From reading the comments here, and a guess at most of our demographics, including mine, we're concentrating on how people can use the internet to co-ordinate or attack systems. This, in my view, is wrong.
The internet is a communtications and research tool, and yes operating system vunerabilities are available on-line, as well as off-line (as an aside I remember trawling through VAX manuals at Liverpool Polytechnic, finding the default usernames and passwords for Vax clusters and wandering across JANET and sending messages to MIT operators from a VAX cluster in their nuclear physics department which they hadn't locked down.)
But how many sensitive or critical systems are this easy to get at?
The article states "Similarly, in terms of cyberwarfare, terrorist groups may have little need for state sponsors because much of the applicable software and hardware are available commercially and targeting can be accomplished from a computer terminal hundreds of miles away from the intended targets.". This is frankly unrealistic.
Having worked in banking, goverernment, and soon UK military intranets these are attached to anything outside their own network.
I would see the main risks as follows
Physical destruction of infrastructure.
A well placed bomb in a communtications hub is a low tech solution to destroying a high tech system. A few well placed bombs in the City of London would stop the UK finance market for 2-3 days, and it would take months to recover. If you were a small state, and someone took out your communtications network, forget recovering.
Destruction from within
I'm sure we've all heard urban legends of disgrunteled programmers leaving back doors, RAS accounts, viruses etc. This is a more likely mode of attack. Infilitrate who you want to attack, and pop a low lying virus onto the network, custom build to avoid the virus scanners. With the proliferation of virus authors (and lets face it, it's not difficult) you could take out a PC based network quite easily. But what sensitive information is held on PCs?
If we define cyber terrorism as using a computer to attack another company, without concentrating on mode of delivery then
Using CT, how easy or otherwise is it to bring down or attack vital systems?
In my opinion, doubtful. How many sensitive networks are open enough to attack? You would need easy access, eletronically or physically and this just doesn't exist.
What sort of skills would be needed to do so, and are they common/teachable?
Everything is teachable. Virus writing code is common, and some is even automated. A lot of security holes are publically available on the internet or on BBSes. However getting access to use this information is, of course, more difficult.
Commercial-off-the-shelf software: can it really do CT?
No.
Which systems are actually attackable?
Web sites, which aren't critical. Perhaps WANs which pipe through the net, although with VPNs this is becoming more and more difficult, however the possibility for DOS attacks exists. Any system connected to a public network.
Can a recovery be made from such attacks?
I would assume that critical systems are backed up. So yes, but the amount of time to recover depends on the attack.
Is it likely to improve/get worse?
Stay the same, for critical systems people will need physical access, and as long as companies/governments restrict this then it's not going to be a major worry.
What sort of preventitive work would you recommend them to carry out?
Don't hook up a critical system to a public network. Keep up to date on security issues, don't rely on your vendor for information. Get rid of floppy drives on PC based networks. Code review source. Do not allow introduction of untrusted software.
Comparing web site vandalism with cyber terrorism is wrong. Comparing CNB attacks with cyber terrorism is wrong. I have yet to see one instance of a hack that I would consider cyber terrorism.
Personally I would worry more about infrastructure and communications attacks than I would over information secuirty attacks.
The IRA bomb at Canary Wharf was a good example of this. Quite a few banks had started to shift their share dealing operations to there just at the time they hit. The stock market took a major beating I seem to remember.
Taking out communications resources would be the easiest method to destory a company or government, no matter how hardened your computers are, your communications lines, be they under the ground, microwave or satelitte based are going to be an easier target.
However, picture a "cyber terrorist" (note the quotes) who has wormed his way into a bank/goverment department and introduces a quick spreading, custom made virus onto the network. It sits there for a week, then blam, wipes everything it can get its hands on. Now companies will have backups, but could a goverment in a rebelling country cope without it's computers for 2-3 days till the systems are cleaned?
First off, I'm gonna pick and choose in this thread, so apologies for my kangeroo brain here, flu is macking my head ache.
One of the things that annoys me most is branding terrorists as cyber terrorists just because they use email or bulletin boards. That, to me, comes over as lazy journalism.
Quoting from the article, Supporters of the Mexican Zapatista rebels have jammed Mexican government web sites. The American terrorist group, the Christian Patriot movement, is active in the Internet.??? The Osama Bin Laden group utilises an extensive network of computers, disks for data storage, and Internet for e-mail and electronic bulletin boards to exchange information. Hamas operatives in the Middle East and elsewhere use Internet chat rooms and e-mail to coordinate activities and plan operations. Other Middle Eastern terrorist groups, such as Lebanon's Hizbullah and Algeria's Armed Islamic Group, also utilise computers and the Internet for communications and propaganda.
Now, terrorists have used telephones to communicate, but they don't get branded as telecom terrorists, letters, but they're not postal terrorists, and so on. Simple because people use the net as a better form of communication is not a reason to brand them as cyber criminals.
The bundling of this with CBRN terrorism, again strikes me as lazy. What justification can there be for this, apart from they're both "new" technologies.
Another tangent then (sorry about this). What should count as cyber terrorisms? Growing up in Northern Ireland I have a very narrow minded view of terrorism. Personally I count it as taking of lives, disruption of lives, or destruction of physical property. I don't count web site vandalism anywhere near this.
Lets take bank systems, a subject close to my heart as I wrote some clearing software between the UK and German stock market. The amount of security hoops I went through to get this up and running were stunning. This is not the sort of thing a script kiddie can bounce his way into, lets face it the most sensitive systems, be they government or bank, are not connect to the net, yet journalists consistantly portray cyber terrorism as a bunch of geeks sitting on their AOL accounts, hacking a big bank. Utter bollocks.
The easiest way for a "cyber terrorism" attack to take place, ie. one that disrupts electronic systems is to blow the things up. Cut the communications links to the London Stock Market. You'd have a lot better chance blowing up the telehouses in the City of London than hacking into their systems. And it would be a lot more effective.
You subscribe to the NT security list at www.microsoft.com/security (I think, I'm at home with flu!), and notifications get emailed to you, or you check that page as often as you check the redhat page. Exactly the same.
Or you could install the "desktop" version that comes with the SQL7 distribution.
Runs fine on my little Sony Vaio C1F with only 64Mb and a crappy Pentium 250
Re:Metered telephone calls suck so much
on
ISP War in the UK
·
· Score: 1
Just as an aside on not affording ISDN, the only real cost if you're on-line more than 10 hours a week is the installation, the higher line rental is off-set by a call credit.
After getting Home Highway my quarterly bill dropped by £100. It's still too damned high though
When I worked there I loved it. Relaxed atmosphere, best working environment I ever had, all the hardware I wanted, basically free reign outside project deadlines.
Then the UK culled contractors... booo:(
But my job satisfaction was high, I was proud of the stuff I did with XML as the support was being developed, and I don't care if you all think I worked for the "great satan".
Personally, as someone who grew up in Northern Ireland, has seen a car bomb go off, got the crap beaten out of him for living in Chester with an Irish accent when Warrington happened, I still found it funny.
About 2 months ago when the "NT needs rebooting every day" comment popped up, I gathered and posted stats of my NT WWW servers here, and the cohosted ones we run. The only down time was on 1 server, which had a network card replaced, and reboots for hotfix/SP application (analgous to a kernel rebuild, before you start pointing the finger at that) the rest had been up since installation, including 1 that's been up for a year.
About 15 minutes later, someone had marked it as a troll. And when I commented one that moderation, that was marked as a troll.
As I've said elsewhere, I believe you should be able to see a moderation history for messages, so you can see exactly who is using moderation sanely, and who's running an OS jihad.
I've also been on the receiving end of being marked as a troll, when I felt I was making a valid point (posting uptime for my 8 NT WWW servers, when people were saying NT needed booting once a day).
And what happened when I complained? That got marked as a troll *too*
Personally, after this, I'd like to see some method of seeing who moderated a post, and as what. It may cut down the abuse temptation to moderate things you don't agree with if people can see what you've done.
Well Netscape's rendering of CSS has always been lacking, hopefully the Mozilla engines change this, if it ever gets finished. And of course there is no native XML support in Netscape. Not sure about Opera, don't use it.
Microsoft's rendering of CSS is, well, quite loose. It doesn't reject invalid CSS, but instead tries a best guess attempt. This tends to make you think your CSS sheets are perfect, when they're not.
IE 5's rendering of XML works pretty well when I've used it. The DOM is a little off, but then that wasn't standardised when IE5 was released. I used IE5 from the first non-public beta, mainly using the XML parser for server side rendering, and they were *quick* about fixing bugs/inconsistancies. How long did it take Nitscrape to pull together any sort of decent CSS rendering? Oh it's not there yet, lets all hold our breath for mozilla.
For details of what browsers support which CSS attributes take a look here. For a weighted scoreboard try here which marks Opera as the winner, IE5 as second place, and Netscape way at the bottom.
No idea *grin* I'm just getting pissed off with people saying we can't find the.DOC spec anywhere, when I have it sitting on 6 CD-ROMs and it's on the web based MSDN too.
Basically it will allow downloading of commerical content, and stop transfering of it to other players, or allow downloading of play X number of times mpegs.
And if I say any more I'm breaking a nice big NDA!
Anyway, thats all very well, but for those of us not buying "super computers" it's not useful.
Whats more useful would be exporting of stronger encryption. Lets face it, the US is fighting a lossing battle with encryption. How many of us Europeans have the US version of PGP? How many of use managed to spoof Netscape and Microsoft into giving us the 128bit versions of their browers.
And why isn't the US government looking at this? Because hardware generates more profit, more big business, and thus more taxes and lobbying.
Haven't you seen the security bugs for ICQ's web service? Heheh telnet to it and send a 256 long character string, and oh, watch your PC barf. Add being able to see and get any file you know the name of....:)
* NT has no useful scripting, Linux has everything you can ever need
Then how come I'm using JScript to automate administrative tasks? The Windows Scripting Host allows any ECMA compatable language (VBSCript, JScript (Mozilla still hasn't come up to that standard) and PerlScript from ActiveState are the ones I know off. I've heard rumours of a Rexx plugin too).
* you cannot remote administer NT (Im not talking about fast connections here, (where you could use VNC), try to administer NT over a modem line. Good luck)
Hmm well I develop at home at the weekends and can RAS in and do everything I want, except remote reboots. Stop/Start services, reconfigure the web parameters and so on.
I'll agree on site configuration *grin* But then again once you know the registry, it's easy enough. And thats simple to pick up.
if something goes wrong with IIS, the event log will contain such useful error messages "could not bind instance XXX. The data is the error code. 43 00 00 6c".
The logging entries are defined by the programmers, thats not a fault of NT but the application designers.
Sometimes under NT, the MMC console simply is stuck. Then your only chance to get it running again is to restart the system, simply logging in as a different user does not help. Very annoying.
When that happens to me Task Manager is always able to kill the task.
Yea but if you have any kind of sense what so ever you don't run CGI under NT, you run ASP or ISAPI. That way you lose the overheads concerned with spawning off a new process each time you try to execute CGI.
Delivering dynamic pages depends on lots of things, speed of the database if you're using one, underlying scripting method, if it's Perl/CGI, VBScript/ASP, C/CGI or C/ISAPI.
Dynamic benchmarks would be interesting, but I doubt you could get anywhere near a level playing field on both sides to make them comparable.
Slashdot Mirror
From reading the comments here, and a guess at most of our demographics, including mine, we're concentrating on how people can use the internet to co-ordinate or attack systems. This, in my view, is wrong.
The internet is a communtications and research tool, and yes operating system vunerabilities are available on-line, as well as off-line (as an aside I remember trawling through VAX manuals at Liverpool Polytechnic, finding the default usernames and passwords for Vax clusters and wandering across JANET and sending messages to MIT operators from a VAX cluster in their nuclear physics department which they hadn't locked down.)
But how many sensitive or critical systems are this easy to get at?
The article states "Similarly, in terms of cyberwarfare, terrorist groups may have little need for state sponsors because much of the applicable software and hardware are available commercially and targeting can be accomplished from a computer terminal hundreds of miles away from the intended targets.". This is frankly unrealistic.
Having worked in banking, goverernment, and soon UK military intranets these are attached to anything outside their own network.
I would see the main risks as follows
- Physical destruction of infrastructure.
- Destruction from within
If we define cyber terrorism as using a computer to attack another company, without concentrating on mode of delivery thenA well placed bomb in a communtications hub is a low tech solution to destroying a high tech system. A few well placed bombs in the City of London would stop the UK finance market for 2-3 days, and it would take months to recover. If you were a small state, and someone took out your communtications network, forget recovering.
I'm sure we've all heard urban legends of disgrunteled programmers leaving back doors, RAS accounts, viruses etc. This is a more likely mode of attack. Infilitrate who you want to attack, and pop a low lying virus onto the network, custom build to avoid the virus scanners. With the proliferation of virus authors (and lets face it, it's not difficult) you could take out a PC based network quite easily. But what sensitive information is held on PCs?
In my opinion, doubtful. How many sensitive networks are open enough to attack? You would need easy access, eletronically or physically and this just doesn't exist.
Everything is teachable. Virus writing code is common, and some is even automated. A lot of security holes are publically available on the internet or on BBSes. However getting access to use this information is, of course, more difficult.
No.
Web sites, which aren't critical. Perhaps WANs which pipe through the net, although with VPNs this is becoming more and more difficult, however the possibility for DOS attacks exists. Any system connected to a public network.
I would assume that critical systems are backed up. So yes, but the amount of time to recover depends on the attack.
Stay the same, for critical systems people will need physical access, and as long as companies/governments restrict this then it's not going to be a major worry.
Don't hook up a critical system to a public network. Keep up to date on security issues, don't rely on your vendor for information. Get rid of floppy drives on PC based networks. Code review source. Do not allow introduction of untrusted software.
Comparing web site vandalism with cyber terrorism is wrong. Comparing CNB attacks with cyber terrorism is wrong. I have yet to see one instance of a hack that I would consider cyber terrorism.
Personally I would worry more about infrastructure and communications attacks than I would over information secuirty attacks.
Rant over, lemsip and bed :)
Barry
The IRA bomb at Canary Wharf was a good example of this. Quite a few banks had started to shift their share dealing operations to there just at the time they hit. The stock market took a major beating I seem to remember.
Taking out communications resources would be the easiest method to destory a company or government, no matter how hardened your computers are, your communications lines, be they under the ground, microwave or satelitte based are going to be an easier target.
However, picture a "cyber terrorist" (note the quotes) who has wormed his way into a bank/goverment department and introduces a quick spreading, custom made virus onto the network. It sits there for a week, then blam, wipes everything it can get its hands on. Now companies will have backups, but could a goverment in a rebelling country cope without it's computers for 2-3 days till the systems are cleaned?
First off, I'm gonna pick and choose in this thread, so apologies for my kangeroo brain here, flu is macking my head ache.
One of the things that annoys me most is branding terrorists as cyber terrorists just because they use email or bulletin boards. That, to me, comes over as lazy journalism.
Quoting from the article, Supporters of the Mexican Zapatista rebels have jammed Mexican government web sites. The American terrorist group, the Christian Patriot movement, is active in the Internet.??? The Osama Bin Laden group utilises an extensive network of computers, disks for data storage, and Internet for e-mail and electronic bulletin boards to exchange information. Hamas operatives in the Middle East and elsewhere use Internet chat rooms and e-mail to coordinate activities and plan operations. Other Middle Eastern terrorist groups, such as Lebanon's Hizbullah and Algeria's Armed Islamic Group, also utilise computers and the Internet for communications and propaganda.
Now, terrorists have used telephones to communicate, but they don't get branded as telecom terrorists, letters, but they're not postal terrorists, and so on. Simple because people use the net as a better form of communication is not a reason to brand them as cyber criminals.
The bundling of this with CBRN terrorism, again strikes me as lazy. What justification can there be for this, apart from they're both "new" technologies.
Another tangent then (sorry about this). What should count as cyber terrorisms? Growing up in Northern Ireland I have a very narrow minded view of terrorism. Personally I count it as taking of lives, disruption of lives, or destruction of physical property. I don't count web site vandalism anywhere near this.
Lets take bank systems, a subject close to my heart as I wrote some clearing software between the UK and German stock market. The amount of security hoops I went through to get this up and running were stunning. This is not the sort of thing a script kiddie can bounce his way into, lets face it the most sensitive systems, be they government or bank, are not connect to the net, yet journalists consistantly portray cyber terrorism as a bunch of geeks sitting on their AOL accounts, hacking a big bank. Utter bollocks.
The easiest way for a "cyber terrorism" attack to take place, ie. one that disrupts electronic systems is to blow the things up. Cut the communications links to the London Stock Market. You'd have a lot better chance blowing up the telehouses in the City of London than hacking into their systems. And it would be a lot more effective.
You subscribe to the NT security list at www.microsoft.com/security (I think, I'm at home with flu!), and notifications get emailed to you, or you check that page as often as you check the redhat page. Exactly the same.
I hate to point it out, but remember it was Ebay's sun servers that crashed this year, and not the IIS boxes.
You shouldn't be reassured just because you have "big hardware".
Or you could install the "desktop" version that comes with the SQL7 distribution.
Runs fine on my little Sony Vaio C1F with only 64Mb and a crappy Pentium 250
Just as an aside on not affording ISDN, the only real cost if you're on-line more than 10 hours a week is the installation, the higher line rental is off-set by a call credit.
After getting Home Highway my quarterly bill dropped by £100. It's still too damned high though
Maybe they're doing it because GSM is pretty much everywhere except the US and Canada. You whacky people, starting your own standards up ...
Not what I meant, I meant that I don't care what you think about the companies I work for.
Morality for me is avoiding killing people or polluting, not anything to do with business practices.
Seriously?
When I worked there I loved it. Relaxed atmosphere, best working environment I ever had, all the hardware I wanted, basically free reign outside project deadlines.
Then the UK culled contractors ... booo :(
But my job satisfaction was high, I was proud of the stuff I did with XML as the support was being developed, and I don't care if you all think I worked for the "great satan".
Errr isn't this how the US political advertisements run? Paid for by each party, with pro messages, and slagging the opposition?
Personally, as someone who grew up in Northern Ireland, has seen a car bomb go off, got the crap beaten out of him for living in Chester with an Irish accent when Warrington happened, I still found it funny.
Different strokes for different folks.
I'll disagree loudly here.
About 2 months ago when the "NT needs rebooting every day" comment popped up, I gathered and posted stats of my NT WWW servers here, and the cohosted ones we run. The only down time was on 1 server, which had a network card replaced, and reboots for hotfix/SP application (analgous to a kernel rebuild, before you start pointing the finger at that) the rest had been up since installation, including 1 that's been up for a year.
About 15 minutes later, someone had marked it as a troll. And when I commented one that moderation, that was marked as a troll.
As I've said elsewhere, I believe you should be able to see a moderation history for messages, so you can see exactly who is using moderation sanely, and who's running an OS jihad.
Baz
Up to a point though.
I've also been on the receiving end of being marked as a troll, when I felt I was making a valid point (posting uptime for my 8 NT WWW servers, when people were saying NT needed booting once a day).
And what happened when I complained? That got marked as a troll *too*
Personally, after this, I'd like to see some method of seeing who moderated a post, and as what. It may cut down the abuse temptation to moderate things you don't agree with if people can see what you've done.
And Real isn't proprietary? It belongs to one company, no formats published, runs on 1 player? Thats proprietary to me.
Well Netscape's rendering of CSS has always been lacking, hopefully the Mozilla engines change this, if it ever gets finished. And of course there is no native XML support in Netscape. Not sure about Opera, don't use it.
Microsoft's rendering of CSS is, well, quite loose. It doesn't reject invalid CSS, but instead tries a best guess attempt. This tends to make you think your CSS sheets are perfect, when they're not.
IE 5's rendering of XML works pretty well when I've used it. The DOM is a little off, but then that wasn't standardised when IE5 was released. I used IE5 from the first non-public beta, mainly using the XML parser for server side rendering, and they were *quick* about fixing bugs/inconsistancies. How long did it take Nitscrape to pull together any sort of decent CSS rendering? Oh it's not there yet, lets all hold our breath for mozilla.
For details of what browsers support which CSS attributes take a look here. For a weighted scoreboard try here which marks Opera as the winner, IE5 as second place, and Netscape way at the bottom.
No idea *grin* I'm just getting pissed off with people saying we can't find the .DOC spec anywhere, when I have it sitting on 6 CD-ROMs and it's on the web based MSDN too.
Oh you mean those Office file formats that are documented in the office development kit? In detail?
Those file formats that are on the web at mdsn.microsoft.com?
Yea they're hidden real good.
www.intertrust.com
Basically it will allow downloading of commerical content, and stop transfering of it to other players, or allow downloading of play X number of times mpegs.
And if I say any more I'm breaking a nice big NDA!
Hehe I did part of that web site :)
Hey am I first? :)
Anyway, thats all very well, but for those of us not buying "super computers" it's not useful.
Whats more useful would be exporting of stronger encryption. Lets face it, the US is fighting a lossing battle with encryption. How many of us Europeans have the US version of PGP? How many of use managed to spoof Netscape and Microsoft into giving us the 128bit versions of their browers.
And why isn't the US government looking at this? Because hardware generates more profit, more big business, and thus more taxes and lobbying.
Haven't you seen the security bugs for ICQ's web service? Heheh telnet to it and send a 256 long character string, and oh, watch your PC barf. Add being able to see and get any file you know the name of .... :)
Yea but it's not difficult to find out what web server is running by telnetting to port 80.
* NT has no useful scripting, Linux has everything you can ever need
Then how come I'm using JScript to automate administrative tasks? The Windows Scripting Host allows any ECMA compatable language (VBSCript, JScript (Mozilla still hasn't come up to that standard) and PerlScript from ActiveState are the ones I know off. I've heard rumours of a Rexx plugin too).
* you cannot remote administer NT (Im not talking about fast connections here, (where you could use VNC), try to administer NT over a modem line. Good luck)
Hmm well I develop at home at the weekends and can RAS in and do everything I want, except remote reboots. Stop/Start services, reconfigure the web parameters and so on.
I'll agree on site configuration *grin* But then again once you know the registry, it's easy enough. And thats simple to pick up.
if something goes wrong with IIS, the event log will contain such useful error messages "could not bind instance XXX. The data is the error code. 43 00 00 6c".
The logging entries are defined by the programmers, thats not a fault of NT but the application designers.
Sometimes under NT, the MMC console simply is stuck. Then your only chance to get it running again is to restart the system, simply logging in as a different user does not help. Very annoying.
When that happens to me Task Manager is always able to kill the task.
Barry
Yea but if you have any kind of sense what so ever you don't run CGI under NT, you run ASP or ISAPI. That way you lose the overheads concerned with spawning off a new process each time you try to execute CGI.
Delivering dynamic pages depends on lots of things, speed of the database if you're using one, underlying scripting method, if it's Perl/CGI, VBScript/ASP, C/CGI or C/ISAPI.
Dynamic benchmarks would be interesting, but I doubt you could get anywhere near a level playing field on both sides to make them comparable.
Barry