Fed up with the Feds
Scribed by Gilbert Held
- Book ID
- 102548280
- Publisher
- John Wiley and Sons
- Year
- 2002
- Tongue
- English
- Weight
- 27 KB
- Volume
- 12
- Category
- Article
- ISSN
- 1055-7148
- DOI
- 10.1002/nem.441
Synopsis
From the Editor
Fed up with the Feds
Many years ago, at an economic conference at a North Eastern university, a poll was taken of seniors to determine the type of organization they wanted to work for. When the results were tabulated, one person selected government service, drawing the comment of a famous economist that that person did not understand the question. If we fast forward to the present day and replace economists with government officials responsible for countering cyber-threats, it appears those folks at the Federal Bureau of Investigation do not understand what they are encountering. Let me explain.
Over the past year, members of the FBI's cyber protection unit headquartered in the Washington, DC area have both been slow to react to certain threats and inadvertently spread a virus they were supposed to suppress. While some of the shortcomings of the FBI were noted from news read by this author, from a personal perspective I encountered negligence that borders on indifference to a potential security hole that can significantly affect the bottom line of many organizations as a minimum and could possibly play havoc with the infrastructure of a Western economy if performed on a large scale by persons hired by a third party, something I will shortly discuss.
One of the noted shortcomings of the FBI includes a researcher unleashing the fast-spreading Sircam virus that emailed private FBI documents to others. Another shortcoming was the delayed reaction of the FBI to several well-known viruses.
Returning to my dealings with the FBI, over a year ago I informed them of a possible technique that could be used by a cyber terrorist to literally create an infrastructure meltdown. Unfortunately, after a year nothing has been done by the FBI to inform Web operators of the threat and some potential solutions. Thus, let me put pen to paper and explain.
Today there are literally thousands of Web sites that have partially or fully automated query-response subsystems. Fill out a form and within a few days you may receive a catalogue or brochure via regular mail, priority mail, or even United Parcel Express. If one mailing is good, fill out the form N times and sites will send you N mailings. However, other sites use either name or address checking, which can easily be overridden by adding a letter or digit to a name or an apartment number to a street address. If you take the time to write a script to fill out a Web form, you have the basis for a 'script-form' attack. Give a hacker or group of hackers a week or two and let them go to work a month or two before the holiday season and the automated Web systems could generate enough false and misleading mailings to generate hundreds to thousands of tractor trailers hauling catalogues and brochures from the East Coast to the West Coast and vice versa. In fact, some sites, to include state tourist agencies, may allow one user to request up to 60 brochures at one time, permitting a script-form attack to rapidly reach warp speed. In spite of the potential to financially bleed a company due to mailing and brochure costs as well as to adversely affect transportation, the FBI has been tight-lipped about this threat.
Thus, let me focus on a few countermeasures. First, set a threshold for mailings on a daily or weekly basis and become suspicious if your potential mailings, in the form of label generation, exceed the threshold. Secondly, check source IP addresses and do not permit multiple sequential requests from the same source address. Third, use common sense and double-check how your form-generation process operates to consider recommending other potential checks. As my Macon TV announcer would say, 'That's my opinion - what's yours?'
- Gilbert Held
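The first two countermeasures above can be sketched as a screening step in front of label generation. This is an added example, not code from the editorial; the function names, the threshold value and the request fields are assumptions, and the address-normalization rule is one possible "other check" aimed at the added apartment-number trick the article mentions.

```python
import re

DAILY_LABEL_THRESHOLD = 3  # assumed value; derive it from your normal daily volume
_UNIT = re.compile(r"(?:\b(?:apt|apartment|unit|suite|ste)\b\.?|#)\s*\w+")

def normalize_address(street, postcode):
    """Key that ignores an added apartment/unit number, case and punctuation."""
    s = _UNIT.sub(" ", street.lower())
    s = re.sub(r"[^a-z0-9 ]", " ", s)
    return " ".join(s.split()) + "|" + postcode.strip()

def screen_requests(requests, threshold=DAILY_LABEL_THRESHOLD):
    """Screen one day's form submissions in arrival order.

    Returns (labels, rejected, suspicious): requests cleared for label
    printing, (request, reason) pairs, and True when the number of labels
    exceeds the threshold and the batch should be held for review.
    """
    labels, rejected, seen, last_ip = [], [], set(), None
    for req in requests:
        key = normalize_address(req["street"], req["postcode"])
        if req["ip"] == last_ip:
            rejected.append((req, "sequential request from same source IP"))
        elif key in seen:
            rejected.append((req, "duplicate postal address"))
        else:
            seen.add(key)
            labels.append(req)
        last_ip = req["ip"]
    return labels, rejected, len(labels) > threshold

# Constructed sample submissions (documentation-range IPs, made-up names).
SAMPLE = [
    {"ip": "192.0.2.10", "name": "A Reader", "street": "12 Main St", "postcode": "31201"},
    {"ip": "192.0.2.10", "name": "A Reader2", "street": "14 Main St", "postcode": "31201"},
    {"ip": "198.51.100.7", "name": "B Reader", "street": "12 Main St. #7", "postcode": "31201"},
    {"ip": "203.0.113.5", "name": "C Customer", "street": "99 Oak Ave", "postcode": "94105"},
    {"ip": "192.0.2.10", "name": "D Customer", "street": "5 Pine Rd", "postcode": "10001"},
]

if __name__ == "__main__":
    labels, rejected, suspicious = screen_requests(SAMPLE)
    print(len(labels), "labels;", [reason for _, reason in rejected], "hold:", suspicious)
```

Many legitimate customers can share one source address, so the volume threshold and the address key should carry the final decision rather than the source-IP rule alone.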