to country), and the routing information from one country's C5 gateway to another country's C5 gateway.
Crossing international borders introduces several elements that make identification and prosecution of an intruder more difficult. As mentioned previously, weaving increases the difficulty for law enforcement to trace an intruder, but the problem is compounded when political and diplomatic issues need to be resolved. In addition, the different legal systems, laws, and law enforcement agencies in each country raise issues regarding jurisdiction.
3.3 Signaling Networks
The PSN relies heavily on the Common Channel Signaling System 7 (CCS7 or SS7) networks. NS/EP telecommunications are affected by these networks because all basic and advanced network services, such as NS/EP priority services, are controlled by the signaling networks. Exhibit 3-3 shows a generic SS7 network and highlights possible points of attack (i.e., the elements that may have dial-up modems attached).
EXHIBIT 3-3 SS7 Network
Electronic intruders in the computer underground have written many articles on the operations of SS7 and the basic technology supporting SS7 networks. (2600SU91, 2600SP93, PHRACK43, PHRACK41, NFX001) Most of their attention to date, however, appears to be on the services that SS7 affords, such as the CLASS suite of services.
However, there have been several incidents of intruders attacking SS7 network elements, including compromising signal transfer points (STP). (IVPC94) STPs are packet switches that provide the routing function through the SS7 network. In the SS7 network, STPs are deployed in mated pairs physically located in different geographic sites. This robust design provides greater security to the SS7 network because one STP can handle the entire load of the other if one happens to go down. However, if both STPs in a mated pair were compromised, significant network congestion could occur, putting a strain on other STPs in other regions. (CCSTF94)
Intruders have also compromised service control points (SCP). SCPs contain processors and databases that are accessed through STPs. SCPs are used to provide advanced network services, such as 800 number translations and credit card verification services. Certain information stored on the SCPs is considered proprietary and sensitive, including NS/EP priority services. If this information is compromised, some NS/EP services may be degraded or disrupted.
Another issue worth considering is the growing interconnection between carrier signaling networks. As interconnections between SS7 networks increase, individual signaling networks become part of a single large network. In 1989, the Network Reliability Council concluded that "[if] all private and public networks [were] fully interconnected and employ[ed] common software, the entire network could be at risk if a hostile user were to find an exploitable flaw in the system software..." (NRC89) However, the Common Channel Signaling Task Force of the President's National Security Telecommunications Advisory Committee concluded in January 1994 that "the propagation of a condition across network boundaries that ultimately subsumes the entire [SS7] network is unlikely." (CCSTF94)
However, intruders will also have more targets to attack as the signaling network grows. The interconnection between SS7 networks equates to more network elements accessing an increasing number of other network elements. Because more interconnected network elements will be deployed, there will be more opportunity for intruders to attempt to compromise the network.
A related issue concerns mediated access. Mediated access involves opening up the network to third party service providers. Industry is concerned that this may have a large impact on security. Managing the access of multiple vendors will be a difficult task and may provide opportunities for industrial spies and other intruders. As with issues surrounding increased interconnection, considerable attention must be placed on screening processes at the STPs that filter messages between networks so that each carrier knows that its network is safe from the other.
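The screening at interconnecting STPs described above can be pictured as a per-linkset rule check on each arriving message. The following is an added illustration, not taken from this report or from any carrier's equipment: the policy fields, rule order, reason strings, and sample messages are assumptions constructed for the example, with point codes written in network-cluster-member form.

```python
from dataclasses import dataclass
SI_SNM, SI_SCCP, SI_ISUP = 0, 3, 5  # MTP3 service indicator values

@dataclass(frozen=True)
class Msu:
    opc: tuple  # originating point code as (network, cluster, member)
    dpc: tuple  # destination point code, same layout
    si: int     # service indicator

@dataclass(frozen=True)
class LinksetPolicy:  # hypothetical policy for one interconnect linkset
    own_network: int
    peer_networks: frozenset  # networks reachable over this linkset
    adjacent_stps: frozenset  # peer STPs allowed to send network management
    exposed_dpcs: frozenset   # our nodes the peer carrier may address
    allowed_si: frozenset

def screen(msu, policy):
    """Return (allowed, reason) for a message arriving from the other carrier."""
    if msu.opc[0] == policy.own_network:
        return False, "opc-claims-own-network"   # internal origin on an external link
    if msu.opc[0] not in policy.peer_networks:
        return False, "opc-unknown-network"
    if msu.dpc not in policy.exposed_dpcs:
        return False, "dpc-not-exposed"
    if msu.si not in policy.allowed_si:
        return False, "si-not-allowed"
    if msu.si == SI_SNM and msu.opc not in policy.adjacent_stps:
        return False, "snm-from-non-adjacent"    # management accepted only from listed STPs
    return True, "pass"

# Constructed sample data: network 10 is "ours", network 20 the interconnecting carrier.
POLICY = LinksetPolicy(10, frozenset({20}), frozenset({(20, 0, 1)}),
                       frozenset({(10, 0, 1), (10, 1, 1)}),
                       frozenset({SI_SNM, SI_SCCP, SI_ISUP}))
SAMPLE = [
    Msu((20, 5, 7), (10, 1, 1), SI_ISUP),   # ordinary call setup from the peer
    Msu((10, 3, 3), (10, 1, 1), SI_ISUP),   # claims to originate inside our network
    Msu((30, 1, 1), (10, 1, 1), SI_SCCP),   # network we have no agreement with
    Msu((20, 5, 7), (10, 9, 9), SI_SCCP),   # addresses a node we do not expose
    Msu((20, 5, 7), (10, 0, 1), SI_SNM),    # management traffic from a non-STP node
    Msu((20, 0, 1), (10, 0, 1), SI_SNM),    # management traffic from the adjacent STP
]

def screen_all(msus, policy=POLICY):
    return [screen(m, policy)[1] for m in msus]

for msu, reason in zip(SAMPLE, screen_all(SAMPLE)):
    print(msu, "->", reason)
```

Each rejection reason maps to one screening rule, so counts per reason on a linkset give a carrier a simple measure of what the other network is sending that it should not.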
Another trend associated with SS7 network interconnection is the deployment of Advanced Intelligent Networks (AIN). AIN will provide customers with a more active role in configuring and customizing their own network services, potentially pushing network access points out to customer sites. The security concern lies in the difficult task of ensuring that proper security precautions are taken by each customer. Based on their previous activities, intruders will attempt to identify those sites on the SS7 network that are less secure than others; a network is only as secure as its least secure node.
Some new systems and services may be dependent on adjunct processors. Adjunct processors control service requests and service processing for intelligent networks. As the use of intelligent networks increases and the dependency on the services offered grows, the importance of adjunct processors on the PSN will increase as well. Electronic intruders know of the adjunct processors and what services are rendered by these processors. (NSA102, NSA103) As the importance of AIN grows in the PSN, the security of adjunct processors will play a more vital role in securing the PSN from the electronic intruder threat in the near future.
Because intruders have historically shown a great deal of persistence in understanding new technologies and cleverness in identifying and exploiting vulnerabilities, the NS/EP community should monitor the rapid deployment and interconnection of SS7 and its related services. As the CCS Task Force recommended, the status of SS7 security should be addressed periodically. The likelihood of SS7 network attacks will increase as intruders learn more about SS7 and AIN, and as the SS7 network interconnections increase.
3.4 Wireless Systems
As the use of wireless telecommunication services exploded during the past decade, computer intruders sought to exploit these technologies. Today, intruders target wireless communications at a growing rate. (PHRACK41, RSKS1438) The attacks have primarily been in the forms of eavesdropping and toll fraud.
Analog Transmission. Wireless systems originally utilized analog transmission technology, which is still the most widespread in the wireless community. With analog systems, cellular phones were exploited by persons using scanners to monitor the cellular frequency bands (824 to 894 MHz). By this means, intruders can capture potentially sensitive data. This is especially important when cellular users transmit credit card numbers, login/password data, access codes, or other sensitive data. The potential impact on NS/EP users from this threat is obvious.
The primary threat to analog cellular systems, however, is toll fraud. Computer intruders have the capability to monitor the Mobile Identification Numbers (MIN) and Electronic Serial Numbers (ESN) transmitted by every cellular phone when it attempts to set up a call. Computer intruders duplicate this data and then use it to reprogram the Programmable Read-Only Memory (PROM) chips in existing phones for the purposes of toll fraud. An advantage to electronic intruders using this technique is that calls made via compromised cellular phones are virtually untraceable. (CPP92, SPOOFER91)
Digital Transmission. Digital transmission systems have become the latest technological issue in wireless and cellular communications. This new technology can solve many of the existing security problems associated with the analog systems. However, digital receivers and scanners exist, and the conflicts associated with establishing an encryption standard for digital cellular have delayed the widespread distribution of this technology.
Several new digital technologies are presently being deployed that will affect NS/EP telecommunications. As discussed in Section 3.1.1, CDPD represents the first time that PSN switching equipment will be directly connected to the Internet. It is important to identify a means to protect the MD-ISs from intruder attacks. Similarly, Personal Communication Services (PCS) will integrate digital mobile communication devices with other phone networks. The PCS gateways to these other networks will be targeted by intruders and need to be protected. With the understanding that computer intruders have historically proven to be very adept at exploiting new technologies, the threat to digital cellular and wireless communications should be carefully considered.
3.5 Other Emerging Technologies
The telecommunications infrastructure in this country is evolving toward an environment featuring a high degree of interconnectivity between network elements, interconnection of carrier signaling networks, customer control of virtual network configurations, and other types of advanced intelligent network functions. The demand for broadband applications, such as video services, over public networks is also creating the need to implement technologies that can deliver these services. Based on previous examples of electronic intruder flexibility and ingenuity, it must be assumed that electronic intruders are poised to take advantage of these new technologies and services as they are implemented in the PSN.
3.5.1 Synchronous Optical Networks. SONET standards will be widely deployed in fiber optic transmission networks, provide standardized interfaces, provide more efficient multiplexing techniques, and meet increasing demands for broadband services. Every telecommunications carrier is deploying SONET, and some major carriers are in the process of converting all of their fiber systems to SONET. Developed for global high-speed interconnection, SONET is a set of network interface standards that defines a hierarchy of digital rates and formats. SONET networks will be commonly implemented as two fiber rings carrying data in one or opposing directions with add/drop multiplexors (ADM) sending and receiving data on the ring. The dual counter-rotating ring architecture allows for rapid network reconstitution and restoral.
SONET standards provide large bandwidths for high-capacity information flow, often bundling smaller bandwidth facilities. If a single SONET fiber were compromised, a large amount of data would be at risk. The dual counter-rotating ring architecture helps to alleviate some of the concern with fiber cuts or other forms of fiber tampering. If one section of the ring becomes inoperative, the traffic can transit in the opposite direction to reach the intended site. In much the same way, if an ADM becomes inoperative, the ring traffic can be sent to any point on the ring except the site where the ADM is down. Therefore, the concern of intruders simply cutting a SONET facility to disrupt network services is reduced.
However, all traffic carried by a SONET facility transits the ring until the information reaches its designated ADM. This means that the information passes through each ADM along the ring until the intended address is reached. ADMs provide the point where users can split out their information from the rest of the SONET traffic. Electronic intruders, through techniques presently used to manipulate data networks, may develop the ability to access SONET ADMs (see Exhibit 3-4). The skills demonstrated by intruders to modify packet header information in other packet network protocols may also be directed at the SONET frames. Intruders may attempt to misuse the SONET header information to misdirect data, and they may attempt to access the information in the embedded data communications channel (DCC), allowing the intruder to monitor, and possibly modify, the operations and maintenance of the network.
EXHIBIT 3-4 SONET Attack Scenario
As they have done in the past with other technologies, intruders will target SONET elements as a potentially new and alternative means to exploit the PSN. Intruders have compromised nearly all other PSN network elements in the past, as well as monitored traffic passing through many of these elements. Using their existing data network manipulation skills, intruders may be able to monitor or disrupt SONET traffic as SONET is implemented in the PSN.
3.5.2 Asynchronous Transfer Mode. The primary switching and multiplexing technology for high-bandwidth traffic in next-generation networks will be based on ATM. ATM standards have been defined independent of the transmission facility. Standards bodies have defined ATM at predominantly high bit rates (155 Mb/s and above). However, specific implementations have been fielded at bit rates as low as 1.533 Mb/s (T1).
Similar to packet network switching technologies, ATM uses fixed-size packets or cells. ATM header information identifies the address to which the information carried within the cell should be delivered. Because intruders have demonstrated the skills to monitor both packet network traffic and packet header information, there is concern that intruders will target ATM cells. Although it is unknown whether any ATM switches or multiplexors have been targeted to date, intruders have begun to research the topic in an attempt to find more information. (NSA102)
3.5.3 Integrated Services Digital Network. ISDN integrates voice and data communications into a single digital network. One of the important aspects of the ISDN structure is the use of a separate channel (Digital Subscriber Signaling System 1 [DSS1] protocol) that carries subscriber and receiver information as a message out of band from the voice and data channels. ISDN is heavily dependent on the SS7 network; the DSS1 information is transmitted through the SS7 network by an ISDN User Part protocol.
There is concern that intruders may use SS7 elements to compromise ISDN communications. Electronic intruders have researched the ISDN structure and have shown an in-depth technical knowledge of the protocols. (2600AU93, HD12, EFFCT206, CALLER) The intruders are also aware of ISDN's dependence on the SS7 network. As mentioned previously, intruders have not only demonstrated their skills to modify, intercept, and destroy data packet information, but also have intruded upon SS7 network elements.
3.5.4 Conclusion. The emerging technologies have several things in common. Most notably, they offer the customer more management control by supporting intelligent network features. These new technologies also share similarities with, and a reliance on, older, existing technologies and systems. Electronic intruders have developed the skills to compromise many of these existing technologies and may be able to build on these skills to target the new technologies.