CERT® Coordination Center
The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University.


Cyber Infrastructure and Malicious Expectations during the Y2K Transition Period

International Y2K Workshop
Gatwick, England UK

This document is the product of the Threat Analysis Working Group at the International Y2K Workshop, held at the Renaissance London Gatwick Hotel in Gatwick, England, 26-28 October 1999. The International Y2K Workshop was sponsored by the Y2K Information Coordination Center (ICC), and was led by the CERT® Coordination Center (CERT/CC).


OVERVIEW

Threat Summary

The authors of this assessment expect both real and reported increases in malicious cyber activity, encouraged by the heightened awareness of and media focus on malicious activity during the period. Further, the authors see significant opportunity for malicious activity in the large numbers of systems that experienced Y2K remediation efforts.

The increase in malicious activity during the Y2K period could generate additional problems in infrastructure systems, beyond genuine Y2K-generated issues and the normal level of infrastructure concerns.

The authors believe that users and system administrators will encounter and should be able to correct small-scale Y2K incidents throughout the cyber and physical infrastructures. Similarly, the authors anticipate encountering both known and probably new viruses and exploits. However, limitations exist in the collective community's ability to predict, prevent, and immediately detect malicious activity and distinguish between genuine Y2K events and malicious intrusions.

At worst, the authors can envision the relatively wide dissemination of several new, possibly destructive viruses, and the successful exploitation of both corporate and national security information systems. But even these worst-case scenarios reflect the same kinds of malicious activity that are seen and acted upon today.

 

Key Messages

In framing the discussion of cyber assurance against the coming Y2K transition period, the authors conclude the following:

  • "Business-as-usual" during the Y2K transition period

Activity during the Y2K period will predominantly exhibit known characteristics. Most of the malicious cyber activity expected during the Y2K transition period is the same kind of activity seen in the past and present; the actors will remain insiders, individual intruders and intruder groups, corporate and state espionage, criminals, and terrorists.

  • Increased media attention could provide incentive for malicious activity

Media attention and associated reactions and misperceptions will generate additional incentive for malicious activity. This could be aggravated by genuine failures of Y2K remediated systems and/or problems with some Y2K remediation efforts.

  • A large-scale "crash" to the physical or cyber infrastructures is unlikely

It is not expected that malicious activity will impact physical or cyber infrastructure systems on a regional or national scale.

  • Increased cyber "noise"

Malicious activity will generate an increased volume of cyber "noise." Malicious activity will generate and provide increased opportunity for localized incidents to be successful.

  • Leverage existing cyber assurance efforts

The challenge posed by the Y2K transition period will be met by applying effectively and rigorously the same expertise and techniques required now to strengthen public and private information systems alike in an evolving age of electronic business and commerce. Y2K represents a real challenge to the ongoing process of large-scale cyber-systems security.

  • Increased cyber assurance activity necessitated by Y2K transition period

The cyber assurance community will be challenged during the Y2K transition period in terms of the increased information flow, assessment, and responsiveness required.


INTENT AND CAPABILITY

Who

The Y2K period provides an unusual opportunity for cyber-attack groups, including the following types of actors:

  • Independent intruders

The particular motivation for elements of this group over the Y2K transition period is for simple attention – adding to and exploiting the chaos. They will be further fueled by the hype surrounding the millennial period and the opportunity for increased media attention. However, some elements may prefer to remain covert using the increased opportunities of the Y2K event to avoid detection.

  • Criminals

The Y2K period may provide significant opportunity and cover for criminal activity. For example, illegal activity such as billing fraud may be misdiagnosed as a Y2K transition problem.

  • Hacktivists

The term "hacktivist" is used to describe groups or individuals using cyberspace to promote their agendas. Attacks may be coordinated or focused on specific targets (e.g. ".gov" or ".mil" sites) or support a specific cause such as organized protests (e.g. the London J18 protests).

  • Terrorists

The Y2K transition period provides a significant media event that could prove attractive to terrorists; however, the authors currently see no reason to expect concerted attacks of this kind during the Y2K period.

  • Espionage

Actors sponsored by nation-states or industry competitors may look to the Y2K transition period as an opportunity for espionage activities. Professional data miners may use it to cover their activity, while perceived attention to security during the period could serve as a disincentive.

  • Insiders

Insiders – those who use legitimate access for malicious ends – exist as threats both alone (as individuals) and as part of any of the groups mentioned above. Motivation varies from disgruntled employees to simple theft to industrial and national espionage.

 

Particular opportunities over the Y2K period

The Y2K transition period provides a particular focus with a number of unique characteristics:

  • A particular target date and time to prepare viruses and probe systems
  • Significantly increased media attention and hype
  • An increased noise level that could help conceal attacks and incidents
  • Temporarily "frozen" system and network configurations (final remediation requirements overriding normal security processes) providing an unusually static target for hackers and other threat groups
  • Y2K remedial patches, in some cases urgently sought by system administrators, providing ample opportunity for malicious code to be inserted

The most likely scenario is one with an increased noise level with several new viruses or exploits, where the main players are independent intruders. Attention-seeking attacks will include graffiti and viruses. There will be increased probing of systems, as there is at any time of heightened attention. Although individually these attacks can be dealt with locally in the usual manner, there is a danger that the increased volume of attacks will create its own momentum and make timely remediation difficult. This could lead to instability or denial of service through congestion. In the extreme, this could precipitate a system shutdown. Interdependencies between systems could result in collateral damage not anticipated by the attacker.


TYPES OF ATTACKS

The types of attacks seen during the Y2K transition period will most likely include the following:

  • Trojan Horse Programs

A Trojan horse program is an executable file that performs an unauthorized action on your computer. Harmless Trojan horse programs may simply display a picture on the screen or have humorous actions such as making letters fall off the screen. Malicious Trojan horse programs, on the other hand, can surreptitiously damage and/or erase files, disable security features, and reformat hard disk drives.

NOTE: If you suspect that your system may have been compromised by a disgruntled employee or anyone else that has had access to the system, the best solution is to low-level reformat the drive and reload the operating system from the original software distribution.

  • Viruses & Email Attachments

It is possible that the advent of the millennium will see the distribution of new forms of malicious software in the form of new computer viruses. A virus is a computer program designed to conceal itself on the system and infect other computers on the network or by sharing of magnetic media (e.g. disk transfer). The virus itself may be malicious (e.g. deleting or destroying system integrity) or be innocuous. Virus development is relatively simple, with toolkits being available on the Internet to even inexperienced users. The self-replicating component(s) of the virus may remain standard and unaltered by the developer, while the malicious element (payload) is determined by the writer and could provide exploitation routes for subsequent attacks. Experience has shown that such viruses may be distributed largely by email as attachments, which in turn are either executed by the recipient through opening the attachment, or are automatically re-distributed to the recipient’s current e-mail mailing list.

NOTE: There are a number of excellent anti-virus programs designed to detect and delete known malicious programs. The best defense against such threats is to enforce a policy requiring the use of current anti-virus software and prohibiting the opening or sending of unknown attachments.

  • Exploitation of Vulnerabilities

Intruders are often able to break into network systems by taking advantage of vulnerabilities in the operating system. Such vulnerabilities and the tools used to exploit them are often publicized and distributed throughout the Internet.

In addition to weaknesses in the operating system, network programs running on servers (ftp servers, time servers, etc.) can also provide additional exploitable vulnerabilities. Therefore, it is important that any unnecessary programs and services be removed from the server.

NOTE: It is imperative that system administrators always maintain their systems with the current version of the operating system, as well as ensuring that all security patches to the OS are applied in a timely manner. Special care should be exercised in obtaining the patches from a secure site.

  • Passwords

Password compromise is a classic way of obtaining unauthorized access to a system. Two popular methods for obtaining the passwords are sniffing the network (monitoring all traffic on the network and capturing authorized users’ login names and passwords) and dictionary attacks on weak passwords. Weak passwords include names, places, and other personal descriptors.

NOTE: Two suggested ways of creating recallable secure passwords are to use two or more words separated by non-alphabetic characters, or to create a phrase and use the first letter from each word in the phrase.

<<THIS SECTION APPLICABLE TO U.S. GOVERNMENT USERS ONLY>>

Where applicable, U.S. government users should create passwords from a U.S. government-approved algorithm. It also is suggested that warning banners be installed and displayed wherever users connect to a system and are prompted for login information. While the banners should not contain any information related to the identity of the system, they should advise users that unauthorized access is prohibited and subject to prosecution.

<<END U.S. GOVERNMENT-ONLY SECTION>>

  • Social Engineering

"Social engineering" is another way of saying that a system administrator or user has been tricked into providing an intruder with information about the system or about a user account. A classic example of this is when an attacker impersonates a user and calls a "help desk" asking that his/her forgotten password be reset.

NOTE: It is imperative that administrators not release information regarding a system or user account without first ensuring that the person they are speaking with is who they claim to be (authenticated).

  • Specialized computing systems (e.g. Domain Name Servers & Routers)

Certain specialized computing systems require particular attention at this time as system administrators often fail to adequately secure them. Domain Name Servers (DNS) and routers are principal amongst these. Successful exploitation of these systems facilitates more sophisticated intrusions and denial of service attacks on other, connected computer systems.

A DNS server is a computer that runs a program called "named." Its purpose is to translate a system name into an IP address. A corrupted or suborned DNS server enables an intruder to redirect connections to an alternate system.

The DNS server should be dedicated; absolutely no other services should be allowed to run on it other than the "named" program. Secondly, the system administrator needs to fine tune the default configuration to prevent outside systems from performing unwanted updates to the list of server names and addresses as well as preventing unauthorized zone transfers.
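The two configuration points above, unauthorized zone transfers and unwanted updates, are the `allow-transfer` and `allow-update` statements of a BIND `named.conf`. The following is an added example, not code from the report or from the BIND project: a small audit that parses a `named.conf` fragment, resolves each authoritative zone's effective lists (zone-level first, then the global `options` block) and reports any zone where a list contains `any` or is not set explicitly at all. The two configuration fragments are constructed for the example and use addresses from the 192.0.2.0/24 documentation range; the parser only handles the top-level `options` and `zone` blocks, not `view` statements.

```python
import re


def _strip_comments(text):
    """Remove /* */ and // or # comments, all of which named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf fragment")


def _acl(body, name):
    """Return the address list of an allow-* statement in a block body, or None if absent."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), body)
    if not m:
        return None
    inner = _block(body, m.end() - 1)
    return [t.strip() for t in inner.split(";") if t.strip()]


CHECKS = ("allow-transfer", "allow-update")


def audit_named_conf(text):
    """Return (zone, statement, status) findings for every authoritative zone.

    status is "unrestricted" when the effective list contains `any`, and
    "unset" when neither the zone nor `options` sets the statement, so the
    server's built-in default applies instead of an explicit decision.
    """
    text = _strip_comments(text)
    defaults = {name: None for name in CHECKS}
    opt = re.search(r"\boptions\s*\{", text)
    if opt:
        body = _block(text, opt.end() - 1)
        for name in CHECKS:
            defaults[name] = _acl(body, name)
    findings = []
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', text):
        zone, body = m.group(1), _block(text, m.end() - 1)
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        if not ztype or ztype.group(1) not in ("master", "primary"):
            continue  # hint, secondary and forward zones are not audited here
        for name in CHECKS:
            acl = _acl(body, name)
            if acl is None:
                acl = defaults[name]  # zone inherits the global setting
            if acl is None:
                findings.append((zone, name, "unset"))
            elif "any" in acl:
                findings.append((zone, name, "unrestricted"))
    return findings


# Constructed fragment: the permissive shape the report warns about.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };   // anyone may copy the whole zone
};
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-update { any; };     // anyone may push dynamic updates
};
"""

# Constructed fragment: transfers limited to one secondary, updates refused.
HARDENED_CONF = """
options {
    directory "/var/named";
    allow-transfer { 192.0.2.53; };  // the secondary server only
    allow-update { none; };
};
zone "example.test" {
    type master;
    file "example.test.zone";
};
zone "." {
    type hint;
    file "named.ca";
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf) or "no findings")
```

Reporting "unset" as well as "unrestricted" is deliberate: the report's advice is to move away from the default configuration, so a zone that merely relies on whatever the installed BIND version does by default is still worth a look, whatever that default happens to be.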

A router is a network device used to connect a LAN to the wider network. An exploited router enables an intruder to redirect connections and disrupt network connectivity, as well as use the router as a point of entry into the LAN. Routers should be configured to reject "telnet" connections from unauthorized users. Additional configuration safeguards can be performed to reduce the chances that the router can be exploited for use as a gateway for denial of service attacks. Contact your router manufacturer for suggested configuration guidelines.

 

CONCLUSIONS

  • There will be some problems during this period; the authors expect smaller isolated incidents and failures (that may or may not be caused by a Y2K problem) and some unexpected combinations of problems and minor failures.
  • Those responsible for the infrastructure have thought about information security and have completed a great deal of work nationally and internationally over the last several years. They have leveraged Y2K coordination processes to organize resources to respond to significant incidents. A Y2K Triage FAQ/Checklist, as well as incident reporting forms are available at http://www.y2k.gov. There is a process in place using interconnected computer security incident response teams (CSIRTs) around the world that can help respond to problems in a coordinated manner as they occur.

Recommendations for the public

  • Those responsible for infrastructure computer systems recognize the threats and are working to protect the infrastructure. Y2K is a period of heightened awareness of computer security issues, but these are the same kinds of issues that occur all the time.
  • Intruder tools are becoming easier to obtain from the Internet. Amateurs and youth can intentionally or unintentionally launch attacks without being fully aware of the damage they are causing.
  • Don't assume that every incident or problem is necessarily caused by Y2K. It may be due to a whole range of causes such as natural disasters, accidents, or intruders. Moreover, the Y2K problem is not limited to 01 January 2000; problems can easily occur weeks and months into the new year.
  • There are basic preparations and precautions that people can take (many are called out in this paper), and these are the same kinds of activities needed for ongoing cyber security and assurance.

Recommendations for system managers

  • Ensure that procedures for dealing with a significant system intrusion or attack are added to existing Y2K contingency plans for business continuity.
  • Follow current "best practices" for configuring ("lock down your system plus have latest patches installed") and operating networks securely.
  • Use back-ups and integrity checkers to identify unauthorized changes that have been made. Store the integrity checklist and checking software apart from the rest of the system.
  • Update security policy documentation.
  • Ensure that staff on duty during the Y2K transition period have the authority needed for immediate defensive actions necessary to protect computer systems from significant intrusions or attack (for example, changing passwords throughout the system, quarantining parts of a network, etc.).
  • Note where additional resources for more detailed information need to be developed.
  • Monitor information security advisory services for news and updates.
  • Be extra alert at the end of the year and subsequently through the lifecycle of software in production. Y2K could be the opportunity to insert a bug in a system, but it could be activated at any subsequent point in time until major updates are made that negate the inserted bugs. Thus, an exploit may be more likely some weeks or months after the century date change rather than that first weekend or a year later.
  • Understand your important communication channels (vendors, CSIRTs and similar organizations) and ensure they're available, especially during the Y2K transition period.
  • Identify organizations running similar systems as alternative sources of information to vendors and CSIRTs.
  • Recognize that information security is a continuous process.
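The recommendation to use integrity checkers, and the later point that code inserted during the Y2K period may only be activated weeks or months afterwards, both come down to the same mechanism: record a baseline of file digests while the system is known-good, keep it apart from the system, and compare against it on every later check. The following is an added example, not code from the report or from any particular integrity-checking product: it snapshots a directory tree with SHA-256, stores the baseline as JSON in a separate location, and reports added, removed and modified files. The file tree, its contents and the tampering in `demo()` are constructed inside temporary directories so the example runs offline.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (by relative path) to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes baselines diffable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlink targets are checked where they really live
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "named.conf"), "w") as f:
            f.write("options { allow-transfer { none; }; };\n")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")

        # The baseline lives in a separate directory ("vault"), standing in for
        # the report's advice to keep checklist and checker apart from the system.
        store = os.path.join(vault, "baseline.json")
        save_baseline(snapshot(root), store)

        # Simulated unauthorized changes: a loosened DNS setting, an extra
        # privileged account, and a new binary that was never installed.
        with open(os.path.join(root, "etc", "named.conf"), "w") as f:
            f.write("options { allow-transfer { any; }; };\n")
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("extra:x:0:0::/root:/bin/sh\n")
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF constructed placeholder\n")

        return compare(load_baseline(store), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run against a real system the baseline must be taken before the transition period and the checker must be run from read-only media or another host, otherwise a change to the checker itself would go unreported. Digests alone do not show what changed, so pairing the report with the separately stored back-up gives the before and after for each flagged file.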

Recommendations for policymakers (e.g., CEOs, public affairs staff)

  • Assess the situation accurately and state it realistically.
  • Remember that the threat from insiders remains your most serious problem and that Y2K remediation activity may have exacerbated this problem.
  • Emphasize that there is a security infrastructure in place that is working through the millennium in a public-private partnership.
  • Ensure cyber security and assurance practices are well implemented; a normally difficult challenge that will be even harder during the Y2K period. Management attention that has been placed on Y2K remediation, testing, and validation should now shift to equally important cyber security and assurance efforts.

 

Credits

International Y2K Workshop - Threat Analysis Working Group participants

    Katherine T. Fithen, Manager
    CERT Coordination Center
    Defence Evaluation & Research Agency (DERA)
    Marianne Miller (CESG)