Cyber-Attacks?

Galahad2 writes "The Washington Post has a lengthy article about the Bush administration's fears of an Al Qaeda cyber attack on the nation's infrastructure. Though we have all seen this sort of attack as a possiblity for a long time, I'm having a hard time believing that Al Qaeda is capable of anything along these lines." You're not the only one. The article does cite an example of the only known infrastructure attack, a case in Australia where a consultant used his inside knowledge of a local sewage treatment system to dump raw sewage, hoping for a contract to solve the problem he created.

Believing

[saphena]

I'm having a hard time believing that Al Qaeda is capable of anything along these lines.

I had a hard time believing the events on September 11th even whilst they were happening!

Why is important infrastructure online?

[khym]

Why are any of the computers controlling national infrastructure on the Internet or available via modem? Anything that important should be completely cut off from the outside world.

Re:Inconceivable?

[red5]

Prior to September 11th, 2001, it was inconceivable that anyone would be capable of using airplanes as guided missiles and then fly them into buildings. Look where we are now.

Okay what about kamikaze?

"Those that don't learn from history are doomed to be beat to hell by those who do. " -- red5

the real terrorists are governments and media

[g4dget]

Government experts and the media are bombarding us with possible scenarios: smallpox sprayed from crop dusters, terrorist attacks shutting down our stock markets, dirty bombs in New York harbor, nuclear missiles raining down from God-knows-where, etc.

Why do they do that? Certainly not to improve our life expectancy or security. If we wanted to do that, spending $280 billion on public health and education would save a lot more lives than a missile defense system even in the unlikely event that we were attacked and that the system worked. If we are worried about attacks on our financial system, stopping crooks like Enron and WorldCom executives would be a whole lot less trouble and costly, not to mention less threatening to our civil liberties; Osama sending a Microsoft Word virus out of his cave pales in comparison to what a single felonious US executive can achieve.

No, people create fear in order to gain power. That's true for Afghan terrorists as much as for the US government and the media. Creating fear gives people power and it allows politicians to move billions of dollars to their favorite campaign contributors.

Folks, life is dangerous: live with it. And learn to evaluate risks and spend dollars wisely on prevention. Nearly 50000 people die each year in the US in traffic accidents, more Americans than in the entire Vietnam War. Cars cause even more deaths each year from pollution. Smoking causes 440000 premature deaths each year. Obesity causes about 280000 premature deaths each year. (Data comes mostly from JAMA.) Those are all easily preventable, with better education, reduced stress, and a better transportation infrastructure. Instead, however, we get worked up about obscure threats and spend enormous amounts of money on anti-terrorist measures and military hardware that will almost certainly not protect us anyway.

In the literal meaning of "terrorist"--people who create terror for power--governments and the media are way ahead of any third rate coward in some cave halfway around the world. Hold the people who spread fear accountable the next time you go to the ballot box.

Re:the real terrorists are governments and media

[MrResistor]

If the missile defense intercepts the missile over the Pacific ocean, bordering the edge of space, we can assume that it will not affect the mainland as much as if its burst a mile over the ground.

Yes we can! After all, such an intercepted attack would only effect the coast, which means we have nothing to worry about since our most densely populated regions are the coasts. Oh, wait...

And for an intercept to happen as you describe we would have to launch the intercept at pretty much the same time as the attack was launched. I doubt that China is going to call us up and say, "OK, get ready because we're going to launch missiles at you on my mark..." We have to detect the launch, determine that it is actually an attack on us, and activate our defense system, all of which takes time. As my old sensei was fond of saying, action is always faster than reaction.

Then, of course, we have to actually hit the missile with something which, according to a friend of mine who is an engineer on a missile defense project, is extremely difficult. Sort of like using chicken wire to keep out mosquitos.

That pretty much invalidates Chinas' need to use several smaller warheads to "try" to get through the "defense". Even if we did intercept a big one, by the time we did it would be close enough to us to cause real and significant damage.

My terminally ill arguement had nothing to do with nuclear fallout (although I don't see how you've invalidated that, given the realities of the situation), but rather with the fact that we waste billions of dollars on an ineffectual defense against an improbable attack rather than spending that money on curing diseases that millions of real people battle with every day.

And as for my moronic economic arguement, I suppose you have a better explanation for why China is repeatedly granted Most Favoured Nation trading status, despite repeated, blatant, and systematic human rights abuse, not to mention our own claims to be fighting Communism, than that our economy is dependent on the cheap manufactured goods they provide?

For attackers who's aim is the stone age,

[crovira]

and the destruction of the morally bankrupt, corrupt western civilization, we sure are giving Al Qeda and the Q'Ran-and-ravers kudos for a lot more hightech savvy than they need to infect themselves with to accomplish their goals.

Have you read about how Islam is treating anybody with enough education to frame a question to ask the immams? After they've shot them?

Have you read the clap-trap that their schools, in those countries where they still pretend to have some, are spewing in an effort to reconcile the Western scientific viewpoint, based on letting things describe themselves so that we can understand them, and Islam's mystical religious authoritarian fervor, which is based on Allah this, Allah that and nothing happens without the will of Allah and the Q'Ran is the only book you need and the immams will guide you in its interpretation so you don't need to know how to read. (Very Catholic of them. Watch your sons around that bunch of androsterone loving creeps.)

Given the patterns shown to date and the historic emnity betwen the Q'Ran-and-ravers and our transportation infrastructure, (you don't need to leave your village and the influence of your immam,) we'd probably do better to watch who the country's transportation workers are.

What do they do to spread terror and interfers with our lives? Mall bombers are a very ineffective way to spread terror. They have noticed that our conveyances offer the opportunity to murder and do a lot of harm to many people in a tight space. Now they set bombs off next to busses, hijack planes, crash them into buildings.

River bridges and tunnels are far more vulnerable than airports right now. Truckers and their rigs are the vulnerable underbelly of America.

Re:Forgotten Y2K fiasco already ?

[MrMickS]

Y2K is called a fiasco because work was done and there were no disasters. People talked about it, spent money checking systems, upgrading systems, fixing problems before the event. No great disaster so all of this was in vain. A hoax. A fiasco.

If the work hadn't been done and there had been disasters wouldn't that have been a greater fiasco?

Situations like this are a no-win. If you do the work and fix problems, you've talked up the problem to get work. If you do nothing and their are problems you are negligent.

Choose now.

Another dimension

[Ryu2]

Most of the critical infrastructure stuff is air-gapped from the Net (that is, they are completely separate from it, and not connected, not even indirectly), and rightfully so. So any job would have to be an inside job by a sleeper agent or something.

But it might be easier for terrorists to take out something (physically) like the root DNS servers, or a major point like MAE East/West -- it may not cause the apocalypse, but that will still screw things up majorly for the world... the Internet does have lots of single points of failure, believe it or not.

Not an Al Quaeda tactic

[Dilbert_]

I don't believe Osama's buddies would attempt something like this. Somebody else, maybe, but not Al Quaeda. They're much more interested in the 'honor' and the 'glory' of making big, bloody direct attacks. Look at their history of attacks: WTC, Khobar Towers, USS Cole, WTC again, Kenya embassy,... All aimed at directly attacking symbols of US hegemony, with big booms and many dead. Computers is just not like them.

Anthrax, maybe.

Re:Not an Al Quaeda tactic

[Saint+Fnordius]

Right on. The whole problem with cyber-attacks is that they're not sexy--I mean, thrilling--enough to the average glory hound. Even the Anthrax scare is too low-key for Al Qaida.

Terrorists want to grab the front page, the lead story, and kill people so that other people will listen to them. They're in it for the adrenalin rush, the feeling of power. Computers are too impersonal to hold their attention for very long.

If anybody's going to start cyberterrorism, it won't be for political purposes. It'll be for extortion, "protection money" and industrial espionage. Cybermafiosi are *much* more likely than Cyberterrorists.

Have you learned nothing?

[WasterDave]

I'm having a hard time believing that Al Qaeda is capable of anything along these lines.

So they have towels on their heads, hide in caves and currently live somewhere between Afghanistan and Pakistan - so this makes them stupid, right?

Whatever. Have you forgotten that these people managed to simultaneously hijack FOUR aircraft, in a country with absurdly tight border restrictions, keep the whole thing quiet from an increasingly Orwellian state, run the whole gig on a budget of eighty dollars and five camels AND get away with it? Hmm? Do I see Osama Bin Laden's head mounted on a plaque in the oval office? Quite.

Thing 2 - Sysadmin's are notoriously lazy, particularly Microsoft ones. Count the number of no brainer hacks we've had over the last, say, two years: Default passwords on SQL servers, unpatched IIS installations by their thousands... Not to mention the notoriously bad security record of the vendor itself.

Not that you need to actually attack anything, don't forget that the multi billion dollar Yahoo! empire was reduced to rubble by some kid in fuckwad Arizona calling himself "Mafiaboy". And he bragged about it on IRC, hardly the gold standard in attempting to get away with things.

Fucks' sake, A "cyber attack" is so thoroughly within the reach of Al Queda that the only reason I can suggest that they've not done it is that they've been busy regrouping after their previous hosts, the Taliban, had their arses royally kicked a few months back.

You think they're going to run forever? Grow up America. You're not as smart as you think you are, and you're very much a target. Have a nice day.

Dave

Re:Have you learned nothing?

[Mr+Guy]

in a country with absurdly tight border restrictions

Absurdly tight? Which part? The part where thousands of Mexicans (by customs estimates) cross every month? The parts where you can go from Canada to the US with only a small roadsign telling you which is which? The part where you can take a boat across any of five very large lakes to enter the country, and customs consists of calling in on the honor system to let us know you've arrived?

The part where any fool can hop a ride to any of a dozen small islands in the Carribean and take a charter to Florida without EVER going through US Customs?

Sorry, but while the United States does it's best, there is no way you can call the border restrictions absurdly tight.

Doesn't take that much effort to get into the country. It doesn't take more than a swatch watch to have four simultaneous attacks, and until we AT LEAST give pilots TASIRs (-sp?) it ain't that hard to take out a jet.

As them being able to launch a "cyber attack" being a script kiddie doesn't cut it. That's a cyber nuisance at best. Taking out one misconfigured system (and much of DOS and even DDOS attacks can be taken care of by reconfiguring) does not a battle make.

You DO need some decent skills to do damage that lasts longer than a server reboot takes. Quite frankly few people have them. A real attack:

• Needs to last long enough without detection to corrupt back ups
• Needs to take out more than one system
• Needs gain some type of strategic advantage, ie cause real death, erase vital records, allow easier access to the country for actual terrorist people
• Needs to have the source provable, no honor for anon cowards

Re:Have you learned nothing?

[RobinH]

The (approximately) 9,000 km border with Canada is completely uncontrolled except at major highways and urban areas.

Yes, but none of the 9/11 terrorists came through Canada. In fact, doing so would be pretty silly, since then you'd have to go through two immigration procedures, and both Canada and the U.S. share a list of known terrorists.

It would be easier to smuggle yourself into the U.S. aboard a ship than trying to cross the "completely uncontrolled" U.S.-Canadian border. Actually, the border between the U.S. and Canada employs quite a few high tech gadgets, such as motion detectors, IR video surveillance, and even low-level radar to track anyone trying to cross the border without going through a checkpoint. Forested areas are clearcut for 10 metres (or yards) each side of the border to make anyone crossing visible to surveillance.

Most of these practices are in place to catch drug smugglers, but they are equally effective against anyone trying to sneak across the border.

In summary

[Graymalkin]

Al Qaeda has hired script kiddies to bring down rain down computer destruction. I don't understand why the fuck things not designed to be hooked up to the internet are being hooked up to it.

I ask in all seriousness, why is a railway switch hooked up to the public internet? What good reason is there for eletronic valve controls for fresh or sewage water to be hooked up to the internet? Does a passing shit or dead goldfish need to check its e-mail? I can understand having some sort of network linking a bunch of sensors and whatnot, that makes sense. I do not understand however why that network needs to be on the internet or even publicly accessible. In some cases, like the guy in Australia, the method of intrusion was not the internet or a network of any sorts, just an unsecured method of entry. Having singular systems with unsecured entry point is understandable and pretty forgivable. Not everyone expects some jackass to try to scre with something. A network of systems with unsecured entry is ridiculous.

I remember reading a billion and a half philez back in the day on how to fuck with systems through Tymnet and other networks similar to it. I still don't see why the SCADA system controlling the Hoover damn needs a modem in it, if it does need that modem in it what is up with the lack of intense and thurough handshaking and password challenges?

The internet is an obvious target regardless for you bozos who question militant religious fanatics and their target aquisition. Why attack the WTC? It was a symbol, same with the White House or Pentagon. They're both symbols. The internet is another symbol of Western culture. Who is the internet big with? A hint: it is not a bunch of predominatly Muslim countries but the word does start with W and end with est. It would be yet another symbol to attack if you're in the mindset that the West is the source of all of your ills.

If you're worried about phone lines going down and needing network access get some geeky friend together, get yourselves Ham licenses and form yourself an emergency packet radio network. If you've got laptops and battery powered equipment you'll be fine even if your power goes from al Qaeda script kiddie attack. While it sounds sort of ufnny to some it is a good idea, hams in an area suffering from power outages or down phone systems can be a big help keeping the flow of information flowing. Nothing helps in an emergency situation like the right information getting to the right people at the right time.

an attack would give an excuse for legislation

[Purdah]

There is only one problem with an attack on the infrastructure, and it is not the actual attack.

Indeed there would be a days work lost, but any company that has a good tech department / disater recovery plan would be able to sort themselves out within a day, although the backlog of mail might take a little longer. This is not in fact a massive deal.

The biggest problem would come from the fact that all the current anti privacy legislation would have an excellent excuse to go through with the backing of all in congress/parliment (for us in the UK)

Re:Didn't Yugoslavia disrupt a NATO e-mail server?

[Ron+Bennett]

So NATO got less spam that day...not exactly a catastrophe. I doubt anyone at NATO really noticed anyways - and one would hope that NATO and other military related entities would communicate sensitive information through more secure and reliable channels as opposed to email.

When most think of an infrastructure related terrorist attack, they're thinking more along the lines of power being knocked out, phones not working, no water, etc. Email, despite all the hype, is something most people can live without or at least work around. Email at many companies goes down so often that many employees also use IM programs or other methods during such outages...sometimes even resorting to using the telephone. Oh what is this world coming too...

Hitting the infrastructure doesn�t generate fear.

[Saggi]

One of the most important issues for a terrorist is to generate fear. The more, the better. To hit the world trade centre surly get the public attention. Now lets say you create a powerful virus and called it "AQ_FUCK_USA". It may do a lot of damage. It may cost millions of dollars and cause a lot of people to be angry. But it won't create fear.

Even if you hit a vital structure like power plants or hospitals. Yes it will be an annoyance. Some might die (due to lack of traffic lights, respirators etc...), but it's nothing compared to killing 5000 people (or more in some of the other possible scenarios).

You can't tell the terrorist world; "We just cost the evil USA 2 billion dollars". It doesn't give as much "respect" as saying "We just killed 100 Americans" (or some other western "evil" country).

But I wouldn't feel safe anyway. Someone (maybe AQ) will try it anyway. Why not? But do it make a change whether a script-kiddie or AQ hits us?

how Islam is treating anybody with enough educatio

[dpilot]

So right, and the really funny and tragic thing about this is that 1000 years back, Islam was the cultural light of the world. They had no problem with science, saw it as studying Allah's creation, and a truly proper thing to do. Large parts of the Rennaissance were merely bringing knowledge from the Islamic world into Europe.

Then sometime in the past few hundred years, they began to throw all of that away.

Kind of like the US and Freedom.

A contrarian to this thread...

[SledgeHammerSeb]

I have read about 15 posts here. It is the naive arrogance of these posts that causes me to be happy we, the USA, are going to be concerned about infrastructure security.

It is true that today Al-Qaeda or who ever are not be able to disrupt our infrastructure anymore than any script kiddie. Of course these enemy forces have a great deal more resources and time than even an army of script kiddies. That is the real problem.

Please assess the situation as it is, not as you want it to be or think it might be. There is an enemy force that killed 2823 Americans on Sept. 11 2001. This force probably spent as many as 8 years and much money planning that attack; since the previous attack in 1993. They are patient. They may field students that get jobs in very vulnerable places, and then do a great deal of harm. This will take time and money, and they have a track record of doing just that.

I appreciate the hubris expressed by everyone here, but as Teddy Roosevelt said, lets "walk softly and carry a big stick".

Cheers, SEB

Re:A contrarian to this thread...

[carlos_benj]

They are patient.

Excellent post.

We tend to be an impatient society, microwaves, fast food, etc. and we tend to project whatever we are on others. The problem is that many other cultures are vastly different than our own. This was one of the mistakes we made in the Vietnam era. When we went to Paris to negotiate with the Viet Cong we rented hotel rooms. They bought a villa. They were in it for the long-haul while we hoped (as always) for a quick solution.

Desert Storm was a "good" war for the American people. We saw results early on, it didn't last long and there were few American casualties. The current conflict is wearing on an impatient public because we can't see the bad guys backing out of a country they'd overrun or other visible results. Soon it will be a "whole year" since the attack and we don't have everything tied up in a nice package with a bow on it.

The worst thing we can do is underestimate the resolve of these organizations. This is not a new conflict. It is centuries old. We are merely new players or more accurately our role has recently changed. Early on we heard that there will be more attacks. We have heard that warning repeated. Since Sept. 11 we've had a guy try to light his shoes up and a few other minor incidents. Most Americans seem to feel that this is a case of the boy who cried "wolf!" and don't really understand that there actually will be more attacks. Part of this is also the result of the govt. to grab as much additional power as they can under the guise of patriotism and homeland security, but the bulk of it is because of our cultural biases.

Believe it, or at least the concept

[Pvt_Waldo]

Though we have all seen this sort of attack as a possiblity for a long time, I'm having a hard time believing that Al Qaeda is capable of anything along these lines."

You're not the only one.

Yea and if I told you a year ago someone would crash three airliners into major buildings in the US you'd have said the same thing.