Foreign Government, Or 16 Year Old? (Risk Assessment - Why The US Military Gets It Wrong)

I hate to bring up this case again, but it's such a perfect example that I feel I have to. In the spring of last year, the US Military went into high alert, the president was notified, and over 40 FBI agents worked around the clock to investigate what the Deputy Secretary of Defense called the most "organized attacks against the US infrastructure to date". It was feared that these attacks were actually the beginnings of a "cyberwar" being waged by Iraq. This DOD project, dubbed Solar Sunrise, turned out to be a huge embarrassment for the military, and a major story for AntiOnline, when I announced that the attacks had truly been originating from three teenagers (two 16-year-olds in the US, and an 18-year-old from Israel). As I said before, this is a perfect example of how the military got it dead wrong, and how a profiler could have helped prevent an embarrassing, and COSTLY, investigation.

What may be true in the rules of "physical risk assessment" may not hold true in the rules of "digital risk assessment". Here's one common misconception that the US Military seems to have when it comes to digital attacks: ORGANIZED does not equal SERIOUS. The government, in this case and in many others since it, has assumed that if they're being hit in what appears to be a large, organized manner, it must be a serious attempt by an organization with extensive resources (i.e., a foreign government or terrorist organization). But, in my eyes, an attack from such an entity would look exactly the opposite. Let me explain further.

One of the things that we look at on our very own little network is the concept of "normal". What are the "common occurrences" on our network? This holds true for both regular activity and hack attempts. We see "PHF CGI Vulnerability" checks on a regular basis, from literally hundreds of unique hosts a week.
PHF checks from a vast array of hosts are "normal". As are hundreds of other vulnerability checks. Now, if I were a hostile nation, and I decided that I wanted to break into AntiOnline to steal proprietary or classified information, I would not set up several machines that scanned every one of the servers on the AntiOnline network for every known vulnerability in a matter of minutes. This would show up on our network as not being "normal", and would be an event that would trigger investigation on our part. Instead, I'd have the machines check a particular server, over the course of WEEKS, for a vulnerability here and there. On our network, it would appear as just another small, "NORMAL" hack attempt.

The same holds true on military networks, which see thousands of hack attempts a week. One more small qmail vulnerability check from AOL would go unnoticed; another sendmail check from UUNet would be treated the same. Are you getting the picture now? If I were the US military, I wouldn't be worried about the "massive, organized scans"; I'd be worried about the small, everyday occurrences. "Massive and Organized" draws attention (all of which, to date, have proved to originate from nothing more than teenagers looking for a thrill); "Common and Everyday" does not (we're not sure of the threats that common and everyday may pose, simply because they've never been looked into).
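To make the "normal" versus low-and-slow argument concrete from the defender's side, here is an added example (written for this edit, not code from the original article or from AntiOnline) that runs two detectors over a constructed probe log: one that catches the noisy burst scan the military reacted to, and one that catches a single source trying a different vulnerability against the same host every week or so. The log format, addresses, probe names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one probe per line: "timestamp src dst probe".
SAMPLE_LOG = """\
1998-02-01T10:00:00 10.0.0.5 198.51.100.10 phf
1998-02-01T10:00:05 10.0.0.5 198.51.100.11 phf
1998-02-01T10:00:09 10.0.0.5 198.51.100.12 qmail
1998-02-01T10:00:12 10.0.0.5 198.51.100.13 sendmail
1998-02-01T10:00:20 10.0.0.5 198.51.100.14 phf
1998-02-02T03:14:00 192.0.2.7 198.51.100.20 qmail
1998-02-09T22:40:00 192.0.2.7 198.51.100.20 sendmail
1998-02-17T04:05:00 192.0.2.7 198.51.100.20 phf
1998-02-03T12:00:00 203.0.113.9 198.51.100.30 phf
"""

def parse(log):
    """Turn the constructed text log into (time, src, dst, probe) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, dst, probe = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, probe))
    return events

def burst_scanners(events, window=timedelta(minutes=5), min_hosts=5):
    """Sources that probe many distinct hosts inside a short window: the loud, 'organized' pattern."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in events:
        by_src[src].append((ts, dst))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged.add(src)
                break
    return flagged

def slow_scanners(events, span=timedelta(days=7), min_probes=3):
    """Sources that try several different vulnerabilities against ONE host spread over a long span."""
    by_pair = defaultdict(list)
    for ts, src, dst, probe in events:
        by_pair[(src, dst)].append((ts, probe))
    flagged = set()
    for (src, dst), hits in by_pair.items():
        probes = {p for _, p in hits}
        times = [t for t, _ in hits]
        # Per day each hit looks like background noise; only the long-window view exposes it.
        if len(probes) >= min_probes and max(times) - min(times) >= span:
            flagged.add(src)
    return flagged
```

The burst detector flags only 10.0.0.5, while the slow detector flags only 192.0.2.7, whose three probes over fifteen days would each have passed as "normal" on any single day.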