announced security problems from the
previous six months.  The real threat is incompetent, poor-trained DoD
system administrators -- and a class of computer-illiterate senior managers
who define "system security" and routine administration as a marginal
expenses and scorn readily available options like one-time passwords as too
complex for the military mind.

        Much, much, easier to rail at the terrorist threat exemplified by
the 16 year-old Brit who called himself "Datastream Cowboy" and to hint
darkly that his unidentified cohort "Kuji" may have been a Russian or an
Iraqi.  The hell with security, let's wiretap the phones of all 16
year-olds!

        Cliff Stoll and Peter Neuman of SRI are supposed to testify, and
they might bring some common sense to bear -- but I for one desperately
wish to hear the like of acid-tongued Bob Courtney, IBM's former director
of Info Security, chew this fluff up.

        The Datastream attack, btw, didn't occur "the other day," as Mike
McNally suggested -- this whole media flurry is built around a retelling of
Datastream's 1994 attack and arrest.  It's just that the Air Force CERT did
a nice job of documenting the good guys' effort to identify and track him
down -- although Lord! the kid was dumb, no Morris Jr. there! -- and
writing up a report.

        Makes you realize how desperate some folks are for cyberterror
stories, doesn't it?  Wonder why?????

        Suerte,
                        _Vin

         Vin McLellan +The Privacy Guild+ <vin@shore.net>
      53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
                         <*><*><*><*><*><*><*><*><*>







Thread