Booz-Allen & Hamilton Inc. Proprietary Information

SYSTEM SECURITY AND INFORMATION WARFARE: NETWORKS AT RISK
Ted Phillips, Booz-Allen & Hamilton Inc., April 1997

Introduction - Today's Agenda
- System Security Issues -- Understanding The Risks
- Telecommunications Industry Trends
- Network Vulnerabilities
- Threats And Case Histories
- Strategies To Reduce Your Risk Exposure

This Briefing Is Based Entirely On Unclassified And Open Source Information.

SYSTEM SECURITY ISSUES: UNDERSTANDING THE RISKS

Understanding the Risks - Electronic Intruders Are Targeting Core Communications Technologies
- Networks Are Highly Interconnected And International
- They Are Very Attractive Targets For Electronic Intruders

Understanding the Risks - Financial Gain Is A Strong Motivator
Many groups have a high level of interest in electronic intrusion skills:
- Organized Crime
- Terrorist Organizations
- Foreign Intelligence Services
- Industrial Espionage Agents
- Private Investigators
- Information Brokers

Understanding the Risks - During The Past 3 Years Network Attacks Have Increased Significantly
- Intruders Have Attacked A Wide Variety Of End User Systems
- Intruders Have Attacked All Major Categories Of Network Elements
- Intruders Have Attacked All Major US Telecommunications Carriers
- Intruders Have Attacked Many Major International PTT Networks
- Intruders Have Attacked All Major Internet Service Providers

TELECOMMUNICATIONS INDUSTRY TRENDS

Understanding the Risks - Industry Trends Will Increase Risk
- Architectural Trends
- Technology Trends

Understanding the Risks - Industry Competitive Issues
- Financial Pressures Reduce Security's Priority
- Metrics To Conduct Security Cost-Benefit Analyses Are Not Fully Developed
- Downsizing Reduces Worker Loyalty And Creates Disgruntled Ex-Employees

Understanding the Risks - Privacy And Confidentiality Trends
- Sensitive Customer And Network Information Is Created And Stored On Network Elements
- Sensitive Information Is Openly Exchanged Among Network Elements
- End User Systems Are Directly Connected To Public Networks

Understanding the Risks - Architectural Trends
- Network Administration Is Increasingly Shared Between Carriers, Service Providers And Users
- Customer Premise Equipment (CPE) Is More Interconnected With Public Network Elements
- Public Network Elements Are Richly Interconnected, Creating Extremely Complex Network Structures
- The Communications Industry Is Moving Toward A Cell-Switched Architecture

Understanding the Risks - Technology Trends
- Public Network Elements Are Virtually All Computerized And Software-Controlled
- Network Elements Are Increasingly Complex And Difficult To Securely Administer
- Wireless Technology Will Be Important For End User Network Access

Understanding the Risks - New Technologies Will Increase Risk
- Optical Networks (SONET)
- Asynchronous Transfer Mode (ATM) Networks
- Internet Protocol Version 6
- Digital Subscriber Line Technologies
- Advanced Intelligent Networks (AIN)
- Integrated Services Digital Network (ISDN)
- Wireless Local Loop Technologies
- Wireless Data Networks (CDPD, PCS)
Electronic Intruders Are Developing Techniques To Attack Each Of These Technologies.

NETWORK VULNERABILITIES

Understanding the Risks - Network Vulnerabilities
All Systems In This Diagram Have Been Penetrated At Least Once In The Past 3 Years.
[Diagram: Local Exchange Carrier and Inter-Exchange Carrier network elements; the element labels are illegible in the OCR.]

Understanding the Risks - Network Vulnerabilities (cont.)
[Diagram continues; the only legible labels are "Service" and "Monitoring".]

Understanding the Risks - Data Network Vulnerabilities: Attack Scenario
[Diagram: Attack Origination (New York); Public Data Network; Private Data Network; Support; Switching Administration. Remaining labels are illegible in the OCR.]

Understanding the Risks - Computer Networks Have A Long History Of Intrusions
The Computer Emergency Response Team (CERT) And Other Similar Bodies Have Averaged 3 Advisories A Month For The Past 3 Years.
[Slide lists advisory titles from the period. The legible ones are: sendmail vulnerabilities and sendmail exploitation; Novell UnixWare vulnerabilities; SCO system vulnerabilities; HP bulletin security patches; attempts to steal passwords; automated probes; UNIX security problem; Cisco access list; keystroke logging banner; VMS Monitor vulnerability; ULTRIX 3.0 break-in; SGI vulnerability; BIND daemon; TFTP attacks. The advisory numbers are illegible in the OCR.]

Understanding the Risks - The Internet Security Dirty Dozen
- Trusted Host Relationships: hosts.equiv file
- Network File System: world readable / writable exports
- X Windows Vulnerabilities: keystroke capture
- Rexecd / Rshd: remote execution without authentication
- FTP Servers: access without authentication
- Anonymous FTP: check for writable areas
- Ypbind / Ypserv: password file
- Default Logins: bin, lp, guest, sysadm, demo, ftp, root, field
- Weak / Null Passwords: easily guessable or null passwords
- Script Vulnerabilities: web server vulnerabilities
- Sendmail: a new vulnerability every week
- Also listed: default login/password on PCs, Macs and Novell; domain name server weaknesses

Understanding the Risks - Exploitation Of Trusted Relationships
- Over 60% Of Machines Could Be Vulnerable To Software Attacks
- By Exploiting Trusted Relationships, Approximately 85% Of Machines Could Be At Risk From A Single Intrusion
[Diagram: a hacker's intrusion propagating through trusted hosts; labels illegible in the OCR.]

Understanding the Risks - The IP Spoofing Attack
[Diagram labels: Hacker; Compromised / Invalid Address; X-Terminal; Server; The Internet; Sequence Number Query; Forge Source Packet; Assume Identity.]

Understanding the Risks - Network Configuration Issues
[Diagram labels: Internet Service Provider; Dial-Up Connection; Corporate Firewall; Authorized Connection; Internal Corporate Network.]

Understanding the Risks - Outsourcing And Vendor Issues
[Diagram labels: Maintenance Vendor IP Network; Internal Corporate Network; Authorized Connections; The Corporate Firewall; Outsourcing Contractor Network.]

Understanding the Risks - SONET Vulnerabilities
[Diagram labels: Company A Data Facility; Company A Headquarters; Company A Engineering Building; SONET Ring; Remote site; Company Internet Gateway; Hack Origination. Remaining labels are illegible in the OCR.]

Understanding the Risks - Signaling System 7 (SS7) And Intelligent Network Vulnerabilities
[Diagram: public switched telephone network and signaling elements; labels illegible in the OCR.]
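The dirty-dozen slide puts trusted-host files first, and the trust-relationship slide claims that chaining those trusts lets one intrusion put roughly 85% of machines at risk. The following is an added example, not code from the briefing: it parses constructed hosts.equiv contents for a small, made-up inventory of hosts, builds the trust graph those files imply, and walks it from one compromised host to measure the blast radius. The entry syntax is the real hosts.equiv/.rhosts one; the host names, file contents and the starting host are assumptions for the demonstration.

```python
"""Transitive exposure through rhosts-style trust.

Added example for the 'dirty dozen' and 'exploitation of trusted
relationships' slides; it is not code from the briefing. The host names and
the trust-file contents below are constructed. The entry syntax is the real
hosts.equiv/.rhosts one: one '[+|-]hostname [username]' entry per line, a
bare '+' trusting every host, '+@group'/'-@group' naming NIS netgroups.
"""
from collections import deque

# Constructed: what /etc/hosts.equiv (or a root .rhosts) contains on each host.
TRUST_FILES = {
    "engineering": "+\n",                      # the classic hole: trusts every host
    "build":       "# ci machine\nengineering\n",
    "fileserver":  "build\nengineering root\n",
    "billing":     "fileserver\n-badhost\n",
    "hr":          "billing\n+@payroll-admins\n",
    "dmz-www":     "",
    "audit":       "",
}


def parse_trust_file(text):
    """Parse one hosts.equiv/.rhosts file.

    Returns (allowed, denied, trust_all, netgroups). Netgroups are collected
    but not expanded: resolving them needs NIS, which this offline example
    does not have. Lines starting with '#' are skipped here.
    """
    allowed, denied, netgroups = set(), set(), set()
    trust_all = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = line.split()[0]            # optional username column ignored here
        if host == "+":
            trust_all = True
        elif host.startswith(("+@", "-@")):
            netgroups.add(host)
        elif host.startswith("-"):
            denied.add(host[1:])
        else:
            allowed.add(host.lstrip("+"))  # '+host' is the same as 'host'
    return allowed, denied, trust_all, netgroups


def build_trust_graph(trust_files):
    """Edge src -> dst: a login on src is accepted on dst without a password.

    A '-host' line is applied after the allow list; real rlogind/rshd use
    first-match order, so this is a deny-wins approximation.
    """
    hosts = set(trust_files)
    graph = {h: set() for h in hosts}
    wildcard_hosts = set()
    for dst, text in trust_files.items():
        allowed, denied, trust_all, _ = parse_trust_file(text)
        if trust_all:
            wildcard_hosts.add(dst)
            sources = hosts - {dst}
        else:
            sources = allowed & hosts     # names outside the inventory are unknown hosts
        for src in sources - denied:
            graph[src].add(dst)
    return graph, wildcard_hosts


def blast_radius(graph, compromised):
    """Every host an intruder on 'compromised' can reach by chaining trust (BFS)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for dst in graph[src]:
            if dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return reached


def exposure(trust_files, compromised):
    """Summarise what one intrusion at 'compromised' puts at risk."""
    graph, wildcard_hosts = build_trust_graph(trust_files)
    reached = blast_radius(graph, compromised)
    return {
        "wildcard_hosts": sorted(wildcard_hosts),
        "reached": sorted(reached),
        "fraction_at_risk": len(reached) / len(graph),
    }


if __name__ == "__main__":
    # The DMZ web host is trusted by nobody, yet one foothold there reaches
    # six of the seven hosts because 'engineering' trusts every host.
    print(exposure(TRUST_FILES, "dmz-www"))
```

The wildcard host is what turns a single foothold into the 85% figure on the slide: every other host can log in to it, and it is trusted downstream, so the least trusted box in the inventory reaches six of seven hosts. Running the same walk from each host in turn, and treating any '+' entry or unexpanded netgroup as a finding, is a cheap audit of the first item on the dirty-dozen list.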
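The IP spoofing diagram above gives the attack in three labels: sequence number query, forged source packet, assume identity. The following is an added simulation, not code from the briefing and not a network exploit: a toy handshake object stands in for the target's TCP stack, the addresses and ports are constructed, and the predictable initial sequence number rule (+64 per accepted connection) is the 4.2BSD-era scheme described in the sequence-number-attack literature, with the per-second clock component left out. It shows the blind handshake succeeding against the predictable generator and failing against a random one, then the rshd-style hosts.equiv check that the assumed identity unlocks.

```python
"""Blind TCP spoofing against a predictable initial sequence number (ISN).

Added example for the IP spoofing slide; not code from the briefing. Every
address, port and the 'TargetHost' object are constructed for the simulation.
"""
import random

WRAP = 0xFFFFFFFF


class TargetHost:
    """Minimal handshake state for the victim plus an rshd-style trust check."""

    def __init__(self, trusted_hosts, isn_policy="predictable", seed=1):
        self.trusted = set(trusted_hosts)      # hosts named in /etc/hosts.equiv
        self.isn_policy = isn_policy
        self._isn = 0
        self._rng = random.Random(seed)
        self.half_open = {}                    # (src_ip, src_port) -> our ISN
        self.established = set()

    def _next_isn(self):
        if self.isn_policy == "predictable":
            self._isn = (self._isn + 64) & WRAP     # 4.2BSD rule: +64 per connection
        else:
            self._isn = self._rng.getrandbits(32)   # unpredictable, as RFC 1948 asks
        return self._isn

    def receive_syn(self, src_ip, src_port, client_seq):
        """Answer a SYN; the SYN-ACK is routed to src_ip, whoever really sent it."""
        isn = self._next_isn()
        self.half_open[(src_ip, src_port)] = isn
        return {"to": src_ip, "flags": "SYN-ACK", "seq": isn, "ack": (client_seq + 1) & WRAP}

    def receive_ack(self, src_ip, src_port, ack_num):
        """Third handshake step: accepted only if ack_num == our ISN + 1."""
        isn = self.half_open.pop((src_ip, src_port), None)
        if isn is None or ack_num != (isn + 1) & WRAP:
            return False
        self.established.add((src_ip, src_port))
        return True

    def rsh(self, src_ip, src_port, command):
        """rshd-style authorization: established connection from a trusted host."""
        if (src_ip, src_port) in self.established and src_ip in self.trusted:
            return f"ran as trusted host {src_ip}: {command}"
        return None


def blind_spoof(target, attacker_ip, trusted_ip):
    """The diagram's steps: sample the ISN, forge a SYN as the trusted host, ACK blind."""
    # 1. Sequence number query: a legitimate SYN from the attacker's own
    #    address, so the SYN-ACK (and the ISN it carries) comes back to the attacker.
    probe = target.receive_syn(attacker_ip, 40000, client_seq=1000)
    sampled_isn = probe["seq"]

    # 2. Forged source packet: a SYN carrying the trusted host's address from a
    #    privileged port, as rsh clients use. The SYN-ACK goes to the real trusted
    #    host (assumed silenced, e.g. SYN-flooded, so it sends no RST); the attacker
    #    never sees it and must guess the ISN inside.
    target.receive_syn(trusted_ip, 1023, client_seq=5000)

    # 3. Predict: the forged SYN was the next connection after the probe, so +64.
    predicted_isn = (sampled_isn + 64) & WRAP

    # 4. Assume identity: a blind ACK carrying the predicted ISN + 1.
    if not target.receive_ack(trusted_ip, 1023, (predicted_isn + 1) & WRAP):
        return None
    # 5. rshd now sees a connection 'from' a host in hosts.equiv and runs the
    #    command; the classic payload widens the trust hole for later logins.
    return target.rsh(trusted_ip, 1023, "echo + + >> /.rhosts")


if __name__ == "__main__":
    weak = TargetHost(trusted_hosts={"10.0.0.2"}, isn_policy="predictable")
    print(blind_spoof(weak, "198.51.100.7", "10.0.0.2"))
    strong = TargetHost(trusted_hosts={"10.0.0.2"}, isn_policy="random")
    print(blind_spoof(strong, "198.51.100.7", "10.0.0.2"))
```

Two things decide the outcome: the attacker never receives a single reply addressed to the trusted host, so the whole attack rests on predicting the ISN, and the damage after the handshake comes entirely from address-based trust. Unpredictable ISNs defeat step 3; removing hosts.equiv and .rhosts trust (or filtering packets that arrive from outside with an inside source address) defeats step 5 even if step 3 succeeds.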
Understanding the Risks - Financial Systems Are Completely Dependent On Networks
[Diagram: information providers, market data feeds, trading groups, clients, servers and PCs connected over internal and external networks; most labels are illegible in the OCR.]

THREATS AND CASE HISTORIES

Threats And Case Histories - The Primary Threats To Network Technologies
- Unauthorized Disclosure Of Data
- Disruption Or Denial Of Service
- Unauthorized Modification Of Data
- Fraud And Financial Loss

Threats And Case Histories - Threats Include
- Highly Targeted, Custom Scripted Attacks
- Automated Attack Tools
- Sophisticated Surveillance / Data Gathering Tools
- Hacker Toolkits
- Offensive Use Of Network Management Tools
- Complex Stealth / Evasion Techniques
- Password Cracking Tools
- Network Element Attack Techniques

Threats And Case Histories - Case Histories
- Masters Of Deception (MOD)
- Kevin Poulsen
- Kevin Mitnick
- Legion Of Doom (LOD)
- The Posse And Internet Attacks
- Shadowhawk
- Countries With Significant Hacker Activity

Threats And Case Histories - Masters Of Deception (MOD)
- Developed And Unleashed Programmed Attacks On Telephone Company Computers
- Monitored Data Transmissions On Packet Data Networks
- Created New Telephone Circuits And Added Services With No Billing Records
- Changed An Adversary's Long Distance Carrier To Illegally Obtain Calling Records
- Sold Passwords, Access Codes And Other Illegally Obtained Information
- Destroyed Data In Computer Systems

Threats And Case Histories - Kevin Poulsen (aka Dark Dante)
Allegedly:
- Hacked Into Phone Company Computers Hundreds Of Times
- Used Stolen Access Codes To Access Government Information, And Sold Access Codes For Money
- Compromised Several Ongoing Law Enforcement Investigations
- [Illegible] On Telephone Company Investigators
- Sold Untraceable, Unbilled Circuits To Criminals
- Illegally Entered Telephone Company Offices And Stole Data And Equipment

Threats And Case Histories - Kevin Mitnick (aka Condor)
Allegedly:
- Attacked Telephone Central Offices
- Stole Telco Equipment Manuals
- Attacked A Software Development Computer And Copied Proprietary Source Code Programs For The Operating System
- Modified This Stolen Source Code To Introduce A Trap Door
- Compromised Cellular Telephone Network Equipment
- Implemented A Spoofing Attack

Threats And Case Histories - Legion Of Doom (LOD)
- Planted Software Time Bombs In Telephone Centers
- Corrupted Pointer Tables In Signaling Switches
- Changed Circuit Routing Tables In Traffic Switches
- Electronically Eavesdropped On Telephone Conversations
- Traded Stolen Credit Card Numbers, Calling Card Numbers And Computer System Information

Threats And Case Histories - The Posse And Internet Attacks
Allegedly:
- Attacked The Internet With Sniffer Programs Designed To Record Login IDs And Passwords
- Penetrated The Primary Internet Backbone Networks
- In The First 6 Months, Sniffer Programs Were Discovered On Over 500,000 Internet Hosts; The Number May Now Be Over 1 Million
- Individual Sniffer Programs Have Captured Over 40,000 Passwords Per Day
- The Sniffer Is Now Part Of The Standard Hacker Toolkit, Along With Scanner Programs And Rootkit Software

Threats And Case Histories - Shadowhawk
- Illegally Copied The 5ESS Switching System Source Code, Valued Between $28,000 And $40,000
- Illegally Copied Source Code Files Worth Over $1 Million
- Attacked A Telephone Carrier's Computers And Installed A Trap Door Password Allowing SysAdmin Access
- Accessed A Military Computer And Destroyed Diagnostic Files Reflecting The Operation Of The Military Base's Communication System
- Published Entry Codes To 27 Computers, As Well As Legitimate Names, Telephone Numbers, Account Names And Passwords

Threats And Case Histories - Countries With Significant Hacker Activity
Netherlands, United States, Hungary, England, Canada, Czech Republic, Germany, Brazil, Bulgaria, Belgium, Israel, Russia, France, Australia, Belarus, Austria, Italy, Turkmenistan, Sweden, Greece, South Africa, Switzerland, Korea, Spain, Malaysia, PRC, Philippines, Japan, Argentina
(Based On Unclassified Open Source Information)

STRATEGIES TO REDUCE YOUR RISK EXPOSURE

Conclusions
- All Aspects Of Worldwide Communications Networks Are At Risk From Electronic Intruders
- Electronic Intrusions Are Escalating In Frequency And Severity
- New Technologies And Other Industry Trends Are Increasing Risks To Both End Users And System Operators

Risk Management
- Risk Cannot Be Eliminated Entirely, But It Can Be Effectively Managed
- Your Risk Exposure Can Be Dramatically Reduced By Developing And Implementing An Organizational Security Strategy:
  - Organizational Security Policy
  - System-Specific Security Policies
  - Detailed Security Procedures
- Your Security Posture Should Reflect Management's Position On Security Costs And Benefits

Risk Can Be Reduced By Implementing New Procedures (listed from less complex to more complex)
- Establish Security Awareness Programs
- Improve Security Staff Skills
- Perform Regular Security Audits
- Control Proprietary Information
- Use Existing Security Features In Equipment
- Implement Dial Access Control
- Identify And Close Security Holes
- Design And Implement A Security Architecture
- Implement Advanced Security Technologies