Maximum Security:

A Hacker's Guide to Protecting Your Internet Site and Network



8

Internet Warfare

The Internet is an amazing resource. As you sit before your monitor, long after your neighbors are warm and cozy in their beds, I want you to think about this: Beyond that screen lies 4,000 years of accumulated knowledge. At any time, you can reach out into the void and bring that knowledge home.

There is something almost metaphysical about this. It's as though you can fuse yourself to the hearts and minds of humanity, read its innermost inspirations, its triumphs, its failures, its collective contributions to us all. With the average search engine, you can even do this incisively, weeding out the noise of things you deem nonessential.

For this reason, the Internet will ultimately revolutionize education. I'm not referring to home study or classes that save time by virtue of teaching 1,000 students simultaneously. Although these are all useful techniques of instruction that will undoubtedly streamline many tasks for teachers and students alike, I am referring to something quite different.

Today, many people have forgotten what the term education really means. Think back to your days at school. In every life there is one memorable teacher: One person who took a subject (history, for example) and with his or her words, brought that subject to life in an electrifying display. Through whatever means necessary, that person transcended the identity of instructor and entered the realm of the educator. There is a difference: One provides the basic information needed to effectively pass the course; the other inspires.

The Internet can serve as a surrogate educator, and users can now inspire themselves. The other night, I had dinner with a heavy-equipment operator. Since his childhood, he has been fascinated with deep space. Until recently, his knowledge of it was limited, primarily because he didn't have enough resources. He had a library card, true, but this never provided him with more than those books at his local branch. Only on two occasions had he ever ordered a book through inter-library loan. At dinner, he explained that he had just purchased a computer and gone online. There, he found a river of information. Suddenly, I realized I was no longer having dinner with a heavy-equipment operator; I was dining with an avid student of Einstein, Hawking, and Sagan. His talk was so riveting that I went away hungry for lack of having eaten.

So this much is true: The Internet is an incredible resource for information. However, it is also an incredible resource for communication and basic human networking. Networking from a human standpoint is different from computer networking; human networking contains an added ingredient called action. Thus, individuals from all over the world are organizing (or I should say, crystallizing) into groups with shared interests. Women are organizing for equality, voters are organizing for representation, and parents are organizing for legislation to protect their children.

Inherent within this process is the exchange of opinions, or more aptly put, ideology. Ideology of any sort is bound to bring controversy, and controversy brings disagreement. Whether that disagreement occurs between two nations or between two individuals is irrelevant. When it occurs on the Internet, it often degenerates into warfare. That is what this chapter is about.

Much like the term information warfare, the term Internet warfare is often misunderstood. To understand Internet warfare, you must know that there are different classifications of it. Let's start with those classifications. From there, we can discuss warfare at its most advanced levels. The classifications are

More generally, Internet warfare is activity in which one or more participants utilize tools over the Internet to attack another or the information of another. The objective of the attack may be to damage information, hardware, or software, or to deny service. Internet warfare also involves any defensive action taken to repel such an attack.

Such warfare may be engaged in by anyone, including individuals, the general public, corporations, or governments. Between these groups, the level of technology varies (by technology, I am referring to all aspects of the tools required, including high-speed connections, software, hardware, and so forth). In general, the level of technology follows an upward path, as expressed in Figure 8.1.

Figure 8.1.
The level of technology in Internet warfare.


NOTE: The categories Public and Individual may seem confusing. Why are they not included together? The reason is this: A portion of the public fails to meet the requirements for either corporate forces or individuals. This portion is composed of middle-level businesses, ISPs, universities, and so on. These groups generally have more technologically advanced tools than individuals, and they conduct warfare in a different manner.

As you might guess, there are fundamental reasons for the difference between these groups and the tools that they employ. These reasons revolve around economic and organizational realities. The level of technology increases depending upon certain risks and demands regarding security. This is graphically illustrated in Figure 8.2.

Figure 8.2.
Risks and demands as they relate to various levels of technology.

Naturally, government and corporate entities are going to have more financial resources to acquire tools. These tools will be extremely advanced, created by vendors who specialize in high-performance, security-oriented applications. Such applications are generally more reliable than average tools, having been tested repeatedly under a variety of conditions. Except in extreme cases (those where the government is developing methods of destructive data warfare for use against foreign powers), nearly all of these tools will be defensive in character.

Public organizations tend to use less powerful tools. These tools are often shareware or freeware, which is freely available on the Internet. Much of this software is designed by graduate students in computer science. Other sources include companies that also sell commercial products, but are giving the Internet community a little taste of the quality of software available for sale. (Many companies claim to provide these tools out of the goodness of their hearts. Perhaps. In any event, provide them they do, and that is sufficient.) Again, nearly all of these tools are defensive in character.

Private individuals use whatever they come across. This may entail shareware or freeware, programs they use at work, or those that have been popularly reviewed at sites of public interest.

The Private Individual

The private individual doesn't usually encounter warfare (at least, not the average user). When one does, it generally breaks down to combat with another user. This type of warfare can be anticipated and, therefore, avoided. When a debate on the Net becomes heated, you may wish to disengage before warfare erupts. Although it has been said a thousand times, I will say it again: Arguments appear and work differently on the Internet than in person. E-mail or Usenet news messages are delivered in their entirety, without being interrupted by points made from other individuals. That is, you have ample time to write your response. Because you have that time, you might deliver a more scathing reply than you would in person. Moreover, people say the most outrageous things when hiding behind a computer, things they would never utter in public. Always consider these matters. That settled, I want to examine a few tools of warfare between individuals.

The E-Mail Bomb

The e-mail bomb is a simple and effective harassment tool. A bomb attack consists of nothing more than sending the same message to a targeted recipient over and over again. It is a not-so-subtle form of harassment that floods an individual's mailbox with junk.

Depending upon the target, a bomb attack could be totally unnoticeable or a major problem. Some people pay for their mail service (for example, after exceeding a certain number of messages per month, they must pay for additional e-mail service). To these individuals, an e-mail bomb could be costly. Other individuals maintain their own mail server at their house or office. Technically, if they lack storage, one could flood their mailbox and therefore prevent other messages from getting through. This would effectively result in a denial-of-service attack. (A denial-of-service attack is one that degrades or otherwise denies computer service to others. This subject is discussed in Chapter 14, "Destructive Devices.") In general, however, a bomb attack (which is, by the way, an irresponsible and childish act) is simply annoying. Various utilities available on the Internet will implement such an attack.

One of the most popular utilities for use on the Microsoft Windows platform is Mail Bomber. It is distributed in a file called bomb02.zip and is available at many cracker sites across the Internet. The utility is configured via a single screen of fields into which the user enters relevant information, including target, mail server, and so on (see Figure 8.3).

Figure 8.3.
The Mail Bomber application.

The utility works via Telnet. It contacts port 25 of the specified server and generates the mail bomb. Utilities like this are commonplace for nearly every platform. Some are for use anywhere on any system that supports SMTP servers. Others are more specialized, and may only work on systems like America Online. One such utility is Doomsday, which is designed for mass mailings over AOL but is most commonly used as an e-mail bomber. The entire application operates from a single screen interface, shown in Figure 8.4.

Figure 8.4.
The Doomsday mail bomber.


NOTE: For several years, the key utility for AOL users was AOHELL, which included in its later releases a mail-bomb generator. AOHELL started as a utility used to unlawfully access America Online. This, coupled with other utilities such as credit-card number generators, allowed users to create free accounts using fictitious names. These accounts typically expired within two to three weeks.

On the UNIX platform, mail bombing is inanely simple; it can be accomplished with just a few lines. However, one wonders why someone skilled in UNIX would even entertain the idea. Nevertheless, some do; their work typically looks something like this:

#!/bin/perl
$mailprog = '/usr/lib/sendmail';
$recipient = 'victim@targeted_site.com';
$variable_initialized_to_0 = 0;
while ($variable_initialized_to_0 < 1000) {
    open (MAIL, "|$mailprog $recipient") || die "Can't open $mailprog!\n";
    print MAIL "You Suck!";
    close(MAIL);
    sleep 3;
    $variable_initialized_to_0++;
}

The above code is fairly self-explanatory. It initializes a variable to 0, then specifies that as long as that variable is less than the value 1000, mail should be sent to the targeted recipient. For each time this program goes through the while loop, the variable called $variable_initialized_to_0 is incremented. In short, the mail message is sent 999 times.

Mail bombing is fairly simple to defend against: Simply place the mailer's identity in a kill or bozo file. This alerts your mail package that you do not want to receive mail from that person. Users on platforms other than UNIX may need to consult their mail applications; most of them include this capability.

UNIX users can find a variety of sources online. I also recommend a publication that covers construction of intelligent kill file mechanisms: Teach Yourself the UNIX Shell in 14 Days by David Ennis and James Armstrong Jr. (Sams Publishing). Chapter 12 of that book contains an excellent script for this purpose. If you are a new user, that chapter (and in fact, the whole book) will serve you well. (Moreover, users who are new to UNIX but have recently been charged with occasionally using a UNIX system will find the book very informative.)
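A kill-file filter of the kind described above, with a rate check added so that a bomb run is caught even before the sender is on the list (example code added here, not from the book; the kill-file format, the sample messages and the five-identical-messages-in-ten-minutes threshold are all constructed):

```python
import email
import fnmatch
import hashlib
from collections import defaultdict
from datetime import timedelta
from email.utils import parseaddr, parsedate_to_datetime

# Constructed kill file (the "bozo list" idea from the text): one sender
# pattern per line, shell-style globs allowed, '#' starts a comment.
KILL_FILE = """
# senders whose mail is dropped unread
bozo@example.net
*@spamhaus-of-bob.example
"""


def load_killfile(text):
    """Return the lowercased sender patterns from a kill file, minus comments."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            patterns.append(line)
    return patterns


def sender_of(msg):
    """Address part of the From header, lowercased ('' when missing)."""
    return parseaddr(msg.get("From", ""))[1].lower()


def is_killed(msg, patterns):
    """True when the sender matches any kill-file pattern."""
    addr = sender_of(msg)
    return any(fnmatch.fnmatchcase(addr, p) for p in patterns)


def body_digest(msg):
    """SHA-256 of the normalised body, so repeated texts compare equal."""
    payload = msg.get_payload(decode=True) or b""
    return hashlib.sha256(payload.strip().lower()).hexdigest()


def detect_bombers(msgs, threshold=5, window=timedelta(minutes=10)):
    """Senders that delivered >= threshold identical bodies inside one window.

    A bomb in the text's sense is one message repeated over and over, so
    the key is (sender, body digest) and the dates are checked across a
    sliding window of `threshold` consecutive messages.
    """
    stamps_by_key = defaultdict(list)
    for msg in msgs:
        try:
            when = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # undated mail cannot be rate-checked
        stamps_by_key[(sender_of(msg), body_digest(msg))].append(when)
    bombers = set()
    for (addr, _), stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                bombers.add(addr)
                break
    return bombers


def filter_mailbox(raw_messages, killfile_text, threshold=5):
    """Split raw RFC 822 texts into (delivered, killed, bombers)."""
    patterns = load_killfile(killfile_text)
    msgs = [email.message_from_string(raw) for raw in raw_messages]
    bombers = detect_bombers(msgs, threshold)
    delivered, killed = [], []
    for msg in msgs:
        if is_killed(msg, patterns) or sender_of(msg) in bombers:
            killed.append(msg)
        else:
            delivered.append(msg)
    return delivered, killed, bombers


def make_message(sender, subject, body, second):
    """Constructed RFC 822 message stamped at 12:00:<second> on 1 Mar 1997."""
    return (f"From: {sender}\r\nTo: victim@targeted_site.com\r\n"
            f"Subject: {subject}\r\n"
            f"Date: Sat, 01 Mar 1997 12:00:{second:02d} +0000\r\n\r\n{body}\r\n")


# Constructed sample mailbox: a bomb run (same body every 3 seconds, like
# the script's `sleep 3`), one legitimate message, one kill-file sender.
SAMPLE = [make_message("bomber@example.org", "hi", "You Suck!", s)
          for s in range(0, 18, 3)]
SAMPLE.append(make_message("alice@example.org", "lunch?", "Noon at the usual place.", 20))
SAMPLE.append(make_message("bozo@example.net", "buy now", "Great offer inside.", 25))

if __name__ == "__main__":
    delivered, killed, bombers = filter_mailbox(SAMPLE, KILL_FILE)
    print("bombers:", sorted(bombers))
    print("delivered:", [sender_of(m) for m in delivered])
    print("killed:", len(killed))
```

The rate check is deliberately keyed on the message body as well as the sender, so a correspondent who legitimately writes often is not mistaken for a bomber.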

Oh yes. For those of you who are seriously considering wholesale e-mail bombings as a recreational exercise, you had better do it from a cracked mail server. A cracked mail server is one that the cracker currently has control of; it is a machine running sendmail that is under the control of the cracker.

If not, you may spend some time behind bars. One individual bombed Monmouth University in New Jersey so aggressively that the mail server temporarily died. This resulted in an FBI investigation, and the young man was arrested. He is reportedly facing several years in prison.

I hope that you refrain from this activity. Because e-mail bombing is so incredibly simple, even crackers cast their eyes down in embarrassment and disappointment if a comrade implements such an attack.

List Linking

List linking is becoming increasingly common. The technique yields the same basic results as an e-mail bomb, but it is accomplished differently. List linking involves enrolling the target in dozens (sometimes hundreds) of e-mail lists.

E-mail lists (referred to simply as lists) are distributed e-mail message systems. They work as follows: On the server that provides the list service, an e-mail address is established. This e-mail address is really a pointer to an executable program. This program is a script or binary file that maintains a database (usually flat file) of e-mail addresses (the members of the list). Whenever a mail message is forwarded to this special e-mail address, the text of that message is forwarded to all members on the list (all e-mail addresses held in the database). These are commonly used to distribute discussions on various topics of interest to members.

E-mail lists generate a lot of mail. For example, the average list generates 30 or so messages per day. These messages are received by each member. Some lists digest the messages into a single-file format. This works as follows: As each message comes in, it is appended to a plain text file of all messages forwarded on that day. When the day ends (this time is determined by the programmer), the entire file--with all appended messages--is mailed to members. This way, members get a single file containing all messages for the day.

Enrolling a target in multiple mailing lists is accomplished in one of two ways. One is to do it manually. The harassing party goes to the WWW page of each list and fills in the registration forms, specifying the target as the recipient or new member. This works for most lists because programmers generally fail to provide an authentication routine. (One wonders why. It is relatively simple to get the user's real address and compare it to the one he or she provides. If the two do not match, the entire registration process could be aborted.)

Manually entering such information is absurd, but many individuals do it. Another and more efficient way is to register via fakemail. You see, most lists allow for registration via e-mail. Typically, users send their first message to an e-mail address such as this one:

list_registration@listmachine.com

Any user who wants to register must send a message to this address, including the word subscribe in either the subject line or body of the message. The server receives this message, reads the provided e-mail address in the From field, and enrolls the user. (This works on any platform because it involves nothing more than sending a mail message purporting to be from this or that address.)

To sign up a target to lists en masse, the harassing party first generates a flat file of all list-registration addresses. This is fed to a mail program. The mail message--in all cases--is purportedly sent from the target's address. Thus, the registration servers receive a message that appears to be from the target, requesting registration to the list.

This technique relies on the forging of an e-mail message (or generating fakemail). Although this is explained elsewhere, I should relate something about it here. To forge mail, one sends raw commands to a sendmail server. This is typically found on port 25 of the target machine. Forging techniques work as follows: You Telnet to port 25 of a UNIX machine. There, you begin a mail session with the command HELO. After you execute that command, the session is open. You then specify the FROM address, providing the mail server with a bogus address (in this case, the target to be list-linked). You also add your recipient and the message to be sent. For all purposes, mail list archives believe that the message came from its purported author.
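The authentication routine the text says list programmers usually omit, written as an added example that is not part of the book or any real list manager: a hypothetical list server answers every subscribe request with a random token mailed to the claimed address and enrols only when that token comes back from the same address, so a subscribe message with a forged From header cannot enrol its victim. The status strings, token lifetime and sample addresses are my own assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class ListServer:
    """Subscribe handler for a hypothetical list server with confirmed opt-in."""
    members: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # token -> (address, expiry)
    outbox: list = field(default_factory=list)   # constructed log of mail sent
    ttl: int = 24 * 3600                          # seconds a token stays valid

    def handle(self, from_addr, subject, body, now=None):
        """Process one message sent to the list's request address.

        `from_addr` is whatever the From header claims; it is never trusted
        on its own. Returns a short status string.
        """
        now = time.time() if now is None else now
        from_addr = from_addr.strip().lower()
        words = f"{subject} {body}".strip().split(None, 1)
        cmd = words[0].lower() if words else ""
        arg = words[1].strip() if len(words) > 1 else ""
        if cmd == "subscribe":
            return self._challenge(from_addr, now)
        if cmd == "confirm" and arg:
            return self._confirm(from_addr, arg, now)
        return "ignored"

    def _challenge(self, address, now):
        # A forged request only causes one confirmation mail to go to the
        # claimed address; the attacker cannot read that mailbox, never sees
        # the token, and the target is not enrolled.
        token = secrets.token_urlsafe(24)
        self.pending[token] = (address, now + self.ttl)
        self.outbox.append((address, f"confirm {token}"))
        return "challenge-sent"

    def _confirm(self, sender, token, now):
        # Tokens are one-shot and compared in constant time.
        if not token.isascii():
            return "unknown-token"
        for stored, (address, expiry) in list(self.pending.items()):
            if hmac.compare_digest(stored, token):
                del self.pending[stored]
                if now > expiry:
                    return "expired"
                if address != sender:
                    return "address-mismatch"
                self.members.add(address)
                return "subscribed"
        return "unknown-token"


def demo():
    """Forged subscribe for a target versus a genuine subscribe-and-confirm."""
    srv = ListServer()
    # Attacker sends 'subscribe' with From: forged as the target.
    forged = srv.handle("target@example.org", "subscribe", "")
    # Only the target's mailbox receives the token; a guess does not confirm.
    guessed = srv.handle("target@example.org", "",
                         "confirm " + secrets.token_urlsafe(24))
    # Genuine user: subscribe, read the token from the confirmation mail, reply.
    srv.handle("alice@example.org", "subscribe", "")
    token = srv.outbox[-1][1].split()[1]
    genuine = srv.handle("alice@example.org", "", f"confirm {token}")
    return forged, guessed, genuine, sorted(srv.members)


if __name__ == "__main__":
    print(demo())
```

A list-linking run against such a server still sends the target one confirmation request per list, but none of the subscriptions takes effect and nothing needs to be unsubscribed afterwards.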

It takes about 30 seconds to register a target with 10, 100, or 500 lists. What is the result? Ask the editorial offices of Time magazine.

On March 18, 1996, Time published an article titled "I'VE BEEN SPAMMED!" The story concerned a list-linking incident involving the President of the United States, two well-known hacking magazines, and a senior editor at Time. Apparently, a member of Time's staff was list-linked to approximately 1,800 lists. Reportedly, the mail amounted to some 16MB. It was reported that House Leader Newt Gingrich had also been linked to the lists. Gingrich, like nearly all members of Congress, had an auto-answer script on his e-mail address. These trap e-mail addresses contained in incoming messages and send automated responses. (Congressional members usually send a somewhat generic response, such as "I will get back to you as soon as possible and appreciate your support.") Thus, Gingrich's auto-responder received and replied to each and every message. This only increased the number of messages he would receive, because for each time he responded to a mailing list message, his response would be appended to the outgoing messages of the mailing list. In effect, the Speaker of the House was e-mail bombing himself.

For inexperienced users, there is no quick cure for list linking. Usually, they must send a message containing the string unsubscribe to each list. This is easily done in a UNIX environment, using the method I described previously to list-link a target wholesale. However, users on other platforms require a program (or programs) that can do the following:

There are other ways to make a target the victim of an e-mail bomb, even without using an e-mail bomb utility or list linking. One is particularly insidious. It is generally seen only in instances where there is extreme enmity between two people who publicly spar on the Net. It amounts to this: The attacker posts to the Internet, faking his target's e-mail address. The posting is placed into a public forum in which many individuals can see it (Usenet, for example). The posting is usually so offensive in text (or graphics) that other users, legitimately and genuinely offended, bomb the target. For example, Bob posts to the Net, purporting to be Bill. In "Bill's" post, an extremely racist message appears. Other users, seeing this racist message, bomb Bill.

Finally, there is the garden-variety case of harassment on the Internet. This doesn't circumvent either security or software, but I could not omit mention of it. Bizarre cases of Internet harassment have arisen in the past. Here are a few:

These cases pop up with alarming frequency. Some have been racially motivated, others have been simple harassment. Every user should be aware that anyone and everyone is a potential target. If you use the Internet, even if you haven't published your real name, you are a viable target, at least for threatening e-mail messages.

Internet Relay Chat Utilities

Many Internet enthusiasts are unfamiliar with Internet Relay Chat (IRC). IRC is an arcane system of communication that resembles bulletin board systems (BBSs). IRC is an environment in which many users can log on and chat. That is, messages typed on the local machine are transmitted to all parties within the chat space. These scroll down the screen as they appear, often very quickly.

This must be distinguished from chat rooms that are provided for users on systems such as AOL. IRC is Internet-wide and is free to anyone with Internet access. It is also an environment that remains the last frontier of the lawless Internet.

The system works as follows: Using an IRC client, the user connects to an IRC server, usually a massive and powerful UNIX system in the void. Many universities provide IRC servers.


Cross Reference: The ultimate list of the world's IRC servers can be found at http://www.webmaster.com/webstrands/resources/irc/#List of Servers.

Once attached to an IRC server, the individual specifies the channel to which he or she wishes to connect. The names of IRC channels can be anything, although the established IRC channels often parallel the names of Usenet groups. These names refer to the particular interest of the users that frequent the channel. Thus, popular channels are

There are thousands of established IRC channels. What's more, users can create their own. In fact, there are utilities available for establishing a totally anonymous IRC server (this is beyond the scope of this discussion). Such programs do not amount to warfare, but flash utilities do. Flash utilities are designed to do one of two things:

Flash utilities are typically small programs written in C, and are available on the Internet at many cracking sites. They work by forwarding a series of special-character escape sequences to the target. These character sequences flash, or incapacitate, the terminal of the target. In plain talk, this causes all manner of strange characters to appear on the screen, forcing the user to log off or start another session. Such utilities are sometimes used to take over an IRC channel. The perpetrator enters the channel and flashes all members who are deemed to be vulnerable. This temporarily occupies the targets while they reset their terminals.
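A display-side defence against flash payloads, added here as an example (not from the book or any IRC client): strip terminal escape sequences and render any stray control characters visibly before a chat line reaches the terminal, while letting IRC's own formatting bytes through silently. The regular expressions, thresholds and sample lines are my own assumptions.

```python
import re

# Terminal escape sequences that a flash payload relies on:
#  CSI (ESC [ params intermediates final), its 8-bit form (0x9B ...),
#  OSC (ESC ] text BEL|ST), and any other ESC-introduced sequence such as
#  ESC c (full reset) or ESC ( 0 (switch to the line-drawing charset).
_TERM_ESCAPES = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x9b[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[ -/]*[0-~]"
)
# IRC's own formatting bytes (colour with optional fg[,bg], bold, reset,
# reverse, underline, italic) are legitimate and are removed silently.
_IRC_FORMAT = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1f\x1d]")


def _caret(ch):
    """Visible form of a control character: ^A for 0x01, ^? for DEL, \\x85 for C1."""
    code = ord(ch)
    if code < 0x20 or code == 0x7f:
        return "^" + chr(code ^ 0x40)
    return "\\x%02x" % code


def sanitize_line(text):
    """Return (display_text, escapes_removed) for one incoming chat line.

    Escape sequences are deleted; lone control characters that survive are
    rendered in caret notation, so the terminal never interprets anything
    the remote user typed.
    """
    text = _IRC_FORMAT.sub("", text)
    text, removed = _TERM_ESCAPES.subn("", text)
    out = []
    for ch in text:
        code = ord(ch)
        if ch == "\t" or 0x20 <= code < 0x7f or code >= 0xa0:
            out.append(ch)
        else:
            out.append(_caret(ch))
    return "".join(out), removed


def looks_like_flash(text, threshold=3):
    """Heuristic: a line carrying several terminal escapes is a flash attempt."""
    return len(_TERM_ESCAPES.findall(text)) >= threshold


# Constructed samples: a hostile line (reset, clear screen, reverse video,
# charset switch, bell, window-title change) and an ordinary formatted line.
FLASH_SAMPLE = "\x1bc\x1b[2J\x1b[?5h\x1b(0hello\x07\x1b]0;owned\x07"
IRC_FORMAT_SAMPLE = "\x02bold\x02 and \x0304red\x03 text"

if __name__ == "__main__":
    for line in (FLASH_SAMPLE, IRC_FORMAT_SAMPLE):
        print(sanitize_line(line), looks_like_flash(line))
```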

By far, the most popular flash utility is called flash. It is available at hundreds of sites on the Internet. For those curious about how the code is written, enter one or all of these search strings into any popular search engine:

flash.c
flash.c.gz
flash.gz
megaflash

Another popular utility is called nuke. This utility is far more powerful than any flash program. Rather than fiddle with someone's screen, it simply knocks the user from the server altogether. Note that using nuke on a wholesale basis to deny computer service to others undoubtedly amounts to unlawful activity. After some consideration, I decided that nuke did not belong on the CD-ROM that accompanies this book. However, for those determined to get it, it exists in the void. It can be found by searching for the filename nuke.c.

There are few other methods by which one can easily reach an individual. The majority of these require some actual expertise on the part of the attacker. In this class are the following methods of attack:

Although these are extensively covered later in this book, I want to briefly treat them here. They are legitimate concerns and each user should be aware of these actual dangers on the Net.

Virus Infections and Trojan Horses

Virus attacks over the Internet are rare but not unheard of. The primary place that such attacks occur is the Usenet news network. You will read about Usenet in the next section. Here, I will simply say this: Postings to Usenet can be done relatively anonymously. Much of the information posted in Usenet these days involves pornography, files on cracking, or other potentially unlawful or underground material. This type of material strongly attracts many users and as such, those with malicious intent often choose to drop their virus in this network.

Commonly, viruses or malicious code masquerade as legitimate files or utilities that have been zipped (compressed) and released for general distribution. It happens. Examine this excerpt from a June 6, 1995 advisory from the Computer Incident Advisory Capability Team at the U.S. Department of Energy:

A trojaned version of the popular, DOS file-compression utility PKZIP is circulating on the networks and on dial-up BBS systems. The trojaned files are PKZ300B.EXE and PKZ300B.ZIP. CIAC verified the following warning from PKWARE:

"Some joker out there is distributing a file called PKZ300B.EXE and PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your hard drive if you use it. The most recent version is 2.04G. Please tell all your friends and favorite BBS stops about this hack.

"PKZ300B.EXE appears to be a self extracting archive, but actually attempts to format your hard drive. PKZ300B.ZIP is an archive, but the extracted executable also attempts to format your hard drive. While PKWARE indicated the trojan is real, we have not talked to anyone who has actually touched it. We have no reports of it being seen anywhere in the DOE.

"According to PKWARE, the only released versions of PKZIP are 1.10, 1.93, 2.04c, 2.04e and 2.04g. All other versions currently circulating on BBSs are hacks or fakes. The current version of PKZIP and PKUNZIP is 2.04g."

That advisory was issued very quickly after the first evidence of the malicious code was discovered. At about the same time, a rather unsophisticated (but nevertheless destructive) virus called Caibua was released on the Internet. Many users were infected. The virus, under certain conditions, would overwrite the default boot drive.


Cross Reference: Virus attacks and defenses against them are discussed in Chapter 14, "Destructive Devices." However, I highly recommend that all readers bookmark http://ciac.llnl.gov/ciac/CIACVirusDatabase.html. This site is one of the most comprehensive virus databases on the Internet and an excellent resource for learning about various viruses that can affect your platform.

Here's an interesting bit of trivia: If you want to be virus-free, use UNIX as your platform. According to the CIAC, there has only been one recorded instance of a UNIX virus, and it was created purely for research purposes. It was called the AT&T Attack Virus.


Cross Reference: If you want to see an excellent discussion about UNIX and viruses, check out "The Plausibility of UNIX Virus Attacks" by Peter V. Radatti at http://www.cyber.com/papers/plausibility.html.

Radatti makes a strong argument for the plausibility of a UNIX virus. However, it should be noted that virus authors deem UNIX a poor target platform because of access-control restrictions. It is felt that such access-control restrictions prevent the easy and fluid spread of the virus, containing it in certain sectors of the system. Therefore, for the moment anyway, UNIX platforms have little to fear from virus authors around the world.

Nonetheless, as I discuss in Chapter 14, at least one virus for Linux has been confirmed. This virus is called Bliss. Reports on Bliss at the time of this writing are sketchy. There is some argument on the Internet as to whether Bliss qualifies more as a trojan, but the majority of reports suggest otherwise. Furthermore, it is reported that it compiles cleanly on other UNIX platforms.


Cross Reference: The only known system tool that checks for Bliss infection was written by Alfred Huger and is located at ftp://ftp.secnet.com/pub/tools/abliss.tar.gz.


NOTE: There is some truth to the assertion that many viruses are written overseas. The rationale for this is as follows: Many authorities feel that authors overseas may not be compensated as generously for their work and they therefore feel disenfranchised. Do you believe it? I think it's possible.

In any event, all materials downloaded from a nontrusted source should be scanned for viruses. The best protection is a virus scanner; there are many for all personal computer platforms. Even though this subject is covered extensively later, Table 8.1 shows a few.

Table 8.1. Virus scanners by platform.

Platform       Virus scanners
Windows/DOS    Thunderbyte, F-PROT, McAfee's Virus Scan, TBAV
Windows 95     McAfee's Virus Scan, Thunderbyte, Dr. Antivirus
Windows NT     Norton Antivirus, Sweep, NTAV, NT ViruScan, McAfee's Virus Scan
Macintosh      Gatekeeper, Disinfectant, McAfee's Virus Scan
OS/2           McAfee's Virus Scan

Malicious code is slightly different from a virus, but I want to mention it briefly (even though I cover malicious code extensively in Chapter 14). Malicious code can be defined as any programming code that is not a virus but that can do some harm, however insignificant, to a user's software.

Today, the most popular form of malicious code involves the use of black widow apps, or small, portable applications in use on the WWW that can crash or otherwise incapacitate your WWW browser. These are invariably written in scripting languages like JavaScript or VBScript. These tiny applications are embedded within the HTML code that creates any Web page. In general, they are fairly harmless and do little more than force you to reload your browser. However, there is some serious talk on the Net of such applications being capable of:

These claims are not fictional. The programming expertise required to wreak this havoc is uncommon in prankster circles. However, implementing such apps is difficult and risky because their origin can be easily traced in most instances. Moreover, evidence of their existence is easily obtained simply by viewing the source code of the host Web page. However, if such applications were employed, they would be employed more likely with Java, or some other compiled language.

In any event, such applications do exist. They pose more serious risks to those using networked operating systems, particularly if the user is browsing the Web while logged into an account that has special privileges (such as root, supervisor, or administrator). These privileges give one great power to read, write, alter, list, delete, or otherwise tamper with special files. In these instances, if the code bypasses the browser and executes commands, the commands will be executed with the same privileges as the user. This could be critical and perhaps fatal to the system administrator. (Not physically fatal, of course. That would be some incredible code!)

Cracking

Cracking an individual is such a broad subject that I really cannot cover it here. Individuals use all kinds of platforms, and to insert a "cracking the individual" passage here would defeat the purpose of this book (or rather, the whole book would have to appear in this chapter). I say this because throughout this book, I discuss cracking different platforms with different techniques and so on. However, I will make a general statement here:

Users who surf using any form of networked operating system are viable targets. So there is no misunderstanding, let me identify those operating systems:

If you are connected to the Net with such an operating system, you are a potential target of an online crack. Much depends on what services you are running, but be assured: If you are running TCP/IP as a protocol, you are a target. Equally, those Windows 95 users who share out directories are also targets. (I discuss this in detail in Chapter 16, "Microsoft," but briefly, shared out directories are those that allow file sharing across a network.)

The Public and Corporations

This section starts with the general public. The general public is often a target of Internet warfare, though most Internet users may remain unaware of this. Attacks against the general public most often occur on the Usenet news network. I want to briefly describe what Usenet is, for many users fail to discover Usenet news even after more than a year of Internet use. In that respect, Usenet news is much like IRC. It is a more obscure area of the Internet, accessible through browsers, but more commonly accessed through newsreaders. Some common newsreaders for various platforms are shown in Table 8.2.

Table 8.2. Newsreaders by platform.

Platform Newsreader
Windows Free Agent, WinVn, Smart Newsreader, Virtual Access, 32 bit News, SB Newsbot, News Xpress, Microsoft News
UNIX TRN, TIN, Pine, Xnews, Netscape Navigator, INN
Windows 95 Free Agent, WinVn, Smart Newsreader, Virtual Access, 32 bit News, SB Newsbot, News Xpress, Microsoft News
Windows NT Free Agent, WinVn, Smart Newsreader, Virtual Access, 32 bit News, SB Newsbot, News Xpress, Microsoft News
Macintosh Netscape Navigator, NewsWatcher, Cyberdog, Internews, Nuntius
OS/2 Newsbeat, Postroad

The interface of a typical newsreader includes a listing of the messages currently posted to the selected newsgroup. These messages are displayed for examination in the newsreader. For example, examine Figure 8.5, which shows a Free Agent session reviewing messages (or articles) posted to a Usenet group.

Figure 8.5.
A typical Usenet session using Free Agent by Forte.

Usenet news is basically a massive, public bulletin board system. On it, users discuss various topics of interest. They do this by posting messages to the system. These messages are saved and indexed with all messages on that topic. The totality of messages posted on a particular topic form a discussion thread. This thread is generally arranged chronologically. The typical progression is this:

1. One user starts a thread by posting a message.

2. Another user sees this message, disagrees with the original poster, and posts a rebuttal.

3. More users see this exchange and jump in on the action, either supporting or rebutting the original posts (and all subsequent ones).

If this sounds adversarial, it's because it is. Although peaceful Usenet discussions are common, it is more common to see arguments in progress.

In any event, Usenet messages are probably the most graphic example of free speech in America. One can openly express opinions on any subject. It is a right of all Internet users. Sometimes, however, others directly interfere with that right. For example, in September, 1996, someone erased approximately 27,000 messages posted by various ethnic groups and other interested parties. As Rory J. O'Connor of the Mercury News reported:

One of the more popular mass communication forms on the Internet was sabotaged last weekend, wiping clean dozens of public bulletin boards with tens of thousands of messages frequented by Jews, Muslims, feminists, and gays, among others.

This type of activity, called canceling, is common and, to date, there is no clear application of U.S. law to deal with it. For example, some legal experts are still debating whether this constitutes an offense as defined under current law. Offense under criminal law or not, it would appear that such activity could constitute a tort or civil wrong of some classification. For example, the Internet has not yet been the target of any lawsuit based on antitrust law. However, it would seem reasonable that antitrust claims (those alleging attempted restraint of interstate commerce) could apply. This is a question that will undoubtedly take a decade to sort out. For although the technology of the Internet moves quickly indeed, the legal system grinds ahead at a slow pace.

Canceling refers to the activity in which a user generates a cancel control message for a given Usenet article. A cancel is itself a tiny article carrying a Control: cancel <message-id> header; as it propagates from server to server, each server that honors it deletes its own copy of the named article, and so the article disappears from the Usenet network. This feature was added so that an author could withdraw a message he or she suddenly decided was inappropriate or had lost its value. The catch is that a cancel carries no authentication: at most, a server compares the From: or Sender: header of the cancel with that of the original article, and both are plain text that anyone can set. Whoever can post can therefore cancel anyone else's article by forging those headers. This is discussed more in Chapter 13, "Techniques to Hide One's Identity."


Cross Reference: If you are interested in cancel techniques and want to know more, there are several resources. First, the definitive document on what types of cancels are permitted is at http://www.math.uiuc.edu/~tskirvin/home/rfc1036b.

The FAQ about cancel messages is at http://www.lib.ox.ac.uk/internet/news/faq/archive/usenet.cancel-faq.part1.html.


Cancel techniques are often used against advertisers who attempt to flood the Usenet network with commercial offerings (this activity is referred to as spamming). Such advertisers typically use commercial software designed to make Usenet postings en masse. This is required for the task, as there are over 20,000 Usenet groups to date. To target each one would be no less laborious than mailing 20,000 e-mail messages. Thus, mass-posting utilities are becoming the latest hot item for commercial advertisers. Alas, they may be wasting their money.

Several individuals skilled in Internet programming have created cancelbots. Anyone can issue a cancel by hand for a single message, but doing so for thousands of postings is impractical. A cancelbot is a robot, an automated program that reads the news stream, searches for articles that fit programmer-defined criteria, and issues a cancel for each one, so thousands of messages can be canceled without human intervention.

In the past, these utilities have been used primarily by purists who disapprove of commercialization of the Net. They chiefly target advertisers who fail to observe good Netiquette. The Usenet community has traditionally supported such efforts. However, a new breed of canceler is out there: This breed cancels out of hatred or intolerance, and the phenomenon is becoming more prevalent. In fact, cancelbots are just the tip of the iceberg.

Many special-interest groups take their battles to the Net, and cancel messaging is one weapon they often use. For example, consider the debate over Scientology. The Church of Scientology is a large and influential organization. Many people question the validity of the Scientologist creed and belief. In the past few years, several open wars have erupted on the Usenet network between Scientologists and their critics. (The Usenet group in question here is alt.religion.scientology.) These wars were attended by some fairly mysterious happenings. At one stage of a particularly ugly struggle, when the Scientologists seemed overwhelmed by their sparring partners, a curious thing happened:

And thus it was that in late 1994, postings began to vanish from alt.religion.scientology, occasionally with an explanation that the postings had been "canceled because of copyright infringement." To this day, it is not known who was behind the deployment of these "cancelbots," as they are known. Again, the CoS disclaimed responsibility, and the anti-Scientology crowd began to refer to this anonymous participant simply as the "Cancel-bunny," a tongue-in-cheek reference to both the Energizer bunny and to a well-known Net inhabitant, the Cancelmoose, who has taken it upon himself (itself?, themselves?) to set up a cancelbot-issuing process to deal with other kinds of spamming incidents. But whoever or whatever the Cancelbunny may be, its efforts were quickly met by the development of yet another software weapon, appropriately dubbed "Lazarus," that resurrects canceled messages (or, more accurately, simply alerts the original poster, and all other participants in the newsgroup, that a specific message has been canceled, leaving it up to the original poster to reinstate the message if he or she were not the party that issued the cancel command).1


1"The First Internet War; The State of Nature and the First Internet War: Scientology, its Critics, Anarchy, and Law in Cyberspace." David G. Post, Reason magazine. April, 1996. (Copyright trailer follows: (c) 1996 David G. Post. Permission granted to redistribute freely, in whole or in part, with this notice attached.)

The controversy between the Scientologists and their critics was indeed the first war on the Internet. That war isn't over yet, either. Unfortunately for all parties concerned, the war wafted out of cyberspace and into courts in various parts of the world. In short, warring in cyberspace simply wasn't satisfying enough. The combatants have therefore taken to combat in the real world.
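To make the cancel mechanism described earlier, and the Lazarus program mentioned in the quotation, concrete, here is an added example. It is not code from the book, from Lazarus, or from any news server; it shows the only check a server of that era could make on a cancel (does the cancel's From: or Sender: header match the article's?) and why that check is worthless against a forger who simply copies the header. The articles, addresses, message IDs, and Path: lines are all constructed for this example.

```python
# Added example (not code from the book): how a server matches a Usenet
# cancel control message against the article it names, and the Lazarus-style
# notice that records that something was canceled. All articles below are
# constructed; addresses, message IDs and Path: lines are hypothetical.
from email.parser import HeaderParser
from email.utils import parseaddr

ORIGINAL = """\
Path: news.example.net!not-for-mail
From: alice@example.net (Alice)
Newsgroups: alt.religion.scientology
Subject: A critical post
Message-ID: <1234@example.net>
Date: 12 Nov 1994 10:00:00 GMT

Body of the article.
"""

# Cancel issued by the author herself.
CANCEL_BY_AUTHOR = """\
Path: news.example.net!not-for-mail
From: alice@example.net (Alice)
Newsgroups: alt.religion.scientology
Subject: cmsg cancel <1234@example.net>
Control: cancel <1234@example.net>
Message-ID: <cancel.1234@example.net>

Cancelled by author.
"""

# Third-party cancel that does not hide who sent it.
CANCEL_THIRD_PARTY = """\
Path: other.example.org!not-for-mail
From: bunny@example.org (Cancel-bunny)
Newsgroups: alt.religion.scientology
Subject: cmsg cancel <1234@example.net>
Control: cancel <1234@example.net>
Message-ID: <cancel.a@example.org>

Cancelled because of copyright infringement.
"""

# Forged cancel: the From: header is simply copied from the original.
CANCEL_FORGED = """\
Path: other.example.org!not-for-mail
From: alice@example.net (Alice)
Newsgroups: alt.religion.scientology
Subject: cmsg cancel <1234@example.net>
Control: cancel <1234@example.net>
Message-ID: <cancel.b@example.org>

Cancelled because of copyright infringement.
"""


def parse_headers(text):
    return HeaderParser().parsestr(text, headersonly=True)


def poster(msg):
    """The address a server compares: Sender: if present, otherwise From:."""
    return parseaddr(msg.get("Sender") or msg.get("From", ""))[1].lower()


def cancel_target(msg):
    """Message-ID named by a 'Control: cancel <id>' header, or None."""
    parts = msg.get("Control", "").split()
    if len(parts) == 2 and parts[0].lower() == "cancel":
        return parts[1]
    return None


class NewsSpool:
    """Minimal spool keyed by Message-ID. verify_sender=True is the
    strongest check available to a 1990s server: header equality."""

    def __init__(self, verify_sender=True):
        self.verify_sender = verify_sender
        self.articles = {}
        self.notices = []   # Lazarus-style alerts, one per applied cancel

    def post(self, text):
        msg = parse_headers(text)
        self.articles[msg["Message-ID"]] = msg

    def cancel(self, text):
        """Apply a cancel; return True if the article was removed."""
        cmsg = parse_headers(text)
        target = cancel_target(cmsg)
        if target is None or target not in self.articles:
            return False
        original = self.articles[target]
        if self.verify_sender and poster(cmsg) != poster(original):
            return False
        # Lazarus cannot tell a forged cancel from a genuine one; it can only
        # report the cancel (and the Path: it arrived by) so the poster can repost.
        self.notices.append({
            "message_id": target,
            "original_poster": poster(original),
            "cancel_from": poster(cmsg),
            "cancel_path": cmsg.get("Path", ""),
        })
        del self.articles[target]
        return True


def demo():
    """Outcome of each cancel against a server that verifies the sender."""
    results = {}
    for name, text in [("author", CANCEL_BY_AUTHOR),
                       ("third_party", CANCEL_THIRD_PARTY),
                       ("forged", CANCEL_FORGED)]:
        spool = NewsSpool(verify_sender=True)
        spool.post(ORIGINAL)
        results[name] = spool.cancel(text)
    return results
```

Run demo() and the verifying server rejects the honest third-party cancel but accepts the forged one, because the forged cancel's From: is identical to Alice's. The only trace of the forgery is the Path: header showing the route the cancel arrived by, which is why a Lazarus-style notice records it and leaves the decision to repost with the original author.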


Cross Reference: If you are genuinely interested in this war, which is truly brutal, visit http://www.cybercom.net/~rnewman/scientology/home.html.

The Internet is an odd place, and there are many people there who want to harm each other. In this respect, the Internet is not radically different from reality. The problem is that on the Internet, these people can find each other without much effort. Furthermore, violent exchanges are almost always a public spectacle, and the Internet has no riot police. You have choices, and here they are:

I recommend a combination of the first and last options. That way, you are out of the line of fire. And if, for some inexplicable reason, someone pulls you into the line of fire, you can blow them right out of cyberspace.

Internet Service Providers

Internet service providers (ISPs) are the most likely to engage in warfare, immediately followed by universities. I want to address ISPs first. For our purposes, an ISP is any organization that provides Internet access service to the public or even to a limited class of users. This definition includes freenets, companies that provide access to their employees, and standard ISPs that provide such services for profit. Internet access service means any service that allows the recipient of such service to access any portion of the Internet, including but not limited to mail, Gopher, HTTP, Telnet, FTP, or other access by which the recipient of such services may traffic data of any kind to or from the Internet.

ISPs are in a unique position legally, commercially, and morally. They provide service and some measure of confidentiality to their users. In that process, they undertake a certain amount of liability. Unfortunately, the parameters of that liability have not yet been adequately defined in law. Is an ISP responsible for the content of its users' messages?

Suppose users are utilizing the ISP's drives to house a pirated software site. Is the ISP liable for helping facilitate criminal activity by failing to implement action against pirates?

If a cracker takes control of an ISP and uses it to attack another, is the first ISP liable? (Did it know or should it have known its security was lax and thus the damages of the victim were foreseeable?)

If a user retouches trademarked, copyrighted cartoon characters into pornographic representations and posts them on a Web page, is the ISP at fault?

These are questions that have yet to be answered. And from the first case where a plaintiff's attorneys manage to hoist that liability onto ISPs, the freedom of the Internet will begin to wither and die. These are not the only problems facing ISPs.

Because they provide Internet access services, they have one or more (usually thousands of) individuals logged into their home network. This presents a terrific problem: No matter how restrictive the policies of an ISP might be, its users will always have some level of privilege on the network. That is, its users must, at a minimum, have access to log in. Frequently, they have more.

Granted, with the advent of HTML browsers, the level of access of most users is now lower than in the past. In earlier years, users of an ISP's services would log in via Telnet. Thus, users were logged directly into the server and received shell access. From this point, such users were capable of viewing many different files and executing a variety of programs. Thus, for ISPs of the old days, internal threats were substantial. In contrast, most users today connect using some dial-up program that provides a PPP link between them and the ISP. The remaining navigation of the Internet is done through a browser, which often obviates the need for the user to use Telnet. Nevertheless, internal threats remain more common than any other type.

The majority of these threats are from small-time crackers looking to steal the local password files and gain some leverage on the system. However, there exists a real risk of attacks from the outside. Sometimes, for no particular reason, crackers may suddenly attack an ISP. Here are some recent examples:

Cybertown, a popular spot for Net surfers, was cracked. Crackers apparently seized control and replaced the attractive, friendly Web pages with their own. This same group of crackers reportedly later seized control of Rodney Dangerfield's site. Mr. Dangerfield, it seems, cannot get any respect, even on the Internet.

Universities are in exactly the same position. The only major difference is that universities have some extremely talented security enthusiasts working in their computer science labs. (Some of the higher-quality papers about security posted to the Internet have come from such students.)

These entities are constantly under attack and in a state of war. So what types of tools are they using to protect themselves? Not surprisingly, most of these tools are defensive in character. The majority, in fact, may do less to protect than to gather evidence. In other words, Big Brother is watching because crackers have forced him to do so.

The key utilities currently in use are logging utilities. These are relatively low-profile weapons in Internet warfare. They are the equivalent of security guards, and generally either alert the supervisor to suspicious activity or record the suspicious activity for later use. A few such utilities are listed in Table 8.3.

Table 8.3. Various logging and snooping utilities of interest.

Utility Function
L5 Scans either UNIX or DOS directory structures, recording all information about the files there. Used to detect suspicious file changes, files in restricted areas, or changes in file sizes (that is, to detect trojans).
Clog Listens to determine whether crackers (from the outside) are trying to find holes in the system.
LogCheck Automates log file analysis to determine whether system violations have occurred. It does this by scanning existing log files.
Netlog Listens and logs TCP/IP connections, searching for suspicious activity therein. This package is from Texas A&M University.
DumpACL Windows NT utility that formats important access-control information into convenient, readable formats for quick analysis of the system's security.
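The first entry in Table 8.3, L5, works by recording facts about every file and comparing a later pass against that record. As an added example (not the book's code and not L5's), here is that technique in Python: a baseline of size, permission bits, and SHA-256 digest for every regular file under a directory, a comparison that reports what was added, removed, or changed, and a demonstration of why a size-only record is not enough. The directory tree, file names, and contents are constructed in a temporary directory for the example.

```python
# Added example (not code from the book or from L5): a file-integrity check
# of the kind L5 performs. It records size, mode and a SHA-256 digest for
# every regular file under a directory and reports what changed. The sample
# tree is constructed in a temporary directory; names and contents are
# hypothetical stand-ins for real binaries and configuration files.
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, size_only=False):
    """Map relative path -> (size, mode, digest) for each regular file.
    size_only=True mimics tools that compare sizes but never hash."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue   # skip symlinks, devices, sockets
            rel = os.path.relpath(path, root)
            digest = None if size_only else sha256_of(path)
            table[rel] = (st.st_size, stat.S_IMODE(st.st_mode), digest)
    return table


def compare(baseline, current):
    """Report files added, removed, or changed since the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def _write(path, data, mode=0o755):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Plant a same-size trojan and a stray file; compare both methods."""
    with tempfile.TemporaryDirectory() as root:
        login = os.path.join(root, "bin", "login")
        _write(login, b"REAL LOGIN v1\n")                       # stand-in for a binary
        _write(os.path.join(root, "etc", "passwd"),
               b"root:x:0:0::/:/bin/sh\n", 0o644)

        size_base = snapshot(root, size_only=True)
        hash_base = snapshot(root)

        # Trojaned replacement with identical length and mode.
        _write(login, b"EVIL LOGIN v1\n")
        # New trust file appearing in a restricted area.
        _write(os.path.join(root, "etc", ".rhosts"), b"+ +\n", 0o644)

        return {
            "size_only": compare(size_base, snapshot(root, size_only=True)),
            "hashed": compare(hash_base, snapshot(root)),
        }
```

The size-only pass notices the new file but misses the substituted binary entirely; the hashed pass catches both. The baseline must of course be stored somewhere the intruder cannot rewrite (read-only media or another host), or the attacker simply re-baselines after installing the trojan.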

Later in this book, I will examine dozens of utilities like those in Table 8.3. The majority of utilities mentioned so far are either freeware, shareware, or relatively inexpensive. They are used chiefly by public entities such as ISPs and universities. However, an entire world of corporate sources is available. As you might expect, American corporations are concerned about their security.
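Before leaving Table 8.3, the log-scanning entries (LogCheck, Netlog, and Clog) deserve a worked illustration, since "scanning existing log files" hides two different analyses: matching single lines against alert patterns after throwing away known noise, and noticing that one source address has touched many services in quick succession, which is what a probe of the host looks like in a log. The following is an added example, not code from those tools or from the book; every log line, hostname, address, and process ID in it is constructed.

```python
# Added example (not code from LogCheck, Netlog, Clog or the book): the two
# checks a log-scanning utility performs over syslog. Every log line below
# is constructed; hostnames, addresses and process IDs are hypothetical.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  3 02:14:07 gw login[1443]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Mar  3 02:14:09 gw login[1444]: FAILED LOGIN 2 FROM 10.0.0.5 FOR root, Authentication failure
Mar  3 02:14:12 gw login[1445]: FAILED LOGIN 3 FROM 10.0.0.5 FOR root, Authentication failure
Mar  3 02:15:00 gw in.telnetd[1450]: connect from 10.0.0.5
Mar  3 02:15:01 gw in.ftpd[1451]: connect from 10.0.0.5
Mar  3 02:15:02 gw in.fingerd[1452]: connect from 10.0.0.5
Mar  3 02:15:03 gw in.rshd[1453]: connect from 10.0.0.5
Mar  3 02:18:40 gw in.ftpd[1458]: connect from 192.168.1.20
Mar  3 02:20:00 gw sendmail[1460]: AA01460: to=bob, stat=Sent
Mar  3 02:21:00 gw su: bob to root on /dev/ttyp2
Mar  3 02:21:30 gw cron[1470]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Lines matching these are known noise and are dropped before alerting.
IGNORE = [
    re.compile(r"\bcron\[\d+\]: \(root\) CMD"),
    re.compile(r"\bsendmail\[\d+\]: .*stat=Sent"),
]

# (label, pattern): any match is reported to the administrator.
ALERT_RULES = [
    ("failed login", re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+)")),
    ("su to root", re.compile(r"\bsu: (\S+) to root\b")),
]

# tcp_wrappers-style "service[pid]: connect from host" records.
CONNECT = re.compile(r"\b(in\.\w+)\[\d+\]: connect from (\S+)")


def scan(lines):
    """LogCheck-style pass: return (label, line) for every alerting line."""
    hits = []
    for line in lines:
        if any(p.search(line) for p in IGNORE):
            continue
        for label, pat in ALERT_RULES:
            if pat.search(line):
                hits.append((label, line))
                break
    return hits


def service_sweeps(lines, min_services=3):
    """Netlog-style pass: sources that touched min_services or more distinct
    network services, the footprint of a host being probed for openings."""
    seen = defaultdict(set)
    for line in lines:
        m = CONNECT.search(line)
        if m:
            seen[m.group(2)].add(m.group(1))
    return {src: sorted(svcs) for src, svcs in seen.items()
            if len(svcs) >= min_services}


def report(text=SAMPLE_LOG):
    lines = text.splitlines()
    return {"alerts": scan(lines), "sweeps": service_sweeps(lines)}
```

On the sample, the line-by-line pass reports three failed root logins and one su to root, while the sweep pass singles out 10.0.0.5 for hitting four services in four seconds and ignores 192.168.1.20, which opened a single FTP session. The ignore list is what keeps such a tool usable: without it, cron and mail noise drowns the alerts, which is exactly how intrusions go unread.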

Corporations often maintain sensitive information. When they get cracked, the crackers usually know what they are looking for. For example, the famous cracker Kevin Mitnick reportedly attempted to steal software from Santa Cruz Operation (SCO) and Digital Equipment Corporation (DEC). These two companies manufactured high-performance operating systems. Mitnick was allegedly interested in obtaining the source code of both. Undoubtedly, Mitnick had intentions of examining the internal workings of these systems, perhaps to identify flaws within their structures.

Corporations operate a little bit differently from other entities, largely because of their organizational structure. Management plays a strong role in the security scheme of any corporation. This differs from universities or ISPs where those with actual security knowledge are handling the situation.

Corporate entities are going to have to come to terms with Internet warfare very soon. For although corporations have the resources to keep penetration of their networks secret, this practice is not advisable. Corporate America wants the Internet badly. In the Internet, they see potential for profit as well as networking. (Several banks have already begun preparing to provide online banking. How effectively they can implement this remains to be seen.)

Some excellent research has proven that a large portion of corporate America is not secure. In Chapter 9, "Scanners," you will learn about scanners, which conduct automated security surveys of remote sites. One such utility is SATAN. This tool was created for the benefit of Internet security by Dan Farmer and Wietse Venema. In December, 1996, Dan Farmer conducted a survey of approximately 2,000 Internet hosts.

The survey was called "Shall We Dust Moscow? Security Survey of Key Internet Hosts & Various Semi-Relevant Reflections." A significant number of the sampled hosts were corporate sites, including banks, credit unions, and other financial institutions: organizations that are charged with keeping the nation's finances secure. Farmer's findings were shocking. Large numbers of corporate sites could be cracked by attackers whose knowledge of the target host's operating system ranged from minimal to expert.


Cross Reference: Rather than parade Mr. Farmer's hard-earned statistics here, I will point you to the site where the survey is publicly available: http://www.trouble.org/survey/.

If you examine the survey, you will find that almost 60 percent of those sites surveyed are in some way vulnerable to remote attack. Many of those are institutions on which the American public relies.

Today, corporate entities are rushing to the Net in an effort to establish a presence. If such organizations are to stay, they must find resources for adequate security. Again, the problem boils down to education. While I was writing this chapter, I received an e-mail message from a firm on the east coast, requesting an estimate on a security audit. That site maintained no firewall and had three possible entry points. Two of these machines were easily crackable by any average cracker. The remaining machine could be cracked after running just one SATAN scan against it.
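SATAN itself is covered in Chapter 9, but the first thing any scanner does against a host like the one in that audit is simple enough to show here: connect to each candidate port, note which ones answer, and read whatever the service announces about itself. The following is an added example, not code from SATAN or from the book. So that it runs offline, it starts a throwaway listener on the loopback interface and scans that; the FTP greeting the listener sends is constructed for the example.

```python
# Added example (not code from SATAN or the book): a TCP connect scan with
# banner grabbing, run against a fake service started on 127.0.0.1 so the
# demonstration works offline. The banner text is constructed.
import socket
import threading


def start_listener():
    """Start a fake service on 127.0.0.1 and return (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _addr = srv.accept()
            except OSError:             # listener was closed
                return
            with conn:
                conn.sendall(b"220 ftp.example.net FTP server ready.\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Connect to one port. Returns (state, banner); state is 'open',
    'closed' (connection refused) or 'filtered' (no answer in time)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:                     # timeout, unreachable, etc.
        s.close()
        return "filtered", b""
    banner = b""
    try:
        banner = s.recv(256)            # many daemons announce themselves
    except OSError:
        pass
    finally:
        s.close()
    return "open", banner.strip()


def scan(host, ports, timeout=0.5):
    """Map port -> (state, banner) for every port in the list."""
    return {port: probe(host, port, timeout) for port in ports}


def open_ports(results):
    return sorted(p for p, (state, _banner) in results.items() if state == "open")


def closed_port():
    """A loopback port with nothing listening on it, for the demonstration."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port
```

A scanner such as SATAN runs this probe across a port range, then matches the banners against a table of known-vulnerable service versions. Two points worth keeping in mind: a full connect scan completes the TCP handshake, so it shows up plainly in the target's logs (the "connect from" lines the log-scanning example above picks up), and a site with no firewall presents every listening daemon on every host to exactly this kind of enumeration.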

If there is any group of individuals that needs to obtain books like this one (and the wealth of all security information now available on the Net), it is America's corporate community. I have had consultations with information managers who have an uphill battle in convincing their superiors that security is a major issue. Many upper-level management officers do not adequately grasp the gravity of the situation. Equally, these folks stand a good chance of being taken, or fleeced, by so-called security specialists. All in all, a dirty war is being fought out there.

Before I close with some reflections about government, I would like to impart this: Internet warfare occurs between all manners of individual and organization on the Internet. This trend will only continue to increase in the near future. There are bandits, charlatans, gunslingers, and robbers...the Internet is currently just slightly less lawless than the stereotypical image of the Old West. Until laws become more concrete and focused, my suggestion to you, no matter what sector you may occupy, is this: Absorb much of the voluminous security literature now available on the Internet. Throughout this book, I provide many references to assist you in that quest.

The Government

Government Internet warfare refers to that warfare conducted between the U.S. government and foreign powers. (Though, to be honest, the majority of Internet warfare that our government has waged has been against domestic hackers. I will briefly discuss that issue a little later on in this section.)

One would imagine that the U.S. government is amply prepared for Internet warfare. Well, it isn't. Not yet. However, recent research suggests that it is gearing up for it. In a 1993 paper, specialists from Rand Corporation posed the question of whether the United States was prepared for a contingency it labeled cyberwar. The authors of that paper posed various questions about the U.S.'s readiness and made recommendations for intensive study on the subject:

We suggest analytical exercises to identify what cyberwar, and the different modalities of cyberwar, may look like in the early twenty-first century when the new technologies should be more advanced, reliable, and internetted than at present. These exercises should consider opponents that the United States may face in high- and low-intensity conflicts. CYBERWAR IS COMING!2


2John Arquilla and David Ronfeldt, International Policy Department, RAND. 1993. Taylor & Francis. ISSN: 0149-5933/93.

Indeed, the subject of cyberwar is a popular one. Many researchers are now involved in assessing the capability of U.S. government agencies to successfully repel or survive a comprehensive attack from foreign powers. John Deutch, head of the CIA, recently addressed the U.S. Senate regarding attacks against our national information infrastructure. In that address, the nation's chief spy told of a comprehensive assessment of the problem:

We have a major national intelligence estimate underway which will bring together all parts of the community, including the Department of Justice, the Defense Information Systems Agency, the military, the FBI, criminal units from the Department of Justice in providing a formal intelligence estimate of the character of the threats from foreign sources against the U.S. and foreign infrastructure. We plan to have this estimate complete by December 1 of this year.

How likely is it that foreign powers will infiltrate our national information infrastructure? That is difficult to say because the government now, more than ever, is getting quiet about its practices of security on the Net. However, I would keep a close eye in the near future. Recent events have placed the government on alert and it has intentions, at least, of securing that massive (and constantly changing) entity called the Internet. I do know this: There is a substantial movement within the government and within research communities to prepare for Internet warfare on an international scale.


Cross Reference: I want to point you to an excellent starting point for information about Internet warfare. It is a site that contains links to many other sites dealing with Internet and information warfare. These links provide a fascinating and often surprising view. The site can be found at http://www.fas.org/irp/wwwinfo.html.

Within the next five years, we will likely begin engaging in real Internet warfare with real enemies. And, for all we know, these real enemies may have already started warring with us.

Summary

As more and more users flock to the Internet, Internet warfare will increase in prevalence whether at the governmental, corporate, or personal level. For this reason, each user should have a minimum of knowledge about how to defend (if not attack) using standard Internet warfare techniques. This is especially so for those who have networks connected 24 hours a day. Sooner or later, whether you want to fight or not, someone will probably subject you to attack. The key is knowing how to recognize such an attack.

Various chapters throughout this book (most notably Chapter 9, "Scanners") discuss attacks from both viewpoints: aggressor and victim. In fact, Part III of this book is devoted specifically to tools (or munitions) used in Internet warfare. I will discuss some of these in the next chapter.


Previous chapterNext chapterContents