[ISN] Origins of spy-mail easy to trace
InfoSec News
isn at c4i.org
Mon Oct 31 07:24:39 EST 2005
http://www.thestar.co.za/index.php?fSectionId=225&fArticleId=2973225
By Jacques Wessels
October 30, 2005
Can the government IT systems be hacked, broken into and information
stolen or planted? The answer is yes. It is a fact of life in the IT
industry that there is no such thing as a secure network. IT systems
and networks can have a high or low level of security, but the perfect
impenetrable network does not exist.
Is it a trivial matter to break into government systems? This is a
question that needs deeper understanding.
The government's information security policies are modelled around the
BS7799 standard, an internationally recognised benchmark for
information security. The problem comes with implementing those
policies.
On October 10, it was reported that government websites were
repeatedly hacked into by a group calling themselves the "Beyond
Crew". Technical personnel fixed their web servers only to have them
hacked into again by another group known as "BHS-Team". These systems
were built on platforms generally regarded as very secure.
A hacker is a person with very good technical computer skills who
uses those skills to gain access to computer systems. As is the case
with web servers, the motive is often the prestige within the hacker
community that comes from being able to gain access.
How does all this tie into the current saga between Minister Kasrils
and the NIA on claims of stolen e-mails? The NIA claims an "agent"
either intercepted the e-mails or fabricated them. For a more
objective opinion, it would be useful to bring certain events into
focus.
Deputy president Phumzile Mlambo-Ngcuka's laptop was recently stolen.
It is alleged that presidential legal advisor Mojanko Gumbi's laptop
was also stolen.
Government websites have very recently been hacked and defaced, and
now there are supposed e-mails of a sensitive nature doing the rounds.
If indeed the laptops had been acquired by someone with the correct
level of technical skills, it would be a fairly routine exercise to
find and interpret sensitive information.
The e-mails may well have been obtained from the laptops themselves.
If the laptops are not to blame, that leaves the possibility of an
agent breaking into the government network. This may sound easy, but a
high level of technical expertise is required for this. Government
networks use devices called firewalls to enforce computer security
policies.
A firewall is a device that makes decisions on which users from the
Internet may access a protected network. A hacker would therefore have
to compromise the firewall security to gain access to the internal
government network. This is a very complex task since firewalls are
explicitly designed to stop this from happening. It is however not
impossible, and there are many companies that get hacked despite their
state-of-the-art firewalls.
The question is whether your security policy is smarter than the
hacker you are trying to keep out.
Government has a fairly smart policy, and if it is implemented
properly, a different scenario becomes far more likely.
According to research on security in the computer world, the weakest
link is the human one. Couple this with the fact that more than 70% of
information security breaches occur from within the organisation, and
the most likely scenario is that someone already inside the government
computer network gained illegal access to information.
Once a hacker has physical access to a network, the picture changes
dramatically. Stealing data and breaking into computer systems then
becomes trivial.
Computer networks and computer systems can be compared to a noisy bar
and its patrons respectively. It is easy to "tune" into a single
conversation at a time, the conversation meant for your ears, but it is
also possible to eavesdrop on other conversations.
Eavesdropping on network traffic such as e-mails and chat room
conversations is called "sniffing" in hacker terms.
Some forms of sniffing attacks allow a hacker access to data even on
switched networks by inserting the hacker's computer between two
communicating computers.
These attack methods are known as "man-in-the-middle". They can also
allow a form of digital impersonation called "spoofing" where the
hacker can send e-mails that look like they came from another person.
One important point remains. Even though it is entirely possible to
obtain information such as e-mails, the hacker will always leave some
kind of trail. Every web page, phone call, e-mail message or even chat
room conversation can be traced, intercepted or monitored. Without
exception.
This is also true of government systems and will prove to be critical
in finding the truth. If the e-mails did originate within government
then log files will exist, and if proper forensic investigation is
conducted, then it should be possible to trace their origin.
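The trail the author describes, read from a message's own headers, as an added example (Python, not from the article or the investigation it covers): it walks a constructed message's Received: chain oldest-first, extracts the host that injected the message and each relay's queue id for the mail-log search, and checks whether the claimed From: domain's own server was the first to accept it, which is the cheap test against the "spoofing" mentioned earlier. All hostnames, addresses and queue ids are constructed.

```python
import re
import email
from email.utils import parseaddr

# Constructed sample (not a real e-mail): From: claims a government sender, and the
# Received: chain, read bottom-up, shows an internal workstation handing the message
# to the government mail server first. Only hops added by relays you trust are
# reliable; a sender can prepend forged Received: lines of their own.
SAMPLE = """Received: from mail.example.gov (mail.example.gov [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123;
\tSat, 29 Oct 2005 14:02:11 +0200
Received: from ws-0417.internal.example.gov (ws-0417.internal.example.gov [10.20.30.41])
\tby mail.example.gov (Postfix) with SMTP id DEF456;
\tSat, 29 Oct 2005 14:01:58 +0200
From: Minister <minister@example.gov>
To: journalist@recipient.example
Subject: Confidential

(body omitted)
"""

HOP = re.compile(r"from (\S+) \(([^)]*)\) by (\S+) .*?\bid (\S+);")

def relay_chain(raw):
    """Return the Received hops oldest-first, one dict per hop."""
    msg = email.message_from_string(raw)
    hops = []
    # Relays prepend Received:, so the last header in the message is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold the header first
        if not m:
            continue
        ip = re.search(r"\[([0-9.]+)\]", m.group(2))
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3), "queue_id": m.group(4)})
    return hops

def log_lookup_keys(raw):
    """(relay, queue id) pairs to search for in each relay's mail log."""
    return [(h["by"], h["queue_id"]) for h in relay_chain(raw)]

def from_domain_matches_first_relay(raw):
    """Spoofing check: did the claimed sender domain's own server accept the
    message first? If not, the From: header should not be trusted."""
    msg = email.message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    first_relay = relay_chain(raw)[0]["by"].lower()
    return first_relay == sender_domain or first_relay.endswith("." + sender_domain)
```

The queue id from the first hop is what the investigator searches for in that server's log to see which account authenticated or which address connected at that time.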
-=-
Jacques Wessels is a computer science lecturer in the Engineering
faculty at the Nelson Mandela Metropolitan University