1996 Congressional Hearings
Intelligence and Security


SECURITY IN CYBERSPACE

U.S. SENATE
PERMANENT SUBCOMMITTEE ON INVESTIGATIONS
(Minority Staff Statement)
JUNE 5, 1996


APPENDIX A

Computer Terms and Definitions

"Attack". The act of trying to bypass security controls on a computer system, resulting in an attempted penetration or an actual penetration. The fact that an attack is made does not necessarily mean that it will succeed. The degree of success depends on a vulnerability of the system or activity and the effectiveness of existing countermeasures.

"Audit trail" is a chronological record of computer system activities which is saved to a file on the system. The file can later be reviewed by the system administrator to identify users' actions on the system or processes which occurred on the system. Because audit trails take up valuable disk space and can slow the computer system down, many system administrators do not use them or use only limited ones.

"Bulletin Board System" or "BBS" is a computer set up by individuals or companies that can be connected to by using a modem and dialing the telephone number of the BBS. There are thousands of bulletin board systems in the United States offering a wealth of information to their users. Some also offer public domain software that can be downloaded.

"Crash". A computer or program is said to "crash" when it has become inoperable because of a malfunction in the equipment or the software. Causes include power loss, bad software code, or a computer process that conflicts with the system or other processes and causes the system to "lock up." Hackers can cause systems to crash either by accident or on purpose by initiating certain commands or by installing incompatible programs on the system.

"Cyberspace" is the virtual world of computer networks that can be explored by anyone who has a computer and modem. Individuals can "go" to computer systems all over the world and communicate with other computer users.

"Daemon" (pronounced demon), is a program that maintains or performs certain computer tasks or functions such as the printing of files, monitoring of incoming traffic, or outbound communication services.

DISA. Defense Information Systems Agency (DISA), previously called the Defense Communications Agency (DCA), provides communications and computer services, guidance, policy and direction for DoD. In 1991, the Assistant Secretary of Defense for Command, Control, Communications and Intelligence tasked DISA to establish and manage a unified, fully integrated information system security program for the Defense Information Infrastructure (DII). The Defense Information Systems Security Program (DISSP) was then established as a joint effort of DISA and the National Security Agency.

CISS. The Center for Information Systems Security, which executes the DISSP's missions and functions, has the responsibility to provide a unified information systems security policy and architecture.

Within the CISS is the Information Systems Security (INFOSEC) Countermeasures Directorate. This directorate is charged with several programs, one of which is the Automated Systems Security Incident Support Team known as ASSIST.

DISA's ASSIST is an integrated DoD operational response capability for handling information systems security incidents, attacks and threats to DoD-interest automated telecommunications systems. ASSIST provides telephonic, on-line, and on-site support 24 hours a day, 7 days a week, 52 weeks a year. ASSIST activities include assessing the nature and extent of any damage, helping site systems administrators faced with an incident contact other key technical resources (when appropriate), coordinating (with both the DoD community and vendors) technical efforts to develop and collect software patches, providing a source of verification for information pertaining to incidents and also for "patches", and advising site personnel on how to perform damage control and recovery procedures. ASSIST creates a single reporting point to reduce redundant reporting and encourages reporting through training programs, awareness newsletters and a state of the art electronic bulletin board system. ASSIST, staffed by computer security engineers, scientists and specialists, provides a level of technical assistance sufficient to address the technical problems created by almost any incident that a DoD site could encounter, and then restores the site to secure operation in as short a time as possible. ASSIST is the primary technical tool supporting the DoD and Federal law enforcement communities. Recognized as expert witnesses, ASSIST staff provide the technical perspective to investigations involving DoD-interest automated information systems.

"Denial of Service" is an action or actions that result in the inability of an automated information system, or any essential part of it, to perform its designated mission, either by loss or degradation of operational capability. Denial of service can impact productivity. Costs associated with it are based on the length and time of day of the denial of service.

"Finger" is a computer network command which allows a user of computer system A to identify a user from computer system B who is logged onto computer system A. The command can be "turned off" or disabled by the user of computer system B so that if anyone executes the "finger" command to identify them, they are invisible to it and cannot be identified.

"Firewall" is a hardware or software system that protects an internal network from unauthorized intrusions by outsiders or prevents insiders from exceeding their authorization.

Hacker. The dictionary defines "hacker" as a slang term describing a person who carries out or manages something successfully. A hacker is someone who spends many hours with the computer, often successfully operating it by trial and error without first referring to the manual. A hacker is often a technical person in the computer field, such as an assembly language programmer or systems programmer. Today the term hacker has taken on a negative meaning. The news media has often used the term hacker in a derogatory manner to refer to people that use their technical knowledge to gain unauthorized access and perform mischievous or destructive activity in computer systems and data banks.

Internet. The "Information Superhighway" or its formal name of the "Internet" is a worldwide entity that cannot be easily defined. The beginnings of the Internet date back to 1969, when DoD's Advanced Research Projects Agency (ARPA) formed the ARPANet. This early network was limited to military entities, military contractors and educational users with UNIX computers linked by leased telephone lines. A main aim of ARPANet was to maintain military communications during disruption of telephone service during nuclear attack. This accounts for the Internet's high degree of redundancy and low degree of centralization. If one communication link between two sites was unavailable, the computers would try other routes to see if an alternate way could be found to deliver a message. Due to the number of different routes between computer centers and how duties are spread among them, there is no "center" or "top" of the Internet. Each computer site is an independent entity, but follows guidelines established by national and international committees. With the exploding growth in personal computers and commercial bulletin boards offering Internet access for a small monthly fee, anyone who has even the most basic computer and a modem can use it. In 1988 the Internet consisted of approximately 33,000 host computers and by the end of 1993 it had expanded to over 1.8 million. There are approximately 20 million computer users worldwide who can communicate via the Internet, and one million new users hook up each month.

"Logic Bomb" is a computer program that lies dormant for a period of time in a system and is triggered by an event, such as a date.

"Logon Warning Banner". As a means of legal warning, immediately after a user enters a logon and password, the very first thing a computer system will often present is a paragraph of information known as a Logon Warning Banner. Generally, the banner will contain information which tells the user what computer system they have logged into and who owns it, any restrictions on the use of the system, and whether or not users and the information they process on the system are monitored. By regulation, all DoD and DoD-interest computer systems are required to have a "logon warning banner" which advises the user at logon that they have logged into a U.S. government computer system, that use constitutes consent to monitoring of the user and their activities, that use is limited to official purposes only, and what level of information may be processed on the system. Additionally, the warning banners often admonish that violation of the system by either an authorized or unauthorized user (hacker) subjects the violator to prosecution. Although required, the warning banners were not present on all of the DoD and DoD-interest computer systems SUBJECTS entered.

"Looping" is a method in which hackers try to conceal their point of origin. Using this technique, hackers "leap frog" or loop through several computer systems before finally going into the system they actually intend to attack. The technique serves to mask the hacker's actual origin from the system that is being attacked as well as from those pursuing them. Additionally, hackers will often ensure that the route their looping takes crosses international and state borders. Any time a border is crossed electronically by a hacker, they have as good as crossed it physically, and have involved another country's or state's laws and law enforcement agencies. This further complicates and slows down efforts to pursue the hacker.

"NII" National Information Infrastructure. The NII refers to that system of advanced computer systems, databases, and telecommunications networks throughout the United States that make electronic information widely available and accessible.

"Password" is a protected word or string of characters that identifies or authenticates a user for access to a computer system, or a specific resource such as data set, file, or record.

"Phreaking" is the hacking of the telecommunication systems. Phreaking is a specific subset of hacking. It is spelled with PH for PHONE.

"Root" or "System Administrator Privileges" are terms used to describe a particular degree of trust and privilege on a computer operating system. When logged in to a computer system as "system administrator," the computer regards the user as "God," allowing them to do absolutely anything they desire. The privileges granted extend from simply looking at any file the computer system controls or has access to, moving any of its files anywhere desired, and loading other data or executable program files on the system, to destroying any and all files under the system's control. Needless to say, "root" or "system administrator" privileges are reserved for a very select few system users who are responsible for the configuration, maintenance, and upgrade of the computer system and its file structure.

"Security Class C-2". In layman's terms, C-2 requires the installation of certain security tools and the implementation of procedural security practices which improve computer security, limit the vulnerability of the system to attack, and limit use to only authorized users. A technical definition would include a security testing standard established under the National Computer Security Center's (NCSC) Trusted Computer System Evaluation Criteria (TCSEC). The TCSEC was created as a metric against which computer systems could be evaluated. Security Level C-2 is basically comprised of system documentation defining a system protection philosophy, mechanism and system interface operations. Security level is basically defined as the combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.

"Sniffer" is a software program that is installed to monitor network traffic. Sniffers typically collect a certain number of characters at the beginning of a new user's session to compromise their logon and password.

"Social Engineering" is the gaining of privileged information about a computer system by an unauthorized person masquerading as a legitimate user. The high-tech version of the old "confidence game."

"Spoofing" is an attempt to gain access to a system by posing as an authorized user. Synonymous with impersonating, masquerading or mimicking.

"TCP Wrapper" (Transmission Control Protocol (TCP) wrapper): an access control mechanism which allows or disallows, and records, access to a TCP daemon. The wrapper sits between the inbound connection and the daemon on the system which controls access to the system. The wrapper reads the incoming traffic and originating site and compares the IP address to an access list which the sysop configures. The access list contains sites which are authorized or not authorized to connect to the system. The wrapper records the time, date, and originating IP address of the inbound connection before it allows access to the system.
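The decision and logging sequence in that definition, written out as an added example (this is illustrative code, not software from the hearing or from any TCP wrapper implementation). It assumes the two-file access list style (an allow list consulted before a deny list, with a connection permitted when neither matches) and a constructed pair of lists; the daemon names and addresses are made up for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed access lists in a "daemon: client-pattern, ..." style.
# Patterns may be a single address, a network prefix, or the keyword ALL.
HOSTS_ALLOW = """
# internal workstations may reach telnet and ftp; one outside host may reach telnet
in.telnetd: 10.1.0.0/16, 192.0.2.25
in.ftpd: 10.1.0.0/16
"""
HOSTS_DENY = """
ALL: ALL
"""


def parse_access_list(text):
    """Return [(daemon, [client patterns])], ignoring blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, _, clients = line.partition(":")
        patterns = [c.strip() for c in clients.split(",") if c.strip()]
        rules.append((daemon.strip(), patterns))
    return rules


def client_matches(pattern, addr):
    """True when the originating address falls under one access-list pattern."""
    if pattern == "ALL":
        return True
    try:
        # A bare address becomes a /32 network, so exact matches work too.
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostname patterns are outside this example's scope


def list_matches(rules, daemon, addr):
    """True when any rule for this daemon (or ALL) names the address."""
    for rule_daemon, patterns in rules:
        if rule_daemon not in ("ALL", daemon):
            continue
        if any(client_matches(p, addr) for p in patterns):
            return True
    return False


def wrap_connection(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY, now=None):
    """Decide whether the inbound connection is handed to the daemon, and
    produce the log record (time, date, daemon, verdict, originating address)
    that is written before the daemon ever sees the connection.

    Evaluation order: allow-list match -> connect; deny-list match -> refuse;
    no match in either -> connect.  Returns (permitted, log_line).
    """
    addr = ipaddress.ip_address(client_ip)
    now = now or datetime.now(timezone.utc)
    if list_matches(parse_access_list(allow), daemon, addr):
        verdict = "connect"
    elif list_matches(parse_access_list(deny), daemon, addr):
        verdict = "refuse"
    else:
        verdict = "connect"
    log_line = f"{now:%Y-%m-%d %H:%M:%S} {daemon}[{verdict}]: from {addr}"
    return verdict == "connect", log_line


if __name__ == "__main__":
    for daemon, ip in [("in.telnetd", "10.1.5.7"), ("in.ftpd", "192.0.2.25"),
                       ("in.telnetd", "198.51.100.9")]:
        permitted, record = wrap_connection(daemon, ip)
        print(record)
```

The point worth noticing is the fall-through: a connection that matches neither list is permitted, so a deny list ending in `ALL: ALL` is what turns the wrapper into a default-deny control, and the record is written for refused connections as well as accepted ones.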

"Telnet" is a program that allows you to log on to a computer at another location. Once logged on, you can look at files and run programs. When you run telnet, your local system:

A "Trojan Horse," as its name implies, allows an unsuspecting gatekeeper to invite an invading army into his midst. It is a program which performs, or appears to perform, a valid function. As the apparently valid program executes in the foreground, malicious code or a set of instructions initiates other processes in the background which are invisible to the user.

"Trusted Host Table" is a listing, technically known as the "hosts.equiv file", which defines which other computer systems or networks will be allowed remote access without having to log in and use a password a second time. In turn, access can be gained to other computer systems which are on the trusted host table of the second system. This allows uninterrupted access to authorized users; however, once a hacker enters one system, cracks the password files, and gains what appears to be legitimate access, the hacker can then gain what appears to be legitimate access to any other computer system listed on the trusted host table. If a system which contains a trusted host table has been compromised, all of the systems contained within the host table can be considered compromised as well, and appropriate action should be taken to secure them.
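The last two sentences describe a chain: trust on one system leads to trust on the next. The following added example (illustrative code, not from the hearing) scopes that chain the way an incident responder would, so that every system to be secured is listed rather than only the first hop. It assumes a constructed set of hosts.equiv contents, one per host, where a host's table lists the hosts whose users it admits without a second password; the host names are invented.

```python
from collections import deque

# Constructed trusted-host tables: host -> contents of that host's hosts.equiv,
# i.e. the hosts it admits without a second password.
TRUST_TABLES = {
    "gateway": ["workstation1", "workstation2"],
    "fileserver": ["gateway"],
    "payroll": ["fileserver"],
    "workstation1": [],
    "workstation2": ["gateway"],
    "isolated": [],
}


def trust_edges(tables):
    """Directed edges source -> target: an account on `source` can log in to
    `target` without a password, because `target` lists `source` in its table."""
    edges = {host: set() for host in tables}
    for target, trusted in tables.items():
        for source in trusted:
            edges.setdefault(source, set()).add(target)
    return edges


def compromised_set(tables, start):
    """Every host reachable from `start` by chaining password-less logins.
    Under the rule in the definition, all of these are treated as compromised
    once `start` is."""
    edges = trust_edges(tables)
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in edges.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def login_chain(tables, start, goal):
    """Shortest sequence of trusted-host hops from `start` to `goal`, or None.
    Useful for explaining in an incident report why a distant host is in scope."""
    edges = trust_edges(tables)
    parent = {start: None}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host == goal:
            chain = []
            while host is not None:
                chain.append(host)
                host = parent[host]
            return chain[::-1]
        for nxt in sorted(edges.get(host, ())):
            if nxt not in parent:
                parent[nxt] = host
                queue.append(nxt)
    return None


if __name__ == "__main__":
    first_hop = "workstation1"
    print("Hosts to secure after a compromise of", first_hop + ":",
          sorted(compromised_set(TRUST_TABLES, first_hop)))
    print("Chain to payroll:", login_chain(TRUST_TABLES, first_hop, "payroll"))
```

Run against the constructed tables, a compromise of a workstation that appears in only one table still reaches the payroll system three hops away, which is the reason the definition recommends treating the whole reachable set as compromised rather than the one host that was entered.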