Army outpost held off hackers in New Year's showdown


jdean@govexec.com

Shortly after dark on New Year's Day, the pager on the belt of Steve Carey, chief of information assurance at the Army's Redstone Arsenal in Alabama, went off. The message was alarming: a hacker was trying to crack into a critical server that keeps track of network identities and passwords at the arsenal.

When Carey got to the arsenal's network management center, he found the system protections had withstood the attack and all was well. But Carey and his staff couldn't rest. Attackers continued trying to breach the arsenal's computers and its Web sites as the new millennium dawned.

Some other government sites were spared attacks during the New Year's holiday, even though they had braced for the worst. But Redstone is a particularly attractive target for high-tech bandits.

The arsenal has technical information on 14 of the Army's top 29 weapons systems, including missiles, helicopters and conventional aircraft. It also handles about 63 percent of the Army's foreign military sales. This means transfers of money as well as weapons technology. "It's big bucks," said Col. Douglas S. Brouillette, who heads the arsenal's Intelligence and Security Directorate.

As a result, security experts in Redstone's Local Computer Incident Response Team (LCIRT) are constantly vigilant and in many ways ahead of other agencies when it comes to handling network attacks. LCIRT uses a number of computer intrusion detection systems. But even places such as Redstone, where computer security is a high priority, can't get all the technology resources they need. So instead of relying entirely on technology, the arsenal depends on people to remain alert against attacks.

"We have a high level of monitoring because we don't have all the firewalls we need installed yet. We hope the monitoring compensates for that," Brouillette said. "Monitoring allows us to detect, immediately react and fix attacks until we get all the firewalls and other security products installed."

Redstone's basic defense is to find attacks quickly in order to stop them as they happen, he said. Contract analysts from Intergraph Federal Systems serve with Carey on his defense team.

Redstone needs all the help it can get, because its networks are peppered with attacks daily. "We've had hundreds of incidents in the last three-month period," Brouillette said. "That's 3,000 to 4,000 scans of the network."

Hackers conduct scans to find out which computers on a given network are reachable and what services and software they are running. Scans can also turn up computers, or even modems, with open links to the Internet that the network's owners may not know about. Unknown hackers who appeared to be from countries including Bulgaria, China, Hungary, Israel, Latvia, Lithuania, Macedonia, Poland, Portugal, Romania and Russia have scanned Redstone over the past three months. But because hackers can forge the source address of their traffic or route it through computers they have already compromised elsewhere, pinning them down geographically is an imperfect science.

Once the reconnoitering is complete, hackers try to exploit vulnerabilities and gain access to private networks and the information stored there. Without intrusion detection systems and expertise, network staff may never know they've been hacked.

Beyond scanning and attempted break-ins, hackers can cripple networks and servers by launching "denial-of-service" attacks. In the typical case, the intruder sends a flood of messages to a single server, overwhelming it so that legitimate users can no longer reach it. Denial-of-service attacks have become so commonplace that they come with colorful names, such as Ping Flood, SMURF, SYN Flood, UDP Bomb and WinNuke. Not all of them rely on sheer volume: a SYN flood fills a server's table of half-open connections with connection requests that are never completed, a SMURF attack pings a network's broadcast address with the victim's address forged as the sender so that every machine on that network answers the victim at once, and WinNuke crashes unpatched Windows machines with a single malformed packet.

Over the past three months Redstone has been hit with 17 denial-of-service attacks. Twelve of them succeeded.

And then there are the vandals, Internet gang members armed with digital spray paint, whom LCIRT must contend with.

"Three of our Web sites have been breached in the past 12 months," Carey said. In the successful attacks, the intruders used methods the defenders had not seen before, which is how they were able to alter the sites' pages. Once LCIRT members worked out how the hackers pulled off the attacks, they went through every Web server on the base to make sure the same vulnerabilities were fixed.

Because of past vigilance, the New Year's vandals failed to make a dent. LCIRT members say new attacks and techniques are constantly appearing, and the only way to stop them is to have a team monitoring the network and the logs of the intrusion detection systems.
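The kind of log monitoring described above, reduced to two detections a team could run over connection logs: the port scans mentioned earlier (one source touching many ports on one host in a short time) and the SYN flood named among the denial-of-service attacks (many half-open connections piling up on one server port). This is an added example in Python and is not code from Redstone, LCIRT or Intergraph Federal Systems; the log format, the IP addresses, the timestamps, the thresholds and the traffic itself are all assumed and constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flags: "S" for a bare SYN, "A" when ACK is set


def parse_log(text: str) -> List[Event]:
    """Parse the assumed one-event-per-line format:
    <ISO timestamp> <src ip> <dst ip> <dst port> <proto> <flags>
    Returns the events sorted by time so per-host lists below stay ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport), proto, flags))
    return sorted(events, key=lambda e: e.ts)


# Constructed sample log (not real Redstone traffic): one source probing 12 ports
# on a server within six seconds, one normal client that completes its handshake,
# then 300 SYNs to the same server port from 200 different (spoofed-looking)
# sources, none of which ever sends an ACK.
_PROBES = "\n".join(
    f"2000-01-01T19:02:{i // 2 + 1:02d} 192.0.2.77 10.1.1.5 {p} tcp S"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 389, 443, 445, 1433])
)
_NORMAL = (
    "2000-01-01T19:05:10 10.1.1.20 10.1.1.5 389 tcp S\n"
    "2000-01-01T19:05:10 10.1.1.20 10.1.1.5 389 tcp A"
)
_FLOOD = "\n".join(
    f"2000-01-01T19:10:{i % 60:02d} 203.0.113.{i % 200 + 1} 10.1.1.5 389 tcp S"
    for i in range(300)
)
SAMPLE_LOG = "\n".join([_PROBES, _NORMAL, _FLOOD])


def _peak_in_window(items, window, measure):
    """Largest measure(slice) over any sliding time window of a time-sorted
    list of (timestamp, payload) tuples."""
    peak = 0
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        peak = max(peak, measure(items[start:end + 1]))
    return peak


def detect_port_scans(events, min_ports=10, window=timedelta(seconds=30)):
    """(src, dst, ports): every source that touched at least min_ports distinct
    ports on one host inside the window. Thresholds are assumed, not tuned."""
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.dst)].append((e.ts, e.dport))
    alerts = []
    for (src, dst), items in by_pair.items():
        peak = _peak_in_window(items, window, lambda s: len({p for _, p in s}))
        if peak >= min_ports:
            alerts.append((src, dst, peak))
    return alerts


def detect_syn_floods(events, min_half_open=100, window=timedelta(seconds=60)):
    """(dst, dport, count): every server port that collected at least
    min_half_open SYNs inside the window from sources that never ACKed.
    Keyed on the destination because flood sources are usually forged."""
    acked = {(e.src, e.dst, e.dport) for e in events if e.proto == "tcp" and "A" in e.flags}
    half_open: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e.proto == "tcp" and e.flags == "S" and (e.src, e.dst, e.dport) not in acked:
            half_open[(e.dst, e.dport)].append((e.ts, e.src))
    alerts = []
    for (dst, dport), items in half_open.items():
        peak = _peak_in_window(items, window, len)
        if peak >= min_half_open:
            alerts.append((dst, dport, peak))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, dst, n in detect_port_scans(evs):
        print(f"port scan: {src} probed {n} ports on {dst}")
    for dst, dport, n in detect_syn_floods(evs):
        print(f"SYN flood: {dst}:{dport} has {n} half-open connections")
```

The two detections key on different things on purpose: a scanner has to use an address it can receive replies at, so grouping by source works, whereas a SYN flood is cheapest with forged sources, so the only stable handle is the server port being targeted. That is also why the flood detector ignores any source that completed a handshake: a busy but healthy server sees plenty of SYNs, but they get answered.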

That's how the arsenal's defenders knew the New Year's hackers were aiming deliberately for one of Redstone's most sensitive servers. "If you get into that server you can go anywhere in the installation," Brouillette said, breathing a sigh of relief now that 2000 is well under way and his servers are intact.