Slashdot Mirror
CyberTerrorism - Reality or FUD?
Random Utinni writes "The director of the U.S. Cyber Consequences Unit (part of Homeland Security) claims that terrorist hackers are poised to create total chaos. He predicts all sorts of scenarios, from changing the formulae for medications to causing cars to explode after a few weeks of driving. Is this guy fearmongering for an increased budget, or is he on to something here?"
It's no good burying your heads in the sand. Cyberterrorism is VERY real
the term is being used to justify basically anything the american government wants to loegalize to suppress its peoples rights. the reason? who knows..
Is that the best they can come up with?
Attacks on SCADA systems?
Who puts their vital power infrastructure controls online anyway?
I cry FUD, and let slip the dogs of mainstream media.
I am a leaf on the wind
We all know the most efficient way to cause chaos over the internet is to control the traffic lights to all turn green at the same time.
I can't wait for it to actually happen.
Reminds me of the up coming horrors of Y2K that amounted to a few slot machines not working after midnight.
;).
Although chicken littles can be right once in a while given the sheer number of warnings tossed about, and then no one listens to them when they should have
I mean, really, this all sounds more like industrial sabotage than terror. I mean, are you really going to have people running in fear for their lives that... say... the next time they fill up their car, the gas pump might explode? Or that any pill that they take next could be their last?
Most acts that they're looking at would be one time things, and isolated/restricted in nature. (Also making it easy to identify/avoid/fix.) I can't see that something like this would actually cause terror.
Again, CyberSabotage. Nothing more.
"...to causing cars to explode after a few weeks of driving."
I didn't know Microsoft made cars?
It would take an expert insider a lot of work to cause the kind of catastrophes the author is predicting here. Making a bomb is quick, easy way to kill a lot of people, and it gets a lot more media attention. It's also much closer to Al-Quaeda's traditional area of expertise.
I hereby place the above post in the public domain.
From TFA:
"Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks.
Then especially in the case of terrorists, WHY THE HELL HAVEN'T THEY DONE IT YET? If one of them had a shot at bombing the White House tomorrow, do you think he'd say "Eh...no, I'd rather wait until next week and hope they don't improve security by then."
This is not fearmongering for money. This is fearmongering for POWER-and the power they're going to shoot for is the power to control the Internet.
What a hell of an ironic name for that guy, Borg. I think that might tell us about everything we need to know.
To fight the war on terror, stop being afraid.
1) His name is Borg
2) He works for "Homeland Security"
3) He's a fucking quack
Period.
"Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse."
Am I the only one who is thinking? Why the hell are these things connected to the Internet then? And if its an absolute must why not setup the companies using a system like the US Governments's SIPRNet
I'd like to suggest he is on something rather than on to something.
...and what will follow?
We all know the drill, nothing to see here, drive though...
If developers / designers make these systems so incredibly vulnerable over a network such as the Internet that you'd be able to do all that hogwash, the users deserve to have their cars blown up over a week and their medication formulas changed.
*rolls eyes*
The threat posed by "Islamic Terrorism" is dead serious to some and FUD to others. The threat posed by "DRM" is dead serious to some and FUD to others. The truth on both is probably, as usual, somewhere in between.
BTW my CAPTCHA is "massacre." Coincidence?
The SCADA equipment does not have to be Internet accessible,
it just has to have a corrupted windows box attached to it.
You are being MICROattacked, from various angles, in a SOFT manner.
he's on Something....
Oh, wait a minute..."on to something"
Never mind.
I've got your sig, right here.
As far as fear mongering, you don't get a $93 million dollar budget for simply recommending that companies follow well established security procedures, including vigilance against social engineering.
As a former public servant, I can tell you that fear-mongering and blowing things out of proportion is an important way that a department justifies the resources they are using.
"damnit, trolley I want in your signature." - Elburrito
Cyber terrorism is very real indeed. Most large nations rely on electronic communications. So would perhaps say an E-bomb could be even more devastating to cripple a nation more so than say some sort of DoS of a particular IT infrastructure? I think so. I heard something the other day that an E-bomb only 30 miles over the earth above the US could take out about 1/3 of the continental US electronics. Secondly, if they could get one 300 miles above the surface, they could potentially wipe out the entire continental US. This is very scary!
-- Brought to you by Carl's JR
then tylenol scare?
Yeah, if people started dying because medical drug formulas were screwed up, it would cause terror, and for a longer time then a bomb could.
The Kruger Dunning explains most post on
This time, on the internet.
Read radical news here
That's fearmongering for political advantage. Pure and simple.
The current administration has a long history of scaring
people into electing and re-electing them.
This is no different.
..that read "masturbation media"?
Faith: n. -- That human impulse that drives them to steal appliances when the power goes out
Many years ago, I worked for a small company that had a contract to service the massive dot matrix signs that are spaced every few miles along the Southern California freeway network.
As part of the job, we were given a portable ascii terminal to enter test pattern data directly into the sign controller. Just for fun, we held an internal contest to think up 'What was the worst possible thing that we could type into the portable terminal for posting over the freeway at rush hour'.
The winner?
"INCOMING NUKE ATTACK - EST 15 MIN"
Just imagine the bedlam .
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
This doesn't seem like strictly "cyber" terror. My guess is that things like power plants valves and switches, prescription formulas, and car design specifications are NOT ON THE INTERNET. This is industrial sabotage, which requires physical access to the resources. The "cyber" part just means that computers are somehow involved. So what we have here is just a new way terrorists can fuck with us that we need to pay attention too.
Certainly people running power plants or pharmaceuticals need to secure their own internal computer network to keep some guy from reaching over a secretary's desk and altering the recipe for Prozac. But calling it "cyber" terrorism is just going to scare people into allowing the government to monitor their Internet traffic. After all, you wouldn't want a terrorist breaking into a nuclear powerplant over the Internet would you?! It's just another power grab instead of sanely alerting the respective authorities.
Did you ever notice that *nix doesn't even cover Linux?
Big Brother will be able to protect us better with full visibility into our email and IMing patterns, JUST LIKE they've saved so MANY of our military's lives by intercepting our phone traffic - FUD!!!
What happened to "Give me liberty, or give me death!"?
We've forgotten how strong we truly are, under a very careful campaign designed to keep us afraid and convinced we're powerless to act in any direction whatsoever, a massive misdirection of american attention so that they can steal what they're convincing us we don't have while we drool in front of idiot-boxes.
Sorry, Karl, ol' buddy, the *hard* opiates hadn't been refined when you were alive - satellite TV and Internet-connected PCs, THAT'S the ticket...
(I'm remembering the old Carlin routine about how the truly hip used to answer their phones "Fuck Hoover! Hello...")
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
Okay, folks, tell me: what can a cyber-terrorist do to a car that will cause it to burst into flames in a few weeks? All I can think of offhand is changing the spec for the gas line to gum rubber instead of neopreme, or soemthing like that --- and, of course, no one involved will ever notice, because cars are completely assembled by robots and no human ever sees the specs, buys the materials, or checks the figures.
And, if they were to do so, what happens? Someone announces a recall and a bunch of people take their cars to the dealerships.
Hell, why not do it the cheap way: wait until there is an accident, and just announce that it was done by your super secret ninja terror 31ee7 hax0rs.
Or consider the sources: this guy from the "U.S. Cyber Consequences Unit" --- with their empty website on a non-government '.us' domain.
Remember, kids, only a few years ago, the world didn't need computers to run. Chemical plants and other control systems have failsafes and safety valves and emergency shutdowns; people survive power blackouts, even if the birth rate does go up; we still have analog radios and mechanical water valves.
On the other hand --- here's some guy with a nifty-sounding name on a web-site, and Richard Clarke, who has been making a living from running around with his hair on fire ever since he said cyber-terror was a bigger threat than al Qaeda. Get a little attention, and people will start taking their calls again; maybe the USCCA" can even hire someone to make a web site.
Who benefits from this story?
I thought he might have something until I got to the exploding car part. Everything up to that is very unlikely, but probably doable for a determined attacker with local access. And there might even be some companies who put part of their SCADA on the internet--all of them deserve whatever they get. But changing medications and "car specifications so they explode after a few weeks"? Give me a break. Cars do not explode due to spec changes--short of including a pound of C4 and a triggering device in the spec. The worst might be putting a virus or trojan into the engine electronics that would lock the engine. And while cyberterrorists broke into a pharmaceutical company's central computer and changed the recipe for a pill to kill people on the Brit MI5 spy series, systems like that are not online and there is something called quality assurance--as in testing each batch before it goes out to the customers. So an attacker would need local access to the production facility, the automated QA, the manual testing, .... . I think this guy is watching to much TV. He would just have disqualified himself in any sane governmental organization. Thank god the DHS is not one of them.
There are serious cyber threats, though, denial-of-service attacks, attacks on online trading systems,... But that was probably not as dramatic as exploding cars.
"Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU)"...
http://archives.cnn.com/2000/TECH/computing/12/08
FYI: Clarke, hero of certain partisans in 2004, was also the guy who approved the bin Laden flights out of the country after 9/11.
He also suggested a connection between the Oklahoma City Bombing and al Qaeda, and was worried that Osama bin Laden would "boogie to Baghdad" if the U.S. invaded Afghanistan.
1st off to generate a pulse sufficient to do what's been suggested would require a minimum of a 5megaton Nuclear Detonation that's designed specifically for that.
2nd: Any such detonation above the 50 miles limit would have little chance of taking out hardened military electronics because they're designed to survive the EMP from a 5 Mile high airburst.
Now should terrorists manage to sneak a suitcase nuke into a major metro area, it's likely to be a dirty bomb and not a true nuke. What would happen is contaminate a large area with radioactive isotopes that take 20 years and billion of dollars to clean up.
Psst. Buddy, I've got some interesting Knifes to sell. They're made from Area 51 metal and glow in the dark. Ya Interested?
What an hilarious coincidence ! Listen to this: Bruce Schneier is currently running a contest on his blog where people are asked to invent dumb movie-plot terrorist threats. The purpose of this contest is to demonstrate that such invented threats are only "good for scaring people, but it's just silly to build national security policy around them". And a recent suggestion (that predates TFA!) is precisely based on the idea that terrorists could build faulty parts into automobiles. I litteraly ROTFL when I heard the director of the U.S. Cyber Consequences Unit saying that terrorists could cause cars to explode :)
now that it's been publicized we'll have terrorists sittin around in their boxers and socks drinkin beer at their puter screen giggling when they confuse the subway employees on the recipe for a roast beef sandwich.
Why are these things possible?
You'd think, if you have a major security flaw like the ones listed, you would fix it. Who actually puts the controls for their manufacturing process on the internet? No, I'm serious, who does this, and why do we let them get away with it? Screw making kinks in the industrial formation process, if I can get that kind of access over the internet, I'm going to take control of those freakin' huge fabrication robots used to bend metal into shape and go haywire taking out the enitre city. I'm sure that's going to inspire more terror than a few cars exploding. After all, cars have exploded before, but it's not everyday that you have an insane robot go on a rampage and destroy your home (unless you live in Japan).
Seriously, short of a Shadowrun on the corp to take over their computer systems, I don't see this happening. But if it is possible, the best thing to do is fix it. Period.
Realistically, trying to capture terrorists and criminals is going to accomplish one thing for certain, it will create more terrorists and criminals. The only way to make the terrorists go away is education and tolerance, no amount of warmongering or fighting is going to stop terrorists, that just encourages them. If you want to really end terrorism, make their job so ridiculously hard that the next generation of terrorists don't see any value in it. Same for cybercriminals, if the return is too little for the work involved, they'll find a different area to work.
This is FUD, but it's not necessarily bad FUD. He can scream all he wants to justify his job, but if these kinds of things are actually possible, someone needs to work on making them not possible, someone who actually knows how to fix these systems.
just some guy
Maybe it is think tanks run amok, or maybe it is politicos making hay, or maybe it is simply bureaucrats increasing thier staffing (importance, income and power).... Likely all this and more. I really don't see a number of things. This is not some Bush Administration plot to take away our freedoms, nor is it the Masons (or what ever conspiracy theory one might subscribe to). The worst case scenarios are really not possible. Maybe on some small scale in some isolated incidents with no lasting effect. Remember before 9-11 the airlines were going bankrupt, then after 9-11 they wer going bankrupt, and they still are going bankrupt. Matter of fact, the airline industry has always had some major issues with bankruptcy. Tylenol was poisoned, the 'Uni-bomber', 'Green River Killer', 'Son of Sam', 'Boston Strangler', etc. reigned terror all for many years (plug in any story of "gloom and doom" you wish).
International terrorism as we seem to know it today is loosely based on a fractured ideology, a hijacked religion. They have no huge infrastructure to support sustainable campaigns on a widely defined front, rather they are semi-independant cells which outside of their common enemy and common "faith" if you will, are people who would just as likely kill one another over disagreements about their own interpretations of these ideologies.
Terrorists as we know them today use the internet and technology to their advantage whenever possible. They communicate amongst themselves, research their targets, and communicate with the ever voracious press to happily get their message(s) across. Theri infrastucture of terror is our freedom. On one hand the terrorists need the cyber world, and quite frankly they are gaining much more for their cause through articles such as this, than they ever would by mounting some extreme attack.
Hookers don't run.
Hot and cold slinking hookers.
But if you wave a $10,000 bill at them they'll slink really, really fast.
KFG
Sweet, we might finally have a working Halt and Catch Fire command in our lifetimes!
I don't believe that becoming a computer expert for any portion of the government under Bush's executive branch can allow you to display your self as a computer expert. I mean, I got my A+ in the mail last week and I got a call to head the White House IT department.
Easy.. Said terrorist creates fake web page claiming dousing your car's interior with gasoline while smoking cigarettes increases fuel mileage. Said terrorists then spams millions and millions of people with link to the page. 99.9999% of the recipients are smart enough to realize that dousing your car with gasoline is very dangerous, the other people's cars go boom.
Have you ever been to a turkish prison?
He is blatently fearmongering, as is everyone with this supposed war on terror. It all serves to take away your rights and let the powers that be continue with business as usual. It is a charade. It will never return to green.
wouldn't someone notice that they're using way too much rubber tubing and try to find out why? At the end of all the computers, there are bean counters who are REALLY anal.
Not a Twitter sockpuppet... but I wish I was.
september 11th was implemented with boxcutters
so let's loose the technophilia when addressing terrorism
it's the low tech/ no tech exploits that should be our focus
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
In a way that smoke detector the fire department tells you to install is no different. How many houses burn down? Not that many actually, the chances of you ever needing the smoke detector are remote. In fact it will most likely go off on a false alarm.
Yet few would argue with the need for smoke detectors in the kitchen. But how about your bedroom? How many electronic gizmo's are near you bed with hot power adapters?
So I don't think this guy is fearmongering. He is doing his job just as a firemen who tells you your house is going to burn down.
As human beings we got to weigh the dangers vs the benefits. Some american idiots live in hurricane zones and earthquake areas, said this dutchie living in an area that is two meters below sea level with only a natural dune protecing him (Amsterdam, Holland).
We need people to come up with the most terrible storms that can happen and then calculate what will happen to the dykes and dunes if those storm happen to coincide with a tide in a period of heavy rain.
Then we can say if we are willing to take the risk OR invest in a better defences.
This guy has the same job. Are any of the attacks possible? Well considering that a lot of people believe the recent american power failure was due to a windows security hole I think there is a possibilty. Are we willing to accept this risk or do accept it as the price of living in this world, as I accept the risk of drowning and LA's people accept the risk of being the meat in a bridge sandwiche?
But calling fearmongering is just stupid. Accepting the risks is one thing. Denial is another.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
This guys just trying to justify getting $93 million from tax payers for something that will never benefit them.
It's just so funny that this kinda b/s is still going on. Personally the 911 attacks made me think the joke is well and truely over.
Hey America, I'll do you one better, give me only $27 million and I will personally ensure that no cyber criminal ever infects a computer with the bird flu virus.
Look at what happened after CAN-SPAM....
---- Teach Peace. It's Cheaper Than War.
He's not on to something, he's on something!
Cindy Sheehan was really effective against Bush for a while because she's a strong family-protection figure who made it clear that Bush had endangered her family rather than protecting it. And Katrina was even more effective, because it demonstrated that Bush wasn't decisive, or strong, or competent, when faced with an actual threat that he couldn't control but could have responded to. Osama bin Laden was just fine - if you're crying Wolf Wolf and a real Wolf shows up on occasion, that demonstrates that your strong leadership is needed just like you said.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I always find it interesting to see how paranoid governments are, compared with their citizens.
As a Sr. Research Scientist responsible for CyberCrime/CyberTerrorism assessment and training materials for several groups including the Department of Homeland Security's Office of Domestic Preparedness, I can say for certain that technology-assisted terrorism is already going on around the world. From the Australian hacker that accessed a waste-water treatment plant's SCADA system and released tends of thousands of tons of raw sewage into the water supply to disgruntled employees changing medications and surgical orders in hospital computer systems - these things are very real. Both terrorist and governmental-sponsored hacking teams practice and take control of thousands of systems per day to create massive botnets able to target elements of the technology infrastructure. Hacktivists deface websites or redirect browsers to spread their own brand of hatred.
Considering the restart process of a single refinery, which requires more than 3,000 individual steps to be properly controlled in order to bring the system back online - it is very easy to see how a cyber terrorist could simply tweak a little overpressure here or a little too much heat there to turn a refinery into a ball of flame a mile high with devastating effects in the area. More subtle attacks, like misrouting critical suppleis (food, water, fuel) could take weeks even to identify - and then more time to correct by hand as all electronic records would become suspect.
This is a very serious issue - not one that can be ignored.
Well, they are right once in a while, so if we amortize that rate, we can say that chicken littles predict minor disasters quite frequently. Minor disasters are usually the responsibility of the local firedepartment. Issue resolved. Next!
Such as MySpace, Rotten, RealUltimatePower, Scientology, etc.
r or/
Jokes aside, good read on CyberTerrorism before 911. Evidently CyberTerrorism isn't post 911 antics. It's been around for years now.
http://www.cnn.com/TECH/specials/hackers/cyberter
"Don't let fools fool you. They are the clever ones."
the term is being used to justify basically anything the american government wants to loegalize to suppress its peoples rights. the reason? who knows..
the term [FUD]is being used to quickly dismiss anything "the american government" has to say without providing supporting arguments. the reason? who knows..
P.S. On 9/10/01, the gov't claiming that bin Laden was poised to strike within the US by hijacking airplanes and flying them into buildings would have been considered FUD (no?).
Uttering logically derived and empirically supported truths to the disciples of the orthodox establishment.
And it doesn't matter if they don't succeed as long as they brag a lot, because the public _knows_ there are more real scum out there than they can catch. And a scumbag who escapes or a cyberterrorist who hasn't done enough to get caught at it yet are both fine publicity (as long as they don't look like bleeding incompetents in the process) - it means they obviously need _more_ powers so they can catch the next one.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
And not that much stronger too..
If the terrorist Mohamed Al-blowyouup hacks into the tylenol factory computer and sets the process to add twice as much of the active ingreedient, the workers will begin to notice that they are running out of the stuff faster than before, using more than they should, Al-blowyouup could instead put less in - bad consequences tylenol stops working so well (and workers think hmm tank is still full?).
Al-blowyouup has no choice to add somthing like rat-poison to the mix, at least by remote control.
This of course is assuming the control and mixing computer is even attached to the internet.
It depends on what people were saying was nonsense. If the media had been running reports about how "Y2K will cause untold manhours in overtime labour!", that would have been a reasonable thing to take seriously. But the media was actually running reports about the shortages of fresh water we'd all be facing, and how there wouldn't be enough shotguns to go around when the zombies came for us. So yes, that was definitely ridiculous. Y2K was a serious problem in the sense that global warming is a serious problem -- it will take some work to fix, and millions of people will be tragically inconvenienced. It was NOT a problem in the apocalyptic sense that fear-mongers made it out to be.
I would like to see some discourse on the ability of these FUD spewers to actually react or inform people on actual network security.
I attended a cyber security thing once put on by these guys. It was completely worthless. When I say completely worthless I'm talking screendoor on a submarine worthless.
A scenario: "Half of your computers on the network are infected by a virus, it is tying up your internet bandwidth trying to spread itself, what do you do? what...do...you...do?"
Ok, for 1 if you're worth a damn you don't open port 25 outbound to client PCs anyway and proxy most internet traffic. The only outbound ports are for legacy systems with dedicated IPs. Second, say you do notice your bandwidth is consumed by something. Sniff the port, and close the firewall rule for said traffic until you have the info to take further action. Implicit deny anyone?
Their scenario was geared toward the morons of the IT industry who might truly be perplexed by such a situation, but I found it laughable.
That wasn't the totally useless part. The exercise as it was to be performed: IT provides the info on systems we are running and possible vulnerabilities. They come up with semi-plausable scenarios to exploit them. But in this event the EOC is fake-active and public safety officials are in a paper simulation of cyber attacks going on in their network. Notably, the analog radio system at the core is not mentioned.
For every problem the solution would be to call IT. IT isn't even part of the exercise. Our fire chief who knows fire and fire personnel management inside and out, doesn't know the difference between PCL6 and PostScript. Nor would anyone in their right mind ask him to write an ACL for cisco equipment much less give him enable priviledges. Not that he would ask for them, he knows better. He knows that if you have a leaky pipe you call a plumber, not an ambulance.
So the point of the whole exercise it to blow taxpayer money, ensure that public safety knows the numbers of appropriate IT personnel, possibly expose idiotic IT practices, and give public safety guys a little more FUD stress they could do without.
Have they even simulated what would happen if a local ISP had a truck full of manure driven into it. That could easily take out half a city's internet and probably a few people downstream in a single point of failure. Would it effect first responders? Not at all. They have radios.
I can't imagine many scenarios where cyber terrorism would be life threatening. Possibly have an economic impact, but I bet it would pale in comparison to phishing scams which they can't even police now.
"Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same in any country."
-- Nazi Reich Marshal Hermann Göring during the Nuremberg Trials
(found this about a fifth of the way through on the wikipedia article about 1984)
New government order: in order to prevent cyberterrorism, all citizens are required to buy and install the new government approved monitors and tv sets that will be able to monitor them at any time. Special bonuses will be given to those that install the govenment approved activity watcher on their PCs so Big brot-- I mean, the government can make sure you aren't trying to commit acts of cyberterrorism. (Ha guess who will be the instant criminals, those who don't install the spyware on their PCs)
If computers vital controlling major infrastructure such as train signals, etc are not properly isolated from the internet, they are vulnerable to hackers.
While i severely doubt hackers could cause at-once catastrophic infrastructure collapse (my ill probably pay for that now that i said they cant do it XD), I do believe targetted attacks can cause disasters like, in my example, train wrecks.
I'm not too incredibly worried. The same headaches with compatibility and differing standards among private companies will assure it will be incredibly difficult to cause anything catyclismically bad in one fell swoop.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
* lon3st4r *
Of course there's the risk of cyberterrorism. But what's being done here is a scare tactict. It involves taking something real and hyping it to the point that people are so afraid that they give in. If the government is serious about cybersecurity then it needs to look at its own networks and see how insecure they are.
Firstly, calling it "cyber terrorism" gives it away as FUD. No penteseter or basement hacker seriously uses the word "cyber", we prefer "information" as in INFOSEC. "Cyber" is more a marketing term thats used in words such as "cybernetics" and "cyberized" (ok I made that one up).
Secondly it's not really terrorism, because it's hard to terrorize people with a blue-screen-of-death, kernel panic or some tech saying "we don't know why the mainframe is down today". Also it's pure Hollywood that you can take planes out of the sky or blow up entire cities by hacking into a computer. "Cyber Terrorism" falls more into the area of organized sabotage. Large organized sabotage doesn't have the same psychological impact as traditional terrorism. People fear traditional terrorism since they can easily become it's victim, just takes being at the wrong place at the wrong time. "Cyber Terrorism" is directed at large technical assets, not your average joe. It might inconvenience the public and create a sense of foreboding, but no mushroom clouds. The only way "Cyber Terrorism" can be classified as "Terrorism" is if the media keeps using it's name to scare the public.
We've been hearing about the coming "Cyber-Armageddon" since the 80s and we've only seen it being used to sell security products and draconian new laws.
The darkside likes to create noise in order to hide signal.
You are being MICROattacked, from various angles, in a SOFT manner.
... that "blowing up the engine" kind of 'sploits happen all the time ... due to mistakes made by the programmers themselves.
... one thousandth? Oh boy the terrorists are going to terrorize us big time ...
A determined hacker could increase the likeliness of it happening by a good, what
Gimme a fucking break.
Come on, I'd think Slashdot folks if anyone would have known this already.
I'm as skeptical of this administration as anyone, and I agree with all the people who said that this Borg guy is probably doing this as a bureaucratic tactic. I agree that DHS couldn't secure a microwave oven.
But still, we live in a Windows world and mom and pa user click OK more or less randomly. Malware runs amok outside of corporate citadels and a few well-administered networks. Gangs of spammers demonstrate that they can go toe-to-toe with the white-hat community and win. Does anyone really doubt that taking down the internet really requires more than the will to do so?
Who knows what al-quidia could do--thanks to the Bush admin, we really have no way to tell fact from fiction any more. But, ignoring the Michael Criton stories Borg gives us, I'm sure at least a few nations could turn the U.S. off if it really came to it.
So, we have this guy predicting fire and brimstone from angry people familiar with computers. . .
.
. . . and his name is Scott Borg. .
Am I the only one that's drawing the parallel?
Here's what I've read so far before posting this note:
Some number of people say "political fearmongering". But most of them don't provide evidence to the contrary.
Some number of people say "absolutely real". Many of them express similarly unfounded views to the 'political fearmongering' crowd.
Some number of people say "there might be something here, but some of the scenarios are pushing it."
A few people cite personal knowledge/experience with respect to what could be done.
Now here's my $.02.
1. First we get into the discussion that's been around the block about whether or not any specific vulnerabilities on any specific system should be revealed. If you take the side of "no, keep it secret", you're back to the "do I trust this poster?" But some feasible/credible scenarios/examples have been posted, enough to counter the "reject out of hand" responses.
2. That being said, I have heard credible people talk about these kinds of scenarios (particularly with respect to the power grid) for at least 8 years. So I -explicitly reject- those who think this is an out-of-the-blue kind of thing. (I can't say if part of the motivation were political. What I can say is "this is not new...")
3. Certainly -some- computer viruses have the capability to do lots of malicious things to arbitrary computers. If these were targeted to specific machines with specific vulnerabilities (e.g. the LA Freeway signs or the traffic light control system for Manhattan traffic signals), it's easy to see the substantial consequences.
4. If I knew of specific efforts by either good guys or bad guys to do these kinds of things, I -sure as hell- wouldn't be posting here. That being said, I suspect I know people (who I'd consider 'good guys') who are both planning and prototyping 'offensive e-warfare', as well as 'defensive e-warfare'.
5. So my bottom line: Current systems, and not just Windows PCs, probably have substantial unacceptable vulnerabilities. I don't think someone can implement the "WarGames" (movie) scenario, but I do think that the ability to do things like mess with traffic signals or the power grid switching system is real.
The analogy with Y2K is only partly appropriate. There we -knew- when the bad thing could happen, and there was a concerted, very tightly focused effort to prevent it. But some of the scenarios that could have happened with unpatched Y2K software were very well documented and very real.
So as a community we need to consider these kinds of threats, not in the sense of 'fearmongering', but in the sense of "what should be we be doing to (a) prevent, (b) detect, (c) mitigate these kinds of attacks.
dave
Their most important political strategy has been to keep announcing things that Americans should be afraid of and announcing that they're strong decisive leaders who can protect us from the enemies that are trying to kill your children and hate your freedom.
Syd Barret wrote a brilliant song about this way back when.
(Quoted with the deepest respect):
Effervescing Elephant
An Effervescing Elephant
with tiny eyes and great big trunk
once whispered to the tiny ear
the ear of one inferior
that by next June he'd die, oh yeah!
because the tiger would roam.
The little one said: "Oh my goodness I must stay at home!
and every time I hear a growl
I'll know the tiger's on the prowl
and I'll be really safe, you know
the elephant he told me so."
Everyone was nervy, oh yeah!
and the message was spread
to zebra, mongoose, and the dirty hippopotamus
who wallowed in the mud and chewed
his spicy hippo-plankton food
and tended to ignore the word
preferring to survey a herd
of stupid water bison, oh yeah!
And all the jungle took fright,
and ran around for all the day and the night
but all in vain, because, you see,
the tiger came and said: "Who me?!
You know, I wouldn't hurt not one of you.
I'd much prefer something to chew
and you're all to scant." oh yeah!
He ate the Elephant
The Hacker's Guide To The Kernel: Don't panic()!
Bush and Co come up with draconian laws to reduce the threat of motorist terrorism-
* Anyone may now be randomly stopped and their cars put through a safety test - if you are found with bald tires, oil leaks, suspension problems etc you can be charged with conspiracy to commit motorist terrorism.
* Random breath tests and saliva drug tests (as seen in countries like Australia)
* Electronic surveillance mandatory in all vehicles - if the cars computer and GPS determines you are speeding or driving dangerously you can have police turn up at your home and interview you then issue fines/arrest you.
Of course this is the USA and many of these measures are seen as unconstitutional, so during the debate several ammendments are written fixing up some of the privacy aspects and requiring judicial oversight etc etc. Then in the middle of the night congress is given the final version of the bill which they think is the ammended version but it's actually had all the dodgy bits put back into it by the attourney general and they pass it without reading it because it's essential to the countries future.
"Those who cast the votes decide nothing. Those who count the votes decide everything" -- Josef Stalin
I have seen the cars of which they speak, they are called Geo Metros...
ahem... we'll be appearing here all weak....
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
read the book by Dan Verton, Black Ice4 /qid=1149217071/ref=pd_bbs_4/103-9307374-3103061?_ encoding=UTF8
http://www.amazon.com/gp/product/0072227877/sr=8-
I wonder just how much more it would have cost applications to use 4 digits instead of 2. I imagine a lot of this was just needless pre-optimization, especially as the years rolled by and prices went down exponentially. I also wonder how much of this was just cultural -- humans were writing 2 year dates on paper, so it would be natural for the programmer to adopt the same convention without even thinking about it.
That instead of being afraid of Hussein, bin Laden or South Korea, we are afraid of the "real" source of all axis of evil... piratebay.org
Botnets
Rootkits
SPAM
Keyloggers
Spyware
DDOS attacks.
If you don't believe me, ask Six Apart, Blue Security and Tucows.
All our control stuff is on UNIX. It never misses a beat. The corporate LAN is on Windows Server. That has horrendous downtime. A very large line company which buys power from us runs their transmission control system on Windows Server. They have horrendous downtime too. But they also have tremendous backup systems, including backup-backup-backup, a legacy (but still 100% functional) UNIX-based system.
We have a backup system as well, naturally, but nothing like the line company's...a system which they only have - and need - because they run their critical line transmission systems on a dodgy platform. Seems kind of pointless to me, when they could be using their UNIX one fulltime instead, and save a fortune.
Y'know, this type 'negative' FUD, reminds me of everytime some politician says, "Do XYZ for the Children." Or more common to Calif... "Do XYZ, otherwise we'll have to close 3 firehouses..."
that American corporations can keep putting out lower and lower quality product, and instead of copping any blame for it when it fails catastrophically, they can blame it on Cyberterrorism (thus increasing the speed of the feedback loop causing increased "terror legislation").
No need to be the greatest country in the world techologically or otherwise when your population is so firmly under control that you can have them believe whatever you want.
Of course, since I work at a really big database company, I would imagine that by some paranoid metrics, I've touched the software that touches pretty much every other human being in the civilized world. I, and a few thousand of my closest peers, are "supernodes!"
Hi Tony! :)
Oh, and hi Sam, and Jiri, and Rahul, and everyone in Bangalore, folks in the SF Bay, folks in the UK, and Pete (oh wait Pete's gone..., no not that Pete, the other Pete...)
Part of the Second American Revolution!
This is a bad thing, right?
Those people who believe things in spam and act on it, all being consumed in flaming conflagrations... is bad. Right?
I am tired of all your stupid american paranoia (tm) regarding terrorism, and using it as an excuse to whatever you need at that point.
Oh, by the way, I am spanish. We have lived with real terrorism here for the last... 40 years. And didn't invade another country to solve our intern problems.
The US and Canada had the largest North American blackouts ever within weeks of Italy and the UK also having massive blackouts. People then were calling attention to the software involved but the story was never followed up.
i ty/recovery/story/0,10801,87400,00.html
Richard Clarke wrote about the weaknesses in the electric industry:
"Richard Clarke, a former cyber-security expert in the Bush administration, laments complacency. "People claim no one will ever die in a cyber-attack, but they're wrong. This is a serious threat."
Clarke says that each time the US government has tested the security of the electric power industry, he and his colleagues have been able to hack their way in, "sometimes through an obscure route like the billing system". He reveals that computer security officers at a number of chemical plants have told him privately that they are very concerned about the openness of their networks.
This was an article about software involved in the failures.
"Software failure cited in August blackout investigation"
(Computer World)
http://www.computerworld.com/securitytopics/secur
Time to terrorize the public again.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
In fact, this sort of exaggeration is prevalent on a massive scale on all levels of government, and causes trillions of deaths per year because our anti-exaggeration department is too poorly funded to deal with it. Who knows what will happen if terrorists also deploy such methods?
Kindly send your cheque today.
Especially considering I had a guy with the handle "islam_soldier" trying to take down my company's airplane design website for a couple days. A couple months ago, an Iranian holy institute DOS'd us for five days. I got involved with three nice local FBI agents. I work for a tiny aerospace engineering company, considering the amount of hacking in the name of religion I get, I can't imagine what companies like Boeing and Lockheed Martin put up with.
... is that the director and chief economist of the US Cyber Consequences Unit is a guy named Borg. }8-o
It will be mended, of course.
A higher investment in the Internet could prevent the problem, of course, just like a higher investment in power grid and levees could prevent the other problems.
I'm not the one to say what the appropriate place to put the tradeoff is.
Never mind cyberterrorism, 90% of the babble surrounding normal terrorism is FUD. Even before the post-9/11 security went into effect, you were far, far more likely to get killed by a drunk driver than a terrorist.
I think what he describes was "worst-case", which assumes that even the anal bean-counters get tricked. The point was (as I understand it) due to the lead time and the ambibuity of computers, it's nigh impossible for the cybersaboteur to claim credit. It's far too easy to claim that mislabeling was the cause, and that the group claiming responsibility is just trying to cash in.
I think the whole idea of ideological terrorists suing the internet is rather silly. Instead, the greater threat is from competitors hiring black hats to gum up rivals, and would-be terrorists are not nearly as sophisticated in that sense. In the case of the automobile plant, the safeguards are probably already in place due to fears that, say, Fnord Motors would try to introduce subtle flaws in rival GW cars.
I call bullcrap. I write ECU software for a living. Do people really think they can cause your car to blow up after a few weeks of driving? C'mon.
You'll notice I used the term "traditionally". America traditionally valued freedom, and ruined the shit of oppressive empires like Spain, Britain, and Germany. Sure, since then, America has only fought (and lost) wars against third-world nations, harmless weeds, and sharing -- but it really wasn't always like that. Up to and including World War 2, America was a relatively inspiring place compared to the alternatives.
On one hand, you have computer virus, online identy thieves, even people who stealmoney online and think that they can get away with it.
On the other hand, 99% of 99% of the time it is down right FUD.
Alternatively, the FUD is the Cyberterrorism. Isn't that what terrorism is all about? Playing on the Fears, Uncertanty, and Doubts of others? "The boogy-man will eat you some day."
The truth is the Boogy-man is right here.
The perception that the boogy-man could be a computer geek with a vendetta, an Arabian man with a video camera, an Iranian man with a degree in chemistry, or an American who has a private adgenda all depends on who is giving us that message.
The message is no longer the truth, it seems, since the truth is constantly altered and edited to suit the interest of a few media conglomorates, corporations, and miserly zealots.
The boogy man is not Cyberterrorism, Bioterrorism, or even FUD.
The real terrorists are the FUD-packers who deliver the yellow journalism and lie to the terrorists and to the public.
The true devils are the ones whispering in your ear.
The Rapture is NOT an exit strategy.
Without "Cyber Terrorism"(TM)(R)(C)(Patents Pending), FUD mongers like you wouldn't be getting big fat grant checks, university offices, and tenure track positions to spew this crap. Seems to me you stand to benefit quite a lot from terrorism. Hell, your post even reads like BS from the many companies that are profiting off of them too instead of a level headed and rational scientist (i.e. you're not a scientist).
I don't see what is so special here.. It only takes sound computing practices (patch your software, don't expose critirical infrastructire to a public network, limit access, etc) and better software (don't install Windows or Linux on the nuclear reactor's safety system). You're telling me you are a "scientist" who whiddles away my tax dollars just to tell people what I basically have just said but in a FUD and fearmongering sort of way?
Can I get a tenured professorship in Door Lock Security Science? After all, there are plenty of idiots who don't lock up the office after they leave (but yet I don't see such FUD-filled headlines and reports when it happens).
How about Stephen Harper Eats Babies
I hereby assign you the task of posting "This is fear-mongering for POWER-and the power they're going to shoot for is the power to control the Economy (and Private Individuals.)" whenever global warming is mentioned.
Let's try this out. I'll mention global warming, and you'll respond as told.
"Global Warming".
Free as in mason.
Homer: Not a bear in sight. The "Bear Patrol" is working like a charm!
Lisa: That's specious reasoning, Dad.
Homer: [uncomprehendingly] Thanks, honey.
Lisa: By your logic, I could claim that this rock keeps tigers away.
Homer: Hmm. How does it work?
Lisa: It doesn't work; it's just a stupid rock!
Homer: Uh-huh.
Lisa: But I don't see any tigers around, do you?
Homer: (pause) Lisa, I want to buy your rock.
i knew it. definitley opens a loophole of blame to pass any screw up along to the terrorists. We got hacked - we couln't have seen it!!!
2 wrongs dont make a right - but 3 lefts do
Just very different from this guys hallucinations.
/. Blue Security, remember?
Not long ago, we could see it here on
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yesterday, the swedish police website was taken out by hackers, probably as a response to the closing of tpb. They also hacked the anitpirate website a year ago or something when they were getting cocky.
Whats the point is doing bespoke terrorism? Spending weeks hacking into the power company and blacking out a city for a few days. Those weeks could be much better spent buying a few good quailty day zero exploits packing them up into nice infectious package and giving it a really nasty payload, say wipe the hard disk and flash the BIOS. Then you can attack every power company at the same time!
Ah I hear you cry really deadly virus never last long in the wild because they kill their host.... Thats because biological virus can't count. Consider a computer virus that could count the number of hosts its infected and until it has filled its (random) quota, sits back and passes the time adding single bit errors to the text in Word, Excel and Access files.
Its a good thing all the good virus writers are gainfully enployed by the Spammers and Crime syndicates at least its in their interest to keep your PC running.
I find medetating on the Doomsday Virus does wonders for my backup policy!
Mind you, in 2005 people were still doing stupid things when it came to SCADA system security. Using a home computer to control the water supply of a city of 3 million people? Not smart.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Mod parent up. And to the poster: changing your subject line to something other than "Re: " increases the chances that your post will be seen and modded ;)
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
Seems that to die in a martyrdom operation is the true benchmark of extremist Islamic manhood. But tapping away at keyboards at a cafe? Where's the excitement in that? Where's the spectacle?
No, these kinds of attacks are too abstract for these guys, otherwise we'd already have seen it. Cyber attacks might be a supporting role for terrorists but not the main dish.
you know those that are...
1. beeing corrupt from start and have their election campaign funded by lobbys
2. obviously lieing
3. send children to war that arent even allowed to go into a night club
4. are pretending to have the peoples interest in mind while only working for the lobbys that sponsor them
5. are creating chaos on this planet
6. are corrupt enough to not prevent the pollution and destruction of this planet by industries
7. those that take away more and more of the citizens rights with their lies and fud to establish more and more of a police state.
Something tells me that it's better that we never learn. ;-)
Is this guy any relation to the borg.
.. based on Windows 2000 and rely .. [on] the Internet .. for exchanging
information
"One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries."
Only if your SCADA units are run on Windows and use the Internet to communicate.
"(SCADA) systems
The decision to run the DHS computers on Windows isn't too wise either. And since the intelligence services have deliberatly weakened security so as they can monitor the bad guys it's hardly supprising that systems can be broken into so easily.
Who benefits? The people who are trying to scare everyone in this country into appointing Bush el-presidente for life to protect us from dem terrrrrsts without having to worry about that due process hullabaloo and pansy assed Consitiution crap.
Coding with assembly is like playing with Legos. Coding an application in assembly is like building a car with Legos.
They hijacked planes with poorly filled out Visa applications, 4" knives, and box cutters.
They were trained in remote Afghanistan, with little-to-no electricity, let alone internet connectivity (maybe one shared low-baud satellite connection for bare bone communications..... but then again, probably not).
The vast majority of Islamic fundamentalist terrorists, the primary "threat" today, do not attend standard schools, but rather attend Koran training at religious academies.
Yeah, I'm sure their next step is widespread disruption of our infrastructure via cyberterrorism.
I'm far more worried about Russian hackers extorting for money, script kiddies on steroids, or genuine, old school black hats bent on causing disruption. And among these categories, the primary "threat" to our 'cyber-infrastructure' (I hate that word) is Windows. Nothing else. I'm not saying switching off Windows will make us invulnerable; but right now, if you are worried about "cyber-attack", its because you are a Windows user, or you have a piss-poor Unix admin, or your company does a lot of serving.
The vast majority of intra-company or intranet equipment should have nothing to do with the outside world. Follow standard Unixy security procedure, and your biggest worries are thing like data theft, not catastrophic failure.
In this day and age, with properly configured Unix-like systems its easier to bomb the fucking building than 'cyber-attack-hack-whatever'. Given our poor physical security, and our "enemies" expertise with conventional means, and our "enemies" inability to access modern hardware/software.... catastrophic failure is going to come from explosions, fires, and *gasp* WMD. Not hackers.
Note: I don't bring up WMD to say it is going to happen. I bring up WMD to say that is FAR more likely than evil Osama hackers.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
What a cool name for a director of cyber-security experts. I'd pay ten bucks for an autograph on a genuine Homeland paper. No, not an identity theft, just a collector's item!
There you are, staring at me again.
sniffle sniffle
EGOTIST, n. A person of low taste, more interested in himself than in me.
What can we do about this? put a signal in the sky and hope for help (NOT an "amber alert" mind you)
OR maybe running scared or scaring others isn't the most productive solution. NOT creating problems in other countries might help...
Look at the organised response to Blue Security. The internet is threatened, and a significant organised response to the threat is required.
"WHY THE HELL HAVEN'T THEY DONE IT YET?"
Training maybe? Planning a coordinated attack? There are plenty of reasons. It is better to attack when it is advantageous than to attack when it is simply possible.
It's the same problem that existed with WOPR in the Wargames movie - connected and unmonitored phone line and backdoor password. But with SCADA systems, many companies just leave the default usernames and passwords active. With a wardialer you could find SCADA systems, but you need the same SCADA package that runs on the target to be able to communicate with it unless you really wanted to make an effort to decrypt the communications protocol.
The only thing that has stopped someone from accidentally hitting a SCADA system just like the plot in Wargames is the lack of widespread knowledge about SCADA system software packages and that even minimal SCADA packages cost more than $1000 - however, there are free demo packages available. The only thing that a person could access would be production data and maybe a few phone numbers, but they could totally control the production process and cause chaos.
Many SCADA systems also have things like VNC or PCAnywhere running on them with minimal security. I've worked on SCADA's in one country while sitting in another just using a phone connection. I've also worked on SCADA's across the Internet. This saved the company plenty of money and was quite convenient, but anyone else could have done the same thing if they had known the IP address or phone number. Of course we used passwords, but not everyone that uses remote connectivity bothers with passwords even on a SCADA system.
Until a spectacular attack actually happens, SCADA security will continue to be pathetic. I'm surprised that such an attack hasn't happened already. When the Great Lakes area/New York power failure occured, the first thing that I suspected was an attack on the power companies SCADA systems. Supposedly that isn't what happened but such an attack could yield similar if not worse results.
The real threat is someone with bad intent getting a job at Lucent and putting a backdoor in the telephone switch code, and another guy who is affiliated with him who gets a job at Microsoft and puts a backdoor in Windows, and a third guy who got a job at Sun hacking up Solaris, and another guy gets a job doing the software for gas pumps, and another gets a job at Diebold, etc.
When they send out The Signal, every computer system with a modem gets it, (including the gas pumps, who use their phone line to check credit cards...) and they send to every system they can reach over the internet. So you get a multipoint flood of what's apparently a multi-platform worm/virus...
The bad guys can make phone calls to contact one another, (cause they phreaking 0wn the phone system) but no-one else can, and the power grid goes down (cause they got the controlling Solaris boxes), and every gas pump in the country stops working (or starts spewing gasoline all over the ground?) The ATM's start spewing money on the ground...
And of course to find out how they did it, you need to peruse the entirety of those assorted operating systems to find a "bug" that's intentionally well hidden... How long do you think it would take? Days? Weeks?
Until we start building software systems in a manner that assumes possible evil intent from our devlopers, and tests and reviews the living daylights out of them, we won't have a defense against this. Oh, and by the way, it will catch lots of basic garden variety (non-evil-intent) bugs, too.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
well, maybe the FUD is somewhat justified.
http://en.wikipedia.org/wiki/Bluesecurity
Right, and that's why it's Richard Clarke being quoted and the Independent running the story.
Idjit.
Consider this...
In Australia, our annual death toll due to road accidents is about 1500 - 2000.
The annual death toll due to terrorism is about 0.
'Terrorists' are rank amateurs at killing. We are so much more efficient at killing ourselves!!!
I accept that terrorism exists but we could do so much more to combat it by being good regional and international citizens, than by introducing draconian measures (ID cards etc) that do nothing more that penalise the law abiding citizens.
Wanted: A better sig than this one. I have neither the wit nor motivation...
If someone can imagine such malicious acts of caos on a scale of theoretical proportions. then consider it a possiblity. 'Be afraid, be very afraid' and do something to prevent such a process. If someone can think of it, chances are possible.
Uh, most of the people who died on 9/11 were scrunched by a falling down building, not blowed up. Others falled, were burnded alive, etc. Compare to getting your brains blowed out by a robbery-doing person guy with a gun-type fire arm device. I would prefer the ladder to the formal. This is just my only personality op onion, though.
Welcome to Slashdot, Mr. President!
Easy.. Said terrorist creates fake web page claiming dousing your car's interior with gasoline while smoking cigarettes increases fuel mileage. Said terrorists then spams millions and millions of people with link to the page. 99.9999% of the recipients are smart enough to realize that dousing your car with gasoline is very dangerous, the other people's cars go boom.
:)
But the important question is if those who's cars go boom could qualify for a Darwin award or not