Slashdot Mirror


Jane's Intelligence Review Needs Your Help With Cyberterrorism

Jane's Intelligence Review, a famous "in group" publication read by political, military and intelligence honchos the world over, has an article on Cyberterrorism scheduled to run in its next issue. But Jane's editor Johan J Ingles-le Nobel believes Slashdot readers may (ahem) actually know more about potential Cyberterrorism tactics than the article's author, and would like you to comment on his work - for publication. The article is up on a private preview page. Please read it, then post your comments. Johan will read them, here on Slashdot, and will select some of them for publication in Jane's alongside the original article. Before you post, please read a message from the Jane's editor (below).

These are the specific questions Jane's wants answered:

  • Using CT, how easy or otherwise is it to bring down or attack vital systems?
  • What sort of skills would be needed to do so, and are they common/teachable?
  • Commercial-off-the-shelf software: can it really do CT?
  • Which systems are actually attackable?
  • Can a recovery be made from such attacks?
  • Is it likely to improve/get worse?
  • What sort of preventative work would you recommend them to carry out?
For our part, we'll make an article based on your replies. Please try to give examples and evidence, keep it clean and stay objective - this is not a 'military-bashing' exercise. When we publish the article (17 November), if you'd like to be contactable on this issue use your real email address and we'll attribute your comments, otherwise use 'anonymous coward'.

Many thanks,
Johan J Ingles-le Nobel,
London, England.
johan.ingles@janes.co.uk

60 of 256 comments

  1. ISPs are weak points. by richnut · · Score: 2

    The biggest threat with cyber terrorism is not so much direct attacks, but as a tool to gather information on organisations for other purposes. If a cyberterrorist attacks an ISP successfully they can gain access to many more networks belonging to the global customers: manufacturing concerns, government agencies, lobbies, financial institutions. The ISP is the passageway for all of its customers and a large reputable ISP can have direct access to all sorts of customer resources. Monitoring a central router at an ISP can be the ultimate wiretap. ISPs often have financial and personal data of customers warehoused for disaster recovery reasons; these resources are often stored on Internet connected machines.

    Worse yet, ISPs do not necessarily want to cooperate with officials. They do not want to be slammed with liabilities for their transmission of dangerous material. ISPs (last I checked) are not immune to this sort of legal attack like telcos are.

    -Rich

  2. Re:CBRN != Cyber by jsm2 · · Score: 3

    In my opinion, the fundamental difference is that Cyber attacks are utterly unlike any other form of attack because they do not involve the delivery of large amounts of energy to the enemy (unless you would call EMP or HERF attacks "Cyber", which IMO would be wrong -- a HERF gun aimed at a computer terminal is really the same sort of thing as a grenade thrown at same.)

    Cyber attacks, therefore, are aimed at the information, which is much less easy to destroy because of the possibility of making qualitatively and functionally identical copies. I'd divide cyber attacks into two species: "Destruction of information" (erasing) and "Corruption of information" (spoofing).

    Erasing is very difficult to carry out because any system worth attacking is also worth backing up. I know that UK and US interbank transactions are backed up daily, with multiple remote backup tapes. Any Cyber attacker wanting to "destroy" the interbank market will cause the loss of at most one day's worth of transactions. Erasing attacks can be straightforwardly guarded against through multiple, remote (in both geography and network topology) backups, taken at sufficient frequency that the maximum possible loss is bearable for the system (the "safe frequency"). Any system for which the safe frequency is too low for the backup defense to be practical (for example, a power grid) should be kept remote from networks; although this does not defend against attacks from insiders, network seclusion should allow the terminals of the vulnerable network to be physically guarded.

    Spoofing is much more difficult to guard against. This kind of attack comes in two flavours; attempts to create phony records, or phony messages in a system (such as creating false bank accounts), or attempts to create phony instructions to the processing system, causing a failure of the system which is as bad as an erasing attack.

    The easiest way to defend against non-destructive spoofing would be to use backups once more, and to operate a kind of "double-entry book-keeping" which traces every record to its creation and requires consistency between numerous (again, preferably topologically remote) sources. This multiplies the difficulty of a Cyber attack, as the attacker now has to break several systems instead of just one.

    Destructive spoofing aimed at the processor rather than its records is a different matter. Causing the processor to execute phony instructions could allow the Cyber attacker to erase records, transmit phony messages and, potentially, to "cover its tracks" well enough to escape consistency checks. Of course, this kind of attack is more difficult than any other -- usually the only way to get another machine to execute rogue instructions is to exploit buffer overflows.

    I have no particular suggestions for defense against the final kind of attack, except for the rather obvious advice not to create situations in which buffer overflows can happen. The use of non-standard operating systems or instruction sets could, in principle, make it harder for an attacker to work out what to do with a buffer overflow once discovered, but to me, this seems too much like security through obscurity to be recommended.

    I'd add that using the Internet as it is currently designed to communicate between members of a terrorist organisation would not be a good idea -- it goes against the "cell" concept which is known to be the best way to organise. Even messages on private bulletin boards carry enough information in the headers to allow substantial information about the whole network to be deduced for any security agency which can gain access to the routers.

    Just some idle thoughts

    jsm
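
The "double-entry" consistency defence jsm describes above, as an added example that is not part of the thread: a Python check that trusts a ledger record only when a quorum of topologically separate replicas holds an identical copy, so a phony or altered record confined to one subverted system is flagged instead of accepted. The replica contents, account names, origin labels and quorum values are constructed for illustration.

```python
"""Cross-replica record consistency check (added example, not from the thread).

Each record is traced to its creation (`origin`) and must be held identically by
several independent replicas. An attacker who controls one replica can alter or
invent records there, but cannot make the other replicas agree with it.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)  # frozen => hashable, so identical copies compare equal
class Record:
    rec_id: str
    debit: str    # account the value leaves
    credit: str   # account the value enters
    amount: int   # whole currency units
    origin: str   # system that created the record: its "trace to creation"


def _index(replica: Iterable[Record]) -> Dict[str, Record]:
    return {r.rec_id: r for r in replica}


def find_disputed(replicas: List[List[Record]]) -> Set[str]:
    """Record ids on which the replicas do not all hold one identical copy.

    A record missing from some replica counts as a disagreement as well, which
    is how a record injected into only one system shows up.
    """
    indexes = [_index(rep) for rep in replicas]
    all_ids = set().union(*(ix.keys() for ix in indexes))
    disputed: Set[str] = set()
    for rid in all_ids:
        versions = {ix.get(rid) for ix in indexes}  # None when absent
        if len(versions) != 1:
            disputed.add(rid)
    return disputed


def accepted_records(replicas: List[List[Record]], quorum: int) -> Dict[str, Record]:
    """Keep a record only when at least `quorum` replicas hold identical copies.

    With quorum > (number of replicas an attacker can subvert), a spoofed
    record never reaches the accepted set; the attacker has to break several
    systems instead of one, which is the point of the defence.
    """
    indexes = [_index(rep) for rep in replicas]
    all_ids = set().union(*(ix.keys() for ix in indexes))
    accepted: Dict[str, Record] = {}
    for rid in all_ids:
        votes = Counter(ix[rid] for ix in indexes if rid in ix)
        record, count = votes.most_common(1)[0]
        if count >= quorum:
            accepted[rid] = record
    return accepted


# Constructed sample: three replicas that should be identical copies of the ledger.
_GOOD = [
    Record("T1", "acct-A", "acct-B", 100, "branch-1"),
    Record("T2", "acct-B", "acct-C", 250, "branch-2"),
    Record("T3", "acct-C", "acct-A", 500, "branch-1"),
]
REPLICA_SITE_1 = list(_GOOD)
REPLICA_SITE_2 = list(_GOOD)
REPLICA_SITE_3 = list(_GOOD)
# Tampering confined to single replicas (constructed): an altered amount on T3
# at site 1, and a phony record at site 2 crediting an account no other site knows.
REPLICA_SITE_1[2] = Record("T3", "acct-C", "acct-A", 5000, "branch-1")
REPLICA_SITE_2.append(Record("T9", "acct-A", "acct-X", 999, "branch-1"))
REPLICAS = [REPLICA_SITE_1, REPLICA_SITE_2, REPLICA_SITE_3]


if __name__ == "__main__":
    print("disputed:", sorted(find_disputed(REPLICAS)))
    for q in (2, 3):
        ok = accepted_records(REPLICAS, quorum=q)
        print(f"quorum={q}:", {k: v.amount for k, v in sorted(ok.items())})
```

Raising the quorum above the number of replicas an attacker could plausibly subvert is what turns "break one system" into "break several"; the trade-off is that any genuinely lost replica also lowers the number of records that can be accepted.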

  3. Re:CBRN != Cyber by MindStalker · · Score: 2

    Phone rings. "I'm Bob in IT support. I'm having trouble with the modem bank. Can you check the modem to make sure it's turned on? Also, can I have the number to make sure I'm using the right one?" Of course, being the diligent and helpful worker that he/she is, they are happy to help. Just got finished watching "Hackers"?? HEHE jk. Actually your scenario can and does happen, just for some reason I couldn't quite get the scene out of Hackers out of my mind while reading your comment. I'm not insulting, just chuckling :) (or the sushi I just ate could be talking.. who knows)

  4. And while Johan does that... by tilly · · Score: 2

    Or whoever Jane has do that...

    The key to a lot of cracking attempts lies in getting specific information. Names of key servers. Names of people who have user accounts. Passwords. Descriptions of security provisions. That kind of thing.

    Much of this is easiest to get on the phone. The same techniques that a real journalist uses to get at information that is not public knowledge are the techniques that crackers use to break into systems. So stop and think about whether you managed to (or could have) obtain information that would help you break into the system. Said information can be as innocuous as knowing who the employees are, personal tidbits about current employees, that sort of thing.

    Don't believe me? Well a common technique is to call someone up, pretending to be another employee. Pretending to be a real person that the person on the line is likely to have heard of is more likely to get you in. For instance you could call up and say, "Hey, this is Greg Watson over in accounting. I am looking for Bill Smith. Do you know where he is? ... He just quit? Shoot. I was hoping he could get something for me ..."

    See? By knowing the name of someone who just left, someone who is still there, and someone in another department, you have an excellent chance of getting information that you should not have.

    As for security, no, not all systems can be easily broken. Of course there are some people who if they want in, will get in. You have to expect that. But most of what you have to worry about are common yet easily exploitable holes. For instance a lot of companies trust Microsoft's VPN implementation. In fact it is about as secure as swiss cheese and cracks are fairly readily available.

    As long as easy targets are readily available in large numbers, I would be more worried about terrorist attacks on them than I would about anything else. (Attacks against information sources can be very profitable as well. Infiltrate a VPN. Sell the information to someone else...)

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht

  5. Re:CBRN != Cyber by Anonymous Coward · · Score: 2

    Attacks involving cyberwarfare are much easier to carry out than your typical CBRN attack. Depending on the security of the target, an untrained attacker using an exploit found on http://www.rootshell.com can bring down critical servers. I don't believe it is quite that easy to design/construct/use a chemical, biological, or nuclear weapon. On a well implemented system, however, it can be much harder to disrupt with cyberwarfare than with more conventional means of mass destruction. The knowledge required to put forth such cyberattacks is not very common. Anyone can run a script and exploit a fresh Windows NT Web Server, but disrupting a service, especially a non-networked service, is not in the grasp of your average computer user.

    As far as off-the-shelf software, ummnn... No. There is no magical software which can bring an entire country's infrastructure to its knees (other than stock Windows ;P).

    I personally don't know of many attackable systems, but I would generally think it would be systems that have become more computer controlled than not. Power grids, possibly, but unlikely... I have my doubts that anyone can shut down an entire power grid without using some form of non-cyber attack. Telecommunications seems it would be susceptible to a well developed cyber attack.

    Recovery from such an attack would most likely be quick for a majority, and long lasting for the remaining minority.

    The problem with cyberterrorism will definitely get worse before it gets better. There are some pretty big information gaps between the well informed "Wizard" of technology, and John Q. Public. I understand that most of the world's infrastructures are not run by total buffoons, but most of them are just normal people with normal jobs who know very little about how the system they work on *REALLY* works.

    The only thing that can really be done preventatively, is to assess security with a realistic standpoint. Security is more a set of compromises than a true 100% solution. Nothing can be truly secure if it is computerized. Instead, we use the best possible security which still allows the system to function (things can be *too* secure). Many sites may need to reassess their security policies, since many security policies are quite old. This, along with more technical training for John Q. Public (this'll be a while) will help to ensure that cyberterrorism's threat is more limited, since it will never go away.

    FeeDBaCK

  6. Re:CBRN != Cyber by kkenn · · Score: 2

    > I'd add that using the Internet as it is
    > currently designed to communicate between
    > members of a terrorist organisation would not
    > be a good idea -- it goes against the "cell"
    > concept which is known to be the best way
    > to organise.

    Au contraire. Using the internet the way most people do (i.e. only believing they're anonymous) would certainly defeat the concept of private terrorist cells, but on the other hand there is infrastructure like double-blind anonymous remailers, "onion routing", etc, which can be used to implement true anonymity (at some cost, up-front and ongoing).

    These kinds of infrastructure already exist publicly, and I have no doubt that there are similar networks of a more underground nature in existence.

    One hears rumours every now and then of "super-cracks"..some of them have made it here - spooky stuff which Should Not Have Been Possible. A lot of it (undoubtedly most of it) is fantasy, of course, but it makes you wonder..

    I've often thought about what it would be possible for a well-funded agency to achieve in terms of penetration tools; a lot of systems (in fact, according to studies, most systems on the public internet) are vulnerable to really stupid holes, but the tougher nuts (probably the most individually interesting nuts) require more sophistication to attack.

    However, given some decent programming expertise and resources, I'm sure it would be possible to create an intelligent automaton which contains a vast repertoire of cracker tricks, from the subtle to the overt, which could be pointed at a network (with suitable background research) and throw its bag of tricks at it until it gets inside, and from there rapidly subvert the connected trusted hosts. Giving the worm a wide variety of "stealth tools" to allow it to hide once inside would make it in practice almost invulnerable once entrenched.

    This is not far removed from the "counter-ICE" intelligent tools of cyberpunk lore.

    Obviously, this is not easy to do, but on the other hand the rewards for anyone who was able to create such a beast would be immense.

    Some possibilities:

    * Given that most networks on the internet are vulnerable (Reference: the folks who did the study using BASS recently - URL not handy at present), you could take down a goodly proportion of the hosts on the internet with a concerted attack (subvert widely-distributed systems for a while as a platform, then on D-day use them to launch all hell onto the internet). While this wouldn't have much effect on the Real World, it would cause an enormous resource commitment to repair the damage, generate huge publicity, and even bigger "fear factor" among the people you don't penetrate. It would probably hit the economy pretty hard, actually..all a result of some aberrant ones and zeros - neat, huh?

    * Variation: covert agent X injects the worm into the private (non-internet) network of a target - e.g. a foreign military network, or the operations management system of emergency services. Used in conjunction with other forms of attack, like frontal, obvious, "direct assault" electronic attacks to divert attention to the real attack, and ("conventional") physical attacks like bioweapons, this would create mass confusion, and potentially, mass destruction.

    * Corporate blackmail: your worm finds its way into the network of a company you find politically objectionable, and then releases all security measures (deactivates firewalls, installs backdoors, alternate passwords, etc), and publishes them to the world, or to a competitor. Result: potential devastation of the company (loss of intellectual property, exposure of business secrets and practices, skeletons in the corporate closet, etc).

    The internet worm of 198x was solved by people who were able to coordinate rapidly to analyse, solve and fix the entry mechanism. That (like more recent variants, like Melissa), was a one-track, stupid pathogen which was correspondingly easy to defeat once the vector was known.

    Now imagine a worm which selectively exploits all known remote buffer overflows, many unknown (publicly) ones, denial of service attacks, TCP sequence spoofing, network sniffing, breaking of insecure protocols, ad infinitum, can hide stealthily within an operating system and network so the system's tools do not show its presence, which contains binary code that runs on every major OS, which responds to detected attempts to "capture" it by death and/or retaliation, etc etc.

    How do you even begin to deal with that kind of thing on an enterprise level? You'd have to assume every machine is infected, and low-level wipe everything, being careful to distrust the existing data when you put it back. Then you'd have to patch every possible entrance mechanism onto the machine (difficult, given that Windows 9x machines are fundamentally unsecurable), and if you miss just ONE access hole then your machine is under again. Of course, this assumes you even know what you're dealing with, which is unlikely for the first few iterations, and you know about every vulnerability the worm is exploiting on your machine.

    In principle, there's nothing stopping you from writing such a beast - individually the components are all well understood (except perhaps the "intelligence" behaviour which would have to be abstracted from human knowledge). In the face of an attack like this, the confusion would be enormous, when finally discovered and believed: "My solaris system got rooted by a RPC exploit". "That's okay, I don't run solaris. Hmm...my NT box is acting funny, though. Probably just needs a reboot..damn script kiddies".

    This should be enough to make people very, very worried..given the notorious complacency of management towards security policy and implementation, and the continued daily proliferation of new remote exploits, it's a problem which is only growing in size, and it's a matter of time before Something Happens.

    Sooner or later, someone is going to write this so-far (I hope) mythical ueber-worm, and when the Cybercalypse happens it's going to be a long week indeed for all of the professional sysadmins out there (and at the end of it, all they've got to look forward to is being fired for building a bad network, even if it wasn't their fault).

    I only hope that once the network rebuilds, people learn to do better next time :-)

    [This descent into paranoia sponsored by the Judean People's Front, that guy sitting on the computer behind you, and the number FNORD]

  7. CBRN != Cyber by rde · · Score: 5

    Although the article lumps them together as 'terrorist weapons of mass destruction', cyber attacks are very different from chemical, biological, etc, attacks for a whole bunch of reasons:

    Finance. The article implies that major finance is required to implement major attacks; this is not the case for cyber attacks; L0pht bulletins and Phrack are all that's required, along with a script kiddie mentality.

    Nature of attack. Cyber attacks in general don't attack people; they attack infrastructure. If properly implemented a lot of people will die, but as a side-effect. Biological attacks, OTOH, attack only wetware and leave infrastructure intact.

    Personnel. One deranged chemist can do quite a bit of damage, but an embittered genius nerd can do much, much more. Remember that interview with L0pht? "I can shut down this power grid now."

    On the subject of state-sponsored terrorism: I honestly don't believe that this is the problem a lot of people make it out to be. If your system goes down, it's a lot cooler to say it was the Indonesian Government than a dodgy cgi script. I'm not saying it doesn't happen, but I do believe that it's seriously overhyped.

    Finally: defenses. Up to a couple of years ago, people thought of security the way people in the 80s thought of Y2K: it'll probably be a problem some day, but we'll muddle through. Any system put together in the last couple of years was implemented with security in mind (if it wasn't, shoot the sysadmin), but most systems more than a couple of years old are inherently insecure. Ironically, Y2K could prove to be a boon, as audits will give detailed reports on exactly what's in a system, and this information can be used to boost security.

    1. Re:CBRN != Cyber by oneiros27 · · Score: 2

      I'd definitely have to agree on this one. What is the reason for lumping together the two types of attacks?

      There are significantly different resources behind the two, defenses, and in my opinion, different motives. (I mean, you don't have someone spreading some minor disease everywhere, 'just to see if it would kill someone', yet you have script kiddies downloading exploit scripts and running them against every last machine they can find, hoping to get a kill)

      That's not to say that at times, the motivations may be the same, but you don't often get some prankster deciding that it'd be cool to show someone a hole in their security by cultivating anthrax, and dropping it inside a building.

      The article seemed to be missing quite a few important points (but then again, I got bored with it, and skimmed a few sections, so it might be my fault). All that's really needed for a computer hacker is someone who understands how/why things work, and has a good ability for problem solving.

      There's quite a few good precautions to take... one is simply creating good policy on how to deal with perceived threats, especially internal.

      Here's a real life example, as it happened to me:

      I once put something on a web site discussing how a faculty member was using university equipment to start up his own company (mind you, purchased tax exempt), and had given us inferior equipment to use, with 'Property of NASA' stickers on it (where he also worked). Well, I also happened to use the word 'fuck' in reference to him and some others on the site in a few locations, which was a breach of the Code of Computer Conduct, so I got called to the dean's office, and they threatened to have me expelled (I wasn't aware at that time that they were getting a few mil in grant money from Ford for some other research the teacher was doing, and the school was more than willing to let me go rather than lose their funding). Anyway, in the course of the discussion (which I really should transcribe, along with the faculty member threatening me in the hallway afterwards, as I have it all on tape), they threatened to have me removed from my job at the university.

      That was a really bad move, as had I really been pissed off at them (which well, I admit, I hold grudges), I would have immediately gone to the system, and given myself a few backdoors in (as I worked in academic computing, and had root access on the 20k+ user mail server). So anyway, either fire people, or don't. If you've got a computer person whom you think is a problem, don't give them any warning. Lock them out as best you can, and begin a full audit of the system to see if they've left in any back doors. Never even hint at firing someone, or they could put a few hooks in there, just for the fun of it. (eg, something that would trigger should their account ever be removed, etc.)

      Most places that are even reasonably sensitive should already have protocols such as this, but I don't know the intended audiences for this article.

      --
      Build it, and they will come^Hplain.

    2. Re:CBRN != Cyber by Anonymous Coward · · Score: 2

      Here in the US, there is currently a roundup going on of a fairly major criminal organization of people who made their living by computer crime. They cracked virtually every phone company's record system, for instance, and sold calling card information for $2 a card. They played games with the FBI's computers, redirected phone bills (the FBI got a $200,000 phone bill for a dial-a-porn service), and the like. They were selling info from the FBI's criminal data base to the Sicilian mafia. They had also wandered through virtually all of our major public utilities, major corporations, etc.

      These individuals lacked directed leadership, and generally had second class equipment--they were basically a bunch of losers who found something interesting to them to do, and a way to make a living. They are reputed to have been in a position to take out our power grid, shutdown our phone service, and mess with a lot of other things (water here, natural gas there) we need everyday to maintain a civilized existence. Given a lot of the things we have learned preparing for Y2K problems, this could potentially be very serious (e.g., although the nuclear reactors themselves are very secure, loss of circulation of coolant to many spent fuel recovery ponds could potentially lead to a Chernobyl type of event after a week or so, and these were not backed up and secure).

      Our infrastructure will never be secure without wide availability of the type of strong encryption our government is dead set against us having. Anything which is networked is insecure (as our government recognizes in its security protocols), but by insisting that phone companies, utilities, etc., keep their files secure by encryption would not only save them a ton of money they lose to fraud every year, but would go a long way towards placing their infrastructure systems beyond the reach of attack by any but the best equipped of nations. I.e., if instead of a $600 used computer and a $50 modem to gain access through some unguarded side door on another system, you need an additional miniature NSA to work on the encrypted files you find inside, then you have placed the game beyond the reach of the sociopath next door and made it a game for sociopaths running nations. There are resources sufficient to watch the other nations of the world, but the Oklahoma City bombings (for instance) showed you cannot catch all the local nuts in time.

    3. Re:CBRN != Cyber by jsm2 · · Score: 2

      This is true, but we're talking about terrorists here, which makes insider attack less of a consideration. Insiders should be watched like hawks, but in general, their crimes will be dedicated to stealing valuable things. They lack the ideological motivation of the true terrorist, so they will attack different targets, unless they need funds. But in general, bank clerks and power station workers are not "outsiders", so they don't join terrorist organisations.

      Social engineering is obviously a problem, and you get props from me for mentioning it (sorry, I don't have points to give). I think the solution here lies in censoring this kind of information from employees. As many terminals as possible should be kept as dumb as possible, and all requests for systems information be directed to someone central who knows exactly who is bona fide and who isn't.

      jsm

    5. Re:CBRN != Cyber by Mister+Attack · · Score: 2

      > In my opinion, the fundamental difference is that Cyber attacks are utterly unlike any other form of attack because they do not involve the delivery of large amounts of energy to the enemy...

      Chem/Biological weapons also don't involve large amounts of energy delivered to the target.

      What, then, is the fundamental difference between cyber attacks and other attacks using "weapons of mass destruction?" The obvious answer is that CBRN attacks are aimed at a) creating terror and b) killing large numbers of people (this is usually a secondary goal), whereas cyber attacks are aimed at either destroying or rendering useless the communications infrastructure. In the case of either CBRN or cyber attacks, the goal is to make the military's job much more difficult. The end is the same, only the means are different. CBRN attacks work by clogging or destroying physical infrastructure, e.g. by filling hospitals with patients and highways with people rushing to flee affected areas. Cyber attacks, on the other hand, disrupt the communications infrastructure either by spoofing or DoS attacks. The real danger would come from coupled cyber and CBRN attacks. For example, with the major communications lines jammed from a cyber attack, the military would have no chance of effectively organizing to control spread of disease, etc. after a biological attack.

      So how can we prevent cyber-attacks? Obviously, documented security holes must be patched immediately, and if I recall correctly, our military hasn't always been great at getting on the ball to do so. Beyond that, standard security measures (start by denying everything, then let in the things you know you want) could go a long way to preventing an effective cyber attack on the USA.

      As always, my opinions are my own.

    5. Re:CBRN != Cyber by LinuxParanoid · · Score: 3

      I would add to the previous poster's bullets that "CBRN" and "Cyber" threats are also different in the following ways:

      Radically different logistics: terrorists face reduced logistical barriers to insertion/destruction: physical logistics takes on radically reduced importance when attacks can be relayed remotely over the global telecommunications infrastructure. Logistical-oriented defenses for detection and interception (e.g. borders) become largely irrelevant.

      Greater freedom of information: certain types of nuclear and biological expertise are closely guarded and narrowly disclosed, while attack tactics and strategies are much more widely available in online communities, largely in hopes of exposing infrastructure flaws so that they can get fixed.

      Reduced scarcity of precursors: while physical precursors to biological, chemical and nuclear materials can be controlled, at least to a limited extent, controls over precursor material useful for "Cyber" attacks are substantially less effective due to the fluidity of information flow (i.e. ease of dissemination) and availability of encryption for hiding information flows. Restricting information flows runs counter to the information-sharing process that has created existing technological (and economic) progress, not to mention raising problematic civil liberties issues. And restricting encryption technology exposes corporate interests to increased espionage vulnerabilities.

      --LP

    6. Re:CBRN != Cyber by GooberToo · · Score: 2

      "Any system for which the safe frequency is too low for the backup defense to be practical (for example, a power grid) should be kept remote from networks; although this does not defend against attacks from insiders, network seclusion should allow the terminals of the vulnerable network to be physically guarded."

      As I understand it, the majority (in the range of 80%) of IT attacks reported are associated to insiders or social engineering.

      Phone rings.
      "I'm Bob in IT support. I'm having trouble with the modem bank. Can you check the modem to make sure it's turned on? Also, can I have the number to make sure I'm using the right one?" Of course, being the diligent and helpful worker that he/she is, they are happy to help.

      I believe that internal security, planning, and employee education far outweighs the need for external security. This is not to say that diligence should not be given by a sysadmin, however, physical accessibility should always be addressed. This, of course, assumes that www.norad.nukem.gov is also unavailable.

      I've worked at a place that had computers in a room behind locked doors, but the routers and switches were on racks external to it. Anyone could walk up, plug in, and snoop all they wanted.

  8. is it possible to protect against? by segfaults · · Score: 2

    The main thing that comes to mind when reading this is the fact that a person with about 1k US$ to spare can go to radioshack and pick up the parts for a machine which will "crash" an unshielded soldid state computer. Things like that are in my opinion the worst threat. Hackers can only do so much, but a terrorist with one some type of EMP, or other such, device could just disable some important facility. Think about air control towers, are those computers shielded? How about 911 dispatches? I could be wrong, if I am tell me.

    --
    (---- The public is merely a multiplied "me". -- Mark Twain

  9. Hackneyed alarmism by redelm · · Score: 5

    This article is extremely poor. It reads as if the author had done a global search-and-replace of CBNR to CBNR/Cyber, plus added a very few IT paragraphs. The tone is unreasonably alarmist.

    It makes no distinction between cyberterrorism, which is an attack upon C3I (command, control, communications & intelligence) systems, both military and civil, and terrorists using their own cyber C3I.

    Worse, it confuses C3I (infosystems) with CBNR (weapons systems).

    Jane's editor asks some good questions, but this article cannot even be rewritten to answer them.

    -- Robert

    1. Re:Hackneyed alarmism by Roblimo · · Score: 3
      Johan, the Jane's editor, agrees with you. That's why he's soliciting comments from Slashdot readers - and is going to write a whole new article based on them that'll run alongside the original clueless piece. This is a great exercise in showing the difference between "official" thinking (which generated the original story) and the "grass roots, hands on" style of thinking common among Slashdot readers (and authors and editors too, come to think of it).

      - Robin "roblimo" Miller

  10. Vulnerable systems by Laurion · · Score: 2

    I'd also like to bring up the very good point that your vulnerability is directly related to the systems you are running, and how well they are configured and maintained. For starters, any machine not on a network is almost infinitely more secure than one that is. But if you have to have a computer on a network, you better make sure you have someone who knows what they are doing configure it for security. Or get something that is inherently secure. Not to sound like a fanatic (just a fan), please note the Army's recent decision after counsel with the W3C to switch their web server to a Macintosh. However, it may not be practical or desirable to switch every machine in the operation to something else. The only way to fight knowledge is with knowledge. Fight cyberterrorists by being smarter and better than they are. That alone should take care of most of the script-kiddies. Then you have to worry about those who are smart enough to do it for other reasons...

    --
    "Is this not a rare fellow, my lord? He's as good at any thing, and yet a fool." -from "As You Like It", Act 5,

    1. Re:Vulnerable systems by Anonymous Coward · · Score: 2

      What if the script-kiddies are guided by somebody more knowledgeable?

      Say, for instance, that I were a foreign agent interested in finding out how secure a governmental system was.

      Why couldn't I just write some tools, pass them off to some 3leet wannabe lusers in an IRC channel, and later (under a different 'nick from a different site) monitor the same or similar channels waiting for the lusers to brag about "their" exploits? Somebody has to have a clue, but it need not be the attackers themselves.

  11. Cyber-intelligence and other applications by Frank+Sullivan · · Score: 3

    The intense focus on "shut down the power grid" scenarios, and tight analogies with physically violent techniques (unlike CBRN, "Cyber" warfare is not inherently violent/destructive), serve only to ignore much more potentially effective uses of IT in terrorist warfare - intelligence-gathering, counterintelligence, and disinformation. The article does not touch on these points *at all*, and quite frankly is worthless sensationalism without them.

    In warfare as well as in business, IT is "the great equalizer". Its low financial barrier to entry, relative to heavy industry, allows even the poorest organizations an IT effectiveness equal (or nearly equal) to the richest, most powerful nations and corporations. The greatest advantage the covert warfare arms of major nation-states (CIA, Mossad, etc) have over small terrorist organizations is the financial wherewithal to develop massive intelligence networks, and to easily spread disinformation via access to public media and an enemy's internal communication channels. IT very much levels the playing field in this regard.

    If a terrorist group can penetrate the security of an enemy organization's computer networks, they do not need to do any damage to be militarily effective. Rather, they can quietly copy information to process at their leisure, without having to physically smuggle it out of secure facilities. In particular, this approach, combined with automated "data mining" techniques, can be used to search for useful patterns in vast stores of insecure and apparently unrelated data (c.f. Stoll, Clifford: _The Cuckoo's Egg_ (a very well documented example of state-sponsored computerized intelligence gathering)).

    Another use for this access is disinformation. False or misleading information can be planted in (or deleted from) databases, undermining the effectiveness of organizations relying on that information. And in our current world, where authentication via strong encryption is still rare and nonstandard, IT can make forgery easy. Credentials can be forged to fool authorities or the media for purposes of disinformation, or to enhance covert physical activities.

    Encryption also provides effective counterintelligence for very low cost, both maintaining information secrecy and providing authentication for otherwise anonymous data. Public key encryption can allow a network of intelligence to communicate secretly, without direct contact, and with sophisticated tools for obsoleting compromised keys and secrets. The major governments, who have long depended on spying on civilians, have good reason to fear this technology.

    Another use for IT is the copying and *publication* of incriminating information. For an example, consider an environmentalist "terrorist" organization uncovering and publishing secret corporate or government documents on toxic waste spills, or covering up the hazards of a project. No physical violence need be performed to do terrific practical damage. Remember the Pentagon Papers? Their publication was instrumental in turning the tide of public sentiment against the Vietnam War. Yet those had to be delivered as physical copies by an internal spy to a major media group, and the government nearly succeeded in suppressing the evidence in court. With electronic copying and widespread distribution, governments no longer have any power to stop such publications.

    Of course, we could go into much greater detail, with more specific examples, but I think the point has been made. The article ignored the most effective uses of IT for terrorists, while simultaneously advancing unrealistic and undocumented doomsday scenarios (shutting down the power grid), and blowing normal organizational activity out of proportion (bin Laden's use of email, for example). Rather than a Slashdot-driven rebuttal, the editors would do well to reconsider publication of the article altogether, until a more comprehensive and realistic article can be written.

    ---
    Maybe that's just the price you pay for the chains that you refuse.

    --
    Hand me that airplane glue and I'll tell you another story.

  12. Misc nitpicks. by Anonymous Coward · · Score: 3

    Comments on the specific Q's
    * It would depend upon the vital system, of course. It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.

    * Skills? There has to be somebody available to *write* the original program, and that probably means knowing something about how the target site is operated. If it's done well and does not require user input, it *might* then be possible to hand the program to a 3-year-old with his finger on the 'enter' key, and take the next flight.

    * Define CT. Does a denial-of-service count? Did the "Ping of Death" count? Does 'telnet' count?

    * The only way to know what's attackable is to know every system. I don't pretend to be omniscient, but common sense should apply; my refrigerator is not running a Telnet server, for instance. My bank probably uses encrypted communications and a journaling filesystem with transaction logging. A web guestbook might not have been written w/ an eye towards preventing filling-up-the-disk. Etc.

    * Recovery? It depends. If one gets "rooted" and the attacker simply wipes all files, it's time to go get the mag tape. If the attacker simply uses your machine to go on online chats and doesn't actually *do* much, that's a different story. Of course, many will point out that you can't *really* know unless you were watching the entire session, and should therefore reach for the mag-tape.

    * It's a continuing race. Those who neglect security have more to lose, however.

    * Advice? Use your head. Use systems by people who actually care 'bout security. Follow principles 'bout least-privilege and so forth. And don't bring your box online before searching for relevant docs -- but also don't believe that the sky is going to fall as soon as you plug in that cable.

    Misc notes --

    * (minor) Possibly, the full name of the LTTE -- the Liberation Tigers of Tamil Elam -- should be used. {shrug}

    * Similar minor nitpick: Is it 'bin Laden' or 'Bin Laden'? I've seen both in print.

    * Something to note: a 'Cyber' attack, as the article terms it, would most probably not incur nearly as harsh retaliation as a CBRN attack would.

    * As was noted above and no doubt below, substitute 'cracking' for 'hacking'.

    * Consider adding the motive 'extortion'. This may or may not be plausible based on the difficulty of getting the money...

    * Consider adding the motive 'fear-mongering'; that is, causing a population to be unduly alarmed at the alleged possibility that their banks will be raided or that malicious crackers will down a jetliner or so forth.
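
    The guestbook remark above (a service "not written with an eye towards preventing filling-up-the-disk") is a resource-exhaustion failure that is cheap to prevent at the point where untrusted input is written out. The following is an added example, not code from this thread or from any poster: a minimal guestbook back end that caps each entry, enforces a total quota on the file, rate-limits each client, and strips line breaks so one entry cannot forge extra records. The class, method and limit names are illustrative assumptions.

```python
"""Guestbook writer that cannot be used to fill the disk.

Added example for this thread, not code from any poster: a minimal
guestbook back end that enforces a per-entry size cap, a total file quota
and a per-client rate limit. Names and limits are illustrative assumptions.
"""
import os
import time
from collections import deque


class GuestbookError(Exception):
    """Raised when an entry is refused; the web layer reports it to the client."""


class Guestbook:
    def __init__(self, path, max_entry=1024, max_file=1024 * 1024,
                 max_posts=5, window=60.0, clock=time.monotonic):
        self.path = path
        self.max_entry = max_entry      # bytes allowed per entry
        self.max_file = max_file        # total bytes the guestbook file may reach
        self.max_posts = max_posts      # posts per client per window
        self.window = window            # window length in seconds
        self.clock = clock              # injectable so tests control time
        self._recent = {}               # client id -> deque of post timestamps

    def _check_rate(self, client):
        """Sliding-window limit so one client cannot exhaust the quota alone.
        Refused attempts still count against the client."""
        now = self.clock()
        stamps = self._recent.setdefault(client, deque())
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.max_posts:
            raise GuestbookError("rate limit exceeded")
        stamps.append(now)

    @staticmethod
    def _sanitize(text):
        """Keep printable characters only: CR/LF are dropped so an entry
        cannot forge extra records in the line-oriented log."""
        return "".join(ch for ch in text if ch.isprintable()).strip()

    def current_size(self):
        return os.path.getsize(self.path) if os.path.exists(self.path) else 0

    def append(self, client, name, message):
        """Append one entry; returns the number of bytes written."""
        self._check_rate(client)
        record = f"{self._sanitize(name)}: {self._sanitize(message)}\n"
        data = record.encode("utf-8")
        if len(data) > self.max_entry:
            raise GuestbookError("entry too large")
        if self.current_size() + len(data) > self.max_file:
            # Refuse rather than truncate: the file stays well-formed and the
            # worst-case overshoot under concurrent writers is one entry each.
            raise GuestbookError("guestbook quota exhausted")
        with open(self.path, "ab") as fh:
            fh.write(data)
        return len(data)


if __name__ == "__main__":
    import tempfile
    demo = os.path.join(tempfile.mkdtemp(), "guestbook.txt")
    book = Guestbook(demo, max_file=64)
    print(book.append("198.51.100.7", "alice", "hello"))   # constructed client id
    try:
        book.append("198.51.100.7", "alice", "x" * 200)
    except GuestbookError as err:
        print("refused:", err)
```

    The size check is done before the write so the file never exceeds the quota by more than one capped entry; a quota that is checked only after writing, or a cap applied by truncating the entry, still leaves the disk fillable or the log corruptible.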

  13. For certain values of "Open Source"... by Paul+Crowley · · Score: 2

    This is the other meaning of the phrase "open source" mentioned on the opensource.org Web pages: in intelligence/surveillance circles, an "open source" is one openly available, like a newspaper or magazine you can just buy anywhere, as opposed to a source that's handing you information that not just anyone can get. The two communities may be closer than we'd guessed!
    --

  14. Answers... by Alex+Belits · · Score: 2

    1. Using CT, how easy or otherwise is it to bring down or attack vital systems?

    This depends on the level/quality of security measures and goals of the attackers. "Attacks" against computers and networks most likely don't have a goal to perform actual destruction -- access to "enemy's" computers and networks is much more valuable for gathering information while those systems are considered to be secure rather than for performing actual acts of destruction and very likely exposing the insecurity. Well-known cases of successful unauthorized access to computers are more at the level of high-visibility pranks (defacing web pages, demonstrating the access to private information stored on some company's servers, etc.), and even though they can be used to threaten companies and governments, there is no evidence that it ever was done.

    However if the goal is to actually perform something destructive, the possibilities are abundant -- everything that is controlled by computers theoretically can be vulnerable to some kind of computer-based attack. The possibility of attack depends on the possible ways, computer and/or network can be accessed.

    2. What sort of skills would be needed to do so, and are they common/teachable?

    Basic skills are very common, and are available to every person with basic understanding of computers and networks. Pre-made scripts, kits, etc. (software-only) are widely available, and skills, necessary to apply them are at the "advanced computer user" level. Some of them are targeted for gaining unauthorized access to some kind of systems, some are designed to temporarily disable some functions (denial of service attacks) however none of them are specifically targeted to perform actual destruction of something in particular (phone systems, banks, military, etc.) -- some more advanced knowledge is required to actually perform an attack with noticeable consequences beyond the level of shutting random computers down, disabling parts of networks, disrupting email and file transfer services and gaining unauthorized access to various information.

    Skills necessary to design software for sophisticated attack, perform the attack while unknown obstacles are present, and establish monitoring of compromised systems or networks are less common, however still widespread. In most of cases they are at the college student level.

    Skills, necessary to establish an outside link from the closed network or standalone computer, with communication equipment present, are basic skills necessary for any work with computer/communication equipment, however it does not include the ability to perform those actions secretly.

    3. Commercial-off-the-shelf software: can it really do CT?

    Both commercial and noncommercial software can be used for all kinds of attacks. Software specifically designed to be used for such attacks is available as well as various kinds of security probes, monitoring software, etc. that are not specifically designed for such a goal yet can be used for it. However more important is that large amount of software that is used in various systems is vulnerable to attacks because of poor design, bugs or unrealistic expectation of secure environment, the software is supposed to work in.

    4. Which systems are actually attackable?

    Obviously, system that is not connected to any kind of communications is only vulnerable to the direct physical attack, and if physical access is gained, attack can't be stopped by any means other than disabling the access and recovering the system. However the goal of the physical access to that kind of computer may be to establish some kind of communications between those kinds of machines and something else instead of performing destructive actions or copying the data directly -- for example, by attaching some kind of communication equipment, by the use of existing but disabled equipment, etc. Usual physical security measures and restricted access to this kind of computers can prevent all kinds of physical attacks, and measures that restrict the use of communication equipment, shielding, etc. can prevent unauthorized links.

    Computers, connected to some closed local network (with no physical links outside the secure environment -- not systems that have networks with physical connections outside, restricted by some kind of firewalls or gateways), or have long console links are vulnerable to attacks that originate from within the network. The difference from true standalone system is that those networks already have large number of communication equipment working, and their size and accessibility allow more possibilities to establish "invisible" links. In most of cases there is some possibility to attach something that establishes this kind of link without bringing any additional equipment, and even in the case when external communications are severely restricted (no phone lines) it's possible to add some wireless device, powerline communications, etc.

    Computers, connected to some restricted local network (with connections outside, restricted by some kind of firewalls and gateways) are vulnerable to various kinds of attacks, originated both from within and from outside. Attack from outside may be started from using some service, accessible from outside for some reason, or from directly compromising a firewall, accessible from outside. Attack from inside can be everything mentioned above plus compromising firewall or installing some software or hardware that establishes connections from something outside by mimicking a legitimate use of the firewall, and attack from outside very likely can have a goal of installing a software of this kind. After firewall is compromised, this configuration can remain inactive for a long time without being detected by any reasonable means. The service, used for initial attack can be something innocent-looking enough to be allowed by the firewall and vulnerable enough to be used for its compromise -- email with vulnerable mailreaders, HTTP with vulnerable browsers, etc.

    Virus or trojan programs can be used for initial attack if the computing environment in such a network allows them to be viable.

    If a restricted network allows some computers outside to access some "privileged" services that can be used for an attack, those computers can be the initial target, and once compromised, can be used to access the restricted network even if the means for communications between those outside computers and restricted network are secure. If the means of access are in some way insecure, they can be attacked instead of computers with the goal of spoofing communications with those computers and gaining access on their behalf.

    Stand-alone computer with dial-out or dial-in modems, or closed local networks with such computers are in the same category as restricted local networks.

    Restricted network after the firewall compromise are either in the same state as unrestricted networks, or, most likely, unrestricted and compromised in some way.

    Computers, connected to unrestricted local networks or "directly to the Internet" (what is basically the same thing) can be vulnerable to various attacks, with vulnerability depending on the secure configuration of the system software and applications running on it. Vulnerabilities can be divided into two classes -- "local" and "remote". Local vulnerabilities allow various kinds of access to data and functions (up to absolute control of the system) to users that already have some restricted access to the system. Remote vulnerabilities allow users that have absolutely no access to the system except possibly the use of services, available to the "public" -- such as sending email to the system, accessing HTTP server, etc. to gain some access, and often absolute control of the system. Note that "local" in this case does not mean that user is physically present anywhere near the computer -- it means that user has to perform some action while logged into his account on the computer, as opposed to "remote" user that may have no accounts at all. Protection against attacks directed against such computers include proper configuration of security features, provided by applications and operating systems and disabling unnecessary or known to be vulnerable software and services.

    All kinds of computers, including ones that are connected to restricted or closed networks, should be protected against attacks of this kind, even if restrictions placed on the networks are supposed to prevent them. This is important because networks, despite being protected, often have a large number of points of failure from the security standpoint, and attack may originate from within the network. Networks that have computers, using software known to lack security features, should have those computers separated from the rest into subnets, with firewalls, configured to prevent exposing those vulnerabilities to all other, even "friendly" computers.

    Networks can be compromised to allow an intruder to read, disable or spoof traffic through them, thus allowing the possibilities to attack computers attached to them. In general, once one computer or router is compromised, and attacker gained the complete control over it (root, administrator, etc), part of the network is compromised with it. In different network configurations such compromise may be limited to the traffic to/from the host, some local group of computers, local subnet, group of subnets before some firewall, or the whole organization.

    Computer, connected to non-compromised local network or "directly to the Internet" is in most of cases more secure than computer, connected to compromised network, unless it uses unencrypted or poorly encrypted communications to pass sensitive data through parts of the network that can be compromised. Computer, connected to compromised network can remain secure if it only uses sufficiently encrypted communications, and does not depend on other computers that are already compromised.

    5. Can a recovery be made from such attacks?

    In most of cases once something is compromised, it can't be trusted until all potentially corrupted data/programs are replaced. This means use of backups, loss of some data and potential risk of restoring compromised data.

    Recovery from denial of service attacks is easy however temporary, unless the vulnerability is eliminated.

    6. Is it likely to improve/get worse?

    With the increase of software quantity, lack of increase of software quality from security standpoint, vulnerability in general will increase. With the adoption of computers in various activities the possible harm from successful attack will increase.

    7. What sort of preventive work would you recommend them to carry out?

    1. Competent sysadmins (with sufficient education to understand the threats, design and implement security measures for every particular situation -- this is beyond usual sysadmin training programs).

    2. Physical security and no-connection policy on standalone systems, use of secure software everywhere else, minimal configuration of users and services on all security-sensitive computers, use of sufficient encryption in all sensitive communications, separation of secure and insecure parts of the networks with minimal insecure traffic between them, distrust of any protection provided by firewalls except against minor denial-of-service problems, security-aware backups policy.

    --
    Contrary to the popular belief, there indeed is no God.

  15. Re:Good on CBRN but misses the point on Infowar. by wilkinsm · · Score: 2

    I like this one, so let's pull this apart some more.

    > This example highlights another problem: the sheer variety of targets. Information technology touches so much of modern post-industrial society that just about anything you can think of has some form of vulnerability. We cannot patch all those holes - we cannot even identify them all.

    Yeah. There are so many levels you can go after, with various levels of effectiveness. Most of the obvious industries (Computers, Telephony) have developed at least rudimentary levels of security, but what about your local power company? There is already such a massive IT shortage as it is without involving mostly non high tech industries.

    > This raises another issue, which is competence. So called "script kiddies" may be able to take out a public web site, but it takes a lot more knowledge and effort to bring down critical infrastructure pieces (communications networks, power networks, banking networks) that are not connected to public networks, have some experience being attacked, and have the money to pay for better defense.

    It has always been said that there is no defense against the truly motivated, and in technology this is especially true. Just like in robbery, you are most likely going to be able to catch up with the intruder only after you have been robbed.

    > What sort of preventative work would you recommend them to carry out?[...]

    I'd like to add general public awareness. Sooner or later, every person on this earth will need to learn good electronic security habits, such as logging off when they leave a terminal, or when choosing passwords.

  16. How to cripple systems running Netscape/IE! by Joe+'Nova' · · Score: 2

    1) Log on to the following address
    http://skyscraper.fortunecity.com/gpfault/134/dloads FYI, this is not a hacking site.
    2) Click on any of the first array of names. Either something will reply 'Bad File Type', or pop up 'Pick App'. If 'Pick App', browse and find any file you want to run, Click.
    WARNING!: I accept NO responsibility for anyone using this technique, however, I can provide the cure for this, as a consultant. If I am going to be branded a threat thank-you-very-much, I would like you good folks to accuse me of being a white hat.
    UWMilwaukee Golda Meir Library ran me off, calling me a pornographer, for no reason other than finding their mistakes, and that they hire incompetent people, unable to stop this. I offered to fix their flaws, and they'd rather fix me. They might be able to ban me from the entire UW system, depending on how court goes (yes!). Also, Marquette University has some of the same flaws, but minor. I would check your systems, sysadmins. This one will work BEHIND a firewall!
    Email me, I could use some help myself. =(

    --
    This mind intentionally left blank.
    The KKK a bunch of sheetheads? You decide!

  17. Re:security teams own worst enemy by Madwand · · Score: 2

    Some of us who were around for the Morris Internet Worm have been screaming about the need for better Software Quality Assurance (SQA). Bad SQA was the proximate cause of the fingerd buffer overflow that Morris exploited.

    Much more worrisome is the proliferation of proper, Turing-complete interpreted languages in unsafe contexts, e.g. Microsoft Word Macros, JavaScript and ActiveX in web pages, etc. We should not be designing and deploying programs which allow for execution of "foreign" code from untrusted sources without prior, explicit permission from the computer user, each time!

    Unfortunately, the pull of additional functionality has been greater than the pushback of potential security flaws in the basic model, so these incredibly dangerous systems get deployed, and those of us who speak out against them are decried as alarmists.

    And do I need to mention that the vast majority of desktop Operating Systems (e.g. MacOS, Microsoft Windows) do not use the MMUs for any kind of application address space protection, which makes any incursion that much more serious?

  18. Human Engineering by GoofyBoy · · Score: 2

    I have to agree entirely. When I was reading the Jane article I kept on waiting for something original or insightful but it was just too shallow. Compare this to the description of the PCweek server crack last week. (Jane does have a different audience but still it's a boring read.)

    One of the main problems is that it doesn't specifically define CT and why it is dangerous.

    >Using CT, how easy or otherwise is it to bring down or attack vital systems?
    >which systems are actually attackable?

    Every system can be attacked/shutdown.
    Assumption: Every system requires an organization to support it or has access to the physical hardware. E.g. Banking IT departments, Telecommunications Consulting firms.

    All a terrorist group has to do is to plant an agent into these groups and then, maybe during a major company re-org or Dec 31, 1999, attack the physical hardware. These computers are located in a secure room but how many are built to withstand a C4 explosion? How about stealing backup tapes, altering them with a hostile program, replacing the tape and then causing the system to have to restore the tape?

    Hell, how about infiltrate Bell/Lucent/Citicorp/IBM, rise up the ranks of management, then cripple the institutions by making PointHairBosses decisions to weaken the systems from within?

    My point here is that human engineering can go farther than any software/cracker if a dedicated organization sets its mind to it.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.

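
    Two comments above meet at the restore step: answer 14 notes that recovery "means use of backups ... and potential risk of restoring compromised data" and asks for a "security-aware backups policy", and comment 18 describes an altered backup tape being fed back into the system. What makes a restore trustworthy is evidence that the medium was not changed after it was written, and that evidence must not live on the medium itself. The following is an added example, not code from this thread or from any poster: a per-file SHA-256 manifest sealed with an HMAC under a key kept off the backup medium, and a verifier that refuses a restore when the manifest fails authentication or when files were modified, removed or injected. Function names and the sample files are illustrative assumptions.

```python
"""Backup manifest with a key held off the backup medium.

Added example for this thread (not code from any poster): a restore is
only as trustworthy as the evidence that the media were not altered after
the backup was written. A SHA-256 digest per file, plus an HMAC over the
whole manifest under a key kept away from the tapes, lets the restore
step refuse altered, removed or injected files. Names are assumptions.
"""
import hashlib
import hmac
import json
import os


def file_digest(path, chunk=65536):
    """SHA-256 of one file, streamed so large archives do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):     # skip sockets, devices, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_digest(full)
    return entries


def _canonical(entries):
    # Stable serialisation so the MAC does not depend on dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(entries, key):
    """Attach an HMAC-SHA256 tag computed under the off-media key."""
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def manifest_authentic(signed, key):
    """True only if the manifest was produced under this key and is unchanged."""
    expected = hmac.new(key, _canonical(signed["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signed.get("hmac", "")))


def verify_backup(root, signed, key):
    """Return (ok, report). Refuses the whole set if the manifest fails
    authentication; otherwise lists modified, missing and injected files."""
    if not manifest_authentic(signed, key):
        return False, {"manifest": "authentication failed"}
    expected = signed["entries"]
    current = build_manifest(root)
    report = {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }
    return not any(report.values()), report


def save_manifest(signed, path):
    """Write the sealed manifest; keep it (and the key) off the backup medium."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(signed, fh, sort_keys=True, indent=1)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)
```

    The manifest is sealed rather than merely hashed because an attacker who can rewrite the tape can also rewrite an unkeyed checksum list stored beside it; only the key held elsewhere makes the mismatch detectable. An "added" file is reported as a failure too, since a restore that quietly brings back one extra program is exactly the scenario comment 18 describes.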
  19. My comments by proberts · · Score: 2

    I think it's an injustice to lump information warfare in with "traditional" NBC-type warfare.

    The problems of INFOSEC today are the infrastructure of tomorrow. Power grids, water treatment plants, telecommunications infrastructure, etc. are all quite vulnerable in at least several instances. Don't forget that it doesn't take an anonymous long-distance attack to get "in." A virus on a demo CD, a trojan in an executable "greeting card", etc. Timebombed code can be left by a temporary employee, cleaning person with physical access...

    Today, employers, even those who are running critical infrastructure are hard-pressed to not give employees Web access (401k plans, health insurance plans and others are starting to _mandate_ it). Most of those employees are on insecure, poorly administered, untrusted desktop operating systems. Add SSL and VPNs to make tunneling next-to-impossible to detect and you've got a recipe for serious electronic mayhem.

    The barrier to entry here isn't very high. If you look at the number of viruses and compromised hosts on the Internet, and see if you can get hold of the statistics for telephone fraud that relate to compromised PBX's. You'll see that the knowledge is already fairly easy to gain. It's fairly easily transferable too. But *there's no need to transfer it*. Recruiting people who are already good at it should be trivial for most either well-funded organizations or organizations with a strong "appeal" to either a targeted individual, or a member of the target's preferred sex group. Ideologies tend to be better draws, but it wouldn't be difficult in either case, nor would extraction of several unwilling potential accomplices. One sympathetic organization member with competence would probably have a trivial time recruiting as well.

    Some of the people who have the skillsets aren't socially very far evolved, don't necessarily have access to material things they'd like and are under age. All of those groups are easily targeted.

    It's all software and easily gained knowledge, and testing is trivial and not necessarily dangerous. Unlike most traditional weapons, it's fairly simple to test out information attacks without anyone detecting it because you can do it on your own systems.

    Until infrastructure vendors start making secure-by-default infrastructure (switches and hubs predominantly) and it becomes widespread in the install base, things like hospitals, power plants, water and waste treatment facilities, telephone exchanges, banks, etc. will be good targets of opportunity.

    While some places practice good security, not all do. It's becoming quite trivial to place a small 2" square machine onto a LAN port. Wireless networking on the back side and you're in. For less than USD$1000 you could build such systems and disguise them as appliances like lamps.

    Not many places outside of the national security arena even do RF sweeps. Infrared is starting to make even that less useful.

    Look at what the failed S&L industry cost; it's possible to disrupt commerce in key segments enough to cause millions of dollars of damage today, and billions over the next 5-10 years. Not all electronic terrorism need be traditional warfare; economic warfare is just as valid.

    We're "used" to terrorists who directly cause terror, now we're building the capability for them to set events in motion that have longer-term effects and aren't first-order effects.

    Finally, the combination of electronic and unconventional warfare, since they need not be exclusive, is a new one. False SNMP trap, compromised phone switch and a ready to deploy "customer engineer" is just one example that springs immediately to mind.

    I could go on and on, but that's probably enough for now.

    Paul

    --
    http://www.pauldrobertson.com

  20. Cyberterrorism by fizban · · Score: 2

    There are a couple of points that need to be stressed in this article.

    • CT is easy to do
    The hurdles faced by a cyberterrorist are much, much lower than those faced by a CBRN terrorist, from financial needs to technical know-how. Because of this, the possibility that cyberterrorism can be a threat is much greater than that of CBRN terrorism, and there is a definite need for strong anti-terrorist programs.
    • CT will become a more significant threat in the future
    Although most of the CT attacks that we see today are merely fluff attacks on websites and involve purely propaganda-related intentions, the threat of these attacks will become more dangerous and will hit many more critical systems as we move into the future. As our infrastructures rely more and more heavily upon networks and communication to stay alive, they will become more susceptible to attack and will suffer heavier damages if that attack occurs.
    • CT is both an internal as well as external threat.
    Although we may currently be more worried about external attacks upon our systems, the future will bring a greater possibility of attacks from the inside as a result of members of our own community becoming frustrated and disillusioned with the government and other power figures. Anarchy is the ethical norm in the Cracker and Hacker communities and the possibility that lone rogues may take matters into their own hands is quite strong.
    • CT in addition to CBRN attacks will become the norm.
    As terrorists add CT to their list of tools for destruction, we will see more and more cases where CT becomes an essential step in their attack plans. Defeating a security system through CT, then attacking with conventional life-threatening weapons will likely become the most common means by which an attacker operates.

    In essence, CyberTerrorism should be taken as a serious threat and should be treated as such, now and in the future. We should instill in our children a sense of technical know-how and understanding of how to combat these threats as well as a moral obligation to fight the elements of our society who threaten to destroy us.

    ----
    Lyell E. Haynes

    --

    +1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.

  21. Thoughts and comments by TBone · · Score: 2

    As one of the other readers commented, this article just about looks like they are replacing Terrorism with CT, and rehashing a previous article. The two really have nothing to do with each other, outside of the fact that both are disruptive to the intended target. In addition, there is nothing in this article that goes into any kind of depth; I'd expect to get this article back out of an academic article abstract database, like ERIC or PSYLIT, or something similar. At least include references for additional reading.

    Standard terroristic attacks are designed to physically disrupt or injure the target. CT attacks are intended to logistically disrupt or subversively capture sources of information, communications, or other lines of non-physical infrastructure. Because of this, it is much harder to identify from the inside what you are trying to defend against (would you think to secure your "recent documents" list on a computer that regularly handles sensitive material that may include logistical data?)

    • How easy is it to bring down vital systems depends on how vital those systems are considered by the owners/administrators, and how secure they attempt to make these systems. If you run your company's payroll and general ledger system on a computer that has a wide-open link to the Internet, and don't consider that information very vital ("I can restore that any time I need to if it crashes..."), then you can expect that even commonly known points to hack into systems will be vulnerable.
    • Basically, all that's needed is a good set of programs that can identify systems and, equipped with a knowledge base of vulnerabilities, start hammering away at them. In reality, being able to crack systems is all in a way of thinking that most people don't manage. Just as some people can't "get" math and some people seem to breathe it, some people just "get" cracking.
    • If you mean "Can I buy Microsoft Hacker 2000", no. But the tools and means are readily available to anyone who knows how to read, has a dialup connection of some sort, and knows how to either download already-written program snippets or can program themselves.
    • Any system that can be accessed in some way by someone who does not explicitly need access to the system is attackable. If you touch the internet, you may be attackable (DoS, various service attacks, etc). If the machine is physically accessible by someone who doesn't need access to it, it can be attacked (I don't need to blow up your data center, I just need to hit the big red button on the wall to shut you down). It all comes down to whether or not the system is available to someone who doesn't need it to be available to them.
    • Recovery can be made, but is the window acceptable? How fast do you need to recover the computer that controls the ballast tanks and external hatches on a submarine? How long does it take someone who gains access to a satellite to get the image of the local layout of your building/utilities/people? If you have to "recover", you didn't properly perform your job at hand, which is to secure your systems.
    • CT will probably get worse as time goes on. More devices are being connected to the world, more information is flowing between them, and we are becoming more dependent on these devices and the information they provide. The bigger the mountain, the more places to drill into it and cause an avalanche.
    • As far as preventative work, you should look at everything as a potential target. Once you start seeing your technology in that light, you will begin to see holes in its existence. Why is that essential server just sitting in a common room with no limits to its access? How come we designed our phone system to trunk every line we use through this closet? How vital is this data that we are broadcasting to possibly millions of people; could it end up being subversively intercepted, edited, and redirected?

    Reading back on this, it sounds alarmist, but I've worked in both the financial and transportation industries, and have seen points in the companies that, given the right circumstances and the right time, could cause irreparable harm to the operations.

    This is really the point of CT; if I blow up a bridge, you can wade through the river, or go around to the next one; or build another command center, or have another one available. However, if I have access to your computer systems, or have the ability to alter your data, you may never be able to tell your people about the blown bridge, and half of them will walk right off of it.

    --

    This space for rent. Call 1-800-STEAK4U

  22. Where's the evidence? by attila_the_pun · · Score: 2

    The article starts with the assertion that CyberWarfare is an accepted fact. The evidence for this seems to consist of a few web pages being replaced with propaganda and a physical attack by the LTTE on telecommunications facilities. Neither of these count for much as CyberWarfare. Changing web pages does not cause significant disruption and bombing telecommunication facilities has been a feature of warfare since before the internet.

    Cyberwarfare/cyberterrorism is usually taken to mean causing disruption of communications or physical damage using electronic means. This article presents no evidence of either. There is a risk, but don't get carried away in the hype.

  23. what I would look for if I were a terrorist... by dragon2eden · · Score: 2

    Hmmph. Article was full of crap -- it was trying to draw on 'big fears' and tie a couple together (cyberattacks + weapons of mass destruction in the hands of terrorists! lions&tigers&bears! oh-my!). More importantly, a terrorist is not likely to use weapons of mass destruction because they are such a pain in the ass to deal with (conventional bombs are cheaper -- both in terms of money and opportunity costs). A terrorist organization blows a lot of money and time on THE-ONE-BIG-SHOT, and then fucks it up somehow, then they've taken themselves out of the game. Large-scale cyber-attacks (say, I don't know, trying to crash a train track switching network with a virus, or something), even more than WMD, require you to raise your signature to find out a lot of information before you've even done anything [i.e. it is a big pain in the ass to try and put together and has a potential for failure that is intimidating]. The weakness in the approach is that it relies too heavily on *one* method of attack. However, a small scale cyber attack -- when coupled with a small scale physical attack like a conventional explosion -- could be a very effective force-multiplier. For instance, a really large conventional explosion at [or even near] a nuclear power plant, when coupled with a massive spamming (by phone and e-mail) of news organizations, radio stations, 911, with a follow-on crashing/bombing of the local phone network switching centers (and maybe jam some police and emergency vehicle radio communications while we're at it?) right at the point where a lot of rumour has spread but no truth has been reported, has the potential to create an *incredible* panic at very little cost or risk. You have to think of cyber-attacks as things that do not stand in themselves; once they are coupled with physical methods of attack, they can be extremely powerful. But you combine the attack, AND keep both the physical and cyber attack *simple*.

    At least, that's what I would look for if I were a terrorist. [disclaimer: be advised, I am not advocating any activity that I've talked about in my post. I am merely using notional examples to make some points about terrorism.]

    --
    Regards, Paul Cox --------------- "It is right to be taught, even by an enemy." -Ovid
  24. Good true information on Hacking/Cracking by Mdoc · · Score: 2

    The web address of The Hacker Crackdown, ISBN 0-553-08058-X Copyright (C) 1992 by Bruce Sterling

    http://www.mit.edu/hacker/hacker.html

    Probably the best (albeit a little dated) information on/about hackers.

  25. Q & A by aarpier7 · · Score: 2

    1. It depends on what systems you are talking about. Defacing websites and other publicly accessible systems requires a minimal amount of technical know-how; taking down a section of the national power grid would most likely require months of careful research and planning...

    2. Knowledge of LAN/WAN theory, remote access, common security protocols, current exploits for UNIX/Linux/NT, C++, Perl, Java, etc... Beyond the nuts and technical bolts, however, there are certain acquired skills, i.e. social engineering, system penetration and take down, that one must acquire within the cracker community. These tricks of the trade are also difficult to practice for most individuals, for fear of involvement with law enforcement or other authorities.

    3. Certain system tools, SAINT (SATAN), as well as other security diagnostics and cracker script tools, can significantly automate the process of cracking less secure systems. I feel that the best use of these script-based tools would be to masquerade a more serious attack under the barrage of multiple automated, script-based attacks.

    4. Anything. If you make it, someone will crack it. However, the most secure O/S out there is, IMHO, OpenBSD. However, even OpenBSD can be made insecure. OpenBSD is the only O/S I know of that has had a complete, line by line audit of the source to spot security errors.

    5. Yes, however the speed of recovery will depend on whether or not an attack was prepared for in a proper manner.

    6. Most likely, as computer technology continues to intertwine itself into our everyday lives, the threat will grow.

    7. If you care about your data, keep a computer security specialist on staff. Implement widespread encryption. Also, the most important thing is to educate the end users about security. Let's face it. Nobody is going to dive into the sewers, splice into a piece of telco fiber, and spend months decoding that spiffy RSA-512 crypto you've got on your WAN lines to protect your data. They're going to ask Joe Sixpack for the RAS number, and if he could *please* read back his username and password for "validation with our databases".

  26. Comments, and cmts on cmts by whitroth · · Score: 2

    As a number of other posters have pointed out, the article, as is, is on CBRN terrorism, with a global search and replace to add "cyber". Much, if not most, of the article is unrelated to "cyberwarfare" (CW).

    For one thing, there is *no* recognition of the direct relation of corporate espionage and warfare to CW. Just last week, for example, a letter was posted by Iambe on the userfriendly web site concerning a sr. IT manager requesting that the co. security & sysadmin perform what, were it done by a political group, instead of a company, would be CW (btw, the author of the letter resigned rather than comply). Clearly, any company is capable of serious CW, and individuals are only slightly less capable. Yet in the article, there is no discussion of corporate CW, both as a training ground for CW agents, and as an instigator of CW. Let us also not forget that merely having been exposed to the idea that it was do-able by ordinary people, *and* *acceptable* *as* *a* *tactic* by socially-acceptable companies, the population of people who would be able and willing to do it is increased dramatically.

    Another part of what is wrong with the article is the failure to assimilate the lesson of the Rodney King affair: that a few years after high tech is available, it's old tech, and available on the street, which will find its own uses for it, even as it was suggested in the novels of the cyberpunk genre. Note that, in many cases, those uses will be the same as the "official" uses...just from a different viewpoint.

    Refusal to recognize this, while it leads to a terminology that Jane's regular users are familiar with, and perhaps does not cause heart attacks among them, does a great disservice to them, since it does not make clear the real logistical and tactical situation they find themselves in, and with which they may have to deal someday. We do not need another Maginot Line.

    Note that "training" is not that important in CW, since any college will provide this; what matters instead is the intelligence and viewpoint of the people performing the CW.

    Consider how easy it is for people to write virii and worms, and that they come from second and third world countries as frequently as, or more frequently than, from the first world. Now consider a revolutionary or terrorist group member writing a virus or worm with a timer, which does nothing until the day of their Big Event. All this scenario needs, for the CW side of this, is one college student with net access and any old PC.

    Yet another serious issue in security is the dilemma of security vs. inconvenience and obstructionism. Do you force people to go through all sorts of contortions every time they log on to a machine, or access a file (as in B2 security), all of which slows things down, or do you make it easy for them to do their work, and spend less time in time-wasting contortions?

    I also had a problem with the article in the section concerning motivation. What I did *not* notice was anything beyond what I'd hear on TV news. For example, *why* does Hamas have as much support as they do in the West Bank and Gaza? A few years ago, I heard on a news story that Hamas provides half, or more than half, of all the schooling and medical care in those areas.

    CW *is* a form of guerrilla warfare. The article does not appear to realize this, nor point it out to its readers. I suggest to you that the only real and effective way to counter terrorism, as in any guerrilla war, is to reduce the support the local community provides. By doing that, you wind up with a larger base of computer-oriented people who are less willing to perform CW actions, and more willing to fight it on a personal programming and security level.

    mark roth-whitworth
    whitroth@wwa.com

  27. Some comments by Gleef · · Score: 2

    In the article, Jane's discounts the benefits of state sponsorship to cyberterrorism, since tools are commonly available. This is misguided.

    Most of the recorded cyberterrorist attacks have been either defacement of a website, or crashing a system on the internet. I would call this the "car bomb" level of cyberterrorism. It causes a little mayhem, gets a little publicity, but doesn't make a big wave in the scheme of things.

    A cyberterrorist can do a lot more with a full scale infiltration of a key system. Assuming social engineering doesn't work to get sufficient access, crypto might be required to ensure access. That requires a lot of CPU time, something a terrorist organization won't have without help from the big boys.

    Lastly, if the goal of a cyberterrorist is to disrupt electronic systems, there's nothing that does it better than an EMP. "EMP Guns", that is, a portable device that can produce a localized or directed EMP without human or property damage, are a persistent urban legend that clearly has some kernel in fact. With over the counter hardware, you can build a HERF gun able to produce a trivial EMP. Is it that far fetched to think that the big governments have the technology to do better than that, considering they've been researching EMP for the past three decades? One could possibly find its way into the hands of terrorists. The midwest militias seem to be very proficient at obtaining US military hardware.

    Regardless, it's not an urban myth that an airburst nuclear weapon can produce a substantial EMP with little human or property damage. In fact, here's some congressional testimony detailing this. The biggest problem facing a terrorist who wants a nuclear weapon isn't figuring out how to build it, it's obtaining the fissionable material. Here again, government sponsorship of a terrorist organization could become key. China has shown itself very willing to supply governments that might sponsor terrorists with nuclear materials.

    A terrorist with a nuclear weapon might well decide that a country-wide EMP would be a better use of it than blowing up a piece of a city. It would be easy to implement too, just place the weapon on an airplane and time it properly.

    In all, cyberterrorism is in its infancy, and in order to determine an appropriate response to or defence against it, you need to look at what's possible, and not what happened so far.

    It's also worth noting that the FBI's requests for additional computer tapping rights and restrictions on encryption "to protect against terrorism" would not do anything against such a terrorist. Any computer savvy terrorist will use strong encryption (easily available on foreign websites), and communicate on a server that is in a country where the US would have enforcement problems. The FBI's requests do not defend against either of these.

    --
    Open mind, insert foot.
  28. part two: answers to the questions by CormacJ · · Score: 2

    Can a recovery be made from such attacks?

    Unless the machine is physically destroyed, and assuming that you are efficient about your off-line backup storage, a recovery is always possible. Curing the holes takes longer, but a good admin is always able to do something that fixes problems.


    Is it likely to improve/get worse?

    My belief is that things will stay pretty much static. As attack methods get more esoteric, the security methods used become more complex as a result. The number of attacks will always increase in line with the number of people using computer systems.


    What sort of preventitive work would you recommend them to carry out?

    Really important machines should be on a private network and no computer system that has access to this network should have access to any other network.
    Less important machines should be set up to use only the bare minimum of resources to lessen the chance that some module is vulnerable to attack.
    Regular audits and checksum comparison of code is always a good idea.
    Regular user audits are needed too. Any user that's not recognised by a staff member is suspect. Any user that you don't have paperwork (not computer files) on is suspect.
    Regular reading of security/bugtraq lists is always a good idea too. If you have a piece of software that appears on these as vulnerable, apply a patch within hours or less.

    Good security is easy to do, but harder to maintain, and no matter how many levels of security you have, one moment of stupidity can always break all the security you have, so be very careful about what you install, and code audit if you have to.

  29. Using CT by Q*bert · · Score: 2
    Using CT, how easy or otherwise is it to bring down or attack vital systems?

    I have found that CmdrTaco can bring down almost any system with ease, given a Perl interpreter and a mod_perl enabled Web server.
    Beer recipe: free! #Source
    Cold pints: $2 #Product

  30. CT, the totally non-definitive answer by jd · · Score: 2
    I'll answer the questions in the order they're given.

    1. Depends on the system. For anything computer-controlled where the controlling system is networked, it's likely to be easy. Security is often neglected, or a last-minute consideration.

    2. The skills are basically the same for system admin, and are not only teachable, they're common. That's why system admins are paid amongst the lowest salaries in the computer industry. They're a dime a dozen.

    3. Doesn't even have to be COTS. The "SATAN" program caused a huge stir, when it was released. But, yes, there are plenty of COTS packages which could be used for CT.

    4. Any system that is both physically AND logically on a virtual public network is vulnerable to CT across that network. (Mere physical connection is not enough. If the s/w rejects everything sent to it, it is effectively not there. Also, you can have multiple virtual public networks on the same physical network, none of which interact.)

    5. Yes. If you have HA, some kind of intrusion detection, and automatic restore, then you can just fail-over everything but the connection, restore the compromised system, and continue.

    6. It's likely to get worse. As computers become increasingly wide-spread, and as civil dissatisfaction increases, the problem is likely to escalate. There is likely to be a spike of CT around the year 2000, as doomsday cults try to create their scenarios, and other groups try to take advantage of the psychological issues surrounding Y2K.

    7. There are a great many things you can do to secure your systems against CT. Here are some that I'd recommend as worth doing:

    • Firewall your network. PROPERLY! Sieves are for the kitchen.
    • Install IPSEC or SKIP on critical or highly confidential networks.
    • Ban telnet and .rhost files. If you need terminal connections, use SSH or Kerberos.
    • Enforce strong passwords, and install the shadow password kit and the mcrypt library.
    • Portscan servers AND clients for vulnerabilities on a regular basis.
    • If you are connecting two or more centers together over a public network (such as the Internet), use a non-standard protocol (such as IPv6) at the very least - if you can connect to the other centre, so can someone else. A non-standard protocol makes this considerably more complex.
    • Encrypt filesystems! This is a must, especially for networks with sensitive data.
    • Tripwire your system, to detect for altered programs.
    • Monitor connections with public networks for signs of portscanning.
    • Monitor login attempts and points-of-origin, for evidence of hackers.
    • Check CERT regularly for security bulletins and advisories. ACT ON THESE! If an advisory exists, be aware that this means there's a good chance someone knows how to take advantage of it.
    • Install tcpwrappers and deny access to all hosts to all services. Specifically enable access to any service, by name and requestor.
    • Check file permissions, to ensure that people can only access what they're supposed to.
    • Never, EVER, run a service as "root", unless you have to. And if you do, find an alternative that doesn't need this.
    • If a system is known to be vulnerable to attack (eg: Windows NT), don't put it somewhere where attacks can reach it.
    • Don't be afraid of using proxies. If your corporate web server needs to be accessed by the outside world, stick a proxy on the outside and relay everything through the firewall. Your data will thank you for it. If necessary, use a double proxy (one on the firewall itself, eg: SOCKS) and one on the outside (eg: Squid). It won't hurt your image, and you're not a wimp if you do this, but not even the best cracker can deface a web page they can't reach.
    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
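    As an added example (not code from any poster above, nor from Jane's), here is a minimal tripwire-style integrity checker in Python that covers jd's "Tripwire your system" and "Check file permissions" points as well as CormacJ's "checksum comparison of code": it records a SHA-256 digest and permission mode for every file under a directory, then reports what was added, removed or modified. The directory tree and file names built in demo() are constructed for illustration.

```python
"""Tripwire-style file integrity baseline and comparison (added example)."""
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def digest_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file path (relative to root) to its digest, size and permission bits.

    Symlinks are recorded by target, not followed, so a link repointed at a
    different file still shows up as a modification. Sockets/fifos are skipped.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if os.path.islink(full):
                baseline[rel] = {"link": os.readlink(full)}
            elif os.path.isfile(full):
                baseline[rel] = {
                    "sha256": digest_file(full),
                    "size": st.st_size,
                    "mode": st.st_mode & 0o7777,  # includes setuid/setgid/sticky
                }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: files present only in one, or whose record changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper: write a file under root, creating parent directories."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed sample tree: take a baseline, tamper with it, return compare()."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"#!/bin/sh\nexec /usr/bin/real-login \"$@\"\n")
        _write(root, "bin/ls", b"placeholder-ls-binary")
        _write(root, "etc/hosts.allow", b"sshd: 10.0.0.0/8\n")

        # The baseline is serialised to JSON, as it would be when stored off-box
        # (a baseline kept on the monitored host can be edited by the intruder).
        stored = json.dumps(build_baseline(root))

        # Simulated tampering: one binary replaced, one file added, one config
        # removed, and a setuid bit set on an untouched binary.
        _write(root, "bin/login", b"#!/bin/sh\n# tampered contents\n")
        _write(root, "bin/extra", b"new unexpected file")
        os.remove(os.path.join(root, "etc/hosts.allow"))
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    Note that the mode check catches the setuid change on bin/ls even though its contents are unchanged, which a digest-only comparison would miss.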
  31. This is Too Easy... by The+Ancient+Geek · · Score: 2

    Johan J Ingles-le Nobel is wise to wonder about the credibility of this article. The author is trying to link two entirely different spheres (cyber-terrorism and weapons of mass destruction) into a single subject--he even goes so far as to coin the phrase "weapons of mass disruption." Which is to say, you can draw a parallel between getting nuked and getting a busy signal.

    The writer doesn't seem to grasp the impact of computers and technology on terrorism. And the writer also doesn't seem to grasp the concept that terrorists act intelligently--within their own world view. And so the writer focuses inordinately on the feats of prowess of Aum Shinrikyu, a cult of Shinshinto extremists who bumbled their way through a sarin gas attack on the Kasumigaseki and Kamiyacho subway stations in Tokyo in 1995. If Aum Shinrikyu, using a World War I sarin recipe, is the best the new breed of terrorists have to offer we can all rest easy. Would that it were that simple.

    The fatal flaw of this article is the writer's complete ignorance of the principal impact of technology on terrorism: computer technology makes the up-to-date (and up-to-speed) terrorist vastly more productive.

    Let's examine the writer's linkage of chemical, biological, radiological, and nuclear terrorism with cyber-terrorism. There's no correlation at all: CBRN warfare involves significant scientific achievement, a fairly high order of precision in manufacturing, a means of storing extremely hazardous materials, finding an anonymous--or at least deniable--means of delivering those weapons, and (for most terrorists) finding an exit strategy for any agents in the vicinity of the attack. As this article points out, there is a lot to it--manufacturing facilities, storage facilities, and testing facilities to start with. There are significant issues involved in transporting the weapons and triggering them. And there is the enormous difficulty of keeping the effort a secret--an oft-repeated maxim in suspense novels is that the likelihood of a secret's being blown is equal to the square of the number of people in on the plot. You can't even try to build a nuclear bomb, store it, and test it without hundreds (even thousands) of staff who have to be housed and fed to stand around in the dark on rainy nights trying to remember why they volunteered for this great assignment. If nothing else, CBRN terrorism pretty much requires having a sympathetic Saudi prince just to bankroll the scheme.

    Cyber-terrorism, on the other hand, involves writing a program and running it. One graduate student, Robert Morris, accidentally launched a "worm" virus that shut down most of the Unix-based computers in the U.S. in the 1980s. While such an attack is more difficult today, any such attack would not take any significant amount of manpower. "DOS" (denial of service) attacks are a good example: it is relatively trivial to write a program that will attempt to connect to a remote server, asking for responses to an Internet address that does not exist. Each request takes a certain amount of time to process--you can flood that server with a large number of requests, effectively preventing anybody else from getting in. With the vast increase in affordable Internet bandwidth available today ($169/month for 192kbps dedicated bandwidth in a residential suburb of New York, for example) it is a relatively trivial exercise for a "cyber-terrorist" with a thousand bucks and three or four talented high school students to become, at the very least, a cyber-annoyance.

    But computer technology offers much more to the would-be terrorist. Just as an editor for Jane's can find expert criticism of an article on cyber-terrorism (amidst a stream of childish ranting, one expects) by searching the World Wide Web, a terrorist can find all sorts of useful information. The terrorist can also take advantage of the commercialization of high-end technologies (such as the U.S. Defense Department's vaunted Global Positioning System [GPS]). And the terrorist can take advantage of the computerization of toys (particularly the growth of robotics such as Lego Mindstorms, or radio-controlled cars).

    Were I a would-be terrorist, particularly one with a political agenda based on hatred of the Western World, I wouldn't waste my time with nuclear weapons or World War I sarin recipes. Instead I would have a cadre of recruits developing expertise with the most commonly available explosive in the U.S.--the barbeque grill propane cylinder. With very, very little technological sophistication one could fabricate the poor man's Fuel Air Explosive [FAE]: program a Palm Pilot to set off a task on a specified date and time, create a robotic hand with Lego Mindstorms, attach it to the valve on the cylinder, and put the "package" inside a closed room. The Mindstorm "hand" opens the valve and vents the cylinder; a second Mindstorms device sets off a spark, and, well, you get the picture. You can mass produce what little specialized technology you need and transport it on airliners with no worry at all--you will buy the Palm computers at an office supply store, the Lego Mindstorms kits at Toys 'R Us, and the propane cylinder at the nearest convenience store.

    I would begin my terrorism campaign by publicly asking the Great Satan to have greater regard for its poor--with all the usual verbiage about the terror inflicted upon the Third World by greedy Wall Street speculators. I would then follow up by using my propane packages at various convenient locations around Wall Street--despite the World Trade Center bombing a few years ago, it is child's play to leave a propane "package" anywhere in the vicinity. (If I had the budget, I'd fabricate brightly-colored trash cans with the "packages" inside. I'd distribute the trash cans, conspicuously empty them for several days, then set them all off at once. Press release: "the garbage of the world, that you throw away like yesterday's sandwich wrappers, will rise up to smite you.")

    Then I'd go after the New York transit system, focusing particularly on those parts of it that are heavily-used by the financial community (continuing my Third World Liberation theme). So I'd use Mindstorms robots and GPS units to "crawl" packages into the PATH tubes under the Hudson River. The propane cylinders wouldn't be powerful enough to burst the tunnels and flood them--but that enclosed space would focus the effect of the explosions and do an awful lot of damage. And scare the entire NYC populace out of the subways for a generation. (Press release: "Financial swine, you are not free from the wrath of the people wherever you go--even into holes in the ground.")

    Then I'd go after the Internet. It isn't rocket science--all it requires is some skill at title and deed work. Identify the rights of way of AT&T, MCI WorldCom, etc., to identify trunk lines. Most of those lines are on poles--right there along the side of the road. Even the "secure" lines that are buried underground have to surface to cross bridges, railway lines, etc. Spend some time, do a little traveling. The locations of the five major interconnect points in the U.S. are widely known (just look on the World Wide Web). In a month or two you can probably find key trunk lines for a good portion of the major Internet carriers. More propane cylinders, more packages. (Press release: "Witlings of the imperialists--now you have some glimmer of understanding of how your brothers in the Third World must live. Free yourselves from their oppression!")

    Want to go whole hog? Really do it right? OK--we'd have to do a little prototyping by testing a package or two against some targets. Aum Shinrikyu tested sarin in the Australian outback for months without arousing undue suspicion. Blowing things up "just for fun"--particularly with a can of beer in hand--is considered Manly Recreation in many parts of the U.S. Then we'd do some planning (using PCs and Microsoft Project, of course) to identify the tasks at hand and the time it will take to plant all of our packages. We could identify task dependencies (frankly, the biggest difficulty would be getting an adequate supply of Lego Mindstorms kits--they are in very short supply) and we could distribute Gantt charts to the entire team. We distribute our packages across a relatively small area in the eastern U.S., and wait for them all to go off. At once. Kill hundreds of people, shut down the NYC transit system, cripple the Great Satan's telecommunications, and prevent a nation full of office workers from downloading pornography; all in one single, simple, coordinated attack. (Press release: "Now do we have your attention, big boy?")

    If you're keeping score at home, here's what we're talking about: A Mindstorms kit ($200); a Palm Pilot ($500); a barbecue propane cylinder ($30); and related hardware (wire, spark, etc., figure $20). Add another $250 for boxes and other decoy containers (and to keep the math simple) and you're talking about $1000 per package. For $100,000 to $150,000, including airfare, hotels, meals, and gratuities, you and three or four comrades could conduct a terrorism campaign that would make the FALN and the PIRA look like amateurs.

    The economics are undeniable: the ability to create bombs that combine software and robotics for chump change completely alters the question of terrorism. What we might term "legacy" terrorists (understand: in the parlance of computer programmers that is a punishing insult) are trying to win funding from bankrupt former First World spy agencies and hoping to score plutonium on the open market. The avant garde terrorist is the fellow in line in front of you at Toys 'R Us.

    The security is undeniable: your chances of finding these guys before they strike are zero. This only requires one person. If the plot involves more than four or five people it gets overly complicated. None of the components can be characterized as a weapon--so even if you are questioned by the police ("you're correct, officer--I do not have a license for this Lego kit") there's no rational basis for suspicion. And once you do wreak havoc on the target country you will be practically impossible to find: just the kind of simple precaution you learn from reading John Le Carre novels (wipe the propane cylinders for fingerprints) is enough to prevent anybody from ever finding you.

    And the politics are undeniable as well: the legacy terrorists help fund the day-to-day payroll by running guns, smuggling drugs, and generally operating like gangsters. It is difficult to gain the support of the oppressed when the selfsame oppressed also recognize you as the local drug dealers. Our high-tech robot-wielding terrorist, on the other hand, doesn't need to support a huge payroll--so he doesn't need to run guns, smuggle drugs, rob banks, or anything else. With some creativity and perhaps a slightly smaller budget he could literally do the entire project on credit cards.

    Press release: "We have smote the Great Satan in his lair--we have left him wounded, bleeding, alone, and in the dark. We have deprived him of his filthy pictures of oppressed women. And we have done it with the products of his own depravity--the computer toys of his pampered children and the office toys of his fattened bourgeoisie, fueled by explosives from his so-called convenience stores. And we financed the entire operation using the Evil Oppressor's own credit cards."

    This writer is totally wrong: the impact of technology on terrorism doesn't mean that we have to add a new letter or suffix to the "CBRN" acronym. The impact of technology radically changes how productive, and how anonymous, the would-be terrorist can be. Ultimately, technology obviates CBRN terrorism--the terrorist doesn't need to be that extravagant, and doesn't need to take the risks of handling those materials. With a little bit of applied thought, and off-the-shelf technology (and off of shopping mall shelves at that), the avant garde terrorist can scare the daylights out of any country on the face of the earth.

    To contact me by email, use the address above, but do not include the "nospam" entry in the address.

  32. security teams own worst enemy by Anonymous Coward · · Score: 2

    In many ways, the security teams are their own worst enemies.

    A few years ago I was an on-site contractor for NOAA, and we were deploying a prototype system at another federal agency which provides a critical service. (For obvious reasons I won't provide further details in this forum.) For some reason we needed to access the prototype system, and we knew that our computer was on their network but they had moved it from the initial IP address for some reason and hadn't told us its new address. They also changed the name for some unknown reason. (This wasn't related to security; it felt much more like a low-level pissing contest between the two agencies.)

    We *really* needed to access that computer, and most people had already gone home from both sites, so I pinged all of the addresses in the subnet and attempted to telnet to each responsive address in turn. Within half an hour or so I found our lost sheep, fixed some files, and the government employee who asked for my help went home happy.

    Unfortunately I had a problem. I discovered that they had their router on one of the ports, with absolutely no password. Anyone who discovered this IP address could change a few numbers and take down this site and possibly a second site. If it happened at the right time it could easily make the national news. I reported my discovery to the only network person still around, and he was clearly agitated by the perceived dilemma of needing to report this to the proper security group and the expected pain of the subsequent inquisition and torture. The fact that this was at a sister agency clearly didn't help his mood.

    I don't know if the reputation was warranted, or if he was ever subsequently contacted in any way. I know that some subsequent comments about my "hacking" skills were grossly unwarranted. I do know that the reputation of the security team was such that most security breaches will go unreported out of the fear that the investigation will focus on how the person learned about the breach, not the breach itself.

    (Sidenote for _Janes_: many geeks will immediately recognize this as a concrete example of Hagbard Celine's observations in the Illuminatus Trilogy. People with (perceived) power tend to see only what the people under them think they want to see. This makes it difficult to impossible to get an accurate view of your current state from within the organization. I think CT is a very real possibility, but I am also extremely skeptical that anyone above a GS-12 has the faintest clue where the real threats lie.)

    (If I had to pick one thing to start with, I would focus on Melissa. I'm sure every potential cyberterrorist noted how quickly Melissa took down large corporations and is wondering what would happen if it carried a malicious payload. Trivial example: what would happen if every Melissa victim started to ping www.victim.mil? Why do the same people who readily recall the Morris Internet Worm (which quickly resulted in significant changes in the Unix infrastructure to prevent a recurrence) remain silent despite a pandemic of Microsoft Macro Viruses?)

    Bear Giles (bgiles@coyotesong.com)
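
The post above describes finding a router that handed out a command prompt with no password, after sweeping a subnet and trying telnet on each responding host. The following is an added example, not code from the original poster: an audit script that sweeps a list of hosts and classifies what each management port sends back, so unauthenticated prompts can be reported to the security group before someone else finds them. The host addresses and banners used in testing are constructed; the prompt characters and login-marker strings are assumptions about typical router and switch behaviour, not taken from the thread.

```python
"""Audit hosts for management services that offer a command prompt without
asking for credentials.

Added example, not part of the original Slashdot post. classify_banner() works
on the first bytes a service sends; the probe is injectable so sweep() can run
against real hosts (probe_tcp) or against constructed banners offline.
"""
import socket
from typing import Callable, Dict, Iterable, Optional

# Strings that show the service is asking for credentials (assumed markers).
_AUTH_MARKERS = (b"login:", b"username:", b"password:", b"user access verification")
# Characters that commonly end a command prompt on routers and switches (assumed).
_PROMPT_CHARS = (b">", b"#", b"$")


def classify_banner(banner: Optional[bytes]) -> str:
    """Return 'no-banner', 'auth-required', 'no-auth-prompt' or 'unknown'."""
    if not banner:
        return "no-banner"
    lowered = banner.lower()
    if any(marker in lowered for marker in _AUTH_MARKERS):
        return "auth-required"
    # The last non-empty line ends in a prompt character and nothing asked for a
    # credential first: the device handed out a shell to an anonymous caller.
    lines = [ln.strip() for ln in banner.splitlines() if ln.strip()]
    if lines and lines[-1].endswith(_PROMPT_CHARS):
        return "no-auth-prompt"
    return "unknown"


def probe_tcp(host: str, port: int = 23, timeout: float = 2.0) -> Optional[bytes]:
    """Connect, send a newline to coax out a prompt, return up to 512 bytes of reply.

    Returns None when the port is closed, filtered or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\r\n")
            chunks = []
            try:
                while len(b"".join(chunks)) < 512:
                    data = s.recv(256)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # the service went quiet; classify what we have
            return b"".join(chunks)
    except OSError:
        return None


def sweep(hosts: Iterable[str],
          probe: Callable[[str], Optional[bytes]] = probe_tcp) -> Dict[str, str]:
    """Classify every host; the 'no-auth-prompt' entries are the ones to escalate."""
    return {host: classify_banner(probe(host)) for host in hosts}


if __name__ == "__main__":
    # Constructed addresses for illustration; replace with the subnet you own.
    for host, verdict in sweep(["192.0.2.1", "192.0.2.2"]).items():
        print(host, verdict)
```

Run it against address space you are responsible for; a `no-auth-prompt` result on a network device is exactly the finding the post describes, and the output gives the network team something concrete to fix rather than an anecdote to argue about.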

  33. 31337 hAx0r dOoDz by Lord+Kano · · Score: 4

    Skill doesn't cost very much in terms of money to acquire.

    The people who can bring down systems are the same people needed to protect them. It's in a way kind of like the wild west, but there are no black hats and white hats, only dark and light grey.

    The difference between a hacker and a cracker is what they do with their skills. One man with a rifle is a hunter, another man with an identical rifle is a murderer. What you do is more important than what you are capable of doing.

    Six months from now when the l0p (Lords of Pudding) cracks Jello's web site for publicity it won't be a well funded attack. It'll be a couple of rinky-dink high school kids who allowed their talent to be used for non-productive ends.

    Hacking has nothing to do with who's the best funded. It's about getting done what you need to get done no matter how you need to do it.

    I'm sure that every hacker here has done some things that at least border on cracking at one time or another. Not that there was necessarily any malicious intent, it's just doing what needs to get done.

    It's the script kiddies who've (at least in recent years) given us a bad name. It's the assholes WhO TyP3 3v3rY7hiNg LiK3 7hIs who make us look like a bunch of pimple-faced rejects before the masses.

    One thing that makes many hackers fertile recruiting ground is the total lack of respect for the ability and value of a good hacker. When a hacker has to stand by and watch a brainless marketing suit make millions for sitting around and thinking up crap like "Got Milk?" and "Think Different" it can make him want to make an undeniable statement and force people to recognize him. Also, how many of us would be willing to pass up a pile of cash if someone offered it in exchange for getting access to Company X's financial records?

    I've never caused any damage to any company's computer systems, just like the vast majority of my fellow slashdotters, but in a materialistic society how many of us would pass up the chance to make big paychecks if we did?

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  34. Just how easy by GoNINzo · · Score: 2
    Okay, because I don't feel anyone has addressed these issues separately, or treated this as something that will get published (even if they don't differentiate between CBRN and IS machines), I feel it necessary to write up a short bit on each of these points. Feel free to flame me if you disagree, but I don't feel they are getting what they asked for.

    • Using CT, how easy or otherwise is it to bring down or attack vital systems?

      It really depends on how the system was devised. There are a couple of factors here: a who is attacking, a why, and a how.

      There has been a recent proliferation of machines that are 'automagic', where the user plugs the machine in, and it works. As this becomes more commonplace, there will be more attacks of the 'script-kiddie' mentality. These are the more commonplace, and usually more destructive attacks. A good example would be the ColdFusion exploit released not too long ago. It was written up into a nice package that someone could give to a 13 year old kid. That 13 year old could go burn down a machine in some place he's never heard of, and he wouldn't care. Someone who researched this exploit might actually have some ethics about destroying someone else's virtual property.

      Then there is the why question. In the beginning, cracking was mostly used as an 'I was interested in how it worked' explanation. In the future, I think we will see more infiltration attacks, where people just want to get onto the system to listen, gather, and disseminate information. This could be to gather personal information, financial information, share a virus, or to expose your political views. The system will continue to work, but in an incorrect manner. As these become more sophisticated, I think they will become harder to detect. It's only when we relax our guard that we get hurt by an attack.

      Then there is a how. The discussion of potentially harmful weapon systems is a matter of exposure. Networking is a useful thing, but think of it in another light. You have a gun cabinet in your office, forget why, but would you really want this exposed? So you put it behind a secret door; only certain people know how to go up and press on the door in the right way to open it. But someone visiting might press all your walls in several ways, and still find it. Security via obscurity does not work. So you put a Master lock on it. However, a nice pair of bolt cutters works quickly. So you put it in a true safe, making it difficult to get to. People complain, so you are forced to make the combination something simple like '1 2 3'. This again breaks the system. You run into the common brick wall of security versus ease of use. As our society seems centered on easing our lives, we tend to focus more on the ease of use. A good example is the web forms out on the web, to make our lives easier, but they could also break our security policy.

      So you are looking at more information being distributed, it is becoming easier to find this information to infiltrate a host, and we are moving towards a looser definition of necessary security. Is it easy to attack systems? Yes, and it's becoming easier all the time.

    • What sort of skills would be needed to do so, and are they common/teachable?

      Many of the skills can be learned from reading on the web. Most are commonly found out. But the most useful are taught in a student/mentor relationship. While root exploits can now be thought of as easier to figure out on your own, it usually takes an experienced person to point the newbie in the right direction, to wade through the bullshit. As we migrate to a more networked environment, these requirements will lessen, and it will become more of a 'click here!' security risk.

    • Commercial-off-the-shelf software: can it really do CT?

      Two issues, the offense versus the defense. As far as products go, COTS will never be as good as what can be obtained by an experienced professional. And all experienced professionals have a cost. Also, would you include web-based and free software as COTS? Because it's all out there for the taking. Remember that COTS lag behind the speed of the rest of the world, especially security related products. For instance, the ISS security product still checks for certain accounts when trying to check a unix system. However, ISS knows nothing about nmap and its use as a port scanner. (well, last I checked)

      On the defensive side, with proper design COTS can protect your data. Many companies think of security last; it's an afterthought of a 3rd level VP who says 'BTW Bob, is this system secure?' 'No it isn't Ted, you said you didn't want to put in your password on every new screen' 'Well make it secure, mmmkay?' However there are some products that are designed off the shelf with security in mind; these would be more of the unix systems as they have a better chance to mature. Just the fact that there is a root account where a user can do anything they want has to remind the designer not to let people get there. For an example, the BSD security audit that took 10 people a year and a half is what I would consider to be an ideal.

    • Which systems are actually attackable?

      All networked systems are attackable. You must assume that. Just as no fortress can be completely safe, no data can truly be secure. There is a sliding scale of usability versus security, so set your thresholds high.

    • Can a recovery be made from such attacks?

      This is why backups and data integrity plans are a must. Everyone should have a business continuity plan. This can also be associated with an extended cracker attack. If a weapon system is compromised, we will simply have to face the consequences of that weapon being used on ourselves. Some philosopher once stated that man will not be happy until he has devised a weapon that is able to scare even himself.

    • Is it likely to improve/get worse?

      It is most likely going to get only worse, until a light turns on in the mind of software developers that it is bad to have a product that a 13 year old can walk in and take over at any time. Those types of attacks are the true threat in the growing sea of information.

    • What sort of preventive work would you recommend them to carry out?

      Get the best people you can to manage your systems and your software. The risk of having a new administrator manage your credit-card-number-heavy network is much higher than the price to find a good administrator. While you can never bank on the security of your software, your security is only as good as your administrator. An aware administrator will be able to fix the major flaws in your security.

    Anyway, that's my rant on the article. You'll notice most of this information is just systems best practices, and more general information systems, not weapon systems specific. Mainly because I have not dealt with weapon systems, but you'll find software is the same everywhere. Also, '13 year old kid' could refer to any person of human intelligence and inclination, regardless of nationality, religion, and moral vocation.

    Feel free to publish any of this, I do work for Collective Technologies, but these are my own opinions.
    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
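
GoNINzo's recovery answer comes down to backups and data integrity plans. The following is an added example, not part of the original comment or anything the poster wrote: a baseline-and-verify integrity check that records a SHA-256 digest for every file under a tree and later reports what was added, removed or modified. That report is the evidence you want before trusting a restore, and it is also how you find what an intruder touched. The `etc/passwd`-style directory layout used in testing is constructed for illustration.

```python
"""Baseline-and-verify file integrity check.

Added example, not code from the original thread. Hash every regular file under
a root into a manifest, store the manifest somewhere the host cannot alter it,
and later rehash the tree to find what changed.
"""
import hashlib
import json
import os
from typing import Dict, Set


def file_digest(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map of root-relative path ('/'-separated) -> digest for every regular file."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    """Write the baseline as JSON; keep the copy offline or on read-only media."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Files added, removed or modified between a baseline and a later pass."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": cur_keys - base_keys,
        "removed": base_keys - cur_keys,
        "modified": {p for p in base_keys & cur_keys if baseline[p] != current[p]},
    }


def verify(root: str, baseline_path: str) -> Dict[str, Set[str]]:
    """Rehash the tree and diff it against a saved baseline."""
    return compare_manifests(load_manifest(baseline_path), build_manifest(root))
```

Build the baseline from a known-good install, save it off the host, and run `verify` on a schedule or after an incident; an empty report means the tree matches the baseline, and anything in `modified` is where to start looking.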
  35. "Hardness" of systems by Paul+Johnson · · Score: 5
    A common thread running through Johan's questions is the assumption that target computers can be rated by "hardness" in the same way as a military base.

    This assumption has limited validity. It is certainly true that some systems are constructed to be much harder to penetrate than others. However any system can be made insecure by improper installation or use. A classic example is the recent Linux box crack. The crack exploited an insecure CGI script instead of the underlying operating system.

    This leads to a situation where attacks are single-use weapons with irregular effects. Think of the Federation encountering the Borg: a phaser works on the first borg, but not the second because the second one had learned what killed the first. Attacks on computers have this nature: you may be able to penetrate many computers at first, but when the attack becomes known the hole will be closed. If the defensive structure is good then this will happen fast and universally. This is what CERT is about.

    Much has been made here of the "script kiddy" phenomenon. This does not seem a realistic concern for real national infrastructure or military issues. Sure there are plenty of insecure systems around, but the attacks the script kiddies use are generally known and they can be locked out.

    This means that against a well-defended target you are going to have to devise fresh attacks. This is not a trivial exercise. It's easier if you can get hold of the source code, but either way expect to have to fund a team of good techies sitting down with sample systems looking at how to take them down. The result will not be an armoury so much as a mixed bag of ad-hoc tricks, each of which will have a very narrow window of use. Also you can't stockpile these attacks because at any time someone else could discover the same crack, use it, and get you locked out.

    Even a successful cyber attack will be little use on its own. It would have to be co-ordinated with other actions. At this point it gets hairy. The effects of your actions when you actually try to take down or penetrate a system are difficult to predict. Maybe it will work, or maybe the defenders are on to you and will be duly warned. And the mixed bag of tricks will be hard to integrate into the rest of the strategy.

    All this points to the need for a proper defensive posture. This makes the entire infrastructure much more robust. Use operating systems and applications which are known to be reasonably secure. Keep up with CERT bulletins and other sources of information. If a computer is worth guarding physically then it is worth guarding "informationally", and for critical assets this might well extend to a continuous human auditor looking for discrepancies and odd patterns, just as a human guard is used to check people in and out of a base instead of relying on barbed wire and key cards.

    Finally, it is important not to let these threats get out of proportion. If I were a terrorist and wanted to bring down the national power grid I'd go for a few pounds of plastic attached to strategic pylons and transformers. Much more certain, and much longer lasting effects (aside, why did the IRA never realise this?). A defence system is only as strong as its weakest point, and that point is rarely a computer.

    Paul.

    --
    You are lost in a twisty maze of little standards, all different.
  36. doesn't require IT devices by kaisyain · · Score: 2

    whereas cyber terrorism utilizes information technology (IT) devices to inflict mass disruption of an opponent's critical IT infrastructure

    Cyber terrorism doesn't (necessarily) utilize IT devices to disrupt critical IT infrastructure. A backhoe to a set of OC-192 circuits works just as well at disrupting critical IT infrastructure. I also wouldn't really categorize social exploits as "utilizing IT devices".

  37. Cyberterrorists... by Hobbex · · Score: 4

    Here's a hint that might help the American government a little in its fight against terrorists:

    If there are any cyberterrorists out there, they already have cryptography!

    On a more serious note, the article is definitely making a mistake in bunching together Cyber threats and CBRN. They are different (as rde wrote above) in all possible ways except in that they are a relatively new threat. IMHO cyber terrorism is mostly an excuse to harrass punks who deface webpages, while CBRN really worries me.

    Also, the article loses a lot of credibility when it starts listing Bin Laden's use of email as examples of cyber-terrorism. My grandmother uses email for God's sake, it happens to be a good way to communicate.


    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.

  38. Prevention by howardjp · · Score: 3

    The best way to prevent CT is to have a good staff of administrators and a good set of tools. By far, the two most stable and secure operating systems are OpenBSD and OpenVMS. Use them. Also make sure your staff knows how to administer them properly.

    Also make sure you are always running with the most up to date patches for your software (not just the OS, but all of it). Read Bugtraq to find out what the latest problems are and follow through on the suggestions given for securing a system.

    Don't get too proud. Just as soon as you think you've gotten the crackers beat, they'll find a new way in. Never let your guard down.

    Disable non-essential services. If you do not need a service running, why do you have it on?
    Remove any tools which could be used against you.

    Don't be an easy target. Firewalls are good. Protect yourself at multiple levels.

    Anyway, there are plenty of other ways to handle prevention, but I'll let others pick up the slack.
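
howardjp's list includes disabling non-essential services. As an added example, not code from the original post, the script below turns that line into a check: it parses the listener table printed by `ss -lntu` on a Linux host and reports every socket that is not on an allow list, ignoring loopback-only binds unless told otherwise. The sample `ss` output and the allow list (a hypothetical host meant to expose only SSH and HTTP) are constructed for illustration, not captured from a real system.

```python
"""Report listening sockets that are not on an allow list.

Added example, not part of the original thread. Feed it the output of
`ss -lntu` (Linux iproute2); everything below is constructed sample data.
"""
from typing import List, Set, Tuple

Listener = Tuple[str, str, int]  # (protocol, local address, port)

# Constructed sample of `ss -lntu` output for a hypothetical web/SSH host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    *:80                *:*
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""

# What this (hypothetical) host is supposed to expose: sshd and a web server.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80)}


def parse_ss(output: str) -> List[Listener]:
    """Turn the `ss -lntu` table into (proto, addr, port) tuples."""
    listeners: List[Listener] = []
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 '[::]:22'
        addr = addr.split("%")[0]  # drop interface scope such as '%lo'
        if not port.isdigit():
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def unexpected_listeners(listeners: List[Listener],
                         allowed: Set[Tuple[str, int]],
                         loopback_ok: bool = True) -> List[Listener]:
    """Listeners not in the allow list. Loopback-only binds are skipped when
    loopback_ok is set, since they are not reachable from the network."""
    loopback_literals = {"127.0.0.1", "::1", "[::1]"}
    flagged: List[Listener] = []
    for proto, addr, port in listeners:
        if (proto, port) in allowed:
            continue
        if loopback_ok and (addr in loopback_literals or addr.startswith("127.")):
            continue
        flagged.append((proto, addr, port))
    return flagged


if __name__ == "__main__":
    # Real use: python3 audit.py < <(ss -lntu); here the constructed sample is used.
    for proto, addr, port in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On the sample host this flags the portmapper on UDP/111 and telnet on TCP/23, which is the list of things to switch off or explain; run it with `loopback_ok=False` when a service on 127.0.0.1 still matters, for instance a database that is reachable through a compromised web tier.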

  39. Big Differences... by helver · · Score: 2

    It seems to me that trying to group CBRN weapons with cracking requires a huge leap.

    For CBRN, acquisition of the materials required to implement these weapons is a significant issue. As mentioned in the article, people get arrested for simply trying to buy the materials needed. The acquisition of materials for a cyber attack is a much simpler task.

    The level of knowledge required to implement a CBRN weapon is orders of magnitude higher than to implement a cyber attack. Additionally, the CBRN agents must be stored, transported, and potentially disposed of. These are risks to the developer, not the victim.

    There are countermeasures for some kinds of CBRN attacks, but in general they are impossible to implement to ensure 100% safety. For other kinds there are no countermeasures. For cyber attacks there are almost always defenses. More often than not these defenses are disabled for the sake of convenience, or due to ignorance.

    I have no doubt that crackers can cause significant damage, but to group crackers in with CBRN agents is blowing their capabilities way out of proportion. In order to implement a cyber attack it takes a $500 computer and an internet connection - essentially it can be done by anyone who wants to learn how. It's impossible to prevent because the threshold is so low and the materials required can serve legitimate purposes as well. But the effects can be neutralized if a small portion of the population - the system admins - are kept up to date and are willing to do what's necessary to keep their systems secure.

  40. Cyber-warfare HOW-TO by Rahga · · Score: 3

    First of all, the article reads as a half-baked introduction to CT and how it relates to other forms of terrorism and the history of related terrorist events in the past decade. Reads too much like a boring history report done by a college freshman... but, to answer the questions...

    Most of the questions are surprisingly elementary, but I'm sure this was done to bring out as many relevant pov's as possible :)

    "Using CT, how easy or otherwise is it to bring down or attack vital systems?"
    It is either easy or hard. The real question, how are the vital systems in question prepared to stand up to said attacks. Like a question on how well armored tanks can stand up to gunfire, it depends on which tank is in question.

    "What sort of skills would be needed to do so, and are they common/teachable?"
    They aren't common in the sense that Joe Blow knows how to hack into the pentagon, but they can definitely be taught. Though skill and talent are considerable factors, they aren't necessary...

    "Commercial-off-the-shelf software: can it really do CT?"
    Like it says in question one, yes, but it depends on how well the targeted systems are prepared. And if they run NT, well....

    "Which systems are actually attackable?"
    If it exists, it can be attacked. Most vulnerable are those connected to mainstream communication systems such as the internet. Also, you must keep in mind that there are many different types of attacks available to your modern cyber-terrorists, including futile ones.

    "Can a recovery be made from such attacks?"
    Yes, and no. Data can always be backed up and restored on virtually any computer system. What is more dangerous is when terrorists defeat system security measures and retrieve privileged data. There is no way to "steal it back".

    "Is it likely to improve/get worse?"
    Rhetorical question. As computer systems become more complex and the world keeps getting smaller, the more insecure that computer systems will become or at least seem to become...

  41. Points by Hermetic · · Score: 2

    I really don't think there are any COTS software apps dedicated to CT, (ie. MS LoopHole Exploiter 2000 or some such thing). There are, however, many, many people out there who devote their lives to finding ways around security. Many of them are all too proud to show off their newest exploits or workarounds.
    Astalavista and sister sites take great pride in allowing you to do things you shouldn't. However, most of these tricks, scripts, and cracks are relatively harmless compared to a single man placing a pipe bomb at the nearest telephone switching station.
    There is no such thing as "security" as most people like to think about it. The best you can do is stop the incompetent (they weren't a threat anyway) and slow down the professionals (who you will never be able to stop).

    CT can, and probably will be a problem, but I don't think we have reached that critical point yet.

    --
    Computers can only simulate determinism. ~Hermetic.
  42. Lack of definitions disabling the entire debate by FreeUser · · Score: 2

    One of the main problems is that it doesn't specifically define CT and why it is dangerous.

    This is indeed the crux of the issue IMHO. In all of the debate and hysteria being bandied about regarding "cyberterrorism", I have yet to see a coherent, reasonable definition of just what cyberterrorism is. The absurd example of using Bin Laden's use of email and chatrooms to communicate with others as a form of cyberterrorism is clearly alarmist and silly, while the notion of remotely ordering a nuclear powerstation to melt down (hardly realistic perhaps, but an effective image) would certainly be included in any reasonable definition of cyberterrorism. On the other hand, a cracker shutting down the power grid of an entire city or multi-state area appears to fall somewhere in between (disruption and quite possibly mayhem is caused, but no life is directly attacked as such). What about public defacement of web pages? Terrorism? IMHO I hardly think so -- not a single life is threatened or directly attacked. It smacks more of vandalism or graffiti, yet such attacks are consistently used as "examples" of cyberterrorism.

    Until reasonable definitions are agreed upon, and adhered to, as to what constitutes cyberterrorism vs., say, cyberwarfare, cybervandalism, cybertrespass, or cyber(information)theft, discussions and articles about this subject will continue to be off point, confused, and ultimately of little use in forming coherent policies to combat the threats that these and other criminal (cyber)activity pose. Perhaps the one thing that can be learned from such confusion is just how dangerous it is to allow one's propaganda and misuse of language (as evidenced by the extreme hype and demonization surrounding cracking and such loaded words as "cyberterrorism" all out of proportion to the actual damage or potential damage done) to define one's own thinking when trying to establish responsible and effective public policy.

    --
    The Future of Human Evolution: Autonomy
  43. Cyberwar? by Lando · · Score: 2
    Okay, let me give a summation of the article before you read what I actually wrote. First and foremost the author has no idea what he is trying to say. The article sounds like it's supposed to be about cyber-warfare right? Wrong, it's marginally about cyber-terrorism with no facts and a lot of spin.

    Basically, the author says that because terrorists are bad... and since people use computers for e-mail, irc, etc that terrorists might use computers too. Wow, oh gee, really?

    Then he tries to relate the fact that terrorists try to cause terror with car-bombs and such and since they might get nukes that we need to be preparing for an attack on our computers.

    No logic to link them together.

    I read the entire article because I started it and said I would, otherwise I would just ignore this article.

    I suggest that the only thing to be done with this article is to trash it and start over.

    Kill the spin and get some facts, this article is more of an editorial than a news story.

    Sincerely,
    Lando

    PS, I saw wording I didn't like in the beginning so I stated that I was being a little critical, but I didn't expect this type of article with no facts and lots of spin. Sarcasm starts 2 paragraphs into this story.

    I'm just writing down random remarks about the article as I work my way through it. Just wanted to make sure we are clear that this is not bashing, but the way I read an article.

    Now that cyberwarfare has become an accepted fact

    I don't believe that it is an accepted fact, I think that is a lot of spin generated by the media. If you agree with that spin then might I point out that computer viruses were being used in the 80's which were much more destructive in nature and were targeted as well. Hacking a website and having a physical battle as recently reported for some reason don't really seem to be the same. There are special units for intelligence gathering, etc which are definitely components of war, however those have always been with us. Labeling this cyberwar is just spin to create hype...

    Joshua Sinai examines the requirements for anti-state groups to employ this and chemical, biological, radiological and nuclear weaponry

    What the heck is Radiological? CBR is chemical, biologic and radiation. I don't remember radiological from my time in the military, more spin?

    I'm willing to give the benefit of the doubt to CBRN, I am unfamiliar with the term though.

    whereas cyber terrorism utilizes information technology

    Wait a second, why are you introducing cyberterrorism here, you said that you were going to talk about cyberwarfare.

    Nevertheless, there is sufficient reporting of activities by terrorist groups and their state sponsors in the CBRN/Cyber realm

    How about intelligence communities, what the heck is CBRN/Cyber realm?

    acquiring a CBRN/Cyber capability requires extensive funding, an overt or covert acquisition capability, a technological research and development program to produce, weaponise and stockpile CBRN materiel (or the capability to purchase or steal ready-made weapons), and a level of technical expertise and logistical infrastructure that is appropriate to launch successful CBRN attacks. This is beyond the technical capability or motivation of most terrorist groups.

    False, a couple of million dollars with the right people could cause problems, the cost though is a lot higher for the attacker than the defender with no guarantee that your attack will succeed.

    On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CBRN/Cyber attacks much more feasible to launch than hitherto.

    Spin, spin, spin, sensationalism is fine and all, but I prefer facts. Dropping this information in between two facts attempts to prod the reader into believing the statement. What you should be saying is that conducting cyberterrorism attacks against off the shelf commercial software is what makes cyberterrorism possible.

    One of the things you need to realize is that obscure code is generally hard to break and that open source by its very nature tends to find security holes quickly and patch them. When you start using obscure code in a wide production area, ie commercial off the shelf software, is when you enable systems to be cracked on a wholesale level. I have the ability to take administrator access from an NT machine in 9 minutes if I can get to the box via an ethernet connection. Unless the latest patch has fixed security problems that NT has had for years. UNIX systems tend to be a little more secure forcing you to crack the shell to get inside the machine.

    I am not saying that UNIX/Linux is good and Windows is bad, it should not be taken like that. I have fixed a number of security errors under UNIX over the years and more continue to pop up, however when you have open-source which, because of the way AT&T 'sold' UNIX, Berkeley and others got the code, you tend to have people beating on that code all the time. Only when you use security through obscurity do you have major holes sitting open for years.

    Although such cost/benefit considerations may limit the majority of terrorist operations to the realm of conventional warfare in the 21st century, recent WMD-related events and reports indicate increasing activity by certain terrorist groups and state sponsors in the CBRN/Cyber arena

    Just wanted to point out that this is really getting on my nerves, trying to create a new word? Let me see, "I made up the word so I must be the expert!!!" Nope, sorry just doesn't cut it.

    There have already been several instances of CBRN/Cyber operations by terrorist groups. Chemical attacks have been mounted by the Aum Shinrikyo cult, such as the March 1995 sarin nerve gas attack on the Tokyo subway system, killing 12 people and injuring 5,500. Chemical cyanide was included with explosives in the February 1993 bombing attack by Islamic militants of the World Trade Center. In the mid-1980s, the Tamil secessionist group, LTTE (which provides its operatives with a cyanide pill in the event of capture) threatened to carry out a BW attack by spreading pathogens to infect humans and crops in Sri Lanka. Aum Shinrikyo also attempted, albeit unsuccessfully, on at least 10 occasions to disperse biological warfare agents in aerosol form, and in October 1992 its members attempted to acquire Ebola virus samples in then Zaire for future use in biological attacks. In mid-1997, an American white supremacist faction plotted to attack the New York City subway system with biological weapons. Reportedly, Hizbullah and Hamas operatives have acquired chemical and biological components, although they have so far refrained from carrying out such attacks.

    Wait a second... What are we talking about here? First we are talking about cyber-warfare, then we are talking about cyber-terrorism and now we are talking just plain terrorism... Unless, you are using these examples to talk about cyber-terrorism and just trying to create spin with violent examples. Let me see what would that do? Umm, some person that doesn't really understand computers and how they work, maybe a little frightened of them, sees this paragraph and is struck by the visual pictures that are implied, but doesn't quite realize that none of these situations involved cyber-anything. However he/she now associates cyber-terrorism with these images. Spin, spin, spin.

    And then we get the nuke worry into the picture and then finally we hit the cyber-terrorism. Hmmm, let's look at it.

    One of the first known instances of cyberterrorism occurred in 1997 when the LTTE launched cyber attacks against Sri Lankan government sites, including hacking into a government web site and altering it to transmit their own political propaganda.

    Oh my goodness, they actually spoke out and people could see what they wrote!!!!! To the death chamber with them.

    Supporters of the Mexican Zapatista rebels have jammed Mexican government web sites

    Oh my goodness, censorship only news-media and governments should be able to do this!!!! To the death chamber with them!

    The American terrorist group, the Christian Patriot movement, is active in the Internet.???

    Oh my goodness, Americans using? active? on the internet? Dang, I never knew. Obviously they are gathering information and disseminating propaganda. Just who do they think they are??? To the death chamber with them!!!!!!!

    The Osama Bin Laden group utilises an extensive network of computers, disks for data storage, and Internet for e-mail and electronic bulletin boards to exchange information.

    Oh no, someone other than the American team is doing more than web-browsing, they are running a web-server!!!!!! To the death chamber with them!!!

    Hamas operatives in the Middle East and elsewhere use Internet chat rooms and e-mail to coordinate activities and plan operations.

    Chat rooms and e-mail, anyone else care to point out just how insecure these formats are with Echelon around?

    Oh no!!! People are talking to one another, just when will this stop?!!? To the death chamber with them!!!!!!!!!!!!

    Other Middle Eastern terrorist groups, such as Lebanon's Hizbullah and Algeria's Armed Islamic Group, also utilise computers and the Internet for communications and propaganda.

    Jeez!!! They are speaking their own minds... This has got to stop!!!!

    TO THE DEATH CHAMBER WITH THEM ALL!!!!!!

    Just in case any of the readers forgot about what we are talking about. Just in the case that the computer talk has gotten a little boring, let's throw in some good wholesome slaughter to get back some attention and pump up those hormones.

    Terrorists have also targeted critical infrastructure. Thus, for example, in the Summer of 1998, the LTTE bombed state-owned and private telecommunications facilities in Sri Lanka, damaging buildings and disrupting telephone service.

    Look it has bombing and telephones in it, definitely couldn't do that without a computer.

    Motivation concerns the psychological, political and strategic factors that are likely to serve as incentives or disincentives for terrorist groups to resort to CBRN/Cyber warfare, particularly the decision to embark on a higher lethality and disruption in targeting

    Rather than taking over websites, they will start sending SPAM!!!!!

    There are no fixed organisational prerequisites for attaining CBRN/Cyber capability, particularly in the age of the Internet when terrorist operatives can be dispersed geographically yet are able to communicate with each other by using their own secured communications networks

    Sorry jumped a couple of paragraphs here, it was just getting a little deep for me. Then I come across this. Of course it's bad for the terrorists to use encryption because the government can't read their messages. I don't know if I even want to touch this one, but let me just ask a question... Okay, encryption and talking is required but organization isn't knowledge isn't. Sounds like you throw in a little willpower and you can start casting spells. Are we talking about a game? I thought this was a serious article...

    At one end of the organisational spectrum, the technological complexities involved in acquiring CBRN/Cyber capability require a well organised, hierarchical organisation, with a command and control apparatus staffed by professional terrorists, a highly-developed R&D apparatus staffed by scientists and technicians, production and storage facilities, a transnational logistics network to clandestinely acquire the necessary technology from external sources, and business activities (either legitimate or illegitimate) to generate the necessary income to fund the acquisition of CBRN/Cyber operational capability.

    Did anyone realize you can make money working with computers? Hmm, let's see time to pay my bills, $1000 to the IRS, $150.00 to state, $300 dollars for my education bill, $400.00 for my car, oh and let's not forget my $15.00 to insert terrorist group of your choice

    A terrorist group might also train its members in not just a single weapon but a variety of CBRN/Cyber weapons for which different sets and levels of technological expertise are required in order to attain operational capability in each of these weapons. Thus, for example, terrorist groups, such as Aum Shinrikyo, have provided their members with extensive training and education in a variety of CBRN/Cyber weapons, including studying uranium enrichment and laser technology, with at least one of their members working on the staff of a Russian nuclear physics laboratory, while another contingent traveled to Africa to study the Ebola virus. Cyberwarfare involves a different set of training requirements that is also more readily available. Thus, training in computer science is now widely prevalent among terrorist groups.

    Two comments, first how does a Russian nuclear physics lab and the Ebola virus relate to computers??? Beats me I thought you would know. Second, I'll be danged if those pesky terrorists aren't getting trained in computers. I mean heck it'll be easy to catch the terrorists now, since no one else is getting computer training...

    Skipping again...

    terms of technological hurdles, CBRN weapons and Cyber devices vary in the levels of technological sophistication required for their development, weaponization and deployment. There is also a clear distinction between CBRN weapons and Cyber devices

    Which, let me guess, is why the article points out bombing, nuclear attack and biological agents and never points out anything remotely dangerous to do with cyber-warfare or cyber-terrorism? Hmmm interesting, but then why are we lumping them together through the entire article? Guess I must just be plain stupid not to understand...

    This is getting rather boring, let's skip to the end...

    CBRN/Cyber terrorist warfare is likely to pose a significant threat in the 21st century as a result of the confluence of motivation, technical capabilities, and involvement by state sponsors. Just take my word for it since I haven't shown any relevant information in this article. This analysis is intended to highlight some of the internal and external factors, requirements and hurdles that need to be considered in assessing a terrorist group's current and future development status and operational capability to conduct CBRN/Cyber warfare. But somehow I forgot to include any facts and just used spin to create that impression Correlating these internal and external factors and hurdles would make it possible to forecast , something I didn't do, which terrorist groups and state sponsors are likely to embark on CBRN/ Cyber warfare, the types of adaptations since I have no idea what a terrorist group is much less which ones if any are actually planning on some type of cyber-campaign, and changes they would require to transition to such warfare, the types of weapons and targeting they are likely to pursue (including the possible resort to single or multiple CBRN/Cyber weapons and devices), the timelines for such attacks, and vulnerabilities that could be exploited by foreign intelligence and counterterrorism agencies to constrain terrorist groups--and, when applicable, state sponsors--from embarking on such warfare.

    Sheesh can you look at that last line? This is a conclusion??? Not only doesn't the author close up his arguments about what the article is about, but he basically says that this needs to be researched. Hmmm, needs to be researched? and definitely a threat? If you haven't done any research how do you know there is a threat?

    Lando

    --
    /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  44. Deranged Chemist by the+eric+conspiracy · · Score: 2

    I don't know about this deranged chemist thing. With all these monocultures in agriculture it wouldn't take that much to put together a pretty nasty attack on the food supply.

    Taking out a power grid is much less impressive.

  45. Infrastructure by Anonymous Coward · · Score: 2
    Frankly, I'm more concerned about attacks against the physical infrastructure of the net than I'm worried about "cyber attacks".

    Perhaps I'm naive, but I view crackers mainly as a way to keep sysadmins on their toes, not as some sort of world-destroying threat. OK, so somebody nails a sendmail box I'm running -- I'll just overwrite the HD with a backup & secure it from there. Big deal.

    I'm much more concerned that someone will use real-world weaponry against the net. For example, using a couple truck-bombs against MAE-West and other NAPs simultaneously. A sufficiently coordinated attack of this nature could do real damage to the global economy just in terms of panic and disruption (massive stock sell-off, etc.). Plus, since it's a real-world attack, the damage is harder to contain/repair. I mean, anyone got a backup tape that'll rebuild MAE-West?

    As far as I can tell, the main thing we have going for us is that most terrorists are pretty stupid people. They're ALWAYS going after ineffectual targets, like innocent civilians, and they do it in a half-assed manner. Most terrorist groups just seem to be places for losers to hang out and bitch about life; if they were more intelligent they'd be doing other things with their time.

    I dunno; most terrorists just remind me of the Columbine losers grown up. Any half-wit could have managed to kill more people.

    Cyber-attacks are inherently unsexy; there's no big boom, there's no glory in dying for a cause, just a bunch of nerds in a closet. Terrorists want to die with glory, to strike the big blow, and they're too dim to realize what an effective attack means.

    Perhaps more importantly, anyone with enough skill to launch serious cyberattacks is probably going to be making serious $$$ in legitimate industry. After all, what world-class computer nerd wants to spend his/her time in some dirt-poor corner of the world, surrounded by psychopathic gun-toting losers? Osama Bin-Laden, for all his supposed clout, lives like an animal in a hole in the ground. What programmer wants to spend their time that way? You can make a bomb in a cave lit by candlelight -- you can't launch a cyber attack that way.

  46. Jane's Goes Open Source by Gerv · · Score: 2

    Have you seen the title to their main page?

    "Jane's Intelligence Review, the world's leading open source defence, security risk and threat analysis for the professional intelligence and defense analyst"

    Obviously this means anyone can copy and redistribute copies of Jane's Intelligence Review as long as they make any modifications they make to the text publicly accessible...

    Gerv

  47. Stock Market by kid · · Score: 2

    It's always occurred to me that, in a war, the country/party that runs out of funds first, loses. Thus, the objective of war isn't to (per se) do as much physical damage as you are capable of inflicting, it's to cause just enough damage that the "enemy" is unable to recover financially.

    This suggests, in this time of cyber-warfare that we live in, that attacking a stock market or other primary financial institution is the most effective means of accomplishing your goal. Much more damage would be accomplished by taking the NY Stock Exchange offline for a couple of days, than an attempt to attack the "food supply" (which would be up and running again within hours from backup tapes, or replacement hardware).

    I see no mention of this financial aspect of war in the article, yet it seems the most vulnerable in my mind.

    --
    Ken
  48. Just unplug the computers by Jimhotep · · Score: 2

    Why have a critical computer system exposed to the world? Defacing a web page never killed anybody.

    Other terrorism ideas: find and read "A Higher Form of Killing"

    this book explains how the CIA tested the spread of toxins in the NY subway system.

    from the Jane's article
    "In mid-1997, an American white supremacist faction plotted to attack the New York City subway system with biological weapons."

    Thanks CIA

  49. The Inside Threat by remande · · Score: 2
    Personal disclosure: I work at a facility that could, at worst, cause a lot of financial havoc if compromised. I am also partially responsible for security at this facility, particularly the ability to securely connect to other facilities (AKA public-key crypto). No, I am not a cryptographer or anything similar; I just know how to use the software available.

    If you are really going to crack a facility, you can often do so from the inside. The most important skill needed to compromise such a facility is "social engineering"; basically the ability to lie through your teeth to other people. This sort of thing can get you inside your target's security with no computer skill whatsoever, and then you only need the skills required to cause the computers to do whatever it is you want them to do.

    Let me list a few SE gambits. The first, which takes a bit of time but is usually safest, is to get yourself hired. You will need some computer skill even to do an attack from the inside, and that skill will get you hired in America's techie-hungry job market. This gives you building access and a computer account. If you have sysadmin skills, all the better: you will get a root password, the equivalent to an all-access pass.

    The second gambit is simply to sneak into the physical facility in broad daylight, by pretending that you belong there. Low-security facilities may use badge-locking, but often one employee will hold the door open for someone who forgot their badge. Just about any facility will let people in if the security is lax at all. I remember a story (verified) about someone showing up at a 20-person company dressed as a delivery person. People let him in and out, and he made several trips carrying boxed printers out every time.

    Another gambit that someone could try with enough time would be to infiltrate the development branch of a commercial security software company (or better yet, get a few terrorists together and form one), and put a back door into the software. Rare is the facility that fails to trust shrink-wrapped software. If the software is a hit, you can hit multiple targets at will without anyone putting the pieces together.

    Hopefully, the above tactics would not work in places like military facilities or nuclear plants, where paranoia should be a way of life. However, a creative mind can cause a lot of damage by infiltrating a facility not known for its paranoia. Hospitals and food-processing plants would likely be prime targets. Such attacks would not necessarily be "real" terrorism, but would look a lot like accidents (until, of course, somebody claimed responsibility for them).

    --

    --The basis of all love is respect

  50. You do not need a terrorist... by kris · · Score: 3

    ... to shut down vital parts of the computer infrastructure of a country. As we have seen, a backhoe is enough. Or a faulty software upgrade in a power grid or phone control point.

    Also, what crackers (and cyberterrorists, if they actually exist) do is utilizing remotely exploitable bugs in current software. That is, they use tools and techniques which are roughly identical to normal debugging techniques, but apply them a bit more creatively. The creative application may have spectacular effects, but that does not change the fact that the basic techniques used are actually routine debugging techniques.

    The bottom line is: As long as current production software is as bad and immature as it is, there is no cyberterrorism. Just applied stupidity.

  51. Grossly underestimated and wrongly accented by arivanov · · Score: 2
    This article is a very bad piece of work. The author did not do her homework properly.

    Only a select number of terrorist groups and few state sponsors are likely to possess the necessary motivation and capability in the spheres of organisation, funding, acquisition, technology, storage and stockpiling, logistics, and other overt and covert resources to be able to make the transition from conventional to CBRN/Cyber warfare. For many, the numerous internal and external tasks and hurdles involved in acquiring, storing and deploying such sophisticated weaponry and devices are simply too much. Moreover, few terrorist groups and state sponsors are sufficiently motivated to carry out mass casualty or mass disruption warfare.


    Well the necessary means of cyber disruption are very simple: a 33K modem, an old 486 running Linux or BSD and a brain. It is true that few terrorists have the necessary knowledge but this does not mean that they may not hire someone. And this will be cheaper than buying and smuggling explosives and weaponry.

    On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CB/Cyber attacks much more feasible to launch than hitherto. Radiological and nuclear weapons, however, are far more difficult for terrorist groups to acquire or to develop indigenously, to weaponise and deploy, or to provide storage for.


    Commercial and off the shelf solutions are mostly applicable after a break-in has been committed - i.e. for maintaining access, deciphering data, etc. So they come into play after the break-in, which once again requires few resources and some brain.


    Significant financial resources are required for terrorist groups to develop an indigenous CBRN/Cyber operational capability unless a group succeeds in weaponising a crude, low-technology device, or stealing or hijacking such a device.


    Yet another dumb statement.

    • You can make a microwave cannon in your garage. No point in stealing it. And you can knock out an entire stock exchange with it.
    • It takes a modem and a unix box to break in to a remote machine. It is neither stolen nor expensive.


    Overall very very very bad article with the following bad implications hidden between the lines:

    The availability of security related information on the internet is _BAD_
    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  52. part one: cyberterrorism - a definition by CormacJ · · Score: 2

    CBRN warfare is an advanced method of warfare - cyberwarfare isn't. The resources needed to achieve this aren't expensive, all it needs it some knowledge and a little cheap equipment.

    There are examples of this already, including L0pht's research into the vulnerability of the US electricity network. They gather data from public websites and once the data is correlated a good image of the security of the network is found. This can then be exploited. Cyberterrorism is about this type of research.

    This article concentrates more on the conventional side of terrorism, but attention should be paid to the groups that use IT for gathering and co-ordination of intelligence rather than for warfare.

    Cyberwarfare is where tomorrow's terrorists will attack. Terrorism is part destruction/part publicity. Several terrorist groups attacked targets to generate publicity, not to kill people. Similarly cyberwarfare attacks are about the same: posting web pages, taking over known servers. The next level is the hardest one to guard against. This is the hacker in the system that doesn't destroy or alter data, just reads things and leaves.

    The author groups cyberwarfare along with "script kiddies". Cyberwarfare is not only about damaging systems, it is also about intelligence gathering and information processing.

    This is essential to terrorists. Hacking into a government server and posting a new webpage looks good and generates publicity, but hacking into a government server and reading the documents in people's email directories is much more valuable to terrorists. This gives cyber terrorists valuable details about the thinking and opposition to their movement, and can aid in planning conventional attacks.

    The next-generation cyber-terrorism won't just be about invading and crashing control computers or servers, it will also be used for spying and sabotage.

    Cyberwar like all other forms of war is not just about damage and destruction but also is about spying and intelligence gathering.

    These areas are where most consideration will have to be given.