Agencies victimized by more complex attacks

BRISTOL England - Almost half the security incidents handled in the past eight months by the newly established Federal Computer Incident Response Capability team for civilian agencies were system intrusions according to recently released FedCIRC statistics obtained by Federal Computer Week at the Forum of Incident Response and Security Teams conference convened here last week.

Federal agencies continue to experience a wide variety of system security breaches many of which are becoming increasingly more difficult to detect and track according to the computer emergency response teams charged with handling these incidents.

FedCIRC which was established last year as a governmentwide computer emergency response team for civilian agencies handled 131 security incidents from October 1996 through May 1997. Of those incidents 62 were unauthorized intrusions 44 were probes of a system 12 were viruses and 13 involved so-called e-mail bombs and spamming. E-mail bombs or sending thousands of e-mail messages to one computer and spamming are methods of attacks that flood a system with so many commands that it cannot manage all the requests and becomes clogged or eventually shuts down.

Intrusion incidents included stolen password access and using password vulnerabilities to exploit known software vulnerabilities. Probes included scanning systems for vulnerabilities for security weaknesses and to gain unauthorized access to systems according to statistics.

Numerous emerging and complex techniques for breaking into systems worry federal security experts said Sandy Sparks manager of the Energy Department's Computer Incident Advisory Capability and manager of FedCIRC West.

Sparks said DOE is not only experiencing traditional security breaches such as e-mail bombs and spamming but also those caused by a new breed of attacks. Attempts are being made to exploit a vulnerability that came embedded in a number of the publicly available Hypertext Transfer Protocol World Wide Web servers Sparks said. The security hole commonly called "phf" after the name of the script that can be exploited allows an attacker to store and retrieve files on the Web server and obtain privileges reserved for administrators on an operating system.

"The incidents are becoming more complex " Sparks said. "The tools that [unauthorized users are] using make detection and tracking harder. It just takes more time and effort to try to backtrack.

"The successful cracks are most of the time exploiting a known vulnerability for which there is patch information available."

Some military systems also are the target of these complex attacks. Kenneth Taylor a systems security analyst with the Air Force Computer Emergency Response Team said these new technologies are among the new breed of security incidents the Air Force team is finding. Probing of Air Force systems also has increased during the past six months he said.

"They're coming from one host to another " Taylor said. "They're not straight out attacking. They're using an intermediary host."

The ripple effect of these incidents affected thousands of other sites and hosts said Marianne Swanson FedCIRC program manager. Although computer emergency response teams routinely refrain from identifying specific sites Swanson said one intrusion of a federal site affected 10 000 other hosts inside and outside government and an intrusion at another civilian agency affected 100 other hosts. Not all these hosts were within the government but the intrusion into a government system served as a launch pad for these attacks she said. One virus infection from a government site affected 700 hosts.

While widespread publicity about the security shortfalls in Defense Department systems have increased the awareness of administrators at military sites many civilian agencies have not yet acknowledged the possibility of security breaches to their own systems Swanson said.Although FedCIRC provides free emergency services to any civilian agency it offers more expansive services such as security system assessments for an additional subscriber fee.

FedCIRC recently has signed on its first three subscribers for its service: the Customs Service the General Services Administration's Federal Supply Service and the Agriculture Department's National Finance Center.