CyberTerrorism - Reality or FUD?
Random Utinni writes "The director of the U.S. Cyber Consequences Unit (part of Homeland Security) claims that terrorist hackers are poised to create total chaos. He predicts all sorts of scenarios, from changing the formulae for medications to causing cars to explode after a few weeks of driving. Is this guy fearmongering for an increased budget, or is he on to something here?"
The term is being used to justify basically anything the American government wants to legalize to suppress its people's rights. The reason? Who knows..
Is that the best they can come up with?
Attacks on SCADA systems?
Who puts their vital power infrastructure controls online anyway?
I cry FUD, and let slip the dogs of mainstream media.
I am a leaf on the wind
I mean, really, this all sounds more like industrial sabotage than terror. I mean, are you really going to have people running in fear for their lives that... say... the next time they fill up their car, the gas pump might explode? Or that any pill that they take next could be their last?
Most acts that they're looking at would be one time things, and isolated/restricted in nature. (Also making it easy to identify/avoid/fix.) I can't see that something like this would actually cause terror.
Again, CyberSabotage. Nothing more.
It would take an expert insider a lot of work to cause the kind of catastrophes the author is predicting here. Making a bomb is a quick, easy way to kill a lot of people, and it gets a lot more media attention. It's also much closer to Al-Qaeda's traditional area of expertise.
I hereby place the above post in the public domain.
From TFA:
"Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks.
Then especially in the case of terrorists, WHY THE HELL HAVEN'T THEY DONE IT YET? If one of them had a shot at bombing the White House tomorrow, do you think he'd say "Eh...no, I'd rather wait until next week and hope they don't improve security by then."
This is not fearmongering for money. This is fearmongering for POWER - and the power they're going to shoot for is the power to control the Internet.
What a hell of an ironic name for that guy, Borg. I think that might tell us about everything we need to know.
To fight the war on terror, stop being afraid.
Period.
"Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse."
Am I the only one who is thinking? Why the hell are these things connected to the Internet then? And if it's an absolute must, why not set up the companies using a system like the US Government's SIPRNet?
Maybe there was no Y2K disaster because people were poring over code and fixing them before they happened?
I saw some testing of systems in '95, I can tell you for a fact that they would have failed in some very spectacular ways.
It's like knowing there is going to be a tidal wave at a specific time. Then building a huge wall to prevent it. Then when the wave comes and the wall prevents people from dying, people say "That wasn't so bad, we shouldn't have built the wall."
The Kruger Dunning explains most post on
The SCADA equipment does not have to be Internet accessible,
it just has to have a corrupted Windows box attached to it.
You are being MICROattacked, from various angles, in a SOFT manner.
As far as fear mongering, you don't get a $93 million dollar budget for simply recommending that companies follow well established security procedures, including vigilance against social engineering.
Well done that man...
I get sick and tired of the "Y2K was all nonsense" line of argument. I saw plenty of companies that would have been unable to function without their Y2K upgrades.
Sure, the Hollywood spectacular was never on the cards, but we all knew that right?
Y2K was real. It was a problem. We solved it. Well done to all concerned.
I am a leaf on the wind
Okay, folks, tell me: what can a cyber-terrorist do to a car that will cause it to burst into flames in a few weeks? All I can think of offhand is changing the spec for the gas line to gum rubber instead of neoprene, or something like that --- and, of course, no one involved will ever notice, because cars are completely assembled by robots and no human ever sees the specs, buys the materials, or checks the figures.
And, if they were to do so, what happens? Someone announces a recall and a bunch of people take their cars to the dealerships.
Hell, why not do it the cheap way: wait until there is an accident, and just announce that it was done by your super secret ninja terror 31ee7 hax0rs.
Or consider the sources: this guy from the "U.S. Cyber Consequences Unit" --- with their empty website on a non-government '.us' domain.
Remember, kids, only a few years ago, the world didn't need computers to run. Chemical plants and other control systems have failsafes and safety valves and emergency shutdowns; people survive power blackouts, even if the birth rate does go up; we still have analog radios and mechanical water valves.
On the other hand --- here's some guy with a nifty-sounding name on a web-site, and Richard Clarke, who has been making a living from running around with his hair on fire ever since he said cyber-terror was a bigger threat than al Qaeda. Get a little attention, and people will start taking their calls again; maybe the "USCCA" can even hire someone to make a web site.
Who benefits from this story?
I thought he might have something until I got to the exploding car part. Everything up to that is very unlikely, but probably doable for a determined attacker with local access. And there might even be some companies who put part of their SCADA on the internet--all of them deserve whatever they get. But changing medications and "car specifications so they explode after a few weeks"? Give me a break. Cars do not explode due to spec changes--short of including a pound of C4 and a triggering device in the spec. The worst might be putting a virus or trojan into the engine electronics that would lock the engine. And while cyberterrorists broke into a pharmaceutical company's central computer and changed the recipe for a pill to kill people on the Brit MI5 spy series, systems like that are not online and there is something called quality assurance--as in testing each batch before it goes out to the customers. So an attacker would need local access to the production facility, the automated QA, the manual testing, ... I think this guy is watching too much TV. He would just have disqualified himself in any sane governmental organization. Thank god the DHS is not one of them.
There are serious cyber threats, though, denial-of-service attacks, attacks on online trading systems, ... But that was probably not as dramatic as exploding cars.
september 11th was implemented with boxcutters
so let's lose the technophilia when addressing terrorism
it's the low tech/ no tech exploits that should be our focus
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Cindy Sheehan was really effective against Bush for a while because she's a strong family-protection figure who made it clear that Bush had endangered her family rather than protecting it. And Katrina was even more effective, because it demonstrated that Bush wasn't decisive, or strong, or competent, when faced with an actual threat that he couldn't control but could have responded to. Osama bin Laden was just fine - if you're crying Wolf Wolf and a real Wolf shows up on occasion, that demonstrates that your strong leadership is needed just like you said.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I would like to see some discourse on the ability of these FUD spewers to actually react or inform people on actual network security.
I attended a cyber security thing once put on by these guys. It was completely worthless. When I say completely worthless I'm talking screendoor on a submarine worthless.
A scenario: "Half of your computers on the network are infected by a virus, it is tying up your internet bandwidth trying to spread itself, what do you do? what...do...you...do?"
Ok, for 1 if you're worth a damn you don't open port 25 outbound to client PCs anyway and proxy most internet traffic. The only outbound ports are for legacy systems with dedicated IPs. Second, say you do notice your bandwidth is consumed by something. Sniff the port, and close the firewall rule for said traffic until you have the info to take further action. Implicit deny anyone?
Their scenario was geared toward the morons of the IT industry who might truly be perplexed by such a situation, but I found it laughable.
That wasn't the totally useless part. The exercise as it was to be performed: IT provides the info on systems we are running and possible vulnerabilities. They come up with semi-plausible scenarios to exploit them. But in this event the EOC is fake-active and public safety officials are in a paper simulation of cyber attacks going on in their network. Notably, the analog radio system at the core is not mentioned.
For every problem the solution would be to call IT. IT isn't even part of the exercise. Our fire chief, who knows fire and fire personnel management inside and out, doesn't know the difference between PCL6 and PostScript. Nor would anyone in their right mind ask him to write an ACL for Cisco equipment, much less give him enable privileges. Not that he would ask for them, he knows better. He knows that if you have a leaky pipe you call a plumber, not an ambulance.
So the point of the whole exercise is to blow taxpayer money, ensure that public safety knows the numbers of appropriate IT personnel, possibly expose idiotic IT practices, and give public safety guys a little more FUD stress they could do without.
Have they even simulated what would happen if a local ISP had a truck full of manure driven into it? That could easily take out half a city's internet and probably a few people downstream in a single point of failure. Would it affect first responders? Not at all. They have radios.
I can't imagine many scenarios where cyber terrorism would be life threatening. Possibly have an economic impact, but I bet it would pale in comparison to phishing scams which they can't even police now.
So I don't think this guy is fearmongering. He is doing his job just as a fireman who tells you your house is going to burn down.
After reading your comment I found that I totally agree with you. He's not fearmongering but the article sure is!
I didn't see a single quote in that article with reference to terrorism. The quotes from those interviewed referred to criminal activities, but the terms "terrorism" and "cyber-terrorism" were thrown in by the journalist. Why? Does it matter if they're "terrorists" or not? I couldn't care less - the potential consequences are what matters.
The only reason why the reporter uses the word "Terrorist" is because it gets far more attention than the pre 9/11 "Hacker".
"Who says nothing is impossible? Some people do it every day!" - Alfred E. Neuman
Here's what I've read so far before posting this note:
Some number of people say "political fearmongering". But most of them don't provide evidence to the contrary.
Some number of people say "absolutely real". Many of them express similarly unfounded views to the 'political fearmongering' crowd.
Some number of people say "there might be something here, but some of the scenarios are pushing it."
A few people cite personal knowledge/experience with respect to what could be done.
Now here's my $.02.
1. First we get into the discussion that's been around the block about whether or not any specific vulnerabilities on any specific system should be revealed. If you take the side of "no, keep it secret", you're back to the "do I trust this poster?" But some feasible/credible scenarios/examples have been posted, enough to counter the "reject out of hand" responses.
2. That being said, I have heard credible people talk about these kinds of scenarios (particularly with respect to the power grid) for at least 8 years. So I -explicitly reject- those who think this is an out-of-the-blue kind of thing. (I can't say if part of the motivation were political. What I can say is "this is not new...")
3. Certainly -some- computer viruses have the capability to do lots of malicious things to arbitrary computers. If these were targeted to specific machines with specific vulnerabilities (e.g. the LA Freeway signs or the traffic light control system for Manhattan traffic signals), it's easy to see the substantial consequences.
4. If I knew of specific efforts by either good guys or bad guys to do these kinds of things, I -sure as hell- wouldn't be posting here. That being said, I suspect I know people (who I'd consider 'good guys') who are both planning and prototyping 'offensive e-warfare', as well as 'defensive e-warfare'.
5. So my bottom line: Current systems, and not just Windows PCs, probably have substantial unacceptable vulnerabilities. I don't think someone can implement the "WarGames" (movie) scenario, but I do think that the ability to do things like mess with traffic signals or the power grid switching system is real.
The analogy with Y2K is only partly appropriate. There we -knew- when the bad thing could happen, and there was a concerted, very tightly focused effort to prevent it. But some of the scenarios that could have happened with unpatched Y2K software were very well documented and very real.
So as a community we need to consider these kinds of threats, not in the sense of 'fearmongering', but in the sense of "what should we be doing to (a) prevent, (b) detect, (c) mitigate these kinds of attacks?"
dave
Instead they have what they consider a growing problem with domestic terrorists. That's right, their own citizens taking terrorist actions against their government. Except we in America don't consider it terrorism because we don't like the Communist totalitarian rulers of China. So you tell me which is preferable, being hated by extremist members of other countries, or being hated by the general population of your own country. Take your time, I'll wait.
just some guy
Time to terrorize the public again.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!