Jane's Intelligence Review Needs Your Help With Cyberterrorism

Jane's Intelligence Review, a famous "in group" publication read by political, military and intelligence honchos the world over, has an article on Cyberterrorism scheduled to run in its next issue. But Jane's editor Johan J Ingles-le Nobel believes Slashdot readers may (ahem) actually know more about potential Cyberterrorism tactics than the article's author, and would like you to comment on his work - for publication. The article is up on a private preview page. Please read it, then post your comments. Johan will read them, here on Slashdot, and will select some of them for publication in Jane's alongside the original article. Before you post, please read a message from the Jane's editor (below).

These are the specific questions Jane's wants answered:

• Using CT, how easy or otherwise is it to bring down or attack vital systems?
• What sort of skills would be needed to do so, and are they common/teachable?
• Commercial-off-the-shelf software: can it really do CT?
• Which systems are actually attackable?
• Can a recovery be made from such attacks?
• Is it likely to improve/get worse?
• What sort of preventitive work would you recommend them to carry out?

For our part, we'll make an article based on your replies. Please try to give examples and evidence, keep it clean and stay objective - this is not a 'military-bashing' exercise. When we publish the article (17 November), if you'd like to be contactable on this issue use your real email address and we'll attribute your comments, otherwise use 'anonymous coward' .

Many thanks,
Johan J Ingles-le Nobel,
London, England.
johan.ingles@janes.co.uk

Re:CBRN != Cyber

In my opinion, the fundamental difference is that Cyber attacks are utterly unlike any other form of attack because they do not involve the delivery of large amounts of energy to the enemy (unless you would call EMP or HERF attacks "Cyber", which IMO would be wrong -- a HERF gun aimed at a computer terminal is really the same sort of thing as a grenade thrown at same.)

Cyber attacks, therefore, are aimed at the information, which is much less easy to destroy because of the possibility of making qualitatively and functionally identical copies. I'd divide cyber attacks into two species: "Destruction of information" (erasing) and "Corruption of information" (spoofing).

Erasing is very difficult to carry out because any system worth attacking is also worth backing up. I know that UK and US interbank transactions are backed up daily, with multiple remote backup tapes. Any Cyber attacker wanting to "destroy" the interbank market will cause the loss of at most one day's worth of transactions. Erasing attacks can be straigthforwardly guarded against through multiple, remote (in both geopgraphy and network topology) backups, taken at sufficient frequency that the maximum possible loss is bearable for the system (the "safe frequency"). Any system for which the safe frequency is too low for the backup defense to be practical (for example, a power grid) should be kept remote from networks; although this does not defend against attacks from insiders, network seclusion should allow the terminals of the vulnerable network to be physically guarded.

Spoofing is much more difficult to guard against. This kind of attack comes in two flavours; attempts to create phony records, or phony messages in a system (such as creating false bank accounts), or attempts to create phony instructions to the processing system, causing a failure of the system which is as bad as an erasing attack.

The easiest way to defend against non-destructive spoofing would be to use backups once more, and to operate a kind of "double-entry book-keeping" which traces every record to its creation and requires consistency between numerous (again, preferably topologically remote) sources. This multiplies the difficulty of a Cyber attack, as the attacker now has to break several systems instead of just one.

Destructive spoofing aimed at the processor rather than its records is a different matter. Causing the processor to execute phony instructions could allow the Cyber attacker to erase records, transmit phony messages and, potentially, to "cover its tracks" well enough to escape consistency checks. Of course, this kind of attack is more difficult than any other -- usually the only way to get another machine to execute rogue instructions is to exploit buffer overflows.

I have no particular suggestions for defense against the final kind of attack, except for the rather obvious advice not to create situtations in which buffer overflows can happen. The use of non-standard operating systems or instruction sets could, in principle, make it harder for an attacker to work out what to do with a buffer overflow once discovered, but to me, this seems too much like security through obscurity to be recommended.

I'd add that using the Internet as it is currently designed to communicate between members of a terrorist organisation would not be a good idea -- it goes against the "cell" concept which is known to be the best way to organise. Even messages on private bulletin boards carry enough information in the headers to allow substantial information about the whole network to be deduced for any security agency which can gain access to the routers.

Just some idle thoughts

jsm

CBRN != Cyber

Although the article lumps them together as 'terrorist weapons of mass destruction', cyber attacks are very different from chemical, biological, etc, attacks for a whole bunch of reasons):

Finance. The article implies that major finance is required to implement major attacks; this is not the case for cyber attacks; L0pht bulletins and Phrack are all that's required, along with a script kiddie mentality.

Nature of attack. Cyber attacks in general don't attack people; they attack infrastructure. If properly implemented a lot of people will die, but as a side-effect. Biological attacks, OTOH, attack only wetware and leave infrastructure intact.

Personnel. One deranged chemist can do quite a bit of damage, but an embittered genius nerd can do much, much more. Remember that interview with L0pht? "I can shut down this power grid now."

On the subject of state-sponsored terrorism: I honestly don't believe that this is the problem a lot of people make it out to be. If you're system goes down, it's a lot cooler to say it was the Indonesian Government than a dodgy cgi script. I'm not saying it doesn't happen, but I do believe that it's seriously overhyped.

Finally:defenses. Up to a couple of years ago, people thought of security they way people in the 80s thought of Y2K: it'll probably be a problem some day, but we'll muddle through. Any system put together in the last couple of years was implemented with security in mind (if it wasn't, shoot the sysadmin), but most systems more than a couple of years old are inherently insecure. Ironically, Y2K could prove to be a boon, as audits will give detailed reports on exactly what's in a system, and this information can be used to boost security.

Hackneyed alarmism

This article is extremely poor. It reads as if the author had done a global search-and-replace of CBNR to CBNR/Cyber, plus added a very few It paragraphs. The tone is unreasonably alarmist.

It make no distinction between cyberterrorism, which is an attack upon C3I (command, control, communications & intelligence) systems, both military and civil, and terrorists using their own cyber C3I.

Worse, it confuses C3I (infosystems) with CBNR (weapons systems).

Jane's editor asks some good questions, but this article cannot even be rewritten to answer them.

-- Robert

Cyber-intelligence and other applications

The intense focus on "shut down the power grid" scenarios, and tight analogies with physically violent techniques (unlike CBRN, "Cyber" warfare is not inherently violent/destructive), serve only to ignore much more potentially effective uses of IT in terrorist warfare - intelligence-gathering, counterintelligence, and disinformation. The article does not touch on these points *at all*, and quite frankly is worthless sensationalism without them.

In warfare as well as in business, IT is "the great equalizer". Its low financial barrier to entry, relative to heavy industry, allows even the poorest organizations an IT effectiveness equal (or nearly equal) to the richest, most powerful nations and corporations. The greatest advantage the covert warfare arms of major nation-states (CIA, Mossad, etc) have over small terrorist organizations is the financial wherewithal to develop massive intelligence networks, and to easily spread disinformation via access to public media and an enemy's internal communication channels. IT very much levels the playing field in this regard.

If a terrorist group can penetrate the security of an enemy organization's computer networks, they do not need to do any damage to be militarily effective. Rather, they can quietly copy information to process at their leisure, without having to physically smuggle it out of secure facilities. In particular, this approach, combined with automated "data mining" techniques, can be used to search for useful patterns in vast stores of insecure and apparently unrelated data (c.f. Stoll, Clifford: _The Cuckoo's Egg_ (a very well documented example of state-sponsored computerized intelligence gathering)).

Another use for this access is disinformation. False or misleading information can be planted in (or deleted from) databases, undermining the effectiveness of organizations relying on that information. And in our current world, where authentication via strong encryption is still rare and nonstandard, IT can make forgery easy. Credentials can be forged to fool authorities or the media for purposes of disinformation, or to enhance covert physical activities.

Encryption also provides effective counterintelligence for very low cost, both maintaining information secrecy and providing authentication for otherwise anonymous data. Public key encryption can allow a network of intelligence to communicate secretly, without direct contact, and with sophisticated tools for obsoleting compromised keys and secrets. The major governments, who have long depended on spying on civilians, have good reason to fear this technology.

Another use for IT is the copying and *publication* of encriminating information. For an example, consider an environmentalist "terrorist" organization uncovering and publishing secret corporate or government documents on toxic waste spills, or covering up the hazards of a project. No physical violence need be performed to do terrific practical damage. Remember the Pentagon Papers? Their publication was instrumental in turning the tide of public sentiment against the Vietnam War. Yet those had to be delivered as physical copies by an internal spy to a major media group, and the government nearly succeeded in supressing the evidence in court. With electronic copying and widespread distibution, governments no longer have any power to stop such publications.

Of course, we could go into much greater detail, with more specific examples, but I think the point has been made. The article ignored the most effective uses of IT for terrorists, while simultaneously advancing unrealistic and undocumented doomsday scenarios (shutting down the power grid), and blowing normal organizational activity out of proportion (bin Laden's use of email, for example). Rather than a Slashdot-driven rebuttal, the editors would do well to reconsider publication of the article altogether, until a more comprehensive and realistic article can be written.

---
Maybe that's just the price you pay for the chains that you refuse.

Misc nitpicks.

Comments on the specific Q's
* It would depend upon the vital system, of course. It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.

* Skills? There has to be somebody available to *write* the original program, and that probably means knowing something about how the target site is operated. If it's done well and does not require user input, it *might* then be possible to hand the program to a 3-year-old with his finger on the 'enter' key, and take the next flight.

* Define CT. Does a denial-of-service count? Did the "Ping of Death" count? Does 'telnet' count?

* The only way to know what's attackable is to know every system. I don't pretend to be omniscient, but common sense should apply; my refrigerator is not running a Telnet server, for instance. My bank probably uses encrypted communications and a journaling filesystem with transaction logging. A web guestbook might not have been written w/ an eye towards preventing filling-up-the-disk. Etc.

* Recovery? It depends. If one gets "rooted" and the attacker simply wipes all files, it's time to go get the mag tape. If the attacker simply uses your machine to go on online chats and doesn't actually *do* much, that's a different story. Of course, many will point out that you can't *really* know unless you were watching the entire session, and should therefore reach for the mag-tape.

* It's a continuing race. Those who neglect security have more to lose, however.

* Advice? Use your head. Use systems by people who actually care 'bout security. Follow principles 'bout least-privilege and so forth. And don't bring your box online before searching for relevant docs -- but also don't believe that the sky is going to fall as soon as you plug in that cable.

Misc notes --

* (minor) Possibly, the full name of the LTTE -- the Liberation Tigers of Tamil Elam -- should be used. {shrug}

* Similar minor nitpick: Is is 'bin Laden' or 'Bin Laden'? I've seen both in print.

* Something to note: a 'Cyber' attack, as the article terms it, would most probably not incur nearly as harsh retalliation as a CBRN attack would.

* As was noted above and no doubt below, substitute 'cracking' for 'hacking.

* Consider adding the motive 'extortion'. This may or may not be plausible based on the difficulty of getting the money...

* Consider adding the motive 'fear-mongering'; that is, to a population to be unduly alarmed at the alleged possibility that their banks will be raided or that malicious crackers will down a jetliner or so forth.

Re:CBRN != Cyber

I would add to the previous poster's bullets that "CBRN" and "Cyber" threats are also different in the following ways:

Radically different logistics: terrorists face reduced logistical barriers to insertion/destruction: physical logistics takes on radically reduced importance when attacks can be relayed remotely over the global telecommunications infrastructure. Logistical-oriented defenses for detection and interception (e.g. borders) become largely irrelevant.

greater freedom of information: certain types of nuclear and biological expertise are closely guarded and narrowly disclosed, while attack tactics and strategies are much more widely available in online communities, largely in hopes of exposing infrastructure flaws so that they can get fixed.

reduced scarcity of precursors: while physical precursors to biological, chemical and nuclear materials can be controlled, at least to a limited extent, controls over precursor material useful for "Cyber" attacks is substantially less effective due to the fluidity of information flow (i.e. ease of dissemination) and availability of encryption for hiding information flows. Restricting information flows runs counter to the information-sharing process that has created existing technological (and economic) progress, not to mention raising problematic civil liberties issues. And restricting encryption technology exposes corporate interests to increased espionage vulnerabilities.

--LP

31337 hAx0r dOoDz

Skill doesn't cost very much in terms of money to aquire.

The people who can bring down systems are the same people needed to protect them. It's in a way kind of like the wild west, but there are no black hats and white hats only dark and light grey.

The difference between a hacker, and a cracker is what they do with their skills. One man with a rifle is a hunter, another man with an identical rifle is a murderer. What you do is more important than what you are capable of doing.

6 months from now when the l0p(Lords of Pudding) cracks Jello's web site for publicity it won't be a well funded attack. It'll be a couple of rinky dink high school kids who allowed their talent to be used for non-productive ends.

Hacking has nothing to do with who's the best funded. It's about getting done what you need to get done no matter how you need to do it.

I'm sure that every hacker here has done some things that at least border on cracking at one time or another. Not that there was necessarily any malicious intent, it's just doing what needs to get done.

It's the script kiddies who've (at least in recent years) given us a bad name. It's the assholes WhO TyP3 3v3rY7hiNg LiK3 7hIs who make us look like a bunch of pimple faced rejects before the masses.

One thing that makes many hackers fertile recruiting ground is the total lack of respect for the ability and value of a good hacker. When a hacker has to stand by and watch a brainless marketting suit make millions for sitting around and thinking up crap like "Got Milk?" and "Think Different" it can make him want to make an undeniable statement and force people to recognize him. Also how many of us would be willing to pass up a pile of cash if someone offered it in exchange for getting access to Company X's fincancial records?

I've never caused any damage to any company's computer systems, just like the vast majority of my fellow slashdotters, but in a materialistic society how many of us would pass up the chance to make big pay checks if we did?

LK

"Hardness" of systems

A common thread running through Johan's questions is the assumption that target computers can be rated by "hardness" in the same way as a military base.

This assumption has limited validity. It is certainly true that some systems are constructed to be much harder to penetrate than others. However any system can be made insecure by improper installation or use. A classic example is the recent Linux box crack. The crack exploited an insecure CGI script instead of the underlying operating system.

This leads to a situation where attacks are single-use weapons with irregular effects. Think of the Federation encountering the Borg: a phaser works on the first borg, but not the second because the second one had learned what killed the first. Attacks on computers have this nature: you may be able to penetrate many computers at first, but when the attack becomes known the hole will be closed. If the defensive structure is good then this will happen fast and universally. This is what CERT is about.

Much has been made here of the "script kiddy" phenomenon. This does not seem a realistic concern for real national infrastructure or military issues. Sure there are plenty of insecure systems around, but the attacks the script kiddies use are generally known and they can be locked out.

This means that against a well-defended target you are going to have to devise fresh attacks. This is not a trivial exercise. Its easier if you can get hold of the source code, but either way expect to have to fund a team of good techies sitting down with sample systems looking at how to take them down. The result will not be an armoury so much as a mixed bag of ad-hoc tricks, each of which will have a very narrow window of use. Also you can't stockpile these attacks because at any time someone else could discover the same crack, use it, and get you locked out.

Even a successful cyber attack will be little use on its own. It would have to be co-ordinated with other actions. At this point it gets hairy. The effects of your actions when you actually try to take down or penetrate a system are difficult to predict. Maybe it will work, or maybe the defenders are on to you and will be duly warned. And the mixed bag of tricks will be hard to integrate into the rest of the strategy.

All this points to the need for a proper defensive posture. This makes the entire infrastructure much more robust. Use operating systems and applications which are known to be reasonably secure. Keep up with CERT bulletins and other sources of information. If a computer is worth guarding physically then it is worth guarding "informationally", and for critical assets this might well extend to a continuous human auditor looking for discrepancies and odd patterns, just as a human guard is used to check people in and out of a base instead of relying on barbed wire and key cards.

Finally, it is important not to let these threats get out of proportion. If I was a terrorist and wanted to bring down the national power grid I'd go for a few pounds of plastic attached to strategic pylons and transformers. Much more certain, and much longer lasting effects (aside, why did the IRA never realise this?). A defence system is only as strong as its weakest point, and that point is rarely a computer.

Paul.

Cyberterrorists...

Here's a hint that might help the American government a little in its fight against terrorists:

If there are any cyberterrorists out there, they already have cryptography!

On a more serious note, the article is definetly making a mistake in bunching together Cyber threats and CBRN. They are different (as rde wrote above) in all possible ways except in that they are a relatively new threat. IMHO cyber terrorism is mostly an excuse to harrass punks who deface webpages, while CBRN really worries me.

Also, the article looses a lot of credibility when it starts listing Bin Ladens use of email as examples of cyber-terrorism. My grandmother uses email for gods sake, it happens to be a good way to communicate.


-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Prevention

The best way to prevent CT is to have a good staff of administrators and a good set of tools. By far, the two most stable and secure operating systems are OpenBSD and OpenVMS. Use them. Also make sure your staff knows how to administrate them properly.

Also make sure you are always running with the most up to date patches for your software (not just the OS, but all of it). Read Bugtraq to find out what the latest problems are and follow through on the suggestions given for securing a system.

Don't get too proud. Just as soon as you think you've gotten the crackers beat, they'll find a new way in. Never let your guard down.

Disable non-estential services. If you do not need a service running, why do you have it on?
Remove any tools which could be used against you.

Don't be an easy target. Firewalls are good. Protect yourself at multiple levels.

Anyway, there are plenty of other ways to handle prevention, but I'll let others pick up the slack.

Cyber-warfare HOW-TO

First of all, the article reads as a half-backed introduction to CT and how it relates to other forms of terrorism and the history of related terrorist events in the past decade. Reads too much like a boring history report done by a college freshman... but, to anwer the questions...

Most of the questions are surprisingly elementary, but I'm sure this was done to bring out as many relevant pov's as possible :)

"Using CT, how easy or otherwise is it to bring down or attack vital systems?"
It is either easy or hard. The real question, how are the vital systems in question prepared to stand up to said attacks. Like a question on how well armored tanks can stand up to gunfire, it depends on which tank is in question.

"What sort of skills would be needed to do so, and are they common/teachable?"
They aren't common in the sense that Joe Blow knows how to hack into the pentagon, but they can definitely be teached. Though skill and talent are considerable factors, they aren't neccesary...

"Commercial-off-the-shelf software: can it really do CT?"
Like it says in question one, yes, but it depends on how well the targeted systems are prepared. And if they run NT, well....

"Which systems are actually attackable?"
If it exists, it can be attacked. Most vulnerable are those connected to mainstream communication systems such as the internet. Also, you must keep in mind that there are many different types of attacks availibale to your modern cyber-terrorists, including futile ones.

"Can a recovery be made from such attacks?"
Yes, and no. Data can always be backed up and restored on virtually any computer system. What is more dangerous is when terrorists defeat system security measures and retrieve privlidged data. There is no way to "steal it back".

"Is it likely to improve/get worse?"
Rhetorical question. As computer systems become more complex and the world keeps getting smaller, the more insecure that computer systems will become or at least seem to become...

Re:Hackneyed alarmism

Johan, the Jane's editor, agrees with you. That's why he's soliciting comments from Slashdot readers - and is going to write a whole new article based on them that'll run alongside the original clueless piece. This is a great exercise in showing the difference between "official" thinking (which generated the original story) and the "grass roots, hands on" style of thinking common among Slashdot readers (and authors and editors too, come to think of it).

- Robin "roblimo" Miller

You do not need a terrorist...

... to shut down vital parts of the computer infrastructure of a country. As we have seen, a backhoe is enough. Or a faulty software upgrade in a power grid or phone control point.

Also, what crackers (and cyberterrorists, if they actually exist) do is utilizing remotely exploitable bugs in current software. That is, they use tolsl and techniques which are roughly identical with normal debugging techniques, but apply them a bit more creatively. The creative application may have spectacular effects, but that does not change the fact that the basic techniques used are actually routine debugging techniques.

The bottom line is: As long as current production software is as bad and immature as it is, there is no cyberterrorism. Just applied stupidity.