Slashdot Mirror


Is the Cyberterror Threat Credible?

Scott Pinzon writes "Is the idea that cyber terrorists might take down US networks or utilities realistic, or over-hyped? One of the authors of the Patriot Act and several Black Hat 2005 speakers debated the issue informally at WatchGuard's "Security and Beer Roundtable." Participants include Dan Kaminsky, Johnny "Google Hacker" Long, Tim Mullen, Sensepost penetration testers, a guy from Microsoft's ISA team, and others."

17 of 301 comments

  1. Re:No by ArmedLemming · · Score: 2, Interesting

    Yes, there is a threat posed by cyberterrorism.

    I had an old friend/acquaintance (who was very well placed in the networking community) once tell me he could bring the internet to its knees in a matter of half an hour with some poisoned routing tables or somewhat similar at the router/peering points. Granted this was years ago, but as I recall being told it was one of the 'net's darker secrets -- e.g. a handful (or more) of people knew about the security hole, but it was baked into how things were being done within the IOSes of the routers that the peering points used. Perhaps this hole has been fixed by now, but I seriously doubt that people with enough dedication couldn't find another similar type of hole.

    Unfortunately, I don't think the end user/consumer is able to do much about it because this pertains to the provider/peering level.

    --
    Two fish swim into a wall, one turns to the other and says, "Dam".
  2. Agreed by lheal · · Score: 4, Interesting

    Cyberterrorism is a stupid word.

    But beyond that, there are easier targets.

    Railroads carry tanks full of lovely chemicals like SO4 and HCl. For commercial efficiency, they often put all the tank cars together. For historical reasons, the railroads, state highways, and interstates often run close together and intersect. Not far from where I am now is an intersection of two interstate highways, two state highways, two US routes, and a railroad.

    Take out the tank cars and drive away in any direction.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
    1. Re:Agreed by BoneFlower · · Score: 4, Interesting

      About a year and a half ago, a tanker truck exploded on a bridge in Bridgeport CT on the I-95.

      The bridge was out of action completely for about a week. It didn't collapse, but the damage was severe enough to basically destroy it. The northbound lanes were out of action for another week after that. And this was with an extremely huge effort to get it running again, they expected even temporary repairs to take about a month. I don't think they've gotten it properly replaced even now.

      The shit really hit the fan when this happened. That stretch of I-95 was (and still is) undergoing heavy construction as it was, so it was backed up already. Traffic got really screwed up, there were lots of detours onto the 15 and the local roads. Commercial traffic was even sent on the 15, that NEVER happens, it is normally outright banned.

      This was a single, smallish tanker truck that got winged by a passenger car. Early morning too, so traffic was light. A deliberate attack using a larger truck during rush hour... I don't want to imagine. Dozens (for this bridge, potentially hundreds with the right bridge) would be killed and there would be serious economic disruption. That bridge is probably one of the most important in Fairfield County, especially the coastal region.

      They did have some antiterrorist type people on scene... it was obviously an accident, but they went there to get a better idea of just what would happen if terrorists did go after a major bridge and how to best recover quickly. Good thing they got a demonstration like that without the death toll an actual attack would have caused.

  3. Re:Are critical systems on the internet? by Mawbid · · Score: 5, Interesting
    Are critical systems on the internet?

    If I'm reading this correctly, yes.

    Mullen: I once had grid resources through a Web application anonymously for a power company. Grid resource control, OK? SQL injection, hit that through an anonymous connection and I had grid resources for the State.

    The fact that an idea is really dumb doesn't mean it's never been implemented.

    --
    Fuck the system? Nah, you might catch something.
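The SQL injection Mullen describes, as an added example that is not part of the original thread and not the power company's application: a login query built by string concatenation beside the parameterised form, both run against an in-memory SQLite table. The table, the two users and the `operator' -- ` and `' OR '1'='1` payloads are constructed for illustration.

```python
import sqlite3

# Constructed sample data for the example: a tiny "grid operator" table.
SAMPLE_USERS = [("operator", "s3cret-pw"), ("readonly", "guest")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, name, password):
    # String concatenation: attacker-controlled text becomes SQL syntax.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, name, password):
    # Parameterised query: the driver binds the values as data, so a quote or
    # a comment marker in the input can never change the statement's structure.
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the same two anonymous-user inputs through both versions."""
    db = make_db()
    return {
        # legitimate credentials work in both
        "vuln_legit": login_vulnerable(db, "operator", "s3cret-pw"),
        "fixed_legit": login_fixed(db, "operator", "s3cret-pw"),
        # comment marker in the user name drops the password check entirely
        "vuln_comment": login_vulnerable(db, "operator' -- ", "wrong"),
        "fixed_comment": login_fixed(db, "operator' -- ", "wrong"),
        # tautology in the password: ... AND password = '' OR '1'='1'
        "vuln_tautology": login_vulnerable(db, "operator", "' OR '1'='1"),
        "fixed_tautology": login_fixed(db, "operator", "' OR '1'='1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-15s -> %r" % (k, v))
```

The concatenated version logs the attacker in with either payload; the parameterised version treats the payloads as user names and passwords that simply do not exist. The fix is the binding, not input filtering: quoting rules differ per database and are easy to get wrong.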
  4. The Nightmare worm by 3ryon · · Score: 4, Interesting

    I don't know if it will happen from what we think of as terrorists, but I'll go on record saying that we'll eventually have a Nightmare worm.

    It could have already happened, but perhaps the worm writers had a conscience. There will be a worm with a 0-day exploit that compromises a common MS Windows service and isn't so polite as SQL-Slammer. Slammer infected almost every vulnerable host in the world within 10 minutes. I would call Slammer a 'polite' worm as it did no harm other than flooding networks.

    It's certainly possible to write an impolite worm. One that doesn't just spread itself, but after 20 minutes of attempting to spread itself decides to stop all of your services and then wipe the data off your hard drive. If a computer isn't directly affected, it will probably be affected downstream by the network traffic or reliance on Windows network services. Those that managed to survive may have a hard time finding other surviving resources.

    Hopefully the business world has backups, but can you imagine the global disaster that would follow? In 30 minutes almost every computer in the world is down. Airlines will be grounded, you may lose electricity, you might not be able to order a mocha frappancino(tm) at your favorite fourbucks.

    (Not to be judgemental, but in today's world if it doesn't target Windows it's not the Nightmare worm)

    1. Re:The Nightmare worm by Redwin · · Score: 2, Interesting

      The worms you are thinking of are Warhol worms and flash worms, first published in a paper by Staniford and Weaver, which use hit lists to find targets and can spread to 95% of vulnerable hosts in about 15 minutes, or under 30 seconds for a flash worm. A variant of the flash worm was also proposed by Weaver in a later paper in 2004 and had a theoretical flash worm spread in 510ms; unfortunately I can't find the paper at the moment.

      I would call Slammer a 'polite' worm as it did no harm other than flooding networks.

      That's quite a generous opinion of the Slammer worm considering it basically ground sections of the internet to a halt by the amount of traffic it generated.

      It's certainly possible to write an impolite worm. One that doesn't just spread itself, but after 20 minutes of attempting to spread itself decides to stop all of your services and then wipe the data off your hard drive.

      I've always wondered why people's immediate thought of a worst case scenario is loss of data. There are far worse things you could do if you had access to someone's machine: stealing confidential information for blackmail, sending out emails in that person's name from their machine damaging that person's reputation, downloading kiddie porn to the machine, removing yourself and then informing the authorities. Data can be recovered by various mechanisms but reputations or finances are a lot harder to rebuild.

      --
      Warning, comments may not have been passed by the sanity department of my brain.
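The spread-speed difference Redwin and 3ryon are arguing about, as an added worked model that is not part of the original comments: the logistic model for a random-scanning worm (the model Staniford, Paxson and Weaver used) next to a hit-list worm in which every victim hands half of its remaining list to each new victim. The population size (75,000 vulnerable hosts), the per-host scan rate (4,000 scans/s) and the 100 ms infection latency are assumed, Slammer-scale inputs chosen for illustration, not measured values.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 targets a random-scanning worm must search


def random_scan_time_to(fraction, vulnerable, scan_rate, initial=1):
    """Random-scanning worm under the logistic model: da/dt = K * a * (1 - a),
    where a is the infected fraction of the vulnerable population and
    K = scan_rate * vulnerable / 2^32 is the rate at which one infected host
    hits a not-yet-infected vulnerable address.  Returns seconds until
    `fraction` of the vulnerable hosts are infected (closed form)."""
    k = scan_rate * vulnerable / ADDRESS_SPACE
    a0 = initial / vulnerable

    def logit(a):
        return math.log(a / (1 - a))

    return (logit(fraction) - logit(a0)) / k


def simulate_random_scan(fraction, vulnerable, scan_rate, dt=0.5, initial=1):
    """The same model stepped numerically, as a cross-check: expected new
    infections per step are infected * scans per step * P(scan hits an
    uninfected vulnerable host)."""
    infected, t = float(initial), 0.0
    while infected < fraction * vulnerable:
        hit_prob = (vulnerable - infected) / ADDRESS_SPACE
        infected += infected * scan_rate * dt * hit_prob
        t += dt
    return t


def hitlist_time_to(fraction, vulnerable, infect_latency, fanout=2):
    """Hit-list (Warhol/flash) worm: every infected host already holds a list
    of vulnerable addresses and splits it among the hosts it infects, so no
    scan is wasted on the empty address space and the population multiplies
    by `fanout` every infection round (assumed: every infection attempt
    succeeds within `infect_latency` seconds)."""
    generations = math.ceil(math.log(fraction * vulnerable, fanout))
    return generations * infect_latency


if __name__ == "__main__":
    N, RATE, LATENCY = 75_000, 4_000, 0.1   # assumed Slammer-scale inputs
    print("random scan, closed form : %.0f s" % random_scan_time_to(0.95, N, RATE))
    print("random scan, simulated   : %.0f s" % simulate_random_scan(0.95, N, RATE))
    print("hit-list, fanout 2       : %.1f s" % hitlist_time_to(0.95, N, LATENCY))
```

With those inputs the random scanner needs a few minutes to reach 95% (the real Slammer took about ten, because bandwidth saturation slows the scanning), while the hit-list worm needs about seventeen infection rounds, under two seconds. The flash-worm numbers in the thread come from the same observation: once the target list exists, spread time is bounded by latency and tree depth, not by the size of the address space.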
  5. Re:Are critical systems on the internet? by stienman · · Score: 2, Interesting

    who in their right mind sees it necessary to put critical systems online?

    The internet itself is considered a critical system. As valuable (perhaps more) as the telephone and electricity utilities.

    What is concerning to many is another Morris internet worm or a similar crash of the internet. Take the recent cisco bugs - these make up a significant portion of internet routing capability. Should someone succeed in developing a cisco worm that infects even 5% of the cisco routers (specifically the "big iron" type routers at major peering points) then the internet will instantly become fairly useless. It will take hours, days, and weeks to get it working well again.

    Such a hit to the internet would significantly affect the economy. Further, the entire internet would feel the effects of more stringent regulation.

    It's not the simple hacks that people are concerned about. Just like an earthquake, a significant event is going to occur without warning - how can it not happen? If you believe it won't happen, then one of the following must be true:
    1) You believe there are no significant enough security problems in routers/computers/etc to cause such a major fracture or
    2) You believe that those individuals and organizations who have the ability to target such security problems will choose not to do so.

    Can you safely make both assumptions? If so, I suspect you overestimate human nature.

    It may be useful to note that the US government will treat a catastrophic internet event in the same manner as they would a catastrophic attack on the telephone, electric, or even road infrastructure.

    The difference is that the internet is much, much more vulnerable. The point of penetration can be continents apart from ground zero - and homeland security isn't scanning packets for proper visas.

    -Adam

  6. You're right, but not quite on-point. by clark625 · · Score: 4, Interesting

    Yes, I know that deaths due to terrorism are low statistically speaking. Honestly, it's not something that I spend awake nights worried about. Overall, I'm probably a lot like you in feelings about the terrorist threat. Statistically speaking, it's so far into the noise that maybe it should be ignored.

    The problem with this way of thinking, though, is that most ordinary people believe that terrorism is not an act of God, and that it is, in some way, a preventable issue. When it comes to auto accidents, ordinary folks want to put controls on those items that can lower the risk of death (preventing DUIs, speed limits, mandatory seat belt laws, etc). It's the same with other deadly issues--like how people want McD's to have healthy choices on their menus because heart disease is so prevalent (now, whether people make good choices is another issue...). Or smoking--how much energy/money has been spent on getting people to stop?

    People can accept deaths. It's a normal fact of life, and it sucks when it hits close to home. It sucks even more when those deaths could have been prevented with simple measures. If a party got out of control and a guy that was totally blitzed got behind the wheel and kills your wife/husband/mom/sis/friend/etc, you'd be pretty darned pissed and that incident would leave a hole inside you that might not ever heal completely. That's reality. Also, you, being a responsible citizen and registered voter, would be so upset and hurt that you just might demand more steps be taken to prevent others from feeling how you do. So, you call your local politician.

    Economically speaking, no deaths are without consequences. If it's preventable, then it can be calculated how much the solution would cost and how many deaths it would prevent. Those "non-dead" people earn incomes and pay taxes. If those expected taxes are greater than the proposed solution, then we have a winner. Of course, not all decisions are made based on pure economics. Many people are simply willing to pay higher taxes in favor of more safety, just because we like not having to go to our loved one's funerals.

    I do understand what you're saying, and the rational part of my brain agrees. The part that hates going to funerals, though, tells me that if a death can be prevented, maybe we should go out of our way a bit to prevent it.

    --
    Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
  7. Re:Are critical systems on the internet? by mestreBimba · · Score: 2, Interesting

    Yes they are on the internet, kind of. They are on SCADA networks that are connected to corporate networks (through a firewall) so that the bean counters can maximize productivity...... General configurations include data stores with linkages through the firewalls, vendors that require some type of access to the SCADA systems and servers to perform maintenance and patching, and online help systems on the SCADA systems that use web based help systems (located on critical systems) that can call out to vendors' sites, and basically any other web site.

    As a new IE exploit is out in the wild it is not hard to imagine that critical systems can become infected from client side attacks. A hacker has to get past (in general) two firewalls, then yes the critical systems are accessible via the internet. As most attacks these days use a combination of social engineering/client side attacks against the corporate LAN, getting a foothold behind the first firewall is not too difficult.

    Basically power, oil distribution, water, sewer, gas pipelines, communication systems, and most manufacturing processes use SCADA or digital control systems that in some way are connected to the internet.

    I am currently on a team at a DOE lab that has 20 very good researchers who spend all their time and energy hacking SCADA systems and performing pen testing of various vendor products and pen testing in production control systems at a lot of utilities.

    We have not performed an on-site assessment in which we have not found access to the SCADA system (eventually) through an external internet connection.

    That's not the half of it...... most of the RTUs out in the world have unsecured dial up access......

    So the threat of cyberterrorism is very real. Economic impact from a well directed cyber attack could exceed billions of dollars.

    --
    Fly Fish? Participate in our forum
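A check a practitioner would want against the configurations mestreBimba describes, as an added example that is not from the post or from any DOE lab tooling: a small flow-log classifier that flags control-zone hosts initiating connections outward (the help system calling out to vendor and arbitrary web sites) and anything entering the control zone other than the one expected path. The zone subnets, the historian address and port, and the flow lines are all constructed for the example; at a real site they come from the firewall's own zone definitions and logs.

```python
import ipaddress
from collections import namedtuple

# Zone layout assumed for this example (not taken from the post): a control
# system LAN, the corporate LAN in front of it, and a historian that is the one
# corporate host allowed to open connections into the control zone.
CONTROL_ZONE = ipaddress.ip_network("10.50.0.0/16")
CORPORATE_ZONE = ipaddress.ip_network("10.10.0.0/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HISTORIAN = ipaddress.ip_address("10.10.5.20")
ALLOWED_INTO_CONTROL = {(HISTORIAN, 1433)}   # assumed: historian replication only

Flow = namedtuple("Flow", "src dst dport")


def parse_flow(line):
    """Constructed flow-log format for the example: '<src> <dst> <dst-port>'."""
    src, dst, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def zone(addr):
    if addr in CONTROL_ZONE:
        return "control"
    if addr in CORPORATE_ZONE:
        return "corporate"
    if any(addr in net for net in RFC1918):
        return "other-internal"
    return "external"


def classify(flow):
    """Return None for an expected flow, otherwise a short alert reason."""
    s, d = zone(flow.src), zone(flow.dst)
    if s == "control" and d == "control":
        return None                      # RTU/HMI traffic inside the zone
    if s == "control":
        # Control systems should never originate sessions outward: this is
        # the web-help call-out, a vendor beacon, or a compromised HMI.
        return "control host initiating to %s (%s:%d)" % (d, flow.dst, flow.dport)
    if d == "control":
        if (flow.src, flow.dport) in ALLOWED_INTO_CONTROL:
            return None
        return "unexpected inbound to control zone from %s (%s -> %s:%d)" % (
            s, flow.src, flow.dst, flow.dport)
    return None                          # corporate/internet traffic: out of scope


# Constructed sample flow lines (not a real capture).
SAMPLE_LOG = """\
10.50.3.7 203.0.113.10 443
10.10.5.20 10.50.1.10 1433
10.10.22.9 10.50.1.10 3389
10.50.1.10 10.50.1.11 502
10.10.22.9 203.0.113.10 443
10.50.3.7 10.10.40.4 445
"""


def alerts(log=SAMPLE_LOG):
    out = []
    for line in log.splitlines():
        reason = classify(parse_flow(line))
        if reason:
            out.append((line, reason))
    return out


if __name__ == "__main__":
    for line, reason in alerts():
        print("ALERT %-30s %s" % (line, reason))
```

Three of the six constructed flows are flagged: the control host fetching web content from an external address, a corporate workstation opening RDP to a controller, and a control host reaching into the corporate LAN on 445. The historian's replication session and the Modbus traffic between controllers are left alone. The same logic is what a data diode or a "no outbound from the control zone" firewall policy enforces; running it over logs first shows how much of the vendor and help-system traffic the post describes actually exists before anyone blocks it.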
  8. Re:Are critical systems on the internet? by burns210 · · Score: 2, Interesting
    "Oh and one more thing. What exactly did you mean that half the internet can be taken down with a backhoe?"

    Many 'fat' internet connections share a single tunnel. Long haul fiber outages and what not can have a huge sweeping blow to thousands of websites if properly planned. Yes, there are redundant links, but if you cause a large enough chunk of traffic to be routed through alternate paths, you will cause those paths to get flooded and DOS not only the originally affected sites, but also the sites that WERE using the alternate paths but now have to share.

    It isn't a single backhoe, though I don't doubt certain peering points could be FUBARed with a single snip, that we should be worried about. But a small coordinated attack on a couple (2, 3?) peering points, well planned, and you could take down much of the internet in a chain reaction.
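The cascade burns210 describes, as an added worked example that is not part of the original comment: a four-site topology with a fat primary path and a thin backup path, a traffic matrix, and a shortest-path (IGP-style) rerouting after one link is cut. The topology, link capacities, latencies and demands are constructed for illustration; the point is that the rerouted flow overloads the backup path and takes the backup path's existing users down with it.

```python
import heapq

# Constructed topology for the example (not from the post).  Link key is the
# sorted pair of endpoints; value is (latency cost, capacity in Gbit/s).
LINKS = {
    ("A", "B"): (1, 10),   # fat primary path A-B-C
    ("B", "C"): (1, 10),
    ("A", "D"): (2, 4),    # thinner alternate path A-D-C
    ("C", "D"): (2, 4),
}
# Constructed traffic matrix in Gbit/s: A->C is the big flow; D->C already
# uses the alternate path's last hop and is fine on its own.
DEMANDS = {("A", "C"): 8, ("D", "C"): 3}


def link_key(u, v):
    return tuple(sorted((u, v)))


def adjacency(links):
    adj = {}
    for (u, v), (cost, _cap) in links.items():
        adj.setdefault(u, []).append((v, cost))
        adj.setdefault(v, []).append((u, cost))
    return adj


def shortest_path(adj, src, dst):
    """Dijkstra by latency, the way an IGP reconverges after a cut.
    Returns the node list, or None when dst is unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, []):
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def link_loads(links, demands):
    """Route every demand on its shortest path and sum the load per link.
    Returns (loads, demands that have no path at all)."""
    adj = adjacency(links)
    loads = {k: 0 for k in links}
    unroutable = []
    for (src, dst), gbps in demands.items():
        path = shortest_path(adj, src, dst)
        if path is None:
            unroutable.append((src, dst))
            continue
        for u, v in zip(path, path[1:]):
            loads[link_key(u, v)] += gbps
    return loads, unroutable


def overloaded(links, loads):
    """Links whose offered load exceeds capacity: queues fill, packets drop,
    and every flow sharing the link suffers, not just the rerouted one."""
    return sorted(k for k, gbps in loads.items() if gbps > links[k][1])


def cut(links, u, v):
    """Topology with one link removed (the backhoe, or the snip at a peering point)."""
    return {k: spec for k, spec in links.items() if k != link_key(u, v)}


if __name__ == "__main__":
    before, _ = link_loads(LINKS, DEMANDS)
    print("before cut :", before, "overloaded:", overloaded(LINKS, before))
    broken = cut(LINKS, "B", "C")
    after, lost = link_loads(broken, DEMANDS)
    print("after B-C cut:", after, "overloaded:", overloaded(broken, after), "unroutable:", lost)
```

Before the cut nothing is over capacity. After B-C is removed, the 8 Gbit/s A-to-C flow reconverges onto A-D-C, and the 4 Gbit/s links now carry 8 and 11 Gbit/s: the D-to-C traffic that never touched the cut link is swamped too. Redundancy in the routing table is not the same as redundancy in capacity, which is exactly why a couple of well-chosen cuts can matter more than one.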

  9. Re:Better safe than sorry by Trigun · · Score: 5, Interesting

    No, staying technologically superior makes a lot of sense. Even if it is to fight an enemy that does not exist yet.

    Staying technologically superior is also a form of corporate welfare. Same with war. Without going into the obvious politics of war, was the $30 Billion Shock and Awe phase of the war needed? We could have done just as much damage dropping $10 million worth of diesel fuel and nitrate in 50 gallon drums from cargo planes. But who would that have helped out? Not GE, Lockheed, Boeing, or anyone else who makes high precision implements of death.

    Call me an idealist, call me a purist, but if we rewarded technology for the sake of technology, not for how many people it can accurately kill, then maybe people wouldn't want to attack the U.S. Don't believe that "They hate our freedom" line, it's a lot more complicated than that. If a country acted benevolent, didn't kowtow to corporate interests, and took a leadership role, both in its own society as well as in global matters, as well as (and not just) a moral compass, then do you think that country would be the target of attacks? If the U.S. said that they were going to develop a cure for AIDS, paid for that, and then licensed out the manufacture of the pharmaceuticals, then do you think that there would be a pissing match with African nations over patent controls?

    Everyone says that technology is not a panacea, but even still, we've yet given an honest attempt to prove them right. We're still all stuck on that greed thing.

  10. What is SCADA? by Anonymous Coward · · Score: 2, Interesting
  11. So will I by js92647 · · Score: 2, Interesting

    That's another word for the filter, "Cyberterrorism."

    I wonder how this stuff makes news anyway. Soon we'll have these pompous dicks addressing games like WoW as "Cyber-cocaine," attempting to make it sound as if it's as addictive as the drug itself. Honestly who the hell comes up with these crappy titles? I mean, these are the same assholes who pulled that "Y2K" scam on everyone, people no different from making "Y2K compliant" appliances, and now, here we are again except we jumped from an alphanumeric word, into a strictly "Cyberterroristic" notion. Let me guess, "This computer is Cyberterror compliant?" Pfft, what a bunch of bs. Even judging from what other people on /. are saying, this stuff shouldn't even be in the news.

    Another thing, what the hell is up with a "Digital Pearl Harbour"? Last time I checked Pearl Harbour was deliberately planned by the US so they can get back at Japan. Not a hint or anything but these journalists (not to be confused with bloggers) have too much time on their hands when they try to convey what they think is going to happen and accidentally forget to read up on history of World War 2. I'll be expecting "Trojan Airplanes" soon enough.

    Nice 0-day "Nightmare" exploit, sounds so fun I might as well run my unix on a backup generator. Great change from September 11, 2001 assholes. You took a regular word and added "Terror[-ism]" to it. Real smooth.

  12. Re:Threat or Not Doesn't Matter by Alioth · · Score: 2, Interesting

    It's not just Tom Clancy who wrote about it - a 9/11 style hijacking actually happened for real in 1994 (using a FedEx DC-10 cargo plane rather than a passenger airliner). The crew managed to overcome their attacker though. There is a very good article about the attempted attack here:

    http://www.avweb.com/news/profiles/182918-1.html

  13. Re:Keep the govt out. Decentralize security. by NewToNix · · Score: 2, Interesting
    "The sooner we quit believing that one party or another is interested in freedom, the sooner we have a chance to preserve the dwindling amount of it we have left."

    This has my vote as the best comment ever made on /.

    It's people, not political parties that need to protect freedom - political parties only protect the power of that party - whichever it is.

    I can never decide what sig to wear... so I don't go out much.

  14. Silent but deadly by Anonymous Coward · · Score: 1, Interesting

    The Nightmare Worm will not be fast. It will have as its first priority not being found. It secondly will be self-updating and thirdly cross-platform.

    Not being found is impossible, but if kept as a goal it would go a long way towards improving the survivability and reach of the worm. By staying hidden the worm would delay analysis and would promote its chances of being 'out there' somewhere forever. It should collaborate with its peers to avoid attacking a host or network more than once within a large period of time, like six months. It should use kernel modules on whatever platform it's on to hide itself. It should delay installing itself on a hard drive when it can help it (in a honeypot, all bets are off) and only do so when the likelihood of detection is sufficiently low. It can use persistent storage for data, but should keep it obfuscated and only use disk space that appears free to the system. The worm should not use up more than a 'background noise' level of resources. It should not use up all the CPU, RAM, disk space or bandwidth. It should not hide processes, but should insert itself into existing processes so that hidden process detection won't find it. It should tunnel its worm activity over existing sanctioned and necessary protocols like ICMP, using steganography and similar obfuscation methods. It should piggyback its communications on legitimate traffic whenever possible, never adding more than a few percent of overhead. The worm would also need to have counter-measures for all the popular detection mechanisms, and even some of the unpopular ones. It should have exploits for anti-spyware systems, Tripwire, etc., to allow those programs to keep running and generating reports, even having them 'find' things now and then that aren't the worm, to keep from raising the suspicions of the host computer's admins. If the worm were REALLY clever, it could hoist itself into a supervisor role on machines with hardware support for virtualization. It would have to find a way to exploit the existing supervisor, and then convince that supervisor that it still has control of the machine. This is hypothetical, but still...

    It should keep a list of peers with trust levels, and should accept patches to itself from sufficiently trusted peers. This peer-based patching system would probably be the same system which allows the worm to share knowledge about already infected and blacklisted computers with itself and the update system would aid the worm in covering its tracks by allowing the author to patch any vulnerabilities in the worm itself. It would also allow the worm to learn about new platforms, new vulnerabilities, and to strengthen itself. This would also allow the worm to reveal as little of its plan as possible at a time. Each instance would contain just enough of itself to maintain control of its host, stay hidden, and to participate in the worm net.

    The cross-platform aspect is helpful for improving spreading. A bunch of windows machines are probably going to be behind some kind of unix-like network infrastructure. If the worm could only attack and infect one or the other, it would never make it to the chewy center of the tootsie pop.

    With this worm in place it would be possible to push updates out to the worm peers which perform all the terrible Doom's Day actions speculated of elsewhere in this forum. Wipe drives, wipe BIOSes, drive all the devices as hard as possible in hopes of burning something out. But more importantly, if the worm stayed mostly hidden for 10 years and was infecting backups for that whole time, there's a good chance that entire datacenters would have to be rebuilt (including replacing zero'd BIOSes) from the OS up.

    But I think there are even worse things that the worm could do, like providing its owners with all the interesting secrets on the host machines or modifying important data.

    When such a worm is developed, then the internet will have the best chance of becoming self-aware. :)
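The "tunnel over sanctioned protocols like ICMP" idea above, turned into the check a defender would actually run, as an added example that is not part of the original comment: build a few ICMP echo requests with valid checksums, then look at each echo-request stream (grouped by identifier) for the two things a covert channel changes and an ordinary ping does not. The packets are constructed, not captured; the baseline fill pattern (a 16-byte timestamp followed by filler bytes equal to their own offset) is an assumption about the ping client in use and has to be calibrated against a site's own traffic before the thresholds mean anything.

```python
import struct
from collections import defaultdict


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload):
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Return (type, code, ident, seq, payload); raises on a bad checksum."""
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmp_checksum(zeroed) != csum:
        raise ValueError("bad ICMP checksum")
    return typ, code, ident, seq, packet[8:]


def fill_pattern_fraction(payload, timestamp_len=16):
    """Fraction of filler bytes equal to their own offset: the fill pattern
    assumed here for a stock ping client after its timestamp."""
    filler = payload[timestamp_len:]
    if not filler:
        return 0.0
    matches = sum(1 for off, b in enumerate(filler, timestamp_len)
                  if b == (off & 0xFF))
    return matches / len(filler)


def suspicious_echo_streams(packets, max_payload=64, min_pattern=0.9):
    """Group echo requests by identifier and list the reasons a stream looks
    like a data channel rather than ordinary ping traffic."""
    streams = defaultdict(list)
    for pkt in packets:
        typ, code, ident, seq, payload = parse_echo(pkt)
        if typ == 8 and code == 0:
            streams[ident].append(payload)
    findings = {}
    for ident, payloads in streams.items():
        reasons = set()
        for p in payloads:
            if len(p) > max_payload:
                reasons.add("oversized payload")
            if fill_pattern_fraction(p) < min_pattern:
                reasons.add("non-standard fill")
        # A real ping changes only its timestamp between packets; data being
        # carried in the filler changes from packet to packet.
        if len({p[16:] for p in payloads}) > 1:
            reasons.add("filler changes between packets")
        if reasons:
            findings[ident] = sorted(reasons)
    return findings


def sample_packets():
    """Constructed traffic (not a real capture): one normal ping stream and
    one stream smuggling text in the filler at the same packet size."""
    def fake_timestamp(n):
        return struct.pack("!QQ", 1_120_000_000 + n, 250_000 * n)

    ping_fill = bytes(range(16, 56))
    normal = [build_echo_request(0x1234, n, fake_timestamp(n) + ping_fill)
              for n in range(3)]
    secrets = [b"operator:s3cret-pw", b"substation7 breaker", b"rtu dialin 555-0123"]
    tunnel = [build_echo_request(0xBEEF, n, fake_timestamp(n) + s.ljust(40, b"\x00"))
              for n, s in enumerate(secrets)]
    return normal + tunnel


if __name__ == "__main__":
    for ident, reasons in suspicious_echo_streams(sample_packets()).items():
        print("stream id 0x%04x: %s" % (ident, ", ".join(reasons)))
```

The tunnelled stream is the same size as the normal one, so the size check alone finds nothing, which is the comment's point about staying within a few percent of overhead. What gives it away is content: the filler neither matches the client's pattern nor stays constant between packets. Neither test survives a worm that copies the real pattern and hides its bits in the timestamp field, so in practice this is one signal among several, run alongside the per-host baseline of which machines normally send ICMP at all.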

  15. Re:Oh boy by Anonymous Coward · · Score: 1, Interesting
    Wait a second...did you just connect Iraq and 9/11? Despite the commission that concluded there was no link between Saddam and 9/11?

    As for the rest of your post...Crusades? The Spanish Inquisition? The Salem Witch Trials? Christians (fine, seem to be mostly the Catholic Church) have been just as bad. Give Islam a break. It's still several centuries younger than Christianity. Maybe it'll grow out of this phase. Besides, you're taking the actions of extremists and saying they're representative of the religion. That's just wrong. Do you know any Muslims?