Japan Will Stage Mock Cyberattacks
freaktheclown writes "Japan is set to start staging mock cyberattacks on various companies as precautionary exercises. According to the article: 'Japan will conduct nationwide exercises next year to prepare effectively for cyberattacks on computer networks. Mock cyberterrorists will simulate attacks on computer networks of businesses and government organizations to discover vulnerable areas, the Yomiuri Shimbun reported Wednesday. Participants in the exercises will include financial institutions, communications companies and Internet service providers, as well as the central government and local governments.'"
If you are developing your own cyberattack techniques, here's your chance to test them while "hiding in plain sight".
The NSA: The only part of the US government that actually listens.
Japan better not try to attack Microsoft, they might end up with BSOD hell.
He who knows best knows how little he knows. - Thomas Jefferson
So how many radioactive reptiles does it take to bring down a server?
This is great. I hope we learn something important from observing this, and frankly I'm glad we (US) aren't having to pay for it.
.sigs are for post^Hers.
Nonsense. Next time you might try RTFA instead of hurrying so much to get in an early post. If you'd read it you'd realize that the intent is to set up mirrors of the real machines, and the scheduled attacks will be against the mirrors. Any attack against the real machine will look just like it always would.
--
The universe is a figment of its own imagination.
It's mock servers of these companies, not the real thing. This isn't any "Trial by Fire". No damage can be done.
Whenever I need to test my new firewall installation, I just open up an IRC session or post a Usenet post (containing my IP address) saying something like "Hi there, I'm a researcher for Microsoft/SCO/Natalie Portman/George Bush and I've been watching you all and you are all lamers"
Then I just wait for the attack to begin.
(although, when I say I'm working with Natalie Portman, most of the attacks seem to come in on port 79 for some reason...)
Company: Somebody set up us the bomb
...and 8 others - we'll call them 'undecided'.
Government: HAHAHAHAHAHA
Company: You killed kenny.somecorp.com.jp! You bastards!
Maybe they're trying to stimulate hardware sales.
--
There are 10 kinds of people in the sig
Smart people like me who understand binary.
Those who don't.
I wonder if this is your typical test where only the strongest points are tested. Will hackers cold-call targeted businesses pretending to be admins verifying passwords?
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
These are either full attacks (perhaps cancellable) or they will lead to false confidence (IMHO more an American than a Japanese trait).
To follow up the mock cyber-attacks, Japan will then undergo a mock giant robot attack, which will be followed by Godzilla drills.
It's good to use your head, but not as a battering ram.
Just post up a link on slashdot to any of the companies needing a test.
Live forever, or die trying.
The companies are warned and can make their backups in time.
Anyway, I consider this to be a logical step forward, after all, Japan is one of the countries that have suffered most from earthquakes and Tsunamis, and they surely take the prevention measures against these disasters.
Why should a network attack be any different?
Do these mock attacks include agents dressed as multi-tentacled demons attempting to rape the women?
- For the complete works of Shakespeare: cat
In my days in big financial services tech hell, I was on the Disaster/Recovery planning committee. If the plan could not be really tested, it was fantasy hoping for good luck.
The test cases weren't only terrorism - just what would happen if we had a steam explosion, the building was sprayed with asbestos, and the NYPD and FD put yellow tape around it.
In Peopleware, Tom DeMarco tells of the job interview... "We need a juggler. Can you juggle?" "I'm great!" "Burning Logs?" "No problem!" "Animals?" "No problem-o!" "You've got the job!" "Don't you want to see me juggle?"
So the idea of something that resembles live-fire testing is a very good idea. Intrusion testing, auditability (even open book audits as in "we're gonna ask you this, uber-geek!") is not perfect; however, I remember speaking with smug black frocked dotcommers who built systems that couldn't scale etc. etc.
Ok. I think I'm gonna get some of that spray-on hair now and sort punch cards. But a test (if not completely lame) is a critical part. If the thing fails, do it again. If it passes the test, make the test harder. Fight dirty when you test - it will make for better results when the stuff hits the fan for real.
Verizon: Latin for "poor rural service".
You must not have been paying attention. This has been going on for about a decade. Or did you completely miss the fact that Yasser Arafat was president of the Palestinian Authority for several years before his death. Then there were new elections in Palestine, and the Israelis withdrew from the Gaza strip.
If you're surprised, I suggest you pay a little more attention to international news, rather than conspiracy theorist sites like infoshop.
Your tinfoil defense shield is preventing me from accessing those websites!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Just post your targets at Slashdot, and we will simulate a DoS attack.
Circumcision is child abuse.
All your base are belong to us!!!
An increasing number of companies and government offices have experienced cyberattacks. In one such case, kakaku.com, Japan's largest Web site specializing in product comparison information for consumer goods, had to be shut down temporarily after its code had been tampered with.
Sounds like they need to secure their code first, then they can perform mock attacks.
On a side note, Kakaku.com sounds like a pr0n site
He who knows best knows how little he knows. - Thomas Jefferson
Microsoft sales will likely skyrocket as a result of this test.
US Will Mock Staged Cyberattacks
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
Ah, yes, round-eye. I see you suppry I speck Engrish so werr.
Who needs to stage it? Just post your website here and Slashdot will take care of it.
I thought what I'd do was, I'd pretend I was one of those deaf-mutes...
"MIT betrayed all of its basic principles."
In my opinion, mock attacks largely allow people to feel good about their mock defenses.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
I can't believe that someone with a UID that low wouldn't know that it's been done.
Simple, just send 165+ text messages in less than a minute..
Who says we're not paying for it?
A) We're "paying for it" by not simulating our own right away and experiencing it ourselves.
B) We're sitting by while someone else gets experienced hardened professionals out of it while we sit and watch.
C) We're hoping they'll share information with us about the attacks and precautions taken. Do you really think they'll share everything? Hell no.
My presumption is that we've been invited, but you never really know how much the US will be permitted to see or to participate.
"Love is like pi - natural, irrational, and very important." (Lisa Hoffman)
I mock staged cyberattacks...
Chris Mattern
Original publication: http://www.yomiuri.co.jp/dy/national/20051005TDY01003.htm
They should definitely try social engineering techniques too. There was an article [http://www.pacifict.com/Story/] written by a former Apple contractor that details how he worked on the graphing calculator app for a year without being an employee.
Where I work, you just have to mention an employee's name and someone will assume that you work there. Of course I do work at Starbucks, but whatever [not really, I mean really not really].
W32.GODZILLA.K@MM!!!!!!!!!!!!
I am currently staging a mock time-wasting drill in my office. The goal is to find out what would happen if an employee here were to spend all morning looking at slashdot instead of working. Will I be caught? Stay tuned for the results!
There is no address tonight. It was at 10 this morning and it was merely a rewrite of Bush's standard terrorism speech.
When Japan is worried about an "electronic Pearl Harbor", you know comedy's a dead art form. Now tragedy, that's funny!
I'm proud of my Northern Tibetian Heritage
[Note to terrorists: please disregard this message.]
SoundTimer makes you sound busy.
An Ad comes up and covers the article so I cannot read it. Same on IE... is there somewhere else I can go to read it?
Out of the corner of my eye, I could have sworn the title of this blurb was :
"Japan Will Stage Cyber Monkey Attacks"
Step 1.
Turn off the router.
Step 2.
Order pizza and have a party
Step 3.
Go home and sleep - take a couple days of vacations
Step 4.
go back to work, and reboot the router.
That's all they have to do.
... sorry, wrong address.
Let's test everyone just to make sure they are ready for the holiday season...
http://swankmartini.com/contact/
Am I the only person who couldn't read the article because a Flash advertisement covered up all the text and refused to be closed when I clicked the little "X" in the top corner?
Direct away from face when opening.
Just go to the front page of that publication, and click some of the links of the list on the right hand side of the list on the bottom of the page. One of them is our story, but without that obnoxious advertisement.
I'm not surprised, the Japanese do have experience with officially organized and controlled attacks: Tokyo Police Cataclysm Division.
or they will lead to false confidence (IMHO more an American than a Japanese trait).
I can think of one exception. That time the Japanese had false confidence that if they hit Pearl Harbor, the Americans will be too weak or timid to respond, and they will be able to rule the Pacific unchallenged.
Who knows what might be lurking underneath it...
They're the ones that burned Penny Arcade to the ground for the past 2 days.
On the other hand, the Chinese don't go in for Giant Steam-Powered Mecha Robots, so this could be, like, cool...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Did anyone else read this as "Japan Will Mock Cyberattacks on Stage" at first glance?
I can just picture it:
"Pfft, You call that a cyberattack?"
Next!
Cyber attacks mock you!
I apologize sincerely
...belong to us
Mongrel News all the news that fits and froths
On September 22, Bruce E. Bernstein, President of the New York Software Industry Association (NYSIA), testified in writing to the U.S. Senate Committee on Banking, Housing and Urban Affairs during a Hearing on "Examining the Financial Services Industry's Responsibilities and Role in Preventing Identity Theft and Protecting Sensitive Financial Information", mentioning Prof. Malkin's project analyzing the security configuration of TLS-protected servers.
Part of the testimony read:
"The most pertinent is a project undertaken by Dr. Tal Malkin and her team in the Computer Science Department at Columbia University, in partnership with researchers from IBM, related to the cryptographic security of Internet servers. Cryptography is an essential component of modern electronic commerce. With the explosion of transactions being conducted over the Internet, ensuring the security of data transfer is critically important. Considerable amounts of money are being exchanged over the Internet, either through shopping sites (e.g. Amazon, Buy.com), auction sites (eBay), online banking (Citibank, Chase), stock trading (Schwab), and even the government (irs.gov).
Dr. Malkin and her team made a systematic study of the cryptographic strength of thousands of "secure" servers on the Internet. Servers are computers that "host" the main functions of the Internet, such as Web sites (Web servers), email (mail servers), and other functions. Communication with these sites is secured by a protocol known as the Secure Sockets Layer (SSL) or its variant, Transport Layer Security (TLS). These protocols provide authentication, privacy, and integrity. A key component of the security of SSL/TLS is the cryptographic strength of the underlying algorithms used by the protocol. Dr. Malkin's study probed 25,000 secure Web servers to determine if SSL was being properly configured and whether it was employed in the most secure way. Improper configuration can lead to attacks on servers, stolen data, identity theft, break-ins, etc. Dr. Malkin's project is the most extensive study of actually existing server security on the Internet.
The team's findings, relevant to these hearings, included some serious weaknesses in how Web servers, including eCommerce servers employed by financial service companies, are currently being configured.
The most prevalent is that an old, outdated version of SSL, known as SSL 2.0, is still being supported on over 93% of these "secure" servers. SSL 2.0 has many flaws, including a vulnerability to "man in the middle" attacks, which are commonly used for identity theft. While most of these servers also employ a more advanced version of SSL, the incoming communication can choose to use Version 2.0 and thus breach the defenses of the server.
Another serious problem is the use of 512 bit "public keys" (1,024 bits are recommended), which can be broken readily, thus compromising all of the data on the server using this key length. Over 5% of the "secure" servers are using this key length.
These security shortcomings are quite serious, and pose risks both to the consumers and the providers in the financial services industry. Financial server security can be increased both by popularizing the correct configurations and, possibly, by greater government oversight in this area.
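An added example, not part of the testimony or of the study it describes: a small configuration audit for the two weaknesses named above, SSL 2.0 left enabled and RSA keys under the quoted 1,024-bit recommendation. It assumes servers configured with Apache mod_ssl's `SSLProtocol` directive as it behaved at the time (`all` including SSLv2); the hostnames, directives and key sizes are constructed.

```python
# Added example: sample hosts, directives and key sizes are constructed.
# Assumption: mod_ssl of the period, where "all" = SSLv2 + SSLv3 + TLSv1.
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
MIN_RSA_BITS = 1024  # recommendation quoted in the testimony

def enabled_protocols(directive):
    """Evaluate an 'SSLProtocol ...' line left to right (+/- token syntax)."""
    tokens = directive.split()
    if len(tokens) < 2 or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        if name != "all" and name not in KNOWN:
            raise ValueError("unknown protocol token: %r" % tok)
        group = set(KNOWN.values()) if name == "all" else {KNOWN[name]}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)  # a bare token replaces the current set
    return enabled

def audit(records):
    """Return per-host findings and the share of hosts with each weakness."""
    findings = {}
    for host, directive, rsa_bits in records:
        issues = []
        if "SSLv2" in enabled_protocols(directive):
            issues.append("sslv2")      # old protocol still negotiable
        if rsa_bits < MIN_RSA_BITS:
            issues.append("weak_key")   # key shorter than recommended
        findings[host] = issues
    total = len(findings) or 1
    shares = {k: sum(k in v for v in findings.values()) / total
              for k in ("sslv2", "weak_key")}
    return findings, shares

SAMPLE = [  # constructed records, not data from the study
    ("shop.example", "SSLProtocol all", 1024),
    ("bank.example", "SSLProtocol all -SSLv2", 512),
    ("mail.example", "SSLProtocol -all +TLSv1", 2048),
    ("old.example", "SSLProtocol SSLv3 +SSLv2", 512),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `bank.example` record shows why the two checks are independent: removing SSLv2 from the directive does nothing about a 512-bit key.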