Slashdot Mirror


Jane's Intelligence Review Needs Your Help With Cyberterrorism

Jane's Intelligence Review, a famous "in group" publication read by political, military and intelligence honchos the world over, has an article on Cyberterrorism scheduled to run in its next issue. But Jane's editor Johan J Ingles-le Nobel believes Slashdot readers may (ahem) actually know more about potential Cyberterrorism tactics than the article's author, and would like you to comment on his work - for publication. The article is up on a private preview page. Please read it, then post your comments. Johan will read them, here on Slashdot, and will select some of them for publication in Jane's alongside the original article. Before you post, please read a message from the Jane's editor (below).

These are the specific questions Jane's wants answered:

  • Using CT, how easy or otherwise is it to bring down or attack vital systems?
  • What sort of skills would be needed to do so, and are they common/teachable?
  • Commercial-off-the-shelf software: can it really do CT?
  • Which systems are actually attackable?
  • Can a recovery be made from such attacks?
  • Is it likely to improve/get worse?
  • What sort of preventative work would you recommend them to carry out?
For our part, we'll make an article based on your replies. Please try to give examples and evidence, keep it clean and stay objective - this is not a 'military-bashing' exercise. When we publish the article (17 November), if you'd like to be contactable on this issue use your real email address and we'll attribute your comments, otherwise use 'anonymous coward'.

Many thanks,
Johan J Ingles-le Nobel,
London, England.
johan.ingles@janes.co.uk

5 of 256 comments

  1. CBRN != Cyber by rde · · Score: 5
    Although the article lumps them together as 'terrorist weapons of mass destruction', cyber attacks are very different from chemical, biological, etc, attacks for a whole bunch of reasons:

    Finance. The article implies that major finance is required to implement major attacks; this is not the case for cyber attacks; L0pht bulletins and Phrack are all that's required, along with a script kiddie mentality.

    Nature of attack. Cyber attacks in general don't attack people; they attack infrastructure. If properly implemented a lot of people will die, but as a side-effect. Biological attacks, OTOH, attack only wetware and leave infrastructure intact.

    Personnel. One deranged chemist can do quite a bit of damage, but an embittered genius nerd can do much, much more. Remember that interview with L0pht? "I can shut down this power grid now."

    On the subject of state-sponsored terrorism: I honestly don't believe that this is the problem a lot of people make it out to be. If your system goes down, it's a lot cooler to say it was the Indonesian Government than a dodgy cgi script. I'm not saying it doesn't happen, but I do believe that it's seriously overhyped.

    Finally: defenses. Up to a couple of years ago, people thought of security the way people in the 80s thought of Y2K: it'll probably be a problem some day, but we'll muddle through. Any system put together in the last couple of years was implemented with security in mind (if it wasn't, shoot the sysadmin), but most systems more than a couple of years old are inherently insecure. Ironically, Y2K could prove to be a boon, as audits will give detailed reports on exactly what's in a system, and this information can be used to boost security.

  2. Hackneyed alarmism by redelm · · Score: 5

    This article is extremely poor. It reads as if the author had done a global search-and-replace of CBNR to CBNR/Cyber, plus added a very few IT paragraphs. The tone is unreasonably alarmist.

    It makes no distinction between cyberterrorism, which is an attack upon C3I (command, control, communications & intelligence) systems, both military and civil, and terrorists using their own cyber C3I.

    Worse, it confuses C3I (infosystems) with CBNR (weapons systems).

    Jane's editor asks some good questions, but this article cannot even be rewritten to answer them.

    -- Robert

  3. 31337 hAx0r dOoDz by Lord Kano · · Score: 4

    Skill doesn't cost very much in terms of money to acquire.

    The people who can bring down systems are the same people needed to protect them. It's in a way kind of like the wild west, but there are no black hats and white hats only dark and light grey.

    The difference between a hacker, and a cracker is what they do with their skills. One man with a rifle is a hunter, another man with an identical rifle is a murderer. What you do is more important than what you are capable of doing.

    6 months from now when the l0p (Lords of Pudding) cracks Jello's web site for publicity it won't be a well funded attack. It'll be a couple of rinky dink high school kids who allowed their talent to be used for non-productive ends.

    Hacking has nothing to do with who's the best funded. It's about getting done what you need to get done no matter how you need to do it.

    I'm sure that every hacker here has done some things that at least border on cracking at one time or another. Not that there was necessarily any malicious intent, it's just doing what needs to get done.

    It's the script kiddies who've (at least in recent years) given us a bad name. It's the assholes WhO TyP3 3v3rY7hiNg LiK3 7hIs who make us look like a bunch of pimple faced rejects before the masses.

    One thing that makes many hackers fertile recruiting ground is the total lack of respect for the ability and value of a good hacker. When a hacker has to stand by and watch a brainless marketing suit make millions for sitting around and thinking up crap like "Got Milk?" and "Think Different" it can make him want to make an undeniable statement and force people to recognize him. Also how many of us would be willing to pass up a pile of cash if someone offered it in exchange for getting access to Company X's financial records?

    I've never caused any damage to any company's computer systems, just like the vast majority of my fellow slashdotters, but in a materialistic society how many of us would pass up the chance to make big pay checks if we did?

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano

  4. "Hardness" of systems by Paul Johnson · · Score: 5
    A common thread running through Johan's questions is the assumption that target computers can be rated by "hardness" in the same way as a military base.

    This assumption has limited validity. It is certainly true that some systems are constructed to be much harder to penetrate than others. However any system can be made insecure by improper installation or use. A classic example is the recent Linux box crack. The crack exploited an insecure CGI script instead of the underlying operating system.

    This leads to a situation where attacks are single-use weapons with irregular effects. Think of the Federation encountering the Borg: a phaser works on the first borg, but not the second because the second one had learned what killed the first. Attacks on computers have this nature: you may be able to penetrate many computers at first, but when the attack becomes known the hole will be closed. If the defensive structure is good then this will happen fast and universally. This is what CERT is about.

    Much has been made here of the "script kiddy" phenomenon. This does not seem a realistic concern for real national infrastructure or military issues. Sure there are plenty of insecure systems around, but the attacks the script kiddies use are generally known and they can be locked out.

    This means that against a well-defended target you are going to have to devise fresh attacks. This is not a trivial exercise. It's easier if you can get hold of the source code, but either way expect to have to fund a team of good techies sitting down with sample systems looking at how to take them down. The result will not be an armoury so much as a mixed bag of ad-hoc tricks, each of which will have a very narrow window of use. Also you can't stockpile these attacks because at any time someone else could discover the same crack, use it, and get you locked out.

    Even a successful cyber attack will be little use on its own. It would have to be co-ordinated with other actions. At this point it gets hairy. The effects of your actions when you actually try to take down or penetrate a system are difficult to predict. Maybe it will work, or maybe the defenders are on to you and will be duly warned. And the mixed bag of tricks will be hard to integrate into the rest of the strategy.

    All this points to the need for a proper defensive posture. This makes the entire infrastructure much more robust. Use operating systems and applications which are known to be reasonably secure. Keep up with CERT bulletins and other sources of information. If a computer is worth guarding physically then it is worth guarding "informationally", and for critical assets this might well extend to a continuous human auditor looking for discrepancies and odd patterns, just as a human guard is used to check people in and out of a base instead of relying on barbed wire and key cards.

    Finally, it is important not to let these threats get out of proportion. If I was a terrorist and wanted to bring down the national power grid I'd go for a few pounds of plastic attached to strategic pylons and transformers. Much more certain, and much longer lasting effects (aside, why did the IRA never realise this?). A defence system is only as strong as its weakest point, and that point is rarely a computer.

    Paul.

    --
    You are lost in a twisty maze of little standards, all different.

  5. Cyberterrorists... by Hobbex · · Score: 4

    Here's a hint that might help the American government a little in its fight against terrorists:

    If there are any cyberterrorists out there, they already have cryptography!

    On a more serious note, the article is definitely making a mistake in bunching together Cyber threats and CBRN. They are different (as rde wrote above) in all possible ways except in that they are a relatively new threat. IMHO cyber terrorism is mostly an excuse to harass punks who deface webpages, while CBRN really worries me.

    Also, the article loses a lot of credibility when it starts listing Bin Laden's use of email as examples of cyber-terrorism. My grandmother uses email for God's sake, it happens to be a good way to communicate.


    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.