Slashdot Mirror
US Prepares for Eventual Cyberwar
The New York Times is reporting on preparations in the works by the US government to prep for a 'cyberwar'. Precautionary measures are being taken to guard against concerted attacks by politically-minded (or well-paid) hackers looking to cause havoc. Though they outline scenarios where mass damage is the desired outcome (such as remotely opening a dam's gates to flood cities), most expect such conflicts to be more subtle. Parts of the internet, for example, may be unreachable or unreliable for certain countries. Regardless, the article suggests we've already seen our first low-level cyberwar in Estonia: "The cyberattacks in Estonia were apparently sparked by tensions over the country's plan to remove Soviet-era war memorials. Estonian officials initially blamed Russia for the attacks, suggesting that its state-run computer networks blocked online access to banks and government offices. The Kremlin denied the accusations. And Estonian officials ultimately accepted the idea that perhaps this attack was the work of tech-savvy activists, or 'hactivists,' who have been mounting similar attacks against just about everyone for several years."
I mean who the FUCK would be stupid enough to have the controls for a Dam connected to the internet?
"Make cyberlove, not cyberwar!"
don't connect the dam floodgate controller to the internet ?
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
As the government is getting ready for the upcoming cyberwar, the following ad was noticed in a local newspaper:
We're looking for a young man named John Connor, to lead our efforts in the war against the machines. We offer $1000 to anyone who has any substancial information in discovering his location. If you can help, please dial 1-800-ILL-BE-BACK.
- The Government (it's not Terminator this time, I swear)
Well, everyone needs a credible enemy to keep themselves in a job. I mean, what would all those government agencies do with their time? The whole thing is just playing peoples worst fears, and the scenarios they've got there are straight out of Die Hard......or that film Sandra Bullock was in, and of course the all have no basis in reality.
;-).
Bring back the Cold War, that's what I say, and it looks as though they are. This whole terrorism thing just isn't working out
In 2007, cyberwar was beginning.
Why is it that america is always preparing for a war? a war on 'terrer', a cyberwar, a war on drugs, a war on immigrants, a war on pirates, a war on guns. When is the last time america made peace?
I guess big budgets need big reasons
funny pics
Back in the late '90s I was infected by my first virus. I had never connected to the internet, I had just used the library and school computers. Somehow, I still managed to get a virus on my floppy diskette.
I don't think it is unlikely that there are people who hook their laptops up to their work network, and I suspect it is even more likely that people plug in a floppy/thumbdrive/cdrom from home. I don't doubt that it would be safer to stay disconnected from the Internet, but a handcrafted virus would be far more likely to avoid detection by most antivirus and probably accomplish just as much in a hacker war. It would have to be a targeted program, but that is really the point isn't it, that hackers could be targeting networks that are supposed to be secured. Of course, it probably doesn't help security that they probably assume their network is safe.
B) Eliminate all the stupid users. This is frowned upon by society.
***Isn't this blown out of proportion, again?***
Probably not out of proportion. The military has separate secure communications, but civil society doesn't. And many of our key networks aren't exactly robust. We've had incidents in the past of phone networks going down because of bad software upgrades to switches. And of power distribution networks going down for no very good reason and taking many hours to get back up. And satellites going out.
So what happens when a technically savvy bunch of folks with a point to make starts off by hijacking Microsoft Update to zombiate millions of PCs, uses other update services to brick all sorts of devices, then simultaneously goes after the DNS servers; North American power grid controls; and every satellite link they have previously found a vulnerability in? What if they can take down major parts of the cell phone network? Probably they can DOS the financial service network providers if they can't hack into them -- No functioning ATMs and likely no functioning banks and likely few functioning stores of any kind. And they reprogram a lot of the nation's traffic signals to turn all lights green permanently. They do the same for the railroads. And they turn off the natural gas distribution system -- in January. And they shut down the aquaduct pumping stations feeding Southern California. ... etc, etc, etc. And finally, they shut down as much of the phone system as they can get to.
A serious attack by a technically savvy attacker with significant resources and a good plan can very likely do most of those things and a great many more.
If an attacker can do even a quarter of that, it'd take any industrial country a week to get back up after a fashion, and months to really get things back under control. So, no, it's probably not blown out of proportion.
***I mean who the FUCK would be stupid enough to have the controls for a Dam connected to the internet?***
What is the cheapest and most cost effective way to control a remote power facility? And who says cyber attacks are limited to the Internet? If your dam is 300 miles away, you're going to need remote access -- at least for monitoring and quite likely for command and control. Seems to me like most, maybe all, of the technologies to do that -- internet, phone network, satellite, radio links, etc--are open to interception and attack. Even if you can't break into the control link, you likely can deny service in one way or another.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
That's right, because we all know that bullies only beat up other bullies. </sarcasm>>
I love that people assume that the US is a target because of it's actions. I wonder if these are the same people that assume that Microsoft gets hacked because it is an 'evil' company. Let me say it plainly: The US is a target because the US has a lot of money and influence. Microsoft is a target because they have a large number of users. There may be thousands of other reasons, but that is the real reason there is such a disparity in attacks against the two. I am not saying that MS shouldn't be a moral business or that the US shouldn't improve it's interactions in the world, I'm just saying that doing either one will not make a significant difference in the number of attacks.
Both have a need to do the same thing too, actually. They need to improve security and do it in such a way that it doesn't harm their base.
B) Eliminate all the stupid users. This is frowned upon by society.
Every US "Cybersecurity Czar" has quit in disgust. The Homeland Security agency can't even find someone to run the office, because it's a total joke.
Meanwhile, the US has already been under siege by China in a full-blown cyberwar for several years.
It's cheap to attack the US tech infrastructure, and expensive to defend against it. That's what asymmetric warfare, like terrorism, is all about. So 6 years into Bush's Terror War, and the government is still preparing to get started, while our enemies just surge around us.
--
make install -not war
Okay, this is serious, and the US could be in serious danger. Here's my plan for action to make sure we can come through a potential cyber-war victorious:
1. "Security through Conformity": Standardize on exactly one platform. Make sure everyone in government is using it. That way, if we discover a gaping security hole in that platform, we only have to patch one type of system. Homogeneity is the key.
2. We need to put our trust in professionals. That one platform should definitely be Microsoft Windows. Sure, having people from all over the world looking for bugs might be quicker and more effective, but that also means that people from all over the world have the potential to find a security hole, but we have no clear target to blame for that security hole. And don't forget that backdoor that was almost slipped into Linux (though, fortunately, caught before it got into source control because of all of the people able to look at it)! We wouldn't have to worry about that with Microsoft Windows
3. Don't leave computer decisions in the hands of long-haired computer geeks who spend all day working with technology. They tend to have decidedly leftist--if not communist!--leanings. All IT decisions for the US government should be made by the people best qualified to make them: Career bureaucrats.
Can't they call it "Digital Warfare" or "Internet Warfare"?
"Cyber" is so 1990's... anything that inserts it into the language more often is a nuisance. Can you imagine if it gradually became a synonym for "good"?
Dude, that pizza was totally cyber!
Ugh...
Just fix the darn protocols, dammit. It's been a year since Blue Security was taken down by PharmaMaster and NOBODY has done ANYTHING to prevent any subsequent DNS amplification attacks from happening.
If ISPs at least blocked forged-ip packets from exiting them, then THAT would be a nice start.
I am a registered professional controls engineer. I design and manage a large SCADA system. I'm also a member of the SP-99 standards committee (the ISA standard for industrial control system security).
Industrial Control System Security is the subject of many books (with many more on the way), security committees, and even pending regulation. I could spend a long time trying to explain why things are the way they are. Here's an overview of the issue:
1) SCADA systems started out in isolation. Most were never designed for internet access and many were designed without any thought to security because there is a more important concern: Reliability and performance.
2) Office folks got wind of what information could be had from SCADA systems and the next thing that happened were a mass of people clamoring for the data. However, very few gave much thought to how that data could be extracted securely without affecting the reliability or performance of the system. As a result, there are many security compromises.
3) It's not easy to retrofit security in to an existing SCADA system. It would be like putting seat belts and air-bags on a Ford Model T. Such measures will help, but what is really needed is a re-engineering of the whole system.
4) Many of the protocols we use every day live in carefully validated embedded systems. You can't just "update" them without digging in to a morass of other embedded systems issues, in addition to the protocol itself, you have issues of performance and expected behavior. For this reason, updates of embedded firmware are rare.
5) SCADA systems live for a long time. Typical lifetimes are at least 10 years for the field devices and five years for the control room software and hardware. These configurations are carefully validated (a very tedious and expensive process), so companies are loath to upgrade them unless there is a very good reason to do so.
I can go on, but that's should give you a taste of what the situation is.
Now for the reality of interational red-teams. Yes, they exist. The US has them too. I don't design for a red team. First, that would require very frequent software upgrades, something which I've already explained is not feasible for most SCADA system operators. Second, we opt for defense in depth. We try to segment our systems so that they fail in to smaller peices which are semi-autonomous in themselves. They won't be as efficient, but they will continue to work. And finally, in case you hadn't noticed, we design our physical security to eliminate the casual vandal, not the determined para-military group. The cost of going fully secure is so high that nobody would be willing to pay for it.
At the utility where I work, we keep our SCADA system carefully shielded behind firewalls. Yet many other SCADA system managers do not understand the security issues because they're not IT savvy. Conversely, most IT staffers in utilities and manufacturing companies do not understand what a SCADA really is and does. This is not just another app. The notion of a real time or even a near real time system is alien to most. Furthermore, there is no such thing as "rebooting" in this business. In most IT applications, restarting the application or rebooting the machine is routine. Not so in SCADA. If we restart, we often lose track of many critical on-going processses. You see in most IT applications, they are the whole system. With SCADA, there is a physical world of things going on with or without them. If you're not up and running all the time, you're probably going to miss something critical.
Finally, opening dams by remote control isn't likely. We have dams where I work too. Even if we did open them by remote control (we open ours manually), the systems that we use are as far as possible from the internet, and even our office intranet. Yes, we can wash out parts of a town downstream if we're not careful. The operators of such dams are licensed and they must be very careful about how the
Nearly fifty percent of all graduates come from the bottom half of the class!