Of Disaster and Online Terror
As the Christmas and New Year period arrives again for another year, it is time to consider how you may be leaving your Information Technology infrastructure over the holiday period. From disaster recovery plans in the case of catastrophic system failure, through to inadvertent information leakage it is important to be prepared.
While major natural disasters are relatively infrequent, their destructive effects are fairly uniform across a large area. This means that if your recovery plans rely upon immediate response by third party agencies, then they may not have the opportunity to respond to your needs as you have planned. The infrequency of disasters is not a good enough argument against not planning for them to affect your infrastructure this holiday period. The South Asian tsunami and Canberra bush fires are two fairly recent examples of disasters to hit close to this time of year.
While not a natural disaster, the sudden catastrophic failure of IT infrastructure can be devastating, and it is something that many businesses are not able to recover from. Just in the last several days, S?nnet Beskerming staff witnessed a company experience sudden and complete infrastructure failure, yet be able to recover within minutes, to the point that the sum data loss across the company was two lines of unsaved text in a text editor.
The failure struck just as the company had commenced daily operations, and their systems were loaded with the maximum amount of data for daily processing. In their recovery plan, the company had steps to handle situations such as this, and were able to fully recover the information that was held on the systems, and were confident that, if they were given more time, they would have recovered the unsaved text as well. The loss of productivity was only on the order of a couple of hours to the end users as alternative systems were brought online.
The above company was not lucky, just well prepared, although with the current general state of IT management, the two seem to be interchangeable.
At the other end of the disaster scale, planning needs to take into effect what happens as personnel depart for leave, travel or holidays, and what their systems will be doing during this period. Already a number of security mailing lists are publicly calling for people not to turn on automatic out-of-office reply features in their email clients as they can get replicated onto the mailing lists, providing the hackers who read them useful information about the whereabouts of key security personnel for various companies. It also makes their hacking efforts that much easier, as the company being targeted already knows that the person the hacker is pretending to be is not in the office.
Even without the holiday increase in hacking efforts by the lower skilled hackers (script kiddies), the ongoing research into software vulnerabilities sometimes causes a problem when the discoverers decide that they want some public recognition for their efforts. Last week, an auction appeared on eBay which claimed to be for the sale of a '0-day' exploit for Microsoft Office's Excel spreadsheet software. As expected, eBay rapidly pulled the auction off the site, but the existence of it sparked some interesting arguments amongst security specialists as they argued over the ethical issues raised by such a move.
While the act of selling an exploit for software can be considered ethically dubious, there are a number of higher profiled Information Security companies which do trade in such exploits, ideally acting as a conduit between the software vendor and the hacker, for financial compensation to both. This apparent hypocrisy only furthers the perception of the Information Security industry being filled with snake oil salesmen.
As to the nature of the Excel exploit, no one is completely sure, although the eBay lister suggested that Microsoft agreed that it was a real vulnerability which had been discovered. At least one other researcher has hinted at having possession of an exploit against Excel which can lead to the compromise of a vulnerable system, but it is not known whether Microsoft have verified that particular case.
The bickering continued, following the announcement that the Sober email worm would automatically self-update on the 5th of January, 2006. One company (which is one of the companies involved in the trading of newly discovered exploits for money, and is one of the more 'respected' names in Information Security), claimed that it is to activate a mass attack of some form (possibly spam) to commemorate the 87th anniversary of the founding of the German Nazi party. While the 87th anniversary of any event is an odd one to celebrate, at least part of the justification is based on previous iterations of the worm being used to distribute neo-nazi spam.
Not only have the claims of this company been questioned, but also the intent of the company which claimed to have discovered the self-updating feature. While disclosure of information such as this is important for administrators to be able to better defend their (infected) systems, an administrator who would take action on this information would have already ensured their systems were cleaned of infection, and subsequently protected. At the least, it has tipped the developer of the worm off that the internals of their worm have been cracked, and the Security world will be watching with interest come January 5.
Online attacks have also gained extra attention this past week, with the BBC reporting at the start of the week on a call from a group of Islamic militants who were seeking to have a presence established on the Internet so that they could distribute information to the world about their activities and military actions. As part of the compensation for the budding web designer is a promise that the designer would get the chance to remotely launch a rocket attack against a US base in Iraq, using newly developed Internet-controlled rockets.
While this, and other activity by militant groups, is not normally identified by the mainstream media or Information Security groups as being an issue, the transcript from an informal round-table on the threat of online terror attacks has been published on the Internet, and it has drawn a range of very polarised responses - arguing for and against the threat of online attacks. The round-table itself appeared to be inconclusive, with more argument about how attacks can be defined than actually about the threat posed by external attackers.
The few nuggets of useful information that were thrown up suggest that the US, at the least, is concerned about what is known as an asymmetric threat, whereby one attacker, or a few, can create damage far beyond what their size would suggest (e.g. one person taking out the power infrastructure for the country). Some of the other information suggests that there are numerous critical infrastructure systems in the US which are reachable, and thus attackable, from the Internet, including important utilities such as electricity, gas, and water supplies for major metropolitan centres.
What did seem apparent from the transcript was the significant difficulties that are encountered when trying to get technical people to consider the military and national interest strategic consequences of technical vulnerabilities and system exposure, and those difficulties encountered when getting strategic planners and thinkers (military and national interest) to adequately understand the technical nature of the threats being discussed.
Even minor attacks such as web defacements can be seen by some as a terror threat. The recent defacement of the Australian Capital Territory Chief Minister's website was reported as being a targeted attack against the Chief Minister (which it wasn't), while the recent defacement of the National E-Health Transition Authority (NEHTA) was not widely reported (if at all), but probably is of more concern. NEHTA has been established for the purposes of enabling the Commonwealth and State and Territory governments to develop better ways of electronically collecting and securely exchanging health information, and the inability to secure their Internet presence does not instill a lot of confidence in their claimed focus on the security of electronic health information.
At the very least, even if the threat of online terror attacks is not a credible one, it does not mean that security can not be improved on the systems currently connected to the Internet, and those which are not meant to be.
Disturbingly, the discussion on online terror attracted enough apparently independent comments about various military and other sensitive infrastructure networks (primarily US) to imply that there are definitely electronic connections to the greater Internet from systems up to and including the US Top Secret level, with varying levels of ease of connection to those systems.
To protect the US, it looks like the US Air Force is going to step up and do it. At least, that's according to their recently released mission statement:
The mission of the United States Air Force is to deliver sovereign options for the defense of the United States of America and its global interests -- to fly and fight in Air, Space, and Cyberspace.
12 December 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.