Facts fight fiction in security circles
By Ellen Messmer
Network World Fusion, 3/9/98
Do you ever lie awake at night worrying that extortionists might blast your LAN with electromagnetic HERF guns, that the military is spying on your network traffic or that hackers are in league with Saddam Hussein?
There are plenty of people in government and business who do, and a whole cadre of security consultants who happily spread doom and gloom stories. These threats have even earned their own buzzword - infowar. The problem is, as the tales get bigger with each telling, separating fact from fiction can itself be "mission impossible."
Take the case of High-Energy Radio Frequency (HERF) guns.
HERF guns are electromagnetic pulse weapons used to garble data stored on hard disks or tapes. They also can be used to temporarily disable networks by disrupting the electron flow.
Industrial nations, including the U.S., Russia and Sweden, are developing HERF guns as part of an overall infowar strategy.
And banks, for instance, are ''hardening'' their data facilities with shielding to prevent possible data loss by terrorists or criminals firing radio-frequency guns from a distance.
''SEV Bank in Stockholm has hardened its computer centers against HERF guns,'' said Manuel Wik, chief engineer and strategic specialist in the Swedish Electronic Systems Directorate. He added that a number of Swiss banks are also looking into protecting their networks.
Tales of HERF gun and other attacks abound, circulated by word-of-mouth and spread by consultants or the media.
The Sunday Times of London caused quite a stir in June 1996 when it reported that undisclosed ''London financial institutions'' paid ''up to 400 million pounds'' to ''international gangs of cyberterrorists'' using HERF guns.
The paper named the U.S. National Security Agency as the source of the information, but at the time, the NSA claimed no knowledge about it. The story was later discredited.
But the infowar crowd - a growing cottage industry - still loves a good HERF gun tale.
At last year's Infowar conference in Brussels, for example, Nicholas Chantler, professor of intelligence and security studies at Queensland University of Technology in Brisbane, Australia, claimed that an unnamed Israeli research facility one morning discovered all of its computer records wiped out - and suspected HERF guns. The story has not been independently confirmed.
Some suspect HERF guns were used against Hussein in the last Gulf War and may be used in future conflicts.
In 1991 during Operation Desert Storm, ''we used non-nuclear electromagnetic pulse-tipped cruise missiles that, depending on the design, can explode above ground or on the ground to take out communications and power,'' said Winn Schwartau, president of Seminole, Fla.-based consultancy Security Experts, Inc., who runs the infowar.com Web site.
But could portable HERF guns be used by criminals to disrupt corporate networks, too? Yes, said Schwartau, but others are more skeptical.
''It's a genuine threat, but you can't build HERF guns from what you get at Radio Shack,'' said Barry Collins, senior research fellow at the Institute for Security and Intelligence. ''It takes some technical prowess, but a terrorist could do it, absolutely.''
Collins said that HERF guns can penetrate walls, wood and concrete, and can only be blocked by certain types of metal shielding.
While some HERF threats have been overblown, the future could be fraught with electromagnetic peril. Ira Merritt, chief of the advanced technology concepts identification and applications analysis division at the U.S. Army Space and Missile Defense Command, complained that the Internet is becoming a place to easily disseminate technical information on radio-frequency weapons.
In particular, Merritt told Congress that detailed papers up at the Web site www.cs.monash.edu.au, attributed to Australian engineer Carlo Kopp, provided HERF gun design concepts.
''The HERF gun is eminently buildable, and this has been the case for many years now,'' Kopp told Network World. Kopp works in the systems research group at the Department of Computer Science at Monash University in Clayton, Australia. Kopp added he is not in the habit of providing the precise mathematical details to build the guns.
Even though it is difficult to confirm an actual HERF attack, experts say that caution is in order. ''No one knows how susceptible commercial electronic systems might be to a concerted electronic attack,'' Alan Keys, a senior researcher on high-power microwave radiation at the U.S. Army Laboratories, told Congress.
Beware of suitcases?
It might not be just guns that ultimately threaten networks. In January, the Swedish newspaper Svenska Dagbladet reported that the Swedish National Defense Research Institute purchased a Russian ''suitcase bomb'' that uses high-power microwaves to knock out computers.
''The article also reported that this device is being sold commercially and that it has been sold to the Australian military,'' Merritt said.
Still, it's hard to know what to believe. As an April Fool's joke in 1991, an InfoWorld column by John Gantz humorously said that the NSA had inserted a powerful computer virus into an Iraqi-bound printer, thereby downing the Iraqi defense network.
According to Schwartau, the story was picked up by Japanese news sources, and eventually, military officials passed it along as real news to Nightline and U.S. News & World Report. These days the Gulf War virus hoax still gets a good laugh with the infowar crowd.
Is the NSA a threat?
Another favorite subject in infowar circles is the NSA, the Fort Meade, Md.-based spy agency known to operate a formidable array of communication-interception equipment at listening posts around the world, filtering out fax, e-mail and phone calls that might affect U.S. national security.
Within the European Parliament in Brussels, there has been growing concern about the U.S. power to intercept satellite communications via Echelon, the NSA's surveillance system that dates back to the '80s.
According to Secret Power, a book by Nicky Hager, the largest NSA-directed satellite facility is in Menwith Hill, England, which can tap directly into the British Telecom microwave network.
The European Parliament is now reviewing a report ''Assessing the Technologies of Political Control,'' which is said to verify the existence of Echelon.
The report claims that Echelon is ''designed primarily for nonmilitary targets: governments, organizations and businesses in virtually every country.''
The report goes on to say that the NSA is routinely ''transferring all target information from the European mainland via the strategic hub of London, then by satellite to Fort Meade in Maryland, via the critical hub at Menwith Hill.''
''The only [European Union] member state that is part of Echelon is the U.K., not any of the other countries,'' said Tony Bunyan, director of London-based public advocacy group StateWatch.
Another favorite subject of speculation is whether Internet hackers are in league with Iraq's Hussein.
In an assertion that has been repeated in books and broadcasts, a Dutch hacker ring called High Tech for Peace allegedly went to the Iraqi embassy in Paris during the U.S. Gulf War buildup and offered to foul up the network handling logistics messages between bases in the U.S. and the U.S. military units in Saudi Arabia.
According to John Fialka's book, War By Other Means: Economic Espionage in America, Hussein turned down the offer. When asked where he got this information, Fialka pointed to undisclosed military sources who told him this during the Gulf War.
BBC television aired the story, and had Dutch hackers actually stealing U.S. military secrets to sell to Hussein in March 1997, citing Eugene Schultz, former head of computer security at the Department of Energy, as the story's source.
But while no one disputes that Dutch hackers were busy breaking into Defense Department computers right before the Gulf War, there is considerable doubt as to whether they were in league with Hussein.
''This never happened,'' said Dutch citizen Rop Gonggrijp, who said he long ago gave up his former high-profile hacker ways to operate an Amsterdam-based Internet service provider. ''High Tech for Peace was not from Holland, and the story got mixed up with stories of Dutch hackers.''
Amsterdam police inspector Piel Kruyer said Dutch authorities have never heard of High Tech for Peace. And a military source who was active in the Gulf War admitted that the colonel who told Fialka that High Tech for Peace was an Amsterdam group was mistaken.
Don't try this at home
The wild stories continue to spread. Just last week, The New York Times ran a piece claiming that a ''computer supervisor at a Midwestern engine manufacturing company'' told his bosses that if he didn't get a raise immediately, he ''would shut the company down'' through some kind of sabotage.
The plan worked and the employee ''got his raise,'' according to the Times, which cited as its source computer security consultant Erik Thompson, who ''was called in to help the company.''
The author of the story, columnist Peter Lewis, said he is convinced the story is real, and withheld the manufacturing firm's name because Thompson, who works for Orem, Utah-based AccessData, requested it.
In the world of infowar and security gurus, it's once again a question of ''Believe it or not.''
Contact Senior Editor Ellen Messmer
An Introduction to Information Warfare
Basic intro to the field.
The E-Bomb - a Weapon of Electrical Mass Destruction
The Carlo Kopp paper that has the Army upset. Note that one of the mirror sites is run by the U.S. Air Force.
Hardening Your Computing Assets
Exposing the Global Surveillance System
Article by Nicky Hager on the NSA's Echelon system.
The Complete, Unofficial TEMPEST Information Page
A look at government efforts to ''harden'' computers against snooping.
Business spy threat is real, former CIA chief says