TOWARDS ARMAGEDDON - PART 1

by BERNARD A HODSON

For the next article or two I am going to write some fictionalised fact on what can happen in regard to some of the security issues, and how we might address the situation. All names are fictionalised to preserve privacy.

Lost identity

"Someone stole my identity" yelled Justin to his room mate, slamming the door as he entered the three bedroom apartment they shared near the University campus, the third room being used as a computer laboratory. "All my bank accounts, credit cards, driving license, health insurance, personal insurance, are all being used by one or more thieves". This was doubly embarrassing to him because he was a designer of computer chips that embedded within them security features to help prevent fraud, usually used with smart cards. A doctorate in computer engineering from MIT he had a promising career ahead of him, being currently employed as an Assistant Professor of Computer Engineering. Already he had several papers published in learned journals, which had been widely acclaimed.

Patrick, a colleague at the University, shared the expenses of the apartment but he was a software engineer rather than hardware. At thirty two he was a recently promoted Associate Professor, having graduated several years earlier from CalTech.

Justin went to his own room and pulled out all his personal papers, following which he telephoned the banks, credit card companies, and other companies he did business with, each call needing him to verify personal information. What he found out from the several conversations he conducted was horrendous. One of his credit cards had been used for several thousand dollars in Los Angeles, where he had not been recently (he still had his card). Another had been used in France and England, again to the tune of several thousand dollars, for expensive hotels and food. Two of his bank accounts had been completely drained while a third had been taken for five thousand. A driving license in his name (he verified he still had his own) had been used to rent an automobile, which had been involved in a fatal accident, the driver being intoxicated. There was now the possibility of a lawsuit from the family who had lost loved ones in the accident, which could involve him with legal expenses just to clear his name. The publicity would not please his employers as he was involved as a consultant with the security services, working on highly confidential projects.

Things got worse as mail was received during the next few days. In view of the fatal accident his car insurance premiums were raised by four thousand dollars a year. Due to the draining of his bank accounts several cheques had been refused by the banks, resulting in angry vendors, costs associated with NSF cheques, and annotations on what used to be an exemplary top of the category credit rating. A bouncing automatic deduction resulted in his Internet access being cut off, affecting his ability to communicate other than through his University account. Additional threatening letters were received suggesting that phones, heating and electricity could be cut off if bills were not paid.

Vulnerability

Over a beer the following week Patrick and Justin discussed what might be done to avoid such situations. In particular they realised that what had happened to Justin was only the tip of the iceberg. The potential for catastrophe was not just personal but national and international as well, with adverse consequences far worse than anything that might happen to an individual. They started to elaborate some of the possible perils.

They discussed the technique for tappimg undetected into the optical fibres that carried data streams around the world. It is a difficult operation but can be done by determined groups. Because of their consulting work with the security services they knew that there had been occasions when this had been done (fortuitously discovered), but no one knew how extensive the undiscovered problem was, nor what data had been intercepted, which could be financial, personal, security, technical or other data of interest to corrupt individuals or terrorist groups.

Patrick then discussed with Justin what happens with data received from remote sensing satellites. He indicated that the data is transmitted in a continuous bit stream. If a single bit goes missing in transmission (which it can do) the transmitted image can be distorted. Software is required to find whether any bits are missing and, if so, correct the data stream. This was not usually done with optical fibre transmission of data, a danger which he went on to explore.

Patrick explained that while it did not yet appear to have been done it might be possible to introduce data into an optical fibre data stream by an analogous technique to that used in tapping, corrupting the data being transmitted. Patrick, who had contact with consultants to the banking industry in Switzerland, said that these contacts indicated that bankers there were expecting a major catastrophe with electronic money transfers involving billions of dollars. He mentioned also that several avoidable disasters had already happened with the electrical transmission industry, causing blackouts in several countries but particularly so in North America. Although the Swiss concern has to do with software he said that if a determined group deliberately introduced spurious data at several points into optical fibre data streams carrying financial data it could interrupt the entire world economic structure, making electrical transmission failures look like small potatoes.

Justin, the hardware expert, then outlined the situation with satellite data transmission. It was already known that satellite data transmission can be severely affected by sun spot activity. He went on to indicate that it is also possible to jam the transmission signal from satellite to earth, disturbing or cutting off the data transmission. In some satellites, hardware and software have been introduced so that if any jamming is sensed then the satellite can change the frequency of its data transmission to avoid the situation. Nevertheless a determined group could severely disrupt satellite data transmission, potentially causing chaos at a critical time.

He went on to describe how insecure satellites are by giving two examples. He told how in the early days of satellite transmission Dr. (now Sir) Bernard Lovell, of Jodrell Bank fame at the University of Manchester, had intercepted data from a Soviet satellite and published the result even before it had been made available from the Soviets. The second example he cited occurred many years later when a Canadian remote sensing expert had built a receiving dish from chicken wire and a Heath Robinson printing unit. When playing around one day he received a beautiful image of the Great Lakes. Phoning his contacts in Washington he asked what frequency they were using. The Americans did not even know about the situation and asked him for all the information he could give them on the Soviet satellite, whose data he had received, particularly the transmission frequency being used. Satellite data transmission can be picked up by anyone, even casually.

Patrick then went on to say that since the beginning of the computer era the method for application development has been based on the concept of a stored program (a set of instructions that are given by a programmer to be followed by the computer). These sets of instructions have been generated for each and every application, rarely being compatible from one application to the next. All these different applications require an operating system to run them. These operating systems are demanding more and more resources, of memory, disc and chip speed. Much of the content of the operating system is never used by most users, an obscene use of resources costing the world economy a fortune. Current operating systems are so complex, with hundreds of modules, often in an un-coordinated structure, that they are highly unreliable, subject to frequent crashes, and prone to virus and worm infection. Patrick stressed that their lack of security is already well known.

This led them to a discussion of how people miles away can access the personal computers of individuals without their knowledge. A virus or worm involves a string of code being added to a legitimate transmission, often involving an attachment. How to create a virus or a worm is fairly public knowledge, even a Canadian security agency having put out a document showing how this is done. By gaining access to the email address lists of a recipient the virus is sent to those people as well. The virus can be as simple as an annoying or sexual message being displayed but the possibility exists of erasing the hard disc. The 9/11 software equivalent could wipe out the data on vulnerable computers across the world, triggering an economic bomb burst or, worse, creating chaos at a critical time in world history. They then discussed the recent development of gangster protection rackets where the gangster threatens to hack in to the company and destroy their data (potentially putting them out of business) unless they paid a few thousand dollars for protection. If a few gangsters can do pinpointed damage like that think of what a group of terrorists could do.

They also reminded each other that a related item is the very annoying situation of having sexual images displayed on the screen at frequent intervals during legitimate computing activity, while playing an on-line computer game, talking on-line, or creating data or a message. No matter how often one cleans up the unwanted imagery it seems to pop up again within a short time. In general the same intrusion of code to a distant computer has been achieved (the same as with a virus or worm), as well as the introduction of spurious data files containing the unwanted images.

Justin added to these remarks details of how vulnerable the general public is in its use of magnetic striped credit cards and even so called smart cards, problems which are likely to get worse if uncorrected. The banks and credit card companies have known for many years that security on their magnetic striped cards is inadequate. They have been relying on an interim measure of unusual usage monitoring, which can detect some problems, but which obviously failed in Justin's situation. Smart cards are slowly being introduced but they also have potential problems.

He went further, describing the perils of wireless linkages. It is a well known fact that running computers generate signals which can be picked up by radio antennae. In the early days programmers would generate specific tones from subroutines that played recognisable tunes on nearby radios. Certainly today, but also during the cold war, countries had listening vans located near embassies and other critical sites, to pick up radio signals from computers and peripheral equipment. To offset this, sensitive sites installed "tempest" terminals and other signal shielding equipment that prevented signal transmission, embassies had electronic proof rooms. With the rapid increase in the use of wireless for computer communication, signals can be intercepted by placing receivers nearby, which is now done on a regular basis in London's and other city's commercial centres, with the inevitable criminal possibilities. Credit card numbers, PIN's and other data can also be picked up and used illegally. The same is also true of cell phone interception, as more than one royal person has found to his chagrin and embarrassment. Such interceptions can lead to all sorts of nefarious information getting into the hands of wrong parties, to blackmail, pornography and worse.

They then discussed how certain types of encryption can give a false sense of security, as the Germans found so disastrously during World War II. Their ENIGMA encoding system was theoretically unbreakable but the value of their encryption was lost by the predictable bureaucratic use of the system, which meant that certain procedures were almost always followed, betraying that particular code stream. The same is still true today. Though encryption algorithms have improved, they can still be broken, given enough incentive, compromising the sensitive data.

The fictional fact story will be continued in the next newsletter.