Slashdot Mirror
CyberTerrorism - Reality or FUD?
Random Utinni writes "The director of the U.S. Cyber Consequences Unit (part of Homeland Security) claims that terrorist hackers are poised to create total chaos. He predicts all sorts of scenarios, from changing the formulae for medications to causing cars to explode after a few weeks of driving. Is this guy fearmongering for an increased budget, or is he on to something here?"
It's no good burying your heads in the sand. Cyberterrorism is VERY real
the term is being used to justify basically anything the american government wants to loegalize to suppress its peoples rights. the reason? who knows..
Is that the best they can come up with?
Attacks on SCADA systems?
Who puts their vital power infrastructure controls online anyway?
I cry FUD, and let slip the dogs of mainstream media.
I am a leaf on the wind
We all know the most efficient way to cause chaos over the internet is to control the traffic lights to all turn green at the same time.
I can't wait for it to actually happen.
Reminds me of the up coming horrors of Y2K that amounted to a few slot machines not working after midnight.
;).
Although chicken littles can be right once in a while given the sheer number of warnings tossed about, and then no one listens to them when they should have
I mean, really, this all sounds more like industrial sabotage than terror. I mean, are you really going to have people running in fear for their lives that... say... the next time they fill up their car, the gas pump might explode? Or that any pill that they take next could be their last?
Most acts that they're looking at would be one time things, and isolated/restricted in nature. (Also making it easy to identify/avoid/fix.) I can't see that something like this would actually cause terror.
Again, CyberSabotage. Nothing more.
It would take an expert insider a lot of work to cause the kind of catastrophes the author is predicting here. Making a bomb is quick, easy way to kill a lot of people, and it gets a lot more media attention. It's also much closer to Al-Quaeda's traditional area of expertise.
I hereby place the above post in the public domain.
From TFA:
"Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks.
Then especially in the case of terrorists, WHY THE HELL HAVEN'T THEY DONE IT YET? If one of them had a shot at bombing the White House tomorrow, do you think he'd say "Eh...no, I'd rather wait until next week and hope they don't improve security by then."
This is not fearmongering for money. This is fearmongering for POWER-and the power they're going to shoot for is the power to control the Internet.
What a hell of an ironic name for that guy, Borg. I think that might tell us about everything we need to know.
To fight the war on terror, stop being afraid.
Period.
"Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse."
Am I the only one who is thinking? Why the hell are these things connected to the Internet then? And if its an absolute must why not setup the companies using a system like the US Governments's SIPRNet
I'd like to suggest he is on something rather than on to something.
The SCADA equipment does not have to be Internet accessible,
it just has to have a corrupted windows box attached to it.
You are being MICROattacked, from various angles, in a SOFT manner.
As far as fear mongering, you don't get a $93 million dollar budget for simply recommending that companies follow well established security procedures, including vigilance against social engineering.
As a former public servant, I can tell you that fear-mongering and blowing things out of proportion is an important way that a department justifies the resources they are using.
"damnit, trolley I want in your signature." - Elburrito
then tylenol scare?
Yeah, if people started dying because medical drug formulas were screwed up, it would cause terror, and for a longer time then a bomb could.
The Kruger Dunning explains most post on
Many years ago, I worked for a small company that had a contract to service the massive dot matrix signs that are spaced every few miles along the Southern California freeway network.
As part of the job, we were given a portable ascii terminal to enter test pattern data directly into the sign controller. Just for fun, we held an internal contest to think up 'What was the worst possible thing that we could type into the portable terminal for posting over the freeway at rush hour'.
The winner?
"INCOMING NUKE ATTACK - EST 15 MIN"
Just imagine the bedlam .
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
This doesn't seem like strictly "cyber" terror. My guess is that things like power plants valves and switches, prescription formulas, and car design specifications are NOT ON THE INTERNET. This is industrial sabotage, which requires physical access to the resources. The "cyber" part just means that computers are somehow involved. So what we have here is just a new way terrorists can fuck with us that we need to pay attention too.
Certainly people running power plants or pharmaceuticals need to secure their own internal computer network to keep some guy from reaching over a secretary's desk and altering the recipe for Prozac. But calling it "cyber" terrorism is just going to scare people into allowing the government to monitor their Internet traffic. After all, you wouldn't want a terrorist breaking into a nuclear powerplant over the Internet would you?! It's just another power grab instead of sanely alerting the respective authorities.
Did you ever notice that *nix doesn't even cover Linux?
Okay, folks, tell me: what can a cyber-terrorist do to a car that will cause it to burst into flames in a few weeks? All I can think of offhand is changing the spec for the gas line to gum rubber instead of neopreme, or soemthing like that --- and, of course, no one involved will ever notice, because cars are completely assembled by robots and no human ever sees the specs, buys the materials, or checks the figures.
And, if they were to do so, what happens? Someone announces a recall and a bunch of people take their cars to the dealerships.
Hell, why not do it the cheap way: wait until there is an accident, and just announce that it was done by your super secret ninja terror 31ee7 hax0rs.
Or consider the sources: this guy from the "U.S. Cyber Consequences Unit" --- with their empty website on a non-government '.us' domain.
Remember, kids, only a few years ago, the world didn't need computers to run. Chemical plants and other control systems have failsafes and safety valves and emergency shutdowns; people survive power blackouts, even if the birth rate does go up; we still have analog radios and mechanical water valves.
On the other hand --- here's some guy with a nifty-sounding name on a web-site, and Richard Clarke, who has been making a living from running around with his hair on fire ever since he said cyber-terror was a bigger threat than al Qaeda. Get a little attention, and people will start taking their calls again; maybe the USCCA" can even hire someone to make a web site.
Who benefits from this story?
I thought he might have something until I got to the exploding car part. Everything up to that is very unlikely, but probably doable for a determined attacker with local access. And there might even be some companies who put part of their SCADA on the internet--all of them deserve whatever they get. But changing medications and "car specifications so they explode after a few weeks"? Give me a break. Cars do not explode due to spec changes--short of including a pound of C4 and a triggering device in the spec. The worst might be putting a virus or trojan into the engine electronics that would lock the engine. And while cyberterrorists broke into a pharmaceutical company's central computer and changed the recipe for a pill to kill people on the Brit MI5 spy series, systems like that are not online and there is something called quality assurance--as in testing each batch before it goes out to the customers. So an attacker would need local access to the production facility, the automated QA, the manual testing, .... . I think this guy is watching to much TV. He would just have disqualified himself in any sane governmental organization. Thank god the DHS is not one of them.
There are serious cyber threats, though, denial-of-service attacks, attacks on online trading systems,... But that was probably not as dramatic as exploding cars.
now that it's been publicized we'll have terrorists sittin around in their boxers and socks drinkin beer at their puter screen giggling when they confuse the subway employees on the recipe for a roast beef sandwich.
re:"There will always be more terrorists."
Not if we had any balls and did the logical steps required to erradicate it.
See much terrorism in China? Why is that do you suppose?
Sweet, we might finally have a working Halt and Catch Fire command in our lifetimes!
september 11th was implemented with boxcutters
so let's loose the technophilia when addressing terrorism
it's the low tech/ no tech exploits that should be our focus
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The current administration has a long history of scaring
people into electing and re-electing them.
Or at least close enough to electing them that they can make up the difference.
KFG
Cindy Sheehan was really effective against Bush for a while because she's a strong family-protection figure who made it clear that Bush had endangered her family rather than protecting it. And Katrina was even more effective, because it demonstrated that Bush wasn't decisive, or strong, or competent, when faced with an actual threat that he couldn't control but could have responded to. Osama bin Laden was just fine - if you're crying Wolf Wolf and a real Wolf shows up on occasion, that demonstrates that your strong leadership is needed just like you said.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Such as MySpace, Rotten, RealUltimatePower, Scientology, etc.
r or/
Jokes aside, good read on CyberTerrorism before 911. Evidently CyberTerrorism isn't post 911 antics. It's been around for years now.
http://www.cnn.com/TECH/specials/hackers/cyberter
"Don't let fools fool you. They are the clever ones."
And it doesn't matter if they don't succeed as long as they brag a lot, because the public _knows_ there are more real scum out there than they can catch. And a scumbag who escapes or a cyberterrorist who hasn't done enough to get caught at it yet are both fine publicity (as long as they don't look like bleeding incompetents in the process) - it means they obviously need _more_ powers so they can catch the next one.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I would like to see some discourse on the ability of these FUD spewers to actually react or inform people on actual network security.
I attended a cyber security thing once put on by these guys. It was completely worthless. When I say completely worthless I'm talking screendoor on a submarine worthless.
A scenario: "Half of your computers on the network are infected by a virus, it is tying up your internet bandwidth trying to spread itself, what do you do? what...do...you...do?"
Ok, for 1 if you're worth a damn you don't open port 25 outbound to client PCs anyway and proxy most internet traffic. The only outbound ports are for legacy systems with dedicated IPs. Second, say you do notice your bandwidth is consumed by something. Sniff the port, and close the firewall rule for said traffic until you have the info to take further action. Implicit deny anyone?
Their scenario was geared toward the morons of the IT industry who might truly be perplexed by such a situation, but I found it laughable.
That wasn't the totally useless part. The exercise as it was to be performed: IT provides the info on systems we are running and possible vulnerabilities. They come up with semi-plausable scenarios to exploit them. But in this event the EOC is fake-active and public safety officials are in a paper simulation of cyber attacks going on in their network. Notably, the analog radio system at the core is not mentioned.
For every problem the solution would be to call IT. IT isn't even part of the exercise. Our fire chief who knows fire and fire personnel management inside and out, doesn't know the difference between PCL6 and PostScript. Nor would anyone in their right mind ask him to write an ACL for cisco equipment much less give him enable priviledges. Not that he would ask for them, he knows better. He knows that if you have a leaky pipe you call a plumber, not an ambulance.
So the point of the whole exercise it to blow taxpayer money, ensure that public safety knows the numbers of appropriate IT personnel, possibly expose idiotic IT practices, and give public safety guys a little more FUD stress they could do without.
Have they even simulated what would happen if a local ISP had a truck full of manure driven into it. That could easily take out half a city's internet and probably a few people downstream in a single point of failure. Would it effect first responders? Not at all. They have radios.
I can't imagine many scenarios where cyber terrorism would be life threatening. Possibly have an economic impact, but I bet it would pale in comparison to phishing scams which they can't even police now.
So I don't think this guy is fearmongering. He is doing his job just as a firemen who tells you your house is going to burn down.
After reading your comment I found that I totally agree with you. He's not fearmongering but the article sure is!
I didn't see a single quote in that article with reference to terrorism. The quotes from those interviewed refered to criminal activities, but the terms "terrorism" and "cyber-terrorism" were thrown in by the jornalist. Why? Does it matter if they're "terrorists" or not? I couldn't care less - the potential consequences are what matters.
The only reason why the reporter uses the word "Terrorist" is because it gets far more attention than the pre 9/11 "Hacker".
"Who says nothing is impossible? Some people do it every day!" - Alfred E. Neuman
Here's what I've read so far before posting this note:
Some number of people say "political fearmongering". But most of them don't provide evidence to the contrary.
Some number of people say "absolutely real". Many of them express similarly unfounded views to the 'political fearmongering' crowd.
Some number of people say "there might be something here, but some of the scenarios are pushing it."
A few people cite personal knowledge/experience with respect to what could be done.
Now here's my $.02.
1. First we get into the discussion that's been around the block about whether or not any specific vulnerabilities on any specific system should be revealed. If you take the side of "no, keep it secret", you're back to the "do I trust this poster?" But some feasible/credible scenarios/examples have been posted, enough to counter the "reject out of hand" responses.
2. That being said, I have heard credible people talk about these kinds of scenarios (particularly with respect to the power grid) for at least 8 years. So I -explicitly reject- those who think this is an out-of-the-blue kind of thing. (I can't say if part of the motivation were political. What I can say is "this is not new...")
3. Certainly -some- computer viruses have the capability to do lots of malicious things to arbitrary computers. If these were targeted to specific machines with specific vulnerabilities (e.g. the LA Freeway signs or the traffic light control system for Manhattan traffic signals), it's easy to see the substantial consequences.
4. If I knew of specific efforts by either good guys or bad guys to do these kinds of things, I -sure as hell- wouldn't be posting here. That being said, I suspect I know people (who I'd consider 'good guys') who are both planning and prototyping 'offensive e-warfare', as well as 'defensive e-warfare'.
5. So my bottom line: Current systems, and not just Windows PCs, probably have substantial unacceptable vulnerabilities. I don't think someone can implement the "WarGames" (movie) scenario, but I do think that the ability to do things like mess with traffic signals or the power grid switching system is real.
The analogy with Y2K is only partly appropriate. There we -knew- when the bad thing could happen, and there was a concerted, very tightly focused effort to prevent it. But some of the scenarios that could have happened with unpatched Y2K software were very well documented and very real.
So as a community we need to consider these kinds of threats, not in the sense of 'fearmongering', but in the sense of "what should be we be doing to (a) prevent, (b) detect, (c) mitigate these kinds of attacks.
dave
Instead they have what they consider a growing problem with domestic terrorists. That's right, their own citizens taking terrorist actions against their government. Except we in America don't consider it terrorism because we don't like the Communist totalitarian rulers of China. So you tell me which is preferable, being hated by extremist members of other countries, or being hated by the general population of your own country. Take your time, I'll wait.
just some guy
This is a bad thing, right?
Those people who believe things in spam and act on it, all being consumed in flaming conflagrations... is bad. Right?
Time to terrorize the public again.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
On one hand, you have computer virus, online identy thieves, even people who stealmoney online and think that they can get away with it.
On the other hand, 99% of 99% of the time it is down right FUD.
Alternatively, the FUD is the Cyberterrorism. Isn't that what terrorism is all about? Playing on the Fears, Uncertanty, and Doubts of others? "The boogy-man will eat you some day."
The truth is the Boogy-man is right here.
The perception that the boogy-man could be a computer geek with a vendetta, an Arabian man with a video camera, an Iranian man with a degree in chemistry, or an American who has a private adgenda all depends on who is giving us that message.
The message is no longer the truth, it seems, since the truth is constantly altered and edited to suit the interest of a few media conglomorates, corporations, and miserly zealots.
The boogy man is not Cyberterrorism, Bioterrorism, or even FUD.
The real terrorists are the FUD-packers who deliver the yellow journalism and lie to the terrorists and to the public.
The true devils are the ones whispering in your ear.
The Rapture is NOT an exit strategy.