Jane's Intelligence Review Needs Your Help With Cyberterrorism
Jane's Intelligence Review, a famous "in group" publication read by political, military and intelligence honchos the world over, has an article on Cyberterrorism scheduled to run in its next issue. But Jane's editor Johan J Ingles-le Nobel believes Slashdot readers may (ahem) actually know more about potential Cyberterrorism tactics than the article's author, and would like you to comment on his work - for publication. The article is up on a private preview page. Please read it, then post your comments. Johan will read them, here on Slashdot, and will select some of them for publication in Jane's alongside the original article. Before you post, please read a message from the Jane's editor (below).
These are the specific questions Jane's wants answered:
- Using CT, how easy or otherwise is it to bring down or attack vital systems?
- What sort of skills would be needed to do so, and are they common/teachable?
- Commercial-off-the-shelf software: can it really do CT?
- Which systems are actually attackable?
- Can a recovery be made from such attacks?
- Is it likely to improve/get worse?
- What sort of preventative work would you recommend them to carry out?
Many thanks,
Johan J Ingles-le Nobel,
London, England.
johan.ingles@janes.co.uk
The biggest threat with cyber terrorism is not so much direct attacks, but as a tool to gather information on organisations for other purposes. If a cyberterrorist attacks an ISP successfully they can gain access to many more networks belonging to the global customers: manufacturing concerns, government agencies, lobbies, financial institutions. The ISP is the passageway for all of its customers and a large reputable ISP can have direct access to all sorts of customer resources. Monitoring a central router at an ISP can be the ultimate wiretap. ISPs often have financial and personal data of customers warehoused for disaster recovery reasons; these resources are often stored on Internet-connected machines.
Worse yet, ISPs do not necessarily want to cooperate with officials. They do not want to be slammed with liabilities for their transmission of dangerous material. ISPs (last I checked) are not immune to this sort of legal attack like telcos are.
-Rich
In my opinion, the fundamental difference is that Cyber attacks are utterly unlike any other form of attack because they do not involve the delivery of large amounts of energy to the enemy (unless you would call EMP or HERF attacks "Cyber", which IMO would be wrong -- a HERF gun aimed at a computer terminal is really the same sort of thing as a grenade thrown at same.)
Cyber attacks, therefore, are aimed at the information, which is much less easy to destroy because of the possibility of making qualitatively and functionally identical copies. I'd divide cyber attacks into two species: "Destruction of information" (erasing) and "Corruption of information" (spoofing).
Erasing is very difficult to carry out because any system worth attacking is also worth backing up. I know that UK and US interbank transactions are backed up daily, with multiple remote backup tapes. Any Cyber attacker wanting to "destroy" the interbank market will cause the loss of at most one day's worth of transactions. Erasing attacks can be straightforwardly guarded against through multiple, remote (in both geography and network topology) backups, taken at sufficient frequency that the maximum possible loss is bearable for the system (the "safe frequency"). Any system for which the safe frequency is too low for the backup defense to be practical (for example, a power grid) should be kept remote from networks; although this does not defend against attacks from insiders, network seclusion should allow the terminals of the vulnerable network to be physically guarded.
Spoofing is much more difficult to guard against. This kind of attack comes in two flavours; attempts to create phony records, or phony messages in a system (such as creating false bank accounts), or attempts to create phony instructions to the processing system, causing a failure of the system which is as bad as an erasing attack.
The easiest way to defend against non-destructive spoofing would be to use backups once more, and to operate a kind of "double-entry book-keeping" which traces every record to its creation and requires consistency between numerous (again, preferably topologically remote) sources. This multiplies the difficulty of a Cyber attack, as the attacker now has to break several systems instead of just one.
Destructive spoofing aimed at the processor rather than its records is a different matter. Causing the processor to execute phony instructions could allow the Cyber attacker to erase records, transmit phony messages and, potentially, to "cover its tracks" well enough to escape consistency checks. Of course, this kind of attack is more difficult than any other -- usually the only way to get another machine to execute rogue instructions is to exploit buffer overflows.
I have no particular suggestions for defense against the final kind of attack, except for the rather obvious advice not to create situations in which buffer overflows can happen. The use of non-standard operating systems or instruction sets could, in principle, make it harder for an attacker to work out what to do with a buffer overflow once discovered, but to me, this seems too much like security through obscurity to be recommended.
I'd add that using the Internet as it is currently designed to communicate between members of a terrorist organisation would not be a good idea -- it goes against the "cell" concept which is known to be the best way to organise. Even messages on private bulletin boards carry enough information in the headers to allow substantial information about the whole network to be deduced for any security agency which can gain access to the routers.
Just some idle thoughts
jsm
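An added example, not code from jsm's post, of the "double-entry book-keeping" defense against non-destructive spoofing described above: every record is chained to its predecessor so it traces back to the ledger's creation, the same ledger is kept in several independent stores, and reconciliation flags whichever copy disagrees with the majority, so an attacker has to break several systems instead of one. The store names, record format and the two tampering scenarios are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

GENESIS = "0" * 64  # chain anchor for the first record in every store

def record_hash(prev_hash: str, payload: dict) -> str:
    """Hash of a record bound to its predecessor, so every record traces back
    to the ledger's creation. Canonical JSON keeps all stores in agreement."""
    blob = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

@dataclass(frozen=True)
class Record:
    seq: int
    prev_hash: str
    payload: dict
    digest: str

class Store:
    """One independent copy of the ledger, e.g. one site in the topology."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.records: List[Record] = []

    def append(self, payload: dict) -> Record:
        prev = self.records[-1].digest if self.records else GENESIS
        rec = Record(len(self.records), prev, payload, record_hash(prev, payload))
        self.records.append(rec)
        return rec

    def chain_ok(self) -> bool:
        """Local check: does every record link correctly to the one before it?"""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec.seq != i or rec.prev_hash != prev
                    or rec.digest != record_hash(prev, rec.payload)):
                return False
            prev = rec.digest
        return True

def post(stores: List[Store], payload: dict) -> None:
    """Legitimate write path: the same record is committed to every store."""
    for s in stores:
        s.append(payload)

def reconcile(stores: List[Store]) -> Dict[str, List[str]]:
    """Cross-store check. Returns {store_name: [problem, ...]} for every store
    whose chain is broken or whose records disagree with the majority."""
    problems: Dict[str, List[str]] = {s.name: [] for s in stores}
    for s in stores:
        if not s.chain_ok():
            problems[s.name].append("hash chain broken")
    longest = max(len(s.records) for s in stores)
    for seq in range(longest):
        votes: Dict[str, List[str]] = {}  # digest -> names of stores holding it
        for s in stores:
            digest = s.records[seq].digest if seq < len(s.records) else "<missing>"
            votes.setdefault(digest, []).append(s.name)
        majority = max(votes.values(), key=len)
        if len(majority) * 2 <= len(stores):
            for s in stores:
                problems[s.name].append(f"seq {seq}: no quorum")
            continue
        for names in votes.values():
            if names is not majority:
                for n in names:
                    problems[n].append(f"seq {seq}: disagrees with majority")
    return {name: probs for name, probs in problems.items() if probs}

def rewrite_in_place(store: Store, seq: int, payload: dict) -> None:
    """Constructed tampering helper: change one record and re-hash the rest so
    the store's own chain still verifies. Only the cross-store check catches it."""
    payloads = [r.payload for r in store.records]
    payloads[seq] = payload
    store.records = []
    for p in payloads:
        store.append(p)

def demo() -> Dict[str, List[str]]:
    # Constructed sample: three topologically separate copies of a settlement ledger
    stores = [Store("london"), Store("edinburgh"), Store("new_york")]
    post(stores, {"from": "ACME", "to": "BETA", "amount": 1000})
    post(stores, {"from": "BETA", "to": "GAMMA", "amount": 250})
    post(stores, {"from": "GAMMA", "to": "ACME", "amount": 75})
    # Scenario 1 (constructed): a phony record appended to a single store only
    stores[2].append({"from": "ACME", "to": "MALLORY", "amount": 9999})
    # Scenario 2 (constructed): an amount rewritten in one store, chain re-hashed
    rewrite_in_place(stores[1], 1, {"from": "BETA", "to": "GAMMA", "amount": 250000})
    return reconcile(stores)

if __name__ == "__main__":
    for name, probs in demo().items():
        print(name, probs)
```

A copy that is altered without re-hashing fails its own chain check; a copy that is altered and re-hashed passes locally and is only caught by the majority comparison, which is why the copies must be kept apart.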
Imagine, for example, a terrorist group with a skilled cracker included. They bomb a large public building, and then, at the same time, they knock out a section of the power grid around that building. Perhaps on a town/city level. How much would this hamper rescue efforts? How many more people would die due to insufficient response ability? And, perhaps most importantly, how much more effective at terrorising people would this be? The terrorists send the message "not only can we blow you up with impunity, but we can also take away things you depend on, like electricity."
Now, to be effective, electronic warfare must be carried out by someone who really knows what they are doing. A lot of people keep mentioning Bugtraq and L0pht advisories, but really, to be able to predictably and reliably cause serious havoc with this information, you need to have a large amount of clue. I do not count web page vandalism as "cyberterrorism" in any way. It's a lot more akin to spraypainting on walls. (Article hint: get rid of that part about terrorists altering web pages. That's just silly.)
The real short-term threat from electronic warfare, as I see it, is that when it is used in concert with other tactics, it can sharply magnify the effects of the attack. It will not be long before some group realizes and exploits this, and it will be ugly.
Publishing content to the web is not exactly a critical system, but I'd love to see your sources for the estimates on bank attacks. Having worked with banking infrastructure before I'd like to see some evidence here. I'm not saying you're a liar, but personally, I find that estimate highly doubtful.
(Unreachable does NOT equate to the scenario you outline, although that would be one way to arrange it. A network of computers, connected via the Internet, using a secure VPN, encrypted with an OTP of equal length to the data stream being transmitted, and per-packet authentication, where each computer was in a public facility but with shielding against radiation leakage or tampering, OTP-encrypted non-standard file systems, digital certificate-verified passwords, and where all user applications were verified against security holes, would also be completely secure against attacks.)
To be 100% secure requires not -physical- isolation, but VIRTUAL isolation. It doesn't MATTER if a person can -reach- a machine, by a physical network, in person, or whatever, if they can do nothing with that machine, once they get there.
Physical security, alone, is like a brick wall. Good against casual attacks, but useless against a demolitions expert. Virtual security, on the other hand, is not dependent on the technology or knowledge of the opponent. If it's sound, it's sound against anything, because it's only dependent on its own integrity, not on what's going on around it.
The military is notorious for thinking solely in terms of physical security, rather than virtual. That's why defences never last. They depend on their opponents, and their opponents are the last people the defenders should be thinking of relying on.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I thought the article as a whole was fairly good in regards to coverage of CBRN / "weapons of mass destruction" attacks. Unfortunately, it melded Cyberwar (or "Infowar" as it is more commonly known in industry) into the description of CBRN attacks which caused it to miss the point.
Infowar is inherently different from other forms of attacks. As several others have pointed out, Infowar attacks aim to disrupt critical infrastructure by undermining the computational basis of that infrastructure, as opposed to conventional attacks which just blow up the infrastructure, or CBRN attacks which kill all the people in/near the infrastructure.
IMHO, this is not the critical difference, as all these forms of attacks focus on disrupting the infrastructure.
The real difference, then, is in delivery. Conventional weapons must be built at physical locations, then transported (by land, sea or air) and delivered (by hand delivery, shelling, missile, etc.) All of these operations take place in more or less the same fashion regardless of whether the end munitions are explosive, chemical, biological, radioactive, or what have you.
On the other hand, the munitions of Infowar are constructed on computer and delivered by computers, with no transport phase. A competent cracker can understand, create, and deliver an attack without leaving his bedroom. The parts he needs are the same computers and modems that you and I buy off the shelves and the same software development tools (to create the attacking software) that all software developers use.
This raises another issue, which is competence. So called "script kiddies" may be able to take out a public web site, but it takes a lot more knowledge and effort to bring down critical infrastructure pieces (communications networks, power networks, banking networks) that are not connected to public networks, have some experience being attacked, and have the money to pay for better defense.
A country cannot hire a 15 year old off the streets to go take out the credit card networks. On the other hand, they can find some very bright 15 year olds and give them computers and pay them to sit around for five years until the now 20 year olds have the experience to make such an attack. The problem here is that such a strategy would be very hard to notice - satellites and HUMINT will help find a chemical weapons manufacturing facility, but they won't tell you which 6 post-adolescents in a company of millions are browsing amazon.com, which are downloading pornography, and which are preparing to steal the pension plans of all the toll collectors in the state of New York.
This example highlights another problem: the sheer variety of targets. Information technology touches so much of modern post-industrial society that just about anything you can think of has some form of vulnerability. We cannot patch all those holes - we cannot even identify them. What is vital? What can we live without? How much do we have to defend? A power company can harden its systems all it wants, as can a bank, but if the connection between the two is vulnerable they both suffer, along with all of both their customers. Your security is only as good as your weakest link.
As to specific questions asked:
* Using CT, how easy or otherwise is it to bring down or attack vital systems?
It depends largely on the people involved and the systems involved. Various people claim to be able to knock out vital systems today. An NSA experiment found that a group of trained crackers were able to penetrate the Pacific Fleet's infrastructure within a matter of weeks, without detection.
* What sort of skills would be needed to do so, and are they common/teachable?
For simple attacks against undetected targets on public nets, the skills necessary would be mostly social, and would involve getting access to pre-packaged attack software and using it. These skills can be learned online with very little effort.
For more complex attacks the attacker will need to be proficient in computer programming, computer system designs, and will need to spend time understanding the mechanisms and vulnerabilities in the target system. The attacker will need motivation, intelligence, intellectual curiosity, and will need to be comfortable with computers. The specific skills related to attacking (beyond knowing how to program, etc.) can be learned in months, with the techniques for any given attack needing to be developed on a case-by-case basis.
* Commercial-off-the-shelf software: can it really do CT?
To the best of my knowledge there is no COTS software that is designed for system attacks. However, there are many pieces of software available on the Internet that are used for such attacks, both as detection devices (a security tool that finds holes in your system can also be used against you) and as attack devices (programs which exploit specific features of known systems to attack the system, e.g. the notorious AOHell program for gaining free access to AOL).
* Which systems are actually attackable?
Any and all. There is no such thing as a completely secure system (or if there is, no one I know has ever seen it), only progressively more difficult systems. For modern Infowar the primary concern will be for systems that have some form of outside network access from which they can be attacked (e.g. anything on the Internet). Most intelligence agencies have "physically secure" networks, which indicates that they are never connected to other networks (such as the Internet). Someone attacking the NSA networks would have to actually enter an NSA facility to gain access to one of these networks.
* Can a recovery be made from such attacks?
It depends on the attack. If the attack intends to merely disrupt the quality of information (e.g. corrupt a target database to produce unreliable output) the system can generally be brought back from backup. If the attack triggers an event (such as launching a nuclear missile), recovery means reaction to the event rather than resetting the system to the status quo ante.
* Is it likely to improve/get worse?
It is likely to get worse and worse and worse as the number of computers in the world continues to increase. It will probably get dramatically better at some point as people finally become security conscious, then continue getting worse again.
* What sort of preventative work would you recommend them to carry out?
The best preventative work will involve security audits for critical systems, improved security measures for those systems, and training and protocol. Some examples of better techniques include:
* Better training for personnel dealing with computers. 80% of attacks are facilitated by poor security policies at the attacked organization.
* Ubiquitously available public-key encryption. Public-key encryption brings two forms of security: secured transport of information, and authentication of the transmitting parties.
A well rounded article for the most part.
Some comments:
On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CB/Cyber attacks much more feasible to launch than hitherto.
These documents (called anarchy philes for the uninitiated) have been around as long as the modem.
I remember first encountering them in 1989, and even then they had been around for ages. It wasn't until the "Information Revolution" that the media finally clued in to the existence of documents such as the Jolly Roger's Cookbook and the Terrorist's Handbook (the better known of many more documents) and started scaring the public with them. About the best you'd get from these documents are a few stupid pranks from the average idiot. Attempting to control these documents will have no effect whatsoever on any organized force of terrorists.
To launch a cyber attack, a terrorist group could purchase relatively inexpensive commercial-off-the-shelf (COTS) software and hardware, with some weapons of mass disruption software available on hacker bulletin boards and Web sites.
The "weapons of mass destruction software" available online is script kiddie material.
It's like using a handgun. You might be able to kill a soldier, but not a tank.
Most cracking that could do any real damage requires a highly skilled cracker at the wheel. Most skilled crackers make their own tools, and, like any profession, would NEVER release their best tools to anyone.
Always remember: The best protection from cyber attack is not to have the system hooked up to anything external.
Many modern control systems *DO* have a remote access capability. This allows engineers to log in remotely to troubleshoot problems.
Some of these control systems are based on Unix variants such as Solaris. Unfortunately, they are often administered by people that are completely unfamiliar with Unix and network security. At least one vendor that I know of asks that you do NOT change the root password on their system so that their support people can dial in and run system tests occasionally as part of their service contract!
Is this (1) a joke? (2) posted to show how clueless the people responsible for things like our interbank transfers and such are? (3) an appeal to what used to be called the military industrial complex for internet control and censorship? Seems mostly like the latter.
What is the reason for lumping together the two types of attacks?
I would think it's because they are both terrorist-style attacks. Attacks that have the ability to affect a great many people or to do great harm to a target, but that can be launched by a small enough organization that no deterrent (i.e. MAD) would be effective.
Using CT, how easy or otherwise is it to bring down or attack vital systems?
Any teeny could do this to an improperly implemented system. Some systems are inherently easier than others.
What sort of skills would be needed to do so, and are they common/teachable?
Many systems can be "attacked" in one way or another by downloading pre-existing software.
Commercial-off-the-shelf software: can it really do CT?
Some can, yes. Procomm Plus could be used to work around call-back security.
Which systems are actually attackable?
Anything someone can get access to. Meaning if it is possible for someone to access your system offsite for legit reasons then someone can do it for CT.
Can a recovery be made from such attacks?
Assuming PROPER backup procedures are in place and used then yes. Mission critical apps should have a secure redundancy system. Meaning a system that is up-to-date but NOT accessible, except onsite.
Is it likely to improve/get worse?
Hard to say, on one hand computers are getting more powerful, but on the other hand system people are now taking security seriously.
What sort of preventative work would you recommend them to carry out?
A sysadmin should always budget some of his/her time to attempt to break their own security by keeping up to date in what's going on in "the underground" in regards to their hardware and software. Then trying to implement it against their own system. Carefully.
Personally I believe that anyone who wants true security should have COMPLETE source code control.
If you want to do business with a vendor, then they need to give you source code; if the software is totally in-house then you need a team to double check it. And if you want to really test the system, set a test system up and offer rewards to whoever can crack it. Greed can work for you as well as against.
As with ALL types of security, it's a balance between how convenient and how secure.
Hello! I am Inigo Montoya, you killed my father, prepare to die
Ok, let's step back for a moment and think about this. 90% of this article is bunk because it fails to slip into the mind of the cyber-terrorist. Let's try to take a little trip into that mindset:
Let's imagine that you are an intelligent, well educated sympathizer with a cause in direct opposition to the aims of your intended CT victim. Note first how general I'm trying to be here. I'm not assuming that you are even attacking a government agency. Perhaps you are a religious zealot that wants to attack the Hollywood entertainment machine because of all the (as you see it) amoral filth it produces each year. It makes no difference to the mode of attack, or the general feel of what your mindset is.
You want to hurt them; show them you're right; show them they're wrong; make them change. So what do you do? Go on a shooting spree? Blow up a movie lot? Poison all the drinking water in southern California? No. You're too squeamish for all that. You don't want to get too close to death and destruction. You want to live to fight another day yourself too. No good getting caught, is it?
But then you see the way... You're good with computers and communications systems, you know electronics, you know networking, and you know how to find out all the particulars of any infrastructural technical system that they could possibly use.
You take your time learning everything you can. You are methodical and keep to yourself most of the time. You don't need an organization, you just need yourself. You can pull it all off yourself and you don't have to get caught.
A little social engineering and you have access to information about what computer systems they use, what communications systems are in place, what trash they throw in the dumpsters. Soon you develop a plan to strike, and you do it with no fanfare. Next thing you know it's Friday night and the latest Tom Cruise/Nicole Kidman flick pops on three thousand screens across America and the opening credits have been replaced with an offer to have the Book of Mormon shipped direct, at no cost, to all the viewers. Guess the film's distributor should have secured the email server better... maybe then you wouldn't have been able to forge the request from the CEO that the footage be replaced at the last minute and that the celluloid be shipped to the theaters immediately, without the need for internal review.
Seriously though... My point is that it takes only one person for CT. Anyone with a bone to pick and the time and determination can do it. Most of the time they'll be smart enough to not get caught. All that will be found to track them is the 'AOL coaster' account they used and the number of the pay phone in Salt Lake City they dialed from.
* Note: Please forgive me if you are Mormon, a religious zealot, work for a film distributor, or are a really sexy Hollywood bombshell. I like movies, really, and some of my best friends are religious zealots. No disrespect intended.
-- Begin thoughtfully, end insensitively.
-- Begin thoughtfully, end insensitively.
It has more impact that way.
If a wire carrying vital information exits a secure building, REGARDLESS of encryption CT can occur. A la wire cutters.
Hello! I am Inigo Montoya, you killed my father, prepare to die
One of the problems I've noted with the article as I've read it so far is the fact that, throughout much of the article, it talks in terms of "CBRN/cyber" as a single form of attack/device. But the article DOES make a differentiation in "External Hurdles", where the author finally states that "there is a clear distinction between CBRN weapons and cyber devices." Unfortunately, the author continues on the analysis about CBRN weapons, but never explains what that distinction is.
All in all, it seems to me that the idea of "cyber" devices for terrorism was added to the article as an afterthought, and that the analyst was either not knowledgeable or not skilled in incorporating the links between the two types of terrorism.
A more detailed response pending as I do some more reading, and have re-read the article a couple of times.
In the meantime, the article also uses "Thus" waaay too much. Thus this and thus that, and thus, the article sounds way too "rough" to be ready for publication.
I am looking for the passion that causes no suffering.
a terrorist team makes walking to the servers impossible. think crossfire, general mayhem. meanwhile, their crackers go in and mess with the systems, unhindered and unfettered by nasty sysadmins.
or... nerve gas dropped into an installation, killing/disabling most everyone inside. the nearest sysadmin capable? 100s of kms away. damn! now that walk is a long drive. too bad they can't just securely ssh in and take care of the problem remotely and quickly.
by limiting ourselves to the console we take that which empowers the 'enemy' (crackers) away from ourselves.
yeah, let's handicap ourselves.
no, the solution, imo, is to set up SECURE and STANDARD remote administration and have access to the machines only available when REQUIRED. letting someone sit in front of a machine is MUCH more dangerous than forcing them to access it over the net.
think about it: easier to gain access (rebooting is phun) and harder to trace, especially if they're wearing gloves =) networks give us a trace, a trail. physical access gives us nothing if they get past the defenses.
>> Phone rings. "I'm Bob in IT support. I'm having trouble with the modem bank. Can you check the modem to make sure it's turned on? Also, can I have the number to make sure I'm using the right one?" Of course, being the diligent and helpful worker that he/she is, they are happy to help.
Just got finished watching "Hackers"?? HEHE jk Actually your scenario can and does happen, just for some reason couldn't quite get the scene from Hackers out of my mind while reading your comment. I'm not insulting, just chuckling:) (or the sushi I just ate could be talking.. who knows)
If I were a global terrorist in the early 21st century, I would pay a lot of attention to the rampant insecurity of COTS installations at most web sites and ISPs. I would select my intended casualty audience and determine which type of damage (theft, threats, service outages, etc) would best terrorize that population. Then I would make a dynamic map of the C3I needs of that population, extended to include power, and find the most cost effective attack points. Perhaps that means exploiting poor RIP/BGP protocol interactions at the MAE level to disrupt North American Internet traffic during a televised protest, bombing Pamplona's power grid, or jamming AT&T switching equipment on Mother's Day.
The point is that a few Evil Geeks could do some really bad things to internet service if they were reasonably motivated and had attended the right party at DefCon. It seems likely that a terrorist organization willing to unleash Sarin on innocents would be quite interested in causing those bad things to happen.
Caezar
caezar@flashmail.com
>>Using CT, how easy or otherwise is it to bring down or attack vital systems?
Well protected, properly firewalled systems are extremely difficult to break, but government networks are notoriously easy to break. This is partially because their networks are admined by full time military personnel and contractors. The wages the government pays admins are ridiculously low for network admins and thus attract people who just don't have what it takes. From what I've been told, it's extremely unusual for a full time Unix contractor to make more than 45,000 a year in a government job. When working as a contractor for the military it's very usual to find sprawling networks of boxes that haven't been patched since they were put in. Often the security of these boxes is based on strange network topologies that the designers assumed (wrongly) would make them unreachable from the outside. It's amazing to me, but a friend of mine actually worked at a DISA facility where the head Unix admin didn't know how to patch the kernel on their HP-UX boxes.
>> What sort of skills would be needed to do so, and are they common/teachable?
Most exploits nowadays are packaged in easy to use scripts that can be used by anyone who can read English. Minor damage can be caused by any 12 year old who understands what an IP address is. A reasonably experienced Unix admin can use these scripts to slowly leverage as much power as he needs in an improperly secured network. www.rootshell.com has everything a person needs to break into a network as soft as a standard military system. And if the system you want to crack isn't vulnerable right now, all you have to do is wait, somebody will find a bug eventually.
The problem with these scripts is that once they become known it usually only takes a few weeks to a month for a commercial vendor to create a patch to protect the target from them. However, in practice, most patches don't get applied in a timely manner. Especially in a government network where low profile machines assumed to be unreachable from the outside may simply go un-patched.
>> Commercial-off-the-shelf software: can it really do CT?
Reading the Bugtraq list and keeping an eye on sites like www.rootshell.com and http://packetstorm.securify.com/index.shtml are much more effective than any commercial software I've seen. The problem with commercial CT utilities is that they don't have much of a market and by the time you get them on the shelves the bugs they exploit are too rare to be worth buying the software for. Good packet sniffers/port scanners/spoofers are very useful in the general case if you are reasonably adept. These can be bought commercial, but I prefer to get mine from ftp:\\sunsite.unc.edu.
>> Which systems are actually attackable?
All systems will have windows of opportunity. Open source systems have smaller windows because they have faster patch times and fewer bugs. Custom programs have the largest windows of opportunities because they are unlikely to ever get fixed.
>> Can a recovery be made from such attacks?
Complete backups and a rehearsed recovery plan can fix nearly anything I've ever seen unless the attacker has been insidiously poisoning your databases for months (Which is in my opinion the most detrimental type of attack, and also the least likely to be noticed).
>> Is it likely to improve/get worse?
Software and OSes are becoming much more complex, feature rich, and flexible, which dramatically increases the opportunity for attack. Example: Windows 98 had about 11 million lines of code, Windows 2000 I hear has upwards of 40 million lines. Complexity breeds bugs, and flexibility allows attackers to use your systems in ways you never imagined possible.
>> What sort of preventative work would you recommend them to carry out?
1. Hire well paid and intelligent admins with a network penetration background.
2. Have at least one person whose whole job is properly configuring firewalls, another whose job is maintaining patch levels.
3. If any of the people in the above teams of people ever have less than a few hours a work day to read web pages then double the size of the teams.
4. Routinely audit the security of every computer and system.
5. Never assume a machine can't be reached from the outside.
I would enjoy fielding any questions you or your readers may have. Contact me if you would like any clarifications. Please forgive my english, I'm an admin, not a writer.
Poor article in many dimensions.
Jane's article has a statist slant -- one gov against another or individuals against a gov.
Suppose I just want to make a lot of $ with little work. There are lots of ways to profit from advance knowledge of all sorts of damage to infrastructure, civilian factories,
...
No need to reiterate the possibilities, but any engineer worth their salt looks with disdain upon such feeble attempts as the World Trade Center bombing,
... Not much damage for a hell of a lot of effort and risk (easy to do better in all dimensions simultaneously), no real damage to the US as an institution or economy, no profit to finance anything else.
Integrated strategy is required 8).
(BTW: Our very own FBI did the WTC bombing via its agent provocateur, Emad Salem. Read the NYT for 19 Oct, 1993, I believe. Salem taped his FBI handlers, and the transcripts were put into the trial records. The FBI's payments of $1M to Salem paid for the bomb,
... Salem proposed substituting inert powder for the ammonium nitrate, FBI nixed it. Salem kept them informed of all plans, including when they were to set the bomb off. Salem was on the scene when the bomb went off. Bomb went off with full foreknowledge of the FBI.)
Gov terrorism aside, it is pretty scary to think about such efforts getting loose -- some SciFi postulates corporate-scale wars.
We are, as a civilization, balanced on a high needle of technology. Doesn't take much of a jolt to kick it over and plunge us back to, at least, a lot lower standard of living.
Lew Glendenning
"The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
Quote: "The American terrorist group, the Christian Patriot movement, is active in the Internet. ... The Osama Bin Laden group utilises an extensive network of computers, disks for data storage, and Internet for e-mail and electronic bulletin boards to exchange information. Hamas operatives in the Middle East and elsewhere use Internet chat rooms and e-mail to coordinate activities and plan operations. Other Middle Eastern terrorist groups, such as Lebanon's Hizbullah and Algeria's Armed Islamic Group, also utilise computers and the Internet for communications and propaganda." This section alone is enough to debunk anything written in the rest of the article. The author clearly has no idea what is important and what isn't. He may as well have written that Hizbullah also use telephones, hand-written communications, face-to-face information interchange (talking to each other) and publishing pamphlets - thus, I think we can fairly implicate Caxton and Bell as leading suppliers of non-lethal weaponry to terrorist causes. This kind of shoddy thinking is pervasive throughout the article, and it is not worth anyone's time. But, at least the editors are asking people rather than just relying on a journalist happy to rehash discredited old propaganda... personally though, I feel they would be better off just trashing the whole article.
Using CT, how easy or otherwise is it to bring down or attack vital systems?
Define a vital system. If you define a vital system as a hospital, bank, telephone (911), police and C3I, there are much easier and more effective ways than using computers. In most cases the "critical systems" within these organizations are isolated and have few external components. Sure you can crash the St. Luke's web page, but I doubt it would be nearly that simple to get patient data. That being said, if you can get enough information about how the place, company, or group operates and does business you can usually find a way in. Once in you can work on editing, deleting or destroying data and/or systems. All that being said, I think there are easier ways to disable vital systems: blowing up a church will clog up a large number of services, or destroying a power station, relay station, or transmission lines will cut out large amounts of power to an area, and these are hardly ever guarded or monitored. No skills needed for those.
What sort of skills would be needed to do so, and are they common/teachable?
They aren't common skills, and I'm not sure if they can be taught. To hack/crack you have to have that kind of mindset. You have to be able to think of a problem and then logically break it down into steps, or sub-problems, and attack those pieces. You often have to be a bit rebellious, and try to do those things which they say can't be done.
Commercial-off-the-shelf software: can it really do CT?
If you consider DoS attacks as CT, sure, in some cases... but mostly no. There is no Commercial off the shelf (CoS) CT kit. Usually the vital systems are one-offs or specialized enough that the vast majority of the people out there won't have seen them, or their design.
Which systems are actually attackable?
Once again, I don't know what you mean by vital systems. Military level C3I is usually pretty anal about security, so I would say it's not easily attackable from the outside. Most civilian vital systems are fairly vulnerable in that they have more access points and fewer physical safeguards. However, anything is attackable from the inside.
Can a recovery be made from such attacks?
Depends on the attack. I've written programs to replace dump and tar that corrupt one random byte in a random amount of data so that even though the backups look good the data is bad. And there is no way of telling unless you recover the whole tape and find the one or two data files that have changed and go through them with a microscope. Now imagine the problems if someone had 10 weeks of backups each with different bits of bad data and the system got totally flushed; there would be no way to know which data was good and which wasn't. So, to make a long story short, if done properly, and if they know enough about the system they are attacking, you may not be able to recover from it.
Is it likely to improve/get worse?
As the people who make the decisions get more out of touch with the actual technology and skill sets of the job, the worse it will get.
What sort of preventative work would you recommend them to carry out?
Train people in security. Have someone on site whose job is security. Make them responsible for any "issues" that come up in regards to security. Force them to notify the decision makers if there is a breach, or suspected breach. Then give them the budget to make it happen. Not cheap, not quick, but it will work.
Lord_Rion
--Hired Net Grunt
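Two of the replies above make the same point from the defender's side: a backup that "looks good" can carry one flipped byte, and a database poisoned slowly over months is the hardest attack to recover from. The script below is an added example, not code from any commenter or from Jane's, showing the standard countermeasure: record a keyed digest (HMAC-SHA256) of every file when the backup is taken, keep that manifest and its key off the backup host, and compare against it at restore time. The key, file names and file contents here are all constructed for illustration; the `flip_one_byte` helper only simulates the single-byte tampering the thread describes so that the check has something to catch.

```python
"""Detect silent tampering of a backup set with a keyed integrity manifest."""
import hashlib
import hmac
import random
import tempfile
from pathlib import Path

# Hypothetical key. Keep it on the restore workstation, never on the backup
# host, so someone who can alter the backup cannot also recompute valid tags.
MANIFEST_KEY = b"example-key-kept-off-the-backup-host"


def file_tag(path: Path, key: bytes) -> str:
    """HMAC-SHA256 over the file contents, streamed in 64 KiB chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Map every regular file under root (POSIX relative path) to its tag."""
    return {
        p.relative_to(root).as_posix(): file_tag(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, key: bytes, manifest: dict) -> dict:
    """Compare the tree at root against a manifest taken at backup time.

    Returns lists of files that are unchanged, modified, missing, or that
    appeared after the manifest was written.
    """
    current = build_manifest(root, key)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, tag in manifest.items():
        if name not in current:
            result["missing"].append(name)
        elif hmac.compare_digest(current[name], tag):
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def flip_one_byte(path: Path, rng: random.Random) -> int:
    """Simulate the tampering described in the thread: change one random
    byte so the archive still looks intact. Returns the offset changed."""
    data = bytearray(path.read_bytes())
    offset = rng.randrange(len(data))
    data[offset] ^= 0x01
    path.write_bytes(bytes(data))
    return offset


def demo(seed: int = 1) -> dict:
    """Constructed backup set: one file is tampered with, one is deleted."""
    rng = random.Random(seed)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # Sample contents stand in for a real backup; nothing here is real data.
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n" * 20)
        (root / "ledger.csv").write_bytes(b"2023-01-01,acct-17,1250.00\n" * 50)
        (root / "notes.txt").write_bytes(b"nothing to see here\n" * 10)

        manifest = build_manifest(root, MANIFEST_KEY)  # taken at backup time
        flip_one_byte(root / "ledger.csv", rng)         # later tampering
        (root / "notes.txt").unlink()                   # later deletion
        return verify_manifest(root, MANIFEST_KEY, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest has to be captured before the data can be poisoned and stored somewhere the backup process cannot write; keeping one manifest per backup generation is what lets you tell, across the "10 weeks of backups" scenario above, which generation first diverged rather than guessing.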
The key to a lot of cracking attempts lies in getting specific information. Names of key servers. Names of people who have user accounts. Passwords. Descriptions of security provisions. That kind of thing.
Much of this is easiest to get on the phone. The same techniques that a real journalist uses to get at information that is not public knowledge are the techniques that crackers use to break into systems. So stop and think about whether you managed to (or could have) obtain information that would help you break into the system. Said information can be as innocuous as knowing who the employees are, personal tidbits about current employees, that sort of thing.
Don't believe me? Well a common technique is to call someone up, pretending to be another employee. Pretending to be a real person that the person on the line is likely to have heard of is more likely to get you in. For instance you could call up and say, "Hey, this is Greg Watson over in accounting. I am looking for Bill Smith. Do you know where he is?
Or whoever Jane has do that...
... He just quit? Shoot. I was hoping he could get something for me ..."
See? By knowing the name of someone who just left, someone who is still there, and someone in another department, you have an excellent chance of getting information that you should not have.
As for security, no, not all systems can be easily broken. Of course there are some people who, if they want in, will get in. You have to expect that. But most of what you have to worry about are common yet easily exploitable holes. For instance a lot of companies trust Microsoft's VPN implementation. In fact it is about as secure as swiss cheese and cracks are fairly readily available.
As long as easy targets are readily available in large numbers, I would be more worried about terrorist attacks on them than I would about anything else. (Attacks against information sources can be very profitable as well. Infiltrate a VPN. Sell the information to someone else...)
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
Howdy. Attacking an information system would be a good way to either distract the target or otherwise enable the attacker to perform a physical-world attack. An example might be to attack an airline and delete transport manifests to cover the transport of illegal materials. Had Asahara Shoko and crew been able to crack the Tokyo power system and stop the subways, trapping passengers on the trains, the number of casualties might have been significantly larger. "Cyber terrorism" may be used for more than just killing data. e.
Well, the thing is most companies and some govt agencies don't really think about security until theirs has been compromised.
That said, ANY company or govt agency with sensitive data needs to have regular security audits. Tiger teams from bonded intrusion testing companies come to mind; four times a year is not a bad schedule. This costs money, but so does loss/corruption/theft of data. Make sure your admins are keeping up with security issues for the OS(es) that's being run on your sensitive server(s).
Also, internal security is often overlooked. If you run a company that uses internet access, and you have sensitive data, strictly limit internal users' access to the big bad net. Firewalls and NAT are a good start. Use anti-virus scanners on your email server. Keep access to internal servers at a minimum. Use internal firewalls to protect sensitive departments.
Well, just some basic suggestions.
"shop smart:shop s-mart" ash
It has been my experience that the skills needed to successfully conduct CT are quite teachable, given that the person wishing to learn the necessary skills is motivated, has a minimum proficiency with computers and network technology in general, and has access to the information required. There is also the additional requirement that they possess the correct hardware.
Motivation doesn't seem to be much of a problem with most terrorist groups, unfortunately.
Contrary to popular belief, it does not take a genius to hack into a system. The genius factor only determines how quickly he is caught. However, at a minimum, a hacker must be able to think cleverly and be somewhat devious in order to be a successful hacker. Someone who can only follow the instructions of others won't be able to come up with a new solution when he encounters something new. It should also present an aspect of fun for the hacker. (Is a terrorist allowed to have fun? Does this make their crimes more heinous?) However, I think that this is fairly widespread knowledge.
In order to become a proficient hacker, you also need access to information about the inner workings of the systems you are attacking. A lot of this information can be found on the web, but nothing beats having a good Perl book or the user's guide to the operating system by your side, in print. This is an area where a foreign terrorist group may have trouble. Can they get the information they need? It is almost impossible to pay cash at an online bookstore, and many books are not available from your corner bookstore. I suppose it is again just a matter of motivation - these books can be purchased, you might just have to jump some hoops to get them.
As for hardware, this is relatively easy to get, because you can run Linux on nearly anything these days. The real problem is connectivity. In order to successfully mount an attack, your machine has to be physically connected to your victim's machine (obviously). I really don't know how good connectivity is in most areas in the world (how easy is it to get connected to the net in Uzbekistan, anyone?), but it seems that in many parts of the world, it might approach near impossibility. However, state sponsorship could very easily ease this. The only other option is to actually base your operation in a country like the US where you can get connected for cheap. The only problem with this is that it may be a bit more difficult to remain anonymous.
So, to sum it up, yes, any decent, hardworking terrorist group can set up a CT "department" and successfully attack virtually anything they want.
I'm not sure how helpful this will be, because all it really amounts to are my random thoughts on the issue while doing a little "work" in the campus computer lab. If you are going to quote me, at least fix my spelling.
...or, perhaps, *will*. It's arguable that the failure in 'Nam was of will, not of might or resources (troops, funding, what have you).
Actually, hm. That does bring a few additional possibilities to mind.
* Spreading disinformation; spread rumors and watch as they get picked up by conspiracy theorists, activists and so forth. This is aided by the speed and occasional pseudo-anonymity of, say, e-mail/chat/etc.
* Possibly, attacking media outlets and other sources of information. I'm sure CNN.com gets a decent number of hits, and a minor change there might affect things. Exploit a vulnerability in a stock trading system (say, one that feeds prices to systems which then apply automated rules for making trades... !) and you might affect a market.
* This isn't quite cyber-, perhaps, but the insecure use of cell phones and so forth has led to incidents. If memory serves, some Secret Service traffic relating to Presidential movements was once publicized, and a certain Chechen leader (now deceased) named Dudayev owes much of his present state to giving his whereabouts to a Russian rocket artillery unit (via cell phone).
Sorry Jane's, I really wanted to just run through this after I saw it because it's kind of.. well, bleh. I apologise for the grammar, but if I'd had more time I would have written you a shorter letter, as Mark Twain would say.
The article is really grasping at straws. The problem with the article is that it assumes so many things and points out the obvious far too often to be of any use. Obviously if you damage a country's or group's telecommunications they will have a harder time using that network to communicate.
As for using IRC and email, it's a lot harder for governments to regulate and sort through and de-encrypt (where applicable) or even know exist to detect plots brewing. This is different from if they used the telephone, which is easily wire-tapped; an ISP could be asked to hold over email, but with the proliferation of things like Hotmail, the fact that everyone and their brother has eighty or ninety email accounts, and the fact that it's really just impossible to deal with everyone who takes out their aggressions online where their speech isn't restricted, so yes, email and IRC and chatrooms are used, but quite sparingly, and quite frankly I see "plotters" on various IRC networks all the time, although usually they are semi-retarded white supremacists in the age group of 15-25 who really, well, they aren't that bright.
On breaking into websites and changing what they say, politically this has little or no effect. I think personally each American might look at a government website once a month, and I don't think any American reads *.gov to learn about political agenda, well not yet, although that is what the people over here at
/. would love to see. The problem is that most people don't give a crap about politics edgewise, so changing a website to push the agenda opposite to what the website would normally be saying would be the equivalent of someone putting down a whoopee cushion where the UN Secretary General sat: good for a laugh, nothing else.
One part of the article I enjoyed was the political factors that motivate terrorist groups to cause violence. This is very informative and useful.
The article, however, suffers from one tragic flaw that appears to affect many, many articles on the same subject. It assumes the false truth that all computers on a network are automatically linked to a network. If you do this and a cracker (note the use of the term Cracker, and not hacker. I'm stuck up.) destroys your stock market they will need to have done a few things.
They will need access to the network; this is not a problem if the network is linked to the internet, but most networks are intranets simply because there is no logical purpose for linking the network to the internet. Governments who make this most tragic error will fall to Darwin's theory of natural selection when someone gets lucky. If you have a missile base, and someone who is, say, on vacation needs to shoot the missile in a pinch because of political actions, then they should have to fly back and do it that way, OR they should have to dial straight into the system via long distance with a protected and undisclosed number that changes often and is only enabled when people who need to get in in a pinch are away from the base. And of course they'd still have to log in with a funny looking username and password. This is my solution for the problem; there are probably a thousand others, and just about all of them will prevent catastrophe from all but the BEST terrorist organisations.
The best terrorist organisations will capitalise on any opportunity given, and the fact that they have access to the internet has absolutely nothing to do with it, except for the interesting recruiting procedures via the internet, which is of course dangerous because if you put up a big sign that says RECRUITING TERRORISTS everyone comes to the party just to take a peek.
I think the reason why you haven't seen many extremely tragic cases where people were killed by 'cyberwarfare' is because as terrorists learn about the very interesting buzzword they realise there is essentially jack they can do. I once read a story about a group of terrorists who infiltrated a place where traffic was controlled; the terrorists learned about the program controlling it and almost killed a state official. However this is fantasy.
You see, this is perhaps every network's greatest defense that runs a specific operation. When the software is developed in house (usually because there is no market for selling such software, like for instance software to drive traffic lights), you would need to figure out how the program worked and how to cause the most havoc (or in a 'surgical' strike, how to kill the one person you want to kill). When this relates to something so mathematically complex as a series of traffic lights as it relates to one man's path relative to his speed, and making a four way stop go all green, sure, it's possible, but only if you already have operatives inside the operation; you can't just run in, learn about the program and the laws behind what it does on the fly and cause havoc. You don't have that much time, unless of course you're an operative inside the operation, in which case I'd find getting the operative in much more impressive than 'cyber terrorism'.
I think the more terrorist groups research computer science and cyber warfare the less of it we will see; well, we won't see much that is JUST cyber terrorism. When you put a master of geography and navigation, a physicist, and someone who understands nuclear missiles, all with computer science knowledge and knowledge of the system, you've got one frigging scary scenario. But quite frankly, it's not cyber-terrorism; knowledge of computer science just comes with the biz. People who run the things normally have to understand what's going on just to maintain it; people who want to cause havoc REALLY have to understand it.
In conclusion, I think the article needs a major revision. The guy really knows what he's talking about when it comes to politics and that's obviously his forte, but I don't think he knows what he's getting into when he says 'cyber terrorism'; it's a remarkably boring (and on its own, useless) thing.
-[ World domination - rains.net ]-
terrorism - that's what the word means!
Comment submitted. There will be a delay before you understand what you posted.
Attacks involving cyberwarfare are much easier to carry out than your typical CBRN attack. Depending on the security of the target, an untrained attacker using an exploit found on http://www.rootshell.com can bring down critical servers. I don't believe it is quite that easy to design/construct/use a chemical, biological, or nuclear weapon. On a well implemented system, however, it can be much harder to disrupt with cyberwarfare than with more conventional means of mass destruction.
The knowledge required to put forth such cyberattacks is not very common. Anyone can run a script and exploit a fresh Windows NT Web Server, but disrupting a service, especially a non-networked service, is not in the grasp of your average computer user.
As far as off-the-shelf software, ummnn... No. There is no magical software which can bring an entire country's infrastructure to its knees (other than stock Windows ;P).
I personally don't know of many attackable systems, but I would generally think it would be systems that have become more computer controlled than not. Power grids, possibly, but unlikely... I have my doubts that anyone can shut down an entire power grid without using some form of non-cyber attack. Telecommunications seems it would be susceptible to a well developed cyber attack.
Recovery from such an attack would most likely be quick for a majority, and long lasting for the remaining minority.
The problem with cyberterrorism will definitely get worse before it gets better. There are some pretty big information gaps between the well informed "Wizard" of technology and John Q. Public. I understand that most of the world's infrastructures are not run by total buffoons, but most of them are just normal people with normal jobs who know very little about how the system they work on *REALLY* works.
The only thing that can really be done preventatively is to assess security from a realistic standpoint. Security is more a set of compromises than a true 100% solution. Nothing can be truly secure if it is computerized. Instead, we use the best possible security which still allows the system to function (things can be *too* secure). Many sites may need to reassess their security policies, since many security policies are quite old. This, along with more technical training for John Q. Public (this'll be a while), will help to ensure that cyberterrorism's threat is more limited, since it will never go away.
FeeDBaCK
This article seems to be more about using current and future technology to assist in conventional terrorism and warfare than using the technology itself as a weapon. The article focused primarily on the use of the internet as a communication/propaganda medium for terrorists, when you can just as easily insert the word 'Telephone' for every instance of 'internet' with almost identical results.
If you want to write about 'Cyberwarfare' then the article should focus more on the abilities and technology needed to bring down the computer based infrastructure of a country. A few hundred script kiddies turned loose with the latest hardware and software could probably cripple most governments simply by destroying the ability to communicate through any means other than Shortwave radio. Given enough knowledge of an opposing system it would seem that a determined group of crackers could knock out Telephone, Electrical, Water, and Gas as most of those are now computerised and the computers are sitting on a network with an access point on the internet somewhere. Many times these systems seem secure and unbreakable, but that is only because no one has yet made a concerted effort to take one down.
As I was saying, this article should focus more on the actual Computer Warfare aspect as opposed to the Conventional Warfare with the aid of computers line that it currently follows.
Kintanon
Check out JoshJitsu.info for Brazilian Ji
The threat of cyber-terrorism is a growing concern for many western governments. I do agree with Johan J. Ingles-le Nobel that it can become a very new method of attack and attention gathering for terrorist groups. Fortunately most groups of terrorists have resorted to conventional methods of operation (physical violence, intimidation). The very nature of using computers to create havoc upon the military or social infrastructure of western nations has and will in the future require large amounts of capital and technical expertise. The only groups with that sort of financial and technological resources are governments and corporations. Terrorists hardly ever have the skills, expertise, or resources to cause massive amounts of damage. They rely on fear and the intimidation created by press coverage and government crackdown.
Historically, very few terrorist organizations have ever overthrown a government or colonial authority. In every case it has taken the backing of another world power or the withdrawal of colonial authority due to morale collapse to facilitate a victory. The American revolution, the Sandinista revolution, and the Banana Republics of South and Central America were all due to outside financial or political interests. In Africa and Asia, most former colonies that had insurrections were only "victorious" due to the withdrawal of occupying forces and the collapse of morale. After World War II, it was the loss of status as world powers and the collapse of Europe that allowed the so called success of terrorist and revolutionary movements in colonies.
However, at the close of the 20th century, most governments can rest assured that no terrorist group will be able to overthrow the government. The only aim of these groups is to create fear so that government reprisals will make these regimes unpopular. The underlying fanaticism of these groups is not very strong either. The smarter terrorist organizations use the poor, religious, or politically fanatical as martyrs. All decision making is accomplished by secular, not religious, people. Look back at recent history to the Middle East and South East Asia. All of the martyrs or dead from those insurrections were among the poor and uneducated. The losses by organizations like the Viet Cong and Hamas/Hizbullah were spectacular. Yet these groups kept going. This requires outside political and economic support. The Viet Cong collapsed in the mid 1960's. North Vietnam had to take over and prevent its losing to South Vietnam. By the time of the Tet offensive, all officer and non-commissioned officer roles in the Viet Cong had been replaced by army regulars.
The cyberwarfare and cyber-terrorism of the coming years will not be any different. The computers and other communications hardware have gotten faster, better, and inexpensive, but are still out of reach to most terrorists. It would take tremendous financial backing by a state or corporate entity to equip this kind of warfare. It would be cheaper and more cost effective in personnel to recruit the lower classes as martyrs in conventional terror campaigns than to invest in trying to crack the Pentagon.
It would be prudent for intelligence and police authorities to take safeguards against this kind of attack. However, the loss of civil liberties or privacy through laws meant to combat this threat would only serve the terrorists' interests of a frightened and disgruntled public. Another threat is from the governments themselves. It has already been revealed that the CIA/Defense Department used to inflate the military capabilities of the Soviet Union to justify their own budgets. The CIA's budget is still classified. It has also been revealed that the NSA listens to private telephone conversations of the average citizen--Echelon.
I think that great care must be taken to see that government does not overstep its bounds and forget that it is government of the people, for the people, and by the people. I do not want my government making me feel like a criminal.
Romanes eunt domus? People called Romanes, they go the 'ouse? It says Romans go home. No it doesn't. What's Latin fo
* It would depend upon the vital system, of course. It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.
Don't forget though, if all it takes to "throw water on the fire" is a simple text e-mail message signed "Management" asking to shut down the plant, this is a concern. Either the procedure needs to be changed or have secure/reliable communications which can be compromised. In this case any system can have a remote stop burn option.
Anywhere people rely on computers, cyber-terrorism can be a concern. It doesn't have to be completely electronic.
~afniv
"One could be glad if the air were as pure as the beer"
Richard von Weizs
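The reply above puts its finger on a real procedural weakness: if a plain e-mail signed "Management" is enough to get a plant shut down, the plant has a remote stop option whether or not one was designed in. The script below is an added example, not code from any commenter or from Jane's, of the minimum a defender needs before acting on such an instruction: the message carries a keyed tag (HMAC-SHA256 over the command, a nonce and an issue time) that only holders of a shared secret can produce, the receiver rejects anything without a valid tag, anything outside a freshness window, and any nonce it has already honoured. The shared key, commands, timestamps and nonces are all constructed for illustration.

```python
"""Accept an operational instruction only if it is authenticated, fresh,
and not a replay, rather than trusting a note signed 'Management'."""
import hashlib
import hmac
import json

# Hypothetical secret shared between the control room and the people
# authorised to order a shutdown; distributed out of band, never e-mailed.
SHARED_KEY = b"example-shared-secret-for-illustration"
MAX_AGE_SECONDS = 300  # instructions older than five minutes are refused


def _payload(command, nonce, issued_at):
    """Canonical bytes covered by the tag; sort_keys keeps both sides identical."""
    body = {"command": command, "nonce": nonce, "issued_at": issued_at}
    return json.dumps(body, sort_keys=True).encode()


def sign_instruction(command, key, nonce, issued_at):
    """Sender side: attach an HMAC-SHA256 tag to the instruction."""
    tag = hmac.new(key, _payload(command, nonce, issued_at), hashlib.sha256).hexdigest()
    return {"command": command, "nonce": nonce, "issued_at": issued_at, "tag": tag}


class InstructionVerifier:
    """Receiver side: remembers honoured nonces so a message cannot be reused."""

    def __init__(self, key, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen_nonces = set()

    def verify(self, message, now):
        """Return (accepted, reason). Checks run cheapest-to-reject first."""
        fields = {k: message.get(k) for k in ("command", "nonce", "issued_at")}
        if None in fields.values() or "tag" not in message:
            return False, "malformed"
        expected = hmac.new(self.key, _payload(**fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return False, "bad tag"
        if not 0 <= now - fields["issued_at"] <= self.max_age:
            return False, "stale or future-dated"
        if fields["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(fields["nonce"])
        return True, "accepted"


def demo():
    """Constructed scenario: genuine order, altered order, unsigned note,
    replayed order, and a genuine order presented far too late."""
    verifier = InstructionVerifier(SHARED_KEY)
    t0 = 1_700_000_000.0  # constructed issue time (seconds since the epoch)
    genuine = sign_instruction("shutdown unit 2", SHARED_KEY, "n-0001", t0)
    altered = dict(genuine, command="shutdown all units")  # tag no longer matches
    unsigned = {"command": "shutdown all units", "from": "Management"}
    outcomes = [
        verifier.verify(genuine, t0 + 10),
        verifier.verify(altered, t0 + 10),
        verifier.verify(unsigned, t0 + 10),
        verifier.verify(genuine, t0 + 20),  # same message presented again
        InstructionVerifier(SHARED_KEY).verify(genuine, t0 + 10_000),
    ]
    return [reason for _, reason in outcomes]


if __name__ == "__main__":
    print(demo())
```

The nonce set is what turns "secure/reliable communications" into something checkable: an attacker who captures a valid shutdown order cannot simply resend it, and the freshness window bounds how long a captured message stays useful even if the receiver's nonce memory is lost.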
But we are starting to depend on highly unreliably systems.
What if you use a Hotmail or other free account to receive "important mail"?
What if a page showing say stock quotes or temperatures is altered? Maybe not you and me but there are people who are leaving some decissions to systems this unreliable.
Not life or death (by now).
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
Don't annoy anyone.
Requires limited gov.
Switzerland doesn't have a terrorism problem.
Lew
"The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
I hate the media... I always hear at least 2 contradicting stories - who knows what the hell to beLIEve? Sorry that I don't have anything interesting to say...
-Chris
When ignorance reigns, life is lost.
Would you rather go to a cafe and get your leg blown off because some crackhead doesn't like your country, or have your country's website cracked and a porn pic placed on it? This is a question to all those afraid of cyber terrorism. On another note, currently the Russian government is fighting with it. They successfully used it to deface the website of Russian separatist rebels in Dagestan. Of course, to Dagestani rebels it makes no difference whether their website is being cracked or there's an SU-25 launching a missile at them.
My military friends call me "the builder of targets" since I'm a civil engineer who does computer work. I have the mindset that everything I do has the distinct possibility of coming under attack and I wish it was a mindset more programmers had.
First: The word "cyber" does not mean what you think. Please have CT mean "Computer Terrorism." Second, a hacker "hacks" code and makes software. A cracker "cracks" security.
The writer does document the type of resources for CNBR but leaves CT out. Let's document the publicly successful crackers' profile and resources:
- White male, teens to twenties with borderline obsessive-compulsive traits.
- Computer of sufficient horsepower (@ $5,000 US. Assume system is useful for 1-2 years)
- Network connection (varies, @ $30/month)
- Basic necessities of life (food, caffeine, shelter) (varies, but about $500/month per person)
- Time.
Cost to a terrorist group for having and equipping self-motivated crackers is on par with that of arming and supporting any other agent. Training could be an issue, but most crackers are largely self-taught. The difficulty is in finding someone with the correct mindset.
CT is not very appealing to many extremist cults. Damage to human life caused by crackers tends to be low and not incredibly flashy (few fireballs or destroyed buildings). Rather, CT is a tool used by forces who target infrastructure: power grids, airports, communications systems. It harasses an entire populace with a low chance of creating martyrs. This is extremely advantageous to native terrorist groups (a.k.a. rebels) who wish to limit the loss of human life.
It is also a counter/intelligence tool. By co-opting something as basic as email a large amount of information can be intercepted. Further, that data can be corrupted and/or altered. Depending on the subtlety of the data damage, it may take long periods of time before it is caught, making restoration of "pristine" data difficult. A simple example would be modifying satellite images on a file server to conceal enemy forces.
Finally, CT can be a source of funding or resources. Many convicted crackers used their skills at some time to purchase items via mail-order, eliminate bills, or steal credit card numbers. This can turn CT from a costly venture to a financial asset used to fund their more conventional terroristic endeavors.
As to the specific questions:
- Dependent on target system, as always. Some systems, like Microsoft operating systems, were "retrofitted" with security. Naturally they cannot compare to systems with security designed in.
- The skills are common and widespread. Further, weaknesses in systems are widely disseminated to notify people of their vulnerabilities. Slow administrators leave themselves at risk if they do not implement patches.
- Yes, but its effect will vary from an annoyance to catastrophic failure.
- All systems with an active network connection. Even if the software is set to reject all requests, a classic "ping flood" of requests can take so much processor power that the machine ceases to be functional.
- Typically yes, but some very, very rare attacks can damage hardware; typically drive arrays. This can dramatically slow recovery.
- Both. Well managed systems will become harder to attack but there will be more and more systems available to target increasing the likelihood of finding a poorly secured target.
- Again, depends on your system. Having external security audits done randomly is the best way to find and secure holes.
-James McPherson kilroy @ ntr . net
In certain cases a system can be disabled temporarily with great ease, however most attacks are transitory and should be repairable in 24-48 hours.
Second, a long-term program of CT could implement an exploit that waits for weeks or months before being used, meaning that most backups would possess the vulnerability.
I've been on slashdot so long I'm starting to get out of touch with the cool stuff if it ain't on slashdot.
In my humble opinion,
Any group (be it country, or whatever) which uses WMD will incur serious political costs. Most sophisticated leaders of such groups who have read Mao, etc., will recognize the benefits of external sympathy, and possibly support.
The difference is this: if a group desires to effect change in a target state, WMD or traditional terrorist methods will rarely work. For instance the IRA has done much to unify and solidify England's stance on Ireland--a dismal failure for the IRA. Neither those Oklahoma dudes nor the Japanese terrorists have effected change either.
A group which is "rational" (eg not waiting for God in a UFO to pick up the chosen, but still willing to use illegal means to alter some government's/corporate policies) will find much more utility in CT.
CT can be targeted to exploit the schisms in any society. In Canada, a group could attack a bank and gain political support from some quarters--banks are unpopular here. An attack such as this (if the spin was played right) might not force a government to solidify its present policies, because of popular indifference to the victim(s) plight. The "stick it to the Man" effect, if you will.
If the group wants to effect change in a *third* state, then WMD might come into play. Group T destroys something in country A for country WE_HATE_A's support. This only works for a few countries, if at all. Retaliation to supporting states is likely.
As many have said, most companies and states are extremely vulnerable to CT. Though most users cannot check the source of WinNT/Win9X for vulnerabilities, you can bet that there are those hostile to the West who are doing just that.
open source digs appended! : )
Cheers, all.
bobzibub.
U.S. finds malicious code changes in Y2K "fixes"
Think how much easier it will be for attacks now that we've had a massive "upgrade" (Y2K fixes) by imported workers.
Who has spread the fear? I see lots of quotes from the State department. We all know that the White House is controlled by the Chinese.
So this is a build up of a massive Chinese attack on the US computer infrastructure.
Now I need to finish wrapping my house in aluminum foil.
JBoy
> I'd add that using the Internet as it is
:-)
> currently designed to communicate between
> members of a terrorist organisation would not
> be a good idea -- it goes against the "cell"
> concept which is known to be the best way
> to organise.
Au contraire. Using the internet the way most people do (i.e. only believing they're anonymous) would certainly defeat the concept of private terrorist cells, but on the other hand there is infrastructure like double-blind anonymous remailers, "onion routing", etc, which can be used to implement true anonymity (at some cost, up-front and ongoing).
These kinds of infrastructure already exist publicly, and I have no doubt that there are similar networks of a more underground nature in existence.
One hears rumours every now and then of "super-cracks"..some of them have made it here - spooky stuff which Should Not Have Been Possible. A lot of it (undoubtedly most of it) is fantasy, of course, but it makes you wonder..
I've often thought about what it would be possible for a well-funded agency to achieve in terms of penetration tools; a lot of systems (in fact, according to studies, most systems on the public internet) are vulnerable to really stupid holes, but the tougher nuts (probably the most individually interesting nuts) require more sophistication to attack.
However, given some decent programming expertise and resources, I'm sure it would be possible to create an intelligent automaton which contains a vast repertoire of cracker tricks, from the subtle to the overt, which could be pointed at a network (with suitable background research) and throw its bag of tricks at it until it gets inside, and from there rapidly subverting the connected trusted hosts. Giving the worm a wide variety of "stealth tools" to allow it to hide once inside would make it in practice almost invulnerable once entrenched.
This is not far removed from the "counter-ICE" intelligent tools of cyberpunk lore.
Obviously, this is not easy to do, but on the other hand the rewards for anyone who was able to create such a beast would be immense.
Some possibilities:
* Given that most networks on the internet are vulnerable (Reference: the folks who did the study using BASS recently - URL not handy at present), you could take down a goodly proportion of the hosts on the internet with a concerted attack (subvert widely-distributed systems for a while as a platform, then on D-day use them to launch all hell onto the internet). While this wouldn't have much effect on the Real World, it would cause an enormous resource commitment to repair the damage, generate huge publicity, and even bigger "fear factor" among the people you don't penetrate. It would probably hit the economy pretty hard, actually..all a result of some aberrant ones and zeros - neat, huh?
* Variation: covert agent X injects the worm into the private (non-internet) network of a target - e.g. a foreign military network, or the operations management system of emergency services. Used in conjunction with other forms of attack, like frontal, obvious, "direct assault" electronic attacks to divert attention to the real attack, and ("conventional") physical attacks like bioweapons, this would create mass confusion, and potentially, mass destruction.
* Corporate blackmail: your worm finds its way into the network of a company you find politically objectionable, and then releases all security measures (deactivates firewalls, installs backdoors, alternate passwords, etc), and publishes them to the world, or to a competitor. Result: potential devastation of the company (loss of intellectual property, exposure of business secrets and practices, skeletons in the corporate closet, etc).
The internet worm of 198x was solved by people who were able to coordinate rapidly to analyse, solve and fix the entry mechanism. That (like more recent variants, like Melissa), was a one-track, stupid pathogen which was correspondingly easy to defeat once the vector was known.
Now imagine a worm which selectively exploits all known remote buffer overflows, many unknown (publicly) ones, denial of service attacks, TCP sequence spoofing, network sniffing, breaking of insecure protocols, ad infinitum, can hide stealthily within an operating system and network so the system's tools do not show its presence, which contains binary code that runs on every major OS, which responds to detected attempts to "capture" it by death and/or retaliation, etc etc.
How do you even begin to deal with that kind of thing on an enterprise level? You'd have to assume every machine is infected, and low-level wipe everything, being careful to distrust the existing data when you put it back. Then you'd have to patch every possible entrance mechanism onto the machine (difficult, given that Windows 9x machines are fundamentally unsecurable), and if you miss just ONE access hole then your machine is under again. Of course, this assumes you even know what you're dealing with, which is unlikely for the first few iterations, and you know about every vulnerability the worm is exploiting on your machine.
In principle, there's nothing stopping you from writing such a beast - individually the components are all well understood (except perhaps the "intelligence" behaviour which would have to be abstracted from human knowledge). In the face of an attack like this, the confusion would be enormous, when finally discovered and believed: "My solaris system got rooted by a RPC exploit". "That's okay, I don't run solaris. Hmm...my NT box is acting funny, though. Probably just needs a reboot..damn script kiddies".
This should be enough to make people very, very worried..given the notorious complacency of management towards security policy and implementation, and the continued daily proliferation of new remote exploits, it's a problem which is only growing in size, and it's a matter of time before Something Happens.
Sooner or later, someone is going to write this so-far (I hope) mythical ueber-worm, and when the Cybercalypse happens it's going to be a long week indeed for all of the professional sysadmins out there (and at the end of it, all they've got to look forward to is being fired for building a bad network, even if it wasn't their fault).
I only hope that once the network rebuilds, people learn to do better next time
[This descent into paranoia sponsored by the Judean People's Front, that guy sitting on the computer behind you, and the number FNORD]
A good chance to let people know the difference between hacking and cracking..... Laurion
"Is this not a rare fellow, my lord? He's as good at any thing, and yet a fool." -from "As You Like It", Act 5,
There's not that much blatantly wrong with it, however it just is not that good. Very rarely does it actually address info warfare and only gives two examples of it (LTTE hacking Sri Lankan websites and Zapatistas flooding Mexican mailboxes)
Problems:
1) terrorists making use of the internet (Hamas using email and chat rooms to coordinate and plan, bin Laden using email and BBS to exchange information) is NOT info warfare. They are merely using it to improve their organization like any other group today.
2) even if you leave that in, the phrases "[use] disks for storage" and ". . . Patriot movement, is active in the Internet" are incredibly stupid
3) " . . . with some weapons of mass disruption software available on [BBSs]." Uh, sure, whatever
4) the entire essay is truly about CBRN, not info, warfare. All the problems that terrorists are described as facing are almost exclusively limited to CBRN attacks
Missing:
1) Basically everything that would make it an article about info warfare
2) Possible motivations of info-terrorists
a) revenge (person gets fired, leaves nasty trojan to activate in 3 months)
b) espionage (break into competitors computers to steal plans, source code, etc)
c) fun/education/curiosity (some virus writers and hackers)
d) profit (like the Russian guy who transferred a few million from CitiBank to his own account or the cracker groups that are extorting some European banks for "protection")
e) publicity (put propaganda on govt website)
3) Types of attacks
a) DOS
b) backdoor
d) defacement
e) destructive
4) Means of attack / Vulnerabilities
a) EASY TO GUESS PASSWORDS
b) trojan
c) poor encryption
d) buffer overflow
e) SOCIAL ENGINEERING
5) Preventative measures
a) open vs. closed source
b) firewall
c) high encryption
d) backups
e) keeping patches up to date
f) logging
g) security education and awareness
h) virus/trojan scanners
i) correct configuration of accounts/security
6) What is actually happening
a) accidental deletions / formats / crashes currently cause far more damage than any info warfare
b) by far, most (successful) attacks occur from the inside
c) the next most common problem is viruses
d) some stats on actual number of cracks and amounts of dollars lost
A good article on info warfare should cover these points at minimum
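The "logging" and "easy to guess passwords" entries in the lists above are where a defender can actually see an attack coming: a password-guessing run against a server shows up in the authentication log as a burst of failures from one source, often across several user names. The following is an added example (it is not code from this post or from Jane's) showing the detection logic a sysadmin could run over such a log. The log lines are constructed in OpenSSH/syslog style for illustration; the addresses, user names and thresholds are assumptions, not data from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog/OpenSSH style). Addresses are from
# documentation ranges and the events are invented for this example.
SAMPLE_LOG = """\
Jan 10 03:12:01 host1 sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 03:12:03 host1 sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 10 03:12:05 host1 sshd[4113]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 10 03:12:07 host1 sshd[4113]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jan 10 03:12:09 host1 sshd[4114]: Failed password for guest from 203.0.113.7 port 51040 ssh2
Jan 10 03:15:44 host1 sshd[4120]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jan 10 03:16:02 host1 sshd[4121]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
Jan 10 08:40:10 host1 sshd[4300]: Failed password for bob from 192.0.2.9 port 33000 ssh2
"""

# Matches the failed-login line; "invalid user" appears when the account
# does not exist, which is itself a sign of guessing from a word list.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(log_text):
    """Return a list of (timestamp, user, source) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog has no year; a fixed year is fine for measuring intervals.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources that produce >= threshold failures inside any
    window_seconds span. Returns {source: {"failures": n, "users": [...]}}.
    The sliding window avoids flagging a legitimate user who mistypes a
    password a few times over a long period."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = {
                "failures": best,
                "users": sorted({u for _, u in events}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures in window, "
              f"accounts tried: {', '.join(info['users'])}")
```

In the constructed log only 203.0.113.7 trips the default threshold (five failures in eight seconds, spread over three accounts); alice's single failure followed by a successful login, and bob's lone failure hours later, are left alone. The threshold and window are the knobs to tune per site, and the output is the kind of evidence that justifies a block rule or a closer look at whether the guessed accounts have weak passwords.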
I wouldn't run the article. It was deeply confused, and provides little actual information.
There are three different, and very distinct threats:
Note that the terminology is new enough that the first two are not strictly defined. However, there are two distinct concepts, and I will use those words as I have heard them used in my community.
Cyberterrorism is the easiest of the three. Security experts periodically find bugs in software that allow for certain types of remote exploits. Although the software is usually fixed in a few hours to a few days, many organizations fail to update it. The exploits are then indexed on a number of web sites. A terrorist group can trivially download the exploits, and run a script to automatically try them against thousands of government servers. Some percentage will invariably fall, and the terrorists can then disrupt those systems. More skilled cyberterrorists may also try social engineering, or attacks based on knowledge of specific organizations, but these are, in general, well-known, "boxed" attacks. Cyberterrorism is random, and takes minimal resources or training (certainly less than conventional terrorism). In general, even a teenager can easily pick up the skills needed to become a cyberterrorist. It is also in many ways similar to regular terrorism; attacks are targeted at random targets, based on which have the weakest defenses. As with terrorism, it is easy to secure individual targets against it. It is nearly impossible to secure an entire nation against it.
Cyberwarfare is a big step up from cyberterrorism. In cyberwarfare, a security agency will try to find new exploits in the software the opponent is running. Cyberwarfare can be much more targeted than cyberterrorism, since a cyberterrorist attack will only work on poorly secured targets, whereas with enough resources, cyberwarfare can potentially be aimed at almost any target. Unlike cyberterrorism, this can take a good deal of expertise and resources against a reasonably secured network. For an idea of what a simple attack of this nature consists of, see how the PC Week "crack this box" contest was broken (the PC Week box had a very obvious security hole; in most cases, although the procedure would be similar, it would require much more effort). In some cases, cyberwarfare can involve cryptographic efforts, which take a very high level of mathematical expertise, and potentially, large amounts of computational power. Cryptanalysis is beyond the reach of normal (non-government backed) terrorist groups, and is probably beyond the reach of most smaller governments.
Jane's seems to be familiar with CBRN, so I won't go into details about it.
There is no easy way to completely protect oneself from cyberterrorism. However, there are steps that governments can take to make it more difficult:
Please do not use specific quotes from this article without permission. I can be contacted at pmitros@mit.edu.
Ok a few points here.
1. You don't have to actually bring a system down or even seriously disrupt it to succeed in CT. All you must do is make the "Other Guy" think you can. Or will. (see point 4) You must however have enough in the way of proof to make the organization believe you can. Uncertainty about their own security will do much of the work for you.
2. The "skills" necessary are actually quite slim. You need a bit of experience with the industry you are trying to disrupt, a bit of inside knowledge of the company helps tons (ie: what OS it's running, what's the organization's default passwd (most companies have them) ) And lastly you just need to know where to look for exploits. (aka "Kode Kiddiez", this is NOT real cracking, but will accomplish the goals you have set forth).
3. Few ties in the organization you are taking down. It's hard to be successful if you're the prime suspect.
4. FUD (Fear Uncertainty Deception) can accomplish much, (ie: the Valentine's Day "hack" of AOL a few years ago. AOL responded, and was disrupted even though the "hack" did not take place)
5. Media ties. CT matters little if you can't get the media's attention. Most of the damage to an organization will occur from the public's reaction. (most true of non-traditional (non-brick and mortar) organizations)
Tadghe Djin
Bugs Bunny was right.
I like a lot of the points that neophase makes here, & I'd like to add to a couple of them:
* Motivation. As pointed out elsewhere, any given company or government organization has more to fear from disgruntled employees than politically-motivated terrorists. A disgruntled employee will know the IT weaknesses (& in some cases is disgruntled because no one she/he has reported this to will either fix or let anyone fix these problems), while an external terrorist *has* to learn about them.
* Asset types. I have heard of one US government computer that is (or was -- I heard about this configuration 4 years ago) secure because not only is it not connected to any network, access is only thru dumb terminals, & no user has direct access to any printers or floppy drives. Assuming that this configuration is repeated in a number of other countries, social engineering (e.g., either bribe or blackmail the guards & sysadmins with access) would be the way to compromise this setup.
* IT infrastructure weaknesses. Consider the quality of phone systems outside Europe/North America/Far East. Would *you* want to try to crack a computer over a 2400 baud modem over a static-ridden phone line?
IMSNHO, people will remain the chief weakness in any security arrangement for the foreseeable future -- but this does not excuse taking the steps to lock down networked computers.
FWIW, I have little experience with security issues, except for running a few kiddie scripts on NT servers & being appalled at the results.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
Finance. The article implies that major finance is required to implement major attacks; this is not the case for cyber attacks; L0pht bulletins and Phrack are all that's required, along with a script kiddie mentality.
Nature of attack. Cyber attacks in general don't attack people; they attack infrastructure. If properly implemented a lot of people will die, but as a side-effect. Biological attacks, OTOH, attack only wetware and leave infrastructure intact.
Personnel. One deranged chemist can do quite a bit of damage, but an embittered genius nerd can do much, much more. Remember that interview with L0pht? "I can shut down this power grid now."
On the subject of state-sponsored terrorism: I honestly don't believe that this is the problem a lot of people make it out to be. If your system goes down, it's a lot cooler to say it was the Indonesian Government than a dodgy cgi script. I'm not saying it doesn't happen, but I do believe that it's seriously overhyped.
Finally: defenses. Up to a couple of years ago, people thought of security the way people in the 80s thought of Y2K: it'll probably be a problem some day, but we'll muddle through. Any system put together in the last couple of years was implemented with security in mind (if it wasn't, shoot the sysadmin), but most systems more than a couple of years old are inherently insecure. Ironically, Y2K could prove to be a boon, as audits will give detailed reports on exactly what's in a system, and this information can be used to boost security.
How to grow botulism
1. Make broth of water and meat.
2. Add soil (see below).
3. Thoroughly boil the jars of meat broth and soil.
4. Seal the jars while they are still hot.
What you have done is create perfect conditions for the growth of anaerobic spore-forming bacteria. The boiling will kill all the bacteria in the culture medium, but not destroy the spores. This way, you will not have aerobic bacteria interfering with the botulism spores as they activate and begin eating the broth. You will get gangrene growing in the broth, but since this also produces deadly toxins, this is not a drawback.
Eventually, the bits of meat will be black and thoroughly destroyed. The seals on the lids of the jars will also be showing some damage from the bacterial action.
Note on soil -- virgin soil works best. Most US soil contains the B-strain of the botulism critter, which is exactly what you want, as it produces the most toxin.
Anyone with highschool level chemistry or biochemistry coursework would be able to cultivate botulism or extract ricin from castor beans.
Equipment required: Masonry jars, beef, water, stove, dirt, time, and privacy. An individual can quickly manufacture huge volumes of botulism using very little money. No organization required.
Organization and funding is trivial. No state assistance is necessary.
I bring this up because I think Jane's is being misleading in their article about the difficulty of developing CBRN weapons. I won't even get into the energy weapons one can make out of a microwave oven (purchasable at thrift stores for $10 each).
-- Guges --
1) Do we get to read the article that we are providing the real content for?
2) Every time I see the word cyber, I get queasy and nauseous. However, by all means use it to increase readership and funding. Its effectiveness increases by 80% if you prepend it to an ordinary word. Some examples: cybercar, cybertrade, cyberbomb, cybergame, cyberlie, cyberfrenzy.
3) I have not seen any references to the Internet Auditing Project. It showed that _massive_ scans for vulnerabilities are now practical. Source code is available. Check http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32 for the skinny.
4) The United States Government is the best friend an information terrorist could have. The draconian US restrictions against crypto result in OS'es missing basic functionality. See www.opensbsd.org for a system that is allowed to use crypto.
Saber Taylor
staylor@cis.ohio-state.edu
The main thing that comes to mind when reading this is the fact that a person with about 1k US$ to spare can go to radioshack and pick up the parts for a machine which will "crash" an unshielded solid state computer. Things like that are in my opinion the worst threat. Hackers can only do so much, but a terrorist with some type of EMP, or other such, device could just disable some important facility. Think about air control towers, are those computers shielded? How about 911 dispatches? I could be wrong, if I am tell me.
(---- The public is merely a multiplied "me". -- Mark Twain
I think the effects of cyber terrorism are being blown out of proportion. Cyber terrorism takes a great deal of technical skill and intuition to carry out with any success. Some 16 year old that spends his time running scripts on any machine he finds is not going to cause a great deal of damage. The only people currently known to have sufficient knowledge, desire and skill tend to have little desire to cause great amounts of damage. One of the first CT events of moderate damage was a programming bug in the first place. This would be the RTM Internet worm. It was only meant to traverse the internet to see how far it would propagate. Unfortunately it replicated far faster than RTM had envisioned thus causing the massive shutdown.
People such as this are far more interested in acquisition of information or the 'Thrill of the hunt'. If they have access or knowledge of the techniques for breaking into critical systems, then they have little reason to show their presence.
I would say that that we are actually in pretty good shape. Systems are attacked daily by crackers, and this has been going on for so long now that 99% (Completely made up, but probably low) of the flaws originally existing have been fixed. Without crackers, script kiddies and a few exceptional individuals, nearly every computer would be wide open to attacks sponsored by other nations. If companies had to pay people to find holes in their systems, The REAL cost would run much higher than even the imaginary cost they list when they try to prosecute crackers today. It's like a free benefit to businesses. Really the only way they could screw it up for themselves is to pass legislation against it--then what would happen? Our systems, in general, would be much easier to crack. On the other hand, perhaps that's what our government wants? Wasn't there an article about an attempt against the Australian stock exchange from a US military base today?
- Dept. of Defense headquarters (Pentagon), plus several major military and intelligence installations (a few bases, CIA, NSA and NRO headquarters) and plenty of defense contractors all over the place
- A major chunk of Internet traffic runs through here (MAE-East), not to mention ISPs (MCI, UUNet, GTE, Sprint & AOL are all either headquartered here or have a major presence...and let's not forget InterNIC)
- The local police organizations are woefully unprepared for an emergency of that magnitude (they couldn't keep traffic clear for a football (American) game on a *Sunday* that was scheduled well in advance, what will they do if/when it hits the fan?)
Let me shut up...I just remembered that I live in the area
Situation:
most systems have weak security
1.exploit info is widely available (Phrack/L0pht/etc)
Everyone knows the FBI hires people who work on these publications. Anti-virus teams routinely read similar magazines like the old 40h.
Solutions:
* restrict access to security weaknesses (net censoring/eavesdropping/illegalizing reverse engineering/etc...)
Leave the alarmist hype to the media, please.
This only encourages arrogance, which is a serious threat to security and also is the best attack against a country's infrastructure. The net is used by millions of all skills, opinions, cultures, backgrounds, tastes. You cannot expect an international organization to finish a product if their biggest concern is not setting off filters. That does more damage to productivity than taking a porn break during work hours.
Eavesdropping? No one in a position to
Reverse engineering is the most useful teaching tool that exists. Corporations and independent developers provide such tools to all types of customers, home PC users to companies trying to cut down the cost of fixing Y2K by having machines search through code for trouble spots. Auto mechanics, computer technicians, and hackers (not crackers), take their machines apart and put them back together to learn how they work.
The message on the other side of this sig is false.
It's nice to see someone not taking an academic position in regards to the matter, but actually inquire with the people that may know a bit more about the practical realities of hacking or, by association sometimes, cracking.
Now; let's make sure we point out the difference between hacking and cracking, here. :)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
As noted already, this article erroneously groups a number of threats as one. It also fails to discriminate between how Cyberterrorism would/could be practised in the 3rd world as opposed to the industrialized nations.
Dependence on networks and PCs susceptible to network attack or viruses is much more widely distributed in the west. I suspect that the ability of western computer users to get help or to solve their own problems is also going to be quicker and more authoritative.
Although it's been a long time since I lived overseas, I can't imagine that things have changed that much. Most of the software is pirated, the support for it is non-existent. Although the staff may be very knowledgeable, the knowledge is spread much more thinly. If a tech in an organization is sympathetic to the terrorist cause, there may not be anyone else available to diagnose the problem introduced. Remember: social engineering is an essential component for many damaging attacks.
I would imagine that more and more 3rd world organizations are going to regard computer/network presence as a status symbol, without regard to the risk it implies.
Turn-key solutions originating from the west will include computers where computers were never depended on before in the third world. Do these folks have a generation of folks who have used computers for the last 15 years, and at least know the rules about computer security (but maybe don't always practise)? No - except for the upper echelon of management who may have been sent to college in the West.
This article is extremely poor. It reads as if the author had done a global search-and-replace of CBNR to CBNR/Cyber, plus added a very few IT paragraphs. The tone is unreasonably alarmist.
It makes no distinction between cyberterrorism, which is an attack upon C3I (command, control, communications & intelligence) systems, both military and civil, and terrorists using their own cyber C3I.
Worse, it confuses C3I (infosystems) with CBNR (weapons systems).
Jane's editor asks some good questions, but this article cannot even be rewritten to answer them.
-- Robert
The real potential in Cyberterrorism lies within obtaining/manipulating information in order to undermine a nation's stability (I.E. false data inserted to stock tickers showing Microsoft Stock dropping drastically causing a selling frenzy). While such things are possible, they generally are not viable options. Such things would be much more difficult to do than say, building a nuclear missile from weapons grade plutonium purchased at a garage sale.
As for the price of such a venture? Depends on how much your terrorists want to be paid, anyone who could actually successfully engage in such a venture would certainly be in enough to demand to be able to ask any price he or she desired. The price of equipment required would be negligible (a few thousand bucks here or there).
The simple solution to such problems is to simply not put data of importance on anything that is connected to any network. No number of switches or firewalls will make any computer 100% safe from invasion or attack.
Ryan
I'd also like to bring up the very good point that your vulnerability is directly related to the systems you are running, and how well they are configured and maintained. For starters, any machine not on a network is almost infinitely more secure than one that is. But if you have to have a computer on a network, you better make sure you have someone who knows what they are doing configure it for security. Or get something that is inherently secure. Not to sound like a fanatic (just a fan), please note the Army's recent decision after counsel with the W3C to switch their web server to a Macintosh. However, it may not be practical or desirable to switch every machine in the operation to something else. The only way to fight knowledge is with knowledge. Fight cyberterrorists by being smarter and better than they are. That alone should take care of most of the script-kiddies. Then you have to worry about those who are smart enough to do it for other reasons...
"Is this not a rare fellow, my lord? He's as good at any thing, and yet a fool." -from "As You Like It", Act 5,
The intense focus on "shut down the power grid" scenarios, and tight analogies with physically violent techniques (unlike CBRN, "Cyber" warfare is not inherently violent/destructive), serve only to ignore much more potentially effective uses of IT in terrorist warfare - intelligence-gathering, counterintelligence, and disinformation. The article does not touch on these points *at all*, and quite frankly is worthless sensationalism without them.
In warfare as well as in business, IT is "the great equalizer". Its low financial barrier to entry, relative to heavy industry, allows even the poorest organizations an IT effectiveness equal (or nearly equal) to the richest, most powerful nations and corporations. The greatest advantage the covert warfare arms of major nation-states (CIA, Mossad, etc) have over small terrorist organizations is the financial wherewithal to develop massive intelligence networks, and to easily spread disinformation via access to public media and an enemy's internal communication channels. IT very much levels the playing field in this regard.
If a terrorist group can penetrate the security of an enemy organization's computer networks, they do not need to do any damage to be militarily effective. Rather, they can quietly copy information to process at their leisure, without having to physically smuggle it out of secure facilities. In particular, this approach, combined with automated "data mining" techniques, can be used to search for useful patterns in vast stores of insecure and apparently unrelated data (c.f. Stoll, Clifford: _The Cuckoo's Egg_ (a very well documented example of state-sponsored computerized intelligence gathering)).
Another use for this access is disinformation. False or misleading information can be planted in (or deleted from) databases, undermining the effectiveness of organizations relying on that information. And in our current world, where authentication via strong encryption is still rare and nonstandard, IT can make forgery easy. Credentials can be forged to fool authorities or the media for purposes of disinformation, or to enhance covert physical activities.
Encryption also provides effective counterintelligence for very low cost, both maintaining information secrecy and providing authentication for otherwise anonymous data. Public key encryption can allow a network of intelligence to communicate secretly, without direct contact, and with sophisticated tools for obsoleting compromised keys and secrets. The major governments, who have long depended on spying on civilians, have good reason to fear this technology.
Another use for IT is the copying and *publication* of incriminating information. For an example, consider an environmentalist "terrorist" organization uncovering and publishing secret corporate or government documents on toxic waste spills, or covering up the hazards of a project. No physical violence need be performed to do terrific practical damage. Remember the Pentagon Papers? Their publication was instrumental in turning the tide of public sentiment against the Vietnam War. Yet those had to be delivered as physical copies by an internal spy to a major media group, and the government nearly succeeded in suppressing the evidence in court. With electronic copying and widespread distribution, governments no longer have any power to stop such publications.
Of course, we could go into much greater detail, with more specific examples, but I think the point has been made. The article ignored the most effective uses of IT for terrorists, while simultaneously advancing unrealistic and undocumented doomsday scenarios (shutting down the power grid), and blowing normal organizational activity out of proportion (bin Laden's use of email, for example). Rather than a Slashdot-driven rebuttal, the editors would do well to reconsider publication of the article altogether, until a more comprehensive and realistic article can be written.
---
Maybe that's just the price you pay for the chains that you refuse.
Hand me that airplane glue and I'll tell you another story.
Comments on the specific Q's
* It would depend upon the vital system, of course. It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.
* Skills? There has to be somebody available to *write* the original program, and that probably means knowing something about how the target site is operated. If it's done well and does not require user input, it *might* then be possible to hand the program to a 3-year-old with his finger on the 'enter' key, and take the next flight.
* Define CT. Does a denial-of-service count? Did the "Ping of Death" count? Does 'telnet' count?
* The only way to know what's attackable is to know every system. I don't pretend to be omniscient, but common sense should apply; my refrigerator is not running a Telnet server, for instance. My bank probably uses encrypted communications and a journaling filesystem with transaction logging. A web guestbook might not have been written w/ an eye towards preventing filling-up-the-disk. Etc.
* Recovery? It depends. If one gets "rooted" and the attacker simply wipes all files, it's time to go get the mag tape. If the attacker simply uses your machine to go on online chats and doesn't actually *do* much, that's a different story. Of course, many will point out that you can't *really* know unless you were watching the entire session, and should therefore reach for the mag-tape.
* It's a continuing race. Those who neglect security have more to lose, however.
* Advice? Use your head. Use systems by people who actually care 'bout security. Follow principles 'bout least-privilege and so forth. And don't bring your box online before searching for relevant docs -- but also don't believe that the sky is going to fall as soon as you plug in that cable.
Misc notes --
* (minor) Possibly, the full name of the LTTE -- the Liberation Tigers of Tamil Eelam -- should be used. {shrug}
* Similar minor nitpick: Is it 'bin Laden' or 'Bin Laden'? I've seen both in print.
* Something to note: a 'Cyber' attack, as the article terms it, would most probably not incur nearly as harsh retaliation as a CBRN attack would.
* As was noted above and no doubt below, substitute 'cracking' for 'hacking'.
* Consider adding the motive 'extortion'. This may or may not be plausible based on the difficulty of getting the money...
* Consider adding the motive 'fear-mongering'; that is, to cause a population to be unduly alarmed at the alleged possibility that their banks will be raided or that malicious crackers will down a jetliner or so forth.
While I'm dubious that cyberterrorism itself could lead to a massive loss of life, it would make one fine distraction for a CBRN attack.
It wouldn't even take an attack on financial/government servers... the trucking industry, for instance, is every bit as important to the everyday workings of the country as being able to use the ATM. How much of a distraction was it when that satellite (whose name just dissolved from my pitiful excuse of a memory) went down?
For that matter, I wouldn't imagine it would be difficult to redirect any shipment en route if the company uses satellites to track shipments/inform drivers. "Hey Joe, those bins of auto parts we picked up don't go to the Saturn factory, we're taking them to a warehouse in downtown Nashville now."
"The things we wizards have to put up with."--Jethro Bodine
So, basically, our tax dollars go for you to help governments be more effective in beating their discontent population, or strengthening the domestic military (police), or who knows what, maybe killing someone about to make a legitimate scientific advance in the name of national security.
And you expect a group of people who believe in something greater than the primitive nation-state to assist you in doing so.
My advice for your article (that was written by a 5-year-old, it appears) is to produce some journalistic integrity, prove that you do not use all of your "intelligence" to make yourselves richer and shady government institutions stronger, and then come back and maybe we'll be nice enough not to hack your website.
(Permission is granted to JANE'S and/or others, as designated by JANE'S, to reprint this posting, in whole or in part, provided that any editing is made clear in the final printed result and that Robert J. Hansen, rjhansen@inav.net, is attributed as the original author. If anyone wishes to contact me regarding information warfare issues, please feel free to use the abovementioned EMail address. My public key is available at the usual keyservers, and also here on Slashdot.)
Q: What's the accepted terminology -- "cyberterrorism"?
A: Most hackers avoid anything "cyber" like the plague; I prefer "information security" for what I do, which is defending systems from information warfare. Besides, "chemical, biological, radiological and information warfare" sounds better than using "cyberterrorism".
Q: Using CT/Information Warfare, how easy or otherwise is it to bring down or attack vital systems?
A: It depends a great deal. A lot of it depends on whether an attacker wishes to target a specific vital system/subsystem, or whether an attacker is going after targets of opportunity. Many vital targets are inappropriate for information warfare. For instance, although an IW attack against a sewer-treatment system could devastate entire cities with plague and disease, very few sewer-treatment systems have their vital components hardwired into the Net. Unfortunately, a great many systems are both appropriate and not in any substantial way secured against IW. The telephone network, for instance, is a prime example of a system which is substantially under-secured.
Q: What sort of skills would be needed to do so, and are they common/teachable?
A: Bruce Schneier (schneier@counterpane.com, public-key available from the usual servers) once said that "only the first person has to be smart, everyone else can just use software". The skills needed to invent and/or discover new attacks against networks are substantial, somewhat rare, and are very demanding to learn. However, once the attack has been invented/discovered, software can be written to vastly simplify the task of executing this attack. It took Cult of the Dead Cow months of hard work to develop Back Orifice and Back Orifice 2000, but after they developed this software it was available to the community at large. CDC are ethical hackers who released Back Orifice as a way to embarrass Microsoft into patching their awful security model, but there are thousands of wanna-bes who are now attempting to use Back Orifice for unethical and criminal ends.
Q: Commercial-off-the-shelf software: can it really do CT?
A: It's not sold at Fry's or Best Buy, so it's not exactly "commercial, off-the-shelf software". There is a significant software black market, though, and software to conduct IW can easily be found on this market. There's no real guarantee of software quality, though; for every skilled engineer who designs a tool, there are a dozen half-trained monkeys who think they can do the same thing. That's true in both the commercial and underground software markets.
Q: Which systems are actually attackable?
A: If it's got a connection to the Net, it's attackable. Some systems are just more attackable than others.
Q: Can a recovery be made from such attacks?
A: Sure. Hiroshima is a booming, bustling city today. If Hiroshima can recover from the savage insult of The Bomb, then I'd have a hard time believing that a community, state or nation couldn't recover from an IW attack.
Q: Can a recovery be made quickly from such attacks?
A: In theory, absolutely. But you need to prepare for post-incident recovery before you're actually attacked. Most places don't have any kind of post-incident procedure in place, and those that do frequently forget all about their post-incident procedures.
Q: Is it likely to improve/get worse?
A: I think it's going to get a lot worse before it gets better. People tend to view computers as magic boxes; you plug them in and they go. Very few people really want to think about how many individual components go into a computer, and how much more complex a computer network is than a single computer. You wouldn't dream of driving your car 10,000 miles without changing the oil; we've been taught that this is a Bad Thing. Many people lack the technological savvy to realize when they're doing the technological equivalent of driving 10,000 miles without an oil change.
Q: What sort of preventative work would you recommend them to carry out?
A: There are some very good computer security firms out there. Hire these outside, independent contractors to perform audits of your security. When they talk, listen -- don't fall into the trap of "we didn't come up with it, therefore, it's inferior". Secondly, only use open, peer-reviewed protocols, algorithms and operating systems. Many people think that if a system is open it's insecure, since an attacker can see how it's put together and determine how to best attack it. This logic is faulty. Open systems are designed to be secure even if the attacker has perfect knowledge of the system; closed systems are designed to be secure only if the attacker has minimal knowledge of the system. And any attacker worth his salt is going to have intimate knowledge of the system he's attacking, which means that closed systems operate at a distinct disadvantage.
Q: Any last words?
A: Yes. Please, please, please do the hacker community a favor. Please learn the distinction between "hacker" and "cracker", and bring up this distinction in your publication. Jane's is an esteemed, respected publication, and I would be delighted to see some well-known source explain to its readers that, contrary to media usage, hackers are usually ethical individuals with a high degree of technological savvy; crackers -- criminal hackers -- are fiends and malcontents who deserve nothing but condemnation and scorn from society.
One of the things I thought is:
what benefits can a Slashdot reader get from getting posts republished in commercial press like Jane's?
Isn't it just "work for me for free"? (Apple PSL)
Remember:
"All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-99 Andover.Net."
This is the other meaning of the phrase "open source" mentioned on the opensource.org Web pages: in intelligence/surveillance circles, an "open source" is one openly available, like a newspaper or magazine you can just buy anywhere, as opposed to a source that's handing you information that not just anyone can get. The two communities may be closer than we'd guessed!
--
Xenu loves you!
>net censoring/eavesdropping/illegalizing reverse engineering/etc
i hope you are being sarcastic...!
I have to agree entirely. When I was reading the Jane's article I kept on waiting for something original or insightful but it was just too shallow. Compare this to the description of the PC Week server crack last week. (Jane's does have a different audience, but still, it's a boring read.)
One of the main problems is that it doesn't specifically define CT and why it is dangerous.
>Using CT, how easy or otherwise is it to bring down or attack vital systems?
>which systems are actually attackable?
Every system can be attacked/shutdown.
Assumption: Every system requires an organization to support it or has access to the physical hardware. E.g. banking IT departments, telecommunications consulting firms.
All a terrorist group has to do is to plant an agent into these groups and then, maybe during a major company re-org or on Dec 31, 1999, attack the physical hardware. These computers are located in a secure room, but how many are built to withstand a C4 explosion? How about stealing backup tapes, altering them with a hostile program, replacing the tape, then causing the system to have to restore from the tape?
Hell, how about infiltrating Bell/Lucent/Citicorp/IBM, rising up the ranks of management, then crippling the institutions by making Pointy-Haired Boss decisions to weaken the systems from within?
My point here is that human engineering can go farther than any software/cracker if a dedicated organization sets its mind to it.
Warfare is the ability to strike at the military and incapacitate its ability to fight. I would figure that this is nearly impossible to do. A friend working at the DOE at Sandia described the "air gap" between the classified and unclassified parts *in a single mainframe*. There's no physical method for the information to move between the two parts of this monster computer. I believe that standard procedure on all government computers states that no classified information can be stored on machines connected to the outside world. Similarly, militaries have plans to deal with bombs dropping on their communications centers; I don't think that a regular DoS will bother them much.
Terrorism, on the other hand, involves striking at civilian targets in an attempt to advance a political agenda. (Which is distinct from war: Clausewitz was wrong, war is not an extension of politics; see Keegan, and others.) In general, these actions are going to be attempting to disable civilian infrastructure: power plants, power grids, phone networks, etc. I would guess that as these institutions move to exploit the power of modern computing, some will use remote administration tools. Some of these tools will be buggy, and some of these bugs will enable attackers to incapacitate the utility. I don't think that these attacks will be common, or effective, as most of these companies are large enough to hire some smart computer security people once the first such attack makes the newspapers.
Crime, on the other hand, is going to be theft or fraud of various kinds. These issues will affect financial institutions, ecommerce, etc. Like terrorism, as these institutions move towards more computing, they will become initially more vulnerable, but eventually they will settle into the same type of security as they currently possess.
Once a failure occurs, Americans (as opposed to say, the Japanese) are usually pretty good at identifying the problem, publicizing it to their peers, and fixing it. I would expect that as society moves more into the information age, various illegal elements will follow us. However, as always, we will have methods of policing them and limiting their damage.
Distinguish between these cases, as the principals have very different motivations and goals. The difference in funding (for attackers of these different classes) is irrelevant as most of these systems are just as vulnerable to a lone kook as to a well funded organization.
btw: the authoritative computer security book is O'Reilly's by Spaf and Garfinkel. It covers most of these threats and more. I'd highly recommend it for anyone interested in computer security.
just my $0.02,
--sam
Any technology distinguishable from magic is insufficiently advanced.
refer to the many science fiction worlds because some of the conventions they use are not just for convenience.
1. Using CT, how easy or otherwise is it to bring down or attack vital systems?
This depends on the level/quality of security measures and the goals of the attackers. "Attacks" against computers and networks most likely don't have the goal of performing actual destruction -- access to the "enemy's" computers and networks is much more valuable for gathering information while those systems are considered to be secure than for performing actual acts of destruction and very likely exposing the insecurity. Well-known cases of successful unauthorized access to computers are more at the level of high-visibility pranks (defacing web pages, demonstrating access to private information stored on some company's servers, etc.), and even though they can be used to threaten companies and governments, there is no evidence that this was ever done.
However, if the goal is to actually perform something destructive, the possibilities are abundant -- everything that is controlled by computers can theoretically be vulnerable to some kind of computer-based attack. The possibility of attack depends on the possible ways a computer and/or network can be accessed.
2. What sort of skills would be needed to do so, and are they common/teachable?
Basic skills are very common, and are available to every person with a basic understanding of computers and networks. Pre-made scripts, kits, etc. (software-only) are widely available, and the skills necessary to apply them are at the "advanced computer user" level. Some of them are targeted at gaining unauthorized access to some kind of system, some are designed to temporarily disable some functions (denial of service attacks); however, none of them are specifically targeted at performing actual destruction of something in particular (phone systems, banks, military, etc.) -- some more advanced knowledge is required to actually perform an attack with noticeable consequences beyond the level of shutting random computers down, disabling parts of networks, disrupting email and file transfer services and gaining unauthorized access to various information.
The skills necessary to design software for a sophisticated attack, perform the attack while unknown obstacles are present, and establish monitoring of compromised systems or networks are less common, however still widespread. In most cases they are at the college student level.
The skills necessary to establish an outside link from a closed network or standalone computer, with communication equipment present, are basic skills necessary for any work with computer/communication equipment; however, this does not include the ability to perform those actions secretly.
3. Commercial-off-the-shelf software: can it really do CT?
Both commercial and noncommercial software can be used for all kinds of attacks. Software specifically designed to be used for such attacks is available, as well as various kinds of security probes, monitoring software, etc. that are not specifically designed for such a goal yet can be used for it. However, more important is that a large amount of the software used in various systems is vulnerable to attacks because of poor design, bugs, or unrealistic expectations about the secure environment the software is supposed to work in.
4. Which systems are actually attackable?
Obviously, a system that is not connected to any kind of communications is only vulnerable to direct physical attack, and if physical access is gained, the attack can't be stopped by any means other than disabling the access and recovering the system. However, the goal of physical access to that kind of computer may be to establish some kind of communications between those kinds of machines and something else instead of performing destructive actions or copying the data directly -- for example, by attaching some kind of communication equipment, by the use of existing but disabled equipment, etc. Usual physical security measures and restricted access to this kind of computer can prevent all kinds of physical attacks, and measures that restrict the use of communication equipment, shielding, etc. can prevent unauthorized links.
Computers connected to some closed local network (with no physical links outside the secure environment -- not systems that have networks with physical connections outside, restricted by some kind of firewalls or gateways), or that have long console links, are vulnerable to attacks that originate from within the network. The difference from a true standalone system is that those networks already have a large number of pieces of communication equipment working, and their size and accessibility allow more possibilities to establish "invisible" links. In most cases there is some possibility to attach something that establishes this kind of link without bringing any additional equipment, and even in the case when external communications are severely restricted (no phone lines) it's possible to add some wireless device, powerline communications, etc.
Computers connected to some restricted local network (with connections outside, restricted by some kind of firewalls and gateways) are vulnerable to various kinds of attacks, originating both from within and from outside. An attack from outside may be started by using some service accessible from outside for some reason, or by directly compromising a firewall accessible from outside. An attack from inside can be everything mentioned above plus compromising the firewall or installing some software or hardware that establishes connections to something outside by mimicking legitimate use of the firewall, and an attack from outside can very likely have the goal of installing software of this kind. After the firewall is compromised, this configuration can remain inactive for a long time without being detected by any reasonable means. The service used for the initial attack can be something innocent-looking enough to be allowed by the firewall and vulnerable enough to be used for its compromise -- email with vulnerable mail readers, HTTP with vulnerable browsers, etc.
Virus or trojan programs can be used for initial attack if the computing environment in such a network allows them to be viable.
If a restricted network allows some computers outside to access some "privileged" services that can be used for an attack, those computers can be the initial target, and once compromised, can be used to access the restricted network even if the means for communications between those outside computers and restricted network are secure. If the means of access are in some way insecure, they can be attacked instead of computers with the goal of spoofing communications with those computers and gaining access on their behalf.
Stand-alone computer with dial-out or dial-in modems, or closed local networks with such computers are in the same category as restricted local networks.
Restricted network after the firewall compromise are either in the same state as unrestricted networks, or, most likely, unrestricted and compromised in some way.
Computers connected to unrestricted local networks or "directly to the Internet" (which is basically the same thing) can be vulnerable to various attacks, with vulnerability depending on the secure configuration of the system software and applications running on them. Vulnerabilities can be divided into two classes -- "local" and "remote". Local vulnerabilities allow various kinds of access to data and functions (up to absolute control of the system) to users that already have some restricted access to the system. Remote vulnerabilities allow users that have absolutely no access to the system except possibly the use of services available to the "public" -- such as sending email to the system, accessing an HTTP server, etc. -- to gain some access, and often absolute control of the system. Note that "local" in this case does not mean that the user is physically present anywhere near the computer -- it means that the user has to perform some action while logged into his account on the computer, as opposed to a "remote" user that may have no account at all. Protection against attacks directed against such computers includes proper configuration of the security features provided by applications and operating systems, and disabling unnecessary or known-to-be-vulnerable software and services.
All kinds of computers, including ones that are connected to restricted or closed networks, should be protected against attacks of this kind, even if restrictions placed on the networks are supposed to prevent them. This is important because networks, despite being protected, often have large number of point of failures from the security standpoint, and attack may originate from within the network. Networks that have computers, using software known to lack security features, should have those computers separated from the rest into subnets, with firewalls, configured to prevent exposing those vulnerabilities to all other, even "friendly" computers.
Networks can be compromised to allow an intruder to read, disable or spoof traffic through them, thus allowing the possibility of attacking computers attached to them. In general, once one computer or router is compromised, and the attacker has gained complete control over it (root, administrator, etc.), part of the network is compromised with it. In different network configurations such a compromise may be limited to the traffic to/from the host, some local group of computers, a local subnet, a group of subnets behind some firewall, or the whole organization.
A computer connected to a non-compromised local network or "directly to the Internet" is in most cases more secure than a computer connected to a compromised network, unless it uses unencrypted or poorly encrypted communications to pass sensitive data through parts of the network that can be compromised. A computer connected to a compromised network can remain secure if it only uses sufficiently encrypted communications, and does not depend on other computers that are already compromised.
5. Can a recovery be made from such attacks?
In most cases, once something is compromised, it can't be trusted until all potentially corrupted data/programs are replaced. This means use of backups, loss of some data and the potential risk of restoring compromised data.
Recovery from denial of service attacks is easy however temporary, unless the vulnerability is eliminated.
6. Is it likely to improve/get worse?
With the increase of software quantity, lack of increase of software quality from security standpoint, vulnerability in general will increase. With the adoption of computers in various activities the possible harm from successful attack will increase.
7. What sort of preventative work would you recommend them to carry out?
1. Competent sysadmins (with sufficient education to understand the threats, design and implement security measures for every particular situation -- this is beyond usual sysadmin training programs).
2. Physical security and no-connection policy on standalone systems, use of secure software everywhere else, minimal configuration of users and services on all security-sensitive computers, use of sufficient encryption in all sensitive communications, separation of secure and insecure parts of the networks with minimal insecure traffic between them, distrust of any protection provided by firewalls except against minor denial-of-service problems, security-aware backups policy.
Contrary to the popular belief, there indeed is no God.
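The "security-aware backups policy" recommended above, and the altered-backup-tape scenario raised earlier in the thread, can be illustrated by verifying a backup set against an authenticated manifest before anything is restored. This is an added example, not code from any poster; it assumes a manifest of SHA-256 digests is produced at backup time and protected with an HMAC key kept offline, away from the hosts being backed up, so that altering the tape without that key is detectable. All file contents and the key are constructed sample data.

```python
"""Verify a backup set against an HMAC-authenticated manifest before restoring it.

Added example (not from the original thread). Assumes the manifest key lives
offline, so an attacker who can alter the tape cannot re-sign the manifest.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample key: in practice kept on offline media, never on the
# hosts whose backups it authenticates.
MANIFEST_KEY = b"constructed-offline-key-do-not-reuse"

# Constructed sample backup set: path -> file contents.
BACKUP_SET: Dict[str, bytes] = {
    "/bin/login": b"#!/bin/sh\nexec /sbin/real_login \"$@\"\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/inetd.conf": b"# telnet disabled\n",
}


def _canonical(digests: Dict[str, str]) -> bytes:
    """Deterministic byte encoding of the digest table, so the MAC is reproducible."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def digest_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every file in the backup set, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def make_manifest(files: Dict[str, bytes], key: bytes) -> bytes:
    """Build the manifest at backup time: per-file digests plus an HMAC over them."""
    digests = digest_files(files)
    mac = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return json.dumps({"files": digests, "mac": mac}, sort_keys=True).encode()


def verify_backup(files: Dict[str, bytes], manifest: bytes, key: bytes) -> Tuple[bool, List[str]]:
    """Check a backup set against its manifest before anything is restored.

    Returns (ok, problems). Any problem means the set must not be restored
    as-is: the manifest may be forged, or files altered, removed or added.
    """
    problems: List[str] = []
    try:
        parsed = json.loads(manifest)
        expected: Dict[str, str] = parsed["files"]
        mac: str = parsed["mac"]
    except (ValueError, KeyError, TypeError):
        return False, ["manifest unreadable"]

    # Authenticate the manifest first: an altered tape shipped with a matching
    # but unauthenticated digest list would otherwise pass every per-file check.
    recomputed = hmac.new(key, _canonical(expected), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(recomputed, mac):
        return False, ["manifest MAC mismatch: manifest not signed with the offline key"]

    actual = digest_files(files)
    for path in sorted(expected):
        if path not in actual:
            problems.append(f"missing: {path}")
        elif not hmac.compare_digest(actual[path], expected[path]):
            problems.append(f"modified: {path}")
    for path in sorted(set(actual) - set(expected)):
        problems.append(f"unexpected: {path}")  # files the backup never contained
    return (not problems), problems


def tampered_backup() -> Dict[str, bytes]:
    """Constructed scenario: the login program on the tape was altered and a file added."""
    files = dict(BACKUP_SET)
    files["/bin/login"] = b"#!/bin/sh\nexec /sbin/real_login \"$@\"  # altered\n"
    files["/usr/lib/libshadow.so"] = b"\x7fELF constructed extra file"
    return files


if __name__ == "__main__":
    manifest = make_manifest(BACKUP_SET, MANIFEST_KEY)
    print("clean tape:", verify_backup(BACKUP_SET, manifest, MANIFEST_KEY))
    print("altered tape:", verify_backup(tampered_backup(), manifest, MANIFEST_KEY))
    # An attacker without the offline key cannot produce an acceptable manifest.
    forged = make_manifest(tampered_backup(), b"attacker-guessed-key")
    print("forged manifest:", verify_backup(tampered_backup(), forged, MANIFEST_KEY))
```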
This depends on the system that is being attacked. The ease increases significantly if the system is isolated from networks. In this case, an attack may require physical access to the computer which may be difficult to obtain. Conversely, if the system is accessible by the Internet and is not kept up to date then it may be easy to attack.
Something else that you need to consider is the type of attack being conducted. A DOS (Denial of Service) attack merely prevents others from using the system/service being attacked, so it is more easily conducted. If you are trying to gain system access, things become more difficult by several orders of magnitude.
What sort of skills would be needed to do so, and are they common/teachable?
At the most basic level, the skills needed could be learned in a few months at most from sources available on the Internet. However if you need to come up with new attacks or techniques, the skills may take years to learn.
Commercial-off-the-shelf software: can it really do CT?
Although commercial software does not do CT per se, commercial security scanners can point out security holes in software. With this information, attacking the system becomes much easier. Also, there is free software that will do CT available.
Which systems are actually attackable?
Guaranteed security is not possible for any system. It is possible to make attacks extremely difficult to conduct but the safety of the system can never be assured. That being said, systems designed with security in mind are generally very difficult to successfully attack.
Can a recovery be made from such attacks?
If the damage from the attack is limited to data or the system then a recovery may consist of just restoring a backup or switching to a backup server. If this is the case, you can recover in a few seconds (if a backup server is available) or a few hours (restoring a backup). How much data you lose depends on the recovery method, but it's possible to lose virtually no data.
Is it likely to improve/get worse?
The situation will probably remain constant for most services although sites with a good security policy will probably become more secure as more people become aware of the risks.
What sort of preventive work would you recommend them to carry out?
Ideally critical systems should not be accessible from public networks. In extreme cases, the system may even be isolated and all access to the system may require physical access. However even for publicly accessible systems, firewalls, intrusion monitoring systems, and similar techniques can stop all but the most determined attackers. If a good logging system is being used, the attack's source can be determined even if the attack is successful.
I don't think it's overblown. I used to work at an ISP which was being attacked by Bulgarian nationalists; we weren't small or insignificant, just not able to keep on top of every system at every moment, and once you piss a competent hacker off you have to worry about more serious retribution (we had a guy blow away /usr on one of our servers because we cancelled his account). I've talked to people who have either used IT to attack people and organizations, or been attacked. It is serious. Real serious.
I don't know what these Bulgarian guys were finding, but we had all kinds of customers who could prove to be interesting targets.
Sure, I think CT is overblown to an extent, but I also think there are a lot of people out there not doing enough to prevent it. We're unprepared. Someone needs to prepare us.
I think the real danger of attacks on computer systems is to the civilian infrastructure. This happens to be exactly the target of terrorists; they want to terrorize the people and the govt. of a country.
Here are the scenarios:
- there are a lot of foreign contractors developing software for public utility, phone and other companies related to civilian infrastructure. So, the terrorist group finds one who sympathizes with their cause (or their money) and this person inserts malicious back doors into the software.
- Most chip manufacturing is done abroad (i.e. the fabrication) and also a lot of design and development is also being done abroad. Again, insert a malicious hardware unit onto the processor which can be activated by only the right set of inputs. This is virtually impossible to detect.
To get an idea about how clear this danger is, read the article about the hacker group L0pht which was reported on /. yesterday. They claim they can take out most of America's electricity grid within minutes.
First, I agree with others that the distinction between physical and digital threats is blurred, and needs to be broken out as a separate alternative. Shutting down a power grid and blowing up a nuclear reactor are vastly different things to accomplish, and have vastly different results.
Second, I agree with others that the costs of homemade warfare are most definitely not restrictive. That sarin gas was much more expensive than a good old-fashioned bomb, which would have done much, MUCH more damage on the subway.
Third, one skilled tech can do a whole heckuva lot more damage than a well-funded attack squad that lacks the right experience. The costs are non-existent, as the motives of those capable are rarely understood... I do not believe that you can buy skill, at least of the world-class variety, but there are those with the needed skills that are interested in just about any major issue out there - and are willing to fight for the cause they believe in. The people with those skills exist, and they will do what they can (it is human nature after all); and I am just glad that we can open a dialog and be aware of the possibilities.
Last, there are a few typos. Really.
- mitchy
"The mind is a terrible thing to, um, uh, oh bollocks." -- Me
-Using CT, how easy or otherwise is it to bring down or attack vital systems?
Most systems on the internet are fairly easy to compromise using "off the shelf" tools found on the internet. This said, most of these systems are of little interest when engaged in CT.
Other systems such as utilities are much harder to attack and would require lots of research and work to attack; these systems are not vulnerable to attack by off the shelf tools.
I believe that the vulnerability that exists in public utility services is mostly due to a misguided trust in obscurity and laziness. These types of errors are easily fixed and hard to discover. As an example, I know of a city where the traffic lights can be controlled over a modem. These lights, though, are all on unlisted phone numbers. So while an attack is possible against them, because the manager of the lights believes that it would be too inconvenient to install passwords on the lights, it requires three special pieces of knowledge to attack: one, the fact that they are vulnerable; two, the phone numbers for the lights; three, the protocol that must be used to talk to them. With work all of these pieces of information can be obtained, but only after a great deal of work. It should also be noted that even once compromised the damage one can do with the lights is minimal. There is hardware that prevents the all-green problem no matter what the software on the controller commands. This attack could be made more difficult by configuring the software on the light controllers to use a password for authentication instead of just allowing anyone with the phone number and the right software to connect and control.
An attack of this type can be taught to anyone given enough time. The three most important skills in performing these types of tasks are patience, logic skills, and social engineering.
In general I believe that while there is a real danger of such an attack now, if we change our attitudes as a country we can easily make these attacks largely impossible for a terrorist group.
1) Log on to the following address
http://skyscraper.fortunecity.com/gpfault/134/dloads FYI, this is not a hacking site.
2) Click on any of the first array of names. Either something will reply 'Bad File Type', or pop up 'Pick App'. If 'Pick App', browse and find any file you want to run, Click.
WARNING!: I accept NO responsibility for anyone using this technique, however, I can provide the cure for this, as a consultant. If I am going to be branded a threat thank-you-very-much, I would like you good folks to accuse me of being a white hat.
UWMilwaukee Golda Meir Library ran me off, calling me a pornographer, for no reason other than finding their mistakes, and that they hire incompetent people, unable to stop this. I offered to fix their flaws, and they'd rather fix me. They might be able to ban me from the entire UW system, depending on how court goes (yes!). Also, Marquette University has some of the same flaws, but minor. I would check your systems, sysadmins. This one will work BEHIND a firewall!
Email me, I could use some help myself. =(
This mind intentionally left blank.
The KKK a bunch of sheetheads? You decide!
I think the most effective use of computer technology by terrorists would be to research vulnerable infrastructure links or nodes, which could then be attacked with conventional methods. This could cause dramatically more disruption than random attacks on infrastructure.
For example: terrorists who wanted to seriously mess up a city could determine what power lines supply the city, and attempt to bring down all of them at once. It is relatively easy to destroy a high-voltage transmission tower. Just destroying a few power lines at random might not have any effect on the population, as the system has redundancy.
The resulting chaos could be effectively used for cover for further operations. A relatively small group, say 50 people with inexpensive equipment and explosives could probably keep a large city completely disrupted for weeks by repeated, coordinated attacks on infrastructure.
Recent events demonstrate that a single backhoe can do a lot of damage to the internet, despite redundant links. What could terrorists do with a few dozen backhoes across the country, carefully orchestrated to take out as many redundant links as possible? If they had some detailed knowledge of how the internet was routed and where the fiber lines are, they could probably destroy coast-to-coast connectivity for at least a day or two. This is the kind of knowledge that "hackers" could probably acquire.
It would not be expensive, or difficult, or dangerous for terrorists to do these things. It is difficult to guard against. There are thousands of miles of fiber optic cable, clearly marked "Call before you dig!"
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
Some of us who were around for the Morris Internet Worm have been screaming about the need for better Software Quality Assurance (SQA). Bad SQA was the proximate cause of the fingerd buffer overflow that Morris exploited.
Much more worrisome is the proliferation of proper, Turing-complete interpreted languages in unsafe contexts, e.g. Microsoft Word Macros, JavaScript and ActiveX in web pages, etc. We should not be designing and deploying programs which allow for execution of "foreign" code from untrusted sources without prior, explicit permission from the computer user, each time!
Unfortunately, the pull of additional functionality has been greater than the pushback of potential security flaws in the basic model, so these incredibly dangerous systems get deployed, and those of us who speak out against them are decried as alarmists.
And do I need to mention that the vast majority of desktop Operating Systems (e.g. MacOS, Microsoft Windows) do not use the MMUs for any kind of application address space protection, which makes any incursion that much more serious?
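The fingerd overflow mentioned above came from reading a request line into a fixed stack buffer with no length limit. The block below is an added illustration, not code from the original post or from any fingerd: it shows the unbounded pattern only in a comment and implements a bounded request-line reader that treats an overlong line as a protocol error rather than letting it run past the buffer. REQ_MAX and the helper names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define REQ_MAX 512   /* historical fingerd used a 512-byte stack buffer */

/* The unbounded pattern that made the 1988 overflow possible, kept here
 * only as a comment for contrast: gets() does not know how big buf is,
 * so any line longer than REQ_MAX-1 bytes overwrites whatever follows
 * buf on the stack.
 *
 *     char buf[REQ_MAX];
 *     gets(buf);
 */

/* Bounded replacement. Reads one request line from fp into buf (buflen
 * bytes) and strips the newline.
 * Returns 1  for a complete line that fit,
 *         0  on EOF before anything was read,
 *        -1  if the line was longer than buflen-1 bytes; the rest of that
 *            line is discarded so the next read starts at a clean boundary,
 *            and buf is set to "" so a caller cannot act on a fragment. */
int read_request_line(FILE *fp, char *buf, size_t buflen) {
    if (buflen < 2 || fgets(buf, (int)buflen, fp) == NULL)
        return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    /* No newline in buf: either input ended, or the line did not fit. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return 1;             /* unterminated last line, or exact fit */
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                     /* drain the overlong line */
    buf[0] = '\0';
    return -1;
}

/* Convenience wrapper: parse a request from a constructed in-memory byte
 * string (as if it had just been read from the socket). */
int read_request_from_bytes(const char *bytes, size_t len,
                            char *buf, size_t buflen) {
    FILE *fp = fmemopen((void *)bytes, len, "r");
    if (fp == NULL)
        return 0;
    int r = read_request_line(fp, buf, buflen);
    fclose(fp);
    return r;
}

int main(void) {
    /* Stand-alone use: read one request from stdin with the real-size buffer. */
    char req[REQ_MAX];
    int r = read_request_line(stdin, req, sizeof req);
    if (r == -1) {
        fputs("request too long\n", stderr);
        return 1;
    }
    printf("request: \"%s\"\n", r == 1 ? req : "");
    return 0;
}
```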
You can do more than shut down an infrastructure with a computer; what about attacking a system at Fort Drum that tells me that a division of troops just left there and now there is a sudden up curve in supplies needed at Fort Benning?
Or how about getting reception and decoding capabilities of the CIA's RORSATs?
How would you like to know what info your enemy has on you? How would you like to give them the false impression that their new ally is stabbing them in the back?
There are a myriad of things that can be done with tech. DO NOT limit yourself to mere attacks; there is the art of deception, distraction, and intel.
Keep an open mind; there are almost no limits to the tactics that can be applied, both in small arms war and strategic battles.
Elephant: a mouse built to government specs
The author lumps Cyberterror with CBRN and fails to distinguish military from civilian. The author further mistakes the cost of civilian cyberterror. A hospital I am aware of runs its entire building management system on what is essentially an unsecured network with remote access. What is the cost to hack such a network? Quite low, made lower by the fact that technically unsophisticated users (maintenance staff) use it. What is the potential payoff to a terrorist who gains control? Very high. Consider the psychological effect of a major hospital suddenly having all its fire alarms and sprinklers go off, the heat rocket to over 100 degrees F. in all the common areas, while the magnetic fire doors slam shut and the card readers stop working. Scary, and entirely possible.
It was commented on another top-level response that the physical aspect might be the most vulnerable. If you wish to see more evidence of this, look back about a month in /.'s entries and look at the EMP device (from hardware store components) that could disable an electronic system from a reasonable distance. In certain circumstances you could probably fry some hardware with that sucker. (Note that NASA actually has notions of EM resistant hardware that they take into consideration when they launch shuttles because of the background radiation that would normally be filtered by our atmosphere.)
IM(PNS)HO, this analysis is more the domain of the NSA (though I'm uncertain whether they have a division catering to the safeguarding the nation's infrastructure.) They supply hardware and information to protect the FBI, CIA and military from similar threats, why not use their repositories to at least inform infrastructure organizations about their vulnerabilities.
In general, I think the article was just a bunch of technobabble, similar to all the Y2k hype and all the destructive salesmanship so prevalent nowadays. If the administrators of these important sites listened to the techies instead of the salesmen on the security aspects of their systems, there would be much less need for concern about this issue. Sadly, even taking into account DEFCON (also highlighted today) I'd say that the techies have a far superior comprehension of ethics than salesmen...
#include"disclaimer.h"
One might argue that after all the build up of nuclear power since the 50's, and after all the intelligence that was expended and lives lost for the sake of the cold war, the USSR fell to "economic warfare". The country with the most money left, wins.
You are correct, a hack of the NYSE wouldn't harm US Military effectiveness at all. But, cyberwarfare isn't about military might (how would you know where to send the troops/missiles?), it's about your service surviving an attack.
Anyway, I think the point is rather moot; any node of sufficient importance has a disaster recovery plan in place, if not "reasonable" security policies too. Cyberwarfare (hacking servers) can inflict an inconvenience on the enemy, but it's the information that should be protected (hence the fear of releasing 128-bit to the world), and since there's no such thing as 100% security (with the exception of that proverbial buried system encased in cement), we can be pretty sure that anything we know (and post) is known to all.
So, we're back to conventional warfare, with the balance of power dictated by "who can afford the most/best weapons".
Ken
The article does not touch at all on specific threats (or "exploits") that cyberterrorists might use. Nor does it list any prevention measures. The article simply stirs the crowd up and leaves them hanging with little information, a classic rhetorical device for provoking fear and/or anger.
That being said, here are some general tips for security:
1) Don't connect anything to the internet that is "secret" or "classified".
2) If a terrorist can get physical access to a computer, then they can hack it. Period.
3) Always have physical safeguards that cannot be bypassed for critical systems.
If everyone followed those rules, cyber life might be a whole lot safer.
FalconRed
GhettoHackers
I have to agree entirely. When I was reading the Jane's article I kept on waiting for something original or insightful but it was just too shallow. Compare this to the description of the PCweek server crack last week. (Jane's does have a different audience but still it's a boring read.)
One of the main problems is that it doesn't specifically define CT and why it is dangerous.
>Using CT, how easy or otherwise is it to bring down or attack vital systems?
>which systems are actually attackable?
Every system can be attacked/shutdown.
Assumption:Every system requires an organization to support it or has access to the physical hardware. E.g. Banking IT departments, Telecommunications Consulting firms.
All a terrorist group has to do is to plant an agent into these groups and then, maybe during a major company re-org or Dec 31, 1999, attack the physical hardware. These computers are located in a secure room but how many are built to withstand a C4 explosion? How about stealing backup tapes, altering them with a hostile program, replacing the tape, then causing the system to have to restore the tape?
Hell, how about infiltrate Bell/Lucent/Citicorp/IBM, rise up the ranks of management, then cripple the institutions by making PointHairBosses decisions to weaken the systems from within?
My point here is that human engineering can go farther than any software/cracker if a dedicated organization sets its mind to it.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
I think it's an injustice to lump information warfare in with "traditional" NBC-type warfare.
The problems of INFOSEC today are the infrastructure of tomorrow. Power grids, water treatment plants, telecommunications infrastructure, etc. are all quite vulnerable in at least several instances. Don't forget that it doesn't take an anonymous long-distance attack to get "in." A virus on a demo CD, a trojan in an executable "greeting card", etc. Timebombed code can be left by a temporary employee, cleaning person with physical access...
Today, employers, even those who are running critical infrastructure, are hard-pressed to not give employees Web access (401k plans, health insurance plans and others are starting to _mandate_ it). Most of those employees are on insecure, poorly administered, untrusted desktop operating systems. Add SSL and VPNs to make tunneling next-to-impossible to detect and you've got a recipe for serious electronic mayhem.
The barrier to entry here isn't very high. Look at the number of viruses and compromised hosts on the Internet, and see if you can get hold of the statistics for telephone fraud that relate to compromised PBXs. You'll see that the knowledge is already fairly easy to gain. It's fairly easily transferable too. But *there's no need to transfer it*. Recruiting people who are already good at it should be trivial for most either well-funded organizations or organizations with a strong "appeal" to either a targeted individual, or a member of the target's preferred sex group. Ideologies tend to be better draws, but it wouldn't be difficult in either case, nor would extraction of several unwilling potential accomplices. One sympathetic organization member with competence would probably have a trivial time recruiting as well.
Some of the people who have the skillsets aren't socially very far evolved, don't necessarily have access to material things they'd like and are under age. All of those groups are easily targeted.
It's all software and easily gained knowledge, and testing is trivial and not necessarily dangerous. Unlike most traditional weapons, it's fairly simple to test out information attacks without anyone detecting it because you can do it on your own systems.
Until infrastructure vendors start making secure-by-default infrastructure (switches and hubs predominantly) and it becomes widespread in the install base, things like hospitals, power plants, water and waste treatment facilities, telephone exchanges, banks, etc. will be good targets of opportunity.
While some places practice good security, not all do. It's becoming quite trivial to place a small 2" square machine onto a LAN port. Wireless networking on the back side and you're in. For less than USD$1000 you could build such systems and disguise them as appliances like lamps.
Not many places outside of the national security arena even do RF sweeps. Infrared is starting to make even that less useful.
Look at what the failed S&L industry cost; it's possible to disrupt commerce in key segments enough to cause millions of dollars of damage today, and billions over the next 5-10 years. Not all electronic terrorism need be traditional warfare; economic warfare is just as valid.
We're "used" to terrorists who directly cause terror, now we're building the capability for them to set events in motion that have longer-term effects and aren't first-order effects.
Finally, the combination of electronic and unconventional warfare, since they need not be exclusive, is a new one. False SNMP trap, compromised phone switch and a ready to deploy "customer engineer" is just one example that springs immediately to mind.
I could go on and on, but that's probably enough for now.
Paul
http://www.pauldrobertson.com
There are a couple of points that need to be stressed in this article.
In essence, CyberTerrorism should be taken as a serious threat and should be treated as such, now and in the future. We should instill in our children a sense of technical know-how and understanding of how to combat these threats as well as a moral obligation to fight the elements of our society who threaten to destroy us.
----
Lyell E. Haynes
+1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.
I'm much more concerned that someone will use real-world weaponry against the net. For example, using a couple truck-bombs against MAE-West and other NAPs simultaneously. A sufficiently coordinated attack of this nature could do real damage to the global economy just in terms of panic and disruption (massive stock sell-off, etc.). Plus, since it's a real-world attack, the damage is harder to contain/repair. I mean, anyone got a backup tape that'll rebuild MAE-West?
This sort of thing is a huge huge worry. I once spoke with a consultant who worked with a major telco who told me that a fire that destroyed a central office taught them more about vulnerability than they ever wanted to know. The example he gave was how banks were not able to trigger remote alarms because of destroyed equipment.
This sort of attack could be devastating on the net. Taking out a few NAPs would devastate the Internet. The fault tolerance is not there. Worse yet an attack to the main NAPs could force traffic through smaller less-secure nodes where monitoring has already been put in place because security may be lax.
Perhaps more importantly, anyone with enough skill to launch serious cyberattacks is probably going to be making serious $$$ in legitimate industry.
Why can't they do both? If someone is motivated by the same agenda, helping via cyberattack is a very low profile way to take part in the jihad. Those folks at the Dept. of Energy selling secrets to China were making good money I'm sure.
the history of the name "Jane's"? I've always been curious why all these combat simulators, military intelligence thingies, etc., were produced under this name. Is the female connotation supposed to make it seem less threatening?
Fuck Slashdot
As one of the other readers commented, this article just about looks like they are replacing Terrorism with CT, and rehashing a previous article. The two really have nothing to do with each other, outside of the fact that both are disruptive to the intended target. In addition, there is nothing in this article that goes into any kind of depth; I'd expect to get this article back out of an academic article abstract database, like ERIC or PSYLIT, or something similar. At least include references for additional reading.
Standard terroristic attacks are designed to physically disrupt or injure the target. CT attacks are intended to logistically disrupt or subversively capture sources of information, communications, or other lines of non-physical infrastructure. Because of this, it is much harder to identify from the inside what you are trying to defend against (would you think to secure your "recent documents" list on a computer that regularly handles sensitive material that may include logistical data?)
Reading back on this, it sounds alarmist, but I've worked in both the financial and transportation industries, and have seen points in the companies that, given the right circumstances and the right time, could cause irreparable harm to the operations.
This is really the point of CT; if I blow up a bridge, you can wade through the river, or go around to the next one; or build another command center, or have another one available. However, if I have access to your computer systems, or have the ability to alter your data, you may never be able to tell your people about the blown bridge, and half of them will walk right off of it.
This space for rent. Call 1-800-STEAK4U
If I had 1 nuke to work with, I'd put it in a plane and EMP Washington.
Lots of cheaper ways to kill people.
The article starts with the assertion that CyberWarfare is an accepted fact. The evidence for this seems to consist of a few web pages being replaced with propaganda and a physical attack by the LTTE on telecommunications facilities. Neither of these count for much as CyberWarfare. Changing web pages does not cause significant disruption and bombing telecommunication facilities has been a feature of warfare since before the internet.
Cyberwarfare/cyberterrorism is usually taken to mean causing disruption of communications or physical damage using electronic means. This article presents no evidence of either. There is a risk, but don't get carried away in the hype.
Hmmph. Article was full of crap -- it was trying to draw on 'big fears' and tie a couple together (cyberattacks + weapons of mass destruction in the hands of terrorists! lions&tigers&bears! oh-my!). More importantly, a terrorist is not likely to use weapons of mass destruction because they are such a pain in the ass to deal with (conventional bombs are cheaper -- both in terms of money and opportunity costs). A terrorist organization blows a lot of money and time on THE-ONE-BIG-SHOT, and then fucks it up somehow, then they've taken themselves out of the game. Large-scale cyber-attacks [say, i don't know, trying to crash a train track switching network with a virus, or something], even more than WMD, require you to raise your signature to find out a lot of information before you've even done anything [i.e. is a big pain in the ass to try and put together and has a potential for failure that is intimidating]. The weakness in the approach is that it relies too heavily on *one* method of attack. However, a small scale cyber attack -- when coupled with a small scale physical attack like a conventional explosion -- could be a very effective force-multiplier. For instance, a really large conventional explosion at [or even near] a nuclear power plant, when coupled with a massive spamming (by phone and e-mail) of news organizations, radio stations, 911, with a follow-on crashing/bombing of the local phone network switching centers (and maybe jam some police and emergency vehicle radio communications while we're at it?) right at the point where a lot of rumour has spread but no truth has been reported, has the potential to create an *incredible* panic at very little cost or risk. You have to think of cyber-attacks as things that do not stand in-themselves; once they are coupled with physical methods of attack, they can be extremely powerful. But you combine the attack, AND keep both the physical and cyber attack *simple*.
At least, that's what I would look for if I were a terrorist. [disclaimer: be advised, I am not advocating any activity that I've talked about in my post. I am merely using notional examples to make some points about terrorism.]
Regards, Paul Cox --------------- "It is right to be taught, even by an enemy." -Ovid
While I think the article is pretty much on point in relation to CBRN and other weapons of mass destruction I do think the author ascribed the requirements in infrastructure and funding of CBRN projects to cyber warfare...this I think is totally inaccurate. In my opinion the most advanced cyber-weapon is an Electromagnetic Pulse bomb which can be constructed by anyone with a 1940's level of engineering skills and less than $10,000 in the bank. Such a weapon even crudely constructed could have an effective radius between 200 and 400 meters. Granted, since most high tech military installations are shielded against such attacks their use is limited. But the use of such a weapon against satellite uplinks and remote listening posts is definitely an option because by nature such systems need to remain unshielded. Using such an attack in support of other terrorist activities could be devastating. Think of French partisans in WWII operating behind enemy lines to disrupt command and control activities during D-Day. Anyone could drive a truck bomb up to FIX (Federal Information eXchange) east or FIX west but what does that get you long term unless it's in support of larger operations. Even if we were speaking about the most basic use of cyber warfare such as hacking into systems, defacing websites, ... they would almost always be used in support of larger operations. Think intelligence gathering and propaganda. The cost of such activities is minimal because most information regarding system vulnerabilities is open source and available to all. As with the current revelation by the FBI, the companies that have outsourced Y2K fixes to other countries found malicious code and backdoors inserted in their fixes. An evaluation of the limited information available on this attack shows it to be elegant and very cost effective; after all, the companies themselves paid for their systems to be attacked and the attackers can explain it as just another disgruntled employee.
Another aspect of this attack shows countries that most Americans would consider friendly (Israel, Ireland, India) have their own long term "goals". What it comes down to is NEVER trust a third party to handle your security because third parties have their own goals and objectives that are almost never the same as yours. It's not in a commercial software vendor's best interest to reveal that their new OS or application is riddled with bugs and vulnerabilities, or that the latest router has buffer overflow "issues" in its management system. Guess what, it's definitely going to get worse. Nevermind the advances in information technology that are being touted as the "next best thing to change your life". When it comes down to it we are still in the industrial age...90% of IT is still used to support the industrial manufacturing process and its related supply chain. There are no robot butlers, no flying cars, and no artificial "brains" thinking for us. Security is your responsibility not theirs....no matter what ZDnet thinks (inside joke). mailto://mystik@ix.netcom.com
People who bite the hand that feeds them usually lick the boot that kicks them
The first difference is in motivation. While a Cyber attack is potentially highly destructive (if the target were an infrastructure site rather than a propaganda site, as in the recent LTTE incident) the psychological impact of a disruption of services is much lower than that of a direct physical attack. A terrorist group attempting to sway a populace by fear would therefore not be as interested in such an attack unless they could carry out an extremely damaging one on a repeatable basis. (The threat of "we can do this anytime we want") Since it is possible to erect defenses around any Cyber target post facto, repeatable attacks are almost impossible without developing a new strategy every time; thus this sort of group is not a Cyber attack candidate.
The more serious candidate is a group attempting to generate a specific disruption as part of a more complex purpose, e.g. disruption of emergency response services in advance of a CBRN attack. This means that, although the Cyber attack has a very low organizational requirement, the motivation for one has the same requirement as a large Conventional/CBRN attack.
The other possible source is the accidental attack; if a "script kiddie" (a recreational pseudo-hacker using tools provided by a skilled hacker to gain access without a knowledge of the systems) were to somehow access an infrastructure system, they could cause substantial damage out of ignorance or malevolence. Such attacks are essentially unpredictable because there is virtually no needed organizational structure and a first-time incident may be damaging.
So several specific questions were posed as well:
Anything less severe than this is always vulnerable in some sense; it is not possible to predict the full spectrum of possible attacks. The needed skill to do so may range from the minimal (vulnerable to 'script kiddies') to the very high (requires detailed technical knowledge) but in any case there are many people throughout the world with the requisite skills. Any security system must be based on the assumption that all electronic security is ultimately vulnerable.
For an "overall recommendation" on Cyber terrorism, the points I would make are:
That's my 2c... anyone feel that I'm totally off base?
I think the article might be used by some to advance efforts to control the internet, like:
- banishment of cryptography
- censorship
- giving government agencies special access to computers on the internet
just to name a few.
Apart from the problems specific to these schemes (cryptography is a necessity for e-commerce in the long run, who is held responsible for content, backdoors can also be accessed by the wrong groups) they also make the internet a more unfree place and almost always hinder development of the internet or limit its use.
In the mentioned cases the cure is worse than what it's meant to cure, mostly because determined groups will work around or ignore such laws, so only its negative sides come into effect.
Thus regulations of the internet should be carefully crafted, with much thought given to their proposed implementation and the resulting effects.
These dangers of cyberterrorism, namely its mention being used as an argument to hastily impose new rules on the internet, should at least be mentioned, to avoid the article itself being used that way.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Hello,
I've been involved with computer security for over 10 years and currently am a developer for a commercial vulnerability scanner and intrusion detection system. I also produce a set of free tools that help secure Unix hosts. I say this as a brief introduction to my qualifications, not as an ego booster. Regardless, I have some comments:
Using CT, how easy or otherwise is it to bring down or attack vital systems?
This question is difficult to quantify as every organization has a different definition of what is "vital" and what is not. Since attackers typically do not know this information, they make it their task to break into every system they can on a target network and see what looks interesting. Even worse, focused attackers may actually plan what sub-systems they want to control and may have different objectives that fall outside of what someone may deem "vital."
For instance, a bank may assume their electronic funds transfer system is the most vital system to protect, but a terrorist may only want access to the financial records of persons or groups that are the bank's customers. This may not even involve destruction of data (which is what most people think is the end goal but isn't always), rather the pure information which is often much more valuable than simply destroying random records. Reconnaissance attacks like these are difficult to stop but extremely damaging. In the case of the bank, the terrorist may simply choose to track sources of funding based on deposit records to harm the person or group who is the target. In a situation like this, going into the bank to destroy the information is only a temporary setback and will raise attention. Why completely destroy a valuable point of information gathering by doing something silly like disrupting operations? It's rare that a single offensive has any lasting effect, you must attack from different levels and leverage all available resources for maximum impact. Only dispose of resources that you need to.
What sort of skills would be needed to do so, and are they common/teachable?
The skills are easily taught and commonly available. Anyone can learn to hack systems; it is not hard, and the people who deface web pages are not "computer geniuses" (as commonly portrayed), they just know where to look for the exploits. As with any information, exploits can be used for good or bad. Personally, I don't distribute attack code and probably never will.
There was a time (back in 1994-95) when I ran an extensive exploit archive on a low-bandwidth connection. The archive contained quite a number of useful tools, attacks, dictionary lists, etc. and was publicly available, but not advertised. It came to be one evening that I discovered a lot of activity on my MODEM (a lot of download activity). I looked at the server logs and caught a system from scientology.org that was mirroring my *entire* archive. For the uninitiated, Scientologists are an extremely destructive group and their intentions are rarely good (see http://www.xenu.net). I immediately unplugged the MODEM and took the archive offline. Since then I have refused to contribute to the problem by distributing attack code. It was an interesting lesson, one that taught me that some information needs to be *earned* and not just *given away*.
If this story doesn't send chills down your spine I don't know what will. There *are* groups of people who are gathering this information for purposes unknown to anyone. They are *surely* not out to deface websites, but you can be certain whatever it is they are up to is not good. People need to take more seriously the consequences of their actions when they release code that makes it easy for anyone to compromise a network.
Commercial-off-the-shelf software: can it really do CT?
I'm a developer on a vulnerability scanner called NetSonar. It is a COTS vulnerability assessment tool from Cisco Systems, Inc (I speak for myself, not my employer). I can say with fair certainty that these tools are not ideal for "cyber-terrorism" because they are designed with a different purpose in mind. For one, they are very "noisy" on a network during a scan because they are literally trying hundreds of different attacks and consuming a huge amount of bandwidth. From our experience, even totally clueless admins will probably notice a problem if any of the commercial scanners are used, just because they are so incredibly hard on a network (causing errors, crashes, performance problems, user complaints, etc.). Also, COTS tools aren't designed to gain remote access to a host as much as they are to tell you that someone *could* gain access to a host if so inclined. This is a significant difference because most scanners don't provide purely automated access mechanisms. In other words, you still have to work a little once the scanner has found a hole. In most cases you need to run a third-party exploit to gain access. If this is the case, why not just run the attack to begin with and see if it works to get in? Using a scanner is just another step you can eliminate as an attacker. This is what most intruders do: blindly run an attack and see if it works. Unfortunately network security is so bad that this is more than enough. Now there *are* tools that exist that would be wonderful for offensive operations; we even have some ourselves that our consultants use. These tools are made to be quiet, quick, and targeted. They facilitate remote access, but that is what they are designed to do from the beginning. Tools like this exist in the underground too and will surely find a wider distribution in the next year or two.
Which systems are actually attackable?
Assume anything you have connected to a network is attackable, even if not immediately obvious why a person would want to attack it.
Can a recovery be made from such attacks?
Of course. It depends on what your backup and recovery strategies are. It is very hard to remove an attacker from your network once they gain access, though. There are simply too many ways for them to dig in and spread. The best way to recover is to not let the person in to begin with. This is a cliché, but true. Most times you'll need specialized personnel to help you recover from a bad infestation, and even then there are no guarantees.
Is it likely to improve/get worse?
It's going to get worse. The software industry is introducing new code and new bugs every day. They even manage to re-introduce old bugs solved years ago. Additionally, the industry still relies on antiquated languages such as C and C++ to do mission-critical and general-purpose coding. These languages are incredibly dangerous for most programmers and promote bugs and vulnerabilities through a lack of internal protection mechanisms. Bad code can be written in any language, but C and C++ are especially *good* at promoting *bad* code. As the Internet becomes an indispensable part of everyday life, new programs (and attacks) will emerge that provide new opportunities for abuse. This is the problem for any technology and is not unique to the Internet.
What sort of preventive work would you recommend them to carry out?
For one, take security seriously. Few organizations take security seriously until they've been compromised. At this point it is very hard to recover, and truthfully you will never know you got rid of the problem. COTS vulnerability scanners, intrusion detection, anti-virus products, and staying current on patches for operating systems and application software are all critical. These four areas alone can stop almost all hackers cold.
-- Craig
http://www.psionic.com
The views below are my own and not that of my employer.
Using CT, how easy or otherwise is it to bring down or attack vital systems?
Depends how you define a vital system. The claims by some hackers to take out an electricity system are overrated. Financial institutions are another matter. As more and more internal computer networks move over to open standards, away from customised systems, you increase the risk of a security breach, as it is more likely that an attacker would have experience of your system. The greatest (current) danger is in a reduction of security protocols to help increase 'ease-of-use' of web products such as internet banking. In most cases, unless the attacker can get access to the administrator's account, it should have a limited effect. Dialling directly into the mainframe is another big potential problem that is sometimes overlooked.
Another important point to realise is that nearly every major computer network now has back up systems in case of terrorist attacks, fire, or earthquakes. This policy reduces the impact of a whole system being wiped out as backups are frequently made.
However, the more invasive product that can cause immense damage (as Microsoft UK found out a couple of months ago) is viruses. An average company receiving documents from the web gets on average 100-390 viruses each week. By timing a virus to activate at a particular time, you can cause the most havoc inside any organisation. I would rate virus programmers as more dangerous than any hacking attempt.
Another area that perhaps you should look at is satellite hijacking. This does require some specialist knowledge (as well as a radio dish) but can be quite effective in taking down a vital system (such as a telecommunications network).
What sort of skills would be needed to do so, and are they common/teachable?
Writing viruses is pretty easy, but developing a sophisticated package to escape around the more common virus detecting programs would require some experience. With hacking it always helps to have some expertise of the organisation that you are trying to break into. If you wanted to do more than simply trash a site, it would take a couple of years of solid research to pick up the skills from scratch.
Commercial-off-the-shelf software: can it really do CT?
On the whole, no. That is a myth, unless you include standard programming tools such as C++, Visual Basic, Java, etc.
Which systems are actually attackable?
Any computer system is attackable but the ones with the greatest risk are those that allow remote access or have things such as ActiveX active on their systems.
Can a recovery be made from such attacks?
Yes, as long as you do good back ups.
Is it likely to improve/get worse?
It is likely to get worse over the next ten years, and then improve.
What sort of preventitive work would you recommend them to carry out?
Simple stuff: a good virus checker; do not put systems onto the web that do not need such access; make sure units such as ActiveX are disabled if possible; introduce firewalls for your company; make your staff aware of the risk of activating files from unknown people. Switch to systems that are not so well known to hackers, such as MacOS. Have very strong encryption. Make sure the telephone network is disconnected from the mainframe if possible.
I've got some general comments about the article as well.
Cyberterrorism is not beyond the skills of some terrorists. The nature of terrorism has changed in the past twenty years. As both bombs and detection methods have increased in sophistication, so have the skills of the terrorists. Today's terrorist is more likely to have a higher education degree than at any time since the second world war. The attraction of a number of engineers to the Aum Shinrikyo cult, or to Hamas has shown that.
Moreover, the biggest cyberterrorism threat comes from communication and information. The cost of running a large terrorist organisation has dropped significantly because of the internet. It is now simply a lot cheaper to set up terrorist cells and communicate securely with them worldwide compared to a few years ago. This is the single biggest threat intelligence agencies have to contend with. Not attacks against government web sites, but the fact that tracking terrorists has just got a lot harder. You've also seen that the amount of scientific material put on the web can make building some weapons a lot easier, as the recent case from Los Alamos has shown (although Lee, I believe, is innocent. But the lax security may have cost them some information).
During the Kosovo crisis NATO's web site was hacked on a number of occasions, but because NATO doesn't store any serious information there, it had no impact on the eventual outcome - in other words, cyberterrorism in this instance was useless (except for propaganda purposes).
Claims by other hackers of stealing data on India's nuclear weapon program were bunk. The data they produced clearly showed standard civilian experiments which had nothing to do with bombs.
It is also unlikely that most terrorist states such as North Korea would have experienced personnel to train terrorists in hacking techniques. It is much more likely that these groups will either recruit or train people from the West.
Finally, the main significant threat to the network remains the actual physical connections. Most countries outside Europe/USA only have a few limited links out to the internet. By targeting these cables you can cut off the country from the internet. This would have a large effect on any society that is gradually becoming dependent on these links. However, as the number of these connections grow, you reduce the chances of such an event happening. I think there is a window of about 10 years in which this could be a problem. After that it becomes a misnomer.
I also think the phrase cyberterrorism is misleading in that it suggests only a linkage to the internet. TechnologyTerrorism is a better description, as it describes the use of technology to carry out acts of terrorism, not just the internet.
The web address of The Hacker Crackdown, ISBN 0-553-08058-X Copyright (C) 1992 by Bruce Sterling
http://www.mit.edu/hacker/hacker.html
Probably the best (albeit a little dated) information on/about hackers
Funny that you mention this. One of the tools that's rarely (if ever) used in wartime is hyperinflation. By destroying the country's currency, you make it impossible for them to continue waging war effectively. I actually don't think it's ever been used due to the very destructive effects on the population, but I vaguely remember it was considered during the Gulf thing and rejected.
In any case, destroying or disabling the NYSE, etc would cause major disruptions. Whether this would stop/start a conflict is unclear (goals?). However, it may not be that difficult to engineer the collapse of the financial system in the US.
Actually, the "script-kiddie" phenomenon does provide an interesting toolset; once you find any security hole in a system, the off-the-shelf toolkits let you infest that system with backdoors, etc. in a rapid, automated fashion. So you find just one bug in the system you're attacking, via either black-box or white-box testing methods, and the "root kits" promptly pry it the rest of the way open.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
1. It depends on what systems you are talking about. Defacing websites and other publicly accessible systems requires a minimal amount of technical know-how; taking down a section of the national power grid would most likely require months of careful research and planning...
2. Knowledge of LAN/WAN theory, remote access, common security protocols, current exploits for UNIX/Linux/NT, C++, Perl, Java, etc... Beyond the technical nuts and bolts, however, there are certain acquired skills, i.e. social engineering, system penetration and take down, that one must acquire within the cracker community. These tricks of the trade are also difficult to practice for most individuals, for fear of involvement with law enforcement or other authorities.
3. Certain system tools, SAINT (satan), as well as other security diagnostics and cracker script tools, can significantly automate the process of cracking less secure systems. I feel that the best use of these script-based tools would be to masquerade a more serious attack under the barrage of multiple automated, script-based attacks.
4. Anything. If you make it, someone will crack it. However, the most secure O/S out there is, IMHO, OpenBSD. However, even OpenBSD can be made insecure. OpenBSD is the only O/S I know of that has had a complete, line-by-line audit of the source to spot security errors.
5. Yes, however the speed of recovery will depend on whether or not an attack was prepared for in a proper manner.
6. Most likely, as computer technology continues to intertwine itself into our everyday lives, the threat will grow.
7. If you care about your data, keep a computer security specialist on staff. Implement widespread encryption. Also, the most important thing is to educate the end users about security. Let's face it. Nobody is going to dive into the sewers, splice into a piece of telco fiber, and spend months decoding that spiffy RSA-512 crypto you've got on your WAN lines to protect your data.
They're going to ask Joe Sixpack for the RAS number, and if he could *please* read back his username and password for "validation with our databases".
There's a major gap in the opinions / assertions I've seen with regard to this article so far. The article at one point alludes to the issue of visibility:
"A final consideration is whether the group needs
to claim credit for a CBRN/Cyber attack. In fact, the reduced need
to claim credit for such attacks signals the emergence of the
"silent terrorists," and is another factor contributing to loosening
self-imposed constraints against higher levels of lethality."
This statement betrays a bias that may not apply to cyber terrorism. It implicitly invokes a framework in which the objective of the terrorist is a classical one - gain "visibility" through the commission of heinous public acts and create an atmosphere in which the legitimate authorities "crack down" on ordinary citizens in an effort to prevent further such acts. The desired result is to create an environment in which all citizens eventually revolt against the establishment.
Effective "cyber terrorism" may in fact bypass entirely the violence implied in the initial step of the classical terrorist paradigm by "cracking" the governmental systems and directly engendering the perception of unacceptable governmental activity. For instance, what if government computers gradually became less accurate and tended with increasing frequency to send notice that the IRS was freezing bank accounts of normal law-abiding citizens? At the same time, various Department of Motor Vehicles computers indicate that licenses are not being paid and justice system computers are indicating that random vehicles may contain "armed and dangerous" felons? Electrical grids become unreliable, telephone service intermittent, and so on. It's possible that future governments may not even perceive that they are under systematic attack until a lot of progress has already been made by their opponents. A new face of terrorism?
"I believe the children are our future: nasty, brutish and short."
A single CT attack isn't usually too bad.
However, consider this... there are a LOT of cable modem users out there. They have a lot of bandwidth. It seems that many of them do not properly secure their systems, according to reports from some people. A seemingly minor oversight like leaving file sharing open results in their system getting infected with a trojan, such as Back Orifice or Netbus. These systems can then be used to mount distributed DOS attacks, for example, ping flooding of an important system. Ping floods can be blocked, but when the source is several thousand systems, this may be difficult. Another DOS attack could be mass email to a critical system. During the "Zippergate" incident, Congressional email servers choked under the load of mass constituent email. Flooding these servers with email from multiple sources intentionally could have the same effect. The potential here is to try to disrupt the process of democracy. Another use could be to try to bring online brokerages to their knees. A proper attack distributed among tens of thousands of computers could bring the NASDAQ/AMEX site and a bunch of online brokerages down for a day, adversely affecting trading and perhaps the economy.
In addition, if some group manages to "own" a large number of private, home, systems, these can be used to carry out brief attacks that are routed through several. Home users do not tend to keep logs, so, for example, if a 5 minute attack were carried out through three home computer intermediaries, tracing could be very difficult. I'm not referring to DOS attacks here--I'm referring to cracking attacks. For example, if access to a banking network had been obtained previously, commands to redirect funds could be routed through several home systems. This would result in raids probably on the first system if discovered, and then perhaps up to the level of several. IF it were possible to trace back to the source, by the time this was done, which could be weeks, finding the original perpetrators could be impossible. The crackers would of course try not to get caught, but this is extra insurance for them if they are.
Referring to the recent backhoe incident where four OC-192s were cut, I don't think that physical attacks against critical networking infrastructure would have as great an effect as some groups might hope, considering the redundant nature of the internet, unless these attacks were carried out at a large number of critical points.
As far as breaking into industry systems used for control--this is difficult, due to security measures normally in place. However these systems often rely on security by location--i.e. computers inside an internal network at a chemical plant may have access, whereas those from outside may not. If a route can be found to get inside the internal network, this is compromised. Still, usually only a few select computers have access to change plant parameters, such as the control room computers. The potential for spoofing once an attacker is inside the network is a danger still. In addition, if an attacker manages to get past firewalls and inside the internal network, DOS attacks can be carried out which will result in plant shutdowns. Older plants generally don't have such external connections, but some new plants under design (I worked in one) have a firewall separating the internal computer network from the internet, to provide internet access for even the control room computers. This is a danger.
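The post above makes the point that blocking a ping flood per source stops working once the flood comes from thousands of trojaned home systems. The following added example (written for this page, not code from the original poster) shows that numerically: it parses constructed firewall-style log lines and compares a per-source rate limit with an aggregate-rate check on two constructed scenarios, one host at 10 pps versus 3000 hosts at one packet a minute each. The log format, addresses and thresholds are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed log line format (not a real firewall's format):
#   "<epoch_seconds> ICMP echo-request src=<ipv4> dst=<ipv4>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) ICMP echo-request src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)

TARGET = "192.0.2.10"  # constructed address of the protected host


def parse_line(line):
    """Return (timestamp, src, dst) for an echo-request line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("src"), m.group("dst")


def echo_requests_by_source(lines, dst=TARGET):
    """Count echo requests per source address aimed at dst, skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, src, pkt_dst = parsed
        if pkt_dst == dst:
            counts[src] += 1
    return counts


def evaluate_window(lines, window_s, per_source_limit_pps, link_budget_pps, dst=TARGET):
    """
    Apply two independent controls to one window of log lines:
      * per-source rate limit: a source is blocked if its own rate exceeds per_source_limit_pps
      * aggregate check: the total echo-request rate is compared with what the target can absorb
    Returns a dict describing what each control saw, so the two can be compared.
    """
    counts = echo_requests_by_source(lines, dst)
    total = sum(counts.values())
    blocked = sorted(src for src, n in counts.items() if n / window_s > per_source_limit_pps)
    aggregate_pps = total / window_s
    return {
        "sources": len(counts),
        "blocked_sources": blocked,
        "max_source_pps": (max(counts.values()) / window_s) if counts else 0.0,
        "aggregate_pps": aggregate_pps,
        "aggregate_exceeds_budget": aggregate_pps > link_budget_pps,
    }


def single_source_flood(n_packets, window_s=60.0, src="198.51.100.7", start=1_000_000.0):
    """Constructed log: one host sends n_packets echo requests spread evenly over the window."""
    step = window_s / n_packets
    return [f"{start + i * step:.3f} ICMP echo-request src={src} dst={TARGET}"
            for i in range(n_packets)]


def distributed_flood(n_sources, window_s=60.0, start=1_000_000.0):
    """Constructed log: n_sources distinct hosts each send a single echo request in the window."""
    step = window_s / n_sources
    lines = []
    for i in range(n_sources):
        src = f"100.64.{i // 256}.{i % 256}"  # constructed address, one per compromised host
        lines.append(f"{start + i * step:.3f} ICMP echo-request src={src} dst={TARGET}")
    return lines


if __name__ == "__main__":
    WINDOW = 60.0
    PER_SOURCE_LIMIT = 5.0  # pps one host may send before it is blocked (constructed policy)
    LINK_BUDGET = 20.0      # pps the target can absorb before degrading (constructed figure)
    for name, log in (("single source", single_source_flood(600)),
                      ("3000 trojaned hosts", distributed_flood(3000))):
        # The single host is blocked and the aggregate stays under budget; the distributed
        # case blocks nobody while the aggregate is 2.5x the budget.
        print(name, evaluate_window(log, WINDOW, PER_SOURCE_LIMIT, LINK_BUDGET))
```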
Using CT, how easy or otherwise is it to bring down or attack vital systems?
It depends. While some systems are quite vulnerable, others are quite secure. Most potential targets are secure enough that it would not be trivial to attack them. If, however, you consider graffito on web sites a viable attack, then it is a relatively trivial task.
What sort of skills would be needed to do so, and are they common/teachable?
Yes, the skills needed to crack a web site are common/teachable. Almost any system administrator has the skills, as those needed to defend are the logical inverse. No, the skills needed to take down the power grid are not generally common/teachable, except for a few techniques mentioned below.
Commercial-off-the-shelf software: can it really do CT?
Crack a web site, yes. Can it generally do anything else? No. There is no point-and-crack interface for taking down power grids like there is for spell checking.
Which systems are actually attackable?
The following is a list of possible targets that are attackable: Financial, Power, Gas, Water and Sewage, Telecommunications, Television and Cable Media.
The following are methods of attack that are either IT based or capable of attacking IT infrastructure.
Hardware based attacks
EMP Weapons; If a delivery truck parked at the corner of Wall St and Broad St with a large EMP weapon on board, it would most likely be able to take the NYSE and NASDAQ exchanges down for quite a while and drive away when they were done. If this were timed with the opening of the stock market on the first business day of the year 2000, the impact would probably be worse than Black Monday.
Van Eck Phreaking; I include this as an attack due to the fact that having internal knowledge is sometimes more dangerous than anything else. The lack of RF shielding is a troubling issue; publicly available information tends to indicate that most organizations outside DOD and the intelligence community are using shielded equipment, thus potentially exposing internal data to the outside world.
Backhoe; A backhoe is probably one of the easiest to use forms of IT infrastructure attack. A coordinated attack with multiple backhoes could seriously disrupt nationwide communications for perhaps 24 hours or more. The economic loss from this could be quite large.
Conductive Wire; A conductive wire draped over long distance power transmission lines could disrupt and/or destroy unprotected IT infrastructure. The large-scale loss of power could likely cascade to take out power to an entire multi-state region.
Satellite Killer; A rocket capable of achieving low earth orbit or better could place a few pounds of steel shot into space. Loss of critical communications and intelligence satellites is almost guaranteed. Advanced rocket guidance technology is not necessary, as this attack is akin to aiming a shotgun at a flock of birds; you don't need to be any good to take something down.
Software based attacks
Viruses and Worms; Examples of the effectiveness of this attack are well known. However, in the future these attacks are likely to get much more destructive and widespread.
Cracking Web sites; I do not personally consider graffito a threat.
Cracking of electronic control systems; As organizations continue to automate their control systems they stand the risk of exposing themselves to information warfare attacks. The Internet is not the only threat entry; X.25 and simple dial-in lines are also potential entry points. I cannot emphasize enough that having a modem connected for remote operation of control systems is a potential danger; dial-back authentication is not enough. The best example of this is the ATM network: though not connected to the Internet, its kiosk-based dispensers' dial-in system is inherently vulnerable to disruption or worse. The loss of a telephone switching station due to flooding from hurricane Floyd kept people without ATM access for almost a week. A simple attack could be implemented by forwarding the phone number dialed by the ATM to a phone sex hotline. A more advanced attack would involve tapping ATM transactions, followed by masquerading as either the ATM or the back end network.
Logic Bombs; Given the diversity of vendors and the sheer volume of code generated during the software development process, the threat of software timed to self destruct or compromise security from the inside is significant.
Flicker Vertigo; An attack on a cable or television station where control of the output signal was achieved would be capable of broadcasting a flicker of light and dark inducing seizure and vertigo in a sizable percentage of the population. An unintentional example of this was the seizures induced in Japan during a Pokémon episode where many children became ill. Imagine the effects of this kind of attack during the Super Bowl or any other widely viewed national show.
Social Engineering attacks
Unintentional Internal Attacks; Given the broad history of the art of the con I will not elaborate much besides saying that IT infrastructure is quite vulnerable to internal attacks and many people are likely to comply with requests if they are phrased the right way.
Can a recovery be made from such attacks?
Recovery can be made from most of these attacks; however, the psychological effects may not be easily recovered from.
Is it likely to improve/get worse?
It has been getting worse, and it will continue to get worse. The worst possible case is for a coordinated attack that coincides with the end of this year, which will cause the most widespread terror. It is most likely to disrupt life for the average person. Extremists and terrorists may choose the Y2K changeover for a variety of reasons, but the outcome of a coordinated attack could be extremely dangerous.
What sort of preventative work would you recommend them to carry out?
Encryption is necessary to authenticate and secure the communications and control infrastructure; until encryption is widely available it will be exposed. The current widespread belief in security through obscurity is unreliable at best; I have dealt with far too many people who believe in it and fear the outcome.
Financial institutions and others with sensitive data should be implementing TEMPEST or TEMPEST-like solutions to prevent eavesdropping.
Critical computer equipment should be housed within Faraday cages to prevent EMP attacks.
Critical infrastructure needs to be prepared for extended loss of power.
Network diversity is mandatory for any communications provider; continuing and expanding on this trend would be a very good idea.
Education is something that needs to be provided to the people at the head of organizations.
I have worked at far too many places where the people at the bottom care about security and where the people at the top consider it an unnecessary expense in terms of cost and time spent elsewhere. "We don't have money in our budget for a firewall, we will buy one later." This is perhaps the biggest problem, and perhaps the reason why we still lack widespread encryption technology.
- The Secret Organization
Reply via news:///alt.fan.secret.org
As a number of other posters have pointed out, the article, as is, is on CBRN terrorism, with a global search and replace to add "cyber". Much, if not most, of the article is unrelated to "cyberwarfare" (CW).
For one thing, there is *no* recognition of the direct relation of corporate espionage and warfare to CW. Just last week, for example, a letter was posted by Iambe on the userfriendly web site concerning a senior IT manager requesting that the company security and sysadmin staff perform what, were it done by a political group instead of a company, would be CW (by the way, the author of the letter resigned rather than comply). Clearly, any company is capable of serious CW, and individuals are only slightly less capable. Yet in the article, there is no discussion of corporate CW, both as a training ground for CW agents and as an instigator of CW. Let us also not forget that merely having been exposed to the idea that it was do-able by ordinary people, *and* *acceptable* *as* *a* *tactic* by socially-acceptable companies, the population of people who would be able and willing to do it is increased dramatically.
Another part of what is wrong with the article is the failure to assimilate the lesson of the Rodney King affair: that a few years after high tech is available, it's old tech, and available on the street, which will find its own uses for it, even as it was suggested in the novels of the cyberpunk genre. Note that, in many cases, those uses will be the same as the "official" uses...just from a different viewpoint.
Refusal to recognize this, while it leads to a terminology that Jane's regular users are familiar with, and perhaps does not cause heart attacks among them, does a great disservice to them, since it does not make clear the real logistical and tactical situation they find themselves in, and with which they may have to deal someday. We do not need another Maginot Line.
Note that "training" is not that important in CW, since any college will provide this, and it is, instead, the intelligence and viewpoint of the people performing the CW.
Consider how easy it is for people to write virii and worms, and that they come from second and third world countries as, or more frequently than, from the first world. Now consider a revolutionary or terrorist group member writing a virus or worm with a timer, which does nothing until the day of their Big Event. All this scenario needs, for the CW side of this, is one college student with net access and any old PC.
Yet another serious issue in security is the dilemma of security vs. inconvenience and obstructionism. Do you force people to go through all sorts of contortions every time they log on to a machine, or access a file (as in B2 security), all of which slows things down, or do you make it easy for them to do their work, and spend less time in time-wasting contortions?
I also had a problem with the article in the section concerning motivation. What I did *not* notice was anything beyond what I'd hear on tv news. For example, *why* does Hamas have as much support as they do in the West Bank and Gaza? A few years ago, I heard on a news story that Hamas provides half, or more than half, of all the schooling and medical care in those areas.
CW *is* a form of guerilla warfare. The article does not appear to realize this, nor point it out to its readers. I suggest to you that the only real and effective way to counter terrorism, as in any guerilla war, is to reduce the support the local community provides. By doing that, you wind up with a larger base of computer-oriented people who are less willing to perform CW actions, and more willing to fight it on a personal programming and security level.
mark roth-whitworth
whitroth@wwa.com
Might also want to point out that when a web site is hacked, it is just like any other college hack. Most infamous is when they turned that one building into R2D2. Now THAT was done by some truly awesome hackers.
Coders are still the worst, people who write their own, instead of hacking other peoples.
In the article, Jane's discounts the benefits of state sponsorship to cyberterrorism, since tools are commonly available. This is misguided.
Most of the recorded cyberterrorist attacks have been either defacement of a website, or crashing a system on the internet. I would call this the "car bomb" level of cyberterrorism. It causes a little mayhem, gets a little publicity, but doesn't make a big wave in the scheme of things.
A cyberterrorist can do a lot more with a full scale infiltration of a key system. Assuming social engineering doesn't work to get sufficient access, crypto might be required to ensure access. That requires a lot of CPU time, something a terrorist organization won't have without help from the big boys.
Lastly, if the goal of a cyberterrorist is to disrupt electronic systems, there's nothing that does it better than an EMP. "EMP Guns", that is a portable device that can produce a localized or directed EMP without human or property damage, are a persistent urban legend that clearly has some kernel in fact. With over the counter hardware, you can build a HERF gun able to produce a trivial EMP. Is it that far fetched to think that the big governments have the technology to do better than that, considering they've been researching EMP for the past three decades? One could possibly find its way into the hands of terrorists. The midwest militias seem to be very proficient at obtaining US military hardware.
Regardless, it's not an urban myth that an airburst nuclear weapon can produce a substantial EMP with little human or property damage. In fact, here's some congressional testimony detailing this. The biggest problem facing a terrorist who wants a nuclear weapon isn't figuring out how to build it, it's obtaining the fissionable material. Here again, government sponsorship of a terrorist organization could become key. China has shown itself very willing to supply governments that might sponsor terrorists with nuclear materials.
A terrorist with a nuclear weapon might well decide that a country-wide EMP would be a better use of it than blowing up a piece of a city. It would be easy to implement too, just place the weapon on an airplane and time it properly.
In all, cyberterrorism is in its infancy, and in order to determine an appropriate response to or defence against it, you need to look at what's possible, and not what happened so far.
It's also worth noting that the FBI's requests for additional computer tapping rights and restrictions on encryption "to protect against terrorism" would not do anything against such a terrorist. Any computer savvy terrorist will use strong encryption (easily available on foreign websites), and communicate on a server that is in a country where the US would have enforcement problems. The FBI's requests do not defend against either of these.
----
Open mind, insert foot.
No such thing as cyberterrorism. If the power goes out, I'm not 'terrified.' If my cell phone dies, I'm not 'terrified.' If someone hacks a web site and changes the content, I'm not 'terrified.' Isn't that sort of the idea of 'terror'-ists? Kind of hard to make a shocking political statement if one only annoys people. Is the blue screen of death cyberterrorism? ;-)
In this article, Mr. Sinai purports to set down minimum requirements for a terrorist organization to acquire the capability to perpetrate wide-spread, disrupting cyberterrorism. We should first make a distinction that Mr. Sinai neglects: physical vs. non.
For many reasons, non-physical, cyber attacks on an IT infrastructure are likely to fail or fall far short of causing chaos or damage. First, such an attack would need to exploit a security hole prevalent throughout the network or located in a key area such as a router. For this, information acquired over the internet, because it is common knowledge to the manufacturer of the intended target as well as to the terrorist, becomes useless. The cyberterrorist would need to discover the security hole themselves and exploit it quickly and correctly before the manufacturer has a chance to close the hole. Judging by the industry response to such attacks as the 'ping-of-death,' potential terrorists would have approximately 24-48 hours from the time they initiated their attack to bring down their target before a patch is released that would subvert their efforts.
Second, in the world today, large security holes (the ones that would allow you to damage a network) are hard to find. Most holes are exposed by accident (i.e. the internet 'worm') or are found and fixed by the manufacturer before a product is shipped. This means that even with the smartest people in the industry working as cyberterrorists, their chances of success are minimal when pitted against the combined power of an entire industry.
The physical attacks on IT infrastructure are much more likely. This would include things like destroying routers, cutting backbones, etc. The cheapest, most effective way for a cyberterrorist to inflict chaos on the US internet would be to use 2-3 conventional bombs in Chicago, St. Louis and Austin, taking out MCI and SprintLink hubs, causing a massive re-routing of information over inferior lines and thereby effectively killing the network through overload. Or perhaps save the bombs to take out the satellite communication relay centers and simply use a backhoe to clip the backbones which crisscross the US.
The other mistake that Mr. Sinai makes is in setting the requirements for an attack by cyberterrorists. The external hurdles mentioned include: "acquisition of the necessary technologies, cooperation by foreign suppliers, creation of a logistics network for acquisition and deployment, obtaining state sponsorship, and also detection, penetration, and deterrence by foreign intelligence and counter terrorism agencies." In the non-physical realm, very little other than time is required. Computers can be purchased by anyone for a petty sum of money. Internet connections are not hard to come by. All told, a cyberterrorist could, for a few thousand dollars, set up a complete base from which to work within the US in little under a week. A physical attack, while requiring more planning, is just as easy to carry out, again without a large capital outlay. Small bombs can be created by almost anyone and renting a backhoe does not require proof of citizenship or intent. All that is required is the information about the location of the targets. This can be easily obtained from county planners' offices, gas companies, electric companies; anyone who digs will know where the off-limits lines lie.
For none of the above attacks is state sponsorship a requirement. It could be perpetrated by a single individual with a few thousand dollars. Moreover, this type of terrorism is not susceptible to conventional counter terrorism efforts. Terrorists can operate in a closed environment, testing their methods on their own dummy network before releasing it upon the general population. In addition, there is nothing to say that a computer could not be set to run a script itself, giving human perpetrators plenty of time to distance themselves from a crime scene.
Due to the conventional nature of physical terrorist attacks, I would dispute Mr. Sinai's conclusion that through correlation of factors and hurdles, one could predict which group would embark on cyberterrorism. Without doubt, it will be a non-technically oriented group which reads an article saying that Internet traffic was cut accidentally for half the nation by a farmer digging a new ditch.
The article ignores physical attacks on our communications infrastructure... Anyone with a railroad map can do significant damage to the communications network in the United States. Most of the fiber that has been installed follows the railroad lines across bridges and is buried less than six feet. There are plenty of remote areas where a train schedule would make it unlikely that someone would observe a terrorist planting timed explosives on these vital communications lines. The financial impact of a systematic attack would be devastating because companies are becoming more dependent on communications across these lines. In many cases you might as well send your employees home if they cannot use their computers to modify/view data off of remote servers. Ask a question: What would I do if I can't get to my ATM for a week?
Can a recovery be made from such attacks?
Unless the machine is physically destroyed, and assuming that you are efficient about your off-line backup storage a recovery is always possible. Curing the holes takes longer, but a good admin is always able to do something that fixes problems.
Is it likely to improve/get worse?
My belief is that things will stay pretty much static. As attack methods get more esoteric, the security methods used become more complex as a result. The number of attacks will always increase in line with the number of people using computer systems.
What sort of preventive work would you recommend them to carry out?
Really important machines should be on a private network and no computer system that has access to this network should have access to any other network.
Less important machines should be set up to use only the bare minimum of resources to lessen the chance that some module is vulnerable to attack.
Regular audits and checksum comparison of code is always a good idea.
Regular user audits are needed too. Any user that's not recognised by a staff member is suspect. Any user that you don't have paperwork (not computer files) on is suspect.
Regular reading of security/bugtraq lists is always a good idea too. If you have a piece of software that appears on these as vulnerable, apply a patch within hours or less.
Good security is easy to do, but harder to maintain, and no matter how many levels of security you have, one moment of stupidity always can break all the security you have, so be very careful about what you install, and code audit if you have to.
While I will have more comments, I will split them into more pieces by replying to this comment :)
hany
I have found that CmdrTaco can bring down almost any system with ease, given a Perl interpreter and a mod_perl enabled Web server.
Beer recipe: free! #Source
Cold pints: $2 #Product
Varies from easy to impossible, depending on:
The level of system security
The attacker's knowledge and desired result
An administrator can only control the level of system security. Therefore they should prepare as per their required level of security.
What sort of skills would be needed to do so, and are they common/teachable?
Again this varies depending on what you wish to achieve. Runs from:
Lowest levels: An ability to browse the web and follow instructions.
Highest levels: Years of experience.
Commercial-off-the-shelf software: can it really do CT?
Not if Microsoft wrote it *smiles*. Seriously though, I don't personally know of any commercial hacking software. I take commercially to mean "available and useable by my Dad". It would make for an interesting office assistant though.
Which systems are actually attackable?
In theory, the possibility of infiltration exists for any network connected to rest of the world**. Of course this probability can be prohibitively small.
** - This is why networks requiring high security generally have an airgap between them and the rest of the world. They also have sealed off buildings and men with guns. Think CIA. Think extreme prejudice.
Can a recovery be made from such attacks?
The level of damage can run from none through to complete wiping of the entire system. The chance for recovery is inversely proportional!
Is it likely to improve/get worse?
I think it will get worse.
What sort of preventive work would you recommend them to carry out?
The following:
Assume the worst is possible, and plan and setup your system accordingly. If it is important back it up. If it is secret don't put it on a "public" system. Follow those easily obtainable instructions on basic security that you usually never get around to. Lock down the users. Take it seriously. BUT don't buy jack boots, a bright lamp, and start saying "I vil ask ze questions". Well at least not for work anyway *smiles*.
Ask, listen to then TRUST whitehat hackers.
Raise your awareness. Start reading slashdot?
1. Depends on the system. Anything computer-controlled, where the controlling system is networked, it's likely to be easy. Security is often neglected, or a last-minute consideration.
2. The skills are basically the same for system admin, and are not only teachable, they're common. That's why system admins are paid amongst the lowest salaries in the computer industry. They're a dime a dozen.
3. Doesn't even have to be COTS. The "SATAN" program caused a huge stir, when it was released. But, yes, there are plenty of COTS packages which could be used for CT.
4. Any system that is both physically AND logically on a virtual public network is vulnerable to CT across that network. (Mere physical connection is not enough. If the s/w rejects everything sent to it, it is effectively not there. Also, you can have multiple virtual public networks on the same physical network, none of which interact.)
5. Yes. If you have HA, some kind of intrusion detection, and automatic restore, then you can just fail-over everything but the connection, restore the compromised system, and continue.
6. It's likely to get worse. As computers become increasingly wide-spread, and as civil dissatisfaction increases, the problem is likely to escalate. There is likely to be a spike of CT around the year 2000, as doomsday cults try to create their scenarios, and other groups try to take advantage of the psychological issues surrounding Y2K.
7. There are a great many things you can do to secure your systems against CT. Here are some that I'd recommend as worth doing:
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
1. Terrorists using conventional and WMD weapons will use all the advanced communication equipment they can get, including the internet and encryption.
2. Cyberterrorism has two aspects: individual and group.
3. Individual cyberterrorism can be used to attack one person: mess up their credit cards, bank accounts, phone bill, send them stuff which can ruin their reputation (fake photographs done in PhotoShop showing them cheating on their wife/husband).
4. Group cyberterrorism is aimed at disrupting infrastructure to scare people. If a terrorist wanted to mess up the American economy they could attack the following targets:
- Bank accounts. Seems like bank encryption is not that hard to crack, so if terrorists decide to mess around with enough people's bank accounts they can create panic in consumers causing bank runs, which fuck up the economy. Of course the government can always declare a bank holiday to stop any bank runs.
- Telephone networks. If the telephone network can be brought down for a few days that would hurt the economy and piss off a lot of people. A good way to bring the phone network down is for a terrorist to get themselves hired as a programmer for the phone company; once on the inside the terrorist will have a much easier time breaking into the phone networks and introducing malicious code into the phone system computers.
I hope my comments help.
Did the US pull out of Vietnam because it was bankrupt? Economics matters, but the ability of impoverished nations to fight on should not be underestimated. The objective of war remains to incapacitate your enemy's fighting forces...
I doubt taking the NYSE offline for two days would do any harm at all to the US's *military* effectiveness.
Speaking as a layperson, is it the tools that characterise cyberterrorism or the intent of the individual/group/state that matters? Take a look at Peters' "Our New Old Enemies." Summer 1999 of Parameters. pp. 22-37 for some background.
It is easy to focus on the big baddies like chemical, biological, nuclear weapons as they are tangible tools, and computer/communications infrastructure is going to occupy a Frankenstein niche for a while until people realise to balance between potential risks and rewards (after all we still use cars despite the high road carnage). Judging from history though, I would guess that white collar crime by individuals or small groups would be much more likely than state-sponsored subversion as the economic payoffs are much more obvious and direct. To postulate one example, the electricity market is shifting towards greater deregulation and adopting the use of complex derivatives to smooth out the supply/demand curves. Speculation becomes a moral risk if you know or even prearrange certain effects such as sabotaging a critical transmission pylon and clean up on placing a "sure" bet. Expanding this to a mass scale as in an entire industry sector or nation is much harder as it becomes beyond the means and abilities of individuals. The more people that know, the more likely something will slip up leading to discovery and nullification.
Most of the current transnational conflicts at the moment tend to be between states of low-medium technological sophistication. Despite trade friction and rhetoric, it's hard to see 2 first world countries like say Canada and US slagging it out, especially given the high level of C4I capabilities. Given today's modern capital markets, any signs of potential political conflict leads to rather rapid flight of money and vocal outcries from the citizens. However, unscrupulous subgroups may elect to target high capacity limited infrastructure (e.g. robot subs to cut underwater cables) if they think they could get away with it.
The only two other groups I can think of that would have the motive and mindset for mass disruption through cyberterrorism would be closed religious or fanatical groups whose value systems are so out of sync with mainstream that they feel threatened enough to take as much of the world with them as they "go under". The other would be individuals or companies on the fringe of legal jurisdictions deploying modern equivalents of extortion (threatening to disrupt business or services), theft (altering electronic records of property rights such as land titles or share equity ownership), fraud (diverting goods/money to different addresses), or systematic standover tactics to control and maintain monopoly profits (wreck reputations, steal customers by price dumping, fostering unwanted goods by scare-mongering, hire/scare away talented staff, etc). Old tactics in new guises and using computer leverage to accelerate the process. The biggest problem is that the larger it becomes, the more visible a target the group becomes to law enforcement agencies which, if necessary, can redefine what is lawful to control perceived excesses (e.g. RICO act against mob). It is only a step up from industrial espionage to industrial sabotage. For example, supposing someone wanted to compete against Amazon or Ebay, then by hiring insiders to sabotage equipment or arms-length outsiders to disrupt activities, they can gain a temporary advantage. You can extend this to more critical and irreplaceable functions like financial clearance houses, genetic/fingerprint banks, blood records, tax history (now that would be an interesting target), credit checks, pension funds, international settlements, GPS maps etc. The other nasty trick is to insert fake data such as insurance scams then collecting on fake policies, falsify employment/death records to gain benefits, rig electronic lottery/gambling events, etc.
However, this would require systematic planning and quite detailed inside process knowledge which would cut down on the list of suspects.
Mass terror, on the other hand, as a random and emotional act to demonstrate the lack of control and powerlessness of governments is IMHO harder to scale up to. The AIDS epidemic, while quite hyped by the press, has settled into the background on the media horizon, which shows that it is difficult to sustain a fear campaign across a wide geographical and temporal scope (even guns is an intermittent issue). The fear of nanotechnology (a la grey gloop) or the equivalent of the blob is probably a little too fanciful for the average joe, unlike the persistent public fear of mutual assured destruction where everyone could look at the result of Japan. After all, turning a threat into execution is rather irreversible, as it is hard to extort advantage from people that have reverted to the stone age, and any ongoing nebulous threat could quite likely be nullified given the usual capitalistic incentives. A series of ongoing semi-random cyber-attacks could be one possibility as it would force a country to spend on costly defences in depth across a range of infrastructure such that the economic costs are high enough to hurt. But being deprived of their MTV or other creature comforts is not the same as being physically threatened by fertiliser bombs, so I suspect people (outside computer security experts) would eventually become rather blase about it. If the terror is supposed to obtain a political end, the sheer stubbornness of the human mind (e.g. reaction to bombing in Ireland) is enough to cause enough backlash to thwart the original aim and thus force resolution through the normal political process.
On the other hand, it is much more feasible for a high-tech country to threaten or dominate a low-tech one (who knows what self-destruct signals are in the microchip they ship?) as the information asymmetry creates a significant disadvantage. From the point of view of the smaller country, cyberterrorism is probably all too real. Unfortunately, technology is no substitute for trust.
LL
The article as written is rather vague, and in fact, it can be argued, all that was done is to take a stock terrorism article and add the word cyberterrorism. *yawn* It's too bad that the caliber of people who will read this, and then pound their fists on the table saying 'something must be done', will ALSO be the people who find buying socks at K-mart an amazing experience because they had never seen a bar code reader.
>Using CT, how easy or otherwise is it to bring down or attack vital systems?
First you must define CyberTerrorism. Is it a computer virus? A (wo)man with a sledgehammer, inspired to violence by using a Microsoft product? A shipping Microsoft product? An action/code with a 'terrorist message' attached to it? "Script Kiddies"?
>What sort of skills would be needed to do so, and are they common/teachable?
Skill level: Do you have more than 2 neurons to rub together to generate heat?
Teachable: Is the method easily reproducible. If so, no teaching is needed.
1) As the defender, you only have to screw up once. The attacker gets many, many tries.
2) Most attacks are inside jobs.
3) The simplest attack is a denial of service. Just keep the target constantly busy. (Not a lot of rocket science needed)
Cyberterrorism is cheap. A well written virus is a one man job. On a now sub $500 computer, or even computers picked out of dumpsters. This is on par with creation of phosgene, the popular World War One nerve agent. (And we were told how to make this in HIGH SCHOOL Chemistry. If you were paying attention to the off-hand comment of the teacher)
Keep this in mind:
Dead bodies in your town will feel like terrorism.
Crashing computers will be written off as Microsoft products. (We seem to accept this form of terror)
>Commercial-off-the-shelf software: can it really do CT?
Yes, with tweaking. And Yes, without tweaking (see script kiddies)
>Which systems are actually attackable?
Any programmable machine can be subject to attack. If the machine is network aware, the attack vectors grow to the number of connections the machine has. Ideas like the government $500,000 grant for a radio based method for changing the code a machine is running will not work, not for the foreseeable future. It is easier to deliver code changes via more traditional methods, like a floppy or a porn download.
>Can a recovery be made from such attacks?
From a data perspective, yes. Restore from backups. From the lost productivity, no.
>Is it likely to improve/get worse?
Get worse.
>What sort of preventitive work would you recommend them to carry out?
Preventive measures? Common ones like
1) Know who your employees are.
2) provide traditional security for the machines/data.
3) Have a WORKING and WORKABLE disaster recovery plan.
4) A willingness to use the LAWS WE HAVE TODAY TO PROSECUTE 'crackers'
And, a bit of knowledge of the 'computer underground' wouldn't hurt 'law enforcement'. There are white, black and hats of grey out here. If 'law enforcement' wants to continue to make asses of themselves, then by all means, do not bother to educate yourselves, and go after Steve Jackson Games (GURPS Cyberpunks is a manual for "hacking") or, the case vs the original editor of PHRACK (massive financial damage claimed about the 'secret' 911 document, when for $29.95 + S&H and a credit card you too could get this 'secret ' 911 document)
Good Luck on creating a fair, reasonable document, that can be understood by policy wonks, and doesn't confuse hacker with cracker.
If it was said on slashdot, it MUST be true!
If you're further inclined, you can even find out exactly how each box is supposed to be config'd.
You raise a great point however - where is the source code accountability? There have been unreported horror stories associated with the Navy's use of NT and other invalidated/unverified programs, but I'm not sure what it is going to take to get it fixed... maybe accidentally shooting down a passenger plane.
Oh wait, never mind.
Any information stored online has the potential to be used. Find some embarrassing information (HIV results, credit card payment to a psychiatrist, chat room transcripts and history, etc.) about a target, and use it to compromise your way to a particular intelligence goal.
What if that Disney chat room dude was instead an exec in the defense industry (or a government staffer), and got outed by a foreign agent instead of the FBI? He might have an interesting decision to make: weigh a ruined career and 5 years of prison rape against giving up some national secrets to hide his personal secret.
"Using CT, how easy or otherwise is it to bring down or attack vital systems?"
Hypothetical situation: "...a small country wants to distract the US while it launches an attack against its neighbour. Just about all of the US online financial websites require a login/password to access one's account, and they have a lockout for x number of failed login attempts. If they do something like use the Social Security Number as a login, it would be possible for an attacker with a lot of bandwidth to script an attack that would "guess" passwords to SSN numbers. The likelihood of getting the correct password is slim, however the number of accounts locked out would be huge. When the news reported the attack that evening every single person with an account would login to see if their account was locked out. This would most likely cause a massive denial of service as the online financial market would be rocked and the ripples would spread throughout the economy. The market and population would recover within a short time, days or weeks.. However, the focus of the nation would be on this DoS attack and the little nation that started it would be able to attack their neighbour unscathed... Bear in mind that this is not limited to a nation; Kevin Mitnick had such total control over an ISP that service was slowed by his bandwidth consumption. It is quite possible that an individual with control over a couple of ISPs, that is a clever cracker, could bring the US to its knees.
"What sort of skills would be needed to do so, and are they common/teachable?"
If the attack was scripted by someone who read the book "Learning Perl", they would know enough to launch this attack. The knowledge needed for a terrorist act, i.e. a massive denial of service against "soft" targets, could be gleaned from the internet in less than a week. A reasonably intelligent individual would have no problem learning all this and more. To pilfer information from an army server would be far more difficult, though not impossible. L0pht, in an article in the NY Times, claimed to be able to bring down electrical power stations within the US. If someone were to have access to that information, and soon they will because the l0pht is going to publish it in an advisory (I hope), then they would be able to cause a tremendous denial of service. The skills of a hacker are readily teachable so long as one can find a teacher..
"Commercial-off-the-shelf software: can it really do CT?"
There is no need for commercial software; much of what is required is available for free. The best public tools are available throughout the internet: Linux, exploit source code, scanners, etc etc.
"Which systems are actually attackable?"
Just about anything connected to the internet is attackable. However, whether it is vulnerable or not is another question. A well built secure firewall that is properly configured will stop most attackers cold.
"Can a recovery be made from such attacks?"
In most cases, yes. However, if sensitive information is gleaned, there is no way to get it back.
"Is it likely to improve/get worse?"
I think that things will either worsen or remain the same. There is no real likelihood that things will improve; there will always be "script kiddies", there will always be the internet and computers. That simple fact implies that there will always be people who will abuse and misuse the networks. Think of them what you will, these people will always exist.
"What sort of preventive work would you recommend them to carry out?"
Nuclear war would work. Then no one would be left to mess with the charred remains of the computers. Short of that, increased vigilance on the parts of the governments and more time spent devoted to security might help.
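The lockout scenario in the post above is a real design weakness: a policy that locks an account after k failures from anyone lets whoever can enumerate usernames lock everyone out. The following is an added example written for this page, not code from the poster or from any bank. It simulates the spray described above against two policies: the naive per-account lockout, and a policy that counts failures per (source, account) pair plus a per-source budget, so a legitimate user arriving from their own address is unaffected. Account names, addresses and thresholds are constructed for the demo.

```python
"""Account-lockout denial of service and a policy that resists it.

Added example, not from the original thread. An attacker who can predict
usernames (SSNs in the post above) fires wrong passwords at every account.
NaiveLockout locks each account after LOCKOUT_THRESHOLD failures from any
source, so every legitimate user is locked out afterwards. PerSourceThrottle
keys its counters on (source, account) and on the source alone, so only the
attacker's address is throttled. All names, addresses and thresholds are
constructed for illustration.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5


class NaiveLockout:
    """Lock the account after LOCKOUT_THRESHOLD failures, regardless of source."""

    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, account: str, source: str, password_ok: bool) -> str:
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "denied"


class PerSourceThrottle:
    """Count failures per (source, account) pair and per source; never lock the
    account globally. The per-source budget stops one address from spraying
    many accounts at five guesses each."""

    def __init__(self, source_budget: int = 20):
        self.pair_failures = defaultdict(int)
        self.source_failures = defaultdict(int)
        self.source_budget = source_budget

    def attempt(self, account: str, source: str, password_ok: bool) -> str:
        if self.source_failures[source] >= self.source_budget:
            return "throttled"
        if self.pair_failures[(source, account)] >= LOCKOUT_THRESHOLD:
            return "throttled"
        if password_ok:
            self.pair_failures[(source, account)] = 0
            return "ok"
        self.pair_failures[(source, account)] += 1
        self.source_failures[source] += 1
        return "denied"


def simulate(policy, accounts, attacker_source="203.0.113.9", guesses=10) -> dict:
    """Attacker sprays wrong passwords at every account from one address, then
    each legitimate user logs in correctly from their own address. Returns the
    outcome each legitimate user sees."""
    for acct in accounts:
        for _ in range(guesses):
            policy.attempt(acct, attacker_source, password_ok=False)
    results = {}
    for i, acct in enumerate(accounts):
        results[acct] = policy.attempt(acct, f"198.51.100.{i + 1}", password_ok=True)
    return results


if __name__ == "__main__":
    accounts = [f"user{i:02d}" for i in range(50)]
    for policy in (NaiveLockout(), PerSourceThrottle()):
        outcomes = simulate(policy, accounts)
        summary = {v: list(outcomes.values()).count(v) for v in set(outcomes.values())}
        print(type(policy).__name__, summary)
```

Under NaiveLockout all fifty legitimate logins come back "locked"; under PerSourceThrottle all fifty succeed while the attacker's address is throttled after its budget is spent. The per-source policy is not a complete answer: an attacker with many addresses (the "lot of bandwidth" in the post) gets a fresh budget per address, so in practice it is combined with per-account rate limiting that slows rather than blocks, and with alerting on the spray itself.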
"Using CT, how easy or otherwise is it to bring down or attack vital systems?"
Hypothetical situation: "...a small country wants to distact the US while it launches an attack against its neighbour. Just about all of the US online financial website require a login/password to access ones account, and they have a lockout for x number of failed login attempts. If they do something like use the Social Security Number as a login, it would be possible for an attacker with a lot of bandwidth to script an attack that would "guess" passwords to SSN numbers. They likely hood of getting the correct password is slim, however the number of accuonts locked out would be huge. when teh news reported the attack that evening every single person with an accound would login to see if their account was locked out. This would most likey cause a massive denial of service as the online finacial marcket would be rocked and the ripples would spread throought the economy. The market and population would recover within a short time, days or weeks.. However, the focus of the nation would be on this DoS attack and the little nation that started it would be able to attack their neighbour unscathed... Bear in mind that this is not limited to a nation, Kevin Mitnick had such total control over an ISP that service was slowed by his bandwidth consumption. It is quite possible that an individual with control over a couple of ISPs, that is a clever cracker, could bring the US to its knees.
"What sort of skills would be needed to do so, and are they common/teachable?"
If the attack was scripted by someone who read the book "Learning Perl",they would know enough to launch this attack. The knowledge needed for a terrorist act, i.e. a massive denial of service against "soft" targets, could be gleaned from the internet in less than a week. A reasonably intellegent individual would have no problem learning all this and more. To pilfer information from an army server would be far more difficult, though not immpossible. L0pht, in an article in the NY Times claimed to be able to bring down electrical power stations within the US. If someone where to have access to that information, and soon they will because the l0pht is going to publish it in an advisory (I hope), then they would be able to cause a tremendous denial of service. The skills of a hacker are readily teachable so long as one can find a teacher..
"Commercial-off-the-shelf software: can it really do CT?"
There is no need for commercial software, much of what is required is availible for free. The best public tools are availble throughout the internet, Linux, exploit source code, scanners, etc etc.
"Which systems are actually attackable?"
Just about anything connected to the internet is attackable. However, whether it is vulnerable or not is another question. A well built secure firewall that is properly configured will stop most attackers cold.
"Can a recovery be made from such attacks?"
In most cases, yes. However, if sensitive information is gleaned, there is no way to get it back.
"Is it likely to improve/get worse?"
I think that things will either worsen or remain the same. There is no real likely hood that things will improve, there will always be "script kiddies" there will always be the internet and computers. That simple fact implies that there will always be people who will abuse and misuse the networks. Think of them what you will these people will always exist.
"What sort of preventitive work would you recommend them to carry out? "
Nuclear war would work. Then no one would be left to mess with the charred remains of the computers. Short of that, increased vigilance on the parts of the governments and more time spent devoted to security might help.
First a point-for-point addressing of Jane's concerns.
-Using CT, how easy or otherwise is it to bring down or attack vital systems?
Having done IS Disaster/Recovery and visited many of the Fortune 500 MIS centers and listened to their plans (Y2K and general response), you can take just about any company and make them non-productive for a day. This means a CT attack could shut down a city's transitway or stop a production line in Detroit. What hackers don't tell you is that to even do this much damage it takes onsite familiarization with procedures and with what those programs affect in the Real World.
-What sort of skills would be needed to do so, and are they common/teachable?
Harassment attacks can be done by eight-year-olds and a script. To divert NextTel's Accounts Payable wire transfers for a day to your Cayman Island bank takes a team of varied senior programmers.
-Commercial-off-the-shelf software: can it really do CT?
Well, Denial of Service attacks can be done with commercial apps that are meant as net accessories, and infiltration can also be done when combined with some physical penetration.
-Which systems are actually attackable?
Easiest of course are any that are attached to the Net. And these are also the ones that DOS attacks tend to hit and temporarily take down.
Those with remote terminal or even modem backup for IS support are a little harder to bother.
-Can a recovery be made from such attacks?
Reboot and reload from backup works 90% of the time, and for the rest you call in the consultants to fix it.
-Is it likely to improve/get worse?
As reliance on IS increases, of course CT attacks will get worse and occasionally somebody is gonna score a big hit. But presently the likely hacker to make that score is not a terrorist, just a kid with malicious thoughts.
-What sort of preventive work would you recommend them to carry out?
Believe it or not, a lot of the Y2K preparedness has taken care of many of the basic precautions.
Now about IT vs CT in the world of terrorism
It is the advances in infrastructure and technology that allow some third world terrorist group to remotely launch a coordinated Chem/Bio attack across multiple targets at once with none of your group having been in the target zone for weeks or even months. With cellphones/modems and other portable tech you can set up multiple target zones and have them actually poll for release conditions based on 3rd party data. EXAMPLE: Your airborne bio weapon requires no rainfall and light winds for optimal dispersal. Yet your canisters are spread across 600 miles of varied conditions. The Palmtops each check local weather info and once consensus is reached via the wireless modem polling, they go off for maximum societal disruption.
IT is a major force multiplier in the global events scale of things since it allows something like a SuperPower's ability to project force anywhere on the globe. Except with good IT, it's all done via remote.
Reality is just a clever Hack, and the Planck constant is the refresh rate.
In other words, make it massively redundant and open.
How do you do this? Simple -- deregulate it.
If the FBI insists on adding special wiretap functions to every core router, they become expensive. Therefore relatively few are added to the net. If encryption is highly regulated, then it's expensive, therefore uncommonly used.
However, if everything is protected by cheap and easy encryption, and there are unmonitored networks going EVERYWHERE -- then no real-world attack below nuclear strength will have any effect. The only reason a real-world attack could work is due to our dependence on a limited infrastructure. A limitless infrastructure cannot be effectively attacked.
I'll put it another way -- if there were only ONE bridge over the Mississippi, wouldn't that make a great terrorist target? Instead, there are uncountable bridges -- lose one and it's a pain in the ass, but it's not the end of the world. Unfortunately, the Powers That Be don't see this -- they just see that if there was One Bridge they could charge lots of money to use it, and also keep secret police records on who uses it.
But I've always said that politicians are complete morons.
DWB
:wq
An excellent question indeed, because it brings to mind almost everything that can be done with a networked computer:
The list goes on and on. I realize that this'll probably get moderated as Flamebait, Troll, or, perhaps, as Just Plain Stupid, as I realize that some of the items on the list are rather ridiculous looking. Yet, you have to stop and think for a moment and realize what a large, gray field we've just leaped into by attempting to define cyber terrorism! Everybody thinks they know what it is, and I guarantee you that there won't necessarily be a happy middle ground. There are going to be people who will debate such issues indefinitely, and who will see defining cyber terrorism as an invasion of their First Amendment rights (freedom of speech, so forth and so on).
To be further frank with you, I don't have a good grasp as to exactly what I feel cyber terrorism is, but I know that if you're going to write an article about it, you've got to start poking around and finding out what others think it is, then you may begin to address it, its implications, effects, consequences, and advantages.
Insert mind here.
Using CT, how easy or otherwise is it to bring down or attack vital systems?
Depends on how you define CT, or vital. It really also depends on how savvy the sysadmin is, and the type of technology you use. It could be as simple as using a script off a Web site, or, with physical access to the machines, playing games with them, etc. Filling a disk with plastique, and then putting it into a drive with a mechanism inside to scratch a match across a piece of sandpaper when the disk is spun (mounted), is an example of a low-grade approach...
RE: What sort of skills would be needed to do so, and are they common/teachable?
Depends on the exploit. Kitchen chemistry for physical attacks, how to operate a backhoe for infrastructure physical attacks on cables, network administration courses, books from any computer dealer, a copy of said system, scripts, security advisories. They're definitely teachable in the sense that once a technique is found it can be handed down. Having people with the right monkey mind to find the holes is something else.
RE: Commercial-off-the-shelf software: can it really do CT?
Sure. Depends on how it's used. FORMAT.COM comes with Windows - it can reformat a hard drive.
RE: Which systems are actually attackable?
Anything.
RE: Can a recovery be made from such attacks?
Depends: do you have backups? Sometimes not; if someone diverts info from your system, you'll never get it.
RE: Is it likely to improve/get worse?
Worse.
RE: What sort of preventive work would you recommend them to carry out?
Get rid of all insecure code. Do a code audit. Prevent physical access to all machines and cables to and from said machines. Change passwords frequently, make them long, and refuse standard English words. REMOVE THE DEFAULT PASSWORD. Hire some hackers to try and break in. Keep on top of security bulletins.
This article is extremely dry, and doesn't really cover much about Cyber attacks.
It does mention some truths, but one must be wary of confusing Chemical/Biological/Nuclear attack forms with "cyberterrorism." They are not the same at all.
As in any form of warfare, the defender's precautions generally limit the forms of attack. For instance, in ordinary (non-cyber) warfare, the presence of minefields and tank traps can change the methods used to attack a foe. The same principle holds true in the realm of information. The defender's precautions limit the applicable forms of attack.
Obviously, if the "vital system" is not connected to any outside system, then access is more difficult and an attacker would need much more preparation to actually attack it. Nonconnection is not always acceptable, however.
You can "do" CT with not much more than a modem and an operating system (DOS, for instance). The fundamental requirement is really knowledge-based, not equipment-based.
Almost any system can be attacked. Read through http://csrc.ncsl.nist.gov/
If you are a good administrator and keep backups, detect the intrusion early, and don't allow it to continue, you can probably recover. Expect the intrusion to recur, however, and take countermeasures!
It will get worse. As computers become more and more prevalent, more and more disgruntled people will use them to try and exact revenge or "justice" from other computer owners. Also, the more "funny stuff" is pulled by governments and corporations, the more people will be dissatisfied with the legal system, and the more they will seek alternative means of punishing their "oppressors" (sorry, that's just the way the human mind works. I personally prefer lawsuits, but not everybody can get things done that way. And as more people perceive the failure of justice, more people will use less than legal means of getting back their own).
---
Administrators should implement cryptographic security measures, combined with every other measure possible and practical.
You should understand that cyberterrorism isn't all that effective unless the terrorist gets the information out of the system he's just cracked. Sure, he could take the system down (and even then only if the administrator has left the system wide open). But, really, what's going to happen then? The systems people will restore from the latest backup tapes, and the system will again be operational. They might even have secondary systems or tertiary systems they can bring online immediately. However, if he can get information off the system, he can sell it or use it. If the information is encrypted, it's that much more difficult for him to get it in a useful form.
---
Obviously, computer/cyber terrorism requires little investment. A computer (the only part requiring monetary expenditure), an operating system, a terminal program, some software tools (available freely off the web).
But as someone else has said, a few pounds of plastique expertly placed (say, to take down the power lines at the substations supplying a city) can wreak a great deal of general havoc.
Heck, a terrorist with a wrench and a utility-company decal on a truck could cause an incredible amount of damage -- with hardly any expenditure. Many high-voltage power lines run through urban areas with little (or no) security around the steel supporting structures. A wrench, a truck, and some guts is all it would take.
Cyberterrorists would be more effective in creating propaganda campaigns than in destroying infrastructure or destroying other people's computer systems. An "information war" would be conducted more as information, counterinformation, lies, propaganda, et cetera. One does not even need to break any laws to do these things. And anyone can do them.
But there are ways of defeating or destroying other people's systems. As stated previously, however, the defender's countermeasures usually determine the effective means of attack. If no countermeasures have been taken, then any form of attack can succeed.
System administrators should be aware that constant vigilance is needed. The administrators must be continually watching for odd activity on their systems. Security measures must be implemented that will allow invaders to be detected. Let's face it, the security measures that would be required to prevent intrusion are so prodigious as to be non-economical. However, if intrusion can be detected and the system subsequently defended, intruders will be less able to create large amounts of damage.
Systems administrators of possible target systems (and that includes just about everybody!) need to be aware of security holes in their software, in their hardware, and in their methods and procedures. One way to do that is to read -- constantly -- the various security-oriented web sites. Read. And implement whatever security measures you can.
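One concrete form of the "watching for odd activity" the post above recommends, as an added example that is not code from the post's author: a small detector run over sshd-style authentication log lines. It flags a password spray (one source, many different users failing), a brute-force run (one source hammering one user) and a success that follows repeated failures. All log lines, host names, addresses and thresholds are constructed for the example.

```python
"""Added example, not from the post: flag "odd activity" in sshd-style
authentication logs. All log lines, hosts, addresses and thresholds are
constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(line):
    """Return a dict for an auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; pin one so the values compare correctly
    ts = datetime.strptime("1970 " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines, window_s=300, spray_users=5, brute_fails=6, compromise_fails=3):
    """Return a sorted list of alert tuples.

    password_spray:         one source, many distinct users failing within the window
    brute_force:            one source hammering one user within the window
    success_after_failures: a login succeeds after repeated failures for that user
                            from the same source (possible compromise, worth a call)"""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)

    alerts = set()
    for src, evs in per_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            window = [f for f in fails[i:]
                      if (f["ts"] - first["ts"]).total_seconds() <= window_s]
            if len({f["user"] for f in window}) >= spray_users:
                alerts.add(("password_spray", src))
            per_user = defaultdict(int)
            for f in window:
                per_user[f["user"]] += 1
            for user, n in per_user.items():
                if n >= brute_fails:
                    alerts.add(("brute_force", src, user))
        seen = defaultdict(int)
        for e in evs:
            if e["result"] == "Failed":
                seen[e["user"]] += 1
            elif seen[e["user"]] >= compromise_fails:
                alerts.add(("success_after_failures", src, e["user"]))
    return sorted(alerts)


# Constructed sample: one benign typo, one spray, one brute force that succeeds.
SAMPLE_LOG = """\
Jan 15 10:00:01 bastion sshd[4021]: Failed password for alice from 192.0.2.10 port 50211 ssh2
Jan 15 10:00:09 bastion sshd[4021]: Accepted password for alice from 192.0.2.10 port 50211 ssh2
Jan 15 10:01:00 bastion sshd[4100]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 15 10:01:02 bastion sshd[4101]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Jan 15 10:01:04 bastion sshd[4102]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 15 10:01:06 bastion sshd[4103]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Jan 15 10:01:08 bastion sshd[4104]: Failed password for bob from 203.0.113.5 port 40005 ssh2
Jan 15 10:02:00 bastion sshd[4200]: Failed password for root from 198.51.100.7 port 33001 ssh2
Jan 15 10:02:03 bastion sshd[4201]: Failed password for root from 198.51.100.7 port 33002 ssh2
Jan 15 10:02:06 bastion sshd[4202]: Failed password for root from 198.51.100.7 port 33003 ssh2
Jan 15 10:02:09 bastion sshd[4203]: Failed password for root from 198.51.100.7 port 33004 ssh2
Jan 15 10:02:12 bastion sshd[4204]: Failed password for root from 198.51.100.7 port 33005 ssh2
Jan 15 10:02:15 bastion sshd[4205]: Failed password for root from 198.51.100.7 port 33006 ssh2
Jan 15 10:02:18 bastion sshd[4206]: Accepted password for root from 198.51.100.7 port 33007 ssh2
Jan 15 10:05:00 bastion sshd[4300]: Connection closed by 192.0.2.44 port 55555 [preauth]
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The thresholds are deliberately loose so the sample trips them; in practice they are tuned per host, and the third rule (a success after a run of failures) is the one worth paging on, because it is the point at which the post's "restore from backup" recovery stops being enough and the information may already be leaving.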
- The DOD is starting to rely on Just In Time Logistics (JITL).
- The DOD uses the commercial internet to enable JITL.
- The DOD has a Separate infrastructure (although much of the high speed is leased lines) for both secure and insecure infrastructure.
- However the Interconnects to the commercial Internet, are limited.
Situation. The US is in a prolonged and unpopular war (Vietnam).
Enemy Strategy.
Make Military use of the commercial internet impractical at critical times.
Enemy tactics.
Through newsgroups, web sites, and email, pass along programs that allow civilian sympathizers to SPAM (or ping of death, etc.) military addresses. The sheer number of attacks coming from so many different areas could force the DOD to isolate its networks, placing strains on its logistics.
Factors necessary.
The enemy must have a critical mass of public sympathy among "net connected citizens." No centralized control or authority is necessary. All that is needed is wide dissemination of the call to action.
Two uses of computers are discussed in the article: attacks against "good" computer infrastructure to make it fail, and use of "evil" computer infrastructure to further other "evil" projects like chem weapons and nukes.
Point one, attacking "good" computer systems, I think is adequately addressed by the above posts - particularly the ones that focus on physical means of disabling computers and computer networks. The best admin practices in the world can't save you from a cut cable.
Of course, making computers fail has limited effects. Only systems that depend on the failed computers will stop working. The more that depends on them, the more that can be made to short- or long-term stop working.
This also occurs to me: computer attacks could cause disruption, economic damage, and isolated deaths and injuries, but they're not as bad as biological or nuclear attacks. If groups spend their energy on the first, they may be less likely to attempt the more difficult second...? But if computer attacks are impossible, they'd be forced into other avenues. In other words, computer infrastructure damage might be a useful thing to make attractive to terrorists, to divert their attention from worse things.
On the other hand, with the amplifying effect computer attacks could have on other kinds, that could be a big mistake.
Now point two, use of computers to further other "evil" projects:
Perhaps counterintelligence agencies could locate "evil" computer infrastructure and direct electronic attacks against it - it is vulnerable in the same ways "good" systems are.
Making computers systemically incapable of supporting "evil" activity while leaving them useful for "good" purposes seems like a lost cause to me. The same features that make them useful for "good" make them useful for "evil" - you can't cripple the latter ability without crippling the former.
Johan J Ingles-le Nobel is wise to wonder about the credibility of this article. The author is trying to link two entirely different spheres (cyber-terrorism and weapons of mass destruction) into a single subject--he even goes so far as to coin the phrase "weapons of mass disruption." Which is to say, you can draw a parallel between getting nuked and getting a busy signal.
The writer doesn't seem to grasp the impact of computers and technology on terrorism. And the writer also doesn't seem to grasp the concept that terrorists act intelligently--within their own world view. And so the writer focuses inordinately on the feats of prowess of Aum Shinrikyu, a cult of Shinshinto extremists who bumbled their way through a sarin gas attack on the Kasumigaseki and Kamiyacho subway stations in Tokyo in 1995. If Aum Shinrikyu, using a World War I sarin recipe, is the best the new breed of terrorists have to offer we can all rest easy. Would that it were that simple.
The fatal flaw of this article is the writer's complete ignorance of the principal impact of technology on terrorism: computer technology makes the up-to-date (and up-to-speed) terrorist vastly more productive.
Let's examine the writer's linkage of chemical, biological, radiological, and nuclear terrorism with cyber-terrorism. There's no correlation at all: CBRN warfare involves significant scientific achievement, a fairly high order of precision in manufacturing, a means of storing extremely hazardous materials, finding an anonymous--or at least deniable--means of delivering those weapons, and (for most terrorists) finding an exit strategy for any agents in the vicinity of the attack. As this article points out, there is a lot to it--manufacturing facilities, storage facilities, and testing facilities to start with. There are significant issues involved in transporting the weapons and triggering them. And there is the enormous difficulty of keeping the effort a secret--an oft-repeated maxim in suspense novels is that the likelihood of a secret's being blown is equal to the square of the number of people in on the plot. You can't even try to build a nuclear bomb, store it, and test it without hundreds (even thousands) of staff who have to be housed and fed to stand around in the dark on rainy nights trying to remember why they volunteered for this great assignment. If nothing else, CBRN terrorism pretty much requires having a sympathetic Saudi prince just to bankroll the scheme.
Cyber-terrorism, on the other hand, involves writing a program and running it. One graduate student, Robert Morris, accidentally launched a "worm" virus that shut down most of the Unix-based computers in the U.S. in the 1980s. While such an attack is more difficult today, any such attack would not take any significant amount of manpower. "DOS" (denial of service) attacks are a good example: it is relatively trivial to write a program that will attempt to connect to a remote server, asking for responses to an Internet address that does not exist. Each request takes a certain amount of time to process--you can flood that server with a large number of requests, effectively preventing anybody else from getting in. With the vast increase in affordable Internet bandwidth available today ($169/month for 192kbps dedicated bandwidth in a residential suburb of New York, for example) it is a relatively trivial exercise for a "cyber-terrorist" with a thousand bucks and three or four talented high school students to become, at the very least, a cyber-annoyance.
But computer technology offers much more to the would-be terrorist. Just as an editor for Jane's can find expert criticism of an article on cyber-terrorism (amidst a stream of childish ranting, one expects) by searching the World Wide Web, a terrorist can find all sorts of useful information. The terrorist can also take advantage of the commercialization of high-end technologies (such as the U.S. Defense Department's vaunted Global Positioning System [GPS]). And the terrorist can take advantage of the computerization of toys (particularly the growth of robotics such as Lego Mindstorms, or radio-controlled cars).
Were I a would-be terrorist, particularly one with a political agenda based on hatred of the Western World, I wouldn't waste my time with nuclear weapons or World War I sarin recipes. Instead I would have a cadre of recruits developing expertise with the most commonly available explosive in the U.S.--the barbeque grill propane cylinder. With very, very little technological sophistication one could fabricate the poor man's Fuel Air Explosive [FAE]: program a Palm Pilot to set off a task on a specified date and time, create a robotic hand with Lego Mindstorms, attach it to the valve on the cylinder, and put the "package" inside a closed room. The Mindstorm "hand" opens the valve and vents the cylinder; a second Mindstorms device sets off a spark, and, well, you get the picture. You can mass produce what little specialized technology you need and transport it on airliners with no worry at all--you will buy the Palm computers at an office supply store, the Lego Mindstorms kits at Toys 'R Us, and the propane cylinder at the nearest convenience store.
I would begin my terrorism campaign by publicly asking the Great Satan to have greater regard for its poor--with all the usual verbiage about the terror inflicted upon the Third World by greedy Wall Street speculators. I would then follow up by using my propane packages at various convenient locations around Wall Street--despite the World Trade Center bombing a few years ago, it is child's play to leave a propane "package" anywhere in the vicinity. (If I had the budget, I'd fabricate brightly-colored trash cans with the "packages" inside. I'd distribute the trash cans, conspicuously empty them for several days, then set them all off at once. Press release: "the garbage of the world, that you throw away like yesterday's sandwich wrappers, will rise up to smite you.")
Then I'd go after the New York transit system, focusing particularly on those parts of it that are heavily-used by the financial community (continuing my Third World Liberation theme). So I'd use Mindstorms robots and GPS units to "crawl" packages into the PATH tubes under the Hudson River. The propane cylinders wouldn't be powerful enough to burst the tunnels and flood them--but that enclosed space would focus the effect of the explosions and do an awful lot of damage. And scare the entire NYC populace out of the subways for a generation. (Press release: "Financial swine, you are not free from the wrath of the people wherever you go--even into holes in the ground.")
Then I'd go after the Internet. It isn't rocket science--all it requires is some skill at title and deed work. Identify the rights of way of AT&T, MCI WorldCom, etc., to identify trunk lines. Most of those lines are on poles--right there along the side of the road. Even the "secure" lines that are buried underground have to surface to cross bridges, railway lines, etc. Spend some time, do a little traveling. The locations of the five major interconnect points in the U.S. are widely known (just look on the World Wide Web). In a month or two you can probably find key trunk lines for a good portion of the major Internet carriers. More propane cylinders, more packages. (Press release: "Witlings of the imperialists--now you have some glimmer of understanding of how your brothers in the Third World must live. Free yourselves from their oppression!")
Want to go whole hog? Really do it right? OK--we'd have to do a little prototyping by testing a package or two against some targets. Aum Shinrikyu tested sarin in the Australian outback for months without arousing undue suspicion. Blowing things up "just for fun"--particularly with a can of beer in hand--is considered Manly Recreation in many parts of the U.S. Then we'd do some planning (using PCs and Microsoft Project, of course) to identify the tasks at hand and the time it will take to plant all of our packages. We could identify task dependencies (frankly, the biggest difficulty would be getting an adequate supply of Lego Mindstorms kits--they are in very short supply) and we could distribute Gantt charts to the entire team. We distribute our packages across a relatively small area in the eastern U.S., and wait for them all to go off. At once. Kill hundreds of people, shut down the NYC transit system, cripple the Great Satan's telecommunications, and prevent a nation full of office workers from downloading pornography; all in one single, simple, coordinated attack. (Press release: "Now do we have your attention, big boy?")
If you're keeping score at home, here's what we're talking about: A Mindstorms kit ($200); a Palm Pilot ($500); a barbeque propane cylinder ($30); and related hardware (wire, spark, etc., figure $20). Add another $250 for boxes and other decoy containers (and to keep the math simple) and you're talking about $1000 per package. For $100,000 to $150,000, including airfare, hotels, meals, and gratuities, you and three or four comrades could conduct a terrorism campaign that would make the FALN and the PIRA look like amateurs.
The economics are undeniable: the ability to create bombs that combine software and robotics for chump change completely alters the question of terrorism. What we might term "legacy" terrorists (understand: in the parlance of computer programmers that is a punishing insult) are trying to win funding from bankrupt former First World spy agencies and hoping to score plutonium on the open market. The avant garde terrorist is the fellow in line in front of you at Toys 'R Us.
The security is undeniable: your chances of finding these guys before they strike are zero. This only requires one person. If the plot involves more than four or five people it gets overly complicated. None of the components can be characterized as a weapon--so even if you are questioned by the police ("you're correct, officer--I do not have a license for this Lego kit") there's no rational basis for suspicion. And once you do wreak havoc on the target country you will be practically impossible to find: just the kind of simple precaution you learn from reading John Le Carre novels (wipe the propane cylinders for fingerprints) is enough to prevent anybody from ever finding you.
And the politics are undeniable as well: the legacy terrorists help fund the day-to-day payroll by running guns, smuggling drugs, and generally operating like gangsters. It is difficult to gain the support of the oppressed when the selfsame oppressed also recognize you as the local drug dealers. Our high-tech robot-wielding terrorist, on the other hand, doesn't need to support a huge payroll--so he doesn't need to run guns, smuggle drugs, rob banks, or anything else. With some creativity and perhaps a slightly smaller budget he could literally do the entire project on credit cards.
Press release: "We have smote the Great Satan in his lair--we have left him wounded, bleeding, alone, and in the dark. We have deprived him of his filthy pictures of oppressed women. And we have done it with the products of his own depravity--the computer toys of his pampered children and the office toys of his fattened bourgoisie, fueled by explosives from his so-called convenience stores. And we financed the entire operation using the Evil Oppressor's own credit cards."
This writer is totally wrong: the impact of technology on terrorism doesn't mean that we have to add a new letter or suffix to the "CBRN" acronym. The impact of technology radically changes how productive, and how anonymous, the would-be terrorist can be. Ultimately, technology obviates CBRN terrorism--the terrorist doesn't need to be that extravagant, and doesn't need to take the risks of handling those materials. With a little bit of applied thought, and off-the-shelf technology (and off of shopping mall shelves at that), the avant garde terrorist can scare the daylights out of any country on the face of the earth.
To contact me by email, use the address above, but do not include the "nospam" entry in the address.
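The flood the post above describes (connection requests that ask the server to answer an address that does not exist) is a spoofed-source SYN flood. As an added example, not code from the post's author, here is a simulation of why it exhausts a server that remembers every half-open connection, beside a server that answers with a SYN cookie in the style of Bernstein's scheme and keeps no state at all. Addresses, the secret, the table size and the simplified cookie bit layout are constructed for the example; real stacks encode the MSS and options differently.

```python
"""Added example, not from the post: a spoofed-source SYN flood against a
stateful half-open table, and the same flood against a server that issues
SYN cookies instead of keeping state. Addresses, the secret, the table size
and the (simplified) cookie bit layout are constructed for this example."""
import hashlib
import hmac
import random

SERVER = "192.0.2.80"
MSS_TABLE = (536, 1220, 1440, 1460)      # constructed; real stacks use their own table
MASK32 = 0xFFFFFFFF


class HalfOpenTable:
    """Conventional server: remember every SYN until the third packet arrives."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = {}                      # 4-tuple -> our ISN

    def syn(self, key, our_isn):
        if key in self.pending:
            return True
        if len(self.pending) >= self.capacity:
            return False                       # backlog full: SYN silently dropped
        self.pending[key] = our_isn
        return True

    def ack(self, key, ack_no):
        isn = self.pending.pop(key, None)
        return isn is not None and ack_no == (isn + 1) & MASK32


class SynCookieServer:
    """Stateless server: the ISN in our SYN-ACK *is* the state. Layout used here:
    bits 31..27 = 5-bit time counter, 26..24 = MSS index, 23..0 = truncated MAC."""

    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock                     # callable returning seconds

    def _tick(self):
        return (int(self.clock()) // 64) & 31  # one tick per 64 s, wraps at 32

    def _mac(self, key, t, client_isn, idx):
        msg = ("%s:%d>%s:%d|%d|%d|%d" % (*key, t, client_isn, idx)).encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def syn(self, key, client_isn, mss):
        """Answer a SYN: return the cookie to send as our sequence number. Nothing stored."""
        t = self._tick()
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        return (t << 27) | (idx << 24) | self._mac(key, t, client_isn, idx)

    def ack(self, key, seq, ack):
        """Validate the third packet; return the negotiated MSS, or None if forged or stale."""
        isn = (ack - 1) & MASK32
        client_isn = (seq - 1) & MASK32
        t, idx = isn >> 27, (isn >> 24) & 7
        if (self._tick() - t) & 31 > 1:        # older than about two ticks: refuse
            return None
        if idx >= len(MSS_TABLE) or (isn & 0xFFFFFF) != self._mac(key, t, client_isn, idx):
            return None
        return MSS_TABLE[idx]


def spoofed_syns(n, seed=7):
    """Constructed attacker: n SYNs from random, never-answering source addresses."""
    rng = random.Random(seed)
    for _ in range(n):
        src = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        yield (src, rng.randrange(1024, 65536), SERVER, 80), rng.randrange(1 << 32)


def flood_stateful(capacity=1024, attack_syns=5000):
    """Return whether a real customer's SYN is accepted after the flood."""
    table = HalfOpenTable(capacity)
    for key, _ in spoofed_syns(attack_syns):
        table.syn(key, 0)                      # spoofed peers never ACK; entries linger
    return table.syn(("192.0.2.10", 40000, SERVER, 80), 0)


def flood_stateless(attack_syns=5000):
    """Return (MSS for a genuine handshake, result for a forged third packet)."""
    server = SynCookieServer(b"constructed-example-secret", lambda: 1_700_000_000)
    for key, client_isn in spoofed_syns(attack_syns):
        server.syn(key, client_isn, 1460)      # one MAC each, but no memory consumed
    legit = ("192.0.2.10", 40000, SERVER, 80)
    cookie = server.syn(legit, 12345, 1460)
    genuine = server.ack(legit, 12346, (cookie + 1) & MASK32)
    forged = server.ack(legit, 12346, ((cookie + 1) ^ 0x5A5A) & MASK32)
    return genuine, forged


if __name__ == "__main__":
    print("stateful table accepts customer after flood:", flood_stateful())
    print("syn-cookie server (genuine, forged):", flood_stateless())
```

The stateful server drops the customer's SYN once 5000 spoofed entries have filled a 1024-slot backlog (and, without timeouts, keeps dropping); the cookie server spends one MAC per packet and nothing else, accepts the genuine third packet, and rejects a guessed one. Linux exposes this as net.ipv4.tcp_syncookies and only falls back to cookies once the backlog is full, because a 32-bit cookie cannot carry every TCP option. Cookies protect the server, not the network: the spoofed sources themselves are what ingress and egress address filtering at the ISP border is meant to stop.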
After reading this article, a few things are very obvious to me. Firstly that neither the author of this, nor the readers of slashdot have a proper grasp of what constitutes real Cyber Terrorism. This issue in and of itself seems to be the articles downfall. It muddles about making possible links to CBN incidents, but hardly links CT at all. While this may be possible in some ways, most modern CT involves and will continue to evolve to occur withing the civilian population. Current systems are still for the most part publicly connected to insecure networks and not properly protected. Of interest to the actual intelligence community are facts regarding "real" vulnerabilities of military C^3I and most importantly for terrorism issues, civilian target vulnerabilities. For example, during the 1980s AT&T's network infrastructure was setup in such a way that a concentrated terrorist group with 15-30 members using shortwave technology and simple explosives could have temporarily (up to 6 months!) wiped out the complete nationwide grid and sattelite connection system. AT&T and the DoD got together and realised this was a problem in 1989, and did a complete re-run of the routing and backups to more secure, less published sites. A few are now even in hardened locations. In 1994 att.com was receiving over 500 attacks on their firewall a week. The number has skyrocketed since. Military bases, ships are field personel rely on wave based communications technology that can be interrupted QUITE simply as proven by recent USNavy tests at the field weapons research center. Ships use sophisticated communications arrays and various forms of sattelite comm and nav systems to keep in touch, and problems with this continue to appear in the field. As yet no malacious attacks have been noted, but it is possible to jam various frequencies or create noise. Not of the proportion of James Bond style nonsense with GPS information being scammed, but real world c3 interruptions. 
It has happened by accident before, and eventually terrorists will use simple home-brew tech on a massive scale to interrupt enemy comm and nav systems. Realistic targets of modern terrorists should be examined for vulnerabilities based on mass hysteria and panic creation. Want to tie up a city? Take down its communications grid or power gen. link or water systems. Semi-malicious groups such as L0pht and others have made bold comments about being able to do such things as shutting down the NYC power grid and water supplies, among other things. (As older & NY area readers may recall the great power outage caused by an amazingly simple failure some years ago, when all backups failed as well.) While this was never proved, such groups do things more out of intellectual challenge than malicious intent. This does not remove the risk. Such targets of opportunity DO exist across the nation; most are such that neither Slashdot readers nor a Jane's author may be aware of them. The author also needs to research and re-think the link of CBRN and Cyber attacks. While a dedicated government-sponsored group MIGHT be able to penetrate an enemy's internal weapon control networks, many 1st world nations used offline networks with hard-encryption systems point to point. This makes remote access improbable. It does not however make it impossible, as a hard line with encryption can still be tapped, and if key hardware acquisition occurs, then the tap can be used for access. The largest CT problem is still humans. Social hacking and information revelation through contact is still the largest of military problems. Terrorist and other groups have free rein within most civilian populations; however, military access is more troublesome and requires far more human-to-human interaction for intelligence gathering on starting points and access information. Proper instruction can lessen, but not remove, this link. Possible future points of interest? Online voting and polling for political elections.
What better way to assist your candidate than fudge the numbers electronically? Online banking and financial systems. Ever see the mess that runs some countries' stock markets? Easily accessible! Military logistics (read: SUPPLY) systems are becoming integrated with suppliers (read: trouble). Online data transfers for economic information such as civilian infrastructure data and economic reports. And as communications move online, eavesdropping takes on a whole new era of interest. The network itself as a physical connection is a possibility. How often in the last 9 months have we seen things such as "Ohio gas company cripples OC-256 on accident" or "Sprint loses all frames"? A terrorist could cripple business, commerce and even smaller government institutions in the US with a few backhoes. (Amusing image, no?) However, all risks must be balanced by exposure and consequences. Who will be inconvenienced if a kid at a .cz site with a 386 accesses and accidentally knocks Boise, ID off the power grid? What if it was NYC? What if it was a concerted movement made by people also screwing with the water supply and sewage system? And another team takes out local phone and cable networks? CT enters a whole new realm, arm in arm with field operations. Web page defacement is only the beginning. A smart person with good access who has some issue with his current or former employers is THE most dangerous person today. We should fear this person most.
Overly simplified question and answer session:
1) CT "vital system" definitions? It has been shown in tests that most all systems on public networks are vulnerable to various attacks, from intrusion to simple denial of service.
2) Networking knowledge is of the highest priority. Each year thousands of wanna-bes collect in Vegas to test their skills at system intrusions at Defcon. The sheer number indicates yes, the skills are both common and teachable, and this is JUST in the US. (As a note, no year has had an uncrackable system yet.)
3) YES. Off the shelf can include simple Unix systems such as Linux and FreeBSD CDs (my local store has them). The recent DoD and PC Week tests were both defeated from OLD 386-based Linux boxes. Tools acquired freely on the internet, and web pages referenced for known issues.
4) AH! Finally an excellent question! Mostly civilian targets, with a few military research and logistic systems being vulnerable. Most important military systems are offline to the average CyberTerrorist.
5) Recovery depends on the type of attack. Denial of service recovery is quite simple: stop the attack and re-assert any system issues. Intrusions are much more troublesome. The attacker may still be around, the CT may have accessed other locations, systems, etc. Tedious work must be done to shore up holes and the method of intrusion, and re-evaluate the system for trojans, backdoors, timebombs, etc.
6) Is it likely to improve? No. (See above.) Our increasing reliance on "being connected" as a global and tribal village will only make this worse. Group dynamics and psychology have shown that as a population increases, so does what can be considered abnormal behavior. More reliance on computers and networks and the beginnings of global computer literacy will have its correct effect in that more crimes and terrorist attacks will occur based on IT.
7) Whew, a VERY tall order. All "systems" that require a risk assessment need to be reviewed for consequences. Information access is made worse by the human element (see above), so training and review are integral parts of the equation. This is a VERY broad question. Various treatises on IT security have already been written on the subject.
Ed Wahl wahl@iwaynet.net - worked for various large civilian and gov sites, IBM, AT&T, Cray, USN, etc.
First off CBRN and Cyber attacks should not be lumped together, they are fundamentally different.
:).
For CBRN the terrorist must have motivation and equipment.
It takes a certain kind of person to pull the trigger on a tactical nuclear weapon.
You must also have the plutonium to make the weapon.
Technical expertise is not always necessary. You can buy a vial of anthrax and release it with no prior knowledge of how it kills people.
Cyber attacks, on the other hand, have different requirements.
Motivation is less important. Indirectly killing someone on life support by cutting the power is morally easier than blowing up the building.
You don't need any special restricted hardware. All hardware is bought or made with off the shelf equipment.
A high level of technical knowledge is required. Most software will be hand made and you will not be able to use it without knowing much of the underlying concepts.
Cyber attacks have not been very prevalent because it has not been a "high profile" target. Until recently most people did not know the Internet existed. Information was not seen as a useful target.
CBRN terrorists will often need state support because of the high cost or high restrictions on needed hardware. You can't set up a nuclear refining facility in your basement, the power use alone would draw attention.
Cyber terrorists' main need is training. I imagine that such training is not the type state terrorist facilities regularly conduct. It is very easy to find training by legitimate means, such as sending personnel to public universities to get CS degrees. There is no real need for a cyber terrorist to ally with a state.
For this paper I will define a cyber attack as an action that significantly disrupts information or information flow. This does not include web defacements, small scale DoS, and other nuisance attacks.
The primary goal will be to disrupt information flow.
There are two types of Cyber attacks. Attack on the physical infrastructure, and attack on the logical infrastructure.
Physical attacks:
An example would be cutting a transatlantic data line. We saw the effects of this recently when a construction company accidentally cut a major backbone. The major problem with this attack is the fact that the Internet was designed with this in mind. There are many routes between destinations. However, a coordinated attack can still do major damage. A terrorist could cut several major lines, and blow up a couple important buildings at roughly the same time. You could effectively cut the information link between the west and east coast. Satellites do not have the bandwidth to handle all the communication if all the landlines are down.
These types of attack will come from classic terrorist organizations. It provides immediate results, and instills a great fear in the entire country.
Logical attacks:
These are attacks directly on the information. These are much harder to pull off. You will not be able to crash a single computer and cause mass chaos and fear. The only truly effective attack will be a slow stealthy takeover.
The most basic would be to cause a massive crash. A terrorist would gain access to many critical servers and organizations. He may crack several bank networks, TRW, Yahoo, CNN... There would be mass confusion if all these were to suddenly disappear at the same time. This may be used as a diversionary tactic to make a classic terrorist attack more effective or easier. It would be easier to smuggle a nuke near the Capitol building if the power were out.
The main goal is not usually to destroy information, but to disrupt information flow. Any information worth destroying will have a backup off site.
The terrorist organization that undertakes this type of cyber attack is much different. They must be patient, and have a high degree of intelligence. They do not need to be physically close. Their motivations will also be different. A logical attack does not directly kill people. It will not strike the kind of terror a bomb does. This attack is designed to cost the target money and time. Therefore it will usually be used when your goal is the destruction of the target government or organization, not to strike fear into its people. The standard "cell" organizational method may be altered. It will consist of iCells. The cells communicate as in a standard model. The personnel in each iCell are only connected by the Internet. Their meeting places are chat rooms. They can be located anywhere in the world. Each person is anonymous.
If the target is something like a power grid you will need an overlap. You will need to physically gain access to the network. The most important networks can not be reached by the Internet. The organization may have several classic Cells. These will physically gain access to the network. Then there will be one or more iCells, which take over the network and bring it down.
I don't see cyber terrorism growing for a few years still. A coordinated attack is very difficult to accomplish. Though an evil L0pht may be out there right now. Slowly taking over every critical server in the country. Waiting for the day they are told to corrupt every hard drive under their control.
I'll stop now, I think I've made this long enough.
Not 100% sure of this, but I remember reading about a German plot to destabilize England during the war by infiltrating expert forgers and engravers via submarine to produce really good phony banknotes, thereby hyperinflating the pound into worthlessness. So, either it has been tried, or someone wrote a really cool book on the idea. :-/
To understand recursion, you must first understand recursion.
. . . by far is for a trusted system to be unknowingly compromised. The best weapon anyone can have is information.
Actual attacks, whether something simple like defacing a website or more serious like taking down a power grid, are cute but have no long-lasting impact. Systems can be restored, problems can be fixed.
Much more damaging is for the enemy to know everything about you and your operations.
One thing this article states is that Cyber-Terrorism is on a mass scale where it affects a large group of people, and possibly produces fatalities. Although the threat of fatalities may be far-fetched, affecting large numbers of people is not.
Every day, more and more people are relying on the net to communicate information and do tasks. The most vulnerable, I've come to think, is online stock trading. Companies like E*Trade and Ameritrade are booming from their $8/trade deals. As more people rely on such systems and become confident in them, they move their entire day-trading portfolio out of mere convenience and to save money. What then would happen if a single person (because that is all it takes) was able to shut down the computer systems of such a company for 1 week? At its current state, it would most likely have an effect only on its own share value. What if they became the normal means to trade stock? The effects could be temporarily devastating, instilling panic in many. This situation is made possible because online trading is done via insecure online networks. Cryptography ensures that your data is not readable except to those who have extremely powerful machines and mathematicians (No Such Agency), but nothing protects these machines that are handling the online trading with the exception of routers and switches. Not only do such firewalls have vulnerabilities, but they still need to leave a globally accessible port open for anyone to take advantage of (whether legitimate or otherwise). The point here is: Why are we putting systems like this on an internet with known security holes if the pitfall is potentially huge? Military websites hacked by script-kiddies, who cares, that's placed where everyone knows it's vulnerable. Major computer systems that have a direct effect on our country's financial systems on such a network? That seems like blasphemy.
Any system can fall victim to a denial of service attack. These attacks can also be traced (over time) and be filtered or terminated. Someone cracking a system through unknown means, however, nobody knows if that is 100% detectable.
As someone with a glancing familiarity with the field, I think it's important to note that cyberterrorism is a vastly different thing than your run-of-the-mill cracking. First of all, most cracking involves relatively unknowledgeable hackers ("script kiddies") using easily downloadable programs and tools. Think of a kid walking down a hallway, testing doorknobs to see what opens. In general, vulnerabilities for which automated attack programs exist also have patches and fixes available. So, if you have anything important on your systems (such as classified or competitively sensitive information), you will make sure you load those patches -- the equivalent of locking your door. You will also think twice before connecting that system to an external network. When the attacker has a great deal of technological prowess, you will more likely be facing a new vulnerability for which there is no countermeasure. In these cases, your data archival/retrieval programs earn the money you paid for them.
Cyberterrorists are much more likely to possess the in-depth computer skills needed to cause tremendous damage. They have the motivation to study your particular system to analyze it for weaknesses, and the will to exploit them. In general, critical systems are well-protected. One notorious area of poor computer security is hospitals and research labs; this is mainly because these institutions are primarily staffed by scientists with little to no interest in protecting information. When your main concern is sharing data and results, infosec takes a back seat to your mission -- publishing and collaborating. As Machiavelli would say, if someone wants to kill you badly enough, you can be gotten. Every system has weaknesses. If someone wants to crack you badly enough, they'll succeed.
Skills necessary for conducting a destructive and deadly campaign of cyberterrorism are uncommon. In my opinion, this requires an in-depth knowledge of operating systems, internet protocols, encryption, and information security. Such knowledge is more common in highly-educated individuals educated in the U.S. and western Europe, though someone with enough intelligence and time might pick it up without formal schooling. For the easily defendable automated attacks, little knowledge is required past a rudimentary "click here" overview.
In general, we classify threats to computer systems in four major divisions, internal/external and structured/unstructured. Cyberterrorism would be classified as a structured threat.
External Threats
Internal threats come from employees or other elements within an organization. Structured attacks would most likely involve extortion or fraud; unstructured attacks might feature a disgruntled programmer installing a backdoor into a system. Internal threats have historically been the most prolific, though with the advent of the web and the necessity of external connectivity, more and more companies have become vulnerable to external threats.
Unstructured attacks are relatively organized. These are your midnight bedroom crackers, usually exploiting common vulnerabilities. It could be a single cracker, or a loosely knit group.
Structured attacks are generally goal-oriented and organized. They target sensitive technical data, proprietary data, military data, and financial information. These are technically sophisticated -- not your ordinary script kiddie. Structured threats are well organized and funded, as you would find with a terrorist organization. They could be fronted by foreign government intelligences, or by competing companies.
The United States has been extremely fortunate thus far. Because so many of our critical systems are computer-dependent, we present the #1 target for cyberterrorism. Can you imagine the effect of the Melissa virus with a deadly payload? Thousands of systems crippled, many with no backups available. The surprise was not that Melissa was so virulent but that it was so harmless. Imagine a version which would allow itself to spread silently, triggering on a certain date. The ability for terrorists to blackmail and extort would be enormous.
My point is that all systems are vulnerable -- do the best you can and have a backup ready.
We want endless gardens of data, where the bits can flower, flourish and reproduce. -- Andy Mueller-Maguhn
Your best bet is to work with an operating system you're familiar with. A lot of people prefer Linux in this manner as it is easier to get to know the internals of Linux just by looking at the source code. This doesn't mean Linux is the best choice but that it's the best choice for a lot of people.
:)
:) Just an ex Sysop during a time when every 15 year old kid wanted to be a "cool hacker"
Clearly a person familiar with the internal behaviour of Windows NT would be better off. The problem being it is hard to get your hands on such information. While a cracker CAN do the research and get the information, if you don't already know the security defects a cracker may discover then you're lunch.
A different tactic is security by obscurity. This isn't 100% perfect since the art of cracking is 90% research, so all they need is to uncover what you're using and the defects you don't know about.
Obscurity and limited access is a better tactic.
By using a Mac or a Dos system instead of a Windows or Unix system you get obscurity and limited access.
Mac and Dos are not server operating systems and as such you don't have to worry about preinstalled internet services you don't use, since the only services that exist are the ones you personally install. The biggest security holes come from neglected services and incompatible services.
With Mac you need only make sure what you install isn't installed in a way that leaves open a back door or doesn't interact with something else you installed to create a back door.
Dos makes this whole process even easier as Dos only runs one task. Since the package you're using is the only program running you don't have to worry about a program creating a back door. You still have to install the service correctly to prevent a random cracker from doing something like accessing a service that someone forgot to give a password or protect from the outside world.
Ohh, I forgot Dos "door" programs can also be a problem. If the main program passes control off to another program you have to be sure THAT program is aware of its position. Some Dos programs allow users to "shell to Dos", creating HUGE back doors just by using a Dos program online that was not made to be used online. This same problem shows up whenever you use a program to handle internet services that was made with cute features not expecting the program would be used for remote or automated services.
The biggest worry of all is the author's personal back door. Again, research is 90% of the cracker game and these back doors do not remain secret forever.
Sadly, obscurity is actually counter-productive here since an obscure package hasn't been looked over like well known packages, so these back doors can remain unknown to the majority for years.
With a closed source solution you may use a hex editor to look over the program and see if you can find any secret passwords or anything unusual. Doubtless a cracker would do the same.
With open source you should look over the source code. It's easier to find a backdoor in source code than in binaries. But be careful: with binaries and source code the author will at least try to hide his backdoor from prying eyes, so a careful inspection is needed if you're going to find a backdoor.
With binaries you can hope that if you can't find it neither can a cracker, but remember some crafty crackers can read binary. The good news is most crackers aren't crafty or even that good.
The best bet against crackers is keep an eye on the system.
I got most of my understanding of crackers from being a BBS System operator or SysOp. The hobby version of being a System Admin
I caught most of my crackers just by watching the screen when I was bored.
I guess it boils down to the less that's involved the easier it gets, and the more effort put into securing the system the better. Know the software that is involved and remove anything you won't be using.
BTW I'm not a security expert, I'm an incredible simulation.
I don't actually exist.
This article is not about information warfare. It's about atomic/biological/chemical warfare, and has subsequently had the word "Cyber" inserted early and often.
Let me attempt to address the editor's questions:
The common view is that most utility companies are relatively undefended, relying on obscurity rather than security. If your vital systems are already exposed, you are at the mercy of every script-kiddie on the planet.
(flamebait)
Wow, a real anarchist. Anybody got a magnifying glass to study this remarkable specimen with?
(/flamebait)
In many ways, the security teams are their own worst enemies.
A few years ago I was an on-site contractor for NOAA, and we were deploying a prototype system at another federal agency which provides a critical service. (For obvious reasons I won't provide further details in this forum.) For some reason we needed to access the prototype system, and we knew that our computer was on their network but they had moved it from the initial IP address for some reason and hadn't told us its new address. They also changed the name for some unknown reason. (This wasn't related to security; it felt much more like a low-level pissing contest between the two agencies.)
We *really* needed to access that computer, and most people had already gone home from both sites, so I pinged all of the addresses in the subnet and attempted to telnet to each responsive address in turn. Within half an hour or so I found our lost sheep, fixed some files, and the government employee who asked for my help went home happy.
Unfortunately I had a problem. I discovered that they had their router on one of the ports, with absolutely no password. Anyone who discovered this IP address could change a few numbers and take down this site and possibly a second site. If it happened at the right time it could easily make the national news. I reported my discovery to the only network person still around, and he was clearly agitated by the perceived dilemma of needing to report this to the proper security group and the expected pain of the subsequent inquisition and torture. The fact that this was at a sister agency clearly didn't help his mood.
I don't know if the reputation was warranted, or if he was ever subsequently contacted in any way. I know that some subsequent comments about my "hacking" skills were grossly unwarranted. I do know that the reputation of the security team was such that most security breaches will go unreported out of the fear that the investigation will focus on how the person learned about the breach, not the breach itself.
(Sidenote for _Janes_: many geeks will immediately recognize this as a concrete example of Hagbard Celine's observations in the Illuminatus Trilogy. People with (perceived) power tend to see only what the people under them think they want to see. This makes it difficult to impossible to get an accurate view of your current state from within the organization. I think CT is a very real possibility, but I am also extremely skeptical that anyone above a GS-12 has the faintest clue where the real threats lie.)
(If I had to pick one thing to start with, I would focus on Melissa. I'm sure every potential cyberterrorist noted how quickly Melissa took down large corporations and is wondering what would happen if it carried a malicious payload. Trivial example: what would happen if every Melissa victim started to ping www.victim.mil? Why do the same people who readily recall the Morris Internet Worm (which quickly resulted in significant changes in the Unix infrastructure to prevent a recurrence) remain silent despite a pandemic of Microsoft Macro Viruses?)
Bear Giles (bgiles@coyotesong.com)
Cyberterrorism is a completely different paradigm than CBRN warfare. With CBRN or even conventional warfare, costs are much higher: weapons and training for weapons usage are extremely expensive. However, Cyberwarfare does not necessarily require sophisticated computer equipment - it simply requires sufficient knowledge. There is no real "Commercial, off-the-shelf" software that is directly used for cracking computers or attacking C3I targets. However, if a person or group is motivated, and has the necessary computer knowledge, such attacks are entirely possible. The means by which this would be done varies from case to case; it depends on the target, and how its network is set up. Most critical systems are not directly connected to the Internet, but that does not mean that they are impervious to attack: only if they are completely un-networked, with no means for remote access, are they truly safe, assuming that there is adequate physical security. The US, as it depends on computers far more than other nations, is especially vulnerable to attack. As President Clinton recently validated the use of cyberwarfare in our dealings in eastern Europe, that opens the door to us being attacked. We can recover from attacks - any computer system can be restored. But we need to focus on improving security to prevent attacks from being successful. The knowledge and motivation for terrorists exist - it is simply a matter of time. That said, I would still argue that terrorists are more likely to want to use conventional means of attack - such attacks provide a more pointed and direct (and perhaps symbolic) attack against their perceived enemy. Using cyberwarfare would only be motivated by the desire to display power and technical prowess.
Skill doesn't cost very much in terms of money to acquire.
The people who can bring down systems are the same people needed to protect them. It's in a way kind of like the wild west, but there are no black hats and white hats only dark and light grey.
The difference between a hacker, and a cracker is what they do with their skills. One man with a rifle is a hunter, another man with an identical rifle is a murderer. What you do is more important than what you are capable of doing.
6 months from now when the l0p(Lords of Pudding) cracks Jello's web site for publicity it won't be a well funded attack. It'll be a couple of rinky dink high school kids who allowed their talent to be used for non-productive ends.
Hacking has nothing to do with who's the best funded. It's about getting done what you need to get done no matter how you need to do it.
I'm sure that every hacker here has done some things that at least border on cracking at one time or another. Not that there was necessarily any malicious intent, it's just doing what needs to get done.
It's the script kiddies who've (at least in recent years) given us a bad name. It's the assholes WhO TyP3 3v3rY7hiNg LiK3 7hIs who make us look like a bunch of pimple faced rejects before the masses.
One thing that makes many hackers fertile recruiting ground is the total lack of respect for the ability and value of a good hacker. When a hacker has to stand by and watch a brainless marketing suit make millions for sitting around and thinking up crap like "Got Milk?" and "Think Different", it can make him want to make an undeniable statement and force people to recognize him. Also, how many of us would be willing to pass up a pile of cash if someone offered it in exchange for getting access to Company X's financial records?
I've never caused any damage to any company's computer systems, just like the vast majority of my fellow slashdotters, but in a materialistic society how many of us would pass up the chance to make big pay checks if we did?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Using CT, how easy or otherwise is it to bring down or attack vital systems?
It depends. If they're well guarded, as most important stuff is these days (look at all US Govt. servers - and it's by and large not really important at all), not easy. If not, well, they're fair game.
What sort of skills would be needed to do so, and are they common/teachable?
Lots of experience is about the gist of it. So not really teachable - more self-teachable. But it helps to have a friend "in the know". An insider would be invaluable to a potential CyberTerrorist.
Commercial-off-the-shelf software: can it really do CT?
Yes... and no. It's not really off the shelf, it's out of somebody's back room. There exist programs that will enable a user to exploit various back doors, but they're not as easily found as the media would have you believe. Serious people cook up their own code, anyway.
Which systems are actually attackable?
Those in countries where security has not been taken seriously in recent years, that is, everywhere but the US, Australia and much of Europe.
Can a recovery be made from such attacks?
Can a recovery be made from NBC attacks? Sure can, and in the case of CT it will be a lot quicker than for NBC... It's not really apocalyptic until the world ends and we're all dead. Someone who can fix it will likely survive.
Is it likely to improve/get worse?
Neither. I believe security will increase at the same rate as proliferation of CT in the short term, and outgrow CT in the long term. Which doesn't mean it will disappear - it will be just as unheard of as NBC terrorism is now.
What sort of preventive work would you recommend them to carry out?
Multi-layered firewalls are about the gist of it. There's not much better protection... besides unplugging your computer.
Anyway, that's my rant on the article. You'll notice most of this information is just systems best practices, and more general information systems, not weapon systems specific. Mainly because I have not dealt with weapon systems, but you'll find software is the same everywhere. Also, 13 year old kid could reference any person of human intelligence and inclination, regardless of nationality, religion, and moral vocation.It really depends on how the system was devised. There are a couple factors here, a who is attacking, a why, and a how.
There has been a recent proliferation of machines that are 'automagic', where the user plugs the machine in, and it works. As this becomes more commonplace, there will be more attacks of the 'script-kiddie' mentality. These are the more commonplace, and usually more destructive, attacks. A good example would be the Cold Fusion exploit released not too long ago. It was written up into a nice package that someone could give to a 13-year-old kid. That 13-year-old could go burn down a machine in some place he's never heard of, and he wouldn't care. Someone who researched this exploit might actually have some ethics about destroying someone else's virtual property.
Then there is the why question. In the beginning, cracking was mostly used as an 'I was interested in how it worked' explanation. In the future, I think we will see more infiltration attacks, where people just want to get onto the system to listen, gather, and disseminate information. This could be to gather personal information, financial information, share a virus, or to expose your political views. The system will continue to work, but in an incorrect manner. As these become more sophisticated, I think they will become harder to detect. It's only when we relax our guard that we get hurt by an attack.
Then there is a how. The discussion of potentially harmful weapon systems is a matter of exposure. Networking is a useful thing, but think of it in another light. You have a gun cabinet in your office, forget why, but would you really want this exposed? So you put it behind a secret door; only certain people know how to go up and press on the door in the right way to open it. But someone visiting might press all your walls in several ways, and still find it. Security via obscurity does not work. So you put a master lock on it. However, a nice pair of bolt cutters works quickly. So you put it in a true safe, making it difficult to get to. People complain, so you are forced to make the combination something simple like '1 2 3'. This again breaks the system. You run into the common brick wall of security versus ease of use. As our society seems centered on easing our lives, we tend to focus more on the ease of use. Good examples are the web forms out on the web, there to make our lives easier, but which could also break our security policy.
So you are looking at more information being distributed, it is becoming easier to find this information to infiltrate a host, and we are moving towards a looser definition of necessary security. Is it easy to attack systems? Yes, and it's becoming easier all the time.
Many of the skills can be learned from reading on the web. Most are commonly found out. But the most useful are taught in a student/mentor relationship. While root exploits can now be thought of as easier to figure out on your own, it usually takes an experienced person to point the newbie in the right direction, to wade through the bullshit. As we migrate to a more networked environment, these requirements will become less, and it will become more of a 'click here!' security risk.
Two issues: the offense versus the defense. As far as products go, COTS will never be as good as what can be obtained by an experienced professional, and all experienced professionals have a cost. Also, would you include COTS to have web-based and free software? Because it's all out there for the taking. Remember that COTS lag behind the speed of the rest of the world, especially security-related products. For instance, the ISS security product still checks for certain accounts when trying to check a Unix system. However, ISS knows nothing about nmap and its use as a port scanner. (Well, last I checked.)
On the defensive side, with proper design COTS can protect your data. Many companies think of security last; it's an afterthought of a 3rd-level VP who says 'BTW Bob, is this system secure?' 'No it isn't, Ted. You said you didn't want to put in your password on every new screen.' 'Well make it secure, mmmkay?' However, there are some products that are designed off the shelf with security in mind; these would be more of the Unix systems, as they have had a better chance to mature. Just the fact that there is a root account where a user can do anything they want has to remind the designer not to let people get there. For an example, the BSD security audit that took 10 people a year and a half is what I would consider to be an ideal.
All networked systems are attackable. You must assume that. Just as no fortress can be completely safe, no data can truly be secure. There is a sliding scale of usability versus security, so set your thresholds high.
This is why backups and data integrity plans are a must. Everyone should have a business continuity plan. This can also be associated with an extended cracker attack. If a weapon system is compromised, we will simply have to face the consequences of that weapon being used on ourselves. Some philosopher once stated that man will not be happy until he has devised a weapon that is able to scare even himself.
It is most likely going to get only worse, until a light turns on in the minds of software developers that it is bad to have a product that a 13-year-old can walk in and take over at any time. Those types of attacks are the true threat in the growing sea of information.
Get the best people you can to manage your systems and your software. The risk of having a new administrator manage your credit-card-number-heavy network is much higher than the price to find a good administrator. While you can never bank on the security of your software, your security is only as good as your administrator. An aware administrator will be able to fix the major flaws in your security.
Feel free to publish any of this, I do work for Collective Technologies, but these are my own opinions.
--
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
To lead in, I will repeat a truism: If a computer is connected to the internet, it is not secure. End of story. Someone *will* find a hole to sneak in, eventually. The question then becomes one of speed. Who can find the security hole or exploit first, the defenders or the attackers?
A cyberterrorist would probably sacrifice large portions of his/her anatomy to have the talent to crack the systems of a rival agency. In addition to the intelligence this might gain them, there would be a psychological effect, both for their own organization and against the victim's organization.
To defend against these attacks, governmental antiterrorist and intelligence agencies can centralize to some extent, providing data choke points to make such efforts more difficult. Underground terrorist organizations do not have this luxury. By centralizing geographically, they create a risk of discovery by the authorities.
The author of the article semi-correctly states "... particularly in the age of the Internet when terrorist operatives can be dispersed geographically yet are able to communicate with each other by using their own secured communications networks." I do, however, question the phrase "secured communications network." If the author means a truly separate network, then he is not referring to the Internet, per se. Such infrastructure would require significant resources on the part of the terrorist agency or agencies. If, however, the author was referring to virtual private networks, or encrypted communication on the Internet, this is something different. Due to the nature of TCP/IP, even encrypted packets can be traced from source to destination. The existence of semi-anonymous mail services, such as Hotmail, makes this effort somewhat more difficult, since the number of steps to be traced increases. For example, the tracing of a person via packet sniffing would require the discovery of the mail service's IP address, the IP addresses from which the mail service received the messages, and the phone number from which the computer assigned the aforementioned IP addresses connected.
This can be summarized in the following way. The existence of the Internet and cheap, easily obtainable encryption software gives any terrorist group superior C3 capabilities. This advantage is offset by the nature of the Internet. A counter-terrorist organization, simply by knowing of the existence of the terrorist group and its use of the Internet, can monitor the activity level and rough geographic limits of the group's activity. The factor that determines the effectiveness of either side in this case is the understanding of the strengths and limitations of the utility of the Internet.
The previous analysis covers organization vs. organization on the Internet. What, then, of opportunities for a terrorist organization to "bring down or attack vital systems," as Jane's editor phrased it?
The answer to that question, it seems to me, lies in the definition of "vital systems." The most common answer to that question nowadays includes the power distribution system and the financial networks that drive our economy. I would be surprised if, given the attention this has been getting, these systems haven't been "hardened" with nice firewalls, VPNs, etc. Such measures will defeat all but the most sophisticated intruders, assuming they are installed and configured correctly (this is not trivial!) and that the systems are not vulnerable to "on-site" tampering.
If you consider vital systems to include the federal government's email servers, you are talking about a different set of problems. There is probably nothing that can currently be done to protect these systems from "anti-productivity" attacks, such as mail-flooding or virus dissemination, short of measures that would also limit their utility. This can be done if the loss of utility due to the attacks is higher than the loss of utility from defensive measures.
My intuition of the problem is that the issue of the vulnerability of vital systems is limited to denial of internet resources. This may not be a trivial issue in a few years, given our current propensity to "dot-com" everything that moves. The ability of cyberterrorism to disrupt "real world" services at this point in time seems limited, but could grow if the dependence upon the shared resources of the Internet grows without a commensurate increase in awareness of security issues.
One could almost write a book on this. I'm surprised someone hasn't. The issue isn't one on which you can just throw a report together. I would suggest that Jane's consider contracting a group of network security professionals to consult with on this article. By consulting three or four exceptionally qualified people, a more comprehensive study could be done that would be more useful than a broad brush type of article.
If there are any budding Hacker/Crackers that think they can make some easy money working for terrorists just remember....
They will set down a briefcase full of cash next to your keyboard when you start your crack, and put a bullet in your head when you're done.
Just remember, they are zealots and probably sociopaths, not reasonable men.
Only a select number of terrorist groups and few state sponsors are likely to possess the necessary motivation and capability in the spheres of
i have to say that cyber attacks can be performed by various people and organisations with various levels of damage and with various levels of requirements on the attacker's side (as many already pointed out).
how can an attack be performed
as mentioned earlier, to perform an attack, the attacker needs some sort of connection to the victim's system.
a host connected to the Internet can be attacked by anyone who also has a connection to the Internet.
a host serving as a dial-in server can be attacked by anyone who has a modem and knows the phone number of such a server.
etc. etc.
another step is what the attacker wants to do with the target system. it strongly depends on what the target machine is (is it a PC? which OS does it run? which services are running? who (and how good/bad) are the administrators? ...).
generally, an attacker can disable (or try to disable) the target system - this is called a DOS (denial of service) attack. it can lead for example to non-operational aerial defence or disabled communication between the enemy's units or just lower performance of the system in which the target machine is utilized.
another thing is to gain control of the target machine. in this case, the target system can be used for further attacks, can intercept the enemy's operations (like taking a gun from an enemy soldier and then using it to shoot him and his colleagues), steal information or make some other interception.
hany
This assumption has limited validity. It is certainly true that some systems are constructed to be much harder to penetrate than others. However any system can be made insecure by improper installation or use. A classic example is the recent Linux box crack. The crack exploited an insecure CGI script instead of the underlying operating system.
This leads to a situation where attacks are single-use weapons with irregular effects. Think of the Federation encountering the Borg: a phaser works on the first borg, but not the second because the second one had learned what killed the first. Attacks on computers have this nature: you may be able to penetrate many computers at first, but when the attack becomes known the hole will be closed. If the defensive structure is good then this will happen fast and universally. This is what CERT is about.
Much has been made here of the "script kiddy" phenomenon. This does not seem a realistic concern for real national infrastructure or military issues. Sure there are plenty of insecure systems around, but the attacks the script kiddies use are generally known and they can be locked out.
This means that against a well-defended target you are going to have to devise fresh attacks. This is not a trivial exercise. It's easier if you can get hold of the source code, but either way expect to have to fund a team of good techies sitting down with sample systems looking at how to take them down. The result will not be an armoury so much as a mixed bag of ad-hoc tricks, each of which will have a very narrow window of use. Also you can't stockpile these attacks because at any time someone else could discover the same crack, use it, and get you locked out.
Even a successful cyber attack will be little use on its own. It would have to be co-ordinated with other actions. At this point it gets hairy. The effects of your actions when you actually try to take down or penetrate a system are difficult to predict. Maybe it will work, or maybe the defenders are on to you and will be duly warned. And the mixed bag of tricks will be hard to integrate into the rest of the strategy.
All this points to the need for a proper defensive posture. This makes the entire infrastructure much more robust. Use operating systems and applications which are known to be reasonably secure. Keep up with CERT bulletins and other sources of information. If a computer is worth guarding physically then it is worth guarding "informationally", and for critical assets this might well extend to a continuous human auditor looking for discrepancies and odd patterns, just as a human guard is used to check people in and out of a base instead of relying on barbed wire and key cards.
Finally, it is important not to let these threats get out of proportion. If I were a terrorist and wanted to bring down the national power grid I'd go for a few pounds of plastic attached to strategic pylons and transformers. Much more certain, and much longer-lasting effects (aside, why did the IRA never realise this?). A defence system is only as strong as its weakest point, and that point is rarely a computer.
Paul.
You are lost in a twisty maze of little standards, all different.
Only a select number of terrorist groups and few state sponsors are likely to possess the necessary motivation and capability in the spheres of
i have to say that cyber attacks can be performed by various people and organisations with various levels of damage and with various levels of requirements on the attacker's side (as many already pointed out).
attack requirements
- network connection or physical access to target system
- computer (PC or whatever with some software) and connection device (modem, ethernet card, ...)
- knowledge (either the attacker's own (which is most dangerous) or borrowed (in case of script kiddies))
- luck (sometimes?)
everything else (like traitor, back-doors in target,
hany
I really would not worry about the CyberTerrorists with computers. I would worry about the terrorists with a few backhoes who could rip out LARGE sections of wire (read: backbone) thereby eliminating the Cyber system as we know it.
Case in point - some misguided utility worker did how much damage with a simple misreading of a map?
The physical world threat to computers is far more dangerous than the computer threat to the real world.
- We dream of the stars. Now let us return to them.
whereas cyber terrorism utilizes information technology (IT) devices to inflict mass disruption of an opponent's critical IT infrastructure
Cyber terrorism doesn't (necessarily) utilize IT devices to disrupt critical IT infrastructure. A backhoe to a set of OC-192 circuits works just as well at disrupting critical IT infrastructure. I also wouldn't really categorize social exploits as "utilizing IT devices".
Here's a hint that might help the American government a little in its fight against terrorists:
/. is like a steer's horns, a point here, a point there and a lot of bull in between.
If there are any cyberterrorists out there, they already have cryptography!
On a more serious note, the article is definitely making a mistake in bunching together Cyber threats and CBRN. They are different (as rde wrote above) in all possible ways except in that they are a relatively new threat. IMHO cyber terrorism is mostly an excuse to harass punks who deface webpages, while CBRN really worries me.
Also, the article loses a lot of credibility when it starts listing Bin Laden's use of email as examples of cyber-terrorism. My grandmother uses email, for God's sake; it happens to be a good way to communicate.
-
He claims "Only a select number of terrorist groups ..." are of concern. We all know that this is not the case. A couple of hosts located at disparate locations on the network with a handful of people who can read L0pht and BugTraq are plenty to mount a serious threat to any 'cyber' organization.
One question I have of computer systems in general is the inherent security of them. If I remember correctly the US Navy was using Windows NT as a platform for some sort of usage. In my opinion, relying on something like Windows NT, which is not auditable in source, is a probable and definite security hole. I'm not saying that open source is the key. But I believe that at least for military usage the software, and operating systems specifically, should have to go through some realistic sort of source code auditing. I really would not like my air defense systems crashing because of a buffer overflow.
The public is merely a multiplied "me". -- Mark Twain
Read "The Cuckoo's Egg" by Clifford Stoll or "Takedown" by Shimomura for accounts of cyber "terrorism" (such as they are).
Using Open Source software gives you better protection against attacks: you can audit the source code, and bugs usually get fixed faster (you can patch it yourself if necessary).
Really important computer systems should be protected by brute force: isolation. :) I.e, don't put them on the Internet, but on a private network.
Just my 2 cents.
Roland
Never ascribe to malice that which is adequately explained by incompetence.
Gee, we all get to be national defense analysts for a day? Cool! How are we doing so far? Anyway, here are my two bits into the stew of already very insightful discussion out there. I composed this "Jane-speak" rather quick, so go easy on me. I can go deeper if you want, but this will get you started:
;)
---
Cyberwarfare is a realistic byproduct of the rapid digitalization of the world economy. In the endless quest for greater speed, reliability and volume, we have (since about the late 1970s) started to turn a large part of our physical and economic infrastructure over to autonomous digital machines. From the perspective of espionage and terrorism, many of our formerly human-controlled critical assets are now in much colder hands - hands that are void of emotion or ethics.
Unlike other forms of terrorist attack, the technology and the resources required to perform cyber terrorism exist mostly in the public sector, and are unclassified. The only limited exception to this has been in the realm of cryptography, where national governments in some cases have stepped in. Unfortunately this technology is "dual-use" and it is therefore difficult (or to some activists, unlawful) to control.
A terrorist group who wished to attempt an effective cyberwarfare campaign will most likely find cyberwarfare a technically demanding tool, but a relatively inexpensive and covert one. The diversity of information technology employed in today's society is a logistical nightmare, as is the rapidity of its change. The advantage of cyberwarfare is that, compared to other forms of terrorist activity, it is extremely cheap and low-profile, as has been demonstrated by dedicated individuals with high expertise in the field of electronic intrusion.
(blah... blah... blah - Let's jump to the end...)
In conclusion, the continued security of national infrastructure is primarily secured by passive action and strict security vigilance of the information community at large. Strong electronic security must now be properly incorporated along with human and physical security in order to keep potentially devastating incursions to a minimum. This represents a fundamental shift of our national security policies, and it is this shift that will ultimately determine our future reliance on electronic communication technology.
---
Can I have the position now?
The best way to prevent CT is to have a good staff of administrators and a good set of tools. By far, the two most stable and secure operating systems are OpenBSD and OpenVMS. Use them. Also make sure your staff knows how to administrate them properly.
Also make sure you are always running with the most up to date patches for your software (not just the OS, but all of it). Read Bugtraq to find out what the latest problems are and follow through on the suggestions given for securing a system.
Don't get too proud. Just as soon as you think you've gotten the crackers beat, they'll find a new way in. Never let your guard down.
Disable non-essential services. If you do not need a service running, why do you have it on?
Remove any tools which could be used against you.
Don't be an easy target. Firewalls are good. Protect yourself at multiple levels.
Anyway, there are plenty of other ways to handle prevention, but I'll let others pick up the slack.
I've never heard of them. they haven't done anything impressive yet. They probably just have a web page somewhere.
by Mike Buddha -- Someday the mountain might get him, but the law never will.
Basically, if the original cracker develops an algorithm to exploit a weakness, he/she may package it for wide-spread distribution.
So, ultimately, the skill requirements are largely based on the redistribution level and user-friendliness of the cracker tool.
Thanks to widespread distribution, it is possible to jam a specified host over a network with tools like PING, TRACERT, SPRAY, DoS, LAND, TEARDROP.
Shareware (although not exactly a COTS) contributes the lion's share of this capability.
Solutions:
* restrict access to security weaknesses (net censoring/eavesdropping/illegalizing reverse engineering/etc...)
*
All systems are breachable whether they be physical, social-engineering or electronic-based attack. Only true security is an Orange Book A1 in a standalone guarded room with ZERO connections to the Internet.
It seems to me that trying to group CBRN weapons with cracking requires a huge leap.
For CBRN, acquisition of the materials required to implement these weapons is a significant issue. As mentioned in the article, people get arrested for simply trying to buy the materials needed. The acquisition of materials for a cyber attack is a much simpler task.
The level of knowledge required to implement a CBRN weapon is orders of magnitude higher than to implement a cyber attack. Additionally, the CBRN agents must be stored, transported, and potentially disposed of. These are risks to the developer, not the victim.
There are countermeasures for some kinds of CBRN attacks, but in general they are impossible to implement to ensure 100% safety. For other kinds there are no countermeasures. For cyber attacks there are almost always defenses. More often than not these defenses are disabled for the sake of convenience, or due to ignorance.
I have no doubt that crackers can cause significant damage, but to group crackers in with CBRN agents is blowing their capabilities way out of proportion. In order to implement a cyber attack it takes a $500 computer and an internet connection - essentially it can be done by anyone who wants to learn how. It's impossible to prevent because the threshold is so low and the materials required can serve legitimate purposes as well. But the effects can be neutralized if a small portion of the population - the system admins - are kept up to date and are willing to do what's necessary to keep their systems secure.
Recovery is definitely a required study and planned for event. And a definite must.
Most CIOs do not plan very well for fast recovery. Then again, most CIOs would not be able to define MODEM accurately like most 6th graders can.
...is to remove all references to "CBRN/Cyber". They are two different topics. CBRN attacks people (and, sometimes, infrastructure), requires physical delivery by some means, and does not take specialized knowledge or study that is not generally available (one can, for instance, look up the recipe for sarin anonymously on the 'Net or in a well-stocked public - probably university - library, acquire the chemicals, and...). Cyber attacks infrastructure (and, sometimes, people), requires no physical delivery (though this can help in certain cases), and takes specialized knowledge that most people have no clue where to even start looking for (if you're John Q. Public, you would not have even heard of BugTraq, Slashdot, and so forth).
This day's computing infrastructure is too dynamic to determine whether it will get worse or better.
IMHO, it will get worse unless some of the following occurs.
1. Thorough Recovery planning
2. Proactive security checks
3. Preemptive strike (largely non-existent)
Preemptive strike is non-existent due to the fact that most people do not have the time or energy to go after the perpetrator within the instant the breach occurs.
Until three things happen for EVERYONE, the breach pattern will get worse.
First of all, the article reads as a half-baked introduction to CT and how it relates to other forms of terrorism and the history of related terrorist events in the past decade. Reads too much like a boring history report done by a college freshman... but, to answer the questions...
:)
Most of the questions are surprisingly elementary, but I'm sure this was done to bring out as many relevant pov's as possible
"Using CT, how easy or otherwise is it to bring down or attack vital systems?"
It is either easy or hard. The real question is how the vital systems in question are prepared to stand up to said attacks. Like a question on how well armored tanks can stand up to gunfire, it depends on which tank is in question.
"What sort of skills would be needed to do so, and are they common/teachable?"
They aren't common in the sense that Joe Blow knows how to hack into the Pentagon, but they can definitely be taught. Though skill and talent are considerable factors, they aren't necessary...
"Commercial-off-the-shelf software: can it really do CT?"
Like it says in question one, yes, but it depends on how well the targeted systems are prepared. And if they run NT, well....
"Which systems are actually attackable?"
If it exists, it can be attacked. Most vulnerable are those connected to mainstream communication systems such as the internet. Also, you must keep in mind that there are many different types of attacks available to your modern cyber-terrorists, including futile ones.
"Can a recovery be made from such attacks?"
Yes, and no. Data can always be backed up and restored on virtually any computer system. What is more dangerous is when terrorists defeat system security measures and retrieve privileged data. There is no way to "steal it back".
"Is it likely to improve/get worse?"
Rhetorical question. As computer systems become more complex and the world keeps getting smaller, the more insecure that computer systems will become or at least seem to become...
The contents of the article can be divided in two categories: Stuff that is new and stuff that is old. The stuff that is old is a compilation of articles and reports from the mainstream media - in that respect it has not much added value. The stuff that is new is all wrong. Finding the examples in the text is left to the reader as a simple exercise. It's a bunch of could and woulds. Naah
I really don't think there are any COTS software apps dedicated to CT (i.e. MS LoopHole Exploiter 2000 or some such thing). There are, however, many, many people out there who devote their lives to finding ways around security. Many of them are all too proud to show off their newest exploits or workarounds.
Astalavista and sister sites take great pride in allowing you to do things you shouldn't. However, most of these tricks, scripts, and cracks are relatively harmless compared to a single man placing a pipebomb at the nearest telephone switching station.
There is no such thing as "security" as most people like to think about it. The best you can do is stop the incompetent (they weren't a threat anyway) and slow down the professionals (who you will never be able to stop).
CT can, and probably will be a problem, but I don't think we have reached that critical point yet.
Computers can only simulate determinism. ~Hermetic.
Open source in this instance means non-classified material. The parallel is interesting, though.
Only a select number of terrorist groups and few state sponsors are likely to possess the necessary motivation and capability in the spheres of
at the end of comments on the 3rd paragraph i want to say that "cyber terrorism" is not only a case in the military subject (attacking the enemy's infrastructure during war, ...). it is also an economic (attacking a competitor, stealing information from a competitor, ...) subject and also a social one (stealing private data of citizens, causing widespread fear (like the recent Melissa virus - IMHO it is security related), ...).
so after all i think that using the term "cyber terrorism" is not very correct. a better term will be "computer security" - it may not sound that "cool" but it is more correct
hany
One of the main problems is that it doesn't specifically define CT and why it is dangerous.
This is indeed the crux of the issue IMHO. In all of the debate and hysteria being bandied about regarding "cyberterrorism", I have yet to see a coherent, reasonable definition of just what cyberterrorism is. The absurd example of using Bin Laden's use of email and chatrooms to communicate with others as a form of cyberterrorism is clearly alarmist and silly, while the notion of remotely ordering a nuclear power station to melt down (hardly realistic perhaps, but an effective image) would certainly be included in any reasonable definition of cyberterrorism. On the other hand, a cracker shutting down the power grid of an entire city or multi-state area appears to fall somewhere in between (disruption and quite possibly mayhem is caused, but no life is directly attacked as such). What about public defacement of web pages? Terrorism? IMHO I hardly think so -- not a single life is threatened or directly attacked. It smacks more of vandalism or graffiti, yet such attacks are consistently used as "examples" of cyberterrorism.
Until reasonable definitions are agreed upon, and adhered to, as to what constitutes cyberterrorism vs., say, cyberwarfare, cybervandalism, cybertrespass, or cyber(information)theft, discussions and articles about this subject will continue to be off-point, confused, and ultimately of little use in forming coherent policies to combat the threats that these and other criminal (cyber)activities pose. Perhaps the one thing that can be learned from such confusion is just how dangerous it is to allow one's propaganda and misuse of language (as evidenced by the extreme hype and demonization surrounding cracking and such loaded words as "cyberterrorism", all out of proportion to the actual damage or potential damage done) to define one's own thinking when trying to establish responsible and effective public policy.
The Future of Human Evolution: Autonomy
Basically, the author says that because terrorists are bad... and since people use computers for e-mail, irc, etc that terrorists might use computers too. Wow, oh gee, really?
Then he tries to relate the fact that terrorists try to cause terror with car-bombs and such and since they might get nukes that we need to be preparing for an attack on our computers.
No logic to link them together.
I read the entire article because I started it and said I would, otherwise I would just ignore this article.
I suggest that the only thing to be done with this article is to trash it and start over.
Kill the spin and get some facts; this article is more of an editorial than a news story.
Sincerely,
Lando
PS, I saw wording I didn't like in the beginning so I stated that I was being a little critical, but I didn't expect this type of article with no facts and lots of spin. Sarcasm starts 2 paragraphs into this story.
I'm just writing down random remarks about the article as I work my way through it. Just wanted to make sure we are clear that this is not bashing , but the way I read an article.
Now that cyberwarfare has become an accepted fact
I don't believe that it is an accepted fact, I think that is a lot of spin generated by the media. If you agree with that spin then might I point out that computer viruses were being used in the 80's which were much more destructive in nature and were targeted as well. Hacking a website and having a physical battle as recently reported for some reason don't really seem to be the same. There are special units for intelligence gathering, etc. which are definitely components of war, however those have always been with us. Labeling this cyberwar is just spin to create hype...
Joshua Sinai examines the requirements for anti-state groups to employ this and chemical, biological, radiological and nuclear weaponry
What the heck is Radiological? CBR is chemical, biologic and radiation. I don't remember radiological from my time in the military, more spin?
I'm willing to give the benefit of the doubt to CBRN, I am unfamiliar with the term though.
whereas cyber terrorism utilizes information technology
Wait a second, why are you introducing cyberterrorism here, you said that you were going to talk about cyberwarfare.
Nevertheless, there is sufficient reporting of activities by terrorist groups and their state sponsors in the CBRN/Cyber realm
How about intelligence communities, what the heck is CBRN/Cyber realm?
acquiring a CBRN/Cyber capability requires extensive funding, an overt or covert acquisition capability, a technological research and development program to produce, weaponise and stockpile CBRN materiel (or the capability to purchase or steal ready-made weapons), and a level of technical expertise and logistical infrastructure that is appropriate to launch successful CBRN attacks. This is beyond the technical capability or motivation of most terrorist groups.
False, a couple of million dollars with the right people could cause problems, the cost though is a lot higher for the attacker than the defender with no guarantee that your attack will succeed.
On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CBRN/Cyber attacks much more feasible to launch than hitherto.
Spin, spin, spin, sensationalism is fine and all, but I prefer facts. Dropping this information in between two facts attempts to prod the reader into believing the statement. What you should be saying is that conducting cyberterrorism attacks against off the shelf commercial software is what makes cyberterrorism possible.
One of the things you need to realize is that obscure code is generally hard to break and that open source by its very nature tends to find security holes quickly and patch them. When you start using obscure code in a wide production area, i.e. commercial off the shelf software, is when you enable systems to be cracked on a wholesale level. I have the ability to take administrator access from an NT machine in 9 minutes if I can get to the box via an ethernet connection. Unless the latest patch has fixed security problems that NT has had for years. UNIX systems tend to be a little more secure, forcing you to crack the shell to get inside the machine.
I am not saying that UNIX/Linux is good and Windows is bad, it should not be taken like that. I have fixed a number of security errors under UNIX over the years and more continue to pop up, however when you have open source, which because of the way AT&T 'sold' UNIX, Berkeley and others got the code, you tend to have people beating on that code all the time. Only when you use security through obscurity do you have major holes sitting open for years.
Although such cost/benefit considerations may limit the majority of terrorist operations to the realm of conventional warfare in the 21st century, recent WMD- related events and reports indicate increasing activity by certain terrorist groups and state sponsors in the CBRN/Cyber arena
Just wanted to point out that this is really getting on my nerves, trying to create a new word? Let me see, "I made up the word so I must be the expert!!!" Nope, sorry just doesn't cut it.
There have already been several instances of CBRN/Cyber operations by terrorist groups. Chemical attacks have been mounted by the Aum Shinrikyo cult, such as the March 1995 sarin nerve gas attack on the Tokyo subway system, killing 12 people and injuring 5,500. Chemical cyanide was included with explosives in the February 1993 bombing attack by Islamic militants of the World Trade Center. In the mid-1980s, the Tamil secessionist group, LTTE (which provides its operatives with a cyanide pill in the event of capture) threatened to carry out a BW attack by spreading pathogens to infect humans and crops in Sri Lanka. Aum Shinrikyo also attempted, albeit unsuccessfully, on at least 10 occasions to disperse biological warfare agents in aerosol form, and in October 1992 its members attempted to acquire Ebola virus samples in then Zaire for future use in biological attacks. In mid-1997, an American white supremacist faction plotted to attack the New York City subway system with biological weapons. Reportedly, Hizbullah and Hamas operatives have acquired chemical and biological components, although they have so far refrained from carrying out such attacks.
Wait a second... What are we talking about here? First we are talking about cyber-warfare, then we are talking about cyber-terrorism and now we are talking just plain terrorism... Unless you are using these examples to talk about cyber-terrorism and just trying to create spin with violent examples. Let me see, what would that do? Umm, some person that doesn't really understand computers and how they work, maybe a little frightened of them, sees this paragraph and is struck by the visual pictures that are implied, but doesn't quite realize that none of these situations involved cyber-anything. However he/she now associates cyber-terrorism with these images. Spin, spin, spin.
And then we get the nuke worry into the picture and then finally we hit the cyber-terrorism. Hmmm, let's look at it.
One of the first known instances of cyberterrorism occurred in 1997 when the LTTE launched cyber attacks against Sri Lankan government sites, including hacking into a government web site and altering it to transmit their own political propaganda.
Oh my goodness, they actually spoke out and people could see what they wrote!!!!! To the death chamber with them.
Supporters of the Mexican Zapatista rebels have jammed Mexican government web sites
Oh my goodness, censorship only news-media and governments should be able to do this!!!! To the death chamber with them!
The American terrorist group, the Christian Patriot movement, is active in the Internet.???
Oh my goodness, Americans using? active? on the internet? Dang, I never knew. Obviously they are gathering information and disseminating propaganda. Just who do they think they are??? To the death chamber with them!!!!!!!
The Osama Bin Laden group utilises an extensive network of computers, disks for data storage, and Internet for e-mail and electronic bulletin boards to exchange information.
Oh no, someone other than the American team is doing more than web-browsing, they are running a web-server!!!!!! To the death chamber with them!!!
Hamas operatives in the Middle East and elsewhere use Internet chat rooms and e-mail to coordinate activities and plan operations.
Chat rooms and e-mail, anyone else care to point out just how insecure these formats are with Echelon around?
Oh no!!! People are talking to one another, just when will this stop?!!? To the death chamber with them!!!!!!!!!!!!
Other Middle Eastern terrorist groups, such as Lebanon's Hizbullah and Algeria's Armed Islamic Group, also utilise computers and the Internet for communications and propaganda.
Jeez!!! They are speaking their own minds... This has got to stop!!!!
TO THE DEATH CHAMBER WITH THEM ALL!!!!!!
Just in case any of the readers forgot about what we are talking about. Just in the case that the computer talk has gotten a little boring, let's throw in some good wholesome slaughter to get back some attention and pump up those hormones.
Terrorists have also targeted critical infrastructure. Thus, for example, in the Summer of 1998, the LTTE bombed state-owned and private telecommunications facilities in Sri Lanka, damaging buildings and disrupting telephone service.
Look it has bombing and telephones in it, definitely couldn't do that without a computer.
Motivation concerns the psychological, political and strategic factors that are likely to serve as incentives or disincentives for terrorist groups to resort to CBRN/Cyber warfare, particularly the decision to embark on a higher lethality and disruption in targeting
Rather than taking over websites, they will start sending SPAM!!!!!
There are no fixed organisational prerequisites for attaining CBRN/Cyber capability, particularly in the age of the Internet when terrorist operatives can be dispersed geographically yet are able to communicate with each other by using their own secured communications networks
Sorry, jumped a couple of paragraphs here, it was just getting a little deep for me. Then I come across this. Of course it's bad for the terrorists to use encryption because the government can't read their messages. I don't know if I even want to touch this one, but let me just ask a question... Okay, encryption and talking are required but organization isn't, knowledge isn't. Sounds like you throw in a little willpower and you can start casting spells. Are we talking about a game? I thought this was a serious article...
At one end of the organisational spectrum, the technological complexities involved in acquiring CBRN/Cyber capability require a well organised, hierarchical organisation, with a command and control apparatus staffed by professional terrorists, a highly- developed R&D apparatus staffed by scientists and technicians, production and storage facilities, a transnational logistics network to clandestinely acquire the necessary technology from external sources, and business activities (either legitimate or illegitimate) to generate the necessary income to fund the acquisition of CBRN/Cyber operational capability.
Did anyone realize you can make money working with computers? Hmm, let's see time to pay my bills, $1000 to the IRS, $150.00 to state, $300 dollars for my education bill, $400.00 for my car, oh and let's not forget my $15.00 to insert terrorist group of your choice
A terrorist group might also train its members in not just a single weapon but a variety of CBRN/Cyber weapons for which different sets and levels of technological expertise are required in order to attain operational capability in each of these weapons. Thus, for example, terrorist groups, such as Aum Shinrikyo, have provided their members with extensive training and education in a variety of CBRN/Cyber weapons, including studying uranium enrichment and laser technology, with at least one of their members working on the staff of a Russian nuclear physics laboratory, while another contingent traveled to Africa to study the Ebola virus. Cyberwarfare involves a different set of training requirements that is also more readily available. Thus, training in computer science is now widely prevalent among terrorist groups.
Two comments, first how does a Russian nuclear physics lab and the Ebola virus relate to computers??? Beats me I thought you would know. Second, I'll be danged if those pesky terrorists aren't getting trained in computers. I mean heck it'll be easy to catch the terrorists now, since no one else is getting computer training...
Skipping again...
terms of technological hurdles, CBRN weapons and Cyber devices vary in the levels of technological sophistication required for their development, weaponization and deployment. There is also a clear distinction between CBRN weapons and Cyber devices
Which, let me guess, is why the article points out bombing, nuclear attack and biological agents and never points out anything remotely dangerous to do with cyber-warfare or cyber-terrorism? Hmmm interesting, but then why are we lumping them together through the entire article? Guess I must just be plain stupid not to understand...
This is getting rather boring, let's skip to the end...
CBRN/Cyber terrorist warfare is likely to pose a significant threat in the 21st century as a result of the confluence of motivation, technical capabilities, and involvement by state sponsors. Just take my word for it since I haven't shown any relevant information in this article. This analysis is intended to highlight some of the internal and external factors, requirements and hurdles that need to be considered in assessing a terrorist group's current and future development status and operational capability to conduct CBRN/Cyber warfare. But somehow I forgot to include any facts and just used spin to create that impression Correlating these internal and external factors and hurdles would make it possible to forecast , something I didn't do, which terrorist groups and state sponsors are likely to embark on CBRN/ Cyber warfare, the types of adaptations since I have no idea what a terrorist group is much less which ones if any are actually planning on some type of cyber-campaign, and changes they would require to transition to such warfare, the types of weapons and targeting they are likely to pursue (including the possible resort to single or multiple CBRN/Cyber weapons and devices), the timelines for such attacks, and vulnerabilities that could be exploited by foreign intelligence and counterterrorism agencies to constrain terrorist groups--and, when applicable, state sponsors--from embarking on such warfare.
Sheesh can you look at that last line? This is a conclusion??? Not only doesn't the author close up his arguments about what the article is about, but he basically says that this needs to be researched. Hmmm, needs to be researched? and definitely a threat? If you haven't done any research how do you know there is a threat?
Lando
/* TODO: Spawn child process, interest child in technology, have child write a new sig */
I don't know about this deranged chemist thing. With all these monocultures in agriculture it wouldn't take that much to put together a pretty nasty attack on the food supply.
Taking out a power grid is much less impressive.
Question: Using CT, how easy or otherwise is it to bring down or attack vital systems?
Answer: it depends on the skill of the cracker and how well setup the systems are. 2 things to keep in mind:
1) a lot of near-essential systems will have few cyber-defenses, and could be easily brought down. Though this might not result in the loss of life that is commonly desired by a terrorist group, it will serve to decrease morale in the populace, something any terrorist group should want.
2) any networked system is potentially vulnerable. no matter what. It might be really, really tough, but some random person in a random part of the world can take it down.
Question: What sort of skills would be needed to do so, and are they common/teachable?
Answer: You need to know about the OS of the system you wish to attack. You also need to know about networking. Go to the bookstore and buy the appropriate books, go to your local community college, or read the appropriate docs online to learn this.
You need to know common exploits for systems. There are mailing lists and websites full of info on how to bring down NT and Unix machines. Read bugtraq.
You need to know how to develop your own buffer overflows, trojans, virii, etc. This requires a level of programming knowledge and intricate OS details. Again, buy books or refer to docs online.
If you have a really smart terrorist, s/he could learn all this in a few really intensive months by only reading docs found online.
Question: Commercial-off-the-shelf software: can it really do CT?
Answer: There's no need to buy commercial software, though yes, it can do CT. Use Linux or a BSD variant. other OS's are easily gotten from WAREZ sites. all the software you need is open source, see http://www.freshmeat.net also see the warez sites if you really need MS Word for some reason.
The utilities you'll need are packet sniffers, telnet clients, some compilers (C, Perl, Cobol, others?), text editor, oh, i guess an OS would be good (use OpenBSD !) all these are free.
Question: Which systems are actually attackable?
Answer: heck if I know, that ain't my bag. But if I did know, I probably wouldn't say. That would just be plain wrong.
Question: Can a recovery be made from such attacks?
Answer: If the system is setup correctly, yes. Generally, consider your disaster preparedness. a Serious terrorist cyberattack will be no worse than a major earthquake. If all your computer systems are destroyed, how readily can you recover?
Question: Is it likely to improve/get worse?
Answer: The faster we move to computerize/internet everything, the worse it will get. Once the average intelligence of sysadmins/programmers has a chance to catch up, it will get better.
Question: What sort of preventative work would you recommend them to carry out?
Answer: Read the various docs on security for the systems you are running.
Don't allow internet access to your most important systems. not through a firewall, not through triple encrypted vpn's, not through special dialups, networking procedures, or anything at all.
Use ultra paranoid techniques, like surrounding your most valuable systems with copper/lead rooms (keep in mind TEMPEST and EMPs) and not trusting any one person with full access to anything. Keep up to date on all new technologies and emergent ones, as well as new exploits - read bugtraq.
Keep backups, and keep some in secure locations off-site.
Perform security reviews on a regular (monthly or more) basis.
and, of course, BE PARANOID
Finally, keep the Simple techniques in mind:
one person with a backhoe can fuck shit up bigtime. Three coordinated people in different parts of the country can do worse.
Cost of attack:
Rent 3 backhoes for a few hours: $900
Determine where to hoe: 10 hours research time
and it would be easy to get away with as well.
This is based on a real incident where some workers accidentally tore up a fibre optic cable and put a bunch of ppl/companies off the net.
-f
frisco@peruano.org
http://www.perauno.org/
Such tools (software for cracking systems) are mostly not commercial, because cracking systems is illegal in almost every country, thus a firm can't officially make money from it.
Such tools are mostly exploits created by hackers (to help hunt bugs in software in order to finally fix them; such exploits are mostly widely shared (see the bugtraq mailing list as an example) to speed up the process of fixing the bug), rewritten/"enhanced" by crackers to help them crack. Exploits can also be developed entirely by crackers, and such exploits can be kept "secret" so the inventor can use them for a long time (such an exploit uses a hole in the system which is unknown to anyone else).
So to sum it up: cracking tools are mostly free and publicly available on the internet. It is also common that the source code of such tools is available.
hany
Threats of cyberterrorism are so overblown it is ridiculous. It should come as no surprise that the people most pushing this are military types angling for more funding and more powers over everyone (no strong crypto, tap everything, etc.) under the guise of stopping "terrorists". If you want to read the truth, then stop by and visit the Crypt Newsletter.
BTW: Speaking of Jane's, there's a nice reference to "Jane's Market Forces" in Ken MacLeod's latest "The Sky Road". Another great in-joke that is one reason MacLeod is damn near the best thing going in science fiction today.
The recent slowdown of net traffic due to simultaneous, widespread damage to MCI's backbone seemed rather ominous to me.
Attacks on communication systems don't have to change content to be effective. (Just shoot the pigeon.) If done simultaneously with a physical attack, something as simple as an organized ping-flood between widespread servers could bring traffic over publicly accessible backbones to a crawl.
As I'm having trouble submitting this it appears that Slashdot has been `Slashdotted'.
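Added example (the editor's, not from any commenter): the organized ping-flood described above is exactly the case a plain per-source rate limit misses, because each participating host stays quiet on its own and only the total converging on one target is abnormal. The detector below keeps two sliding windows over ICMP echo requests, one per source and one per destination, so it flags both a single loud host and a distributed flood. The packet records are constructed for the example (documentation IP ranges, synthetic timestamps); thresholds are illustrative assumptions, not tuned values.

```python
from collections import defaultdict, deque


def detect_icmp_floods(records, window=1.0, per_src_limit=50, aggregate_limit=200):
    """records: iterable of (time_seconds, src_ip, dst_ip, icmp_type).

    Only ICMP echo requests (type 8) are counted. Two sliding-window checks:
      - per source: one host sending more than per_src_limit echo requests
        within `window` seconds (the single loud attacker);
      - aggregate per destination: more than aggregate_limit echo requests
        converging on one target within `window`, from any number of
        sources (the distributed case, where no single source looks loud).
    Returns one alert tuple per offending source or target.
    """
    per_src = defaultdict(deque)   # src -> timestamps of its recent echo requests
    per_dst = defaultdict(deque)   # dst -> (timestamp, src) of recent echo requests to it
    flagged_src, flagged_dst, alerts = set(), set(), []

    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type != 8:          # echo replies and other ICMP are ignored
            continue

        q = per_src[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > per_src_limit and src not in flagged_src:
            flagged_src.add(src)
            alerts.append(("per-source", src, dst))

        g = per_dst[dst]
        g.append((ts, src))
        while ts - g[0][0] > window:
            g.popleft()
        if len(g) > aggregate_limit and dst not in flagged_dst:
            flagged_dst.add(dst)
            distinct_sources = len({s for _, s in g})
            alerts.append(("aggregate", dst, distinct_sources))

    return alerts


def build_sample():
    """Constructed traffic: 30 coordinated hosts each pinging 10/s (quiet
    individually, 300/s in total), one host pinging 100/s on its own, and
    a benign host exchanging 5 request/reply pairs."""
    records = []
    for i in range(30):                       # distributed flood on 10.0.0.1
        for k in range(10):
            records.append((k * 0.1 + i * 0.001, f"192.0.2.{i + 1}", "10.0.0.1", 8))
    for k in range(100):                      # single loud source on 10.0.0.2
        records.append((k * 0.01, "198.51.100.7", "10.0.0.2", 8))
    for k in range(5):                        # benign request/reply pairs
        records.append((k * 0.2, "203.0.113.5", "10.0.0.3", 8))
        records.append((k * 0.2 + 0.05, "10.0.0.3", "203.0.113.5", 0))
    return records


if __name__ == "__main__":
    for alert in detect_icmp_floods(build_sample()):
        print(alert)
```

On the constructed sample the per-source rule catches only 198.51.100.7, while 10.0.0.1 is caught solely by the aggregate rule with 30 distinct sources, none of which exceeded the per-source limit. In practice the same two windows would be fed from a packet capture or flow records rather than an in-memory list.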
IIRC, it was 3 kids, and they didn't directly deal with the mafia. That was only mentioned in the article b/c it is sensational.
saurus
If a nuke goes off in the middle of the Australian Outback it's pretty meaningless (except to Kangaroos), same as if somebody shuts down the power grid (everywhere important has generators).
True CT could include confusing military computers into recognising friendlies as hostiles and starting combat automatically, or otherwise gaining remote access to weapon systems (especially CBRN). This form of CT would require extreme knowledge of the target systems and would validate all claims made in Jane's (V. good Finance and skilled personnel would be needed). e.g. Getting someone to run your program on a secure system for 1 million dollars is easy, getting the 1 million dollars isn't.
Proper CT is presumably very hard to achieve and would require much more skill than is available to the average hacker/cracker (I am neither and have very little knowledge of that 'world') since in-depth knowledge of the target would be necessary and the skill to find and exploit NEW security weaknesses.
My prediction is CT might become more widespread for nuisance attacks (changing web pages, etc.) but true Terrorism using computers is very unlikely since the sheer size of the systems works against the 'attacker' more than the 'defender' (no one person can understand programs over 1 million lines of code especially if they didn't write it and the 'defender' has more people available (or at least a larger hiring pool))
I also wouldn't really categorize social exploits as "utilizing IT devices".
Although that makes sense, any discussion of IT vulnerability needs to include a mention of social engineering and even IMHO backhoes. The power grid vulnerability everyone is mentioning is because someone at L0pht did a search on public utility webpages. This isn't cracking per se, but crucial to defend against.
saurus
What the government needs to protect itself against a 'cyberterrorist' attack is exactly the same thing as what a major corporation needs. The government needs well-trained security experts to make sure the networks are secure. A government is no different from a high-profile corporation in this sense. There is no law which congress can pass and enforce that will prevent people from attacking government computers. And why should the government try? If some kid cracks a government web site or computer, his primary goal is going to be to say to the world 'I did it! Look at me!'. Think of it as a free security audit. Patch the hole and let the kid try again.
-RN
Perhaps I'm naive, but I view crackers mainly as a way to keep sysadmins on their toes, not as some sort of world-destroying threat. OK, so somebody nails a sendmail box I'm running -- I'll just overwrite the HD with a backup & secure it from there. Big deal.
I'm much more concerned that someone will use real-world weaponry against the net. For example, using a couple truck-bombs against MAE-West and other NAPs simultaneously. A sufficiently coordinated attack of this nature could do real damage to the global economy just in terms of panic and disruption (massive stock sell-off, etc.). Plus, since it's a real-world attack, the damage is harder to contain/repair. I mean, anyone got a backup tape that'll rebuild MAE-West?
As far as I can tell, the main thing we have going for us is that most terrorists are pretty stupid people. They're ALWAYS going after ineffectual targets, like innocent civilians, and they do it in a half-assed manner. Most terrorist groups just seem to be places for losers to hang out and bitch about life; if they were more intelligent they'd be doing other things with their time.
I dunno; most terrorists just remind me of the Columbine losers grown up. Any half-wit could have managed to kill more people.
Cyber-attacks are inherently unsexy; there's no big boom, there's no glory in dying for a cause, just a bunch of nerds in a closet. Terrorists want to die with glory, to strike the big blow, and they're too dim to realize what an effective attack means.
Perhaps more importantly, anyone with enough skill to launch serious cyberattacks is probably going to be making serious $$$ in legitimate industry. After all, what world-class computer nerd wants to spend his/her time in some dirt-poor corner of the world, surrounded by psychopathic gun-toting losers? Osama Bin-Laden, for all his supposed clout, lives like an animal in a hole in the ground. What programmer wants to spend their time that way? You can make a bomb in a cave lit by candlelight -- you can't launch a cyber attack that way.
Have you seen the title to their main page?
"Jane's Intelligence Review, the world's leading open source defence, security risk and threat analysis for the professional intelligence and defense analyst"
Obviously this means anyone can copy and redistribute copies of Jane's Intelligence Review as long as they make any modifications they make to the text publically accessible...
Gerv
It's always occurred to me that, in a war, the country/party that runs out of funds first, loses. Thus, the objective of war isn't (per se) to do as much physical damage as you are capable of inflicting, it's to cause just enough damage that the "enemy" is unable to recover financially.
This suggests, in this time of cyber-warfare that we live in, that attacking a stock market or other primary financial institution is the most effective means of accomplishing your goal. Much more damage would be accomplished by taking the NY Stock Exchange offline for a couple of days, than by an attempt to attack the "food supply" (which would be up and running again within hours from backup tapes, or replacement hardware).
I see no mention of this financial aspect of war in the article, yet it seems the most vulnerable in my mind.
Ken
> Using CT, how easy or otherwise is it to bring down or attack vital systems?
It depends entirely on the system under attack. If it is not connected, it's fairly safe. If i'net connected, then it depends on how hard the system is to crack.
> What sort of skills would be needed to do so, and are they common/teachable?
Basic computer skills are common and teachable. More advanced cracking skills are dependent on analytical ability, and may not be teachable. But the threat from 1000 script kiddies is very different from the threat from one/few skilled crackers.
> Commercial-off-the-shelf software: can it really do CT?
AFAIK, there is no commercial off-the-shelf CT software. But there are lots of ready-made free kiddie scripts that would do much the same thing.
> Which systems are actually attackable?
Anything programmable. Anything with connectivity is easier to attack because physical presence is not required. Anything with inet connectivity is still easier because it's easier for the attacker to establish a connection, and that connection is more predictable.
> Can a recovery be made from such attacks?
Depends on the system. Depends on the skill of the sysadmin. Backup tapes are usually advised. For real-time systems, fallback to simple control is essential.
> Is it likely to improve/get worse?
A judgement call. More systems are being made vulnerable as users want the advantages of inet connectivity. Security awareness is also increasing. IMHO, no net change.
> What sort of preventative work would you recommend them to carry out?
Good sysadmin work customizing installations, not accepting anything out of the box. Risk analysis (probability & consequence).
-- Robert redelm@ev1.net
The author speaks of financing being a major hurdle to terrorist groups interested in CW. Nothing could be further from the truth. Not that most of Commercial-Off-the-Shelf Software is all that great for CW, there are plenty of scripts to download for free off any of the "cracker" sites.
Additionally, large organizations are cited as being required. A single, motivated terrorist, amateur or professional, can take out several "mission critical" systems with nothing more than a net connection and a free evening.
Why have a critical computer system exposed to the world? Defacing a web page never killed anybody.
Other terrorism ideas: find and read "A Higher Form of Killing". This book explains how the CIA tested the spread of toxins in the NY subway system.
From the Jane's article:
"In mid-1997, an American white supremacist faction plotted to attack the New York City subway system with biological weapons."
Thanks CIA
This article looks like a sales pitch for funding. To answer some of your questions:
> Using CT, how easy or otherwise is it to bring down or attack vital systems?
This can't be answered in a blanket statement. It's case-by-case.
> What sort of skills would be needed to do so, and are they common/teachable?
Common? Not really. Teachable? Yes.
> Commercial-off-the-shelf software: can it really do CT?
In a very limited scope they can, assuming the exploits they operate on are doable on target systems. No form of AI that I'm aware of would be used by these groups to carry out infiltrations. AI is too stupid.
> Which systems are actually attackable?
Any system that has direct or indirect physical connectivity to the station being used to carry out the attack is attackable.
> Can a recovery be made from such attacks?
Well yes, but it's usually too late if the attack is successful.
> Is it likely to improve/get worse?
Definitely worse.
> What sort of preventative work would you recommend them to carry out?
Put in place a transaction tracking mechanism. Hardware token, one time authentication using proprietary, cycling protocols. Every truly critical service should have absolutely no connection to the outside world. All connectivity devices should be running secure loads with whole network port to port managerial trust relationships. You could use the unused 802.10 protocol for in house purposes, and a variation of 802.1s on connectivity devices to create an obscure logical maze that the attacker must first figure out before gaining easy access to the doorsteps of critical systems. It is key that these devices ignore influence from end stations. Management _must_ be done at the console. There's lots more you can do. If you do not already know, or can't find someone who does, good luck. It's amazing how lazy people are. Someone somewhere is almost certain to make the cracker's job easy because they're too lazy to get off their ass and _walk_ over to the servers in the next room.
The weakest link in any security project or procedure is the point where an administrator comes into play.
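The "hardware token, one-time authentication using cycling protocols" suggestion above is, in standard form, a counter-based one-time password (HOTP, RFC 4226). The following is an added example, not code from the poster or from Jane's: a server-side verifier for such a token that rejects a replayed code even if an attacker wiretaps it, tolerates a token whose counter has drifted ahead (the "look-ahead" window), and keeps the transaction log the poster asks for. The secret is the RFC 4226 test-vector key, used here only so the outputs are checkable; the names `TokenVerifier` and `demo` are this example's own.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one hardware token: the shared secret and the next
    counter the server will accept. A code is accepted only if it matches a
    counter in [next, next + look_ahead); acceptance moves `next` past it, so a
    code that was sniffed on the wire and replayed is refused."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead
        self.audit_log = []  # (counter, code) of every accepted login

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                self.audit_log.append((c, code))
                return True
        return False


def demo() -> dict:
    """Honest login, replay of the same code, resync after counter drift, stale code."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, not a real key
    server = TokenVerifier(secret, look_ahead=5)
    token_counter = 0  # the value the hardware token itself has counted up to

    first = hotp(secret, token_counter)
    token_counter += 1
    honest = server.verify(first)
    replay = server.verify(first)            # attacker replays what the wiretap saw

    token_counter += 2                       # user pressed the button twice without logging in
    drifted = hotp(secret, token_counter)
    token_counter += 1
    resynced = server.verify(drifted)        # still inside the look-ahead window

    stale = server.verify(hotp(secret, 1))   # counter the server has already moved past
    return {"honest": honest, "replay": replay, "resynced": resynced,
            "stale": stale, "next_counter": server.next_counter}
```

The look-ahead window is the usability/security trade-off: a larger window means an attacker who has the secret-free token in hand for a moment gets more usable codes, and a smaller one means a token that was clicked a few times idly stops working until an administrator resyncs it.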
Or the more typical biological warfare, the spreading of dangerous bacteria or viruses, such as anthrax. For some reason ABC News has been talking about this a lot lately, and they have a poll up now.
In the same spirit, killing a few thousand people with anthrax would be a lot more impressive than taking out their power, but would take a lot more funding and organization, as some have pointed out.
Juln
Well, I'll address the points you want covered in order:
> Using CT, how easy or otherwise is it to bring down or attack vital systems?
Simple if you have the basic skills.
> What sort of skills would be needed to do so, and are they common/teachable?
Easily teachable. All it takes is a willingness to learn and an ability to read. There are plenty of documents available through various sources with information on how to deny some of the more basic services. While the potential is unlimited, most people probably won't attempt anything that will hurt themselves as well, i.e. who would take out all of AT&T if it would disrupt their only ability to dial out?
> Commercial-off-the-shelf software: can it really do CT?
No, not really. Some of the "off-the-shelf" software can make certain tasks easier, but it can't actually do it all by itself. It still requires a live being on the other end of the keyboard to accomplish anything.
> Which systems are actually attackable?
Anything. If it can be accessed by either power, water, air, phone or person, it can be attacked. This really is where the motivation comes in. If someone was motivated enough they could find a way to do things even if it meant their own loss of life.
> Can a recovery be made from such attacks?
Gradually. Given enough time anything can be repaired.
> Is it likely to improve/get worse?
It will more than likely get worse. As the common person becomes more educated there are more possible terrorist threats. Typically the facilities to protect against threats are already overworked; over time more attackers than defenders are born, leaving the scale definitely overbalanced.
> What sort of preventive work would you recommend them to carry out?
There is no real preventive work other than increasing the defensive manpower.
Overall, I agree with another respondent that the article as written is about as informative as an (overly long) abstract. With editing to bring focus to the piece, it would be of value as either an introduction to a longer, more technical piece, or as an executive overview.
Introductory paragraphs:
Author loses focus addressing CBRN and CT issues together. The technical, logistical, and organizational hurdles have little in common. At the present time, the results of attacks will be far different.
Motivation:
Motivational thresholds used for CBRN are crossed quickly if used when planning a CT attack. An additional threshold may be the perceived lack of punch in a CT attack. In addition, a CT attack leaves a greater likelihood for discovery of the source, if it doesn't successfully deal with the number of access logs and other tracing methods built into the telecommunications and I.T. systems an attacker must work through.
Organization:
Setting aside my previous cultural bias, I find that the crucial element for successful CT, expertise, seems to be widely available in the developing world. Organizations in almost any nation can come in contact with a number of trained local programmers and system engineers. By focusing on the use of I.T. for normal and secure comm by organizations when planning CBRN attacks, the author may cause decision makers to ineffectually concentrate on controlling public access to cryptology, rather than on the issues regarding CT attacks themselves.
Funding:
Unlike CBRN, little capital is required to obtain and situate a CT "lab" or "labs". Hardware is readily available and inexpensive worldwide. The setting can be innocuous. Office automation and software development tools and reference works can be had for little cost, even if purchased legitimately at retail. The largest potential costs come from connecting to a local telecommunications provider. This can be mitigated by a) isolating training and rehearsal exercises within a closed lab network, and illegally tapping into off-site telecom trunk systems where the opportunity presents itself, and/or b) state telecom subsidies.
State Sponsors:
As with CBRN, a state sponsor can provide telecom advisors with detailed knowledge of typical trunking systems. The state can provide ready access to high-bandwidth connections to the Internet, although this leads to traceability/deniability issues after executing an attack. The state may provide a more realistic training ground, if it allows rehearsal attacks within the national I.T. network.
External Hurdles:
Given wide dissemination of programming and telecom knowledge, and the dispersion of expatriate technical professionals, there are few technical hurdles to CT, even if the organization that desires CT capability is based in an area with few technical resources. The main hurdles would remain perception: "does CT do anything for us?"; and security, in that it is more difficult to cover one's tracks.
Q: Using CT, how easy or otherwise is it to bring down or attack vital systems?
A: This has been addressed elsewhere.
Q: What sort of skills would be needed to do so, and are they common/teachable?
A: This requires a more detailed response, which will be posted separately.
Q: Commercial-off-the-shelf software: can it really do CT?
A: The most common s/w used for attacking I.T. systems is a terminal emulator. Value is added by the operator typing into it. An attack using a terminal emulator can be automated using the built-in programmability of most widely-used operating systems.
There are a number of s/w packages that are available for free download, which are starting to provide COTS ease-of-use with built-in CT capabilities. At the moment, the vast majority of these only search for or create a security breach in an I.T. system ('Back Orifice', 'nmap'). An experienced operator is still required to exploit such a breach.
Q: Which systems are actually attackable?
A: Any system directly or indirectly connected to a public network can be attacked. Any such system is vulnerable to denial of service (can't get out or in) attacks or spoof (network traffic intercept) attacks. UNIX-based or Windows-based systems are most susceptible to penetration attacks because of the large number of individuals familiar with methods of penetration, which are then widely published.
Q: Can a recovery be made from such attacks?
A: This has been addressed elsewhere.
Q: Is it likely to improve/get worse?
A: This has been addressed elsewhere.
Q: What sort of preventive work would you recommend them to carry out?
A: This has been addressed elsewhere.
Luke, help me take this mask off
What the government needs to protect itself against a 'cyberterrorist' attack is exactly the same thing as what a major corporation needs. The government needs well-trained security experts to make sure the networks are secure. A government is no different from a high-profile corporation in this sense. There is no law which congress can pass and enforce that will prevent people from attacking government computers. And why should the government try? If some kid cracks a government web site or computer, his primary goal is going to be to say to the world 'I did it! Look at me!'. Think of it as a free security audit. Patch the hole and let the kid try again.
While widescale CT at the hands of Bin Laden or Aum Shinrikyo certainly deserves our attention, the author fails to recognize that the majority of CT will come from smaller organizations that will find CT a cheap, safe, and increasingly effective way to draw attention to their cause. The true power of CT is its ability to undermine civilian confidence in a world increasingly reliant on technology. A relatively unskilled cyberterrorist can crash a computer server that is responsible for anything from publishing content to the WWW to monitoring transactions on a bank network. These small, relatively harmless acts of terror receive intense media coverage and serve to undermine the confidence of a public that for the most part is just beginning to grasp the technology. More organized CT organizations are currently launching widescale attacks against the world banking industry and, according to some estimates, these CT organizations can hijack upwards of 10 million dollars ($USD) a month from the banking industry. These types of attacks go generally unreported, mainly because there is a fear that civilians will panic if they believe their money is not safe -- but these attacks will not go unreported much longer. The media is always searching for new CT to report. IT is incredibly powerful and offers great features to the consumer, but at the same time it takes more control away from the consumer and places that control in the hands of an elite group of people with the savvy to control the technology. People are aware that IT is costing them control of their lives and their privacy, but they seem to be willing to give up some privacy for what is perceived to be a "better life." The true power of CT is that it can take advantage of citizens concerned with control by exploiting the inherent insecurity of IT.
When a government is faced with a citizenry that can no longer trust the backbone of the economy, that government will be more likely than ever to succumb to the demands of terrorists. Never before has it been so easy for a terrorist to get the attention of the audience.
Is this the best that Jane's can do? The tone is not necessarily over-alarmist, but it's incredibly simplistic. The Economist would be ashamed to run this piece, and I doubt if even USA Today would be exactly proud of it.
The content is almost devoid of useful facts, or even well-grounded opinions. Apart from the duplication of almost every point (do you have an editor?), it's vague and woolly in a way that really isn't what I expect from a publication like Jane's.
The most glaring issue is the CBRN / Cyber confusion. Is the article's point the very reasonable one that IT terrorism is a whole new ballgame? In which case, why are the two opposing circumstances lumped together as if they were the same thing?
On the specifics:
> Using CT, how easy or otherwise is it to bring
> down or attack vital systems?
As is very old news to anyone close to the scene, hacking is NOT about gaining some sort of wizardly superpowers that allow one to access anything, anytime. It's much more like stealing cars by walking through a carpark and trying the door handles. As this industry still hasn't learnt to make a robust doorlock, and most new drivers haven't yet learned where the keys are, then this process will net an awful lot of exposed IT assets. Remember too that automatic scripting / searching techniques let you try an awful lot of door handles without much walking.
Very few expert hackers are expert on more than a small niche of the problem, an operating system or a communications technique. Sometimes they accept that deep skills simply can't be gained over such a broad area; sometimes it's disguised as the Unix nerd who wouldn't "dirty their hands" on an NT box.
> What sort of skills would be needed to do so,
> and are they common/teachable?
The skillset needed is more of a lifestyle than a specific skill - the adolescent boy's obsessional devotion to a particular niche, despite its lack of utility to all aspects of normal life. Some of us collect baseball cards, others analyse protocols.
The skills are unteachable, as they aren't skills as such. Those who could be taught, probably already taught themselves. Encouragement, provision of a conducive environment and peer pressure (especially over ethical issues) is much more significant.
The real danger in recent years has been the rise of the Script Kiddie, an ignorant upstart with access to powerful tools like L0phtcrack or Back Orifice. These tools are far more freely available now than, say, 5 years ago. This obviously increases the exposure of "those who would" to "those who can", but it also removes much of the previous generation's "hacker ethic". When exploiting a hole required skill and dedication, it increased both the exploiter's sense of identification with those being exploited and also the sense of reward felt at its successful completion. Now the instant access of a script tool presents a system "on a plate", encouraging its perception as a thing of low value and also leaving the exploiter still unsatisfied by the mere task of gaining access.
Mountain climbers don't vandalise mountain tops, because they're hard to reach and appreciated as such. Graffiti sprayers will happily spray a wall, because it's "just a wall".
>Commercial-off-the-shelf software: can it really do CT?
All armies rely on mundane items like food and boots. Neither of these needs to be "military", just available when you need them. It's the same with IT tools for access: it's knowing where to send the bytes that matters, not having some flashy gimmick to do it for you. Hackers don't need radical tools that escape from secret laboratories. Microsoft Word can build you the CIH virus and FrontPage can take over an insecure site with FPSE.
>Which systems are actually attackable?
All systems (IT hardware, software, wetware and management practice) may be attacked. If the hardware has no security whatsoever, and the OS is widely understood and frequently penetrated, then your security is entirely reliant on good working practices amongst the admins. Custom crypto boxes, olive drab computers and the like make things more secure because they reduce this single point failure mode, more than any inherent magic. If a careless sysadmin mis-enters the value on just one or two checkboxes, then I (or a million others) could enter their Wintel box, because we already know them inside out. If I had the same depth of knowledge on Racal / Marconi kit, then I'd probably be just as dangerous -- but how many people have experience on those mil-only platforms, compared to the vast numbers who intimately understand Wintel?
>Can a recovery be made from such attacks?
We're not yet at a stage where it's practical to do real life-threatening damage on a large scale, on a regular basis. A denial of service attack that closes a stock exchange for a day is hideously expensive, but it's still a DoS, not an irrevocable maiming or killing. In terms of body count, a totally psychopathic hacker is still going to do better(sic) with a crowded post office.
Recovering from a specific attack is easy - burn the computer and reinstall the backups. After all, hardware is cheap and the real damage (to your prestige, or loss of trading etc.) has already been done.
>Is it likely to improve/get worse?
It will get better, but only slowly and after it gets a whole lot worse first. Expect to lose the London Stock Exchange for a day, or have Nike mis-deliver an entire shipload of trainers (or something on that scale) before the real money takes things seriously enough to mandate security, and to ask the right people for advice on how to do it. The big consultancy houses certainly aren't the best people to do this, nor is their current track record particularly impressive.
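The "trying the door handles" point above, and the remark that scripting lets you try a great many handles without much walking, is what an automated banner sweep does. The following is an added example, not code from the poster or from Jane's: a small concurrent TCP scanner that connects to each port, records whatever greeting the service volunteers, and moves on. To run offline it brings up two constructed stand-in services on loopback (the Sendmail and OpenSSH greeting strings are made up for the example and identify nothing real); the names `start_fake_service`, `probe`, `scan` and `demo` are this example's own.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

HOST = "127.0.0.1"


def start_fake_service(banner: bytes):
    """Constructed stand-in for a real daemon: listens on an ephemeral loopback
    port and greets every client with `banner`. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket was closed: shut down
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5):
    """Try one door handle: connect, read what the service volunteers, hang up.
    Returns (port, banner) for an open port, None for a closed or filtered one."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""           # open but silent: waits for the client to speak first
            return port, data.decode("ascii", "replace").strip()
    except OSError:
        return None                  # refused or timed out


def scan(host: str, ports, workers: int = 64) -> dict:
    """Try every port in `ports` concurrently; map open port -> banner text."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for port, banner in filter(None, results)}


def demo() -> dict:
    """Bring up two constructed services, sweep the ports around them, report."""
    smtp, smtp_port = start_fake_service(b"220 mail.example.net ESMTP Sendmail 8.9.3\r\n")
    ssh, ssh_port = start_fake_service(b"SSH-1.5-OpenSSH_1.2.2\r\n")
    try:
        # the two open ports plus their neighbours: the "handles" to try
        ports = sorted({p + d for p in (smtp_port, ssh_port) for d in range(-5, 6)})
        found = scan(HOST, ports)
    finally:
        smtp.close()
        ssh.close()
    return {"smtp": (smtp_port, found.get(smtp_port)),
            "ssh": (ssh_port, found.get(ssh_port)),
            "ports_tried": len(ports)}
```

The output is exactly what a defender's own inventory should already contain; if a sweep of your address space from the outside finds a door the inventory does not list, that is the finding, whatever the banner says.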
Computer programs these days are so bloated, sloppy, and buggy that it is inevitable that systems have many, many holes for people to pry into. If people have the motivation and resources I see no reason why any system cannot be brought to its knees. Cyberterrorism is not like nuclear warfare or chemical warfare. If somebody reads a book on how to make nerve gas, it will raise a lot more suspicion than somebody reading a Unix manual. Besides attacking systems, the basic infrastructure of the Internet can be easily broken IMHO. Just cut a dozen strategic high-bandwidth lines and watch how large amounts of Internet traffic will break servers, create packet loss, and cost trillions in damages. I'm sure with the right amount of money that information can be obtained. Look what happened when that stupid Ohio utility cut only 4 OC-192 lines. I remember somebody telling me that if the entire "internet" went down in the US for 20 minutes, it would cause a global depression. Pretty sobering, eh?
> ... to shut down vital parts of the computer infrastructure of a country. As we have seen, a backhoe is enough. Or a faulty software upgrade
Wow. Economic terrorism the cheap and easy way.
10 people with backhoes at the right locations, and down goes a lot of the bandwidth and a lot of the net-based economic activity with it.
"The best part? I became an ordained minister while not wearing pants." -- CleverNickName
To make this a more specific post about CT, I will skip all the previous corrections other /.ers have made, but I fully agree with the separation of CBRN and CT as two entirely different forms of attack.
CyberTerrorism is not about physically damaging a nation's infrastructure. It is about, temporarily, reducing a nation's core support infrastructure (power, telephone/data lines, travel (train/air)) in order to 'soften up' a nation before physically attacking them.
It is quite possible for a terrorist group to hire a capable cracker group to shut down the power grid of a major city prior to a physical attack, whether it's conventional bombings/explosives or more scary biochem/chem warfare. This combined CT/physical attack would not only increase the likelihood of the terrorist's success, but it would also create a sense of panic and fear among the populace.
Communication helps to disperse fear and panic in almost any situation. Once one's communication is physically or 'softly' cut, it doesn't matter whether a backhoe or a sophisticated CT program was used. The only difference is that of the duration and timing. That said, the only use of a CT attack would be to properly time it in accordance with a separate, more physical attack, one that has more duration. Nevertheless, a CT attack is not necessarily less powerful. The ability to shut down an entire nation's power infrastructure is something no tactical nuke can do. Thus, while CT may have a wider, more effective 'soft' area of successful attack, its duration may be short and its multiple-use effectiveness may be limited.
CyberTerrorism is also not usually a target-specific attack. Elite hackers may well be able to infiltrate specific targets looking for specific information or to cause 'soft damage', but in terms of warfare, these acts are not as effective as a loss of one's core infrastructure. In attacking a nation's data/power infrastructure, it is very possible that some systems may be attackable while others are more secure due to their OS, configuration, and connectivity to outside invaders. For CT to be more than an annoyance to lazy, insecure banks and improperly run govt. sites there has to be the threat of a national loss of infrastructure for a long duration, happening at a specific time, simultaneously. CT just doesn't cut it as your primary method of attack.
As for the ability required to make a CT attack: once an exploit in an OS or configuration is found by an able cracker, the cracker can code a program to reproduce his ability to exploit the hole and allow any ol' 'script kiddie' to take advantage of that exploit without having prior knowledge of how the exploit allows access or how to regain access once the exploit is fixed. Anyone can do it.
Favorite
If you are really going to crack a facility, you can often do so from the inside. The most important skill needed to compromise such a facility is "social engineering"; basically the ability to lie through your teeth to other people. This sort of thing can get you inside your target's security with no computer skill whatsoever, and then you only need the skills required to cause the computers to do whatever it is you want them to do.
Let me list a few SE gambits. The first, which takes a bit of time but is usually safest, is to get yourself hired. You will need some computer skill even to do an attack from the inside, and that skill will get you hired in America's techie-hungry job market. This gives you building access and a computer account. If you have sysadmin skills, all the better: you will get a root password, the equivalent to an all-access pass.
The second gambit is simply to sneak into the physical facility in broad daylight, by pretending that you belong there. Low-security facilities may use badge-locking, but often one employee will hold the door open for someone who forgot their badge. Just about any facility will let people in if the security is lax at all. I remember a story (verified) about someone showing up at a 20-person company dressed as a delivery person. People let him in and out, and he made several trips carrying boxed printers out every time.
Another gambit that someone could try with enough time would be to infiltrate the development branch of a commercial security software company (or better yet, get a few terrorists together and form one), and put a back door into the software. The facility is rare that fails to trust shrink-wrapped software. If the software is a hit, you can hit multiple targets at will without anyone putting the pieces together.
Hopefully, the above tactics would not work in places like military facilities or nuclear plants, where paranoia should be a way of life. However, a creative mind can cause a lot of damage by infiltrating a facility not known for its paranoia. Hospitals and food-processing plants would likely be prime targets. Such attacks would not necessarily be "real" terrorism, but would look a lot like accidents (until, of course, somebody claimed responsibility for them).
--The basis of all love is respect
From reading the comments here, and a guess at most of our demographics, including mine, we're concentrating on how people can use the internet to co-ordinate or attack systems. This, in my view, is wrong.
The internet is a communications and research tool, and yes, operating system vulnerabilities are available on-line, as well as off-line (as an aside, I remember trawling through VAX manuals at Liverpool Polytechnic, finding the default usernames and passwords for VAX clusters and wandering across JANET and sending messages to MIT operators from a VAX cluster in their nuclear physics department which they hadn't locked down.)
But how many sensitive or critical systems are this easy to get at?
The article states "Similarly, in terms of cyberwarfare, terrorist groups may have little need for state sponsors because much of the applicable software and hardware are available commercially and targeting can be accomplished from a computer terminal hundreds of miles away from the intended targets.". This is frankly unrealistic.
Having worked in banking, government, and soon UK military intranets, none of these is attached to anything outside its own network.
I would see the main risks as follows
- Physical destruction of infrastructure.
- Destruction from within
If we define cyber terrorism as using a computer to attack another company, without concentrating on mode of delivery, then a well placed bomb in a communications hub is a low-tech solution to destroying a high-tech system. A few well placed bombs in the City of London would stop the UK finance market for 2-3 days, and it would take months to recover. If you were a small state, and someone took out your communications network, forget recovering.
I'm sure we've all heard urban legends of disgruntled programmers leaving back doors, RAS accounts, viruses etc. This is a more likely mode of attack. Infiltrate who you want to attack, and pop a low-lying virus onto the network, custom built to avoid the virus scanners. With the proliferation of virus authors (and let's face it, it's not difficult) you could take out a PC-based network quite easily. But what sensitive information is held on PCs?
In my opinion, doubtful. How many sensitive networks are open enough to attack? You would need easy access, eletronically or physically and this just doesn't exist.
Everything is teachable. Virus-writing code is common, and some is even automated. A lot of security holes are publicly available on the internet or on BBSes. However, getting access to use this information is, of course, more difficult.
No.
Web sites, which aren't critical. Perhaps WANs which pipe through the net, although with VPNs this is becoming more and more difficult, however the possibility for DOS attacks exists. Any system connected to a public network.
I would assume that critical systems are backed up. So yes, but the amount of time to recover depends on the attack.
Stay the same, for critical systems people will need physical access, and as long as companies/governments restrict this then it's not going to be a major worry.
Don't hook up a critical system to a public network. Keep up to date on security issues, don't rely on your vendor for information. Get rid of floppy drives on PC based networks. Code review source. Do not allow introduction of untrusted software.
Comparing web site vandalism with cyber terrorism is wrong. Comparing CNB attacks with cyber terrorism is wrong. I have yet to see one instance of a hack that I would consider cyber terrorism.
Personally I would worry more about infrastructure and communications attacks than I would over information security attacks.
Rant over, lemsip and bed :)
Barry
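Two of the preceding posts make the same practical point from opposite sides: the one on social engineering warns that almost nobody checks shrink-wrapped or vendor-supplied software for a back door, and Barry's list ends with "do not allow introduction of untrusted software." The usual control for both is an integrity manifest taken at install time and re-checked later. The following is an added example, not code from either poster or from Jane's: it hashes an approved file tree, then reports anything modified, added or missing. The install tree, the fake "vendor binary" and the stray tool are all constructed inside a temporary directory; the names `build_manifest`, `verify` and `demo` are this example's own. Note what the check does and does not give you: it catches a back door introduced after the baseline (an "update", a floppy, an insider), not one the vendor shipped in the original, and it is only as trustworthy as the off-box copy of the manifest and the host the checker runs on.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Snapshot every regular file under `root` as relative POSIX path -> SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the approved manifest. A file that is not in
    the manifest, or whose hash has changed, is untrusted software by definition."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added":    sorted(k for k in current if k not in manifest),
        "missing":  sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: an approved install, then a tampered binary,
    an unapproved tool and a deleted config file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "secmon").write_bytes(b"\x7fELF fake vendor binary v1.0")
        (root / "etc").mkdir()
        (root / "etc" / "secmon.conf").write_text("log=/var/log/secmon\n")
        approved = build_manifest(root)   # taken at install time; keep a copy off the box

        clean = verify(root, approved)

        # a "vendor update" that quietly carries extra code, a tool brought in on
        # a floppy, and a config file that has gone missing
        (root / "bin" / "secmon").write_bytes(b"\x7fELF fake vendor binary v1.0 + extra code")
        (root / "bin" / "extra-tool").write_bytes(b"MZ not really a program")
        (root / "etc" / "secmon.conf").unlink()
        tampered = verify(root, approved)
    return {"clean": clean, "tampered": tampered}
```

Run the verify step from read-only media or a separate host, with the manifest stored somewhere the target cannot write, or an attacker who has already replaced the binary will simply fix up the manifest as well.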
Please excuse typos and grammar: I'm hurrying and I'm not a native English speaker.
hany
I wonder if the real problem is not CyberTerrorists attacking computer infrastructure but using the computers to manage other more conventional attacks. I've commented before that a denial of service is not a real attack - I can't get to a web site, oh well! I guess I'll have to get some real work done.=] Even a power outage isn't a real problem unless you can take the plant off line for several days or cause a meltdown at a nuke plant although I suspect that there are several failsafes you have to over come (remember Homer Simpson mans his post most of his sober hours.)
I think the greater threat in the Information Age is the terrorists using computer systems to manage their attacks, things like coordination of the strikes, development of new weapons and interception of communications of antiterrorist response teams could all make the terrorists more effective using more conventional forms of terrorism.
It's been said in previous posts that it's probably a given that terrorists already have crypto, and we all know that off-the-shelf hardware is extremely powerful in the right hands. So attempting to deny computer power is not the solution. Increased intelligence on terrorists would help, but if they already have the crypto...
I'm not sure of the best defense against this type of threat, but I wonder if sharing technology isn't a better approach than denying it. If terrorists are motivated because they don't think their group/race/sect/branch/nation is getting a fair shake in this world, I wonder what would happen if we gave them a fair shake.
Anywho, that's just my $.02
"Karma can only be portioned out by the cosmos." -- Homer Simpson
The hacker community at large, in my opinion, should and will keep all relevant information to ourselves. Why deliver what we know to Jane's, so that every cold war leftover can sit in their cushy office deciding which group of people can become the next villain?
Here is some advice to the readers of Jane's:
1. The best form of defense against anti-state terrorism would probably be to decrease the terror that the state itself causes. "Terrorist" seems to be the word you use to describe a group of aggressors intent on terrorizing another group into doing what they want. Slap a U.S. Flag on them and all of a sudden they become a legitimate "peacekeeping force".
2. Hackers are about freedom of information, and decentralized forms of power and governance. Jane's readership is mostly about control of information, and centralized forms of rigid authority.
3. Many hackers hope to live in a world like ST:TNG, where your concepts of nationhood and military aggression are antiquated and outmoded.
4. Instead of focusing on terrorizing hackers through the state's power, maybe Jane's could risk losing some of those defense department kickbacks and run a truly journalistic piece on the U.S. government's use of force to promote U.S. economic viability.
In other words, hackers, technoanarchists, and subversive geeks from the world around: tell Jane's where to stick it. You don't help your enemies when you're at war.
Using CT, how easy or otherwise is it to bring down or attack vital systems?
What sort of skills would be needed to do so, and are they common/teachable?
It depends on whether one was conducting physical or mental terrorism. While a system like a dam or a power plant has, at the very least, specialised control systems and may not be externally connected (and probably require training), "vandalistic" terrorism, to create discontent and fear among the population, or temporary "denial of service", is very easy and there are many tools for those.
Commercial-off-the-shelf software: can it really do CT?
It depends on the amount of skill of the user, with those skilled able to use utilities like "telnet" and "ping" included with any modern operating system. However, although less-skilled users may use specialised programs and scripts, those are available for the taking online, so...
Which systems are actually attackable?
Anything hooked to a network can be attacked from anywhere else on that network. However, even having an unconnected system still leaves open the possibilities of an insider job, an EMP or HERF generator (blockable by a Faraday cage), or actual physical sabotage.
Can a recovery be made from such attacks?
It depends. For proprietary and specialised systems, such as, say, an electric plant's controls, it's usually hard to rebuild a proprietary system quickly. For normal systems, all one needs to do is restore from backup. The main concern is not so much "Will it run again?" as "What are the results of it not running?". An ISP, say, with 20000 customers, can easily afford to replace a $15000 machine, but will find it much harder to deal with customers angry about the temporary loss of services. The same for the military, who may have backup systems but still suffer from the momentary loss of navigation or targeting or whatever systems.
Is it likely to improve/get worse?
The number of attacks is likely to increase, but the number of effective attacks may decrease as prevention measures are worked on. In particular, operating systems are becoming more secure as the easy holes are found. However, this may have the side effect of filtering out "John Q. Hacker" who just wants to look around, while merely requiring more effort from a dedicated terrorist.
What sort of preventitive work would you recommend them to carry out?
If it doesn't need a network connection, don't hook it to a network. Use strong crypto. And keep track of the lists of bugs and holes.
... to shut down vital parts of the computer infrastructure of a country. As we have seen, a backhoe is enough. Or a faulty software upgrade in a power grid or phone control point.
Also, what crackers (and cyberterrorists, if they actually exist) do is utilize remotely exploitable bugs in current software. That is, they use tools and techniques which are roughly identical to normal debugging techniques, but apply them a bit more creatively. The creative application may have spectacular effects, but that does not change the fact that the basic techniques used are actually routine debugging techniques.
The bottom line is: As long as current production software is as bad and immature as it is, there is no cyberterrorism. Just applied stupidity.
Too buzzwordy, doesn't really say much on the topic of CT, or NBC for that matter. We know it's serious. It's not like nobody's doing anything about it.
"... super, ultra, and macro-type catastrophic terrorism"?! Wow. That... doesn't really say much. Sounds pretty biblical, actually.
No example of the depths to which it could be utilised. Think stock exchange. Think power grid. Don't do the missile defence/"War Games" stuff.
Also think about the level of security already in place in the first world, and the amount of security being put in as we speak by the Z80 and Commodore 64 generation. Who made it necessary.
I wouldn't publish that in JIR in present form. More likely Readers Digest.
-j
Only a select number of terrorist groups and few state sponsors are likely to possess the necessary motivation and capability in the spheres of organisation, funding, acquisition, technology, storage and stockpiling, logistics, and other overt and covert resources to be able to make the transition from conventional to CBRN/Cyber warfare. For many, the numerous internal and external tasks and hurdles involved in acquiring, storing and deploying such sophisticated weaponry and devices are simply too much. Moreover, few terrorist groups and state sponsors are sufficiently motivated to carry out mass casualty or mass disruption warfare.
Well, the necessary means of cyber disruption are very simple: a 33K modem, an old 486 running Linux or BSD, and a brain. It is true that few terrorists have the necessary knowledge, but this does not mean that they may not hire someone. And this will be cheaper than buying and smuggling explosives and weaponry.
On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CB/Cyber attacks much more feasible to launch than hitherto. Radiological and nuclear weapons, however, are far more difficult for terrorist groups to acquire or to develop indigenously, to weaponise and deploy, or to provide storage for.
Commercial off-the-shelf solutions are mostly applicable after a break-in has been committed, i.e. for maintaining access, deciphering data, etc. So they come into play after the break-in, which once again requires few resources and some brain.
Significant financial resources are required for terrorist groups to develop an indigenous CBRN/Cyber operational capability unless a group succeeds in weaponising a crude, low-technology device, or stealing or hijacking such a device.
Yet another dumb statement.
Overall a very, very, very bad article, with the following bad implications hidden between the lines:
The availability of security related information on the internet is _BAD_
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
CBRN warfare is an advanced method of warfare; cyberwarfare isn't. The resources needed to achieve this aren't expensive; all it needs is some knowledge and a little cheap equipment.
There are examples of this already, including L0pht's research into the vulnerability of the US electricity network. They gathered data from public websites, and once the data was correlated a good image of the security of the network was found. This can then be exploited. Cyberterrorism is about this type of research.
This article concentrates more on the conventional side of terrorism, but attention should be paid to the groups that use IT for gathering and co-ordination of intelligence rather than for warfare.
Cyberwarfare is where tomorrow's terrorists will attack. Terrorism is part destruction, part publicity. Several terrorist groups attacked targets to generate publicity, not to kill people. Similarly, cyberwarfare attacks are about the same: posting web pages, taking over known servers. The next level is the hardest one to guard against. This is the hacker in the system that doesn't destroy or alter data, just reads things and leaves.
The author groups cyberwarfare along with "script kiddies". Cyberwarfare is not only about damaging systems, it is also about intelligence gathering and information processing.
This is essential to terrorists. Hacking into a government server and posting a new webpage looks good and generates publicity, but hacking into a government server and reading the documents in people's email directories is much more valuable to terrorists. This gives cyberterrorists valuable details about the thinking of, and opposition to, their movement, and can aid in planning conventional attacks.
The next generation cyber-terrorism won't just be about invading and crashing control computers or servers, it will also be used for spying and sabotage.
Cyberwar, like all other forms of war, is not just about damage and destruction but also about spying and intelligence gathering.
These areas are where most consideration will have to be given.