E-Espionage BusinessWeek magazine probed the rising attacks on America's most sensitive computer networks, uncovering startling security gaps. The email message addressed to a Booz Allen Hamilton executive from the Pentagon was mundane-a shopping list of weaponry India wanted to buy. But the missive was a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code, known as Poison Ivy, designed to suck sensitive data out of the $4 billion consulting firm's computer network.
The Pentagon had not sent the email. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River. The email aimed at Booz Allen paints a vivid picture of the alarming new capabilities of America's cyberenemies. The email message was sent to John F. "Jack" Mulhern, vice president for international military assistance programs at Booz Allen.
In the high-tech world of weapons sales, Mulhern's specialty, the email looked authentic enough. "Integrate U.S., Russian, and Indian weapons and avionics," the email noted, describing the Indian government's expectations for its fighter jets. "Source code given to India for indigenous computer upgrade capability." Such lingo could easily be understood by Mulhern. The 62-year-old former U.S. Naval officer and 33-year veteran of Booz Allen's military consulting business is an expert in helping to sell U.S. weapons to foreign governments. The email was more convincing because of its apparent sender: Stephen J. Moree, a civilian who worked for a group that reported to the office of then-Air Force Secretary Michael W. Wynne. Among its duties, Moree's unit evaluated the security of selling U.S. military aircraft to other countries. There would be little reason to suspect anything seriously amiss in Moree passing along the highly technical document with "India MRCA Request for Proposal" in the subject line.
The Indian government had just released the request a week earlier, on August 28, and the language in the email closely tracked the request. Making the message appear more credible still, it referred to upcoming Air Force communiqués and a "Team Meeting" to discuss the deal. But the correspondence from Moree to Jack Mulhern was a fake. An analysis of the email's path and attachment, conducted for BusinessWeek by three cybersecurity specialists, shows it was sent by an unknown attacker, bounced through an Internet address in South Korea, relayed through a Yahoo! server in New York, and finally made its way to Mulhern's Booz Allen in-box. The analysis also shows the code-known as malware, for malicious software-tracks keystrokes on the computers of people who open it.
A separate program disables security measures such as password protection on Microsoft Access database files, a program often used by large organizations such as the U.S. defense industry to manage big batches of data. Global Threats The U.S. government and its sprawl of defense contractors have been the victims of an unprecedented rash of similar attacks, say current and former U.S. government officials. "It's espionage on a massive scale," said Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cybersecurity incidents to the U.S. Homeland Security Department in one fiscal year, triple the number from two years earlier.
Incursions on the military's networks were up 55 percent, said Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets such as Booz Allen are just as vulnerable and pose just as much potential security risk. "They have our information on their networks. They're building our weapon systems. You wouldn't want that in enemy hands," Croom said. Cyber attackers "are not denying, disrupting, or destroying operations-yet. But that doesn't mean they don't have the capability." Poison Ivy Commercial computer security firms have dubbed the malicious code hidden inside the email attachment Poison Ivy, and it has a devious-and worrisome-capability known as a RAT, a remote administration tool. RAT gives the attacker control over the host PC, capturing screen shots and perusing files.
It lurks in the background of Microsoft Internet Explorer browsers while users surf the web. Then it phones home to its "master" at an Internet address currently registered under the name cybersyndrome.3322.org . The digital trail to cybersyndrome.3322.org , followed by analysts at BusinessWeek 's request, leads to one of China's largest free domain-name-registration and email services. Called 3322.org, it is registered to a company called Bentium in the city of Changzhou, an industrial hub outside Shanghai. A range of security experts say that 3322.org provides names for computers and servers that act as the command and control centers for more than 10,000 pieces of malicious code launched at government and corporate networks in recent years. Many of those PCs are in China; the rest could be anywhere. The founder of 3322.org, a 37-year-old technology entrepreneur named Peng Yong, says his company merely allows users to register domain names.
"As for what our users do, we cannot completely control it," Peng said. The bottom line: If Poison Ivy infected Jack Mulhern's computer at Booz Allen, any secrets inside could be seen in China. And if it spread to other computers, as malware often does, the infection opens windows on potentially sensitive information there, too. Many security experts worry the Internet has become too unwieldy to be tamed. New threats appear every day, each seemingly more sophisticated than the previous one. The Defense Department, whose Advanced Research Projects Agency (DARPA) developed the Internet in the 1960s, is beginning to think it created a monster. "You don't need an Army, a Navy, an Air Force to beat the U.S.," said General William T. Lord, commander of the Air Force Cyber Command, a unit formed to upgrade Air Force computer defenses. "You can be a peer force for the price of the PC on my desk."
Questions
1. Define information ethics and information security and explain why each is critical to any government operation.
2. Identify two epolicies the government should implement to help combat cyberterrorism.
3. Demonstrate how the government can use authentication and authorization technologies to prevent information theft.
4. Analyze how the government can use prevention and resistance technologies to safeguard its employees from hackers and viruses.
5. Propose a plan for how the government can implement information security plans to ensure its critical info1rmation is safe and protects.
6. Evaluate the information security issues facing the government and identify its three biggest concerns.