Cyber Terror
Jul 1, 2008 12:00 PM, By Michael Fickes
Lumeta is working on this initiative with the Federal Aviation Administration (FAA), DHS and DoD. The company makes a software application called IPsonar, which scans a network and records the devices connected to it. On a regular schedule, security personnel compare the initial scan with a new scan to discover what new devices might have been connected and whether they are authorized and comply with security requirements.
“IPsonar also enables agencies to reduce the number of connections to a manageable level,” Markulec adds. “The fewer connections you have, the easier they are to monitor.”
Effect of social engineering
Technology is one layer of defense. Policies, procedures and continuing education for employees compose another layer. Many experts, especially those with the technical expertise that enables them to hack into systems, think that the human side of network security presents risks equal to the technical side.
To make the point, Chris O'Ferrell, vice president with Herndon, Va.-based Command Information, an IPv6 Internet services provider that works with government agencies, describes how a hacker or technically sophisticated terrorist might worm his way inside the networks operated by police, fire and medical first responders in a large city.
“Hackers are methodical,” he says. “They work in war rooms using a host of techniques designed to learn everything they can about a target. If I were a terrorist and wanted to disrupt the ability of first responders to respond to a physical attack — a bombing perhaps — in a big city, I would start by identifying all of the first responders in the agencies I was interested in.”
That's easy, continues O'Ferrell. Social networking Web sites such as MySpace, Facebook and others make it possible. “It's illegal to use these sites for this purpose, but still easy,” O'Ferrell says. “I would sign on to a couple of sites, create an account and type in the name of the agency. I'd end up with hundreds of names of people that work there now and have worked there in the past.”
O'Ferrell then checks out what they say about themselves and their jobs. He gets their title, information about their experience and perhaps some personal information. He also gets e-mail addresses.
Next, he makes up an organization chart for the agency, showing the relationships between people. “Once you know the names and relationships, you can impersonate someone and send e-mails asking for things,” he says. “You'll sound reasonable because you know the relationships. Maybe you use the Human Resource manager's address and send an e-mail asking someone for a home address and phone number because ‘you're updating the HR records.’”
When the person hits reply, an embedded feature in the e-mail sends the reply to O'Ferrell instead of the real HR manager O'Ferrell has impersonated.
The kind of information he goes after depends on the plan. Suppose, for instance, that he wants to confuse and delay the first response to a physical attack on a port facility in a coastal city. He can fill up the agencies with disinformation that will send police, fire and medical responders on wild goose chases. He can send commanders downtown for non-existent meetings. He can mount denial of service attacks on e-mail, VoIP and wireless communications servers.
And when the physical attack comes, a confused first response will raise the amount of damage and the casualty count.
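The reply-redirect trick described above can be caught at the mail gateway. The following is an added example, not part of the original article: it assumes the "embedded feature" is a Reply-To header that points away from the displayed sender, and the domain names, sample messages and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organisation's own mail domains (constructed value).
INTERNAL_DOMAINS = {"agency.example"}

def domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rpartition("@")[2].lower()

def classify_reply_path(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Compare From and Reply-To and return one of:
    'ok', 'mismatch', or 'internal-impersonation'."""
    msg = message_from_string(raw_message)
    senders = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    replies = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    from_domains = {domain(a) for a in senders}
    verdict = "ok"
    for addr in replies:
        d = domain(addr)
        if d in from_domains:
            continue  # replies go back to the sender's own domain
        # The message claims an internal sender, but a reply would leave
        # the organisation: the pattern the HR impersonation relies on.
        if from_domains & internal_domains and d not in internal_domains:
            return "internal-impersonation"
        verdict = "mismatch"  # external sender using a different reply domain
    return verdict

# Constructed sample messages.
SPOOFED = (
    "From: HR Manager <hr.manager@agency.example>\n"
    "Reply-To: HR Manager <hr.manager@agency-records.example>\n"
    "To: officer@agency.example\n"
    "Subject: Updating the HR records\n\n"
    "Please reply with your home address and phone number.\n"
)
LEGIT = (
    "From: HR Manager <hr.manager@agency.example>\n"
    "To: officer@agency.example\n"
    "Subject: Benefits enrollment\n\n"
    "Enrollment opens Monday.\n"
)
NEWSLETTER = (
    "From: News <news@vendor.example>\n"
    "Reply-To: support@vendor-help.example\n"
    "To: officer@agency.example\n"
    "Subject: Monthly update\n\n"
    "Product news.\n"
)
```

A 'mismatch' verdict on its own is common for bulk mail; the 'internal-impersonation' verdict is the one worth quarantining or tagging for the recipient.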
The ultimate security piece: Human judgment
When an organization falls for a social engineering attack, it is a human failure, says David Gewirtz, editor-in-chief of Computing Unplugged and a Ph.D. in computer science.
“The biggest mistake we make is not learning enough about network technologies and what a malicious person can do,” Gewirtz says. “We say that we're not technical so it is someone else's problem to figure out the security problems. In fact, it's dangerous not to have a base level of technical knowledge.”
The General Accountability Office recently released a study recommending how a number of federal agencies could strengthen e-mail record keeping systems. In reading the report, Gewirtz discovered a network security flaw buried in the footnotes. The Federal Trade Commission (FTC) prohibits staff from accessing external Web-based e-mail with the agency's Web browsers. But agency employees may use remote application software to obtain access to external Web-based e-mail as a convenience. A footnote explains that the remote application is Citrix.
“Citrix creates a tunnel from a remote desktop to your local desktop,” Gewirtz says. “The tunnel lets you move stuff from point A to point B. But you have no way of knowing who else is moving stuff from point A to point B through the tunnel.”
Like the nuclear power plant that connected its secure network to the Internet, the FTC vulnerability has nothing to do with technology. It is an error in human judgment.
© 2010 Penton Media Inc.


