Slashdot Mirror
Is the Cyberterror Threat Credible?
Scott Pinzon writes "Is the idea that cyber terrorists might take down US networks or utilities realistic, or over-hyped? One of the authors of the Patriot Act and several Black Hat 2005 speakers debated the issue informally at WatchGuard's "Security and Beer Roundtable." Participants include Dan Kaminsky, Johnny "Google Hacker" Long, Tim Mullen, Sensepost penetration testers, a guy from Microsoft's ISA team, and others."
Considering that, as of now, we can just pull money out of nowhere and just increment our debt up, it looks like that'll be the case for a looong time.
Yea, money's the real issue. With enough money, they can buy out enough hardware, encourage enough research, hire enough programmers, etc, to do almost anything. On the other hand, I'm sure that no matter what they do, their system will still have critical vulnerablilities, but that's just a fact of life.
Anyway, when we spend a quarter of the money on cyber-counter-terrorism that we do on physical defense, then people can think about beginning to complain about costs. OTOH, it's not like we really know where that money's going anyway...
http://www.TheGamerNation.com/Forums
Who cares if the power company's website is defaced or their web server brought down? That won't lead to the lights going out.
The question is not whether the threat from cyberterrorism (what a stupid term) is credible, but who in their right mind sees it necessary to put critical systems online?
If you want to take out half the internet, you don't need hackers. A backhoe works just fine. So why in the world would anyone put such important things on a network that is easily disabled?
Jesus saved me from my past. He can save you as well.
Criminals that use computers for fraud and other crimes should be described by a less stupid and emotive term than cyberterrorism.
Even if it's not credible, it doesn't mean it's okay to leave networks unsecured. Having consultants do security analysis is probably a good idea (although I don't personally know to what extent the federal government deliberately gets ripped off by those consultants, as you contend).
The threat of cyberterrorism has more to do with whether we should spend money analyzing threats to electronic infrastructure, and planning responses to potential attacks on it. Not the sort of thing you hire pen-testers for.
Personally, I don't feel in any way threatened by any word, phrase, or sentence with the prefix "cyber" in it. Cyber*, to me, means a way for non-geeks to explain something that they don't in any way understand.
Frankly, I think most terror threats aren't credible. My philosophy is that in most cases, if you're on the ball enough to understand a threat, it's not threatening. The real terrorism are the attacks (cyber and...um...Analog?) that come from behind.
In Soviet Russia, backwards is everything.
Yes, there is a threat posed by cyberterrorism.
I had an old friend/acquaintance (who was very well placed in the networking community) once tell me he could bring the internet to its knees in a matter of half an hour with some poisoned routing tables or somewhat similar at the router/peering points. Granted this was years ago, but as I recall being told it was one of the 'nets darker secrets -- e.g. a handful (or more) of people knew about the security hole, but it was baked into how things were being done within the IOSes of the routers that the peering points used. Perhaps this hole has been fixed by now, but I seriously doubt that people with enough dedication couldn't find another similar type of hole.
Unfortunately, I don't think the end user/consumer is able to much about it because this pertains to the provider/peering level.
Two fish swim into a wall, one turns to the other and says, "Dam".
The Bush administration has been warning of a digital Pearl Harbor for years.
However, their desire to collect and to centralize information on government computers for 'homeland security' purposes makes such a threat more dangerous, not less dangerous.
If their proposals for government-accessible backdoors for all encryption were actually to become reality, then a single successful hacker could compromise millions of secure computers and documents in a single attack.
The best solution is to go back to the policies of Clinton's presidency. Let us, the people, take care of our own security without government intrusion, as is our natural right and privilege.
We live in a culture of fear.
First it's anthrax (anyone remember that?)
Then it's suitcase nukes..
Then it's bird flu..
Suddenly terrorists are going break into our computers?!
All of these are existant 'problems' blown WAY out of proportion. I'm counting the days before termites are found in the whitehouse, thus becoming the next terrorist threat.
Cyberterrorism is a stupid word.
But beyond that, there are easier targets.
Railroads carry tanks full of lovely chemicals like SO4 and HCl. For commercial efficiency, they often put all the tank cars together. For historical reasons, the railroads, state highways, and interstates often run close together and intersect. Not far from where I am now is an intersection of two interstate highways, two state highways, two US routes, and a railroad.
Take out the tank cars and drive away in any direction.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
The broader question: is the treat of terrorism credible? Considering that politicians made up the whole concept of "the terror network" from disinformation planted in european newspapers and then failed to listen to the CIA when they told them the Soviet Union was not funding terrorist groups and in-fact it was the CIA that was planting the propaganda, how can we possibly believe that terrorism is capable of any more than the few isolated incidents that have befallen the world in the last dozen years? We're talking about a total number of deaths less than a year of ordinary people driving cars on the national highways. The chances of becoming a victim of terrorism are less than the chances of being hit by falling space debris.
How we know is more important than what we know.
Maybe. But probably not. If terrorists use a computer to do something that kills people, its regular terrorism. If somebody screws with my computer, that person is not a "cyber-terrorist," he is just a regular criminal (and also, likely, a douchebag.)
So maybe what I mean is... no, it isn't remotely credible.
Who did what now?
I don't know about a cyberterrorist, per se, but there sure are a lot of compromised machines out there. Anyone remember the article that quoted an estimated 200,000 zombies added every day?
2 /alan-cox.html:
Alan Cox said it best in this interview http://www.oreillynet.com/pub/a/network/2005/09/1
"We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours."
Y2K - Nuff said.
GetOuttaMySpace - The Anti-Social Network
There's something a little strange about spending hundreds of billions to create a missile shield on the off chance the terrorists are smart enough to build a viable nuclear weapon AND deliver it on target via ICBM from thousands of miles away... but too dumb to figure out how to trigger a cascading failure with a DDOS attack.
Truth is, if the raids on strongholds in Iraq are any indication, they can barely figure out how to upgrade to Windows 98. I'd be more worried about my government bankrupting me than anything the evil terrorists could pull off.
I'm not sure that's really what you want. IIRC, the attempts to make key escrow mandatory with Clipper were on Clinton's watch. The sooner we quit believing that one party or another is interested in freedom, the sooner we have a chance to preserve the dwindling amount of it we have left.
I too have felt the cold finger of injustice.
We just want to print one page...
"It's too bad that stupidity isn't painful." - Anton LaVey
Fear is a fantastic way to control people and get big dollars into big lobbiests pockets. It is also a good way to divert focus from real issues.
Unfortunately these measures only give a false sense of security. All the aircraft carriers can't stop a few punks with box cutters from hijacking a plane or whatever.
Huge security measures in the internat will be equivalent to airport security. Pain in the ass (in more ways than one), queues, loss of service etc for Joe Average and ineffective.
Engineering is the art of compromise.
I don't know if it will happen from what we think of as terrorists, but I'll go on record saying that we'll eventually have a Nightmare worm.
It could have already happened, but perhaps the worm writers had a conscious. There will be a worm that 0-day exploit that compromises a common MS Windows service and isn't so polite as SQL-Slammer. Slammer infected almost every vulnerable host in the world within 10 minutes. I would call Slammer a 'polite' worm as it did no harm other than flooding networks.
It's certainly possible to write an impolite worm. One that doesn't just spread itself, but after 20 minutes of attempting to spread itself decides to stop all of your services and then wipe the data off your hard drive. If a computer isn't directly affected, it will probably be affected downstream by the network traffic or reliance on Windows network services. Those that managed to survive may have a hard time finding other surviving resources.
Hopefully the business world has backups, but can you imagine the global disaster that would follow? In 30 minutes almost every computer in the world is down. Airlines will be grounded, you may lose electricity, you might not be able to order a mocha frappancino(tm) at your favorite fourbucks.
(Not to be judgemental, but in today's world if it doesn't target Windows it's not the Nightmare worm)
Kind thoughts do not change the world
I was working at home on 9/11, and yes: CNN was down until they put up a no-graphics static page. Slashdot was up and running just fine.
Anent to the article, I think the so-called cyberterror threat is not so much Al Qaeda as it is Eastern European organized crime, and the threat is more centered towards e-commerce (Amazon, eBay, gambling sites) than public infrastructure.
Al Qaeda wants to perform acts that make people afraid to go to work, not acts that keep them from bidding on Beanie Babies or playing Texas Hold-em. DDos-ing Amazon or Partypoker.com isn't the sort of deadly blow against the infidels that gets them out of bed in the morning. Yuri and Vladimir, on the other hand...
But the real "cyberterror" threat is the potential US Government overreaction towards any potential threat, real or imagined. Since the early '90s, the government has viewed the Internet as something big, scary, and untamed. COPA, DMCA, you name it, they'll regulate it. Even now, look at the way the Federal Election Commission has been eyeballing political blogs: free speech or political contributions?
If there's a threat, it'll be from Capitol Hill or 1600 Pennsylvania Avenue, not some cave on the Afghani-Pakistani border.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Yes, I know that deaths due to terrorism is low statistically-speaking. Honestly, it's not something that I spend awake nights worried about. Overall, I'm probably a lot like you in feelings about the terrorist threat. Statistically speaking, it's so far into the noise that maybe it should be ignored.
The problem with this way of thinking, though, is that most ordinary people believe that terrorism is not an act of God, and that it is, in some way, a preventable issue. When it comes to auto accidents, ordinary folks want to put controls on those items that can lower the risk of death (preventing DUIs, speed limits, mandatory seat belt laws, etc). It's the same with other deadly issues--like how people want McD's to have healthy choices on their menus because heart disease is so prevalent (now, whether people make good choices is another issue...). Or smoking--how much energy/money has been spent on getting people to stop?
People can accept deaths. It's a normal fact of life, and it sucks when it hits close to home. It sucks even more when those deaths could have been prevented with simple measures. If a party got out of control and a guy that was totally blitzed got behind the wheel and kills your wife/husband/mom/sis/friend/etc, you'd be pretty darned pissed and that incident would leave a hole inside you that might not ever heal completely. That's reality. Also, you, being a responsible citizen and registered voter, would be so upset and hurt that you just might demand more steps be taken to prevent others from feeling how you do. So, you call your local politian.
Economically speaking, no deaths are without consequenses. If it's preventable, then it can be calculated how much the solution would cost and how many deaths it would prevent. Those "non-dead" people earn incomes and pay taxes. If those expected taxes are greater than the proposed solution, then we have a winner. Of course, not all decisions are made based on pure economics. Many people are simply willing to pay higher taxes in favor of more safety, just because we like not having to go to our loved one's funerals.
I do understand what you're saying, and the rational part of my brain agrees. The part that hates going to funerals, though, tells me that if a death can be prevented, maybe we should go out of our way a bit to prevent it.
Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
The DOD already operates a separate internet for classified material. It's known as the Secret Internet Protocol Router Network, or SIPRNet. So yes, an alternative "G-Internet" is more than feasible - it already exists.
I've seen lots about not probable or not possible but lets look at it this way, how big is the internet? next question how many possible methods of terrorism can exist? some I can think of are; air traffic control (die hard style); automated flood gate control (I've seen HPsUX computers that do this); what about the manipulation of satellites; and affecting train routes, collisions and subway disasters?
If you really think about it anything technological that requires a computer is at risk to "cyber"terrorism.
Now okay most of these services are not live on the internet and can't be done in some afghani basement, but on US shores with the proper utilisation of inside Intel of infrastructure, social engineering, etc.
Looking beyond the simple break down of the technical problems associated with such a threat look at the practical day-to-day ones..
Makes it a little bit more plausible.
For starters, not pissing off other countries, by having abusive/manipulative policies. I'm sure there are other ways to ward off an attack of any sort, and the easiest way is to not have that enemy in the first place!
Zhrodague.net - I do projects and stuff too.
No, staying technologically superior makes a lot of sense. Even if it is to fight an enemy that does not exist yet.
Staying technologically superior is also a form of corporate welfare. Same with war. Without going into the obvious politics of war, was the $30 Billion Shock and Awe phase of the war needed? We could have done just as much damage dropping $10 million worth of diesel fuel and nitrate in 50 gallon drums from cargo planes. But who would that have helped out? Not GE, Lockheed, Boeing, or anyone else who makes high precision implements of death.
Call me an idealist, call me a purist, but if we rewarded technology for the sake of technology, not for how many people it can accurately kill, then maybe people wouldn't want to attack the U.S. Don't believe that "They hate our freedom" line, it's a lot more complicated than that. If a country acted benevolent, didn't cowtow to corporate interests, and took a leadership role, both in its own society as well as in global matters, as well as (and not just) a moral compass, then do you think that country would be the target of attacks? If the U.S. said that they were going to develop a cure for aids, paid for that, and then licensed out the manufacture of the pharmaceuticals, then do you think that there would be a pissing match with African nations over patent controls?
Everyone says that technology is not a panacea, but even still, we've yet given an honest attempt to prove them right. We're still all stuck on that greed thing.
Wikipedia article on SCADA
357c3435686430372052757c3335 (A cookie for anyone who decodes that.)
5|45hd07 Ru|35
And for those that don't speak 1337 - Slashdot Rules
english is way to easy
That's another word for the filter, "Cyberterrorism."
/. are saying, this stuff shouldn't even be in the news.
I wonder how this stuff makes news anyway. Soon we'll have these pompeous dicks addressing games like WoW as "Cyber-cocaine," attempting to make it sound as if its addictive as the drug itself. Honestly who the hell comes up with these crappy titles? I mean, these are the same assholes who pulled that "Y2K" scam on everyone, people no different from making "Y2K compliant" appliances, and now, here we are again except we jumped from an alphanumeric word, into a strictly "Cyberterroristic" notion. Let me guess, "This computer is Cyberterror compliant?" Pfft, what a bunch of bs. Even judging from what other people on
Another thing, what the hell is up with a "Digital Pearl Harbour" ? Last time I checked Pearl Harbour was deliberately planned by the US so they can get back at Japan. Not a hint or anything but these journalists (not to be confused with bloggers) have too much time on their hands when they try to convey what they think is going to happen and accidently forget to read up on history of World War 2. I'll be expecting "Trojan Airplanes" soon enough.
Nice 0-day "Nightmare" exploit, sounds so fun I might as well run my unix on a backup generator. Great change from September 11, 2001 assholes. You took a regular word and added "Terror[-ism]" to it. Real smooth.
..."Internet Explorer" by thy name.
What other application could update itself weekly and be so intergrated with the OS that a complete removal would render the OS inoperable. Makes that Win32 virus that associated EXEs with itself look like child's play.
Hot-Swapping motherboards??? ROTFL. ROTFL!
Ok, maybe flamebait but here goes.
Yes there are critical systems on the internet. For those of you who think you're so smarty pants, "who would put crit systems out there", what about email? Or B2B? Or electronic trading on NYSE, NASDAQ, etc? Or, or, or.....
According to a study I read a couple of years ago, and unless this has changed in the last couple years, and I hope it has, there are only about 4 buildings in the US that need to go away and the internet would be virtually gone until they could be replaced.
A coordinated attack on these facilities could effectively remove all net communications in the US for who knows ho long. I imagine the recovery would take quite a long time.
Considering that my networking professor told the whole class about it, there are more than a handful of people that know.
For those that don't know, the issue arises out of the way the internet does routing. IPv4 uses a flat routing system. Every key router on the internet knows how many hops away it is from all of the other key routers and which direction the router is in. Consider (the dots are placeholders so slashdot will display my beautiful ASCII art properly):
[cute but erroneous diagram clipped to avoid lameness filter]
Router D knows that it is one hop away from router E. B knows that it is two hops from E. How? Because D tells B that it is one hop away from E, so if B sends a packet to D, D can deliver it in one hop. C knows that it is three hops away.
Now suppose router B goes down. C knows that it can't reach E through its usual three hops, but when it talks to its neighbor to the right, it sees that F can reach E in three hops, so C is now four hops away from E. Now when C sees traffic headed for E, it sends the traffic to F.
How do you poison the system? If one of the key trusted routers, such as C, tells everyone that they are two hops from everywhere, large portions of the internet will try to route through C. If you can take control of a trusted router in each of several key locations, you can confuse the overwhelming majority of the internet into thinking you are offering the best route to their destination.
The short route won't make a big difference for nearby traffic, but traffic headed ten or twenty hops away will wind up going towards C when it should go someplace else.
The above-described mechanism for updating the routing tables is the key to the internet's ability to automatically route around cities that have been destroyed by a nuclear weapon.
Oh good god, what complete and utter BS. Lest anyone believe this is actually how transit routing works:
All public ipv4 transit networks in existence use a routing protocol called BGP4 (Border Gateway Protocol v4 - rfc1771). BGP is an "inter-autonomous system" routing protocol. That means, as a whole, it has no network awareness of individual routers, links, specific static addresses or locations. Essentially, all it knows is that a set of ip networks comprise an Automous System (labeled via an ARIN/RIPE/APNIC assigned Autonomous System Number). When a bgp router in one AS has an established bgp session with a router in a different AS, it tells the other router all the foreign ASNs that the network is willing to take traffic for and prepends its own ASN to the front of the list. The same is done for networks that originate within the local AS (i.e. the ASN is appended to "nothing" and is thus respresents the final destination AS) [there is also an origin ASN field, but ignoring that for the sake of simplicity]. This list is known as a bgp path. Thus, to find a route(s) to any accessible ipv4 address, a bgp router need only look at all the paths that contain the destination ASN, and the shortest path is generally the best route (although certainly not always). The actual job of routing packets is handled on a per-AS basis; i.e. each network is responsible for knowing, internally, how best to move packets to all the AS' that are connected to it.
You will note, however, that the core problem you describe continues to exist in this model, simply not on a per-router basis. If AS999 sends a path such as "9999 701" to all neighboring ASes, they'll believe that a viable route for traffic destined to AS701 is via AS9999, which, given a large major network, could be extremely distruptive.
However, in reality, this has not been a grave concern for a number of yea
It's not just Tom Clancy who wrote about it - a 9/11 style hijacking actually happened for real in 1994 (using a FedEx DC-10 cargo plane rather than a passenger airliner). The crew managed to overcome their attacker though. There is a very good article about the attempted attack here:
http://www.avweb.com/news/profiles/182918-1.html
Oolite: Elite-like game. For Mac, Linux and Windows
This has my vote as the best comment ever made on /.
It's people, not political parties that need to protect freedom - political parties only protect the power of that party - whichever it is.
I can never decide what sig to wear... so I don't go out much.
The last comment is right on, and in fact the Clipper project illustrates quite well that neither party can be trusted. The Clipper chip was actually a Bush I administration project -- initiated and developed before Clinton came into office. It was pretty much a done-deal, and it was announced a few months after Clinton took office. So it was developed by one party, it could have been stopped or at least questioned somewhat by the other party, and both parties pushed it forward.
And the scariest part of it all is that the "voice of reason" at the time was actually John Ashcroft. Yikes.
Requirements:
1. It must be easy for them to understand.
2. It must be something they will follow (lots of pictures), and not a white paper.
3. It must be colorful
4. It must have a goal of educating the user and not taking their money.
5. I prefer it be securemypc.com rather than joe.blog.com/files/02/05/security101.htm
I have seen guides with this in mind but they are mostly all crap. The task is not hard and I see people clearly explain it over and over to people on web boards but I have yet to see a _good_ website where I can just say to them "go here http:"
Certianly if people can spend billions of dollars and have hundreds of orginizations to clean up the damage these systems cause than someone can write a simple to follow guide for the end users that do care...right?
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
The sooner we quit believing that one party or another is interested in freedom, the sooner we have a chance to preserve the dwindling amount of it we have left.
I agree in principle - but it's also kind of unproductive to take the 'long view' and always claim precedent for everything bad going on right now. We don't have time machines, we can't change history- you have to focus on the present and the people who are perpetrating bad things right now. As far as two party politics go, if the elected official does bad enough, then you vote them out, you don't play games with trying to predict the future with what the opposing candidate might do, you focus on punishing the people in office right now who are screwing up right now. If you keep punishing both parties that way long enough, if every official is only there for one term, maybe they'll learn better eventually, or a third party will pop up.
The other thing is the more examples from history you point out, the further back you go, the more someone is going to think that it all turned out mostly all right so there's nothing to get excited about (even though the reason things did turn out all right back then was because people did get excited and took up arms and fixed it).