E-BOMBS - The next phase of Cyber War

press release

London, UK, 20th May 1999 - Have trouble with junk mail every morning? Now junk e-mail could cripple your computer network and land you in court. Following the IBM Tivoli (www.tivoli.com) announcement, mi2g (www.mi2g.com), world leader in secure knowledge management software, is going public with its internal memorandum of 22nd April 1999 in the interest of security for all businesses using e-mail. The memorandum warns of four main types of e-bombs that, combined as a cocktail, can precipitate unstoppable overwhelming linked reactions and could be delivered as junk e-mail. These linked reactions could affect not only businesses but also services and public utilities. The appropriate authorities have already been informed of this risk.

E-mail bombs can significantly disrupt or collapse the normal functioning of IT Networks especially in the less well-prepared civilian sector, where there is a greater vulnerability. E-mail bombs can be launched in many different attack scenarios, which easily flood and shut down chains of SMTP mail servers with devastating consequences on the organisation's network. The heart of an e-mail bomb lies in the simplicity of the "normal" e-mail (SMTP) protocol which can be combined with the robustness of the "Sendmail" Mail Transfer Agent (MTA) program and misused in numerous ways. E-mail bombs are primarily of four types: Chain Bombs, Error Message Bombs, Covert Distribution Channel (CDC) Bombs and Mail Exploder Bombs.

A few IT businesses, such as Tivoli, are already concerned that they could receive such e-mail bombs and, in order to protect their servers, have designed their systems to reject a suspect percentage of all incoming e-mails. Tivoli's decision is significant because it anticipates the problem of "open relay" spamming and how this can degrade server-processing capacity as well as give the impression that the victim sent the junk mail (www.tivoli.com/spam.html). The problem with the Tivoli approach is that it rejects some genuine business enquiries as well. This combined scenario has been outlined in the mi2g internal memorandum of April under the descriptions of "CDC Bombs" and "Chain Bombs".

"The IBM Tivoli e-mail restriction strategy is being perceived to be too drastic by the Internet Mail Consortium (IMC). But from a business survival point of view, this approach is increasingly realistic as there is a growing and repetitive occurrence of Cyber Warfare incidents since the start of the year. The total number of unbudgeted human hours spent dealing with such incidents has been escalating monthly since January 1999," said D K Matai, Managing Director of mi2g.

Notes for the Editor

1. An exact replica of the mi2g internal memorandum of 22nd April titled "The Threat from Electronic Weaponry - Unstoppable Overwhelming Linked Reactions" is attached.


______________________________________________________________________

mi2g internal memorandum of 22nd April 1999

"The Threat from Electronic Weaponry"
Unstoppable Overwhelming Linked Reactions

E-mail bombs can significantly disrupt or collapse the normal functioning of IT Networks, especially in the less well-prepared civilian sector, where there is a greater vulnerability. E-mail bombs can be launched in many different attack scenarios, which easily flood and shut down chains of SMTP mail servers with devastating consequences on the organisation's network. The heart of an e-mail bomb lies in the simplicity of the "normal" e-mail (SMTP) protocol, which can be combined with the robustness of the "Sendmail" Mail Transfer Agent (MTA) program and misused in numerous ways. E-mail bombs are primarily of four types:

1. Chain Bombs exploit the route address functionality of MTAs to create a very powerful e-mail bomb, which executes an automated script with a chain of source-routed e-mail messages. The e-mail bombs are delivered and queued on the first MTA in the chain. If the attack volume of the e-mail bomb is sufficient to deny service to the first MTA, the remaining messages in the outbound queue of the bombing host are automatically routed to the second MTA. This process continues for all the MTAs, flooding the MTAs in the chain one after the other. Sorting malicious e-mail from business e-mail becomes very difficult and very resource intensive. If the system administrator simply reboots the mail server without clearing the malicious messages from the MTA queue, the Sendmail process re-initiates and attempts to deliver the Chain Bomb to the next MTA in the route address chain.

2. Error Message Bombs exploit the feedback paths of mail systems by using legitimate error messages generated by MTAs. In this attack, the bomber inserts the e-mail address of the victim's e-mail server as the origin of the message and sends the e-mail bomb to another MTA, configured to generate feedback messages to the originator whenever an error condition arises. This causes large volumes of error messages to be generated, which are forwarded to the victim's MTA. Two outcomes follow: either the victim's MTA is taken out of service or the end-user's mailbox is completely flooded.

3. Covert Distribution Channel (CDC) Bombs anonymously distribute covert files and illicit mail via a neutral intermediate MTA. The recipient of the illicit mail can easily be fooled into believing that the e-mail originated from an innocent victim's host machine. This poses a very real and dangerous method for terrorists to victimise the internet community. For example, an MTA of a victim could be used as a relay by propaganda distributors. The recipient of the e-mail would more than likely (and falsely) believe that the victim was the originator of the illicit mail.

4. Mail Exploder Bombs are sent to automated mailing lists, which redistribute them to all subscribers of the list. Automated list servers provide many opportunities for the e-mail bomber to exploit the SMTP infrastructure. This attack scenario can be combined with other bombing techniques to create a very complex cocktail of electronic bombing that becomes an unstoppable overwhelming linked reaction with systemic risks.
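The four bomb types above each abuse one MTA behaviour (route addresses, accept-then-bounce, open relaying, list redistribution), so the corresponding defences are envelope-time checks. The following is an added example, not code from mi2g or the memorandum: the domain set, the bounce records and the function names are constructed assumptions for illustration.

```python
"""Added example (not mi2g's code): envelope-time checks a defender can put
in front of an MTA against the four bomb types in the memorandum.
LOCAL_DOMAINS, the sample Message-IDs and the helper names are constructed."""
import re
from collections import Counter

LOCAL_DOMAINS = {"example.com"}  # assumed: domains this MTA accepts mail for

# RFC 821 route address "@relay1,@relay2:user@final" is what Chain Bombs rely
# on; refusing the form at RCPT time removes the hop-by-hop relaying entirely.
ROUTE_ADDR = re.compile(r"^@[^:]+:")


def check_envelope(rcpt_to, authenticated=False):
    """Return (verdict, reason) for one RCPT TO argument."""
    rcpt = rcpt_to.strip().strip("<>")
    if ROUTE_ADDR.match(rcpt):
        return "reject", "source-routed recipient (Chain Bomb vector)"
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "accept", "local delivery"
    if authenticated:
        return "accept", "authenticated outbound"
    # Unauthenticated mail for a foreign domain is open relaying (CDC Bomb
    # vector): the message would later look as if this host originated it.
    return "reject", "relay denied for " + domain


def backscatter_victims(outbound_ids, inbound_bounces, threshold=3):
    """Error Message Bombs reach the victim as bounces for mail it never sent.
    Each inbound bounce is (local recipient, Message-ID it claims to answer);
    bounces referencing an id absent from our outbound log are counted."""
    suspect = Counter(r for r, mid in inbound_bounces if mid not in outbound_ids)
    return {r: n for r, n in suspect.items() if n >= threshold}


def list_post_allowed(sender, subscribers, posts_this_hour, limit=5):
    """Mail Exploder Bombs use the list itself as the amplifier; only
    subscribers may post and each one is held to a per-hour budget."""
    return sender in subscribers and posts_this_hour.get(sender, 0) < limit


if __name__ == "__main__":
    print(check_envelope("<@bad.example,@relay.example:alice@victim.example>"))
    print(check_envelope("<bob@other.example>"))
    sent = {"<1@example.com>"}  # constructed outbound log
    bounces = [("carol@example.com", "<9@x>")] * 4 + [("dan@example.com", "<1@example.com>")]
    print(backscatter_victims(sent, bounces))
```

The relay and route-address checks run per RCPT command so a bomb is refused before it is queued, which is exactly the queue build-up the memorandum says a reboot does not clear.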

Conclusion

Civilian target sectors for E-mail bomb cocktails that precipitate unstoppable overwhelming linked reactions could include power generation and distribution; financial markets; large businesses; communication facilities; health services; public utilities and emergency services.
