
Jane's Intelligence Review Needs Your Help With Cyberterrorism

Roblimo posted more than 14 years ago | from the your-turn-to-teach-the-experts dept.

News 256

Jane's Intelligence Review, a famous "in group" publication read by political, military and intelligence honchos the world over, has an article on Cyberterrorism scheduled to run in its next issue. But Jane's editor Johan J Ingles-le Nobel believes Slashdot readers may (ahem) actually know more about potential Cyberterrorism tactics than the article's author, and would like you to comment on his work - for publication. The article is up on a private preview page. Please read it, then post your comments. Johan will read them, here on Slashdot, and will select some of them for publication in Jane's alongside the original article. Before you post, please read a message from the Jane's editor (below).

These are the specific questions Jane's wants answered:

  • Using CT, how easy or otherwise is it to bring down or attack vital systems?
  • What sort of skills would be needed to do so, and are they common/teachable?
  • Commercial-off-the-shelf software: can it really do CT?
  • Which systems are actually attackable?
  • Can a recovery be made from such attacks?
  • Is it likely to improve/get worse?
  • What sort of preventative work would you recommend them to carry out?
For our part, we'll make an article based on your replies. Please try to give examples and evidence, keep it clean and stay objective - this is not a 'military-bashing' exercise. When we publish the article (17 November), if you'd like to be contactable on this issue use your real email address and we'll attribute your comments; otherwise use 'anonymous coward'.

Many thanks,
Johan J Ingles-le Nobel,
London, England.
johan.ingles@janes.co.uk


256 comments


ISPs are weak points. (2)

richnut (15117) | more than 14 years ago | (#1640419)

The biggest threat with cyber terrorism is not so much direct attacks, but as a tool to gather information on organisations for other purposes. If a cyberterrorist attacks an ISP successfully they can gain access to many more networks belonging to the global customers: manufacturing concerns, government agencies, lobbies, financial institutions. The ISP is the passageway for all of its customers, and a large reputable ISP can have direct access to all sorts of customer resources. Monitoring a central router at an ISP can be the ultimate wiretap. ISPs often have financial and personal data of customers warehoused for disaster recovery reasons; these resources are often stored on Internet-connected machines.

Worse yet, ISPs do not necessarily want to cooperate with officials. They do not want to be slammed with liabilities for their transmission of dangerous material. ISPs (last I checked) are not immune to this sort of legal attack like telcos are.

-Rich

Re:CBRN != Cyber (3)

jsm2 (89962) | more than 14 years ago | (#1640420)

In my opinion, the fundamental difference is that Cyber attacks are utterly unlike any other form of attack because they do not involve the delivery of large amounts of energy to the enemy (unless you would call EMP or HERF attacks "Cyber", which IMO would be wrong -- a HERF gun aimed at a computer terminal is really the same sort of thing as a grenade thrown at same.)

Cyber attacks, therefore, are aimed at the information, which is much less easy to destroy because of the possibility of making qualitatively and functionally identical copies. I'd divide cyber attacks into two species: "Destruction of information" (erasing) and "Corruption of information" (spoofing).

Erasing is very difficult to carry out because any system worth attacking is also worth backing up. I know that UK and US interbank transactions are backed up daily, with multiple remote backup tapes. Any Cyber attacker wanting to "destroy" the interbank market will cause the loss of at most one day's worth of transactions. Erasing attacks can be straightforwardly guarded against through multiple, remote (in both geography and network topology) backups, taken at sufficient frequency that the maximum possible loss is bearable for the system (the "safe frequency"). Any system for which the safe frequency is too low for the backup defense to be practical (for example, a power grid) should be kept remote from networks; although this does not defend against attacks from insiders, network seclusion should allow the terminals of the vulnerable network to be physically guarded.

Spoofing is much more difficult to guard against. This kind of attack comes in two flavours: attempts to create phony records or phony messages in a system (such as creating false bank accounts), or attempts to create phony instructions to the processing system, causing a failure of the system which is as bad as an erasing attack.

The easiest way to defend against non-destructive spoofing would be to use backups once more, and to operate a kind of "double-entry book-keeping" which traces every record to its creation and requires consistency between numerous (again, preferably topologically remote) sources. This multiplies the difficulty of a Cyber attack, as the attacker now has to break several systems instead of just one.

Destructive spoofing aimed at the processor rather than its records is a different matter. Causing the processor to execute phony instructions could allow the Cyber attacker to erase records, transmit phony messages and, potentially, to "cover its tracks" well enough to escape consistency checks. Of course, this kind of attack is more difficult than any other -- usually the only way to get another machine to execute rogue instructions is to exploit buffer overflows.

I have no particular suggestions for defense against the final kind of attack, except for the rather obvious advice not to create situations in which buffer overflows can happen. The use of non-standard operating systems or instruction sets could, in principle, make it harder for an attacker to work out what to do with a buffer overflow once discovered, but to me, this seems too much like security through obscurity to be recommended.

I'd add that using the Internet as it is currently designed to communicate between members of a terrorist organisation would not be a good idea -- it goes against the "cell" concept which is known to be the best way to organise. Even messages on private bulletin boards carry enough information in the headers to allow substantial information about the whole network to be deduced for any security agency which can gain access to the routers.

Just some idle thoughts

jsm
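The "double-entry" defense jsm describes above (every record traceable to its creation, consistency required between several topologically remote copies) as an added worked example; this is illustrative code written for this thread, not anything from the post or from Jane's. Record fields, site names and amounts are constructed sample data.

```python
import hashlib
import json
from collections import Counter


def record_digest(prev_digest, record):
    """Chain one record to its predecessor: the digest depends on every earlier
    record, so each entry is traceable back to the genesis of the ledger."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_digest.encode() + payload).hexdigest()


def build_ledger(records):
    """Return a list of (record, digest) pairs chained from a fixed genesis value."""
    ledger, prev = [], "genesis"
    for rec in records:
        prev = record_digest(prev, rec)
        ledger.append((rec, prev))
    return ledger


def verify_chain(ledger):
    """Recompute the chain locally. Returns the index of the first record whose
    stored digest no longer matches (an in-place edit), or None if intact."""
    prev = "genesis"
    for i, (rec, digest) in enumerate(ledger):
        prev = record_digest(prev, rec)
        if prev != digest:
            return i
    return None


def reconcile(replicas):
    """Cross-check several remote replicas record by record. Where they disagree,
    report the index and which replicas deviate from the majority digest."""
    findings = []
    for i in range(max(len(r) for r in replicas)):
        digests = [r[i][1] if i < len(r) else None for r in replicas]
        majority, votes = Counter(digests).most_common(1)[0]
        if votes < len(replicas):
            suspects = [k for k, d in enumerate(digests) if d != majority]
            findings.append({"index": i, "suspect_replicas": suspects})
    return findings


# Constructed sample: three interbank transfers, replicated at three sites.
TRANSFERS = [
    {"id": 1001, "from": "ACME-01", "to": "GLOBEX-07", "amount": 250000},
    {"id": 1002, "from": "GLOBEX-07", "to": "INITECH-03", "amount": 80000},
    {"id": 1003, "from": "INITECH-03", "to": "ACME-01", "amount": 12500},
]


def demo():
    site_a = build_ledger(TRANSFERS)
    site_b = build_ledger(TRANSFERS)

    # Spoofing case 1: record 1002 is altered in place at site B, digests untouched.
    edited = dict(TRANSFERS[1], amount=800000)
    site_b[1] = (edited, site_b[1][1])
    in_place = verify_chain(site_b)  # the local chain alone exposes this edit

    # Spoofing case 2: an attacker controlling site C rewrites the record AND
    # rebuilds the whole chain, so the local check passes there.
    site_c = build_ledger([TRANSFERS[0], edited, TRANSFERS[2]])
    local_ok = verify_chain(site_c) is None
    # Only the cross-site comparison catches it: sites A and B (clean copy)
    # outvote C from the altered record onwards.
    cross = reconcile([site_a, build_ledger(TRANSFERS), site_c])

    return {"in_place_index": in_place,
            "rebuilt_passes_local": local_ok,
            "cross_site": cross}


if __name__ == "__main__":
    print(demo())
```

The second case is the point of the post: an attacker who fully controls one processor can make its records internally consistent, so the defense has to compare across systems the attacker has not also broken.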

"CT" in combination w/CBRN (0)

Anonymous Coward | more than 14 years ago | (#1640421)

As mentioned above, electronic warfare and conventional (including chemical, bio, etc) weapons have different aims. However, sooner or later some group will wise up and use them in combination. This is most likely to happen in a country like the US, initially, where we rely very heavily on electronics and computers for our communications.

Imagine, for example, a terrorist group with a skilled cracker included. They bomb a large public building, and then, at the same time, they knock out a section of the power grid around that building. Perhaps on a town/city level. How much would this hamper rescue efforts? How many more people would die due to insufficient response ability? And, perhaps most importantly, how much more effective at terrorising people would this be? The terrorists send the message "not only can we blow you up with impunity, but we can also take away things you depend on, like electricity."

Now, to be effective, electronic warfare must be carried out by someone who really knows what they are doing. A lot of people keep mentioning Bugtraq and L0pht advisories, but really, to be able to predictably and reliably cause serious havoc with this information, you need to have a large amount of clue. I do not count web page vandalism as "cyberterrorism" in any way. It's a lot more akin to spraypainting on walls. (Article hint: get rid of that part about terrorists altering web pages. That's just silly.)

The real short-term threat from electronic warfare, as I see it, is that when it is used in concert with other tactics, it can sharply magnify the effects of the attack. It will not be long before some group realizes and exploits this, and it will be ugly.

Prevention... (1)

mackga (990) | more than 14 years ago | (#1640442)

Well, the thing is most companies and some govt agencies don't really think about security until theirs has been compromised.

That said, ANY company or govt agency with sensitive data needs to have regular security audits. Tiger teams from bonded intrusion testing companies come to mind; four times a year is not a bad schedule. This costs money, but so does loss/corruption/theft of data. Make sure your admins are keeping up with security issues for the OS(es) being run on your sensitive server(s).

Also, internal security is often overlooked. If you run a company that uses internet access, and you have sensitive data, strictly limit internal users' access to the big bad net. Firewalls and NAT are a good start. Use anti-virus scanners on your email server. Keep access to internal servers at a minimum. Use internal firewalls to protect sensitive departments.

Well, just some basic suggestions.

skills needed, difficulty, random thoughts (1)

db48x (92557) | more than 14 years ago | (#1640443)

It has been my experience that the skills needed to successfully conduct CT are quite teachable, given that the person wishing to learn the necessary skills is motivated, has a minimum proficiency with computers and network technology in general, and has access to the information required. There is also the additional requirement that they possess the correct hardware.

Motivation doesn't seem to be much of a problem with most terrorist groups, unfortunately.

Contrary to popular belief, it does not take a genius to hack into a system. The genius factor only determines how quickly he is caught. However, at a minimum, a hacker must be able to think cleverly and be somewhat devious in order to be a successful hacker. Someone who can only follow the instructions of others won't be able to come up with a new solution when he encounters something new. It should also present an aspect of fun for the hacker. (Is a terrorist allowed to have fun? Does this make their crimes more heinous?) However, I think that this is fairly widespread knowledge.

In order to become a proficient hacker, you also need access to information about the inner workings of the systems you are attacking. A lot of this information can be found on the web, but nothing beats having a good Perl book or the user's guide to the operating system by your side, in print. This is an area where a foreign terrorist group may have trouble. Can they get the information they need? It is almost impossible to pay cash at an online bookstore, and many books are not available from your corner bookstore. I suppose it is again just a matter of motivation - these books can be purchased, you might just have to jump some hoops to get them.

As for hardware, this is relatively easy to get, because you can run Linux on nearly anything these days. The real problem is connectivity. In order to successfully mount an attack, your machine has to be physically connected to your victim's machine (obviously). I really don't know how good connectivity is in most areas in the world (how easy is it to get connected to the net in Uzbekistan, anyone?), but it seems that in many parts of the world, it might approach near impossibility. However, state sponsorship could very easily ease this. The only other option is to actually base your operation in a country like the US where you can get connected for cheap. The only problem with this is that it may be a bit more difficult to remain anonymous.

So, to sum it up, yes, any decent, hardworking terrorist group can set up a CT "department" and successfully attack virtually anything they want.

I'm not sure how helpful this will be, because all it really amounts to are my random thoughts on the issue while doing a little "work" in the campus computer lab. If you are going to quote me, at least fix my spelling.

Daniel Brooks - db48x@yahoo.com

Re:Stock Market (0)

Anonymous Coward | more than 14 years ago | (#1640444)

...or, perhaps, *will*. It's arguable that the failure in 'Nam was of will, not of might or resources (troops, funding, what have you).

Actually, hm. That does bring a few additional possibilities to mind.

* Spreading dis-information; spread rumors and watch as they get picked up by conspiracy theorists, activists and so forth. This is aided by the speed and occasional pseudo-anonymity of, say, e-mail/chat/etc.

* Possibly, attacking media outlets and other sources of information. I'm sure CNN.com gets a decent number of hits, and a minor change there might affect things. Exploit a vulnerability in stock trading system (say, one that feeds prices to systems which then apply automated rules for making trades... !) and you might affect a market.

* This isn't quite cyber-, perhaps, but the insecure use of cell phones and so forth has led to incidents. If memory serves, some Secret Service traffic relating to Presidential movements was once publicized, and a certain Chechen leader (now deceased) named Dudayev owes much of his present state to giving his whereabouts to a Russian rocket artillery unit (via cell phone).

My Detailed Analysis (1)

Shanoyu (975) | more than 14 years ago | (#1640445)

Sorry Jane's, I really wanted to just run through this after I saw it because it's kind of.. well, bleh. I apologise for the grammar, but if I'd had more time I would have written you a shorter letter, as Mark Twain would say.

The article is really grasping at straws. The problem with the article is that it assumes so many things and points out the obvious far too often to be of any use. Obviously if you damage a country's or group's telecommunications they will have a harder time using that network to communicate.

As for using IRC and email, it's a lot harder for governments to regulate and sort through and de-encrypt (where applicable) or even know exist to detect plots brewing; this is different from if they used the telephone, which is easily wire-tapped. An ISP could be asked to hold over email, but with the proliferation of things like Hotmail, the fact that everyone and their brother has eighty or ninety email accounts, and the fact that it's really just impossible to deal with everyone who takes out their aggressions online where their speech isn't restricted, so yes, email and IRC and chatrooms are used, but quite sparingly, and quite frankly I see "plotters" on various IRC networks all the time, although usually they are semi-retarded white supremacists in the age group of 15-25 who really, well, they aren't that bright.

On breaking into websites and changing what they say, politically this has little or no effect. I think personally each American might look at a government website once a month, and I don't think any American reads *.gov to learn about political agenda, well not yet, although that is what the people over here at /. would love to see. The problem is that most people don't give a crap about politics edgewise, so changing a website to push the agenda opposite to what the website would normally be saying would be the equivalent of someone putting down a whoopee cushion where the UN Secretary General sat: good for a laugh, nothing else.

One part of the article I enjoyed was the political factors that motivate terrorist groups to cause violence. This is very informative and useful.

The article, however, suffers from one tragic flaw that appears to affect many, many articles on the same subject. It assumes the false truth that all computers on a network are automatically linked to a network. If you do this and a cracker (note the use of the term cracker, and not hacker. I'm stuck up.) destroys your stock market, they will need to have done a few things.

They will need access to the network; this is not a problem if the network is linked to the internet, but most networks are intranets simply because there is no logical purpose for linking the network to the internet. Governments who commit this most tragic error will fall to Darwin's theory of natural selection when someone gets lucky. If you have a missile base, and someone who is say on vacation needs to shoot the missile in a pinch because of political actions, then they should have to fly back and do it that way, OR they should have to dial straight into the system via long distance with a protected and undisclosed number that changes often and is only enabled when people who need to get in in a pinch are away from the base. And of course they'd still have to log in with a funny looking username and password. This is my solution for the problem; there are probably a thousand others, and just about all of them will prevent catastrophe from all but the BEST terrorist organisations.

The best terrorist organisations will capitalise on any opportunity given, and the fact that they have access to the internet has absolutely nothing to do with it, except for the interesting recruiting procedures via the internet, which is of course dangerous because if you put up a big sign that says RECRUITING TERRORISTS everyone comes to the party just to take a peek.

I think the reason why you haven't seen many extremely tragic cases where people were killed by 'cyberwarfare' is because as terrorists learn about the very interesting buzzword they realise there is essentially jack they can do. I once read a story about a group of terrorists who infiltrated a place where traffic was controlled; the terrorists learned about the program controlling it and almost killed a state official. However, this is fantasy.

You see, this is perhaps every network's greatest defense that runs a specific operation. When the software is developed in house (usually because there is no market for selling such software, like for instance software to drive traffic lights), you would need to figure out how the program worked and how to cause the most havoc (or in a 'surgical' strike, how to kill the one person you want to kill). When this relates to something so mathematically complex as a series of traffic lights as it relates to one man's path relative to his speed and make a four-way stop go all green, sure, it's possible, but only if you already have operatives inside the operation; you can't just run in, learn about the program and the laws behind what it does on the fly and cause havoc. You don't have that much time, unless of course you're an operative inside the operation, in which case I'd find getting the operative in much more impressive than 'cyber terrorism'.

I think the more terrorist groups research computer science and cyber warfare the less of it we will see; well, we won't see much that is JUST cyber terrorism. When you put a master of geography and navigation, a physicist, and someone who understands nuclear missiles, all with computer science knowledge and knowledge of the system, you've got one frigging scary scenario. But quite frankly, it's not cyber-terrorism; knowledge of computer science just comes with the biz. People who run the things normally have to understand what's going on just to maintain it; people who want to cause havoc REALLY have to understand it.

In conclusion, I think the article needs a major revision. The guy really knows what he's talking about when it comes to politics and that's obviously his forte, but I don't think he knows what he's getting into when he says 'cyber terrorism'; it's a remarkably boring (and on its own, useless) thing.


-[ World domination - rains.net ]-

Re:Misc nitpicks. (1)

dufke (82386) | more than 14 years ago | (#1640446)

>Consider adding the motive 'fear-mongering'

terrorism - that's what the word means!


-

Re:CBRN != Cyber (2)

Anonymous Coward | more than 14 years ago | (#1640447)

Attacks involving cyberwarfare are much easier to carry out than your typical CBRN attack. Depending on the security of the target, an untrained attacker using an exploit found on http://www.rootshell.com can bring down critical servers. I don't believe it is quite that easy to design/construct/use a chemical, biological, or nuclear weapon. On a well implemented system, however, it can be much harder to disrupt with cyberwarfare than with more conventional means of mass destruction.

The knowledge required to put forth such cyberattacks is not very common. Anyone can run a script and exploit a fresh Windows NT Web Server, but disrupting a service, especially a non-networked service, is not in the grasp of your average computer user. As far as off-the-shelf software, ummnn... No. There is no magical software which can bring an entire country's infrastructure to its knees (other than stock Windows ;P).

I personally don't know of many attackable systems, but I would generally think it would be systems that have become more computer controlled than not. Power grids, possibly, but unlikely... I have my doubts that anyone can shut down an entire power grid without using some form of non-cyber attack. Telecommunications seems it would be susceptible to a well developed cyber attack. Recovery from such an attack would most likely be quick for a majority, and long lasting for the remaining minority.

The problem with cyberterrorism will definitely get worse before it gets better. There are some pretty big information gaps between the well informed "Wizard" of technology and John Q. Public. I understand that most of the world's infrastructures are not run by total buffoons, but most of them are just normal people with normal jobs who know very little about how the system they work on *REALLY* works.

The only thing that can really be done preventatively is to assess security from a realistic standpoint. Security is more a set of compromises than a true 100% solution. Nothing can be truly secure if it is computerized. Instead, we use the best possible security which still allows the system to function (things can be *too* secure). Many sites may need to reassess their security policies, since many security policies are quite old. This, along with more technical training for John Q. Public (this'll be a while), will help to ensure that cyberterrorism's threat is more limited, since it will never go away.

FeeDBaCK

Interesting, but off target. (1)

Kintanon (65528) | more than 14 years ago | (#1640448)

This article seems to be more about using current and future technology to assist in conventional terrorism and warfare than using the technology itself as a weapon. The article focused primarily on the use of the internet as a communication/propaganda medium for terrorists, when you can just as easily insert the word 'Telephone' for every instance of 'internet' with almost identical results.

If you want to write about 'Cyberwarfare' then the article should focus more on the abilities and technology needed to bring down the computer based infrastructure of a country. A few hundred script kiddies turned loose with the latest hardware and software could probably cripple most governments simply by destroying the ability to communicate through any means other than Shortwave radio. Given enough knowledge of an opposing system it would seem that a determined group of crackers could knock out Telephone, Electrical, Water, and Gas as most of those are now computerised and the computers are sitting on a network with an access point on the internet somewhere. Many times these systems seem secure and unbreakable, but that is only because no one has yet made a concerted effort to take one down.
As I was saying, this article should focus more on the actual Computer Warfare aspect as opposed to the Conventional Warfare with the aid of computers line that it currently follows.

Kintanon

Cyberwarfare may be fact (1)

skelly (38870) | more than 14 years ago | (#1640449)

The threat of cyber-terrorism is a growing concern for many western governments. I do agree with Johan J. Ingles-le Nobel that it can become a very new method of attack and attention gathering for terrorist groups. Fortunately most groups of terrorists have resorted to conventional methods of operation (physical violence, intimidation). The very nature of using computers to create havoc upon the military or social infrastructure of western nations has and will in the future require large amounts of capital and technical expertise. The only groups with that sort of financial and technological resources are governments and corporations. Terrorists hardly ever have the skills, expertise, or resources to cause massive amounts of damage. They rely on fear and the intimidation created by press coverage and government crackdown.

Historically, very few terrorist organizations have ever overthrown a government or colonial authority. In every case it has taken the backing of another world power or the withdrawal of colonial authority due to morale collapse to facilitate a victory. The American revolution, Sandinista revolution, the Banana Republics of South and Central America were all due to outside financial or political interests. In Africa and Asia, most former colonies that had insurrection were only "victorious" due to the withdrawal of occupying forces and the collapse of morale. After World War II, it was the loss of status as world powers and the collapse of Europe that allowed the so called success of terrorist and revolutionary movements in colonies.

However, at the close of the 20th century, most governments can rest assured that no terrorist group will be able to overthrow the government. The only aim of these groups is to create fear so that government reprisals will make these regimes unpopular. The underlying fanaticism of these groups is not very strong either. The smarter terrorist organizations use the poor, religious, or politically fanatical as martyrs. All decision making is accomplished by secular, not religious, people. Look back at recent history to the Middle East and South East Asia. All of the martyrs or dead from those insurrections were among the poor and uneducated. The losses by organizations like the Viet Cong and Hamas/Hizbullah were spectacular. Yet these groups kept going. This requires outside political and economic support. The Viet Cong collapsed in the mid 1960's. North Vietnam had to take over and prevent its losing to South Vietnam. By the time of the Tet offensive, all officer and non-commissioned officer roles in the Viet Cong had been replaced by army regulars.

The cyberwarfare and cyber-terrorism of the coming years will not be any different. The computers and other communications hardware have gotten faster, better, and inexpensive, but are still out of reach to most terrorists. It would take tremendous financial backing by a state or corporate entity to equip this kind of warfare. It would be cheaper and more cost effective in personnel to recruit the lower classes as martyrs in conventional terror campaigns than to invest in trying to crack the Pentagon.

It would be prudent for intelligence and police authorities to take safeguards against this kind of attack. However, the loss of civil liberties or privacy through laws meant to combat this threat would only serve the terrorists' interests of a frightened and disgruntled public. Another threat is from the governments themselves. It has already been revealed that the CIA/Defense Department used to inflate the military capabilities of the Soviet Union to justify their own budgets. The CIA's budget is still classified. It has also been revealed that the NSA listens to private telephone conversations of the average citizen--Echelon.

I think that great care must be taken to see that government does not overstep its bounds and forget that it is government of the people, for the people, and by the people. I do not want my government making me feel like a criminal.

Of course there is a remote "stop burn" (1)

afniv (10789) | more than 14 years ago | (#1640450)

* It would depend upon the vital system, of course. It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.

Don't forget though, if all it takes to "throw water on the fire" is a simple text e-mail message signed "Management" asking to shut down the plant, this is a concern. Either the procedure needs to be changed or have secure/reliable communications which can be compromised. In this case any system can have a remote stop burn option.

Anywhere people rely on computers, cyber-terrorism can be a concern. It doesn't have to be completely electronic.

~afniv
"One could be glad if the air were as pure as the beer"

Dependence Re:Just unplug the computers (1)

Pseudonymus Bosch (3479) | more than 14 years ago | (#1640451)

But we are starting to depend on highly unreliable systems.

What if you use a Hotmail or other free account to receive "important mail"?

What if a page showing, say, stock quotes or temperatures is altered? Maybe not you and me, but there are people who are leaving some decisions to systems this unreliable.

Not life or death (by now).
--

Here's a good opportunity (1)

Laurion (23025) | more than 14 years ago | (#1640459)

A good chance to let people know the difference between hacking and cracking..... Laurion

CBRN != Cyber (5)

rde (17364) | more than 14 years ago | (#1640464)

Although the article lumps them together as 'terrorist weapons of mass destruction', cyber attacks are very different from chemical, biological, etc, attacks for a whole bunch of reasons:

Finance. The article implies that major finance is required to implement major attacks; this is not the case for cyber attacks; L0pht bulletins and Phrack are all that's required, along with a script kiddie mentality.

Nature of attack. Cyber attacks in general don't attack people; they attack infrastructure. If properly implemented a lot of people will die, but as a side-effect. Biological attacks, OTOH, attack only wetware and leave infrastructure intact.

Personnel. One deranged chemist can do quite a bit of damage, but an embittered genius nerd can do much, much more. Remember that interview with L0pht? "I can shut down this power grid now."

On the subject of state-sponsored terrorism: I honestly don't believe that this is the problem a lot of people make it out to be. If your system goes down, it's a lot cooler to say it was the Indonesian Government than a dodgy cgi script. I'm not saying it doesn't happen, but I do believe that it's seriously overhyped.

Finally: defenses. Up to a couple of years ago, people thought of security the way people in the 80s thought of Y2K: it'll probably be a problem some day, but we'll muddle through. Any system put together in the last couple of years was implemented with security in mind (if it wasn't, shoot the sysadmin), but most systems more than a couple of years old are inherently insecure. Ironically, Y2K could prove to be a boon, as audits will give detailed reports on exactly what's in a system, and this information can be used to boost security.

is it possible to protect against? (2)

segfaults (98291) | more than 14 years ago | (#1640467)

The main thing that comes to mind when reading this is the fact that a person with about 1k US$ to spare can go to radioshack and pick up the parts for a machine which will "crash" an unshielded solid state computer. Things like that are in my opinion the worst threat. Hackers can only do so much, but a terrorist with some type of EMP, or other such, device could just disable some important facility. Think about air control towers, are those computers shielded? How about 911 dispatches? I could be wrong; if I am, tell me.

Re:is it possible to protect against? (1)

Zachary Kessin (1372) | more than 14 years ago | (#1640470)

The problem with EMP is that you have to get close, within a few hundred yards. A software attack can be launched from anywhere. But it is worth noting the EMP.

Bravo to Jane (1)

Enoch Root (57473) | more than 14 years ago | (#1640473)

I don't have anything much to say about the article, as I'm sure others will have more pertinent comments for the discussion at hand. I do, however, want to say that it's nice to see serious ventures into the investigation of so-called "cyberattacks" go at the source for information: the hacker community itself.

It's nice to see someone not taking an academic position in regards to the matter, but actually inquire with the people that may know a bit more about the practical realities of hacking or, by association sometimes, cracking.

Now; let's make sure we point out the difference between hacking and cracking, here. :)

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

Hackneyed alarmism (5)

redelm (54142) | more than 14 years ago | (#1640475)

This article is extremely poor. It reads as if the author had done a global search-and-replace of CBRN to CBRN/Cyber, plus added a very few IT paragraphs. The tone is unreasonably alarmist.

It makes no distinction between cyberterrorism, which is an attack upon C3I (command, control, communications & intelligence) systems, both military and civil, and terrorists using their own cyber C3I.

Worse, it confuses C3I (infosystems) with CBRN (weapons systems).

Jane's editor asks some good questions, but this article cannot even be rewritten to answer them.

-- Robert

Vulnerable systems (2)

Laurion (23025) | more than 14 years ago | (#1640477)

I'd also like to bring up the very good point that your vulnerability is directly related to the systems you are running, and how well they are configured and maintained. For starters, any machine not on a network is almost infinitely more secure than one that is. But if you have to have a computer on a network, you better make sure you have someone who knows what they are doing configure it for security. Or get something that is inherently secure. Not to sound like a fanatic (just a fan), please note the Army's recent decision after counsel with the W3C to switch their web server to a Macintosh. However, it may not be practical or desirable to switch every machine in the operation to something else. The only way to fight knowledge is with knowledge. Fight cyberterrorists by being smarter and better than they are. That alone should take care of most of the script-kiddies. Then you have to worry about those who are smart enough to do it for other reasons...

Misc nitpicks. (3)

Anonymous Coward | more than 14 years ago | (#1640479)

Comments on the specific Q's
* It would depend upon the vital system, of course. It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.

* Skills? There has to be somebody available to *write* the original program, and that probably means knowing something about how the target site is operated. If it's done well and does not require user input, it *might* then be possible to hand the program to a 3-year-old with his finger on the 'enter' key, and take the next flight.

* Define CT. Does a denial-of-service count? Did the "Ping of Death" count? Does 'telnet' count?

* The only way to know what's attackable is to know every system. I don't pretend to be omniscient, but common sense should apply; my refrigerator is not running a Telnet server, for instance. My bank probably uses encrypted communications and a journaling filesystem with transaction logging. A web guestbook might not have been written w/ an eye towards preventing filling-up-the-disk. Etc.

* Recovery? It depends. If one gets "rooted" and the attacker simply wipes all files, it's time to go get the mag tape. If the attacker simply uses your machine to go on online chats and doesn't actually *do* much, that's a different story. Of course, many will point out that you can't *really* know unless you were watching the entire session, and should therefore reach for the mag-tape.

* It's a continuing race. Those who neglect security have more to lose, however.

* Advice? Use your head. Use systems by people who actually care 'bout security. Follow principles 'bout least-privilege and so forth. And don't bring your box online before searching for relevant docs -- but also don't believe that the sky is going to fall as soon as you plug in that cable.

Misc notes --

* (minor) Possibly, the full name of the LTTE -- the Liberation Tigers of Tamil Elam -- should be used. {shrug}

* Similar minor nitpick: Is is 'bin Laden' or 'Bin Laden'? I've seen both in print.

* Something to note: a 'Cyber' attack, as the article terms it, would most probably not incur nearly as harsh retaliation as a CBRN attack would.

* As was noted above and no doubt below, substitute 'cracking' for 'hacking'.

* Consider adding the motive 'extortion'. This may or may not be plausible based on the difficulty of getting the money...

* Consider adding the motive 'fear-mongering'; that is, to cause a population to be unduly alarmed at the alleged possibility that their banks will be raided or that malicious crackers will down a jetliner or so forth.

Re:Big Differences... (1)

revnight (8980) | more than 14 years ago | (#1640480)

while i'm dubious that cyberterrorism itself could lead to a massive loss of life, it would make one fine distraction for a CBRN attack.

it wouldn't even take an attack on financial/government servers...the trucking industry, for instance, is every bit as important to everyday workings of the country as being able to use the atm. how much of a distraction was it when that satellite (whose name just dissolved from my pitiful excuse of a memory) went down?

for that matter, i wouldn't imagine it would be difficult to redirect any shipment enroute if the company uses satellites to track shipments/inform drivers. "hey joe, those bins of auto parts we picked up don't go to the saturn factory, we're taking them to a warehouse in downtown Nashville now."

"Defence Consultants" (0)

Anonymous Coward | more than 14 years ago | (#1640481)

So, basically, our tax dollars go for you to help governments be more effective in beating their discontent population, or strengthening the domestic military (police), or who knows what, maybe killing someone about to make a legitimate scientific advance in the name of national security.

And you expect a group of people who believe in something greater than the primitive nation-state to assist you in doing so.

My advice for your article (that was written by a 5-year-old, it appears) is to produce some journalistic integrity, prove that you do not use all of your "intelligence" to make yourselves richer and shady government institutions stronger, and then come back and maybe we'll be nice enough not to hack your website.

Jane's and "Cyberterrorism" (1)

rjh (40933) | more than 14 years ago | (#1640482)

(Permission is granted to JANE'S and/or others, as designated by JANE'S, to reprint this posting, in whole or in part, provided that any editing is made clear in the final printed result and that Robert J. Hansen, rjhansen@inav.net, is attributed as the original author. If anyone wishes to contact me regarding information warfare issues, please feel free to use the abovementioned EMail address. My public key is available at the usual keyservers, and also here on Slashdot.)

Q: What's the accepted terminology -- "cyberterrorism"?
A: Most hackers avoid anything "cyber" like the plague; I prefer "information security" for what I do, which is defending systems from information warfare. Besides, "chemical, biological, radiological and information warfare" sounds better than using "cyberterrorism".

Q: Using CT/Information Warfare, how easy or otherwise is it to bring down or attack vital systems?
A: It depends a great deal. A lot of it depends on whether an attacker wishes to target a specific vital system/subsystem, or whether an attacker is going after targets of opportunity. Many vital targets are inappropriate for information warfare. For instance, although an IW attack against a sewer-treatment system could devastate entire cities with plague and disease, very few sewer-treatment systems have their vital components hardwired into the Net. Unfortunately, a great many systems are both appropriate and not in any substantial way secured against IW. The telephone network, for instance, is a prime example of a system which is substantially under-secured.

Q: What sort of skills would be needed to do so, and are they common/teachable?
A: Bruce Schneier (schneier@counterpane.com, public-key available from the usual servers) once said that "only the first person has to be smart, everyone else can just use software". The skills needed to invent and/or discover new attacks against networks are substantial, somewhat rare, and are very demanding to learn. However, once the attack has been invented/discovered, software can be written to vastly simplify the task of executing this attack. It took Cult of the Dead Cow months of hard work to develop Back Orifice and Back Orifice 2000, but after they developed this software it was available to the community at large. CDC are ethical hackers who released Back Orifice as a way to embarrass Microsoft into patching their awful security model, but there are thousands of wanna-bes who are now attempting to use Back Orifice for unethical and criminal ends.

Q: Commercial-off-the-shelf software: can it really do CT?
A: It's not sold at Fry's or Best Buy, so it's not exactly "commercial, off-the-shelf software". There is a significant software black market, though, and software to conduct IW can easily be found on this market. There's no real guarantee of software quality, though; for every skilled engineer who designs a tool, there are a dozen half-trained monkeys who think they can do the same thing. That's true in both the commercial and underground software markets.

Q: Which systems are actually attackable?
A: If it's got a connection to the Net, it's attackable. Some systems are just more attackable than others.

Q: Can a recovery be made from such attacks?
A: Sure. Hiroshima is a booming, bustling city today. If Hiroshima can recover from the savage insult of The Bomb, then I'd have a hard time believing that a community, state or nation couldn't recover from an IW attack.

Q: Can a recovery be made quickly from such attacks?
A: In theory, absolutely. But you need to prepare for post-incident recovery before you're actually attacked. Most places don't have any kind of post-incident procedure in place, and those that do frequently forget all about their post-incident procedures.

Q: Is it likely to improve/get worse?
A: I think it's going to get a lot worse before it gets better. People tend to view computers as magic boxes; you plug them in and they go. Very few people really want to think about how many individual components go into a computer, and how much more complex a computer network is than a single computer. You wouldn't dream of driving your car 10,000 miles without changing the oil; we've been taught that this is a Bad Thing. Many people lack the technological savvy to realize when they're doing the technological equivalent of driving 10,000 miles without an oil change.

Q: What sort of preventative work would you recommend them to carry out?
A: There are some very good computer security firms out there. Hire these outside, independent contractors to perform audits of your security. When they talk, listen -- don't fall into the trap of "we didn't come up with it, therefore, it's inferior". Secondly, only use open, peer-reviewed protocols, algorithms and operating systems. Many people think that if a system is open it's insecure, since an attacker can see how it's put together and determine how to best attack it. This logic is faulty. Open systems are designed to be secure even if the attacker has perfect knowledge of the system; closed systems are designed to be secure only if the attacker has minimal knowledge of the system. And any attacker worth his salt is going to have intimate knowledge of the system he's attacking, which means that closed systems operate at a distinct disadvantage.

Q: Any last words?
A: Yes. Please, please, please do the hacker community a favor. Please learn the distinction between "hacker" and "cracker", and bring up this distinction in your publication. Jane's is an esteemed, respected publication, and I would be delighted to see some well-known source explain to its readers that, contrary to media usage, hackers are usually ethical individuals with a high degree of technological savvy; crackers -- criminal hackers -- are fiends and malcontents who deserve nothing but condemnation and scorn from society.

Re:Hackneyed alarmism (0)

Anonymous Coward | more than 14 years ago | (#1640483)

Ditto. The article says virtually nothing about the real risks involved in "cyber warfare", and putting them in the same context as chemical, biological, and radiological attacks is beyond ignorant. I have already heard enough of this stuff from U.S. domestic intelligence figureheads to last a lifetime. I only hope that the Jane's readership has sense enough to see through this BS.

It looks like the author summarized a few widely available sources on the potential use of weapons of mass destruction by terrorist groups and their sponsor States, and tacked on references to "cyber" and "Internet" just for the sake of fashion.

The article is not fit to print in a respectable outlet, and I don't see how to fix it without removing all references to information warfare.

Intellectual Property (0)

Anonymous Coward | more than 14 years ago | (#1640484)

One of the things I thought is:
what benefits can a Slashdot reader get from getting posts republished in commercial press like Jane's?

Isn't it just "work for me for free"? (Apple PSL)

Remember:
"All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-99 Andover.Net."

Re:CBRN != Cyber (2)

oneiros27 (46144) | more than 14 years ago | (#1640485)

I'd definitely have to agree on this one. What is the reason for lumping together the two types of attacks?

There are significantly different resources behind the two, defenses, and in my opinion, different motives. (I mean, you don't have someone spreading some minor disease everywhere, 'just to see if it would kill someone', yet you have script kiddies downloading exploit scripts and running them against every last machine they can find, hoping to get a kill)

That's not to say that at times, the motivations may be the same, but you don't often get some prankster deciding that it'd be cool to show someone a hole in their security by cultivating anthrax, and dropping it inside a building.

The article seemed to be missing quite a few important points (but then again, I got bored with it, and skimmed a few sections, so it might be my fault). All that's really needed for a computer hacker is someone who understands how/why things work, and has a good ability for problem solving.

There's quite a few good precautions to take... one is simply creating good policy on how to deal with perceived threats, especially internal.


Here's a real life example, as it happened to me:

I once put something on a web site discussing how a faculty member was using university equipment to start up his own company (mind you, purchased tax exempt), and had given us inferior equipment to use, with 'Property of NASA' stickers on it (where he also worked). Well, I also happened to use the word 'fuck' in reference to him and some others on the site in a few locations, which was a breach of the Code of Computer Conduct, so I got called to the dean's office, and they threatened to have me expelled (I wasn't aware at that time that they were getting a few mil in grant money from Ford for some other research the teacher was doing, and the school was more than willing to let me go rather than lose their funding). Anyway, in the course of the discussion (which I really should transcribe, along with the faculty member threatening me in the hallway afterwards, as I have it all on tape), they threatened to have me removed from my job at the university.

That was a really bad move, as had I really been pissed off at them (which well, I admit, I hold grudges), I would have immediately gone to the system, and given myself a few backdoors in (as I worked in academic computing, and had root access on the 20k+ user mail server). So anyway, either fire people, or don't. If you've got a computer person whom you think is a problem, don't give them any warning. Lock them out as best you can, and begin a full audit of the system to see if they've left in any back doors. Never even hint at firing someone, or they could put a few hooks in there, just for the fun of it. (eg, something that would trigger should their account ever be removed, etc.)

Most places that are even reasonably sensitive should already have protocols such as this, but I don't know the intended audiences for this article.
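As an added example (not code from the post above), here is a small Python audit in the spirit of that advice: after an administrator's account is revoked, check cron, root's authorized_keys and file ownership for anything still tied to it, including jobs that test whether the account still exists. All input is constructed sample data; the user name jdoe, uid 1042, the paths and the key blobs are assumptions.

```python
"""Offboarding audit for leftover persistence tied to a revoked account.

Added example, not from the Slashdot thread. It runs on constructed sample
input (a crontab, an authorized_keys file, a file-owner listing); on a real
host you would feed it /etc/crontab, root's ~/.ssh/authorized_keys and the
output of a filesystem walk instead.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str
    detail: str
    reason: str


# Shell fragments that test whether an account still exists. A cron job that
# wraps one of these in a conditional is the "trigger should their account
# ever be removed" pattern the post warns about.
ACCOUNT_PROBE = re.compile(r"\b(id|getent\s+passwd|finger)\s+\S+|grep\b.*\bpasswd\b")


def audit_crontab(lines, removed_user):
    """Flag cron jobs that probe for the removed account or still reference it."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ACCOUNT_PROBE.search(line):
            findings.append(Finding("crontab", line, "probes account existence (dead-man trigger?)"))
        elif re.search(rf"\b{re.escape(removed_user)}\b", line):
            findings.append(Finding("crontab", line, "references removed account"))
    return findings


def audit_authorized_keys(lines, approved_blobs):
    """Flag SSH public keys whose key material is not in the approved inventory.

    Assumes plain 'type blob comment' lines (no leading options). The approved
    inventory is constructed here; a real one comes from your key-issuance records.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        blob = parts[1] if len(parts) >= 2 else ""
        if blob not in approved_blobs:
            findings.append(Finding("authorized_keys", line, "key not in approved inventory"))
    return findings


def audit_owned_files(records, removed_uid):
    """records: (path, uid, mode) tuples. Flag files still owned by the removed
    uid; setuid/setgid ones (mode bits 06000) are called out separately."""
    findings = []
    for path, uid, mode in records:
        if uid != removed_uid:
            continue
        if mode & 0o6000:
            findings.append(Finding("filesystem", path, "setuid/setgid file owned by removed uid"))
        else:
            findings.append(Finding("filesystem", path, "file owned by removed uid"))
    return findings


# Constructed sample data (not from any real host).
SAMPLE_CRONTAB = [
    "# m h dom mon dow user command",
    "0 3 * * * root /usr/local/sbin/backup.sh",
    "*/5 * * * * root id jdoe >/dev/null 2>&1 || /usr/local/bin/notify",
    "30 2 * * 1 jdoe /home/jdoe/bin/report.sh",
]
SAMPLE_AUTH_KEYS = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedkeyA== ops@corp",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedkeyB jdoe@laptop",
]
APPROVED_KEY_BLOBS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedkeyA=="}
SAMPLE_FILES = [
    ("/usr/local/sbin/backup.sh", 0, 0o755),
    ("/usr/local/bin/helper", 1042, 0o4755),
    ("/home/jdoe/bin/report.sh", 1042, 0o755),
]


def run_audit(removed_user="jdoe", removed_uid=1042):
    """Run all three checks over the sample data and return the findings."""
    return (audit_crontab(SAMPLE_CRONTAB, removed_user)
            + audit_authorized_keys(SAMPLE_AUTH_KEYS, APPROVED_KEY_BLOBS)
            + audit_owned_files(SAMPLE_FILES, removed_uid))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.source}] {f.reason}: {f.detail}")
```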

For certain values of "Open Source"... (2)

Paul Crowley (837) | more than 14 years ago | (#1640486)

This is the other meaning of the phrase "open source" mentioned on the opensource.org [opensource.org] Web pages: in intelligence/surveillance circles, an "open source" is one openly available, like a newspaper or magazine you can just buy anywhere, as opposed to a source that's handing you information that not just anyone can get. The two communities may be closer than we'd guessed!
--

Re:Hackneyed alarmism (1)

revnight (8980) | more than 14 years ago | (#1640487)

robin,

i'm curious, how'd he find this place? i'm well aware it's not secret, just curious why he chose /.

maybe you can get him some week for the Q&A session. ;)

Re:how to avoid CT? (0)

Anonymous Coward | more than 14 years ago | (#1640488)

>net censoring/eavesdropping/illegalizing reverse engineering/etc

i hope you are being sarcastic...!

Human Engineering (0)

Anonymous Coward | more than 14 years ago | (#1640489)

I have to agree entirely. When I was reading the Jane article I kept on waiting for something original or insightful but it was just too shallow. Compare this to the description of the PCweek server crack last week. (Jane does have a different audience but still its a boring read.)

One of the main problems is that it doesn't specifically define CT and why it is dangerous.

>Using CT, how easy or otherwise is it to bring down or attack vital systems?
>which systems are actually attackable?

Every system can be attacked/shutdown.
Assumption: Every system requires an organization to support it or has access to the physical hardware. E.g. Banking IT departments, Telecommunications Consulting firms.

All a terrorist group has to do is to plant an agent into these groups and then, maybe during a major company re-org or Dec 31, 1999, attack the physical hardware. These computers are located in a secure room but how many are built to withstand a C4 explosion? How about stealing backup tapes, altering them with a hostile program, replacing the tape, then causing the system to have to restore the tape?

Hell, how about infiltrate Bell/Lucent/Citicorp/IBM, rise up the ranks of management, then cripple the institutions by making PointHairBosses decisions to weaken the systems from within?

My point here is that human engineering can go farther than any software/cracker if a dedicated organization sets its mind to it.

My comments (2)

proberts (9821) | more than 14 years ago | (#1640511)

I think it's an injustice to lump information warfare in with "traditional" NBC-type warfare.

The problems of INFOSEC today are the infrastructure of tomorrow. Power grids, water treatment plants, telecommunications infrastructure, etc. are all quite vulnerable in at least several instances. Don't forget that it doesn't take an anonymous long-distance attack to get "in." A virus on a demo CD, a trojan in an executable "greeting card", etc. Timebombed code can be left by a temporary employee, cleaning person with physical access...

Today, employers, even those who are running critical infrastructure, are hard-pressed to not give employees Web access (401k plans, health insurance plans and others are starting to _mandate_ it). Most of those employees are on insecure, poorly administered, untrusted desktop operating systems. Add SSL and VPNs to make tunneling next-to-impossible to detect and you've got a recipe for serious electronic mayhem.

The barrier to entry here isn't very high. If you look at the number of viruses and compromised hosts on the Internet, and see if you can get hold of the statistics for telephone fraud that relate to compromised PBXs, you'll see that the knowledge is already fairly easy to gain. It's fairly easily transferable too. But *there's no need to transfer it*. Recruiting people who are already good at it should be trivial for most either well-funded organizations or organizations with a strong "appeal" to either a targeted individual, or a member of the target's preferred sex group. Ideologies tend to be better draws, but it wouldn't be difficult in either case, nor would extraction of several unwilling potential accomplices. One sympathetic organization member with competence would probably have a trivial time recruiting as well.

Some of the people who have the skillsets aren't socially very far evolved, don't necessarily have access to material things they'd like and are under age. All of those groups are easily targeted.

It's all software and easily gained knowledge, and testing is trivial and not necessarily dangerous. Unlike most traditional weapons, it's fairly simple to test out information attacks without anyone detecting it because you can do it on your own systems.

Until infrastructure vendors start making secure-by-default infrastructure (switches and hubs predominantly) and it becomes widespread in the install base, things like hospitals, power plants, water and waste treatment facilities, telephone exchanges, banks, etc. will be good targets of opportunity.

While some places practice good security, not all do. It's becoming quite trivial to place a small 2" square machine onto a LAN port. Wireless networking on the back side and you're in. For less than USD$1000 you could build such systems and disguise them as appliances like lamps.

Not many places outside of the national security arena even do RF sweeps. Infrared is starting to make even that less useful.

Look at what the failed S&L industry cost; it's possible to disrupt commerce in key segments enough to cause millions of dollars of damage today, and billions over the next 5-10 years. Not all electronic terrorism need be traditional warfare; economic warfare is just as valid.

We're "used" to terrorists who directly cause terror, now we're building the capability for them to set events in motion that have longer-term effects and aren't first-order effects.

Finally, the combination of electronic and unconventional warfare, since they need not be exclusive, is a new one. False SNMP trap, compromised phone switch and a ready to deploy "customer engineer" is just one example that springs immediately to mind.

I could go on and on, but that's probably enough for now.

Paul

Cyberterrorism (2)

fizban (58094) | more than 14 years ago | (#1640512)

There are a couple of points that need to be stressed in this article.

  • CT is easy to do
The hurdles faced by a cyberterrorist are much, much lower than those faced by a CBRN terrorist, from financial needs to technical know-how. Because of this, the possibility that cyberterrorism can be a threat is much greater than that of CBRN terrorism, and there is a definite need for strong anti-terrorist programs.
  • CT will become a more significant threat in the future
Although most of the CT attacks that we see today are merely fluff attacks on websites and involve purely propaganda-related intentions, the threat of these attacks will become more dangerous and will hit many more critical systems as we move into a future. As our infrastructures rely more and more heavily upon networks and communication to stay alive, they will become more susceptible to attack and will suffer heavier damages if that attack occurs.
  • CT is both an internal as well as external threat.
Although we may currently be more worried about external attacks upon our systems, the future will bring a greater possibility of attacks from the inside as a result of members of our own community becoming frustrated and disillusioned with the government and other power figures. Anarchy is the ethical norm in the Cracker and Hacker communities and the possibility that lone rogues may take matters into their own hands is quite strong.
  • CT in addition to CBRN attacks will become the norm.
As terrorists add CT to their list of tools for destruction, we will see more and more cases where CT becomes an essential step in their attack plans. Defeating a security system through CT, then attacking with conventional life-threatening weapons will likely become the most common means by which an attacker operates.

In essence, CyberTerrorism should be taken as a serious threat and should be treated as such, now and in the future. We should instill in our children a sense of technical know-how and understanding of how to combat these threats as well as a moral obligation to fight the elements of our society who threaten to destroy us.

----
Lyell E. Haynes

Re:Hackneyed alarmism (1)

jsm2 (89962) | more than 14 years ago | (#1640513)

Well, Johan should certainly be talking to the people at APACS [apacs.org.uk] , the UK payments system and to the Federal Reserve Board of Governors, who run Fedwire [frb.fed.us] . They have had cause to think about this thing for a while.

I'll add that, for fairly obvious reasons, there is no technical security information on either of those websites, but I would guess that Jane's would be able to get an in to the people who know.

jsm

Re:Infrastructure (1)

Anonymous Coward | more than 14 years ago | (#1640514)

I'm much more concerned that someone will use real-world weaponry against the net. For example, using a couple truck-bombs against MAE-West and other NAPs simultaneously. A sufficiently coordinated attack of this nature could do real damage to the global economy just in terms of panic and disruption (massive stock sell-off, etc.). Plus, since it's a real-world attack, the damage is harder to contain/repair. I mean, anyone got a backup tape that'll rebuild MAE-West?

This sort of thing is a huge huge worry. I once spoke with a consultant who worked with a major telco who told me that a fire that destroyed a central office taught them more about vulnerability than they ever wanted to know. The example he gave was how banks were not able to trigger remote alarms because of destroyed equipment.

This sort of attack could be devastating on the net. Taking out a few NAPs would devastate the Internet. The fault tolerance is not there. Worse yet an attack to the main NAPs could force traffic through smaller less-secure nodes where monitoring has already been put in place because security may be lax.

Perhaps more importantly, anyone with enough skill to launch serious cyberattacks is probably going to be making serious $$$ in legitimate industry.


Why can't they do both? If someone is motivated by the same agenda, helping via cyberattack is a very low profile way to take part in the jihad. Those folks at the Dept. of Energy selling secrets to China were making good money I'm sure.

Anyone know... (1)

Demona (7994) | more than 14 years ago | (#1640515)

the history of the name "Jane's"? I've always been curious why all these combat simulators, military intelligence thingies, etc., were produced under this name. Is the female connotation supposed to make it seem less threatening?

Thoughts and comments (2)

TBone (5692) | more than 14 years ago | (#1640516)

As one of the other readers commented, this article just about looks like they are replacing Terrorism with CT, and rehashing a previous article. The two really have nothing to do with each other, outside of the fact that both are disruptive to the intended target. In addition, there is nothing in this article that goes into any kind of depth; I'd expect to get this article back out of an academic article abstract database, like ERIC or PSYLIT, or something similar. At least include references for additional reading.

Standard terroristic attacks are designed to physically disrupt or injure the target. CT attacks are intended to logistically disrupt or subversively capture sources of information, communications, or other lines of non-physical infrastructure. Because of this, it is much harder to identify from the inside what you are trying to defend against (would you think to secure your "recent documents" list on a computer that regularly handles sensitive material that may include logistical data?)

  • How easy is it to bring down vital systems depends on how vital those systems are considered by the owners/administrators, and how secure they attempt to make these systems. If you run your company's payroll and general ledger system on a computer that has a wide-open link to the Internet, and don't consider that information very vital ("I can restore that any time I need to if it crashes..."), then you can expect that even commonly known points to hack into systems will be vulnerable.
  • Basically, all that's needed is a good set of programs that can identify systems and, equipped with a knowledge base of vulnerabilities, start hammering away at them. In reality, being able to crack systems is all in a way of thinking that most people don't manage. Just as some people can't "get" math and some people seem to breathe it, some people just "get" cracking.
  • If you mean "Can I buy Microsoft Hacker 2000", no. But the tools and means are readily available to anyone who knows how to read, has a dialup connection of some sort, and knows how to either download already-written program snippets or can program themselves.
  • Any system that can be accessed in some way by someone who does not explicitly need access to the system is attackable. If you touch the internet, you may be attackable (DoS, various service attacks, etc). If the machine is physically accessible by someone who doesn't need access to it, it can be attacked (I don't need to blow up your data center, I just need to hit the big red button on the wall to shut you down). It all comes down to whether or not the system is available to someone who doesn't need it to be available to them.
  • Recovery can be made, but is the window acceptable? How fast do you need to recover the computer that controls the ballast tanks and external hatches on a submarine? How long does it take someone who gains access to a satellite to get the image of the local layout of your building/utilities/people? If you have to "recover", you didn't properly perform your job at hand, which is to secure your systems.
  • CT will probably get worse as time goes on. More devices are being connected to the world, more information is flowing between them, and we are becoming more dependent on these devices and the information they provide. The bigger the mountain, the more places to drill into it and cause an avalanche.
  • As far as preventative work, you should look at everything as a potential target. Once you start seeing your technology in that light, you will begin to see holes in its existence. Why is that essential server just sitting in a common room with no limits to its access? How come we designed our phone system to trunk every line we use through this closet? How vital is this data that we are broadcasting to possibly millions of people; could it end up being subversively intercepted, edited, and redirected?

Reading back on this, it sounds alarmist, but I've worked in both the financial and transportation industries, and have seen points in the companies that, given the right circumstances and the right time, could cause irreparable harm to the operations.

This is really the point of CT; if I blow up a bridge, you can wade through the river, or go around to the next one; or build another command center, or have another one available. However, if I have access to your computer systems, or have the ability to alter your data, you may never be able to tell your people about the blown bridge, and half of them will walk right off of it.

Re:CBRN != Cyber (2)

Anonymous Coward | more than 14 years ago | (#1640517)

Here in the US, there is currently a roundup going on of a fairly major criminal organization of people who made their living by computer crime. They cracked virtually every phone company's record system, for instance, and sold calling card information for $2 a card. They played games with the FBI's computers, redirected phone bills (the FBI got a $200,000 phone bill for a dial-a-porn service), and the like. They were selling info from the FBI's criminal data base to the Sicilian mafia. They had also wandered through virtually all of our major public utilities, major corporations, etc.

These individuals lacked directed leadership, and generally had second class equipment--they were basically a bunch of losers who found something interesting to them to do, and a way to make a living. They are reputed to have been in a position to take out our power grid, shut down our phone service, and mess with a lot of other things (water here, natural gas there) we need every day to maintain a civilized existence. Given a lot of the things we have learned preparing for Y2K problems, this could potentially be very serious (e.g., although the nuclear reactors themselves are very secure, loss of circulation of coolant to many spent fuel recovery ponds could potentially lead to a Chernobyl type of event after a week or so, and these were not backed up and secure).

Our infrastructure will never be secure without wide availability of the type of strong encryption our government is dead set against us having. Anything which is networked is insecure (as our government recognizes in its security protocols), but insisting that phone companies, utilities, etc., keep their files secure by encryption would not only save them a ton of money they lose to fraud every year, but would go a long way towards placing their infrastructure systems beyond the reach of attack by any but the best equipped of nations. I.e., if instead of a $600 used computer and a $50 modem to gain access through some unguarded side door on another system, you need an additional miniature NSA to work on the encrypted files you find inside, then you have placed the game beyond the reach of the sociopath next door and made it a game for sociopaths running nations. There are resources sufficient to watch the other nations of the world, but the Oklahoma City bombing (for instance) showed you cannot catch all the local nuts in time.

I would not waste a nuke (1)

Jimhotep (29230) | more than 14 years ago | (#1640518)

If I had 1 nuke to work with, I'd put it in a plane and EMP Washington.

Lots of cheaper ways to kill people.

Where's the evidence? (2)

attila_the_pun (40379) | more than 14 years ago | (#1640519)

The article starts with the assertion that CyberWarfare is an accepted fact. The evidence for this seems to consist of a few web pages being replaced with propaganda and a physical attack by the LTTE on telecommunications facilities. Neither of these count for much as CyberWarfare. Changing web pages does not cause significant disruption and bombing telecommunication facilities has been a feature of warfare since before the internet.

Cyberwarfare/cyberterrorism is usually taken to mean causing disruption of communications or physical damage using electronic means. This article presents no evidence of either. There is a risk, but don't get carried away in the hype.

Re:Here's a good opportunity .. I agree. (0)

Anonymous Coward | more than 14 years ago | (#1640540)

It's time to tell people that hackers are people that use what is available to them via other software, and make their own changes to 'hack' into systems. And crackers are people who bust software protection, run password attackers, which they often 'hack' to their specific needs.

Might also want to point out that when a web site is hacked, it is just like any other college hack. Most infamous is when they turned that one building into R2D2. Now THAT was done by some truly awesome hackers.

Coders are still the worst, people who write their own, instead of hacking other peoples.

Some comments (2)

Gleef (86) | more than 14 years ago | (#1640541)

In the article, Jane's discounts the benefits of state sponsorship to cyberterrorism, since tools are commonly available. This is misguided.

Most of the recorded cyberterrorist attacks have been either defacement of a website, or crashing a system on the internet. I would call this the "car bomb" level of cyberterrorism. It causes a little mayhem, gets a little publicity, but doesn't make a big wave in the scheme of things.

A cyberterrorist can do a lot more with a full scale infiltration of a key system. Assuming social engineering [netmeg.net] doesn't work to get sufficient access, crypto might be required to ensure access. That requires a lot of CPU time, something a terrorist organization won't have without help from the big boys.

Lastly, if the goal of a cyberterrorist is to disrupt electronic systems, there's nothing that does it better than an EMP. "EMP Guns", that is a portable device that can produce a localized or directed EMP without human or property damage, are a persistent urban legend that clearly has some kernel in fact. With over the counter hardware, you can build a HERF gun [slashdot.org] able to produce a trivial EMP. Is it that far fetched to think that the big governments have the technology to do better than that, considering they've been researching EMP for the past three decades? One could possibly find its way into the hands of terrorists. The midwest militias seem to be very proficient at obtaining US military hardware.

Regardless, it's not an urban myth that an airburst nuclear weapon can produce a substantial EMP with little human or property damage. In fact, here's some congressional testimony detailing this [fas.org] . The biggest problem facing a terrorist who wants a nuclear weapon isn't figuring out how to build it, it's obtaining the fissionable material. Here again, government sponsorship of a terrorist organization could become key. China has shown itself very willing to supply governments that might sponsor terrorists with nuclear materials.

A terrorist with a nuclear weapon might well decide that a country-wide EMP would be a better use of it than blowing up a piece of a city. It would be easy to implement too, just place the weapon on an airplane and time it properly.

In all, cyberterrorism is in its infancy, and in order to determine an appropriate response to or defence against it, you need to look at what's possible, and not what has happened so far.

It's also worth noting that the FBI's requests for additional computer tapping rights and restrictions on encryption "to protect against terrorism" would not do anything against such a terrorist. Any computer savvy terrorist will use strong encryption (easily available on foreign websites), and communicate on a server that is in a country where the US would have enforcement problems. The FBI's requests do not defend against either of these.

----

no such thing as cyberterrorism (0)

Anonymous Coward | more than 14 years ago | (#1640542)

No such thing as cyberterrorism. If the power goes out, I'm not 'terrified.' If my cell phone dies, I'm not 'terrified.' If someone hacks a web site and changes the content, I'm not 'terrified.' Isn't that sort of the idea of 'terror'-ists? Kind of hard to make a shocking political statement if one only annoys people. Is the blue screen of death cyberterrorism? ;-)

Problems with the Article (1)

HerbieTMac (17830) | more than 14 years ago | (#1640543)

In this article, Mr. Sinai purports to set down minimum requirements for a terrorist organization to acquire the capability to perpetrate wide-spread, disrupting cyberterrorism. We should first make a distinction that Mr. Sinai neglects: physical vs. non.

For many reasons, non-physical, cyber attacks on an IT infrastructure are likely to fail or fall far short of causing chaos or damage. First, such an attack would need to exploit a security hole prevalent throughout the network or located in a key area such as a router. For this, information acquired over the internet, because it is common knowledge to the manufacturer of the intended target as well as to the terrorist, becomes useless. The cyberterrorist would need to discover the security hole themselves and exploit it quickly and correctly before the manufacturer has a chance to close the hole. Judging by the industry response to such attacks as the 'ping-of-death,' potential terrorists would have approximately 24-48 from the time they initiated their attack to bring down their target before a patch is released that would subvert their efforts.

Second, in the world today, large security holes (the ones that would allow you to damage a network) are hard to find. Most holes are exposed by accident (i.e. the internet 'worm') or are found and fixed by the manufacturer before a product is shipped. This means that even with the smartest people in the industry working as cyberterrorists, their chances of success are minimal when pitted against the combined power of an entire industry.

The physical attacks on IT infrastructure are much more likely. This would include things like destroying routers, cutting backbones, etc. The cheapest, most effective way for a cyberterrorist to inflict chaos on the US internet would be to use 2-3 conventional bombs in Chicago, St. Louis and Austin, taking out MCI and SprintLink hubs, causing a massive re-routing of information over inferior lines and thereby effectively killing the network through overload. Or perhaps save the bombs to take out the satellite communication relay centers and simply use a backhoe to clip the backbones which crisscross the US.

The other mistake that Mr. Sinai makes is in setting the requirements for an attack by cyberterrorists. The external hurdles mentioned include: "acquisition of the necessary technologies, cooperation by foreign suppliers, creation of a logistics network for acquisition and deployment, obtaining state sponsorship, and also detection, penetration, and deterrence by foreign intelligence and counter terrorism agencies." In the non-physical realm, very little other than time is required. Computers can be purchased by anyone for a petty sum of money. Internet connections are not hard to come by. All told, a cyberterrorist could, for a few thousand dollars, set up a complete base from which to work from within the US in little under a week. A physical attack, while requiring more planning, is just as easy to carry out, again without a large capital outlay. Small bombs can be created by almost anyone and renting a backhoe does not require proof of citizenship or intent. All that is required is the information about the location of the targets. This can be easily obtained from county planners' offices, gas companies, electric companies; anyone who digs will know where the off-limits lines lie.

For none of the above attacks is state sponsorship a requirement. It could be perpetrated by a single individual with a few thousand dollars. Moreover, this type of terrorism is not susceptible to conventional counter terrorism efforts. Terrorists can operate in a closed environment, testing their methods on their own dummy network before releasing it upon the general population. In addition, there is nothing to say that a computer could not be set to run a script itself, giving human perpetrators plenty of time to distance themselves from a crime scene.

Due to the conventional nature of physical terrorist attacks, I would dispute Mr. Sinai's conclusion that through correlation of factors and hurdles, one could predict which group would embark on cyberterrorism. Without doubt, it will be a non-technically oriented group which reads an article saying that Internet traffic was cut accidentally for half the nation by a farmer digging a new ditch.

Physical attack on communications infrastructure (0)

Anonymous Coward | more than 14 years ago | (#1640544)

The article ignores physical attacks on our communications infrastructure... Anyone with a railroad map can do significant damage to the communications network in the United States. Most of the fiber that has been installed follows the railroad lines across bridges and is buried less than six feet. There are plenty of remote areas where a train schedule would make it unlikely that someone would observe a terrorist planting timed explosives on these vital communications lines. The financial impact of a systematic attack would be devastating because companies are becoming more dependent on communications across these lines. In many cases you might as well send your employees home if they cannot use their computers to modify/view data off of remote servers. Ask a question: What would I do if I can't get to my ATM for a week?

part two: answers to the questions (2)

CormacJ (64984) | more than 14 years ago | (#1640545)

Can a recovery be made from such attacks?

Unless the machine is physically destroyed, and assuming that you are efficient about your off-line backup storage, a recovery is always possible. Curing the holes takes longer, but a good admin is always able to do something that fixes problems.


Is it likely to improve/get worse?

My belief is that things will stay pretty much static. As attack methods get more esoteric, the security methods used become more complex as a result. The number of attacks will always increase in line with the number of people using computer systems.


What sort of preventative work would you recommend them to carry out?

Really important machines should be on a private network and no computer system that has access to this network should have access to any other network.
Less important machines should be set up to use only the bare minimum of resources to lessen the chance that some module is vulnerable to attack.
Regular audits and checksum comparison of code is always a good idea.
Regular user audits are needed too. Any user that's not recognised by a staff member is suspect. Any user that you don't have paperwork (not computer files) on is suspect.
Regular reading of security/bugtraq lists is always a good idea too. If you have a piece of software that appears on these as vulnerable, apply a patch within hours or less.

Good security is easy to do, but harder to maintain, and no matter how many levels of security you have, one moment of stupidity always can break all the security you have, so be very careful about what you install, and code audit if you have to.

my comments (1)

hany (3601) | more than 14 years ago | (#1640546)

While I will have more comments, I will split them into more pieces by replying to this comment :)

Using CT (2)

Q*bert (2134) | more than 14 years ago | (#1640547)

Using CT, how easy or otherwise is it to bring down or attack vital systems?

I have found that CmdrTaco can bring down almost any system with ease, given a Perl interpreter and a mod_perl enabled Web server.
Beer recipe: free! #Source
Cold pints: $2 #Product

To answer your questions... (1)

JimStoner (93831) | more than 14 years ago | (#1640548)

Using CT, how easy or otherwise is it to bring down or attack vital systems?
Varies from easy to impossible, depending on:

  • The level of system security
  • The attacker's knowledge and desired result

An administrator can only control the level of system security. Therefore they should prepare as per their required level of security.

What sort of skills would be needed to do so, and are they common/teachable?
Again this varies depending on what you wish to achieve. Runs from:

  • Lowest levels: An ability to browse the web and follow instructions.
  • Highest levels: Years of experience.

Commercial-off-the-shelf software: can it really do CT?
Not if Microsoft wrote it *smiles*. Seriously though, I don't personally know of any commercial hacking software. I take commercially to mean "available and useable by my Dad". It would make for an interesting office assistant though.

Which systems are actually attackable?
In theory, the possibility of infiltration exists for any network connected to the rest of the world**. Of course this probability can be prohibitively small.
** - This is why networks requiring high security generally have an airgap between them and the rest of the world. They also have sealed off buildings and men with guns. Think CIA. Think extreme prejudice.

Can a recovery be made from such attacks?
The level of damage can run from none through to complete wiping of the entire system. The chance for recovery is inversely proportional!

Is it likely to improve/get worse?
I think it will get worse.

What sort of preventative work would you recommend them to carry out?
The following:

Assume the worst is possible, and plan and setup your system accordingly. If it is important back it up. If it is secret don't put it on a "public" system. Follow those easily obtainable instructions on basic security that you usually never get around to. Lock down the users. Take it seriously. BUT don't buy jack boots, a bright lamp, and start saying "I vil ask ze questions". Well at least not for work anyway *smiles*.

Ask, listen to, then TRUST whitehat hackers.

Raise your awareness. Start reading slashdot?

CT, the totally non-definitive answer (2)

jd (1658) | more than 14 years ago | (#1640549)

I'll answer the questions in the order they're given.

1. Depends on the system. Anything computer-controlled, where the controlling system is networked, it's likely to be easy. Security is often neglected, or a last-minute consideration.

2. The skills are basically the same for system admin, and are not only teachable, they're common. That's why system admins are paid amongst the lowest salaries in the computer industry. They're a dime a dozen.

3. Doesn't even have to be COTS. The "SATAN" program caused a huge stir, when it was released. But, yes, there are plenty of COTS packages which could be used for CT.

4. Any system that is both physically AND logically on a virtual public network is vulnerable to CT across that network. (Mere physical connection is not enough. If the s/w rejects everything sent to it, it is effectively not there. Also, you can have multiple virtual public networks on the same physical network, none of which interact.)

5. Yes. If you have HA, some kind of intrusion detection, and automatic restore, then you can just fail-over everything but the connection, restore the compromised system, and continue.

6. It's likely to get worse. As computers become increasingly wide-spread, and as civil dissatisfaction increases, the problem is likely to escalate. There is likely to be a spike of CT around the year 2000, as doomsday cults try to create their scenarios, and other groups try to take advantage of the psychological issues surrounding Y2K.

7. There are a great many things you can do to secure your systems against CT. Here are some that I'd recommend as worth doing:

  • Firewall your network. PROPERLY! Sieves are for the kitchen.
  • Install IPSEC or SKIP on critical or highly confidential networks.
  • Ban telnet and .rhost files. If you need terminal connections, use SSH or Kerberos.
  • Enforce strong passwords, and install the shadow password kit and the mcrypt library.
  • Portscan servers AND clients for vulnerabilities on a regular basis.
  • If you are connecting two or more centers together over a public network (such as the Internet), use a non-standard protocol (such as IPv6) at the very least - if you can connect to the other centre, so can someone else. A non-standard protocol makes this considerably more complex.
  • Encrypt filesystems! This is a must, especially for networks with sensitive data.
  • Tripwire your system, to detect for altered programs.
  • Monitor connections with public networks for signs of portscanning.
  • Monitor login attempts and points-of-origin, for evidence of hackers.
  • Check CERT regularly for security bulletins and advisories. ACT ON THESE! If an advisory exists, be aware that this means there's a good chance someone knows how to take advantage of it.
  • Install tcpwrappers and deny access to all hosts to all services. Specifically enable access to any service, by name and requestor.
  • Check file permissions, to ensure that people can only access what they're supposed to.
  • Never, EVER, run a service as "root", unless you have to. And if you do, find an alternative that doesn't need this.
  • If a system is known to be vulnerable to attack (eg: Windows NT), don't put it somewhere where attacks can reach it.
  • Don't be afraid of using proxies. If your corporate web server needs to be accessed by the outside world, stick a proxy on the outside and relay everything through the firewall. Your data will thank you for it. If necessary, use a double proxy (one on the firewall itself, eg: SOCKS) and one on the outside (eg: Squid). It won't hurt your image, and you're not a wimp if you do this, but not even the best cracker can deface a web page they can't reach.
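CormacJ's "checksum comparison of code" and jd's "Tripwire your system, to detect for altered programs" describe the same control: record a baseline of file hashes while the system is known-good, keep that baseline somewhere the attacker cannot reach, and diff the live system against it on a schedule. The following is an added example, not any commenter's code and not Tripwire itself; the directory layout and file contents it checks are constructed in a temporary directory so it runs offline.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 65536


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record hash, permission bits and size for every regular file.

    Symlinks are skipped deliberately: hashing their target would let an attacker
    point a link at an unchanged file to hide a swapped binary.
    Keys are POSIX-style paths relative to `root` so a baseline taken on one
    mount point can be compared against a restored copy elsewhere.
    """
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o7777),  # catches setuid/permission tampering
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added or removed relative to the baseline.

    A change in hash, mode or size all count as 'modified'; a new file in a
    directory of binaries is reported too, since a dropped backdoor is as
    interesting as a replaced login program.
    """
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Serialize the baseline; in practice write it to read-only or off-line media."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.\n")

        # Baseline taken while the system is trusted, stored outside the tree.
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated tampering: replaced binary, dropped file, deleted access control.
        (root / "bin" / "login").write_bytes(b"trojaned login binary")
        (root / "bin" / "backdoor").write_bytes(b"new executable")
        (root / "etc" / "hosts.allow").unlink()

        # Exclude the baseline file itself from the live scan.
        live = {k: v for k, v in build_baseline(root).items() if k != "baseline.json"}
        return compare(load_baseline(store), live)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline is only as trustworthy as its storage: if the attacker can rewrite `baseline.json` after replacing `bin/login`, the comparison reports nothing, which is why the commenters pair this check with off-line storage and regular audits.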

Re:skills needed, difficulty, random thoughts (1)

Anonymous Coward | more than 14 years ago | (#1640551)

The skills needed can easily be taught. I knew a guy in college who went from computer idiocy to cracking proficiency in about a year. He silently watched us talk about how things could be exploited (we were always too afraid to try it, in fear of getting kicked out of school) or watch us use IRC as a tool to manipulate people, and before we knew it he had amassed a large toolbox of effective utilities to use against systems. Thankfully his intentions were nothing more than a prankster's so no real damage was done to anyone, but others that he was loosely associated with ended up coming under federal scrutiny for their acts. Most of these people could barely log into a UNIX machine when I met them.

Re:Anyone know... (1)

Nass (96235) | more than 14 years ago | (#1640553)

Hi, The name 'Jane's' comes from Fred T. Jane, an eccentric Englishman who started a sketchbook of warships, which he called "Ironclads of the World." More at http://www.janes.com/company/about/about_home.html Regards, Johan J Ingles-le Nobel, Jane's, England.

CT does not need to be mass destructive. (1)

kevlar (13509) | more than 14 years ago | (#1640578)

One thing this article states is that Cyber-Terrorism is on a mass scale where it affects a large group of people, and possibly produces fatalities. Although the threat of fatalities may be far-fetched, affecting large numbers of people is not.

Every day, more and more people are relying on the net to communicate information and do tasks. The most vulnerable I've come to think is online stock trading. Companies like E*Trade and Ameritrade are booming from their $8/trade deals. As more people rely on such systems and become confident in them, they move their entire day-trading portfolio out of mere convenience and to save money. What then would happen if a single person (because that is all it takes) was able to shut down the computer systems of such a company for 1 week? At its current state, it would most likely have an effect only on its own share value. What if they became the normal means to trade stock? The effects could be temporarily devastating, instilling panic in many. This situation is made possible because online trading is done via insecure online networks. Cryptography secures that your data is not readable except to those who have extremely powerful machines and mathematicians (No Such Agency), but nothing protects these machines that are handling the online trading with the exception of routers and switches. Not only do such firewalls have vulnerabilities, but they still need to leave a globally accessible port open for anyone to take advantage of (whether legitimate or otherwise). The point here is: Why are we putting systems like this on an internet with known security holes if the pitfall is potentially huge? Military websites hacked by script-kiddies, who cares, that's placed where everyone knows it's vulnerable. Major computer systems that have a direct effect on our country's financial systems on such a network? That seems like blasphemy.

Any system can fall victim to a denial of service attack. These attacks can also be traced (over time) and be filtered or terminated. Someone cracking a system through unknown means however, nobody knows if that is 100% detectable.

From the Trenches (1)

meersan (26609) | more than 14 years ago | (#1640579)

As someone with a glancing familiarity with the field, I think it's important to note that cyberterrorism is a vastly different thing than your run-of-the-mill cracking. First of all, most cracking involves relatively unknowledgeable hackers ("script kiddies") using easily downloadable programs and tools. Think of a kid walking down a hallway, testing doorknobs to see what opens. In general, vulnerabilities for which automated attack programs exist also have patches and fixes available. So, if you have anything important on your systems (such as classified or competitively sensitive information), you will make sure you load those patches -- the equivalent of locking your door. You will also think twice before connecting that system to an external network. When the attacker has a great deal of technological prowess, you will more likely be facing a new vulnerability for which there is no countermeasure. In these cases, your data archival/retrieval programs earn the money you paid for them.

Cyberterrorists are much more likely to possess the in-depth computer skills needed to cause tremendous damage. They have the motivation to study your particular system to analyze it for weaknesses, and the will to exploit them. In general, critical systems are well-protected. One notorious area of poor computer security is hospitals and research labs; this is mainly because these institutions are primarily staffed by scientists with little to no interest in protecting information. When your main concern is sharing data and results, infosec takes a back seat to your mission -- publishing and collaborating. As Machiavelli would say, if someone wants to kill you badly enough, you can be gotten. Every system has weaknesses. If someone wants to crack you badly enough, they'll succeed.

Skills necessary for conducting a destructive and deadly campaign of cyberterrorism are uncommon. In my opinion, this requires an in-depth knowledge of operating systems, internet protocols, encryption, and information security. Such knowledge is more common in highly-educated individuals educated in the U.S. and western Europe, though someone with enough intelligence and time might pick it up without formal schooling. For the easily defendable automated attacks, little knowledge is required past a rudimentary "click here" overview.

In general, we classify threats to computer systems in four major divisions, internal/external and structured/unstructured. Cyberterrorism would be classified as a structured threat.

External Threats
Unstructured attacks are relatively organized. These are your midnight bedroom crackers, usually exploiting common vulnerabilities. It could be a single cracker, or a loosely knit group.
Structured attacks are generally goal-oriented and organized. They target sensitive technical data, proprietary data, military data, and financial information. These are technically sophisticated -- not your ordinary script kiddie. Structured threats are well organized and funded, as you would find with a terrorist organization. They could be fronted by foreign government intelligences, or by competing companies.

Internal threats come from employees or other elements within an organization. Structured attacks would most likely involve extortion or fraud; unstructured attacks might feature a disgruntled programmer installing a backdoor into a system. Internal threats have historically been the most prolific, though with the advent of the web and the necessity of external connectivity, more and more companies have become vulnerable to external threats.

The United States has been extremely fortunate thus far. Because so many of our critical systems are computer-dependent, we present the #1 target for cyberterrorism. Can you imagine the effect of the Melissa virus with a deadly payload? Thousands of systems crippled, many with no backups available. The surprise was not that Melissa was so virulent but that it was so harmless. Imagine a version which would allow itself to spread silently, triggering on a certain date. The ability for terrorists to blackmail and extort would be enormous.

My point is that all systems are vulnerable -- do the best you can and have a backup ready.

Some ways to close the "cracks" in a system (1)

Felinoid (16872) | more than 14 years ago | (#1640580)

Your best bet is to work with an operating system your familure with. A lot of people prefer Linux in this mannor as it is easyer to get to know the internals of Linux just by looking at the source code. This dosn't mean Linux is the best choice but that it's the best choice for a lot of people.
Clearly a person familure with the internal behavure of Windows NT would be better off. The problem being it is hard to get your hands on such information. While a cracker CAN do the research and get the information if you don't allready know the security defects a cracker may discover then your lunch.

A different tactic is security by obscurity. This isn't 100% perfect since the art of cracking is 90% research, so all they need is to uncover what you're using and the defects you don't know about.
Obscurity and limited access is a better tactic.
By using a Mac or a DOS system instead of a Windows or Unix system you get obscurity and limited access.
Mac and DOS are not server operating systems and as such you don't have to worry about preinstalled internet services you don't use, since the only services that exist are the ones you personally install. The biggest security holes come from neglected services and incompatible services.
With Mac you need only make sure what you install isn't installed in a way that leaves open a back door or doesn't interact with something else you installed to create a back door.
DOS makes this whole process even easier as DOS only runs one task. Since the package you're using is the only program running you don't have to worry about a program creating a back door. You still have to install the service correctly to prevent a random cracker from doing something like accessing a service that someone forgot to give a password or protect from the outside world.
Ohh I forgot, DOS "door" programs can also be a problem. If the main program passes control off to another program you have to be sure THAT program is aware of its position. Some DOS programs allow users to "shell to DOS", creating HUGE back doors just by using a DOS program online that was not made to be used online. This same problem shows up whenever you use a program to handle internet services that was made with cute features, not expecting the program would be used for remote or automated services.

The biggest worry of all is the author's personal back door. Again, research is 90% of the cracker game and these back doors do not remain secret forever.
Sadly obscurity is actually counterproductive here since an obscure package hasn't been looked over like well known packages, so these back doors can remain unknown to the majority for years.
With a closed source solution you may use a hex editor to look over the program and see if you can find any secret passwords or anything unusual. Doubtlessly a cracker would do the same.
With open source you should look over the source code. It's easier to find a backdoor in source code than in binaries. But be careful with binaries and source code: the author will at least try to hide his backdoor from prying eyes, so a careful inspection is needed if you're going to find a backdoor.
With binaries you can hope that if you can't find it neither can a cracker, but remember some crafty crackers can read binary. The good news is most crackers aren't crafty or even that good.
The best bet against crackers is to keep an eye on the system.
I got most of my understanding of crackers from being a BBS System Operator or SysOp. The hobby version of being a System Admin :)
I caught most of my crackers just by watching the screen when I was bored.

I guess it boils down to: the less that's involved the easier it gets, and the more effort put into securing the system the better. Know the software that is involved and remove anything you won't be using.

BTW I'm not a security expert, I'm an incredible simulation :) Just an ex-SysOp during a time when every 15 year old kid wanted to be a "cool hacker".
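The post above suggests going over a closed-source package with a hex editor looking for secret passwords. The following is an added example, not code from the original post or from any package it mentions: a small strings-style scanner that pulls printable runs out of a binary and flags the ones that sit next to a suspicious marker or look like a random key. The sample blob, the marker list and the entropy threshold are assumptions made for this example; the same pass on a real binary is a starting point, and each hit still has to be traced to where the program uses it.

```python
"""Added example: hunt for embedded credentials and maintenance back doors
in a binary blob. The sample bytes below are constructed for this example."""
import math
import re

MIN_LEN = 6  # shorter runs are mostly opcode bytes that happen to be printable

# Substrings that often sit next to a hard-coded secret. Assumption: a
# starting list for this example, not an exhaustive one.
SUSPECT_MARKERS = ("passw", "secret", "backdoor", "debug", "master", "override", "/bin/sh")


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Yield (offset, text) for every run of printable ASCII of at least min_len bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens (keys, hashes) score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(text: str):
    """Return a reason string if the run looks interesting, else None."""
    low = text.lower()
    for marker in SUSPECT_MARKERS:
        if marker in low:
            return f"marker:{marker}"
    # A single token without spaces and with high entropy is a candidate key/hash.
    if " " not in text and len(text) >= 16 and shannon_entropy(text) > 3.5:
        return "high-entropy"
    return None


def scan(blob: bytes):
    """Return a list of (offset, text, reason) for suspicious strings, in file order."""
    hits = []
    for off, text in extract_strings(blob):
        reason = classify(text)
        if reason:
            hits.append((off, text, reason))
    return hits


# Constructed sample "binary": an ELF-looking header, some machine-code-like
# bytes, and a few embedded strings including a maintenance password.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Usage: doorsrv [port]\x00"
    + b"\x48\x89\xe5\x48\x83\xec\x18"
    + b"backdoor_pw=Sw0rdf1sh!\x00"
    + b"\xc3\x90\x90\x0f\x05"
    + b"/bin/sh\x00-c\x00"
    + b"A9f3kQ7zLm2xP8wR4tY6\x00"
    + b"Copyright 1999 Example BBS Software\x00"
)

if __name__ == "__main__":
    for off, text, reason in scan(SAMPLE_BLOB):
        print(f"0x{off:06x}  {reason:14s} {text}")
```

Run on the constructed blob this reports the `backdoor_pw=` string, the `/bin/sh` string (a sign the program can spawn a shell, which is exactly the "shell to DOS" problem the post describes) and the random-looking token, and stays quiet on the usage and copyright text. The entropy check is what catches a key that has no helpful label next to it.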

This is not an article on "CT". (1)

-dsr- (6188) | more than 14 years ago | (#1640581)

This is going to be long. Bear with me.


This article is not about information warfare. It's about atomic/biological/chemical warfare, and has subsequently had the word "Cyber" inserted early and often.


Let me attempt to address the editor's questions:

  • Using CT, how easy or otherwise is it to bring down or attack vital systems? First you will have to note that every organization has its own definition of "vital systems". An attack on email servers at any of the larger corporations could cost millions in repair work and lost productivity; turning off electricity for an entire grid could cost millions and kill hundreds.
    The common view is that most utility companies are relatively undefended, relying on obscurity rather than security. If your vital systems are already exposed, you are at the mercy of every script-kiddy on the planet.
  • What sort of skills would be needed to do so, and are they common/teachable? The minimum skill-set needed to be a script-kiddy is the ability to read English and follow directions. To launch a sophisticated attack against a hardened target, you'll need some imagination, some raw native talent, and 3-4 years of practice in C, C++, Perl, general UNIX and NT systems administration, and a lot of free time. Chances are there's a college-dropout in your town with all of these prerequisites.
  • Commercial-off-the-shelf software: can it really do CT? That's an odd question. Do you mean, is there a Microsoft CyberTerrorist package, all shrinkwrapped and with a nice GUI that will let you select attacks off a menu and point them at targets? Not commercial, no, but that's because setting up shop and doing it commercially exposes you too much. You can put together a set of tools and scripts to analyze a target and probe for weaknesses, but you still need that reasonably clever human to interpret the results and supply the right insights.
  • Which systems are actually attackable? All nontrivial systems can be attacked. A sufficiently determined and patient attacker, working against an unprepared target, will usually succeed.
  • Can a recovery be made from such attacks? It depends on what damage is done. If you have hooked all of your hospital monitoring equipment to a set of NT servers that centrally control the systems, the damage will be counted in human lives - not something I'd call recoverable. If you make regular offsite backups and practice recovery scenarios, you'll probably survive the loss of your accounting and inventory databases and be back in business in a few days.
  • Is it likely to improve/get worse? Security is a compromise between ease of use and protection from attack. Open Source software presents the opportunity for peer review and communal bug-checking, traits which are accepted practice in the cryptography community. Once you have bug-free software, you then have to ensure that it is used in the right way -- and that is nigh impossible. As software environments grow more complex, the opportunity for misuse increases.
  • What sort of preventative work would you recommend them to carry out? Every organization should have a realistic security policy. Those policies are highly customized affairs, and reflect the needs and priorities of each org. All-purpose advice is useless.

Re:Hackneyed alarmism (1)

Nass (96235) | more than 14 years ago | (#1640582)

Ditto.

Johan.

Re:Why would there be anti-state groups? (0)

Anonymous Coward | more than 14 years ago | (#1640583)

(flamebait)
Wow, a real anarchist. Anybody got a magnifying glass to study this remarkable specimen with?
(/flamebait)

security teams own worst enemy (2)

Anonymous Coward | more than 14 years ago | (#1640584)

In many ways, the security teams are their own worst enemies.

A few years ago I was an on-site contractor for NOAA, and we were deploying a prototype system at another federal agency which provides a critical service. (For obvious reasons I won't provide further details in this forum.) For some reason we needed to access the prototype system, and we knew that our computer was on their network but they had moved it from the initial IP address for some reason and hadn't told us its new address. They also changed the name for some unknown reason. (This wasn't related to security; it felt much more like a low-level pissing contest between the two agencies.)

We *really* needed to access that computer, and most people had already gone home from both sites, so I pinged all of the addresses in the subnet and attempted to telnet to each responsive address in turn. Within half an hour or so I found our lost sheep, fixed some files, and the government employee who asked for my help went home happy.

Unfortunately I had a problem. I discovered that they had their router on one of the ports, with absolutely no password. Anyone who discovered this IP address could change a few numbers and take down this site and possibly a second site. If it happened at the right time it could easily make the national news. I reported my discovery to the only network person still around, and he was clearly agitated by the perceived dilemma of needing to report this to the proper security group and the expected pain of the subsequent inquisition and torture. The fact that this was at a sister agency clearly didn't help his mood.

I don't know if the reputation was warranted, or if he was ever subsequently contacted in any way. I know that some subsequent comments about my "hacking" skills were grossly unwarranted. I do know that the reputation of the security team was such that most security breaches will go unreported out of the fear that the investigation will focus on how the person learned about the breach, not the breach itself.

(Sidenote for _Janes_: many geeks will immediately recognize this as a concrete example of Hagbard Celine's observations in the Illuminatus Trilogy. People with (perceived) power tend to see only what the people under them think they want to see. This makes it difficult to impossible to get an accurate view of your current state from within the organization. I think CT is a very real possibility, but I am also extremely skeptical that anyone above a GS-12 has the faintest clue where the real threats lie.)

(If I had to pick one thing to start with, I would focus on Melissa. I'm sure every potential cyberterrorist noted how quickly Melissa took down large corporations and is wondering what would happen if it carried a malicious payload. Trivial example: what would happen if every Melissa victim started to ping www.victim.mil? Why do the same people who readily recall the Morris Internet Worm (which quickly resulted in significant changes in the Unix infrastructure to prevent a recurrence) remain silent despite a pandemic of Microsoft Macro Viruses?)

Bear Giles (bgiles@coyotesong.com)

31337 hAx0r dOoDz (4)

Lord Kano (13027) | more than 14 years ago | (#1640587)

Skill doesn't cost very much in terms of money to acquire.

The people who can bring down systems are the same people needed to protect them. It's in a way kind of like the wild west, but there are no black hats and white hats only dark and light grey.

The difference between a hacker, and a cracker is what they do with their skills. One man with a rifle is a hunter, another man with an identical rifle is a murderer. What you do is more important than what you are capable of doing.

6 months from now when the l0p (Lords of Pudding) cracks Jello's web site for publicity it won't be a well funded attack. It'll be a couple of rinky dink high school kids who allowed their talent to be used for non-productive ends.

Hacking has nothing to do with who's the best funded. It's about getting done what you need to get done no matter how you need to do it.

I'm sure that every hacker here has done some things that at least border on cracking at one time or another. Not that there was necessarily any malicious intent, it's just doing what needs to get done.

It's the script kiddies who've (at least in recent years) given us a bad name. It's the assholes WhO TyP3 3v3rY7hiNg LiK3 7hIs who make us look like a bunch of pimple faced rejects before the masses.

One thing that makes many hackers fertile recruiting ground is the total lack of respect for the ability and value of a good hacker. When a hacker has to stand by and watch a brainless marketing suit make millions for sitting around and thinking up crap like "Got Milk?" and "Think Different" it can make him want to make an undeniable statement and force people to recognize him. Also, how many of us would be willing to pass up a pile of cash if someone offered it in exchange for getting access to Company X's financial records?

I've never caused any damage to any company's computer systems, just like the vast majority of my fellow slashdotters, but in a materialistic society how many of us would pass up the chance to make big pay checks if we did?

LK

Just how easy (2)

GoNINzo (32266) | more than 14 years ago | (#1640589)

Okay, because I don't feel anyone has addressed these issues separately, or treated this as something that will get published (even if they don't differentiate between CBRN and IS machines), I feel it necessary to write up a short bit on each of these points. Feel free to flame me if you disagree, but I don't feel they are getting what they asked for.

  • Using CT, how easy or otherwise is it to bring down or attack vital systems?

    It really depends on how the system was devised. There are a couple of factors here: a who is attacking, a why, and a how.

    There has been a recent proliferation of machines that are 'automagic', where the user plugs the machine in, and it works. As this becomes more common-place, there will be more attacks of the 'script-kiddie' mentality. These are the more common-place, and usually more destructive attacks. A good example would be the Cold-Fusion exploit released not too long ago. It was written up into a nice package that someone could give to a 13 year old kid. That 13 year old could go burn down a machine in some place he's never heard of, and he wouldn't care. Someone who researched this exploit might actually have some ethics about destroying someone else's virtual property.

    Then there is the why question. In the beginning, cracking was mostly used as an 'I was interested in how it worked' explanation. In the future, I think we will see more infiltration attacks, where people just want to get onto the system to listen, gather, and disseminate information. This could be to gather personal information, financial information, share a virus, or to expose your political views. The system will continue to work, but in an incorrect manner. As these become more sophisticated, I think they will become harder to detect. It's only when we relax our guard that we get hurt by an attack.

    Then there is a how. The discussion of potentially harmful weapon systems is a matter of exposure. Networking is a useful thing, but think of it in another light. You have a gun cabinet in your office, forget why, but would you really want this exposed? So you put it behind a secret door; only certain people know how to go up and press on the door in the right way to open it. But someone visiting might press all your walls in several ways, and still find it. Security via obscurity does not work. So you put a master lock on it. However, a nice pair of bolt cutters work quickly. So you put it in a true safe, making it difficult to get to. People complain, so you are forced to make the combination something simple like '1 2 3'. This again, breaks the system. You run into the common brick wall of security versus ease of use. As our society seems centered on easing our lives, we tend to focus more on the ease of use. A good example is the web forms out on the web, to make our lives easier, but they could also break our security policy.

    So you are looking at more information being distributed, it is becoming easier to find this information to infiltrate a host, and we are moving towards a looser definition of necessary security. Is it easy to attack systems? Yes, and it's becoming easier all the time.

  • What sort of skills would be needed to do so, and are they common/teachable?

    Many of the skills can be learned from reading on the web. Most are commonly found out. But the most useful are taught in a student/mentor relationship. While root exploits can now be thought of as easier to figure out on your own, it usually takes an experienced person to point the newbie in the right direction, to wade through the bullshit. As we migrate to a more networked environment, these requirements will become less, and become a more 'click here!' security risk.

  • Commercial-off-the-shelf software: can it really do CT?

    Two issues, the offense versus the defense. As far as products go, COTS will never be as good as what can be obtained by an experienced professional, and all experienced professionals have a cost. Also, would you include COTS to have web-based and free software? Because it's all out there for the taking. Remember that COTS lag behind the speed of the rest of the world, especially security related products. For instance, the ISS security product still checks for certain accounts when trying to check a unix system. However, ISS knows nothing about nmap and its use as a port scanner. (well, last I checked)

    On the defensive side, with proper design COTS can protect your data. Many companies think of security last; it's an afterthought of a 3rd level VP who says 'BTW Bob, is this system secure?' 'No it isn't Ted, You said you didn't want to put in your password on every new screen' 'Well make it secure, mmmkay?' However there are some products that are designed off the shelf with security in mind; these would be more of the unix systems as they have a better chance to mature. Just the fact that there is a root account where a user can do anything they want has to remind the designer not to let people get there. For an example, the BSD security audit that took 10 people a year and a half is what I would consider to be an ideal.

  • Which systems are actually attackable?

    All networked systems are attackable. You must assume that. Just as no fortress can be completely safe, no data can truly be secure. There is a sliding scale of usability versus security, so set your thresholds high.

  • Can a recovery be made from such attacks?

    This is why backups and data integrity plans are a must. Everyone should have a business continuity plan. This can also be associated with an extended cracker attack. If a weapon system is compromised, we will simply have to face the consequences of that weapon being used on ourselves. Some philosopher once stated that man will not be happy until he has devised a weapon that is able to scare even himself.

  • Is it likely to improve/get worse?

    It is most likely going to get only worse, until a light turns on in the mind of software developers that it is bad to have a product that a 13 year old can walk in and take over at any time. Those types of attacks are the true threat in the growing sea of information.

  • What sort of preventitive work would you recommend them to carry out?

    Get the best people you can to manage your systems and your software. The risk of having a new administrator to manage your credit-card-number-heavy network is much higher than the price to find a good administrator. While you can never bank on the security of your software, your security is only as good as your administrator. An aware administrator will be able to fix the major flaws in your security.

Anyway, that's my rant on the article. You'll notice most of this information is just systems best practices, and more general information systems, not weapon systems specific. Mainly because I have not dealt with weapon systems, but you'll find software is the same everywhere. Also, '13 year old kid' could reference any person of human intelligence and inclination, regardless of nationality, religion, and moral vocation.

Feel free to publish any of this. I do work for Collective Technologies [colltech.com], but these are my own opinions.
--
Gonzo Granzeau
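The post above mentions that a COTS scanner "checks for certain accounts" on a unix system, and that the mere existence of a root account should remind the designer not to let people get there. The following is an added example, not code from the post or from the ISS product it names: the account checks such a scanner performs, run over passwd- and shadow-format text. It flags extra UID 0 accounts, accounts whose password field is empty (they log in with no password at all, the case the router story earlier in this thread describes), and well-known service accounts left with a real login shell. The sample files and the service-account list are constructed assumptions for this example.

```python
"""Added example: account audit over constructed /etc/passwd and /etc/shadow
content. Not the original post's code; the sample lines are made up."""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Accounts that ship with many Unix systems and should never be interactive.
# Assumption: a short starting list for this example; a real scanner carries more.
SERVICE_ACCOUNTS = {"daemon", "bin", "sys", "lp", "uucp", "nobody", "ftp", "guest"}


def parse_passwd(text):
    """Map user -> (uid, shell) from passwd-format lines (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue  # malformed line; a real tool would report it
        users[f[0]] = (int(f[2]), f[6])
    return users


def parse_shadow(text):
    """Map user -> password field from shadow-format lines."""
    pw = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) >= 2:
            pw[f[0]] = f[1]
    return pw


def audit_accounts(passwd_text, shadow_text):
    """Return a sorted list of (user, finding) tuples."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for user, (uid, shell) in users.items():
        if uid == 0 and user != "root":
            findings.append((user, "uid 0 but not root"))
        pw = shadow.get(user)
        if pw == "":
            # An empty hash field means "no password required", not "locked".
            findings.append((user, "empty password: logs in with no password"))
        elif pw is None:
            findings.append((user, "no shadow entry"))
        if user in SERVICE_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append((user, f"service account with login shell {shell}"))
    return sorted(findings)


# Constructed sample files for this example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:alt root:/root:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
ftp:x:14:50:FTP:/var/ftp:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$salt$hashedvalue:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
guest::18000:0:99999:7:::
toor:$6$salt$otherhash:18000:0:99999:7:::
bob:$6$salt$bobhash:18000:0:99999:7:::
ftp:*:18000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user:8s} {finding}")
```

On the sample it reports `toor` as a second UID 0 account, `guest` twice (no password, and an interactive shell on a service account) and `ftp` for its shell; `root`, `daemon` and `bob` pass. Reading the real files needs root, which is the point: the scanner has to run with the privilege it is trying to protect.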

Re:Grossly underestimated and wrongly accented (0)

Anonymous Coward | more than 14 years ago | (#1640591)

It is true that few terrorists have the necessary knowledge but this does not mean that they may not hire someone. And this will be cheaper than buying and smuggling explosives and weaponry.

If there are any budding Hacker/Crackers that think they can make some easy money working for terrorists just remember....

They will set down a briefcase full of cash next to your keyboard when you start your crack, and put a bullet in your head when you're done.

Just remember, they are zealots and probably sociopaths, not reasonable men.

doesn't require IT devices (2)

kaisyain (15013) | more than 14 years ago | (#1640598)

whereas cyber terrorism utilizes information technology (IT) devices to inflict mass disruption of an opponent's critical IT infrastructure

Cyber terrorism doesn't (necessarily) utilize IT devices to disrupt critical IT infrastructure. A backhoe to a set of OC-192 circuits works just as well at disrupting critical IT infrastructure. I also wouldn't really categorize social exploits as "utilizing IT devices".

Cyberterrorists... (4)

Hobbex (41473) | more than 14 years ago | (#1640599)

Here's a hint that might help the American government a little in its fight against terrorists:

If there are any cyberterrorists out there, they already have cryptography!

On a more serious note, the article is definitely making a mistake in bunching together Cyber threats and CBRN. They are different (as rde wrote above) in all possible ways except in that they are a relatively new threat. IMHO cyber terrorism is mostly an excuse to harass punks who deface webpages, while CBRN really worries me.

Also, the article loses a lot of credibility when it starts listing Bin Laden's use of email as an example of cyber-terrorism. My grandmother uses email, for God's sake; it happens to be a good way to communicate.


-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Overestimates the qualifications of players (1)

Ocibu (60442) | more than 14 years ago | (#1640600)

He claims "Only a select number of terrorist groups ..." are of concern. We all know that this is not the case. A couple of hosts located at disparate locations on the network with a handful of people who can read L0pht and BugTraq are plenty to mount a serious threat to any 'cyber' organization.

operating systems and military craft (1)

segfaults (98291) | more than 14 years ago | (#1640601)

One question I have of computer systems in general is the inherent security of them. If I remember correctly the US Navy was using Windows NT as a platform for some sort of usage. In my opinion relying on something like Windows NT, which is not auditable in source, is a probable and definite security hole. I'm not saying that open source is the key. But I believe that at least for military usage the software, and operating systems specifically, should have to go through some realistic sort of source code auditing. I really would not like my air defense systems crashing because of a buffer overflow.

Re:Vulnerable systems (2)

Anonymous Coward | more than 14 years ago | (#1640603)

What if the script-kiddies are guided by somebody more knowledgeable?

Say, for instance, that I were a foreign agent interested in finding out how secure a governmental system was.

Why couldn't I just write some tools, pass them off to some 3leet wannabe lusers in an IRC channel, and later (under a different 'nick from a different site) monitor the same or similar channels waiting for the lusers to brag about "their" exploits? Somebody has to have a clue, but it need not be the attackers themselves.

Prevention (3)

howardjp (5458) | more than 14 years ago | (#1640605)

The best way to prevent CT is to have a good staff of administrators and a good set of tools. By far, the two most stable and secure operating systems are OpenBSD and OpenVMS. Use them. Also make sure your staff knows how to administrate them properly.

Also make sure you are always running with the most up to date patches for your software (not just the OS, but all of it). Read Bugtraq to find out what the latest problems are and follow through on the suggestions given for securing a system.

Don't get too proud. Just as soon as you think you've gotten the crackers beat, they'll find a new way in. Never let your guard down.

Disable non-essential services. If you do not need a service running, why do you have it on?
Remove any tools which could be used against you.

Don't be an easy target. Firewalls are good. Protect yourself at multiple levels.

Anyway, there are plenty of other ways to handle prevention, but I'll let others pick up the slack.
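The post above says to disable non-essential services and asks why a service you do not need is on at all. The following is an added example, not code from the post: it reads the output of `ss -lntup` (the socket listing tool on current Linux systems; the post's own era would have used `netstat -an`), compares each listener against an allowlist of ports the host is meant to serve, and separates sockets bound only to loopback from ones exposed to the network. The allowlist and the sample output lines are constructed assumptions for this example; the real run is `ss -lntup | python3 audit.py` or similar, with the host's actual list.

```python
"""Added example: flag listening sockets that are not on the allowlist.
Input is ss -lntup style text; the sample below is constructed, not captured."""
import sys

# (proto, port) pairs this host is supposed to serve. Assumption for the example.
ALLOWED = {("tcp", 22), ("tcp", 443)}
# A loopback-only bind is not reachable from the network; report it separately.
LOOPBACK = ("127.0.0.1", "::1", "[::1]")


def parse_ss(text):
    """Yield (proto, addr, port, process) from ss -lntup style lines.

    Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue  # header or a line we do not understand
        proto = parts[0]
        addr, _, port = parts[4].rpartition(":")  # handles "[::]:22" and "0.0.0.0:22"
        proc = ""
        for p in parts[6:]:
            if p.startswith("users:") and '"' in p:
                proc = p.split('"')[1]  # users:(("sshd",pid=812,fd=3)) -> sshd
        if port.isdigit():
            yield proto, addr, int(port), proc


def audit_listeners(ss_text, allowed=ALLOWED):
    """Return sorted (proto, port, addr, process, verdict) tuples for listeners not on the allowlist."""
    findings = []
    for proto, addr, port, proc in parse_ss(ss_text):
        if (proto, port) in allowed:
            continue
        verdict = "loopback only" if addr in LOOPBACK else "exposed"
        findings.append((proto, port, addr, proc, verdict))
    return sorted(findings)


# Constructed sample in the shape of `ss -lntup` output.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      50     0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=400,fd=5))
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1200,fd=21))
udp   UNCONN 0      0      0.0.0.0:69          0.0.0.0:*         users:(("in.tftpd",pid=402,fd=4))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    # Read real ss output from stdin when piped; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for proto, port, addr, proc, verdict in audit_listeners(text):
        print(f"{proto} {addr}:{port:<5} {proc:10s} {verdict}")
```

On the sample it reports telnet (`inetd` on tcp/23) and tftp (udp/69) as exposed and MySQL as loopback only, while both the IPv4 and IPv6 sshd sockets and nginx on 443 pass. Anything it prints should either be added to the allowlist with a reason or switched off; re-running after patching (the post's other piece of advice) catches services a package update quietly turned back on.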

Re:is it possible to protect against? (0)

Anonymous Coward | more than 14 years ago | (#1640607)

See:

this skeptical link [niu.edu]

Also, think 'Faraday cage', and look up current TEMPEST ELINT guidelines for governmental machines.

Re:CBRN != Cyber (1)

UtSupra (16971) | more than 14 years ago | (#1640609)

Yes, the lumping of CBRN with CT gives a certain slant to the article.
I believe CT is fairly easy to achieve. Some resources are needed, but they do not compare with the visibility/difficulty of making a CBRN attack.
In particular, any 3rd world government could manage to get the equipment necessary. The only missing part would be the capable personnel. But most of these countries have more than enough scientists that are highly retrainable and capable of conducting research in the area of CT. Secrecy could be a problem (particularly if the military is already infiltrated in these countries).
I find it curious that they do not include Mathematician in the list of "dangerous professionals" (I am a Mathematician, so this is a very subjective comment); most Math people could develop abilities in CS, Bio, Chem or Physics with a short training.
I think the problem will get worse. Recommendations are hard to give...

how to avoid CT? (1)

oka (32496) | more than 14 years ago | (#1640611)

Situation:
  1. most systems have weak security
  2. exploit info is widely available (Phrack/L0pht/etc)

Solutions:
  * restrict access to security weaknesses (net censoring/eavesdropping/illegalizing reverse engineering/etc...)
  *

Big Differences... (2)

helver (36342) | more than 14 years ago | (#1640613)

It seems to me that trying to group CBRN weapons with cracking requires a huge leap.

For CBRN, acquisition of the materials required to implement these weapons is a significant issue. As mentioned in the article, people get arrested for simply trying to buy the materials needed. The acquisition of materials for a cyber attack is a much simpler task.

The level of knowledge required to implement a CBRN weapon is orders of magnitude higher than to implement a cyber attack. Additionally, the CBRN agents must be stored, transported, and potentially disposed of. These are risks to the developer, not the victim.

There are countermeasures for some kinds of CBRN attacks, but in general they are impossible to implement to ensure 100% safety. For other kinds there are no countermeasures. For cyber attacks there are almost always defenses. More often than not these defenses are disabled for the sake of convenience, or due to ignorance.

I have no doubt that crackers can cause significant damage, but to group crackers in with CBRN agents is blowing their capabilities way out of proportion. In order to implement a cyber attack it takes a $500 computer and an internet connection - essentially it can be done by anyone who wants to learn how. It's impossible to prevent because the threshold is so low and the materials required can serve legitimate purposes as well. But the effects can be neutralized if a small portion of the population - the system admins - are kept up to date and are willing to do what's necessary to keep their systems secure.

Re:"Defence Consultants" (0)

Anonymous Coward | more than 14 years ago | (#1640618)

Yes, yes. The preponderance of real violence that we will see in our lifetime in the cyber sphere will be "inside" government jobs that are blamed on the bin Ladens of the world while the CIA & Mossad split the cash and run. Knocking out a server or pulling down a network are the *least* invidious forms of attack. To do *real* damage would require inside knowledge of practice, doctrine and scheduling. I would suggest you contact Winn Schwartau; he's good at contriving scenarios to scare laymen.

Cyber-warfare HOW-TO (3)

Rahga (13479) | more than 14 years ago | (#1640619)

First of all, the article reads as a half-baked introduction to CT and how it relates to other forms of terrorism and the history of related terrorist events in the past decade. Reads too much like a boring history report done by a college freshman... but, to answer the questions...

Most of the questions are surprisingly elementary, but I'm sure this was done to bring out as many relevant POVs as possible :)

"Using CT, how easy or otherwise is it to bring down or attack vital systems?"
It is either easy or hard. The real question, how are the vital systems in question prepared to stand up to said attacks. Like a question on how well armored tanks can stand up to gunfire, it depends on which tank is in question.

"What sort of skills would be needed to do so, and are they common/teachable?"
They aren't common in the sense that Joe Blow knows how to hack into the Pentagon, but they can definitely be taught. Though skill and talent are considerable factors, they aren't necessary...

"Commercial-off-the-shelf software: can it really do CT?"
Like it says in question one, yes, but it depends on how well the targeted systems are prepared. And if they run NT, well....

"Which systems are actually attackable?"
If it exists, it can be attacked. Most vulnerable are those connected to mainstream communication systems such as the internet. Also, you must keep in mind that there are many different types of attacks available to your modern cyber-terrorists, including futile ones.

"Can a recovery be made from such attacks?"
Yes, and no. Data can always be backed up and restored on virtually any computer system. What is more dangerous is when terrorists defeat system security measures and retrieve privileged data. There is no way to "steal it back".

"Is it likely to improve/get worse?"
Rhetorical question. As computer systems become more complex and the world keeps getting smaller, the more insecure that computer systems will become or at least seem to become...

The article is bogus (0)

Anonymous Coward | more than 14 years ago | (#1640620)

The contents of the article can be divided in two categories: Stuff that is new and stuff that is old. The stuff that is old is a compilation of articles and reports from the mainstream media - in that respect it has not much added value. The stuff that is new is all wrong. Finding the examples in the text is left to the reader as a simple exercise. It's a bunch of could and woulds. Naah

Points (2)

Hermetic (85784) | more than 14 years ago | (#1640621)

I really don't think there are any COTS software apps dedicated to CT (ie. MS LoopHole Exploiter 2000 or some such thing). There are, however, many, many people out there who devote their lives to finding ways around security. Many of them are all too proud to show off their newest exploits or workarounds.
Astalavista [astalavista.box.sk] and sister sites take great pride in allowing you to do things you shouldn't. However, most of these tricks, scripts, and cracks are relatively harmless compared to a single man placing a pipebomb at the nearest telephone switching station.
There is no such thing as "security" as most people like to think about it. The best you can do is stop the incompetent (they weren't a threat anyway) and slow down the professionals (who you will never be able to stop).

CT can, and probably will be a problem, but I don't think we have reached that critical point yet.

Re:Jane's Goes Open Source (1)

aetius2 (96018) | more than 14 years ago | (#1640622)

Open source in this instance means non-classified material. The parallel is interesting, though.

Re:Bravo to Jane (0)

Anonymous Coward | more than 14 years ago | (#1640623)

Yes, let's be sure of that.

Hackers intrude into computer systems.

Crackers defeat copy protection schemes.

Lack of definitions disabling the entire debate (2)

FreeUser (11483) | more than 14 years ago | (#1640625)

One of the main problems is that it doesn't specifically define CT and why it is dangerous.

This is indeed the crux of the issue IMHO. In all of the debate and hysteria being bandied about regarding "cyberterrorism", I have yet to see a coherent, reasonable definition of just what cyberterrorism is. The absurd example of citing Bin Laden's use of email and chatrooms to communicate with others as a form of cyberterrorism is clearly alarmist and silly, while the notion of remotely ordering a nuclear power station to melt down (hardly realistic perhaps, but an effective image) would certainly be included in any reasonable definition of cyberterrorism. On the other hand, a cracker shutting down the power grid of an entire city or multi-state area appears to fall somewhere in between (disruption and quite possibly mayhem is caused, but no life is directly attacked as such). What about public defacement of web pages? Terrorism? IMHO I hardly think so -- not a single life is threatened or directly attacked. It smacks more of vandalism or graffiti, yet such attacks are consistently used as "examples" of cyberterrorism.

Until reasonable definitions are agreed upon, and adhered to, as to what constitutes cyberterrorism vs., say, cyberwarfare, cybervandalism, cybertrespass, or cyber(information)theft, discussions and articles about this subject will continue to be off point, confused, and ultimately of little use in forming coherent policies to combat the threats that these and other criminal (cyber)activity pose. Perhaps the one thing that can be learned from such confusion is just how dangerous it is to allow one's propaganda and misuse of language (as evidenced by the extreme hype and demonization surrounding cracking and such loaded words as "cyberterrorism", all out of proportion to the actual damage or potential damage done) to define one's own thinking when trying to establish responsible and effective public policy.

Deranged Chemist (2)

the eric conspiracy (20178) | more than 14 years ago | (#1640627)

I don't know about this deranged chemist thing. With all these monocultures in agriculture it wouldn't take that much to put together a pretty nasty attack on the food supply.

Taking out a power grid is much less impressive.

Answers to the Questions. (0)

Anonymous Coward | more than 14 years ago | (#1640628)

Hi Johan, here are my answers.

Question: Using CT, how easy or otherwise is it to bring down or attack vital systems?
Answer: it depends on the skill of the cracker and how well set up the systems are. 2 things to keep in mind:
1) A lot of near-essential systems will have few cyber-defenses, and could be easily brought down. Though this might not result in the loss of life that is commonly desired by a terrorist group, it will serve to decrease morale in the populace, something any terrorist group should want.
2) Any networked system is potentially vulnerable, no matter what. It might be really, really tough, but some random person in a random part of the world can take it down.

Question: What sort of skills would be needed to do so, and are they common/teachable?
Answer: You need to know about the OS of the system you wish to attack. You also need to know about networking. Go to the bookstore and buy the appropriate books, go to your local community college, or read the appropriate docs online to learn this.
You need to know common exploits for systems. There are mailing lists and websites full of info on how to bring down NT and Unix machines. Read Bugtraq.
You need to know how to develop your own buffer overflows, trojans, viruses, etc. This requires a level of programming knowledge and intricate OS details. Again, buy books or refer to docs online.
If you have a really smart terrorist, s/he could learn all this in a few really intensive months by only reading docs found online.

Question: Commercial-off-the-shelf software: can it really do CT?
Answer: There's no need to buy commercial software, though yes, it can do CT. Use Linux or a BSD variant. Other OSes are easily gotten from warez sites. All the software you need is open source; see http://www.freshmeat.net [freshmeat.net]. Also see the warez sites if you really need MS Word for some reason.
The utilities you'll need are packet sniffers, telnet clients, some compilers (C, Perl, Cobol, others?), a text editor, oh, I guess an OS would be good (use OpenBSD!). All these are free.

Question: Which systems are actually attackable?
Answer: heck if I know, that ain't my bag. But if I did know, I probably wouldn't say. That would just be plain wrong.

Question: Can a recovery be made from such attacks?
Answer: If the system is set up correctly, yes. Generally, consider your disaster preparedness. A serious terrorist cyberattack will be no worse than a major earthquake. If all your computer systems are destroyed, how readily can you recover?

Question: Is it likely to improve/get worse?
Answer: The faster we move to computerize/internet everything, the worse it will get. Once the average intelligence of sysadmins/programmers has a chance to catch up, it will get better.

Question: What sort of preventive work would you recommend them to carry out?
Answer: Read the various docs on security for the systems you are running.
Don't allow internet access to your most important systems. Not through a firewall, not through triple-encrypted VPNs, not through special dialups, networking procedures, or anything at all.
Use ultra-paranoid techniques, like surrounding your most valuable systems with copper/lead rooms (keep in mind TEMPEST and EMPs) and not trusting any one person with full access to anything. Keep up to date on all new technologies and emergent ones, as well as new exploits: read Bugtraq.
Keep backups, and keep some in secure locations off-site.
Perform security reviews on a regular (monthly or more) basis.
And, of course, BE PARANOID.

Finally, keep the simple techniques in mind:
One person with a backhoe can fuck shit up bigtime. Three coordinated people in different parts of the country can do worse.
Cost of attack:
Rent 3 backhoes for a few hours: $900
Determine where to hoe: 10 hours research time
And it would be easy to get away with as well.
This is based on a real incident where some workers accidentally tore up a fibre optic cable and put a bunch of people/companies off the net.

-f
frisco@peruano.org
http://www.perauno.org/ [peruano.org]

Cyberterrorism == Bogeyman (1)

Aaron M. Renn (539) | more than 14 years ago | (#1640631)

Threats of cyberterrorism are so overblown it is ridiculous. It should come as no surprise that the people most pushing this are military types angling for more funding and more powers over everyone (no strong crypto, tap everything, etc) under the guise of stopping "terrorists". If you want to read the truth, then stop by and visit the Crypt Newsletter [niu.edu].

BTW: Speaking of Jane's, there's a nice reference to "Jane's Market Forces" in Ken MacLeod's latest "The Sky Road". Another great in-joke that is one reason MacLeod is damn near the best thing going in science fiction today.

Infrastructure (2)

Anonymous Coward | more than 14 years ago | (#1640638)

Frankly, I'm more concerned about attacks against the physical infrastructure of the net than I'm worried about "cyber attacks".

Perhaps I'm naive, but I view crackers mainly as a way to keep sysadmins on their toes, not as some sort of world-destroying threat. OK, so somebody nails a sendmail box I'm running -- I'll just overwrite the HD with a backup & secure it from there. Big deal.

I'm much more concerned that someone will use real-world weaponry against the net. For example, using a couple of truck-bombs against MAE-West and other NAPs simultaneously. A sufficiently coordinated attack of this nature could do real damage to the global economy just in terms of panic and disruption (massive stock sell-off, etc.). Plus, since it's a real-world attack, the damage is harder to contain/repair. I mean, anyone got a backup tape that'll rebuild MAE-West?

As far as I can tell, the main thing we have going for us is that most terrorists are pretty stupid people. They're ALWAYS going after ineffectual targets, like innocent civilians, and they do it in a half-assed manner. Most terrorist groups just seem to be places for losers to hang out and bitch about life; if they were more intelligent they'd be doing other things with their time.

I dunno; most terrorists just remind me of the Columbine losers grown up. Any half-wit could have managed to kill more people.

Cyber-attacks are inherently unsexy; there's no big boom, there's no glory in dying for a cause, just a bunch of nerds in a closet. Terrorists want to die with glory, to strike the big blow, and they're too dim to realize what an effective attack means.

Perhaps more importantly, anyone with enough skill to launch serious cyberattacks is probably going to be making serious $$$ in legitimate industry. After all, what world-class computer nerd wants to spend his/her time in some dirt-poor corner of the world, surrounded by psychopathic gun-toting losers? Osama Bin-Laden, for all his supposed clout, lives like an animal in a hole in the ground. What programmer wants to spend their time that way? You can make a bomb in a cave lit by candlelight -- you can't launch a cyber attack that way.

Jane's Goes Open Source (2)

Gerv (15179) | more than 14 years ago | (#1640639)

Have you seen the title to their main page [janes.com] ?

"Jane's Intelligence Review, the world's leading open source defence, security risk and threat analysis for the professional intelligence and defense analyst"

Obviously this means anyone can copy and redistribute copies of Jane's Intelligence Review as long as they make any modifications they make to the text publicly accessible...

Gerv

Stock Market (2)

kid (3373) | more than 14 years ago | (#1640640)

It's always occurred to me that, in a war, the country/party that runs out of funds first loses. Thus, the objective of war isn't (per se) to do as much physical damage as you are capable of inflicting, it's to cause just enough damage that the "enemy" is unable to recover financially.

This suggests, in this time of cyber-warfare that we live in, that attacking a stock market or other primary financial institution is the most effective means of accomplishing your goal. Much more damage would be accomplished by taking the NY Stock Exchange offline for a couple of days than by an attempt to attack the "food supply" (which would be up and running again within hours from backup tapes, or replacement hardware).

I see no mention of this financial aspect of war in the article, yet it seems the most vulnerable in my mind.

Answers for Jane's editor (1)

redelm (54142) | more than 14 years ago | (#1640641)

> Using CT, how easy or otherwise is it to bring down or attack vital systems?
It depends entirely on the system under attack. If it is not connected, it's fairly safe. If i'net connected, then it depends on how hard the system is to crack.

> What sort of skills would be needed to do so, and are they common/teachable?
Basic computer skills are common and teachable. More advanced cracking skills are dependent on analytical ability, and may not be teachable. But the threat from 1000 script kiddies is very different from the threat from one/few skilled crackers.

> Commercial-off-the-shelf software: can it really do CT?
AFAIK, there is no commercial off-the-shelf CT software. But there are lots of ready-made free kiddie scripts that would do much the same thing.

> Which systems are actually attackable?
Anything programmable. Anything with connectivity is easier to attack because physical presence is not required. Anything with inet connectivity is still easier because it's easier for the attacker to establish a connection, and that connection is more predictable.

> Can a recovery be made from such attacks?
Depends on the system. Depends on the skill of the sysadmin. Backup tapes are usually advised. For real-time systems, fallback to simple control is essential.

> Is it likely to improve/get worse?
A judgement call. More systems are being made vulnerable as users want the advantages of inet connectivity. Security awareness is also increasing. IMHO, no net change.

> What sort of preventive work would you recommend them to carry out?
Good sysadmin work customizing installations, not accepting anything out of the box. Risk analysis (probability & consequence).

-- Robert redelm@ev1.net

Re:Hackneyed alarmism (3)

Roblimo (357) | more than 14 years ago | (#1640642)

Johan, the Jane's editor, agrees with you. That's why he's soliciting comments from Slashdot readers - and is going to write a whole new article based on them that'll run alongside the original clueless piece. This is a great exercise in showing the difference between "official" thinking (which generated the original story) and the "grass roots, hands on" style of thinking common among Slashdot readers (and authors and editors too, come to think of it).

- Robin "roblimo" Miller

Re:operating systems and military craft (1)

Mawbid (3993) | more than 14 years ago | (#1640643)

If the US Navy wants to look at NT source code, I'm sure they can. They can't put as many eyeballs on it as there are on the Linux kernel sources, however.
--

Financing is a non-entity for CW (1)

DD Harriman (14006) | more than 14 years ago | (#1640644)

The author speaks of financing being a major hurdle to terrorist groups interested in CW. Nothing could be further from the truth. Not that most commercial off-the-shelf software is all that great for CW, but there are plenty of scripts to download for free off any of the "cracker" sites.

Additionally, large organizations are cited as being required. A single, motivated terrorist, amateur or professional, can take out several "mission critical" systems with nothing more than a net connection and a free evening.

Re:is it possible to protect against? (1)

Anonymous Coward | more than 14 years ago | (#1640645)

You don't even necessarily need EMP to bring down 911.

During Hurricane Floyd, the Port Orange police department was ready to shut down their brand new shiny AS/400 (pretty sure that's what they installed) computer system because their generator was having problems handling the load of the 6 air-conditioning units some yahoo had wired into it, rather than the one needed. "The computer system is drawing too much power" indeed.

I'm sure this isn't a common problem, but I'm also sure that it's not an isolated situation. Most of the time even the vital systems are ultimately under the control of clueless bureaucrats and/or underpaid, overstressed people who have no idea what they are using.

Posting anonymously as I'd not like my source to be fired. :)

Just unplug the computers (2)

Jimhotep (29230) | more than 14 years ago | (#1640646)

Why have a critical computer system exposed to the world? Defacing a web page never killed anybody.

Other terrorism ideas: find and read "A Higher Form of Killing".

This book explains how the CIA tested the spread of toxins in the NY subway system.

From the Jane's article:
"In mid-1997, an American white supremacist faction plotted to attack the New York City subway system with biological weapons."

Thanks CIA

A few thoughts. (0)

Anonymous Coward | more than 14 years ago | (#1640647)

This article looks like a sales pitch for funding. To answer some of your questions:

Using CT, how easy or otherwise is it to bring down or attack vital systems?
This can't be answered in a blanket statement. It's case-by-case.

What sort of skills would be needed to do so, and are they common/teachable?
Common? Not really. Teachable? Yes.

Commercial-off-the-shelf software: can it really do CT?
In a very limited scope they can, assuming the exploits they operate on are doable on target systems. No form of AI that I'm aware of would be used by these groups to carry out infiltrations. AI is too stupid.

Which systems are actually attackable?
Any system that has direct or indirect physical connectivity to the station being used to carry out the attack is attackable.

Can a recovery be made from such attacks?
Well yes, but it's usually too late if the attack is successful.

Is it likely to improve/get worse?
Definitely worse.

What sort of preventive work would you recommend them to carry out?
Put in place a transaction tracking mechanism. Hardware token, one time authentication using proprietary, cycling protocols. Every truly critical service should have absolutely no connection to the outside world. All connectivity devices should be running secure loads with whole network port to port managerial trust relationships. You could use the unused 802.10 protocol for in house purposes, and a variation of 802.1s on connectivity devices to create an obscure logical maze that the attacker must first figure out before gaining easy access to the doorsteps of critical systems. It is key that these devices ignore influence from end stations. Management _must_ be done at the console. There's lots more you can do. If you do not already know, or can't find someone who does, good luck. It's amazing how lazy people are. Someone somewhere is almost certain to make the cracker's job easy because they're too lazy to get off their ass and _walk_ over to the servers in the next room.
The weakest link in any security project or procedure is the point where an administrator comes into play.
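The "hardware token, one time authentication" idea in the comment above, as an added example that is not part of the comment or of the Jane's article: a standard HMAC-based one-time password (RFC 4226 HOTP) with a server-side verifier that refuses replayed codes. The algorithm is the public standard rather than the "proprietary, cycling protocol" the commenter describes; the `HotpVerifier` class and its look-ahead window are an assumed design, and the shared secret is the RFC's published test key, not a real credential.

```python
import hmac
import hashlib
import struct

# Added example (not the commenter's or Jane's code): RFC 4226 HOTP, a standard
# one-time-password scheme, standing in for the "hardware token" the comment
# mentions. The shared secret below is the RFC's own test key, not a real one.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value for a shared secret and a moving counter."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of the exchange (assumed design). Tracks the last accepted
    counter so a captured code cannot be replayed, and tolerates a small
    look-ahead window in case the token was pressed without reaching the server."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time comparison so timing does not leak partial matches
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # move past the used value: a replay now fails
                return True
        return False


if __name__ == "__main__":
    verifier = HotpVerifier(RFC4226_TEST_SECRET)
    first = hotp(RFC4226_TEST_SECRET, 0)
    print("first code accepted:", verifier.verify(first))    # True
    print("same code replayed:", verifier.verify(first))     # False
```

The verifier advances past any accepted counter, so a code that was sniffed in transit is worthless once used, and a code from a counter the server has already passed is rejected even if it falls inside the window.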

Why would there be anti-state groups? (0)

Anonymous Coward | more than 14 years ago | (#1640668)

The hacker community at large, in my opinion, should and will keep all relevant information to ourselves. Why deliver what we know to Jane's, so that every cold war leftover can sit in their cushy office deciding which group of people can become the next villain?

Here is some advice to the readers of Jane's:

1. The best form of defense against anti-state terrorism would probably be to decrease the terror that the state itself causes. "Terrorist" seems to be the word you use to describe a group of aggressors intent on terrorizing another group into doing what they want. Slap a U.S. Flag on them and all of a sudden they become a legitimate "peacekeeping force".

2. Hackers are about freedom of information, and decentralized forms of power and governance. Jane's readership is mostly about control of information, and centralized forms of rigid authority.

3. Many hackers hope to live in a world like ST:TNG, where your concepts of nationhood and military aggression are antiquated and outmoded.

4. Instead of focusing on terrorizing hackers through the state's power, maybe Jane's could risk losing some of those defense department kickbacks and run a truly journalistic piece on the U.S. government's use of force to promote U.S. economic viability.

In other words, hackers, technoanarchists, and subversive geeks from the world around: tell Jane's where to stick it. You don't help your enemies when you're at war.

... Hmm... thoughts. (1)

Mandoric (55703) | more than 14 years ago | (#1640669)

Using CT, how easy or otherwise is it to bring down or attack vital systems?
What sort of skills would be needed to do so, and are they common/teachable?
It depends on whether one was conducting physical or mental terrorism. While a system like a dam or a power plant has, at the very least, specialised control systems and may not be externally connected (and probably require training), "vandalistic" terrorism, to create discontent and fear among the population, or temporary "denial of service", is very easy and there are many tools for those.
Commercial-off-the-shelf software: can it really do CT?
It depends on the amount of skill of the user, with those skilled able to use utilities like "telnet" and "ping" included with any modern operating system. However, although less-skilled users may use specialised programs and scripts, those are available for the taking online, so...
Which systems are actually attackable?
Anything hooked to a network can be attacked from anywhere else on that network. However, even having an unconnected system still leaves open the possibilities of an insider job, an EMP or HERF generator (blockable by a Faraday cage), or actual physical sabotage.
Can a recovery be made from such attacks?
It depends. For proprietary and specialised systems, such as, say, an electric plant's controls, it's usually hard to rebuild a proprietary system quickly. For normal systems, all one needs to do is restore from backup. The main concern is not so much "Will it run again?" as "What are the results of it not running?". An ISP, say, with 20000 customers, can easily afford to replace a $15000 machine, but will find it much harder to deal with customers angry about the temporary loss of services. The same for the military, who may have backup systems but still suffer from the momentary loss of navigation or targeting or whatever systems.

Is it likely to improve/get worse?
The amount of attacks is likely to increase, but the amount of effective attacks may decrease as prevention measures are worked on. In particular, operating systems are becoming more secure as the easy holes are found. However, this may have the side effect of filtering out "John Q. Hacker" who just wants to look around while merely requiring more effort for a dedicated terrorist.

What sort of preventive work would you recommend them to carry out?
If it doesn't need a network connection, don't hook it to a network. Use strong crypto. And keep track of the lists of bugs and holes.

You do not need a terrorist... (3)

kris (824) | more than 14 years ago | (#1640670)

... to shut down vital parts of the computer infrastructure of a country. As we have seen, a backhoe is enough. Or a faulty software upgrade in a power grid or phone control point.

Also, what crackers (and cyberterrorists, if they actually exist) do is utilize remotely exploitable bugs in current software. That is, they use tools and techniques which are roughly identical to normal debugging techniques, but apply them a bit more creatively. The creative application may have spectacular effects, but that does not change the fact that the basic techniques used are actually routine debugging techniques.

The bottom line is: As long as current production software is as bad and immature as it is, there is no cyberterrorism. Just applied stupidity.

my $.02 (1)

jart fishicken (55896) | more than 14 years ago | (#1640671)

Too buzzwordy, doesn't really say much on the topic of CT, or NBC for that matter. We know it's serious. It's not like nobody's doing anything about it.

"... super, ultra, and macro-type catastrophic terrorism"?! Wow. That... doesn't really say much. Sounds pretty biblical, actually.

No example of the depths to which it could be utilised. Think stock exchange. Think power grid. Don't do the missile defence/"War Games" stuff.

Also think about the level of security already in place in the first world, and the amount of security being put in as we speak by the Z80 and Commodore 64 generation. Who made it necessary.

I wouldn't publish that in JIR in present form. More likely Readers Digest.


-j

Re:CBRN != Cyber (1)

Anonymous Coward | more than 14 years ago | (#1640672)

On the subject of state-sponsored terrorism: I honestly don't believe that this is the problem a lot of people make it out to be. If your system goes down, it's a lot cooler to say it was the Indonesian Government than a dodgy cgi script. I'm not saying it doesn't happen, but I do believe that it's seriously overhyped.

Ref: First Virtual War [slashdot.org] , Slashdot, 27 Jan 1999. Also, a statement [freedom.tp] from Connect Ireland [connect.ie]

Grossly underestimated and wrongly accented (2)

arivanov (12034) | more than 14 years ago | (#1640673)

This article is a very bad piece of work. The author did not do her homework properly.

Only a select number of terrorist groups and few state sponsors are likely to possess the necessary motivation and capability in the spheres of organisation, funding, acquisition, technology, storage and stockpiling, logistics, and other overt and covert resources to be able to make the transition from conventional to CBRN/Cyber warfare. For many, the numerous internal and external tasks and hurdles involved in acquiring, storing and deploying such sophisticated weaponry and devices are simply too much. Moreover, few terrorist groups and state sponsors are sufficiently motivated to carry out mass casualty or mass disruption warfare.


Well, the necessary means of cyber disruption are very simple: a 33K modem, an old 486 running Linux or BSD, and a brain. It is true that few terrorists have the necessary knowledge, but this does not mean that they may not hire someone. And this will be cheaper than buying and smuggling explosives and weaponry.

On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CB/Cyber attacks much more feasible to launch than hitherto. Radiological and nuclear weapons, however, are far more difficult for terrorist groups to acquire or to develop indigenously, to weaponise and deploy, or to provide storage for.


Commercial and off-the-shelf solutions are mostly applicable after a break-in has been committed, i.e. for maintaining access, deciphering data, etc. So they come into play after the break-in, which once again requires few resources and some brain.


Significant financial resources are required for terrorist groups to develop an indigenous CBRN/Cyber operational capability unless a group succeeds in weaponising a crude, low-technology device, or stealing or hijacking such a device.


Yet another dumb statement.

  • You can make a microwave cannon in your garage. No point in stealing it. And you can knock out an entire stock exchange with it.
  • It takes a modem and a Unix box to break into a remote machine. It is neither stolen nor expensive.


Overall very very very bad article with the following bad implications hidden between the lines:

The availability of security related information on the internet is _BAD_

part one: cyberterrorism - a definition (2)

CormacJ (64984) | more than 14 years ago | (#1640674)

CBRN warfare is an advanced method of warfare - cyberwarfare isn't. The resources needed to achieve this aren't expensive; all it needs is some knowledge and a little cheap equipment.

There are examples of this already, including L0pht's research into the vulnerability of the US electricity network. They gather data from public websites and once the data is correlated a good image of the security of the network is found. This can then be exploited. Cyberterrorism is about this type of research.

This article concentrates more on the conventional side of terrorism, but attention should be paid to the groups that use IT for gathering and co-ordination of intelligence rather than for warfare.

Cyberwarfare is where tomorrow's terrorists will attack. Terrorism is part destruction/part publicity. Several terrorist groups attacked targets to generate publicity, not to kill people. Similarly, cyberwarfare attacks are about the same: posting web pages, taking over known servers. The next level is the hardest one to guard against. This is the hacker in the system that doesn't destroy or alter data, just reads things and leaves.

The author groups cyberwarfare along with "script kiddies". Cyberwarfare is not only about damaging systems, it is also about intelligence gathering and information processing.

This is essential to terrorists. Hacking into a government server and posting a new webpage looks good and generates publicity, but hacking into a government server and reading the documents in people's email directories is much more valuable to terrorists. This gives cyber terrorists valuable details about the thinking and opposition to their movement, and can aid in planning conventional attacks.

The next generation cyber-terrorism won't just be about invading and crashing control computers or servers, it will also be used for spying and sabotage.

Cyberwar like all other forms of war is not just about damage and destruction but also is about spying and intelligence gathering.

These areas are where most consideration will have to be given.