Outline
1. INTRODUCTION

  1. Who We Are
  2. Where We Came From / Why We Do It (7 Bios)
  3. Hackers Are Not The Bad Guys
  4. Why What We Have To Say Should Matter To You

2. SOME OF OUR GENERAL FINDINGS

  1. The Infrastructure Is Extremely Fragile
     a. The Tower-To-Aircraft Insecurity
  2. The General State Of Security In Commercial Products Is Abysmal
  3. Example Of Large Auditing Firm Problems
  4. Example Of NASA / Pentagon Problems
  5. Why Trust Models Don't Work On The Internet
  6. It's Not Just That The Data Gets From Point A To Point B Safely
  7. There Is No Independent / Non-Biased Organization To Watchdog The Claims
  8. Network Security Products
  9. Education Is Necessary
  10. It Is Not Too Difficult To "Raise The Bar"
     a. Define Ankle-Biter

3. WHAT WE WOULD LIKE TO SEE HAPPEN

  1. Understanding Of The New Threat Model
  2. Understanding Of Severity / Skill Level Of Attacks
  3. Willingness Of Corporations To Consider Security Aspects From Product Inception As Opposed To 'Afterthought'
  4. Use Of Authentication And Encryption
  5. Change In Current Legislation
  6. Incentives


1. INTRODUCTION
Who We Are

For well over a decade, the members of the L0pht (Brian Oblivion, Weld Pond, Mudge, Space Rogue, John Tan, Kingpin, and Stefan von Neumann) have been involved with technology and security. Whether it was understanding how telephone switches operate, how computers hook up to networks, or how math could be used to write 'secret messages', we were and are driven by a need to understand our surroundings. Oftentimes this new understanding leads us to figure out what things are capable of doing, not just what they were meant to do. Quite often this means tricking programs to bypass security. This can be something as innocuous as listening in to 'private' conversations all the way to the possibility of stealing one's identity to commit crimes.

For the past four years the seven of us have been working together at a little "club-house" we affectionately refer to as the L0pht. This has come to be known as the top hacker collective in the United States.

One of the most intriguing aspects of the L0pht is the diversity of its technological savvy. Everything from satellite communications, smartcards, cryptography, operating systems, hacking, phreaking, networking protocols and high voltage electrical systems has a champion at the L0pht. Individual members have worked on or for DoD contracts, military field operations, large private sector firms, and federally-funded space agencies; performing, among other things, physical security audits, network security audits, and source code analysis.

The individuals who make up this collective have varying interests and backgrounds. Commercial sector computer security, computer and network administration, software programming, electronic engineering, hired hacking, and cryptanalysis are all backgrounds present at the L0pht. From the standpoint of attacking hi-tech security mechanisms this works tremendously to our advantage. Currently the world is largely embracing software components as security solutions, which is fine, as we have some of the top software engineers / reverse engineers. When smartcards and physical tokens become more mainstream, we are poised with a brilliant hardware group. Physical hi-tech security is very well covered as well. As the emphasis moves between hardware, software, and combinations of the two we are able to (and do) move with it, always attempting to remain at the epicenter. Perhaps this is why we have achieved respect both from the 'good-guys' and the 'bad-guys'.

Articles written by the L0pht or about the L0pht have appeared recently in or at www.microsoft.com, www.lotus.com, CINet, Infoworld, EE-Times, Wired Magazine, LA Times, NY Times, Washington Post, BBC, LAN Times, Phrack Magazine, 2600 Magazine, New England Cable News, Byte Magazine, The Jim Lehrer News Hour, Information Week and many others.

The L0pht has issued at least 19 Security Advisories to the general network security community. These advisories have prompted several CERT advisories along with patches from Microsoft, Sun, FreeBSD, Cygnus (Kerberos), and BellCore.

Of course the question of why we even bother must be brought up, though it is not an easy question to answer. Perhaps an easier question to answer is what are not the reasons we do this. We are not involved in this for monetary gain, as we provide our information to the public free of charge and end up paying any expenses out of our own pockets. We do not spend our time breaking, defeating, and researching hardware and software to be appreciated by the industry. Oftentimes companies become quite irate that we were able to show how weak their flagship product is. In fact, there are seven unique individuals who all have their own reasons for doing this. It largely boils down to the notion that if we can and do engage in this without any financial aid or backing and can find that the entire infrastructure is incredibly fragile, how can people as a whole be expected to trust and use this vehicle? Perhaps we would like to become the 'consumer reports' group that does not have any ties or alliances to the large corporations and simply publishes and benchmarks who is attempting to help the end user and who is selling snake oil. It has become apparent that such a non-biased organization does not currently exist. The following seven short paragraphs were composed by the individuals who make up the L0pht. It is hoped that this will shed insight into the dynamics and personality of the L0pht as a whole before we go into our observations on the current state of network and computer security.

Where we came from

Brian Oblivion's involvement in the L0pht began in early 1992, when his wife, fed up with the accumulated electronic test and computer equipment in the kitchen, demanded that it had to go. A "loft" space was acquired close by and the equipment transferred. In order to defray the costs of the turn-of-the-century warehouse, others were contacted on an intimate electronic bulletin board system (BBS) in the Boston area, the Black Crawling Systems. It began as a "storage locker" for excess equipment, but eventually a small lab was set up as well as an internal network, and that is when the research began. The actual L0pht was born in late 1993, when our Linux box [a personal computer running a UNIX'ish type operating system] went up on the Internet via a 28.8 link to a local Internet Service Provider. Brian Oblivion is the last surviving original member of those that procured the space in the South End of Boston. He has watched as a group of loosely organized individuals storing equipment in a warehouse has turned into a highly organized security "watchdog" group. Struggling for existence, the group had to produce some products to keep the physical space alive while at the same time continuing the basic premise for why they do what they do: To have fun. Pushing the envelope, examining security systems and providing "Full Disclosure" to all of those in the Security Industry of our findings. Brian Oblivion concentrates on wireless and satellite communications networking technology and security. Being an Amateur Radio operator, he also supports the wonderful grassroots research and development capabilities of the United States and is a proponent of protecting the Amateur Radio Frequency bands from being annexed by the commercial sector. He also is a strong advocate of the free unrestricted use of encryption technology, thereby raising the overall state of National Security. He hopes to be an influential member of the process to revisit the antiquated encryption export laws still in United States Code.

John Tan's involvement stemmed from encouragement in early childhood when teachers and other students recognized his technical talents. He found it easier to contribute to a team best by building knowledge and skill in as many areas as possible, with special focus on a few specific areas. Because his social involvement bridged both those labeled computer geeks and the rest of the school's societies, he earned the label 'hacker'; more so because he used the technologies around him to implement new and exciting ideas in the real world, surprising the mainstream with what the technologies could do. The L0pht maximized Tan's ability to implement new and exciting ideas by pooling his resources with the resources of 6 other enthusiasts who share equivalent 'knowledge space' but have different specialized areas of knowledge and resources themselves. Through the L0pht John Tan would like to see influence in industry and government as well as the media for sending a clear, consistent message to all parties as to where we as an electronic society are and where we need to go. Whether it's contributing technical savvy to a business environment, contributing to the various computer communities, being interviewed by the press or even invited to testify before the U.S. Senate, it really boils down to a matter of pride for John Tan.

Space Rogue brings several skills and abilities to the L0pht collective that are essential to survival. Along with strong technical skills coming from many years as a computer systems administrator with hardware service and maintenance responsibilities, Space Rogue brings real world experience stemming from 8 years duty in the Armed Forces. The calm, cool, demeanor is only pierced by bursts of excitement upon completing unusual hacks that cross most standard boundaries. To Space Rogue a successful hack ends up taking any number of forms - from sheer determination in finishing an arduous task to merging and combining data from disparate sectors of life and extrapolating new useful information all the way to technology reclamation. Privacy, freedom, and curiosity drive Space Rogue and are a common thread with his interactions amongst the other L0pht members.

Mudge started tinkering with computers in 1975. His father encouraged his learning and allowed him to travel down different routes without the stigmas of believing there are accepted versus unaccepted ways of looking at problems. He received degrees in music and has held positions varying from software development to code breaking for large organizations. Recently Mudge pointed out to the public several intrinsic problems with Microsoft's encryption, BellCore's One Time Password Authentication schemes, and a Kerberos authentication/encryption scheme. One of his strongest drives is knowing that the L0pht is attempting to keep information flowing and offering insight and knowledge back to the community that they were born from. The belief that individuals are still capable of impacting and helping to shape the future with regards to technology and legislation is very pronounced for him. A well respected computer security expert in his 'official day job', Mudge is a strong proponent of 'Full Disclosure' and the belief that shrouds of secrecy and corporate bureaucracy can be.

After Weld Pond graduated from college with a degree in computer engineering he set off to work at a large software company in Cambridge. After a few years absence from the computer underground he decided to get back into the scene in his new home, Boston. He hooked up with a local computer underground BBS operator and a core group of talented hackers who had just formed the L0pht. To have a place to go to physically work with other hackers was a new concept the L0pht was pioneering. It allowed for shared resources and an organization that permitted working on larger hacking projects together. There was a synergy between the hackers who had different expertise. Weld was hooked. By leveraging the expertise gathered working his day job on Microsoft Windows and web server programming Weld focused his sights on breaking software that he knew best. These were products such as the Windows NT operating system and Lotus' Notes (now named Domino) software. Several vulnerabilities were found and reported to the manufacturers and the Internet community so they could better protect themselves. Weld is also a licensed amateur radio operator who is interested in radio communication systems, especially those that use data transmissions. He also enjoys keeping up with the latest in encryption technology and is an avid cypherpunk, a member of the cypherpunks Internet mailing list.

As a member and resident of the L0pht, Stefan von Neumann draws upon and contributes to the collective's wealth of information and skill. He has 16 years experience hacking in such varied subjects as telephone communications, electronics, computer networking and hardware, and high-power systems. Stefan joined the L0pht in 1993 before the L0pht had taken on its current role as an unofficial watchdog organization. He has investigated security flaws in software and hardware from Apple Computer, Inc. and has found flaws in the current system of distributing Internet data over cable television systems. He is currently most interested in and concerned with new communications media being developed. Digital communications are now sent over consumer-level cable television systems, radio-frequency broadcasts, and infra-red light broadcasts, and are planned for transmission over electrical power distribution systems. Stefan is currently investigating whether these new transmission methods are vulnerable to exploitation.

Kingpin, the youngest of the seven, has been a member of the L0pht since 1993. His specialties include microprocessor and embedded system design, electronic physical security, smart cards, wireless data transmissions and low-level software design. From his younger days of exploring the telephones and other computer systems via modem, his interests have matured into the electronics and engineering fields. To Kingpin, the L0pht is a place to go to sit back and relax after a hard day, think about and experiment with new ideas and explore just about any obscure or new technology there is. The L0pht has not only kept Kingpin from illegitimate activities, it has helped him focus his energy on positive projects. Kingpin's research topics vary quite often, as he prefers to explore the many facets of electronics and technology. Previous works include a POCSAG pager decoder, experiments with the insecurity of police mobile data terminals and surveillance/counter-surveillance tools. Current research involves experimentation in eavesdropping and monitoring of stray electromagnetic fields from computer terminals.

Hackers Are Not The 'Bad Guys'

Computer hackers are not, by default, 'bad guys'. As with any group, especially a group with a large percentage of teenagers, there are troublemakers. But, in general, hackers are respectful of other people's rights. They do not cause damage for fun. We think hackers are a national resource that should be harnessed instead of harassed by law enforcement. Hackers have a 'can do' attitude.

We would consider most of the great inventors of our time, such as Thomas Edison and Alexander Graham Bell, hackers. They took what was available to them and made something work. This is basically what hackers do. The following example illustrates the difference between 'regular' software or hardware engineers and hackers.

During the Apollo 13 crisis the Houston ground team assembled to discuss how to abort the mission. The NASA man in charge was directing some questions to the Grumman engineer about the LEM, and the Grumman engineer said, "That's not what it was designed to do." The NASA man said, "I don't care what it was designed to do. I want to know what it CAN do." They then hacked the functionality of the systems in ways that were never intended by the designers.

Why What We Have To Say Should Matter To You

Through our independent research and exploration we have found Internet and computer security to be almost non-existent. In many cases where devices and software/hardware are in place for security protection we have found that the components are either incorrectly set up or do not perform as advertised. Anyone can make a faulty computer program and sell it on the Internet as secure. If a car manufacturer did this they would be hauled off into court. With automobiles you are required to show some understanding and proficiency before you are given a license to drive. Off the shelf computer software is purchased and attached to the Internet all the time. Perhaps software manufacturers should be held accountable for robust products and possibly for educating customers in certain situations. We hope to touch upon some of our concerns and findings in the rest of this paper. We believe that our perspective is unique as it crosses the boundaries of good-guys versus bad-guys and instead looks at the situation with the ability to step back and take from both vantage points.

2. SOME OF OUR GENERAL FINDINGS
The Infrastructure Is Extremely Fragile

One of the core problems with the security and robustness of the Internet is that it was not designed to be bullet proof by today's standards. The underpinnings of the network protocols have been around for roughly 20 years now. A tremendous amount of change has brought about new ideas, and it is only logical to weld these additions onto the existing vehicle as opposed to scrapping the vehicle and starting over again. The problem comes from the weakness of the foundation. For instance, when the Army looked for a new jeep, they commissioned a design that started from the ground up and got the Humvee, a completely new and improved design. They did not take a Yugo and attempt to buttress any shortcomings. One instance of the infrastructure's fragility is that it would be trivial for one individual to knock the majority of the United States off of the Internet while remaining almost totally untraceable. We have been able to confirm this and several other attacks in our own labs that would make the Internet as a whole unusable for as long as was desired. While the benefits of commerce over the Internet are clearly present, the simple fact that the Internet was not designed for this type of activity should be kept in the minds of Corporate America.

Allow us to offer an example: In a matter of under 30 minutes, the seven individuals here could very trivially make the Internet unusable for the entire nation. Internet communication would be terminated between the US and all other countries, while internally none of the major backbone providers (MCI, AT&T, etc) would be able to route network traffic to each other (We have contributed these findings, along with many others, to the appropriate agencies). Now throw into this example the notion that telephone switches, power grids, and other critical pieces of infrastructure are becoming more and more dependent upon the continued operation of the Internet. The fact that we, without funding or aid, have discovered several of these problems leads us to believe that others have found these and many more.

The Tower-To-Aircraft Insecurity

With the introduction of ACARS (Aircraft Communications Addressing and Reporting System) this decade, the problem of a phantom controller is amplified. A phantom controller, armed with a surplus transceiver capable of transmitting and receiving in the aircraft control frequency range, and a computer and interface capable of decoding the ACARS data streams which contain Latitude and Longitude of aircraft in flight, would have a greater ability to convince unsuspecting aircraft pilots of his validity.

Software and plans to build a decoder for ACARS transmissions are easily available for download from the Internet. The software provides the user with the position of the aircraft in his area of operation, normally superimposed over a map of the local geographical area. Receiving the ACARS transmissions should not be considered a crime, nor should the transmissions necessarily be encrypted. Rather, to disable the ability of a "phantom controller" to issue commands to pilots, a method of authentication of Tower-to-Aircraft communications is clearly needed.
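The paragraph above asks for authentication of Tower-to-Aircraft messages rather than secrecy. The following is an added illustration of what that distinction means in code; it is not L0pht code, and it is not how ACARS or any air traffic system actually works. It assumes a shared key provisioned out of band (a hypothetical, constructed value) and a made-up wire format of flight|seq|text|tag. The message stays readable by anyone with a receiver, exactly as the text wants, but a message that was not produced with the key, was altered in transit, or is an old message played back again is rejected.

```python
import hashlib
import hmac

# Constructed example key. A real deployment would provision a per-aircraft or
# per-session key out of band; ACARS itself carries no such key.
SHARED_KEY = b"example-tower-aircraft-key-not-real"


def sign_message(key: bytes, flight: str, seq: int, text: str) -> bytes:
    """Build an authenticated (but still readable) clearance message.

    Wire format (constructed for this example): flight|seq|text|tag, where tag
    is HMAC-SHA256 over "flight|seq|text". The sequence number lets the
    receiver reject a replay of an old but genuine message.
    """
    body = f"{flight}|{seq}|{text}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


def verify_message(key: bytes, wire: bytes, last_seq: int):
    """Check a received message. Returns (ok, flight, seq, text).

    ok is False when the tag does not match (forged or tampered message) or
    when seq is not newer than the last accepted sequence number (replay).
    """
    try:
        flight, seq_s, rest = wire.decode().split("|", 2)
        text, tag = rest.rsplit("|", 1)
        seq = int(seq_s)
    except ValueError:
        return (False, None, None, None)
    body = f"{flight}|{seq_s}|{text}".encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return (False, flight, seq, text)
    if seq <= last_seq:
        return (False, flight, seq, text)
    return (True, flight, seq, text)


def demo():
    """Walk through a genuine, a forged, a tampered and a replayed message."""
    genuine = sign_message(SHARED_KEY, "EX123", 42, "descend and maintain 5000")
    forged = b"EX123|43|descend and maintain 2000|" + b"0" * 64  # no key, guessed tag
    tampered = genuine.replace(b"5000", b"2000")                 # body altered after signing
    return {
        "genuine": verify_message(SHARED_KEY, genuine, last_seq=41)[0],
        "forged": verify_message(SHARED_KEY, forged, last_seq=41)[0],
        "tampered": verify_message(SHARED_KEY, tampered, last_seq=41)[0],
        "replayed": verify_message(SHARED_KEY, genuine, last_seq=42)[0],
    }
```

The design choice worth noticing is that the tag adds authenticity and the sequence number adds freshness; neither hides the content, so a hobbyist ACARS decoder keeps working. What this toy leaves out, and what any real system would have to solve, is how the key gets to every aircraft and tower in the first place.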

The General State Of Security In Commercial Products Is Abysmal

Corporate America has decided to place tremendous importance and effort into conducting business over the Internet. At the same time it seems that they have placed extremely little effort into helping their customers with regards to liability and security (all the while marketing and advertising their products as "secure"). For instance, Microsoft held its head up and basically stated "use us as opposed to Unix (a non-Microsoft operating system) -- we're more secure as you can see since Unix has been around for 20 years and people have found problems with it over that timeframe. We are more secure than Unix because we are NOT Unix". As it turns out, not only did Microsoft have just as severe, if not more severe, security problems, but they showed the world that instead of looking at the competition and improving upon or fixing problems they saw, they simply reintroduced them. "Those who do not learn from the past are forever doomed to repeat it" could become Microsoft's new technological slogan. This is not due diligence. How can people or companies expect to be secure when not only the foundation but all of the additions are fragile and weak?

The marketplace for products strictly addressing security is even more appalling. When pressed, many of these companies will reluctantly admit that they have no real-world computer security experience in their engineering departments. It is the equivalent of engineers designing home security systems without any knowledge of standard burglary M.O.'s. To an unknowing consumer (and government agencies are as unknowing as every other consumer of these products), it does not even seem suspect that the alarms are only on the roof and not on the doors or windows, which were installed in your house without locks.

One particular piece of software we looked at cost well over $30k per copy. It was supposed to catch hackers as they were breaking into a company. Unfortunately, we were able to show that even an attacker with very little understanding of computer security was able to trivially bypass the auditing system. In essence, it did not work in the real world. We found a separate piece of software, sold to help secure networked computers, which ended up accidentally defeating the security of the system on its own. The act of biting one's nose off to spite one's face is alarmingly common in this marketplace.

Independent, non-biased testing organizations are crucial. Everything to do with Microsoft is extremely biased because they wield so much power. This is a problem. It seems that only totally independent groups like the L0pht or individuals are willing to publicly stand up and shout "The emperor has no clothes" when it comes to looking at the approach to security in their products. Coopers & Lybrand wrote a security white paper on Windows NT saying how great it was. This is exactly what the industry does not need. Ziff-Davis and the other computer centric magazines will not refute Microsoft claims no matter how outrageous they are. In some of our official 'day job' capacities, we have been asked by our employers to not go public with some of the problems that we have found for fear of losing the standing our employers currently have with Microsoft. This is not the route to more secure systems.

Time will determine whether or not current recommendations in the Report of the President's Commission on Critical Infrastructure Protection, October 1997, for a joint venture between the National Security Agency and the National Institute of Standards, will fill this void. This joint venture, recently announced as the National Information Assurance Partnership (NIAP) is to promote the development of objective criteria for testing and assessing the functionality and assurance of security technology and products. Tests, test methods, tools, security metrics and reference implementations will be produced and offered to private-sector laboratories to conduct investigations and produce certifications. We feel this is an admirable first step in creating an infrastructure to help police the products flooding the security market.

Example Of Large Auditing Firm Problems

So, should government agencies and others that are concerned about their computer and network security go to outside firms for external audits? Absolutely! However, there is still no way of knowing what you are paying for unless you already have the expertise in-house. The L0pht was recently given the opportunity to audit one of the larger network security auditing firms (which will be referred to as "Corp A"). Corp A had spent a relatively large sum of money and hired outside consultants to configure and install firewall software to protect their own company from the Internet. The software had been configured incorrectly, and within the first day of the audit we had broken into their financial and development machines from the Internet. One week later we had control of every multi-user machine on their network. Even after this audit and presentation of the vulnerabilities, Corp A remains vulnerable to the same problems, as they have chosen not to close the holes we pointed out to them. Corp A also continues to offer consulting and 'security' audits to corporations and agencies.

A second firm (which will be referred to as "Corp B") was contracted to perform a security audit on one of our employers. Being curious as to whether Corp B's services were valuable we were asked to perform the same audit against the same targets concurrently. Corp B handed our employers a clean bill of health while we handed our employers copies of all the sensitive data stored on the target machines. The attack we used to get into the systems was one of the first vulnerabilities any novice cracker would have attempted. Corp B did not find this hole yet claimed that they would attack the system as if they were the "hackers" that the company should be protecting itself against.

Example Of NASA / Pentagon Problems

The FBI, CIA, NSA, Pentagon, Lawrence Livermore National Labs, and NASA are just a few of the areas on the network that can and do attract cracker interest by name value alone. Agencies like NASA and various national laboratories have further problems based upon the open computing environment that has become part of their world. These open environments are usually born from academia. There is a tremendous amount of trust and sharing of information involved, which becomes ingrained in daily operations. When organizations that are steeped in these practices connect to public networks there is almost never any security in place worth mentioning. Where security has been attempted, the employees will often either accidentally or purposefully thwart the security mechanisms in order to achieve the open trust model again. It is no big surprise, nor is it a difficult feat by any stretch of the imagination, that these organizations are broken into quite frequently and repeatedly. Yet, even without any technical merit or secret techniques, break-ins to LLNL and NASA will almost guarantee big press coverage.

Excusing organizations such as Universities, LLNL, and NASA, as research is their prime directive - not security, is almost (but not quite) understandable. What excuses do agencies such as the FBI, CIA, and NSA have for publicly connected systems that are not properly secured? Computer intrusions into military computers connected to public networks are not new, and the government has known about these problems for a long time but has not adequately responded. In 1991 during the Gulf War some crackers from the Netherlands penetrated 34 DoD sites. They obtained information related to personnel, logistics and weapon system development. The telling fact is that publicly known vulnerabilities were used to break into the systems. This information was given at Hearings before the Subcommittee on Government Information & Regulation, Committee on Governmental Affairs, United States Senate, 20 November 1991.

If a computer is broken into using a vulnerability that is publicly known, then the person responsible for securing that system is not doing their job. All of the recent press "computer cracks" have been through known vulnerabilities. If the system manufacturer has released a workaround or a patch, it should be installed on the vulnerable systems. If there is no fix, it may be necessary to turn off some services or disconnect the machine from the network to protect it. Manufacturers of software need to respond quickly to these known vulnerabilities, especially if they are touting their software as 'secure', as everyone seems to be these days. Sometimes a system is broken into using a previously unknown vulnerability. There is really nothing a system administrator can do for this case except to badger the manufacturer of the software to test their products more thoroughly before selling them. The software industry is highly competitive, and companies gain huge advantages from being the first to market a particular feature. Unfortunately, quality and security can suffer in this time-to-market rush. This raises an important issue now that DoD and other government agencies have decided to embrace 'off the shelf' software. They are now buying software that has reduced cost but may have many features that they don't need, which could lead to security problems. The software could have been rushed to market. These 'hidden' security costs need to be accounted for.

Why Trust Models Do Not Work On The Internet

Trust between systems on the Internet is a very convenient way of facilitating work. In organizations it is often essential for productivity; the R&D file server needs to trust the developers' machines as they are all contributing to the same project. It does not make sense for all of the individuals to be isolated into little pockets when they need to share their information with each other. This type of interaction is seen in the real world over and over. This was indeed how the Internet grew up.

However, without boundaries between groups that should have access to items and data and groups that should not - trust is extended indefinitely. As with any trust model you are only as strong as your weakest link. If person A trusts person B with a secret and person B trusts person C, person C will be able to learn person A's secret. Take this notion and throw several million people into it. Now, quickly point out which one of these millions of people is the weakest link. Not a very easy task, especially when several thousand are in the 'pretty weak' category to begin with. Welcome to the Internet as it is today.
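The A-trusts-B, B-trusts-C chain above is a reachability problem, and it is worth seeing how quickly it identifies the weakest link once trust relationships are written down. The following is an added example, not L0pht code, over a small constructed trust graph with placeholder host names: an edge from A to B means A trusts B, so whatever A holds can be read from B. It computes who can learn each host's data transitively, ranks hosts by how much a compromise of that one host exposes, and shows what drawing a single boundary (removing one trust edge) does to that exposure.

```python
from collections import deque

# Constructed trust graph: an edge A -> B means "A trusts B", so whatever A
# holds can be read from B. Host names are placeholders, not real systems.
TRUST = {
    "hr-fileserver": ["payroll-app"],
    "payroll-app": ["admin-workstation"],
    "admin-workstation": ["home-pc"],
    "rnd-fileserver": ["dev-box-1", "dev-box-2"],
    "dev-box-1": ["home-pc"],
    "dev-box-2": [],
    "home-pc": [],
}


def who_can_learn(trust, owner):
    """Every host that can reach owner's data by following trust transitively."""
    seen = set()
    queue = deque(trust.get(owner, []))
    while queue:
        host = queue.popleft()
        if host in seen:
            continue
        seen.add(host)
        queue.extend(trust.get(host, []))
    return seen


def exposure(trust):
    """Map each host to the set of owners whose data a compromise of it reveals."""
    result = {host: set() for host in trust}
    for owner in trust:
        for host in who_can_learn(trust, owner):
            result[host].add(owner)
    return result


def weakest_links(trust, n=1):
    """Hosts whose compromise exposes the most data: the links to look at first."""
    exp = exposure(trust)
    return sorted(exp, key=lambda h: (-len(exp[h]), h))[:n]


def with_boundary(trust, truster, trusted):
    """Copy of the graph with one trust edge removed, i.e. one boundary drawn."""
    return {
        host: [t for t in targets if not (host == truster and t == trusted)]
        for host, targets in trust.items()
    }
```

In the constructed graph nobody ever decided that the HR file server should trust a home PC, yet home-pc comes out as the weakest link because three hops of perfectly reasonable local trust lead there. Cutting the one admin-workstation to home-pc edge removes HR and payroll data from that machine's reach, which is the "bubble around the group" the next paragraph talks about.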

How does one extend trust in a secure fashion to remote offices that are only connected to each other over the Internet? What does the mobile or remote employee do? There are many cases where making a tight bubble around the group that needs to trust each other becomes quite difficult. It needs to happen but cannot and will not without education of end users and administrators. Think about the following situation: A power company has their central power grid control and maintenance system remotely accessible to their field technicians. Since they have hundreds of field technicians they have one access account, 'maintenance', with a password of 'electric'. Trust has just been extended all across the area that the field technicians move throughout. If the system is connected to the Internet and the technicians access it that way, then this notion of trust can be very dangerous. This does not even bring into play the lack of auditing, authentication, and non-repudiation. Do you think that nobody engages in activities like this? Federal Express uses this model for the lock combinations on their package 'drop-boxes'. It did not take the underground world long to learn this and take advantage of it.

It's Not Just That The Data Gets From Point A To Point B Safely

Many people still remember when families in the same area had 'party-line' phone service. If you needed to use the phone you would pick it up and listen to see if any of your neighbors were already using the line. Out of common courtesy one was expected to hang up the phone if it was already in use. This is how large parts of the Internet operate. Computers share a common connection and look at the addresses on the data that goes across it. Each system has to examine at least the beginning of the data to see if it is intended for itself or for someone else. If the data is intended for the machine that looked at it, the data is examined in more detail. There is very little stopping systems from examining data that traverses the shared media but is not destined for them.
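The party-line behaviour described above, as an added example that is not part of the original testimony: a station on a shared segment receives every frame, and the only thing that stops it reading frames addressed to another station is a filter in its own network interface that can be switched off ("promiscuous mode"). The frames below are constructed inline with minimal Ethernet, IP and TCP headers and zeroed checksums; the MAC and IP addresses and the FTP-style login are made up.

```python
"""Shared media: every station sees every frame; only a convention keeps it
from reading the ones addressed to others.

Added example, not from the testimony. Frames are constructed inline with
minimal headers and zeroed checksums; addresses and the login are made up.
"""
import struct

BROADCAST = b"\xff" * 6


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 (no options) + TCP (no options). Checksums are
    left at zero; a real stack computes them, a sniffer does not need them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, 5 << 12, 8192, 0, 0)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + tcp + payload


def parse_frame(raw):
    """Decode just enough of a frame to know whom it is for and what it says."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    frame = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "payload": b""}
    if ethertype != 0x0800:            # not IPv4: stop at the link layer
        return frame
    ihl = (raw[14] & 0x0F) * 4         # IP header length in bytes
    frame["src_ip"] = ".".join(map(str, raw[26:30]))
    frame["dst_ip"] = ".".join(map(str, raw[30:34]))
    if raw[23] == 6:                   # protocol field: TCP
        tcp = raw[14 + ihl:]
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
        frame.update(sport=sport, dport=dport,
                     payload=tcp[(off_flags >> 12) * 4:])
    return frame


def received(wire, my_mac, promiscuous=False):
    """What one station hands up to its application layer. Normally the
    interface drops frames not addressed to it (or to broadcast); in
    promiscuous mode that filter is simply switched off."""
    mine = mac_bytes(my_mac)
    return [parse_frame(raw) for raw in wire
            if promiscuous or raw[:6] in (mine, BROADCAST)]


def passwords_seen(frames):
    """The cheapest possible sniffer: pull cleartext PASS lines out of
    whatever payloads came past."""
    return [f["payload"] for f in frames if f["payload"].startswith(b"PASS ")]


# Constructed traffic on one segment: a login to an FTP server and, from a
# different pair of hosts, an unrelated web request.
WIRE = [
    build_frame("00:00:0c:11:11:11", "00:00:0c:22:22:22",
                "10.0.0.1", "10.0.0.2", 1025, 21, b"USER alice\r\n"),
    build_frame("00:00:0c:11:11:11", "00:00:0c:22:22:22",
                "10.0.0.1", "10.0.0.2", 1025, 21, b"PASS hunter2\r\n"),
    build_frame("00:00:0c:33:33:33", "00:00:0c:44:44:44",
                "10.0.0.3", "10.0.0.4", 1026, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    bystander = "00:00:0c:33:33:33"
    print("polite:", len(received(WIRE, bystander)), "frame(s)")
    print("promiscuous:", passwords_seen(received(WIRE, bystander, True)))
```

The bystander station is only ever addressed by the third frame, yet with the filter off it reads the FTP password from the first conversation. Nothing in the protocol prevented that; this is the case for encrypting interactive sessions that is made later in the testimony.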

This problem has been known about since the beginning of the shared media implementation. One of the main routes that companies are taking in securing this is to protect the information as it travels from point-A to point-B. Encryption is being used to guarantee that others cannot look at information that is not intended for them while it is in transit. While this might protect a company from someone stealing credit cards as they are transmitted back and forth it misses a very important area: What happens to the information at the end-points. This becomes even more disturbing when one notices the false sense of security that is created. The buzz words of "it's safe because it's encrypted" seldom make us sleep well at night. Banks have strong vaults at the end points and then move their valuables back and forth in armored transports. People are currently being sold the notion that their information is safe because, through whatever add-on components, the armored transports can be used over the Internet. Nobody is being told the truth that the end-points the delivery goes between are paper bags - not vaults. In the cases where the encryption has been implemented correctly we have often found that the security around the final containers was woefully inadequate.

There Is No Independent / Non-Biased Organization To Watchdog The Claims Of Network Security Products

Software is totally different from other 'certified' products; compare an automobile crash test. When you add a new tail light to a car, the component is fairly isolated from the rest of the car. If it fails it usually does not make the car drive off the road or even stall. Software features, on the other hand, can cause catastrophic failures in completely different parts of a software system. Changes to security components can have wide-ranging effects because they are so central to the operation of a computer system. You can crash test a model of a car and it does not matter what kind of radio it was purchased with or whether minor changes were made to it; the crash test is still valid. Software that is certified cannot be modified AT ALL or it will need to be recertified.

Unlike a car, which only has a few configurations, software is almost infinitely configurable. There are many settings and services that can be enabled or set up in many ways. One configuration could have a huge security vulnerability where a slightly different one does not. This means that not only does the underlying operating system or application software need to be certified, but each unique computer system with its own unique configuration needs to be certified. It is going to be very difficult to certify security in software, but it must be done. Otherwise there is no way to know what you are buying and there is no liability on manufacturers. If you configure NT properly and someone still breaks in and disrupts your online commerce site, Microsoft just says, "sorry". Even Kryptonite backs its bicycle locks with a warranty to replace your bike for up to $1000. The Kryptonite locks cost roughly $30, while corporations throw millions of dollars at Microsoft without any liability.

Certifying products is going to be expensive. It is also going to take time. There are only so many people who have the expertise to try to break software security. Certifying individual computer systems with their unique configurations can probably be done in an automated way with scanning software, but certifying the operating system or application software will take much more detailed human review.

Education Is Necessary

One of the prime missions of the computer underground is the spread of knowledge. Hackers proudly publish their discoveries: first on BBSs, then on Internet mailing lists, and now most often on our own web sites. The L0pht has always maintained a large online library for anyone to connect to and learn from. The culture of learning as much as you can about different subjects permeates the hacker culture.

Unfortunately the rest of society is not so enthused when it comes to learning about computer and communications security. Most people who operate these systems want to know the bare minimum it takes to do their jobs and nothing more. Currently, knowing little or nothing about computer security is the standard for people who operate these systems. Knowledge of computer security must become a requirement for people who connect any machine to a public network.

Nearly every part of society (individual citizens, libraries, schools, corporations, and federal, state, and local government) is connected to the Internet now. Every part has resources it needs to protect. The level of education of these different parts varies widely. Corporations or government agencies that have valuable resources to protect usually have some education when it comes to computer security, but even here we have seen huge problems. Others usually have no education in the subject.

It is clear that more education is required, but where will it come from? Manufacturers of software and computer systems are a good place to start.

Just as a car owner's operating manual covers safety features and good operating practices, computer owner's manuals should do the same. Car manufacturers are held liable if features of their cars are hard to use correctly or if car owners are not warned properly about how to use them. If computer manufacturers were held to the same standards then they would have a vested interest in educating their users.

Educating individual users who may just use a personal computer at home on the Internet is important. Any computer connected to the Internet can be used to attack any other computer. This means that attackers can use other people's computers as 'stepping stones' to reach their final target. This gives the attacker more anonymity and the power to direct an attack from several places at once. So not only can an individual's files be stolen or destroyed, but their computer could be used unwittingly in an attack on another system.

This is why everyone needs to be made aware of basic computer security procedures such as using strong, un-guessable passwords, configuring their computers properly, and not becoming the victim of computer viruses.

It Is Not Too Difficult To Raise The Bar

The objective of any security effort should be to decrease risk to assets through the application of security mechanisms. The level of security is most often determined by the cost to protect assets versus the value of those assets. Out of this practicality, an industry has arisen to address security by providing the owners of computer systems with low cost, robust, unobtrusive solutions to the core problem areas in computer and network security. Application of these security technologies is key to the execution of a number of the components of a diligent security effort.

A security effort may consist of a wide range of in-house and outsourced staff. Traditional computer and network security efforts range from models where the administrators bear a distributed responsibility for security with little or no guidance from management, to organizations with a security department responsible for writing policies, educating users and management, administering users, vulnerability testing and administering firewalls. Some go further yet and have fully matured into organizations adding real-time intrusion detection and incident response capabilities to their arsenal. Security efforts at the classified level should potentially include an R&D effort: seeking out new attack methods, automating probes for identifying vulnerable systems, and fabricating a defense method potentially incorporating identification of the attacking system and/or a counter-attack.

Policies, standards and procedures will define the success of the security effort. Policies document the network owner's expectations and buy-in to the security effort. Standards and low level procedures will guide computer and network administrators in running a secure network. Together, this documentation may be used as a tool by the administrators to prevent insecure computing practices by the user community and vendors as well as other administrators. Upper management buy-in is essential for the enforcement of any of these important elements of a security effort, especially where computer based enforcement mechanisms are not available.

No security effort can expect to stop all attacks. A professional security effort should, however, be able to fend off the "ankle-biters" who are simply using programs and scripts written to document and test for well known vulnerabilities in systems. If your system is penetrated by an ankle-biter, then the security effort at the organization is not being utilized, the problems are not being assessed, or the findings are being ignored. There are a number of suppliers of vulnerability testing software. Several commercially available network scanning tools will assess the security of a specified computer across the network. Such tools are effective for assessing the level of risk that individual machines might present against the novice or "ankle-biter" level of attacker. One must not get too confident about the results of these tools, as they are not a panacea and some vendors' tools work better than others. Still, they are an excellent starting point in auditing your systems. Once inside a system, an intruder typically has only partial access to the system. The Information Security department needs to worry at this point about where the intruder can get to and what levels of access they can fool the system into giving them. There are several free software packages, which we have found to work better than most of the commercial ones available, that assess a computer from the "inside", helping prevent an intruder from elevating their level of privilege once inside the system. Together, these two kinds of tool, or ones like them, may be used on a regularly scheduled cycle to help satisfy this component of the security effort. Even in places that are pursuing this form of due diligence we all too often find that, even though the tools might be in place to "raise the bar", the results are being ignored.

Before even attempting to assess the level of risk to a computer or network, there are some baseline measures which may be taken that work toward "raising the bar", so that administrators are not overwhelmed after the first risk assessment. The single act of using encrypted communications for interactive sessions with Internet hosts takes away many of the passive monitoring attacks. Another measure is to ensure that all computers are "up to patch level", meaning all software on all computers is the newest version with all the latest "fixes" from the company that wrote the software. This ends up being helpful in preventing older attacks, but the administrator and management must keep in mind that the patches out of the vendors are usually 6 months behind the date that the attackers know of the problem. This would not be as much of a problem if the vendors were producing more thoroughly tested and robust software from the beginning. Firewalls and other mechanisms which enable finer granularity of access control to be placed on components of the network and on local file system access are essential, largely due to the lack of security measures in the existing infrastructure.

Once policies, secure computing mechanisms, and a risk assessment cycle are in place, an effort should be made to educate the users of the computers as to the policies that affect them. They should be provided with a publication of some sort documenting "appropriate use" of the computing facilities and their responsibilities with regard to the security of those facilities. The user community should then be assisted in adjusting to any necessary changes in behavior, periodically updated on changes and refreshed on important policies. Finally, the public must be educated so that it may, in an informed manner, endorse government initiatives to ensure security as well as the government's response to incidents it encounters. Additionally, well trained administrators are essential in responding to the findings of a risk assessment. Administrators must not only be trained in their specific job function, but must also understand security and secure computing practices, as well as how to deal with threats and incidents.

The adoption of intrusion detection is a sign of maturity in a security effort, even if many of the implementations of it are not adequate for the real world. Network intrusion detection will work best at the end nodes for many reasons, not the least of which is that end nodes handle the data sent to them in different ways, and that handling cannot be inferred from a passive monitoring point in the middle of the network.
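The point about the middle of the network versus the end node deserves a concrete case. What follows is an added example, not code or data from the testimony: a sender splits a request into TCP segments so that the same byte range is transmitted twice with different contents. A monitor in the middle must pick one copy to reconstruct the stream; the end host picks according to its own stack's overlap rule, which the monitor cannot observe. The two overlap policies below are simplifications of the kind of difference real stacks show and are not a description of any named system; the segment sequence and the `/cgi-bin/vuln` signature are constructed stand-ins.

```python
"""Why a passive monitor in the middle cannot know what the end host saw.

Added example, not from the testimony. The segments are constructed; the
two overlap policies are simplifications, not a description of any named
TCP implementation.
"""


def reassemble(segments, policy):
    """Rebuild a TCP byte stream from (seq, data) segments, resolving
    overlaps per `policy`: 'first' keeps the bytes that arrived first,
    'last' lets a later segment overwrite earlier bytes."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            offset = seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    return bytes(stream[k] for k in sorted(stream))


def contiguous(segments):
    """True when the segments cover every offset from the lowest seen
    upwards with no holes, i.e. the stream is complete enough to inspect."""
    covered = {seq + i for seq, data in segments for i in range(len(data))}
    if not covered:
        return True
    return covered == set(range(min(covered), max(covered) + 1))


def overlap_ambiguous(segments):
    """A monitor's own sanity check: if two overlapping segments carry
    different bytes for the same offset, whatever it reconstructs depends
    on a policy it cannot verify. The safe reaction is to alert on the
    inconsistent overlap itself rather than trust either reconstruction."""
    return reassemble(segments, "first") != reassemble(segments, "last")


def matches(stream, signature):
    """The only thing a signature-based monitor can do with the stream."""
    return signature in stream


# Constructed attack traffic: offset 13..16 is sent twice, first as a
# harmless name and then as the one the monitor is looking for.
SEGMENTS = [
    (0,  b"GET /cgi-bin/"),
    (13, b"safe"),              # arrives first
    (13, b"vuln"),              # "retransmission" of the same range
    (17, b" HTTP/1.0\r\n"),
]
SIGNATURE = b"/cgi-bin/vuln"      # stand-in for a real signature

if __name__ == "__main__":
    for policy in ("first", "last"):
        stream = reassemble(SEGMENTS, policy)
        print(f"{policy:5s}: {stream!r} alert={matches(stream, SIGNATURE)}")
    print("inconsistent overlap:", overlap_ambiguous(SEGMENTS))
```

A monitor that keeps the first copy reports a clean request; an end host that keeps the last copy serves `/cgi-bin/vuln`. Only the host knows which bytes it actually acted on, which is the reason the testimony puts detection at the end nodes. A monitor in the middle can at least notice, via `overlap_ambiguous`, that it is being asked to guess.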

A truly mature and professional security effort will have a well defined series of incident response procedures in place. In the event of an intrusion, a well planned response will have a far better chance of yielding positive results. Ill-conceived responses may reveal an immature security organization or turn a simple intruder into a malicious one. A well planned response will take into account the nature of the intrusion, the consequences or potential consequences, the originating state or country, and the skill level and information available on the intrusion, among other things. Procedures, scripts and templates should be put into place with legal counsel to assure a consistent, predictable response to incidents. Just like car alarms and car thieves, if someone really wants to steal your car they will be able to. However, if they are just looking for an easy mark they will walk to the next car that does not have an alarm installed. Similarly, if your company achieves a reputation for going after attackers then the word will spread and attackers will look for easier marks.

For an administrator to respond to newly discovered vulnerabilities, the administrator must understand the attack method and decide for themselves how to defend against it. Regardless of the availability of a "fix" from the vendor, the vulnerability exists and must be defended against once identified. Any clearinghouse for computer security information must fully disclose all information pertinent to a vulnerability within a short time of its discovery. Vendors and "old-boy" networks of information exchange alone do not work. Vendors should be given advance notice to prepare a "fix" but must not delay the timely announcement of the vulnerability to the consumers affected. A detailed description of the attack is necessary for administrators to decide how best to protect themselves from the threat. This is especially essential when there is no vendor-provided "fix" available. This particular approach is what has earned the L0pht its reputation. We have provided a valuable service to systems administrators over the last four years where others have consistently failed to provide that value.

By applying these technologies in a meaningful way, network administrators may "raise the bar", fending off the ankle-biters in an automatic fashion and allowing them to concentrate their efforts on being proactive and responding to the serious threats as they arise. This is key to the success of the security effort. By achieving such a baseline of security, public confidence is increased, as the majority of attacks are thwarted and those that are successful elicit a meaningful response. Again, the technologies are readily available and are even low cost or in many cases free. When proper policies, education and incident response are not in place, however, the implementation of the technologies will fail. Unfortunately these are the components of the security effort that you cannot buy; you have to build them.

3. WHAT WE WOULD LIKE TO SEE HAPPEN

Understanding Of The New Threat Model

It sure seems as though the era of 'our hardware' versus 'their hardware', 'our software' versus 'their software', and 'us' versus 'them' has faded into the background. Our hardware is the same Intel/AMD/Motorola/Sparc processors as theirs. We all run the same operating systems, and the 'us' versus 'them' has been replaced with 'us' referring to the government and 'them' now being 3 billion people with Internet access and no geographical or profound political boundaries. Now the government has to contend with a new threat that contains no cold hard boundaries.

How does the government turn its eyes inward on the people it is sworn to protect and in many cases not legally allowed to watch? Does big brother rear its ugly head, or is McCarthyism to come back en vogue? Neither of these options will work. Neither will the key escrow that the government is attempting to push for.

From a defensive standpoint the playing field needs to be raised to the level where auditing and accounting mechanisms are robust enough and the tools you are attempting to protect become reliable enough that even when someone attacks you it is instantly obvious and detectable.

Offensive standpoints should be looked at from various angles remembering that crippling or weakening the common components only ends up penalizing the legitimate users.

Understanding Of Severity / Skill Level Of Attacks

The media has been largely atrocious in its understanding of hi-tech attacks. When a street thug shoots and kills somebody you seldom see the press jump up and say 'brilliant misfit who understands spontaneous combustion and projectile ballistics kills teen'. Did the street thug understand the chemical reaction that was happening when the hammer of the gun made contact with the bullet in the chamber? Probably not. Yet every time a machine is 'cracked' on the network the media jumps up and praises the misunderstood "brilliant child". Yes, there are some very ingenious hacks and hackers out there on the net, the same way that the people who invented guns and gunpowder were very bright. The few ingenious hackers out there might put together a program that demonstrates a flaw or vulnerability; this does not mean that everyone who follows the cookie cutter instructions and executes the program is at the same level, much the way that everyone who pulls the trigger of a loaded gun does not necessarily understand trajectories, velocity, and combustion. With the sensationalism attached to largely trivial attacks it is no surprise that more and more people will want to, and be able to, cash in on their 15 minutes of fame by going after high profile targets. We don't believe these particular people should be feared, nor do we feel that harsh repercussions are appropriate. If the gun analogy were in use, this would be a situation where it is easy enough to provide all people with bullet proof vests that are unseen and always worn. The people you would not be protected against are at a much higher level. The point is that these people would now be the minority. The majority of the problem would be addressed and that is a great start.

Yes, there are people out there that are amazingly adept and technically skilled. You will not see the media talking about them. Our government has them as do other governments (along with plenty just being out there on their own). You will not be able to keep these people out in most situations. If the L0pht had to or wanted to achieve access to a computer on a network badly enough we could and would. The difference is being able to differentiate between the real concerted and skilled attacks and the noise level created by all of the joy riders and door knob turners.

Willingness Of Corporations To Consider Security Aspects From Product Inception As Opposed To 'Afterthought'

Just as in any engineering project such as building a car or a building, the earlier in the process that critical features are designed in, the better the end product. It is cheaper to build and it works better. Just like a car sunroof that is not installed in the factory sometimes leaks, security patched onto an operating system after the fact can also leak.

Security needs to be thought about and designed into software or communication systems at the very beginning of the design process. It is cheaper in the long run for manufacturers to do it this way but market pressures usually force a short term mentality. They think that if a problem is discovered they will patch it later. The problem with this is that computers may lie vulnerable to attack until the manufacturer is notified of a problem and then fixes it.

The L0pht always makes its security vulnerabilities public but there are many people and organizations in the world that do not do this. They keep secret the flaws they have found and use them in attacks knowing that they will always succeed. If manufacturers keep up with the 'ship it and patch it later' mentality then the unpublished vulnerability is always going to be a risk.

Security must be designed into the initial architecture of the computer and communications systems by people educated in good security design. Then as the product is built security code reviews must be done by security experts on the software's source code. Finally extensive testing must be done to see if the system can withstand attacks. The earlier problems are found in the development process the cheaper it is to fix and the better the end result. Problems found after a system is deployed can have severe consequences to the users of those systems.

Use Of Authentication And Encryption

For some time now, authentication has been in use within governmental and military telecommunications systems. However, authentication has been lax in the sensitive utility, financial, law enforcement, and medical communities. For example, medical records, when transferred from one site to another, should be encrypted when sent over an unsecured channel such as the Internet. However, an agency-wide change in policy that is to be received by many individuals would be better served by authentication.

One should authenticate almost always where time and resources exist. Encryption should be used when the content of the transmission is sensitive or of a compromising nature and usually intended for one recipient. Authentication should be employed if the information within the transmission is common or to be received by many recipients.

The L0pht recommends that a plan to implement Authentication in Law Enforcement (National and State agencies) and National Infrastructure Communications system be employed in dispatch communications to prevent the transmission of unauthorized commands over the radio channel, while encryption should continue to be used to protect sensitive tactical operations.

The amount of radio and data communications equipment in the surplus markets, coupled with inexpensive powerful computers, makes it relatively easy for non-trusted parties to monitor and participate on digital communication channels. This alone establishes the requirement for authentication systems like those currently used in the military arena to be transferred into commercial and public two-way communications systems.

Whether to use authentication or encryption depends on the sensitive nature of the transmission and the intended audience. The location of aircraft and air traffic control is useful to many agencies that do not necessarily need to transmit to control towers. There is actually no need to encrypt air traffic control communications. Rather, you want to be sure that an instruction from the Control tower is indeed from that source. Hence the control tower should authenticate its transmissions to the aircraft in the area.
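The tower-to-aircraft case above, as an added example that is not part of the original testimony: the instruction itself stays in the clear so every listener still benefits from it, but it carries a tag the aircraft can check, plus a monotonic counter so that a recording of an old, genuine instruction cannot be played back later. Call signs, keys and messages are constructed. HMAC-SHA256 is used because it is in the standard library; a shared MAC key means every receiver can also forge, so for a one-to-many broadcast a public-key signature is the better primitive. The verification structure (check the tag under the key for that source, then check the counter, only then act) is the same either way.

```python
"""Authenticate the instruction; do not necessarily hide it.

Added example, not from the testimony. Keys, call signs and messages are
constructed. HMAC-SHA256 stands in for a signature; see the caveat above.
"""
import hashlib
import hmac
import struct


def _encode(source, counter, message):
    # Length-prefix each field so that "AB"+"C" and "A"+"BC" cannot collide.
    src, msg = source.encode(), message.encode()
    return (struct.pack("!H", len(src)) + src
            + struct.pack("!Q", counter)
            + struct.pack("!H", len(msg)) + msg)


def _tag(key, source, counter, message):
    return hmac.new(key, _encode(source, counter, message), hashlib.sha256).digest()


class Transmitter:
    """The tower. Every transmission carries a counter that only goes up."""

    def __init__(self, call_sign, key):
        self.call_sign, self.key, self.counter = call_sign, key, 0

    def transmit(self, message):
        self.counter += 1
        tag = _tag(self.key, self.call_sign, self.counter, message)
        return (self.call_sign, self.counter, message, tag)   # all in the clear


class Receiver:
    """The aircraft. Acts on a transmission only if the tag verifies under
    the key held for that call sign and the counter is newer than the last
    one accepted from that source."""

    def __init__(self, keys):
        self.keys = keys            # call sign -> key (constructed key table)
        self.last_counter = {}

    def accept(self, transmission):
        source, counter, message, tag = transmission
        key = self.keys.get(source)
        if key is None:
            return False, "unknown source"
        expected = _tag(key, source, counter, message)
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return False, "bad tag"
        if counter <= self.last_counter.get(source, 0):
            return False, "replay"
        self.last_counter[source] = counter
        return True, message


def run_exchange():
    """A constructed session: genuine, replayed, tampered and forged
    transmissions, in that order. Returns the aircraft's verdict on each."""
    key = b"constructed-tower-key"
    tower = Transmitter("TOWER", key)
    aircraft = Receiver({"TOWER": key})
    t1 = tower.transmit("descend to 3000")
    t2 = tower.transmit("hold at 5000")
    tampered = (t2[0], t2[1], "descend to 1000", t2[3])   # message altered
    forged = Transmitter("TOWER", b"wrong-key").transmit("descend now")
    return [aircraft.accept(t1), aircraft.accept(t1),
            aircraft.accept(tampered), aircraft.accept(forged),
            aircraft.accept(t2)]


if __name__ == "__main__":
    for verdict in run_exchange():
        print(verdict)
```

The order of the checks matters: the tag is verified before the counter is consulted, so an attacker cannot use unauthenticated counters to push the receiver's replay window forward and lock out the real tower.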

Complete encryption of radio dispatch communications is counter-productive, as many civil and local organizations utilize these communications during environmental and national emergencies. Amateur Radio operators use these communications to better coordinate relief assistance and provide emergency communications when traditional methods are disabled. It is important not to alienate these resources.

POCSAG, RDLAP, ARDIS, FLEX, MDC4800, AX25, CDPD and a host of other communications should be encrypted. These are private communications protocols intended only for the recipient. You don't want people viewing NCIC records being transmitted from the police head-end to the patrol car. You don't want people pulling identities, birth dates and social security information out of the air. More and more automated computer security systems page system administrators when an intruder is detected or when a system resource is failing. Shipping manifests can be pulled out of the air by eavesdropping on the wireless digital transmissions from PDAs (Personal Digital Assistants) in ship and train yards.

The "security" on many of the wireless transmission services is practically nonexistent. In the case of paging services, the POCSAG, FLEX and GOLAY signals are all sent in clear text, non-encrypted form. This allows any radio enthusiast, with a handful of off-the-shelf electronic components, to receive these transmissions, which might contain sensitive information. Take the case, for example, of the person who intercepted (and subsequently released publicly) the paging traffic related to one of President Bill Clinton's trips. Information within these paging transmissions included where and when President Clinton's airplane would be landing, where to pick up associates, and the overall movements and actions of the travelling party.

The mobile data terminals, the terminals used in police cars to transmit and receive criminal records, warrant information and license plate information, are another case of clear text data transmissions. Using the same electronic components mentioned above, one can easily intercept the transmissions from the police station "base" to the police car and vice versa. By doing so, one receives various information related to the NCIC database: identities, birth dates, addresses, social security information, and car and license plate information. It is also a trivial task not only to intercept this traffic, but to generate your own radio transmissions, spoof authentication, and gain access to these same databases from the comfort of your own home.

Sensitive information, such as mentioned above, should be encrypted. The transmission methods of police departments around the country are still plain text and only a handful of police departments have upgraded to a more secure digital transmission method.

One should never put inherent trust in a transmission medium just because it is uncommon. New transmission methods are being hailed as "secure" when they are not. Over and over you hear claims that spread spectrum systems are inherently secure because of the way they "spread" the spectral density of a transmission over an area of the frequency spectrum. A frequency hopping system transmits a portion of the message on a frequency and then jumps to the next frequency, transmits a portion, then jumps to the next frequency, ad nauseam. These systems have been used for the past 30 years in the military sector, and many papers on how to intercept and jam these communications methods are publicly available. Governments and commercial endeavors alike think individuals with mal-intent are stupid and do not read the research papers put out by the IEEE, CTIA, and academia. We beg to differ. They are out there and they read these materials.

There are two major reasons the United States telecommunications and communication manufacturers do not secure their networks:

  1. They are under pressure from Law Enforcement to provide a backdoor (key escrow) into their crypto systems, and to bear the cost of providing it. This makes their systems undesirable for export because other countries do not want the United States to potentially have a back door into their communications infrastructure.
  2. They cannot export strong cryptographic systems overseas due to restrictive United States crypto export policy.

These two factors, in our opinion, are large contributors to the lack of security in the National Information Infrastructure.

Change In Current Legislation

Enacting restrictive laws such as the Cellular Telephone Protection Act will lead to a slippery slope. The CAUSE of the problem needs to be treated, not the EFFECT. Upgrading the cellular telephone system to use an encrypted digital transmission method will remove, at least temporarily, the problems of cellular phone cloning and fraud, as well as ensure privacy between the two communicating parties. Prohibiting citizens from using a scanning receiver simply will not get rid of the problem, merely hide it.

The L0pht finds that The Cellular Telephone Protection Act (S.493) does nothing to solve problems and criminalizes many law abiding citizens. Unneeded legislation banning the sale of scanning receivers that can receive the cellular bands does nothing to stop the fraud and abuse that plagues the Cellular industry. The problem is the data channels used to recognize a valid phone are transmitted "in the clear" which allows cellular pirates to snatch valid cellular telephone identification credentials to create cloned phones. Simple data scrambling would hinder the cellular pirate industry while strong encryption would eliminate the problem of stealing the information from the air entirely.

On the subject of listening to the conversations: tone masking, time element scrambling, or a host of digital scrambling methods could easily be employed which would hinder the enthusiast, while, again, encrypting the speech channel would prevent the ordinary citizen, the criminal, and the federal government alike from monitoring private cellular communications. Hopefully technology resulting from the NSA's Operation CONDOR to provide secure communications to Government, Military, and Law Enforcement officials will eventually trickle down into the commercial markets.

Some recent changes to the Cellular Telephone Protection Act make it illegal to have in your possession a receiver capable of receiving the cellular band, a cellular phone, and software to change the identity of a cellular phone, thereby criminalizing individuals who legitimately would like to reprogram their own telephone with the identity of another phone they currently own. It is the equivalent of wiring an additional telephone into your home. Instead of making it difficult for criminals to extract the information anonymously over the air, possession of legitimate equipment and software is made a crime.

The L0pht also recommends the relaxation of crypto export laws to empower the United States software security industry. On the issue of research into key recovery systems, we feel that this research is very important and should continue, HOWEVER, the resultant technology should allow data warehouses, companies and private citizens to access their protected information in the event of key loss. The escrowed key would remain in the possession of the owner of the information, not a third party. Escrow with a third party cannot be allowed to continue.

Incentives

Many computer and communications manufacturers wash their hands of any liability if their product fails. Nowhere is this more prevalent than with software manufacturers. Since software is not legally owned but licensed to the end user, software manufacturers are able to craft an extremely restrictive license agreement which gives the end user no rights. If the software completely fails you usually have no recourse except a refund. This is very different from most products, where the manufacturers are liable for the damages their products cause.

Software should be held to a higher standard than it is now. Users should demand better licenses. If companies were liable for product failure then they would have incentive to design security into their products earlier, to test the security features better, and to educate their users.

We appreciate the opportunity to share our viewpoints in this forum and hope they were in some way beneficial and helpful.