[149] in WWW Security List Archive
Re: what are realistic threats
daemon@ATHENA.MIT.EDU (Mike Muuss)
Wed Sep 28 19:45:44 1994
Date: Wed, 28 Sep 94 18:19:13 GMT
From: Mike Muuss <mike@arl.mil>
To: Dave Kristol <dmk@allegra.att.com>
cc: www-buyinfo@allegra.att.com, www-security@ns1.rutgers.edu,
"Stephen R. Orso" <76570.1102@compuserve.com>
Reply-To: Mike Muuss <mike@arl.mil>
David Kristol writes -
|
| Mike Muuss <mike@arl.mil> says:
| > This sort of attack is not as difficult as you might think. It is not
| > especially more difficult than conducting a wiretap on an analog line.
|
| That seems pretty hard to me. Any idea how often they're done by non-
| governmental people? [... since we know we can trust the government to
| behave.]
*laugh* For as long as I've been alive, telephone hacking has been a
popular pastime of University students. Some of the hacks have been
incredibly good. I know of quite a few "benign" (non-criminal) phone
taps and phone hacks that have been perpetrated by some of my college
buddies once they got out into the workforce. It's a good thing that
they (by and large) are "good guys", and not crooks.
Wiretaps are easy. If you don't believe _me_, go ask some of the
teenagers at the local computer club.
Please, please, PLEASE worry about this threat RIGHT FROM THE START!
I'm going to be attending the "Security Issues of the National
Information Infrastructure (NII) Initiative" conference, sponsored by
AFCEA and the NSA, 9-10 Nov. Anybody else from here going? It's
classified US SECRET, NOFORN. Contact Sandi Buss 410-684-3526 for
conference information.
| > If the rewards for doing so are sufficiently high, there will be plenty
| > of people who will mount this sort of attack. To be more specific:
| > when the amount of money or goods that can be stolen in a short time
| > period by this sort of attack reaches the US$100k to US$250k range, then
| > this attack will become commonplace.
| I wonder if the amount to be stolen from a WWW server is likely to reach
| these levels "in a short time". Of course, if someone can collect credit
| card numbers, the amount could add up quickly.
As soon as commerce becomes practical on the WWW, the amounts I cited
will seem trivial. There are already real estate listings on the Web,
many ranging from US$150k to US$5Million. If such a sale could be
consummated electronically, *bingo*.
Yes, I realize that there are additional obstacles to electronic real
estate purchases that will prevent them from being in the first wave
of electronic WWW sales. But the day will come. The two packets that
have the $5Million and The Deed in them are what we in the military
would call "high value targets". Come on, guys, think ahead!
As a more practical example, there is a company on the WWW right now
which is selling disk drives in the US$1-3k range. If they market them
well and they sell 100 units/day on the Web, then stealing their traffic
for 6 or 8 hours would represent enough money to cross the threshold I
cited, in the timeline that I cited. This could happen TODAY.
The threat is real -- the network transport is not 100% secure, and
never can be. Let's address the threat head on, early. Otherwise, the
"bad guys" will eat our lunches, using little more than a pair of tin
cans, some string, a lineman's butt-set, and their kid's Pentium PC.
Best,
-Mike Muuss
Leader, Advanced Computer Systems Team
Survivability and Lethality Analysis Directorate
The US Army Research Laboratory
Attn: AMSRL-SL-BV
APG, MD 21005-5068 USA
<Mike @ ARL.MIL>
410-278-6678 Voice
410-278-6656 Secretary
410-278-5058 FAX