Slashdot Mirror
Cyber-Attacks?
Galahad2 writes "The Washington Post has a lengthy article about the Bush administration's fears of an Al Qaeda cyber attack on the nation's infrastructure. Though we have all seen this sort of attack as a possiblity for a long time, I'm having a hard time believing that Al Qaeda is capable of anything along these lines." You're not the only one. The article does cite an example of the only known infrastructure attack, a case in Australia where a consultant used his inside knowledge of a local sewage treatment system to dump raw sewage, hoping for a contract to solve the problem he created.
I'm having a hard time believing that Al Qaeda is capable of anything along these lines.
I had a hard time believing the events on September 11th even whilst they were happening!
Flak 1: "Hey, we're really getting pasted over the fact that we "knew about" 9-11 and didn't warn anyone." ... oh you'll think of something! Ted, start posting stories on Slashdot; those hackers suck up every meme that's going..."
Solemn pause as the room thinks. Scratching of heads, etc.
Flak 2: "I know, let's warn everyone about every possible type of attack, so that if and when the next one occurs we can say..."
Flak 1: "... I told you so?! That's brilliant! Bob, call your guy at the Post and see if you can sell that cyber attack story. Frank, get the Times on the phone, tell them
Scene of chaos as flunkies run in every direction to Flak 1's barked commands.
Something like that, right?
I don't know whether to be more concerned about a potential cyber attack or the fact that the Assistant Secretary of Defense refers to critical infrastructure as "some sophisticated, tricky cyber thing."
Why are any of the computers controlling national infrastructure on the Internet or available via modem? Anything that important should be completely cut off from the outside world.
Give a man a fire, and he'll be warm for a day, but set him on fire, and he'll be warm for the rest of his life.
And detain all known contributors to any "terrorist" operating systems in military prison camp. Don't forget to do that.
Think about the children
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Prior to September 11th, 2001, it was inconceivable that anyone would be capable of using airplanes as guided missiles and then fly them into buildings. Look where we are now.
Okay what about kamikaze?
"Those that don't learn from history are doomed to be beat to hell by those who do. " -- red5
I know I'm going to hell, I'm just trying to get good seats.
Why do they do that? Certainly not to improve our life expectancy or security. If we wanted to do that, spending $280 billion on public health and education would save a lot more lives than a missile defense system even in the unlikely event that we were attacked and that the system worked. If we are worried about attacks on our financial system, stopping crooks like Enron and WorldCom executives would be a whole lot less trouble and costly, not to mention less threatening to our civil liberties; Osama sending a Microsoft Word virus out of his cave pales in comparison to what a single felonious US executive can achieve.
No, people create fear in order to gain power. That's true for Afghan terrorists as much as for the US government and the media. Creating fear gives people power and it allows politicians to move billions of dollars to their favorite campaign contributors.
Folks, life is dangerous: live with it. And learn to evaluate risks and spend dollars wisely on prevention. Nearly 50000 people die each year in the US in traffic accidents, more Americans than in the entire Vietnam War. Cars cause even more deaths each year from pollution. Smoking causes 440000 premature deaths each year. Obesity causes about 280000 premature deaths each year. (Data comes mostly from JAMA.) Those are all easily preventable, with better education, reduced stress, and a better transportation infrastructure. Instead, however, we get worked up about obscure threats and spend enormous amounts of money on anti-terrorist measures and military hardware that will almost certainly not protect us anyway.
In the literal meaning of "terrorist"--people who create terror for power--governments and the media are way ahead of any third rate coward in some cave halfway around the world. Hold the people who spread fear accountable the next time you go to the ballot box.
Isn't this exactly what happened with y2k ? Consultants talked up a problem in the hope of being paid to "fix" it.
Whats even more funny is that I remember an incident of a sewage spill during a y2k test in Australia. Is this the same incident?
I know I'm going to hell, I'm just trying to get good seats.
and the destruction of the morally bankrupt, corrupt western civilization, we sure are giving Al Qeda and the Q'Ran-and-ravers kudos for a lot more hightech savvy than they need to infect themselves with to accomplish their goals.
Have you read about how Islam is treating anybody with enough education to frame a question to ask the immams? After they've shot them?
Have you read the clap-trap that their schools, in those countries where they still pretend to have some, are spewing in an effort to reconcile the Western scientific viewpoint, based on letting things describe themselves so that we can understand them, and Islam's mystical religious authoritarian fervor, which is based on Allah this, Allah that and nothing happens without the will of Allah and the Q'Ran is the only book you need and the immams will guide you in its interpretation so you don't need to know how to read. (Very Catholic of them. Watch your sons around that bunch of androsterone loving creeps.)
Given the patterns shown to date and the historic emnity betwen the Q'Ran-and-ravers and our transportation infrastructure, (you don't need to leave your village and the influence of your immam,) we'd probably do better to watch who the country's transportation workers are.
What do they do to spread terror and interfers with our lives? Mall bombers are a very ineffective way to spread terror. They have noticed that our conveyances offer the opportunity to murder and do a lot of harm to many people in a tight space. Now they set bombs off next to busses, hijack planes, crash them into buildings.
River bridges and tunnels are far more vulnerable than airports right now. Truckers and their rigs are the vulnerable underbelly of America.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
If the work hadn't been done and there had been disasters wouldn't that have been a greater fiasco?
Situations like this are a no-win. If you do the work and fix problems, you've talked up the problem to get work. If you do nothing and their are problems you are negligent.
Choose now.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
I don't believe Osama's buddies would attempt something like this. Somebody else, maybe, but not Al Quaeda. They're much more interested in the 'honor' and the 'glory' of making big, bloody direct attacks. Look at their history of attacks: WTC, Khobar Towers, USS Cole, WTC again, Kenya embassy,... All aimed at directly attacking symbols of US hegemony, with big booms and many dead. Computers is just not like them.
Anthrax, maybe.
superblog.org: all your favourite blogs on o
I'm sure there are people who have a Web interface set up for some seemingly non-critical facet (though there probably aren't many cases of "Look Honey, I can manage the dam's intake system from my iBook in the backyard!"), but there is probably a greater number of people who use the Internet for some communication/reporting feature ("Hey, I'm encrypting all transmissions, I'm using port 18937, I'm not publishing this info on a Web site and I'm not controlling the infrastructure in any way through this interface, so I should be safe."). Should such people be running infrastructure control systems? No. Does that mean they're not running these systems? No.
I think the article's primary purpose is to send a "Hey, infrastructure engineers, this means YOU" (or "does that guy who works for you have infrastructure controls connected to the Internet? Ask him.") message to people who think they're already covered.
I'm having a hard time believing that Al Qaeda is capable of anything along these lines.
So they have towels on their heads, hide in caves and currently live somewhere between Afghanistan and Pakistan - so this makes them stupid, right?
Whatever. Have you forgotten that these people managed to simultaneously hijack FOUR aircraft, in a country with absurdly tight border restrictions, keep the whole thing quiet from an increasingly Orwellian state, run the whole gig on a budget of eighty dollars and five camels AND get away with it? Hmm? Do I see Osama Bin Laden's head mounted on a plaque in the oval office? Quite.
Thing 2 - Sysadmin's are notoriously lazy, particularly Microsoft ones. Count the number of no brainer hacks we've had over the last, say, two years: Default passwords on SQL servers, unpatched IIS installations by their thousands... Not to mention the notoriously bad security record of the vendor itself.
Not that you need to actually attack anything, don't forget that the multi billion dollar Yahoo! empire was reduced to rubble by some kid in fuckwad Arizona calling himself "Mafiaboy". And he bragged about it on IRC, hardly the gold standard in attempting to get away with things.
Fucks' sake, A "cyber attack" is so thoroughly within the reach of Al Queda that the only reason I can suggest that they've not done it is that they've been busy regrouping after their previous hosts, the Taliban, had their arses royally kicked a few months back.
You think they're going to run forever? Grow up America. You're not as smart as you think you are, and you're very much a target. Have a nice day.
Dave
I write a blog now, you should be afraid.
They keep using that word. I do not think it means what they think it means.
SpyDock: Scientific Python in a Docker container
Al Qaeda has hired script kiddies to bring down rain down computer destruction. I don't understand why the fuck things not designed to be hooked up to the internet are being hooked up to it.
I ask in all seriousness, why is a railway switch hooked up to the public internet? What good reason is there for eletronic valve controls for fresh or sewage water to be hooked up to the internet? Does a passing shit or dead goldfish need to check its e-mail? I can understand having some sort of network linking a bunch of sensors and whatnot, that makes sense. I do not understand however why that network needs to be on the internet or even publicly accessible. In some cases, like the guy in Australia, the method of intrusion was not the internet or a network of any sorts, just an unsecured method of entry. Having singular systems with unsecured entry point is understandable and pretty forgivable. Not everyone expects some jackass to try to scre with something. A network of systems with unsecured entry is ridiculous.
I remember reading a billion and a half philez back in the day on how to fuck with systems through Tymnet and other networks similar to it. I still don't see why the SCADA system controlling the Hoover damn needs a modem in it, if it does need that modem in it what is up with the lack of intense and thurough handshaking and password challenges?
The internet is an obvious target regardless for you bozos who question militant religious fanatics and their target aquisition. Why attack the WTC? It was a symbol, same with the White House or Pentagon. They're both symbols. The internet is another symbol of Western culture. Who is the internet big with? A hint: it is not a bunch of predominatly Muslim countries but the word does start with W and end with est. It would be yet another symbol to attack if you're in the mindset that the West is the source of all of your ills.
If you're worried about phone lines going down and needing network access get some geeky friend together, get yourselves Ham licenses and form yourself an emergency packet radio network. If you've got laptops and battery powered equipment you'll be fine even if your power goes from al Qaeda script kiddie attack. While it sounds sort of ufnny to some it is a good idea, hams in an area suffering from power outages or down phone systems can be a big help keeping the flow of information flowing. Nothing helps in an emergency situation like the right information getting to the right people at the right time.
I'm a loner Dottie, a Rebel.
The idea that critical systems of a power-plant of any kind would be on-line and accessible via the web or dial-up is so preposterous as to defy reason. The idea is surely suggested by ignorant kooks, and snatched up and carried into daylight by "journalists" who would rather see their name in a byline than verify the information in the stories they rush to press. In short, someone has seen one to many USA Channel Sunday Night Movies.
Having worked on nuclear plant monitoring systems software, I can tell you for a fact that the critical systems not only can not be tripped from off-site, but also can not be accessed from anything but specific, highly secure and redundant systems.
These systems have physical switches that often require two hands to operate. They are designed to prevent insider sabotage, so no wanker with a laptop, sitting in a cave or boardroom half a world a way can do anything. The only action that can be caused by any local anomaly is a controlled, safe shut-down. The only thing that a remote action will result in is a line-item in the logs, period. A plant shutdown may be costly and greatly inconvenient, but hardly lethal, and absolutely not catastrophic. The "terrorists" will have better luck flying a 747 into the Hoover Dam.
The notion that someone with access from outside could trip a plant or cause anything but the generation of a non-critical statistics report to be generated is lunacy. Yes, some aspects of some systems may be monitored from outside, but this is only for informational purposes only.
The usual attack pattern goes:
- Enter the site on a "powered by freebsd" google search reference
- Cause an error ("GET
../.." or a "GET / HTTP/1.0" request) to get the web server name and version.
- If the version is a vulnerable version of Apache, an attack commenses with a different tool.
If everyone hasn't upgraded Apache to a safe version yet, I strongly suggest you do. It's not just a Microsoft hole any more.Of course the Bush administration will finally have a real reason to blame the Clinton administration for somthing, with Al Gore being the inventor of the Internet and Cyber-everything.
_______
2B1ASK1
So NATO got less spam that day...not exactly a catastrophe. I doubt anyone at NATO really noticed anyways - and one would hope that NATO and other military related entities would communicate sensitive information through more secure and reliable channels as opposed to email.
When most think of an infrastructure related terrorist attack, they're thinking more along the lines of power being knocked out, phones not working, no water, etc. Email, despite all the hype, is something most people can live without or at least work around. Email at many companies goes down so often that many employees also use IM programs or other methods during such outages...sometimes even resorting to using the telephone. Oh what is this world coming too...
I'm sure that many government computers are safely isolated from any public nets, but many of them have the sole purpose of serving information to the Internet, and would be pretty useless if they were isolated! Furthermore, it's not just government installations that are at risk. The 9-11 attacks weren't just aimed at the Pentagon. Or perhaps you forgot about the WTC?
The major US backbones of the Internet itself could be considered part of our national infrastructure. I hope you're not going to ask why the backbones are on the Internet!
One of the most important issues for a terrorist is to generate fear. The more, the better. To hit the world trade centre surly get the public attention. Now lets say you create a powerful virus and called it "AQ_FUCK_USA". It may do a lot of damage. It may cost millions of dollars and cause a lot of people to be angry. But it won't create fear.
Even if you hit a vital structure like power plants or hospitals. Yes it will be an annoyance. Some might die (due to lack of traffic lights, respirators etc...), but it's nothing compared to killing 5000 people (or more in some of the other possible scenarios).
You can't tell the terrorist world; "We just cost the evil USA 2 billion dollars". It doesn't give as much "respect" as saying "We just killed 100 Americans" (or some other western "evil" country).
But I wouldn't feel safe anyway. Someone (maybe AQ) will try it anyway. Why not? But do it make a change whether a script-kiddie or AQ hits us?
-:) Oh no - not again.
www.rednebula.com
So right, and the really funny and tragic thing about this is that 1000 years back, Islam was the cultural light of the world. They had no problem with science, saw it as studying Allah's creation, and a truly proper thing to do. Large parts of the Rennaissance were merely bringing knowledge from the Islamic world into Europe.
Then sometime in the past few hundred years, they began to throw all of that away.
Kind of like the US and Freedom.
The living have better things to do than to continue hating the dead.
It is true that today Al-Qaeda or who ever are not be able to disrupt our infrastructure anymore than any script kiddie. Of course these enemy forces have a great deal more resources and time than even an army of script kiddies. That is the real problem.
Please assess the situation as it is, not as you want it to be or think it might be. There is an enemy force that killed 2823 Americans on Sept. 11 2001. This force probably spent as many as 8 years and much money planning that attack; since the previous attack in 1993. They are patient. They may field students that get jobs in very vulnerable places, and then do a great deal of harm. This will take time and money, and they have a track record of doing just that.
I appreciate the hubris expressed by everyone here, but as Teddy Roosevelt said, lets "walk softly and carry a big stick".
Cheers, SEB
....a consultant used his inside knowledge of a local sewage treatment system to dump raw sewage, hoping for a contract to solve the problem he created.
Isn't that what consultants do everywhere? Come in, dump raw sewage, hope for a contract.
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
Look at the graph titled "Rise in Cyber Attacks".
It shows an exponential rise in the "Number of reported cyber incidents".
Pretty scary, no?
Now read the footnote
*Includes probes, illicit entry and attacks aimed at causing damage or taking control
It's hard to take something like this seriously.
It's like putting up a graph showing "Rise in illegal activity", with a footnote that says,
*includes parking violations, theft, and murder
- SWM
Yea and if I told you a year ago someone would crash three airliners into major buildings in the US you'd have said the same thing.