Jane's Intelligence Review Needs Your Help With Cyberterrorism

Jane's Intelligence Review, a famous "in group" publication read by political, military and intelligence honchos the world over, has an article on Cyberterrorism scheduled to run in its next issue. But Jane's editor Johan J Ingles-le Nobel believes Slashdot readers may (ahem) actually know more about potential Cyberterrorism tactics than the article's author, and would like you to comment on his work - for publication. The article is up on a private preview page. Please read it, then post your comments. Johan will read them, here on Slashdot, and will select some of them for publication in Jane's alongside the original article. Before you post, please read a message from the Jane's editor (below).

These are the specific questions Jane's wants answered:

• Using CT, how easy or otherwise is it to bring down or attack vital systems?
• What sort of skills would be needed to do so, and are they common/teachable?
• Commercial-off-the-shelf software: can it really do CT?
• Which systems are actually attackable?
• Can a recovery be made from such attacks?
• Is it likely to improve/get worse?
• What sort of preventitive work would you recommend them to carry out?

For our part, we'll make an article based on your replies. Please try to give examples and evidence, keep it clean and stay objective - this is not a 'military-bashing' exercise. When we publish the article (17 November), if you'd like to be contactable on this issue use your real email address and we'll attribute your comments, otherwise use 'anonymous coward' .

Many thanks,
Johan J Ingles-le Nobel,
London, England.
johan.ingles@janes.co.uk

ISP's are weak points.

[richnut]

The biggest threat with cyber terrorism is not so much direct attacks, but as a tool to gather information on organisations for other purposes. If a cyberterrorist attacks an ISP succesfully they can gain access to many more networks belonging to the global customers, Manufacturing concerns, Government agencies, Lobbies, Financial institutions. The ISP is the passageway for all of its customers and a large reputable ISP can have direct access to all sorts of customer resources. Monitoring a central router an an ISP can be the ultimate wiretap. ISP's often have financial and personal data of customers warehoused for disaster recovery reasons, these resources are often stored on Internet connected machines.

Worse yet ISP's do not necessarily want to cooperate with officials. They do not want to be slammed with liabilities for their transmission of dangerous material. ISP's (last I checked) are not immune to this sort of legal attack like telcos are.

-Rich

Re:CBRN != Cyber

[jsm2]

In my opinion, the fundamental difference is that Cyber attacks are utterly unlike any other form of attack because they do not involve the delivery of large amounts of energy to the enemy (unless you would call EMP or HERF attacks "Cyber", which IMO would be wrong -- a HERF gun aimed at a computer terminal is really the same sort of thing as a grenade thrown at same.)

Cyber attacks, therefore, are aimed at the information, which is much less easy to destroy because of the possibility of making qualitatively and functionally identical copies. I'd divide cyber attacks into two species: "Destruction of information" (erasing) and "Corruption of information" (spoofing).

Erasing is very difficult to carry out because any system worth attacking is also worth backing up. I know that UK and US interbank transactions are backed up daily, with multiple remote backup tapes. Any Cyber attacker wanting to "destroy" the interbank market will cause the loss of at most one day's worth of transactions. Erasing attacks can be straigthforwardly guarded against through multiple, remote (in both geopgraphy and network topology) backups, taken at sufficient frequency that the maximum possible loss is bearable for the system (the "safe frequency"). Any system for which the safe frequency is too low for the backup defense to be practical (for example, a power grid) should be kept remote from networks; although this does not defend against attacks from insiders, network seclusion should allow the terminals of the vulnerable network to be physically guarded.

Spoofing is much more difficult to guard against. This kind of attack comes in two flavours; attempts to create phony records, or phony messages in a system (such as creating false bank accounts), or attempts to create phony instructions to the processing system, causing a failure of the system which is as bad as an erasing attack.

The easiest way to defend against non-destructive spoofing would be to use backups once more, and to operate a kind of "double-entry book-keeping" which traces every record to its creation and requires consistency between numerous (again, preferably topologically remote) sources. This multiplies the difficulty of a Cyber attack, as the attacker now has to break several systems instead of just one.

Destructive spoofing aimed at the processor rather than its records is a different matter. Causing the processor to execute phony instructions could allow the Cyber attacker to erase records, transmit phony messages and, potentially, to "cover its tracks" well enough to escape consistency checks. Of course, this kind of attack is more difficult than any other -- usually the only way to get another machine to execute rogue instructions is to exploit buffer overflows.

I have no particular suggestions for defense against the final kind of attack, except for the rather obvious advice not to create situtations in which buffer overflows can happen. The use of non-standard operating systems or instruction sets could, in principle, make it harder for an attacker to work out what to do with a buffer overflow once discovered, but to me, this seems too much like security through obscurity to be recommended.

I'd add that using the Internet as it is currently designed to communicate between members of a terrorist organisation would not be a good idea -- it goes against the "cell" concept which is known to be the best way to organise. Even messages on private bulletin boards carry enough information in the headers to allow substantial information about the whole network to be deduced for any security agency which can gain access to the routers.

Just some idle thoughts

jsm

Re:The expanse of CT

[blowdart]

A relatively unskilled cyberterrorist can crash a computer server that is responsible for anything from publishing content to the WWW to monitoring transactions on a bank network

Publishing content to the web is not exactly a crtical system, but I'd love to see your sources for the estimates on bank attacks. Having worked with banking infrastructure before I'd like to see some evidence here. I'm not saying you're a liar, but personally, I find that estimate highly doubtful.

Re:All systems are breachable

[jd]

*BING!* This is only true in part. Any REACHABLE system is breachable. If it cannot be reached, it cannot be breached.

(Unreachable does NOT equate to the scenario you outline, although that would be one way to arrange it. A network of computers, connected via the Internet, using a secure VPN, encrypted with a OTP of equal length to the data stream being transmitted, and per-packet authentication, where each computer was in a public facility but with shielding against radiation leakage or tampering, OTP encrypted non-standard file systems, digital certificate-verified passwords, and where all user applications were verified against security holes, would also be completely secure against attacks.)

To be 100% secure requires not -physical- isolation, but VIRTUAL isolation. It doesn't MATTER if a person can -reach- a machine, by a physical network, in person, or whatever, if they can do nothing with that machine, once they get there.

Physical security, alone, is like a brick wall. Good against casual attacks, but useless against a demolitions expert. Virtual security, on the other hand, is not dependent on the technology or knowledge of the opponent. If it's sound, it's sound against anything, because it's only dependent on it's own integrity, not on what's going on around it.

The military is notorious for thinking solely in terms of physical security, rather than virtual. That's why defences never last. They depend on their opponents, and their opponents are the last people the defenders should be thinking of relying on.

Good on CBRN but misses the point on Infowar.

[faisal]

I thought the article as a whole was fairly good in regards to coverage of CBRN / "weapons of mass destruction" attacks. Unfortunately, it melded Cyberwar (or "Infowar" as it is more commonly known in industry) into the description of CBRN attacks which caused it to miss the point.

Infowar is inherently different from other forms of attacks. As several others have pointed out, Infowar attacks aim to disrupt critical infrastructure by undermining the computational basis of that infrastructure, as opposed to conventional attacks which just blow up the infrastructure, or CBRN attacks which kill all the people in/near the infrastructure.

IMHO, this is not the critical difference, as all these forms of attacks focus on disrupting the infrastructure.

The real difference, then, is in delivery. Conventional weapons must be built at physical locations, then transported (by land, sea or air) and delivered (by hand delivery, shelling, missile, etc.) All of these operations take place in more or less the same fashion regardless of whether the end munitions are explosive, chemical, biological, radioactive, or what have you.

On the other hand, the munitions of Infowar are constructed on computer and delivered by computers, with no transport phase. A competent cracker can understand, create, and deliver an attack without leaving his bedroom. The parts he needs are the same computers and modems that you and I buy off the shelves and the same software development tools (to create the attacking software) that all software developers use.

This raises another issue, which is competence. So called "script kiddies" may be able to take out a public web site, but it takes a lot more knowledge and effort to bring down critical infrastructure pieces (communications networks, power networks, banking networks) that are not connected to public networks, have some experience being attacked, and have the money to pay for better defense.

A country cannot hire a 15 year old off the streets to go take out the credit card networks. On the other hand, they can find some very bright 15 year olds and give them computers and pay them to sit around for five years until the now 20 year olds have the experience to make such an attack. The problem here is that such a strategy would be very hard to notice - satellites and HUMINT will help find a chemical weapons manufacturing facility, but they won't tell you which 6 post-adolescents in a company of millions are browsing amazon.com, which are downloading pornography, and which are preparing to eliminate steal the pension plans of all the toll collectors in the state of New York.

This example highlights another problem: the sheer variety of targets. Information technology touches so much of modern post-industrial society that just about anything you can think of has some form of vulnerability. We cannot patch all those holes - we cannot even identify them. What is vital? What can we live without? How much do we have to defend? A power company can harden its systems all it wants, as can a bank, but if the connection between the two is vulnerable they both suffer, along with all of both their customers. Your security is only as good as your weakest link.

As to specific questions asked:

* Using CT, how easy or otherwise is it to bring down or attack vital systems?

It depends largely on the people involved and the systems involved. Various people claim to be able to knock out vital systems today. An NSA experiment found that a group of trained crackers were able to penetrate the Pacific Fleet's infrastructure within a matter of weeks, without detection.

* What sort of skills would be needed to do so, and are they common/teachable?

For simple attacks against undetected targets on public nets, the skills necessary would be mostly social, and would involve getting access to pre-packaged attack software and using it. These skills can be learned online with very little effort.

For more complex attacks the attacker will need to be proficient in computer programming, computer system designs, and will need to spend time understanding the mechanisms and vulnerabilities in the target system. The attacker will need motivation, intelligence, intellectual curiosity, and will need to be comfortable with computers. The specific skills related to attacking (beyond knowing how to program, etc.) can be learned in months, with the techniques for any given attack needing to be developed on a case-by-case basis.

* Commercial-off-the-shelf software: can it really do CT?

To the best of my knowledge there is no COTS software that is designed for system attacks. However, there are many pieces of software available on the Internet that are used for such attacks, both as detection devices (a security tool that finds holes in your system can also be used against you) and as attack devices (programs which exploit specific features of known systems to attack the system, e.g. the notorious AOHell program for gaining free access to AOL).

* Which systems are actually attackable?

Any and all. There is no such thing as a completely secure system (or if there is, no one I know has ever seen it), only progressively more difficult systems. For modern Infowar the primary concern will be for systems that have some form of outside network access from which they can be attacked (e.g. anything on the Internet). Most intelligence agencies have "physically secure" networks, which indicates that they are never connected to other networks (such as the Internet). Someone attacking the NSA networks would have to actually enter an NSA facility to gain access to one of these networks.

* Can a recovery be made from such attacks?

It depends on the attack. If the attack intends to merely disrupt the quality of information (e.g. corrupt a target database to produce unreliable output) the system can generally be brought back from backup. If the attack triggers a event (such as launching a nuclear missile), recovery means reaction to the event rather than resetting the system to the status-quo ante.

* Is it likely to improve/get worse?

It is likely to get worse and worse and worse as the number of computers in the world continues to increase. It will probably get dramatically better at some point as people finally become security conscious, then continue getting worse again.

* What sort of preventative work would you recommend them to carry out?

The best preventative work will involve security audits for critical systems, improved security measures for those systems, and training and protocol. Some examples of better techniques include:
better training for personnel dealing with computers. 80% of attacks are facilitated by poor security policies at the attacked organization.
ubiquitously available public-key encryption. public-key encryption brings two forms of security: secured transport of information, and authentication of the transmitting parties.

Some quick comments

[Mock]

A well rounded article for the most part.
Some comments:


On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CB/Cyber attacks much more feasible to launch than hitherto.

These documents (called anarchy philes for the uninitiate) have been around as long as the modem.
I remember first encountering them in 1989, and even then they had been around for ages. It wasn't until the "Information Revolution" that the media finally clued in to the existance of documents such as the Jolly Rogers Cookbook and the Terrorist's Handbook (the better known of many more documents) and started scaring the public with them. About the best you'd get from these documents are a few stupid pranks from the average idiot. Attempting to control these documents will have no effect whatsoever on any organized force of terrorists.

To launch a cyber attack, a terrorist group could purchase relatively inexpensive commercial-off-the-shelf (COTS) software and hardware, with some weapons of mass disruption software available on hacker bulletin boards and Web sites.

The "weapons of mass destruction software" available online is script kiddie material.
It's like using a handgun. You might be able to kill a soldier, but not a tank.

Most cracking that could do any real damage requires a highly skilled cracker at the wheel. Most skilled crackers make their own tools, and, like any profession, would NEVER release their best tools to anyone.


Always remember: The best protection from cyber attack is not to have the system hooked up to anything external.

Re:Misc nitpicks.

[jmarkham]

It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.

Many modern control systems *DO* have a remote access capability. This allows engineers to log in remotely to troubleshoot problems.

Some of these control systems are based on Unix variants such as Solaris. Unfortunately, they are often administered by people that are completely unfamiliar with Unix and network security. At least one vendor that I know of asks that you do NOT change the root password on their system so that their support people can dial in and run system tests occasionally as part of their service contract!

Re:CBRN != Cyber

[Garth Vader]

What is the reason for lumping together the two types of attacks?

I would think it's because they are both terrorist style attacks. Attacks that have the ability to effect a great many people or to great harm to a target, but that can be launched by a small enough organization that no deterrant (ie MAD) would be effective.

CT

[Trousersnake]

Using CT, how easy or otherwise is it to bring down or attack vital
systems?
Any teeny could do this to a improperly implemented system. Some systems are inherantly easier then others.
What sort of skills would be needed to do so, and are they
common/teachable?
Many systems can be "attacked" in one way or another by downloading pre-existing software.

Commercial-off-the-shelf software: can it really do CT?
Some can, yes.Procomm plus could be used to work around call back security.
Which systems are actually attackable?
Anything someone can get access to. Meaning if it is possible for someone to access your system offsite for legit reasons then someone can do it for CT.
Can a recovery be made from such attacks?
Assuming PROPER backup proceders are in place and used then yes. Mission critical apps should have a secure redundency system. Meaning a system that is up-todate but NOT accessible, except onsite.
Is it likely to improve/get worse?
Hard to say, on one hand computers are getting more powerfull, but on the other hand system people are now taking security seriously.
What sort of preventitive work would you recommend them to carry
out?
A sysadmin should always budget some of his/her time to attempt to break their own security by keeping up to date in whats going on in "the underground" in regards to their hardware, and
software.Then trying to implement it against their own system.Carefully.

Personally I believe that anyone who wants true security should have COMPLETE source code control.
If yhou want to do business with a vendor, then they need to give you source code, if the Software is totally in-house then you need a team to double check it. And if you want to really test the system, set a test system up and offer rewards to whom ever can crack it. Greed can work for you as well as against.
As with ALL types of security, it's a balance between how convienant and how secure.

CT 101: How to think like a cyber-terrorist

[Orsmo]

Ok, lets step back for a moment and think about this. 90% of this article is bunk because it fails to slip into the mind of the cyber-terrorist. Let's try to take a little trip into that mindset:

Let's imagine that you are an intelligent, well educated sympathizer with a cause in direct opposition to the aims of your intended CT victim. Note first how general I'm trying to be here. I'm not assuming that you are even attacking a government agency. Perhaps you are a religous zealot that wants to attack the Hollywood entertainment machine because of all the (as you see it) amoral filth it produces each year. It makes no difference to the mode of attack, or the general feel of what your mindest is.

You want to hurt them; show them your right; show themy they're wrong; make them change. So what do you do? Go on a shooting spree? Blow up a movie lot? Poison all the drinking water in southern California? No. You're too squeamish for all that. You don't want to get too close to death and destruction. You want to live to fight another day yourself too. No good getting caught, is it?

But then you see the way... You're good with computers and communications systems, you know electronics, you know networking, and you know how to find out all the particulars of any infrastructural technical system that they could possibly use.

You take your time learning everything you can. You are methodical and keep to yourself most of the time. You don't need an organization, you just need yourself. You can pull it all off yourself and you don't have to get caught.

A little social engineering and you have access to information about what computer systems they use, what communications systems are in place, what trash they throw in the dumpsters. Soon you develop a plan to strike, and you do it with no fanfare. Next thing you know it's Friday night and the latest Tom Cruise/Nicole Kiddman flick pops on three thousand screens accross America and the opening credits have been replaced with an offer to have the Book of Mormon shipped direct, at no cost, to all the viewers. Guess the film's distributor should have secured the email server better... maybe then you wouldn't have been able to forge the request from the CEO that the footage be replaced at the last minute and that the celluloid be shipped to the theaters immediately, without the need for internal review.

Seriously though... My point is that it takes only one person for CT. Anyone with a bone to pick and the time and determination can do it. Most of the time they'll be smart enough to not get caught. All that will be found to track them is the 'AOL coaster' account they used and the number of the pay phone in Salt Lake City they dialed from.

* Note: Please forgive me if you are Mormon, a religious zealot, work for a film distributor, or are a really sexy hollywood bombshell. I like movies, really and some of my best friends are religious zealots. No disrespect intended.

-- Begin thoughtfuly, end insensitively.

Re:All systems are breachable

[Trousersnake]

If a wire carring vital information exits a secure building, REGAURDLESS of encryption CT can occur. ala Wire cutters.

Re:CBRN != Cyber

[HeraldMage]

One of the problems I've noted with the article as I've read it so far is the fact that, throughout much of the article, it talks in terms of "CBRN/cyber" as a single form of attack/device. But the article DOES make a differentiation in "External Hurdles", where the author finally states that "there is a clear distiction between CBRN weapons and cyber devices." Unfortunately, the author continues on the analysis about CBRN weapons, but never explains what that distinction is.

All in all, it seems to me that the idea of "cyber" devices for terrorism was added to the article as an afterthought, and that the analyst was either not knowledgeable or not skilled in incorporating the links between the two types of terrorism.

A more detailed response pending as I do some more reading, and have re-read the article a couple of times.

In the meantime, the article also uses "Thus" waaay too much. Thus this and thus that, and thus, the article sounds way too "rough" to be ready for publication.

Re:CBRN != Cyber

[MindStalker]

Phone rings. "I'm Bob in IT support. I'm having trouble with the modem bank. Can you check the modem to make sure it's turned on? Also, can I have the number to make sure I'm using the right one?" Of course, being the deligent and helpful worker that he/she is, they are happy to help. Just got finished watching "Hackers"?? HEHE jk Accually your senerio can and does happen, just for some reason couldn't quite get the scene out of hackers out of my mind while reading your comment. I'm not insulting, just chuckling:) (or the sushi I just ain't could be talking.. who knows)

Using C3I attacks to suplement a CBRN arsenal

[caezar]

Previous comments in this thread have concentrated on the article author's mistake of adding C3I attacks into CBRN arsenals, as they are fundamentally different. Assuming that the author intended to show what traditional CBRN threats might do in the future, however, leads me to believe that he has a valid point.

If I were a global terrorist in the early 21st century, I would pay a lot of attention to the rampant insecurity of COTS installations at most web sites and ISPs. I would select my intended casualty audience and determine which type of damage (theft, threats, service outages, etc) would best terrorize that population. Then I would make a dynamic map of the C3I needs of that population, extended to include power, and find the most cost effective attack points. Perhaps that means exploiting poor RIP/BGP protocol interactions at the MAE level to disrupt North American Internet traffic during a televised protest, bombing Pamplona's power grid, or jamming AT&T switching equipment on Mother's Day.

The point is that a few Evil Geeks could do some really bad things to internet service if they were reasonably motivated and had attended the right party at DefCon. It seems likely that a terrorist organization willing to unleash Sarin on innocents would be quite interested in causing those bad things to happen.

Caezar

caezar@flashmail.com

Answers to your questions

[Drachs]

>>Using CT, how easy or otherwise is it to bring down or attack vital systems?

Well protected, properly firewalled systems are extremely difficult to break, but government networks are notoriously easy to break. This is partially because their networks are admined by full time military personnel and contractors. The wages the government pays admins are ridiculously low for network admins and thus attract people who just don't have what it takes. From what I've been told, it's extremely unusual for a full time Unix contractor to make more than 45,000 a year in a government job. When working as a contractor for the military it's very usual to find sprawling networks of boxes that haven't been patched since they where put in. Often the security of these boxes is based on strange network topologies that the designers assumed (wrongly) would make them unreachable from the outside. It's amazing to me, but a friend of mine actually worked at a DISA facility where the head Unix admin didn't know how to patch the kernel on their HP-UX boxes.

>> What sort of skills would be needed to do so, and are they common/teachable?

Most exploits now-a-days are packaged in easy to use scripts than can be used by any one who can read English. Minor damage can be caused by any 12 year old who understands what an IP address is. A reasonably experienced Unix admin can use these scripts to slowly leverage as much power as he needs in an improperly secured network. www.rootshell.com has everything a person needs to break into a network as soft as a standard military system. And if the system you want to crack isn't vulnerable right now, all you have to do is wait, somebody will find a bug eventually.

The problem with these scripts is that once they become known it usually only takes a few weeks to a month for a commercial vendor to create a patch to protect the target from them. However, in practice, most patches don't get applied in a timely manner. Especially in a government network where low profile machines assumed to be unreachable from the outside may simply go un-patched.

>> Commercial-off-the-shelf software: can it really do CT?

Reading the Bugtrack list and keeping an eye on sites like www.rootshell.com and http://packetstorm.securify.com/index.shtml are much more effective than any commercial software I've seen. The problem with commercial CT utilities is that they don't have much of a market and by the time you get them on the shelves the bugs they exploit are too rare to be worth buying the software for. Good packet sniffers/port scanners/spoofers are very useful in the general case if you are reasonably adept. These can be bought commercial, but I prefer to get mine from ftp:\\sunsite.unc.edu.

>> Which systems are actually attachable?

All systems will have windows of opportunity. Open source systems have smaller windows because they have faster patch times and fewer bugs. Custom programs have the largest windows of opportunities because they are unlikely to ever get fixed.

>> Can a recovery be made from such attacks?

Complete backups and a rehearsed recovery plan can fix nearly anything I've ever seen unless the attacker has been insidiously poisoning your databases for months (Which is in my opinion the most detrimental type of attack, and also the least likely to be noticed).

>> Is it likely to improve/get worse?

Software and os's are becoming much more complex, feature rich, and flexible which dramatically increases the opportunity for attack. Example: Windows 98 had about 11 million lines of code, Windows 2000 I hear has upwards of 40 million lines. Complexity breads bugs, and flexibility allows attackers to use your systems in ways you never imagined possible.


>> What sort of preventative work would you recommend them to carry out?

1. Hire well paid and intelligent admins with a network penetration background.
2. Have at least one person who's whole job is properly configuring firewalls, another whose is maintaining patch levels.
3. If any of the people in the above teams of people ever have less than a few hours a work day to read web pages then double the size of the teams.
4. Routinely audit the security of every computer and system.
5. Never assume a machine can't be reached from the outside.

I would enjoy fielding any questions you or your readers may have. Contact me if you would like any clarifications. Please forgive my english, I'm an admin, not a writer.

Terrorism/damage for profit

[rlglende]

Poor article in many dimensions.

Jane's article has a statist slant -- one gov against another or individuals against a gov.

Suppose I just want to make a lot of $ with little work. There are lots of ways to profit from advance knowledge of all sorts of damage to infrastructure, civilian factories, ...

No need to reiterate the possibilities, but any engineer worth their salt looks with distain upon such feeble attempts as the World Trade Center bombing, ... Not much damage for a hell of a lot of effort and risk (easy to do better in all dimensions simultaneously), no real damage to the US as an institution or economy, no profit to finance anything else.

Integrated strategy is required 8).


(BTW: Our very own FBI did the WTC bombing via its agent provacateur, Emad Salem. Read the NYT for 19 Oct, 1993, I believe. Salem taped his FBI handlers, and the transcripts were put into the trial records. The FBI's payments of $1M to Salem paid for the bomb, ... Salem proposed substituting inert powder for the ammonium nitrate, FBI nixed it. Salem kept them informed of all plans, including when they were to set the bomb off. Salem was on the scene when the bomb went off. Bomb went off with full afore-knowledge of the FBI.)

Gov terrorism aside, it is pretty scary to think about such efforts getting loose -- some SciFi postulates corporate-scale wars.

We are, as a civilization, balanced on a high needle of technology. Doesn't take much of a jolt to kick it over and plunge us back to, at least, a lot lower standard of living.

Lew Glendenning

CT

[Lord_Rion]

Using CT, how easy or otherwise is it to bring own or attack vital systems?

Define a vital system. If you define a vital system as a hospital, bank, telephone (911), police and C3I, there are much easier and more effective ways then using computers. In most cases the "critical systems" within these orginizations are isolated and have few external components. Sure you can crash the St. Lukes web page, but I doubt it would be nearly that simple to get patient data. That being said, if you can get enough information about how the place, company, or group, operates and does business you can usualy find a way in. Once in you can work on editing, deleteing or destroying data and/or systems. All that being said, I think there are easier ways to disable vital systems, blow up a church will clog up a large number of services, or destroying a power station, relay station, or transmission lines will cut out large amounts of power to an area and are hardly ever guarded or monitored. No skills needed for those.

What sort of skills would be needed to do so, and are they common/teachable?

They aren't common skills, and I'm not sure if they can be taught. To hack/crack you have to have that kind of mind set. You have to be able to think of a problem and then logicaly break it down into steps, or sub problems, and attack those pieces. You often have to be a bit rebelious, and try and do those things which they say can't be done.

Commercial-off-the-shelf software: can it really do CT?

If you consider DoS attacks as CT, sure in some cases.. but mostly no. There is no Commerical off the shelf (CoS) CT kit. Usualy the vital systems are one offs or specialized enough that the vast majority of the people out there won't have seen them, or their design.

Which systems are actually attackable?

Once again, I don't know what you mean by vital systems. Military levl C3I is usually pretty anal about security, so I would say it's not easily attackable from the outside. Most civilian vital systems are fairly vunerable in that they have more access points and fewer physical safeguards. However, anything is attackable from the inside.

Can a recovery be made from such attacks?

Depends on the attack. I've written programs to replace dump and tar that corrupt one random byte in a random amount of data so that even though the backups look good the data is bad. And there is no way of telling unless you recover the whole tape and find the one or two data files that have changed and go threw them with a microscope. Now imagine the problems if someone had 10 weeks of backups each with different bits of bad data and the system got totaly flushed, there would be no way to know which data was good and which wasn't. SO to make a long story short, if done properly, and if they know enough about the system they are attacking, you may not be able to recover from it.

Is it likely to improve/get worse?

As the people who make the decisions get more out of touch with the actualy technology and skill sets of the job the worse it will get.

What sort of preventitive work would you recommend them to carry out?

Train people in security. Have someone on site who's job is security. Make them responsible for any "issues" that come up in regards to security. Force them to notify the decsion makers if there is a breach, or suspected breach. Then give them the budget to make it happen. Not cheap, not quick, but it will work.

Lord_Rion

And while Johan does that...

[tilly]

Or whoever Jane has do that...

The key to a lot of cracking attempts lies in getting specific information. Names of key servers. Names of people who have user accounts. Passwords. Descriptions of security provisions. That kind of thing.

Much of this is easiest to get on the phone. The same techniques that a real journalist uses to get at information that is not public knowledge, is the information that crackers use to break into systems. So stop and think about whether you manged to (or could have) obtain information that would help you break into the system. Said information can be as innocuous as knowing who the employees are, personal tidbits about current employees, that sort of thing.

Don't believe me? Well a common technique is to call someone up, pretending to be another employee. Pretending to be a real person that they person on the line is likely to have heard of is more likely to get you in. For instance you could call up and say, "Hey, this is Greg Watson over in accounting. I am looking for Bill Smith. Do you know where he is? ... He just quit? Shoot. I was hoping he could get something for me ..."

See? By knowing the name of someone who just left, someone who is still there, and someone in another department, you have an excellent chance of getting information that you should not have.

As for security, no, not all systems can be easily broken. Of course there are some people who if they want in, will get in. You have to expect that. But most of what you have to worry about are common yet easily exploitable holes. For instance a lot of companies trust Microsoft's VPN implementation. In fact it is about as secure as swiss cheese and cracks are fairly readily available.

As long as easy targets are readily available in large numbers, I would be more worried about terrorist attacks on them than I would about anything else. (Attacks against information sources can be very profitable as well. Infilterate a VPN. Sell the information to someone else...)

Cheers,
Ben

Prevention...

[mackga]

Well, the thing is most companies and some govt agencies don't really think about secuirty until theirs has been compromised.

That said, ANY company or govt agency with sensitive data needs to have regular security audits. Tiger teams from bonded intrusion testing companies come to mind; four times a year is not a bad schedule. This costs money, but so does loss/corruption/theft of data. Make sure you admins are keeping up with security issues for the OS(es) that's being run on your sensitive server(s).

Also, internal security is often overlooked. If you run a company that uses internet access, and you have sensitive data, strictly limit internal users' access to the big bad net. Firewalls and NAT are a good start. Use anti-virus scanners on your email server. Keep access to internal servers at a minimum. Use internal firewalls to protect sensitive departments.

Well, just some basic suggestions.

skills needed, difficulty, random thoughts

[db48x]

It has been my experience that the skills needed to successfully conduct CT are quite teachable, given that the person whishing to learn the nessecary skills is motivated, has a minimum profiency with computers and network technology in general, and has access to the information required. There is also the additional requirement that they posses the correct hardware.

Motivation doesn't seem to be much of a problem with most terrorist groups, unfortunatly.

Contrary to popular belief, it does not take a genius to hack into a system. The genious factor only determines how quickly he is caught. However, at a minimum, a hacker must be able to think cleverly and be somewhat devious in order to be a successful hacker. Someone who can only follow the instructions of others won't be able to come up with a new solution when he encounters something new. It should also present an aspect of fun for the hacker. (Is a terrorist allowed to have fun? Does this make their crimes more heinous?) However, I think that this is fairly widespread knowledge.

In order to become a proficient hacker, you also need access to information about the inner workings of the systems you are attacking. A lot of this information can be found on the web, but nothing beats having a good Perl book or the users guide to the operating system by your side, in print. This is an area where a foriegn terrorist group may have trouble. Can they get the information they need? It is almost impossible to pay cash at an online bookstore, and many books are not available from your corner bookstore. I suppose it is again just a matter of motivation - these books can be purchased, you might just have to jump some hoops to get them.

As for hardware, this is relatively easy to get, because you can run Linux on nearly anything these days. The real problem is connectivity. In order to successfully mount an attack, your machine has to be physically connected to your victim's machine (obvoiusly). I really dont know how good connectivity is in most areas in the world (how easy is it to get connected to the net in Uzbekistan anyone?), but it seems that in many parts of the world, it might approach near impossibility. However, state sponsership could very easily ease this. The only other option is to actually base your operation in a country like the US where you can get connected for cheap. The only problem with this is that it may be a bit more difficult to remain anonymous.

So, to sum it up, yes, any decent, hardworking terrorist group can set up a CT "department" and succesfully attack virtualy anthing they want.

I'm not sure how help full this will be, because all it really amounts to are my random thoughts on the issue while doing a little "work" in the campus computer lab. If you are going to quote me, at least fix my spelling.

Daniel Brooks - db48x@yahoo.com

My Detailed Analysis

[Shanoyu]

Sorry janes, I really wanted to just run thru this after I saw it because it's kind of.. well, bleh, I apologise for the grammar but if i'd had more time I would have written you a shorter letter, as mark twain would say.

The article is really grasping at straws. The problem with the article is that it assumes so many things and points out the obvious far too often to be of any use. Obviously if you damage a country or groups telecommunications they will have a harder time using that network to communicate.

As for using IRC and email, it's alot harder for governments to regulate and sort thru and de-encrypt (where applicable) or even know exist to detect plots brewing, this is diffrent from if they used the telephone which is easily wire-tapped, an ISP could be asked to hold over email but with the proliferation of things like hot mail, the fact that everyone and their brother has eighty or ninety email accounts, and the fact that it's really just impossible to deal with everyone who takes out their agressions online where their speech isn't restricted, so yes, email and IRC and chatrooms are used, but quite sparingly, and quite frankly I see "plotters" on various IRC networks all the time, although usually they are semi-retarded white-supremists in the age group of 15-25 who really, well, they aren't that bright.

On breaking into websites and changing what they say, politically this has little or no effect. I think personally each american might look at a government website once a month, and I don't think any american reads *.gov to learn about political agenda, well not yet although that is what the people over here at /. would love to see. The problem is that most people don't give a crap about politics edgewise, so changing a website to push the agenda oppsite to what the website would normally be saying would be the equivilant of someone putting down a woopie cushion where the UN Secretary General sat, good for a laugh, nothing else.

One part of the article I enjoyed was the political factors that motivate terrorist groups to cause violence. This is very informative and useful.

The article, however, suffers from one tragic flaw that appears to affect many, many articles on the same subject have. It assumes the false truth that all computers on a network are automatically linked to a network. If you do this and a cracker (note the use of the term Cracker, and not hacker. I'm stuck up.) destroys your stock market they will need to have done a few things.

They will need access to the network; this is not a problem if the network is linked to the internet, but most networks are intranets simply because there is no logical pourpose for linking the network to the internet. Governments who do this most tragic error will fall to darwin's theory of natural selection when someone gets lucky. If you have a missle base, and someone who is say on vacation needs to shoot the missile in a pinch because of political actions, then they should have to fly back and do it that way, OR they should have to dial straight into the system via long distance with a protected and undisclosed number that changes often and is only enabled when people who need to get in in a pinch are away from the base. And of course they'd still have to log-in with a funny looking username and password. This is my solution for the problem, there are probaly a thousand others, just about all of them will prevent catastrophe from all but the BEST terrorist organisations.

The best terrorist organisations will capitalise on any oppourtunity given and the fact that they have access to the internet has absoloutely nothing to do with it, except for the intresting recuiting procedures via the internet, which is of course dangerous because if you put up a big sign that says RECUITING TERRORISTS everyone comes to the party just to take a peek.

I think the reason why you haven't seen many extremely tragic cases where people were killed by 'cyberwarfare' is because as terrorists learn about the very intresting buzzword they realise there is essentially jack they can do. I once read a story about a group of terrorists who inflitrated a place where traffic was controlled, the terrorists learned about the program controlling it and almost killed a state offical. However this is fantasy.

You see this is perhaps every networks greatest defense that runs a specific operation. When the software is developed in house, (usually because there is no market for selling such software, like for instance software to drive traffic lights.) you would need to figure out how the program worked how to cause the most havoc (or in a 'surgical' strike, how to kill the one person you want to kill.), when this relates to something so mathematically complex as a series of traffic lights as it relates to one mans path relative to his speed and make a four way stop go all green, sure, it's possible, but only if you already have operatives inside the operation, you can't just run in, learn about the program and the laws behind what it does on the fly and cause havoc. You don't have that much time, unless of course you're an operative inside the operation, in which case i'd find getting the operative in much more impressive than 'cyber terrorism'

I think the more terrorist groups research computer science and cyber warfare the less of it we will see, well, we wont see much that is JUST cyber terrorism, When you put a master of geography and navagation, a physicist, and someone who understands nuclear missles, all with computer science knowledge and knowledge of the system, you've got one frigging scary scenario, But quite frankly, it's not cyber-terrorism, knowledge of computer science just comes with the biz. People who run the things normally have to understand whats going on just to maintain it, people who want to cause havoc REALLY have to understand it.

In conclusion, I think the article needs a major revision, The guy really knows what hes talking about when it comes to politics and thats obviously his forte, but I don't think he knows what hes getting into when he says 'cyber terrorism', it's a remarkably boring (and on it's own, useless) thing.


-[ World domination - rains.net ]-

Re:Misc nitpicks.

[dufke]

>Consider adding the motive 'fear-mongering'

terrorism - thats what the word means!

-

Re:CBRN != Cyber

[Anonymous Coward]

Attacks involving cyberwarfare are much easier to carry out than your typical CBRN attack. Depending on the security of the target, an untrained attacker using an exploit found on http://www.rootshell.com can bring down critical servers. I don't believe it is quite that easy to design/construct/use a chemical, biological, or nuclear weapon. On a well implemented system, however, it can be much harder to disrupt with cyberwarfare than with more conventional means of mass destruction. The knowledge required to put forth such cyberattacks is not very common. Anyone can run a script and exploit a fresh Windows NT Web Server, but disrupting a service, especially a non-networked service, is not in the grasp of your average computer user. As far as off-the-shelf software, ummnn... No. There is no magical software which can bring an entire country's infrastructure to it's knees (other than stock Windows ;P). I personally don't know of many attackable systems, but I would generally think it would be systems that have become more computer controlled than not. Power grids, possibly, but unlikely... I have my doubts that anyone can shut down an entire power grid without using some form of non-cyber attack. Telecommunications seems it would be succeptable to a well developed cyber attack. Recovery from such an attack would most likely be quick for a majority, and long lasting for the remaining minority. The problem with cyberterrorism will definitely get worse before it gets better. There are some pretty big information gaps between the well informed "Wizard" of technology, and John Q. Public. I understand that most of the world's infrastructures are not run by total bafoons, but most of them are just normal people with normal jobs who know very little about how the system they work on *REALLY* works. The only thing that can really be done preventatively, is to assess security with a realistic standpoint. Security is more a set of compromises than a true 100% solution. Nothing can be truly secure if it is computerized. Instead, we use the best possible security which still allows the system to function (things can be *too* secure). Many sites may need to reassess their security policies, since many security policies are quite old. This, along with more technical training for John Q. Public (this'll be a while) will help to ensure that cyberterrorism's threat is more limited, since it will never go away. FeeDBaCK

Interesting, but off target.

[Kintanon]

This article seems to be more about using current and future technology to assist in conventional terrorism and warfare than using the technology itself as a weapon. The article focused primarily on the use of the internet as a communication/propoganda medium for terrorists when you can just as easily insert the word 'Telephone' for every instance of 'internet' with almost identical results.

If you want to write about 'Cyberwarfare' then the article should focus more on the abilities and technology needed to bring down the computer based infrastructure of a country. A few hundred script kiddies turned loose with the latest hardware and software could probably cripple most governments simply by destroying the ability to communicate through any means other than Shortwave radio. Given enough knowledge of an opposing system it would seem that a determined group of crackers could knock out Telephone, Electrical, Water, and Gas as most of those are now computerised and the computers are sitting on a network with an access point on the internet somewhere. Many times these systems seem secure and unbreakable, but that is only because no one has yet made a concerted effort to take one down.
As I was saying, this article should focus more on the actual Computer Warfare aspect as opposed to the Conventional Warfare with the aid of computers line that it currently follows.

Kintanon

Cyberwarfare may be fact

[skelly]

The threat of cyber-terrorism is a growing concern for many western governments. I do agree with Johan J. Ingles-le Nobel that it can become a very new method of attack and attention gathering for terrorist groups. Fortunately most groups of terrorists have resorted to conventional methods of operation (physical violence, intimidation). The very nature of using computers to create havoc upon the military or social infrastructure of western nations has and will in the future require large amouts of capital and technical expertise. The only groups with that sort of financial and technological resources are governments and corporations. Terrorist hardly ever have the skills, expertise, or resources to cause massive amounts of damage. They rely on fear and the the intimidation created by press coverage and government crack down.
Historically, very few terrorist organizations have ever overthrown a government or colonial authority. In every case it has taken the backing of another world power or the withdrawl of colonial authority due to morale collapse to facilitate a victory. The American revolution, Sandinista revolution, the Banana Republics of South and Central America were all due to outside financial or political intersts. In Africa and Asia, most former colonies that had insurrection were only "victorious" due to the withdrawl of occupying forces and the collapse of morale. After World War II, it was the loss of status as world powers and the collapse of Europe that allowed the so called success of terrorist and revolutionary movements in colonies.
However in the close of the 20th century, most governments can rest assured that no terrorist group will be able to overthrow the governemt. The only aim of these groups is to create fear so that goverment reprisals will make these regimes unpopular. The underlying fanaticism of these groups is not very strong either. The smarter terrorist organizations uses the poor, religeous, or politically fanatical as martyrs. All decision making is accomplished by secular not religeous people. Look back at recent history to the Middle East and South East Asia. All of the martyrs or dead from those issurrections were among the poor and uneducated. The losses by organizations like the Viet Cong and Hama/Hizbullah were spectacular. Yet these groups kept going. This requires outside political and ecomomic support. The Viet Cong collapsed in the mid 1960's. North Vietnam had to take over and prevent its losing to South Vietnam. By the time of the Tet offensive, all officer and non commisioned officer roles in the Viet cong had been replaced by army regulars.

The cyberwarfare and cyber-terrorism of the coming years will not be any different. The computers and other communications hardware have gotten faster, better, and inexpensive, but are still out of reach to most terrorists. It would take tremendous financial backing by a state or corporate entity to euip this kind of ware. It would be cheaper and more cost effective in personnel to recruit the lower classes as martyrs in conventional terror campaigns than to invest in trying to crack the Pentagon.

It would be prudent for intelligence and police authorities to take safegaurds against this kind of attack. However, the loss of civil liberties or privacy through laws meant to combat this threat would only serve the terrorists intersts of a frightened asd disgruntled public. Another threat is from the governments themselves. It has already been revealed that the CIA/Defense Department used to inflate the military capabilities of the Soviet Union to justify their own budgets. The CIA's budget is still classified. It has also been revealed that the NSA listens to private telephone conversations on the average citizen--Echelon.

I think that great care must be taken to see that goverment does not overstep its bounds and forgert that it is governemt of the people, for the people, and by the people. I do not want me government making me feel like a criminal.

Of course there is a remote "stop burn"

[afniv]

* It would depend upon the vital system, of course. It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.

Don't forget though, if all it takes to "throw water on the fire" is a simple text e-mail message signed "Management" asking to shut down the plant, this is a concern. Either the procedure needs to be changed or have secure/reliable communications which can be compromised. In this case any system can have a remote stop burn option.

Anywhere people rely on computers, cyber-terrorism can be a concern. It doesn't have to be completely electronic.

~afniv
"Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"

Dependance Re:Just unplug the computers

[Pseudonymus Bosch]

But we are starting to depend on highly unreliably systems.

What if you use a Hotmail or other free account to receive "important mail"?

What if a page showing say stock quotes or temperatures is altered? Maybe not you and me but there are people who are leaving some decissions to systems this unreliable.

Not life or death (by now).
--

Solution to terrorism

[rlglende]

Don't annoy anyone.

Requires limited gov.

Switzerland doesn't have a terrorism problem.

Lew

Motivation and Uses for CT

[James McP]

I apologize for the length of this post in advance.
My military friends call me "the builder of targets" since I'm a civil engineer who does computer work. I have the mindset that everything I do has the distinct possibility of coming under attack and I wish it was a mindset more programmers had.

First: The word "cyber" does not mean what you think. Please have CT mean "Computer Terrorism." Second, a hacker "hacks" code and makes software. A cracker "cracks" security.

The writer does document the type of resources for CNBR but leaves CT out. Let's document the publicly successful crackers' profile and resources:

• White male, teens to twenties with borderline obsessive-compulsive traits.
• Computer of sufficient horsepower (@ $5,000 US. Assume system is useful for 1-2 years)
• Network connection (varies, @ $30/month)
• Basic necessities of life (food, caffiene, shelter) (varies, but about $500/month per person)
• Time.

Cost to a terrorist group for having and equipping self-motivated crackers is on par with that of arming and supporting any other agent. Training could be an issue, but most crackers are largely self-taught. The difficulty is in finding someone with the correct mindset.

CT is not very appealing to many extremist cults. Damage to human life caused by crackers tends to be low and not incredibly flashy (few fireballs or destroyed buildings). Rather, CT is a tool used by forces who target infrastructure: power grids, airports, communications systems. It harasses an entire populace with a low chance of creating martyrs. This is extremely advantageous to native terrorist groups (a.k.a. rebels) who wish to limit the loss of human life.

It is also a counter/intelligence tool. By co-opting something as basic as email a large amount of information can be intercepted. Further, that data can be corrupted and/or altered. Depending on the subtlety of the data damage, it may take long periods of time before it is caught, making restoration of "pristine" data difficult. A simple example would be modifying satellite images on a file server to conceal enemy forces.

Finally, CT can be a source of funding or resources. Many convicted crackers used their skills at some time to purchase items via mail-order, eliminate bills, or steal credit card numbers. This can turn CT from a costly venture to a financial asset used to fund their more conventional terroristic endeavors.

As to the specific questions:

1. Dependent on target system, as always. Some systems, like Microsoft operating systems, were "retrofitted" with security. Naturally they cannot compare to systems with security designed in.
   In certain cases a system can be disabled temporarily with great ease, however most attacks are transitory and should be repairable in 24-48 hours.
2. The skills are common and widespread. Further, weaknesses in systems are widely disseminated to notify people of their vulnerabilities. Slow administrators leave themselves at risk if they do not implement patches.
3. Yes, but it's affect will vary from an annoyance to catastrophic failure.
4. All systems with an active network connection. Even if the software is set to reject all requests, a classic "ping flood" of requests can take so much processor power that the machine ceases to be functional.
5. Typically yes, but some very, very rare attacks can damage hardware; typically drive arrays. This can dramatically slow recovery.
   Second, a long-term program of CT could implement an exploit that waits for weeks or months before being used, meaning that most backups would possess the vulnerability.
6. Both. Well managed systems will become harder to attack but there will be more and more systems available to target increasing the likelihood of finding a poorly secured target.
7. Again, depends on your system. Have external security audits done randomly is the best way to find and secure holes.

-James McPherson kilroy @ ntr . net

WMD vs CT motivations

[Bobzibub]

In my humble opinion,

Any group (be it country, or whatever) which uses WMD will incur serious political costs. Most sophisticated leaders of such groups who have read Mao, etc., will recognize the benefits of external sympathy, and possibly support.

The difference is this: if a group desires to affect change in a target state, WMD or traditional terrorist methods will rarely work. For instance the IRA has done much to unify and solidify England's stance on Ireland--a dismal failure for the IRA. Those Oklohoma dudes, nor the Japanise Terrorists have not affected change either.
A group which is "rational" (eg not waiting for God in a UFO to pick up the chosen, but still willing to use illegal means to alter some government's/corporate policies) will find much more utility in CT.

CT can be targeted to exploit the schisms in any society. In Canada, a group could attact a Bank and gain political support from some quarters--banks are unpopular here. An attack such as this (if the spin was played right) might not force a government to solidify its present policies, because of popular indifference to the victim(s) plight. The "stick it to the Man" effect, if you will.

If the group wants to affect change in a *third* state, then WMD might come into play. Group T destroys something in country A for country WE_HATE_A's support. This only works for a few countries, if at all. Retaliation to supporting states is likely.

As many have said, most companies and states are extremely vulnerable to CT. Though most users cannot check the source of WinNT/Win9X for vulnerabilities, you can bet that there are those hostile to the West who are doing just that.

open source digs appended! : )

Cheers, all.

bobzibub.

Re:CBRN != Cyber

[kkenn]

> I'd add that using the Internet as it is
> currently designed to communicate between
> members of a terrorist organisation would not
> be a good idea -- it goes against the "cell"
> concept which is known to be the best way
> to organise.

Au contraire. Using the internet the way most people do (i.e. only believing they're anonymous) would certainly defeat the concept of private terrorist cells, but on the other hand there are infrastructure like double-blind anonymous remailers, "onion routing", etc, which can be used to implement true anonymity (at some cost, up-front and ongoing).

These kinds of infrastructure already exist publicly, and I have no doubt that there are similar networks of a more underground nature in existence.

One hears rumours every now and then of "super-cracks"..some of them have made it here - spooky stuff which Should Not Have Been Possible. A lot of it (undoubtedly most of it) is fantasy, of course, but it makes you wonder..

I've often thought about what it would be possible for a well-funded agency to achieve in terms of penetration tools; a lot of systems (in fact, according to studies, most systems on the public internet) are vulnerable to really stupid holes, but the tougher nuts (probably the most individually interesting nuts) require more sophistication to attack.

However, given some decent programming expertise and resources, I'm sure it would be possible to create an intelligent automaton which contains a vast repertoire of cracker tricks, from the subtle to the overt, which could be pointed at a network (with suitable background research) and throw its bag of tricks at it until it gets inside, and from there rapidly subverting the connected trusted hosts. Giving the worm a wide variety of "stealth tools" to allow it to hide once inside would make it in practise almost invulnerable once entrenched.

This is not far removed from the "counter-ICE" intelligent tools of cyberpunk lore.

Obviously, this is not easy to do, but on the other hand the rewards for anyone who was able to create such a beast would be immense.

Some possibilities:

* Given that most networks on the internet are vulnerable (Reference: the folks who did the study using BASS recently - URL not handy at present), you could take down a goodly proportion of the hosts on the internet with a concerted attack (subvert widely-distributed systems for a while as a platform, then on D-day use them to launch all hell onto the internet). While this wouldn't have much effect on the Real World, it would cause an enormous resource committment to repair the damage, generate huge publicity, and even bigger "fear factor" among the people you don't penetrate. It would probably hit the economy pretty hard, actually..all a result of some aberrant ones and zeros - neat, huh?

* Variation: covert agent X injects the worm into the private (non-internet) network of a target - e.g. a foreign military network, or the operations management system of emergency services. Used in conjunction with other forms of attack, like frontal, obvious, "direct assault" electronic attacks to divert attention to the real attack, and ("conventional") physical attacks like bioweapons, this would create mass confusion, and potentially, mass destruction.

* Corporate blackmail: your worm finds its way into the network of a company you find politically objectionable, and then releases all security measures (deactivates firewalls, installs backdoors, alternate passwords, etc), and publishes them to the world, or to a competitor. Result: potential devastation of the company (loss of intellectual property, exposure of business secrets and practises, skeletons in the corporate closet, etc).

The internet worm of 198x was solved by people who were able to coordinate rapidly to analyse, solve and fix the entry mechanism. That (like more recent variants, like Melissa), was a one-track, stupid pathogen which was correspondingly easy to defeat once the vector was known.

Now imagine a worm which selectively exploits all known remote buffer overflows, many unknown (publicly) ones, denial of service attacks, TCP sequence spoofing, network sniffing, breaking of insecure protocols, ad infinitum, can hide stealthily within an operating system and network so the system's tools do not show its presence, which contains binary code that runs on every major OS, which responds to detected attempts to "capture" it by death and/or retaliation, etc etc.

How do you even begin to deal with that kind of thing on an enterprise level? You'd have to assume every machine is infected, and low-level wipe everything, being careful to distrust the existing data when you put it back. Then you'd have to patch every possible entrance mechanism onto the machine (difficult, given that Windows 9x machines are fundamentally unsecurable), and if you miss just ONE access hole then your machine is under again. Of course, this assumes you even know what you're dealing with, which is unlikely for the first few iterations, and you know about every vulnerability the worm is exploiting on your machine.

In principle, there's nothing stopping you from writing such a beast - individually the components are all well understood (except perhaps the "intelligence" behaviour which would have to be abstracted from human knowledge). In the face of an attack like this, the confusion would be enormous, when finally discovered and believed: "My solaris system got rooted by a RPC exploit". "That's okay, I don't run solaris. Hmm...my NT box is acting funny, though. Probably just needs a reboot..damn script kiddies".

This should be enough to make people very, very worried..given the notorious complacency of management towards security policy and implementation, and the continued daily proliferation of new remote exploits, it's a problem which is only growing in size, and it's a matter of time before Something Happens.

Sooner or later, someone is going to write this so-far (I hope) mythical ueber-worm, and when the Cybercalypse happens it's going to be a long week indeed for all of the professional sysadmins out there (and at the end of it, all they've got to look forward to is being fired for building a bad network, even if it wasn't their fault).

I only hope that once the network rebuilds, people learn to do better next time :-)

[This descent into paranoia sponsored by the Judean People's Front, that guy sitting on the computer behind you, and the number FNORD]

Here's a good opportunity

[Laurion]

A good chance to let people know the differenceetween hacking and cracking..... Laurion

It's all in the approach.

[Tadghe]

Ok a few points here.

1. You don't have to actually bring a system down or even seriously disrupt it to succeed in CT. All you must do is make the "Other Guy" Think you can. Or will. (see point 4) You must however have enough in the way proof to make the organization believe you can. Uncertainty about thier own security will do much of the work for you.

2. The "skills" neccessary are actually quite slim. You need a bit of experience with the industry you are tying to disrupt, a bit of inside knowledge of the company helps tons (ie: what OS it's running, what's the organization's default Passwd (most companies have them) ) And lastly you just need to know where to look for exploits. (aka "Kode Kiddiez", this is NOT real cracking, but will acomplish the goals you have set forth).

3. Few ties in the organization you are taking down. it's hard to be successful if your the prime suspect.

4. FUD (Fear Uncertainty Deception) can acomplish much, (ie: the Valentine Day's "hack" of AOL a few years ago. AOL responded, and was disrupted even though the "hack" did not take place)

5. Media ties. CT matters little if you can't get the media's attention. Most of the damage to an organization will occur from the public's reaction. (most true of non-traditional (non-brick and mortar) organizations)

Tadghe Djin

Re:Hackneyed alarmism

[llywrch]

I like a lot of the points that neophase makes here, & I'd like to add to a couple of them:

* Motivation. As pointed out elsewhere, any given company or government organization has more to fear from disgruntled employees than politically-motivated terrorists. A disgruntled employee will know the IT weaknesses (& in some cases is disgruntled because no one she/he has reported this to will either fix or let anyone fix these problems), while an external terrorist *has* to learn about them.

* Asset types. I have heard of one US government computer that is (or was -- I heard about this confiugration 4 years ago) secure because not only is it not connected to any network, access is only thru dump terminals, & no user has direct access to any printers or floppy drives. Assuming that this configuration is repeated in a number of other countries, social engineering (e.g., either bribe or blackmail the guards & sysadmins with access) would be the way to compromise this setup.

* IT infrastructure weaknesses. Consider the quality of phone systems outside Europe/North America/Far East. Would *you* want to try to crack a computer over a 2400 baud modem over a static-ridden phone line?

IMSNHO, People will remain the chief weakness in any security arangement for the foreseeable future -- but this does not excuse taking the steps to lock down networked computers.

FWIW, I have little experience with security issues, except for running a few kiddie scripts on NT servers & being appalled at the results.


Geoff

CBRN != Cyber

[rde]

Although the article lumps them together as 'terrorist weapons of mass destruction', cyber attacks are very different from chemical, biological, etc, attacks for a whole bunch of reasons):

Finance. The article implies that major finance is required to implement major attacks; this is not the case for cyber attacks; L0pht bulletins and Phrack are all that's required, along with a script kiddie mentality.

Nature of attack. Cyber attacks in general don't attack people; they attack infrastructure. If properly implemented a lot of people will die, but as a side-effect. Biological attacks, OTOH, attack only wetware and leave infrastructure intact.

Personnel. One deranged chemist can do quite a bit of damage, but an embittered genius nerd can do much, much more. Remember that interview with L0pht? "I can shut down this power grid now."

On the subject of state-sponsored terrorism: I honestly don't believe that this is the problem a lot of people make it out to be. If you're system goes down, it's a lot cooler to say it was the Indonesian Government than a dodgy cgi script. I'm not saying it doesn't happen, but I do believe that it's seriously overhyped.

Finally:defenses. Up to a couple of years ago, people thought of security they way people in the 80s thought of Y2K: it'll probably be a problem some day, but we'll muddle through. Any system put together in the last couple of years was implemented with security in mind (if it wasn't, shoot the sysadmin), but most systems more than a couple of years old are inherently insecure. Ironically, Y2K could prove to be a boon, as audits will give detailed reports on exactly what's in a system, and this information can be used to boost security.

is it possible to protect against?

[segfaults]

The main thing that comes to mind when reading this is the fact that a person with about 1k US$ to spare can go to radioshack and pick up the parts for a machine which will "crash" an unshielded soldid state computer. Things like that are in my opinion the worst threat. Hackers can only do so much, but a terrorist with one some type of EMP, or other such, device could just disable some important facility. Think about air control towers, are those computers shielded? How about 911 dispatches? I could be wrong, if I am tell me.

Cyber terrorism

[_Dogma]

I think the effects of cyber terrorism are being blown out of proportion. Cyber terrorism takes a great deal of technical skill and intuition to carryout with any success. Some 16 year old that spends his time running scripts on any machine he finds is not going to cause a great deal of damage. The only people currently known to have sufficent knowledge, desire and skill tend to have little desire to cause great amounts of damage. One of the first CT events of moderate damage was a programming bug in the first place. This would be the RTM Internet worm. It was only ment to traverse the internet to see how far it would propagate. Unfortunatly it replicated far faster than RTM had envisioned thus causing the massive shutdown.
People such as this are far more interested in aquisition of information or the 'Thrill of the hunt'. If they have access or knowledge of the techniques for breaking into critical systems, then they have little reason to show their presence.

Re:is it possible to protect against?

[Zachary Kessin]

The problem with EMP is that you have to get close
within a few hundred yrds. A software attack can
be launched from anywhere. But it is worth noting the EMP.

Re:I would not waste a nuke

[Isaac-Lew]

Washington DC has plenty of other reasons you'd nuke it (besides being the nation's capital):

• Dept. of Defense headquarters (Pentagon), plus several major military and intelligence installations (a few bases, CIA, NSA and NRO headquarters) and plenty of defense contractors all over the place

• A major chunk of Internet traffic runs through here (MAE-East), not to mention ISPs (MCI, UUNet, GTE, Sprint & AOL are all either headquartered here or have a major presence...and let's not forget InterNIC)
• The local police organizations are woefully unprepared for an emergency of that magnitude (they couldn't keep traffic clear for a football (American) game on a *Sunday* that was scheduled well in advance, what will they do if/when it hits the fan?)

Let me shut up...I just remembered that I live in the area :(.

Security through obscurity does not work

[Rares Marian]

Situation:
most systems have weak security
1.exploit info is widely available (Phrack/L0pht/etc)


Everyone knows the FBI hires people who work on these publications. Anti-virus teams routinely read similar magazines like the old 40h.

Solutions:
* restrict access to security weaknesses (net censoring/eavesdropping/illegalizing reverse engineering/etc...)

Leave the alarmist hype to the media, please.

This only encourages arrogance, which is a serious threat to security and also is the best attack against a country's infrastructure. The net is used by millions of all skills, opinions, cultures, backgrounds, tastes. You cannot expect an internatiopnal organization to finish a product if their biggesat concern is not setting off filters. That does more damage to productivity than taking a porn break during work hours.

Eavesdropping? No one in a position to

Reverse engineering is the most useful teaching tool that exists. Corporastions and independent developers provide such tools to all types of customers, home PC users to companies trying to cut down the cost of fixing Y2K by having machines search through code for trouble spots. Auto mechanics, computer technicians, and hackers (not crackers), take their machines apart and put them back together to learn how they work.

Bravo to Jane

[Enoch Root]

I don't have anything much to say about the article, as I'm sure others will have more pertinent comments for the discussion at hand. I do, however, want to say that it's nice to see serious ventures into the investigation of so-called "cyberattacks" go at the source for information: the hacker community itself.

It's nice to see someone not taking an academic position in regards to the matter, but actually inquire with the people that may know a bit more about the practical realities of hacking or, by association sometimes, cracking.

Now; let's make sure we point out the difference between hacking and cracking, here. :)

"There is no surer way to ruin a good discussion than to contaminate it with the facts."

3rd world computing must be treated differently

[df3]

As noted already, this article erroneously groups a number of threats as one. It also fails to discriminate between how Cyberterrorism would/could be practised in the 3rd world as opposed to the industrialized nations.

Dependance on networks and PCs susceptible to network attack or viruses is much more widely distributed in the west. I suspect that the ability of western computer users to get help or to solve their own problems also going to be quicker and more authoritative.

Although its been a long time since I lived overseas, I can't imagine that things have changed that much. Most of the software is pirated, the support for it is non-existant. Although the staff may be very knowlegable, the knowlege is spread much more thinly. If a tech in an organization is sympathetic to the terrorist cause, there may not be anyone else available to
diagnose the problem introduced. Remember: social engineering is an essential component for many
damaging attacks.

I would imagine that more and more 3rd world organizations are going to regard computer/network presence as a status symbol, without regard to the risk it implies.

Turn-key solutions orginating from the west will include computers where computers were never depended on before in the third world. Do these folks have a generation of folks who have used computers for the last 15 years, and at least know the rules about computer security (but maybe don't always practise.) No - except for the upper echelon of management who may have been sent to college in the West.

Hackneyed alarmism

[redelm]

This article is extremely poor. It reads as if the author had done a global search-and-replace of CBNR to CBNR/Cyber, plus added a very few It paragraphs. The tone is unreasonably alarmist.

It make no distinction between cyberterrorism, which is an attack upon C3I (command, control, communications & intelligence) systems, both military and civil, and terrorists using their own cyber C3I.

Worse, it confuses C3I (infosystems) with CBNR (weapons systems).

Jane's editor asks some good questions, but this article cannot even be rewritten to answer them.

-- Robert

Vulnerable systems

[Laurion]

I'd also like to bring up the very good point that your vulnerability is directly related to the systems you are running, and how well they are configured and maintained. For starters, any machine not on a network is almost infinitely more secure than one that is. But if you have to have a computer on a network, you better make sure you have someone who knows what they are doing configure it for security. Or get something that is inherently secure. Not to sound like a fanatic (just a fan), please note the Army's recent decision after counsel with the W3C to switch their web server to a Macintosh. However, it may not be practical or desireable to switch every machine in the operation to something else. The only way to fight knowledge is with knowledge. Fight cyberterrorists by being smarter and better than they are. That alone should take care of most of the script-kiddies. Then you have to worry about those who are smart enough to do it for other reasons...

Cyber-intelligence and other applications

[Frank Sullivan]

The intense focus on "shut down the power grid" scenarios, and tight analogies with physically violent techniques (unlike CBRN, "Cyber" warfare is not inherently violent/destructive), serve only to ignore much more potentially effective uses of IT in terrorist warfare - intelligence-gathering, counterintelligence, and disinformation. The article does not touch on these points *at all*, and quite frankly is worthless sensationalism without them.

In warfare as well as in business, IT is "the great equalizer". Its low financial barrier to entry, relative to heavy industry, allows even the poorest organizations an IT effectiveness equal (or nearly equal) to the richest, most powerful nations and corporations. The greatest advantage the covert warfare arms of major nation-states (CIA, Mossad, etc) have over small terrorist organizations is the financial wherewithal to develop massive intelligence networks, and to easily spread disinformation via access to public media and an enemy's internal communication channels. IT very much levels the playing field in this regard.

If a terrorist group can penetrate the security of an enemy organization's computer networks, they do not need to do any damage to be militarily effective. Rather, they can quietly copy information to process at their leisure, without having to physically smuggle it out of secure facilities. In particular, this approach, combined with automated "data mining" techniques, can be used to search for useful patterns in vast stores of insecure and apparently unrelated data (c.f. Stoll, Clifford: _The Cuckoo's Egg_ (a very well documented example of state-sponsored computerized intelligence gathering)).

Another use for this access is disinformation. False or misleading information can be planted in (or deleted from) databases, undermining the effectiveness of organizations relying on that information. And in our current world, where authentication via strong encryption is still rare and nonstandard, IT can make forgery easy. Credentials can be forged to fool authorities or the media for purposes of disinformation, or to enhance covert physical activities.

Encryption also provides effective counterintelligence for very low cost, both maintaining information secrecy and providing authentication for otherwise anonymous data. Public key encryption can allow a network of intelligence to communicate secretly, without direct contact, and with sophisticated tools for obsoleting compromised keys and secrets. The major governments, who have long depended on spying on civilians, have good reason to fear this technology.

Another use for IT is the copying and *publication* of encriminating information. For an example, consider an environmentalist "terrorist" organization uncovering and publishing secret corporate or government documents on toxic waste spills, or covering up the hazards of a project. No physical violence need be performed to do terrific practical damage. Remember the Pentagon Papers? Their publication was instrumental in turning the tide of public sentiment against the Vietnam War. Yet those had to be delivered as physical copies by an internal spy to a major media group, and the government nearly succeeded in supressing the evidence in court. With electronic copying and widespread distibution, governments no longer have any power to stop such publications.

Of course, we could go into much greater detail, with more specific examples, but I think the point has been made. The article ignored the most effective uses of IT for terrorists, while simultaneously advancing unrealistic and undocumented doomsday scenarios (shutting down the power grid), and blowing normal organizational activity out of proportion (bin Laden's use of email, for example). Rather than a Slashdot-driven rebuttal, the editors would do well to reconsider publication of the article altogether, until a more comprehensive and realistic article can be written.

---
Maybe that's just the price you pay for the chains that you refuse.

Misc nitpicks.

[Anonymous Coward]

Comments on the specific Q's
* It would depend upon the vital system, of course. It's unlikely that there's a remote 'stop burn' option for a coal-burning power plant, for instance.

* Skills? There has to be somebody available to *write* the original program, and that probably means knowing something about how the target site is operated. If it's done well and does not require user input, it *might* then be possible to hand the program to a 3-year-old with his finger on the 'enter' key, and take the next flight.

* Define CT. Does a denial-of-service count? Did the "Ping of Death" count? Does 'telnet' count?

* The only way to know what's attackable is to know every system. I don't pretend to be omniscient, but common sense should apply; my refrigerator is not running a Telnet server, for instance. My bank probably uses encrypted communications and a journaling filesystem with transaction logging. A web guestbook might not have been written w/ an eye towards preventing filling-up-the-disk. Etc.

* Recovery? It depends. If one gets "rooted" and the attacker simply wipes all files, it's time to go get the mag tape. If the attacker simply uses your machine to go on online chats and doesn't actually *do* much, that's a different story. Of course, many will point out that you can't *really* know unless you were watching the entire session, and should therefore reach for the mag-tape.

* It's a continuing race. Those who neglect security have more to lose, however.

* Advice? Use your head. Use systems by people who actually care 'bout security. Follow principles 'bout least-privilege and so forth. And don't bring your box online before searching for relevant docs -- but also don't believe that the sky is going to fall as soon as you plug in that cable.

Misc notes --

* (minor) Possibly, the full name of the LTTE -- the Liberation Tigers of Tamil Elam -- should be used. {shrug}

* Similar minor nitpick: Is is 'bin Laden' or 'Bin Laden'? I've seen both in print.

* Something to note: a 'Cyber' attack, as the article terms it, would most probably not incur nearly as harsh retalliation as a CBRN attack would.

* As was noted above and no doubt below, substitute 'cracking' for 'hacking.

* Consider adding the motive 'extortion'. This may or may not be plausible based on the difficulty of getting the money...

* Consider adding the motive 'fear-mongering'; that is, to a population to be unduly alarmed at the alleged possibility that their banks will be raided or that malicious crackers will down a jetliner or so forth.

Re:Big Differences...

[revnight]

while i'm dubious that cyberterrorism itself could lead to a massive loss of life, it would make one fine distraction for a CBRN attack.

it wouldn't even take an attack on financial/government servers...the trucking industry, for instance, is every bit as important to everyday workings of the country as being able to use the atm. how much of a distraction was it when that satellite (whose name just dissolved from my pitiful excuse of a memory) went down?

for that matter, i wouldn't imagine it would be difficult redirect any shipment enroute if the company uses satellites to track shipments/inform drivers. "hey joe, those bins of auto parts we picked up don't go to the saturn factory, we're taking them to a warehouse in downtown Nashville now."

Jane's and "Cyberterrorism"

[rjh]

(Permission is granted to JANE'S and/or others, as designated by JANE'S, to reprint this posting, in whole or in part, provided that any editing is made clear in the final printed result and that Robert J. Hansen, rjhansen@inav.net, is attributed as the original author. If anyone wishes to contact me regarding information warfare issues, please feel free to use the abovementioned EMail address. My public key is available at the usual keyservers, and also here on Slashdot.)

Q: What's the accepted terminology -- "cyberterrorism"?
A: Most hackers avoid anything "cyber" like the plague; I prefer "information security" for what I do, which is defending systems from information warfare. Besides, "chemical, biological, radiological and information warfare" sounds better than using "cyberterrorism".

Q: Using CT/Information Warfare, how easy or otherwise is it to bring down or attack vital systems?
A: It depends a great deal. A lot of it depends on whether an attacker wishes to target a specific vital system/subsystem, or whether an attacker is going after targets of opportunity. Many vital targets are inappropriate for information warfare. For instance, although an IW attack against a sewer-treatment system could devastate entire cities with plague and disease, very few sewer-treatment systems have their vital components hardwired into the Net. Unfortunately, a great many systems are both appropriate and not in any substantial way secured against IW. The telephone network, for instance, is a prime example of a system which substantially under-secured.

Q: What sort of skills would be needed to do so, and are they common/teachable?
A: Bruce Schneier (schneier@counterpane.com, public-key available from the usual servers) once said that "only the first person has to be smart, everyone else can just use software". The skills needed to invent and/or discover new attacks against networks are substatial, somewhat rare, and are very demanding to learn. However, once the attack has been invented/discovered, software can be written to vastly simplify the task of executing this attack. It took Cult of the Dead Cow months of hard work to develop Back Orifice and Back Orifice 2000, but after they developed this software it was available to the community at large. CDC are ethical hackers who released Back Orifice as a way to embarass Microsoft into patching their awful security model, but there are thousands of wanna-bes who are now attempting to use Back Orifice for unethical and criminal ends.

Q: Commercial-off-the-shelf software: can it really do CT?
A: It's not sold at Fry's or Best Buy, so it's not exactly "commercial, off-the-shelf software". There is a significant software black market, though, and software to conduct IW can easily be found on this market. There's no real guarantee of software quality, though; for every skilled engineer who designs a tool, there are a dozen half-trained monkeys who think they can do the same thing. That's true in both the commercial and underground software markets.

Q: Which systems are actually attackable?
A: If it's got a connection to the Net, it's attackable. Some systems are just more attackable than others.

Q: Can a recovery be made from such attacks?
A: Sure. Hiroshima is a booming, bustling city today. If Hiroshoma can recover from the savage insult of The Bomb, then I'd have a hard time believing that a community, state or nation couldn't recover from an IW attack.

Q: Can a recovery be made quickly from such attacks?
A: In theory, absolutely. But you need to prepare for post-incident recovery before you're actually attacked. Most places don't have any kind of post-incident procedure in place, and those that do frequently forget all about their post-incident procedures.

Q: Is it likely to improve/get worse?
A: I think it's going to get a lot worse before it gets better. People tend to view computers as magic boxes; you plug them in and they go. Very few people really want to think about how many individual components go into a computer, and how much more complex a computer network is than a single computer. You wouldn't dream of driving your car 10,000 miles without changing the oil; we've been taught that this is a Bad Thing. Many people lack the technological savvy to realize when they're doing the technological equivalent of driving 10,000 miles without an oil change.

Q: What sort of preventative work would you recommend them to carry out?
A: There are some very good computer security firms out there. Hire these outside, independent contractors to perform audits of your security. When they talk, listen -- don't fall into the trap of "we didn't come up with it, therefore, it's inferior". Secondly, only use open, peer-reviewed protocols, algorithms and operating systems. Many people think that if a system is open it's insecure, since an attacker can see how it's put together and determine how to best attack it. This logic is faulty. Open systems are designed to be secure even if the attacker has perfect knowledge of the system; closed systems are designed to be secure only if the attacker has minimal knowledge of the system. And any attacker worth his salt is going to have intimate knowledge of the system he's attacking, which means that closed systems operate at a distinct disadvantage.

Q: Any last words?
A: Yes. Please, please, please do the hacker community a favor. Please learn the distinction between "hacker" and "cracker", and bring up this distinction in your publication. Jane's is an esteemed, respected publication, and I would be delighted to see some well-known source explain to its readers that, contrary to media usage, hackers are usually ethical individuals with a high degree of technological savvy; crackers -- criminal hackers -- are fiends and malcontents who deserve nothing but condemnation and scorn from society.

Re:CBRN != Cyber

[oneiros27]

I'd definately have to agree on this one. What is the reason for lumping together the two types of attacks?

There are significantly different resources behind the two, defenses, and in my opinion, different motives. (I mean, you don't have someone spreading some minor disease everywhere, 'just to see if it would kill someone', yet you have script kiddies download exploit scripts and running them against every last machine they can find, hoping to get a kill)

That's not to say that at times, the motivations may be the same, but you don't often get some prankster deciding that it'd be cool to show someone a hole in their security by cultivating anthrax, and dropping it inside a building.

The article seemed to be missing quite a few important points (but then again, I got bored with it, and skimmed a few sections, so it might be my fault). All that's really needed for a computer hacker is someone who understand how/why things work, and has a good ability for problem solving.

There's quite a few good precautions to take... one is simply creating good policy on how to deal with perceived threats, especially internal.


Here's a real life example, as it happened to me:

I once put something on a web site discusing how a faculty member was using university equiptment to start up his own company (mind you, purchased tax exempt), and had given us inferior equiptment to use, with 'Property of NASA' stickers on it (where he also worked). Well, I also happened to use the word 'fuck' in reference to him and some others on the site in a few locations, which was a breach of the Code of Computer Conduct, so I got called to the dean's office, and they threatened to have me expelled (I wasn't aware at that time that they were getting a few mil in grant money from Ford for some other research the teacher was doing, and the school as more than willing to let me go rather than lose their funding). Anyway, in the course of the discussion (which I really should transcribe, along with the faculty member threatening me in the hallway afterwards, as I have it all on tape), they threatened to have me removed from my job at the university.

That was a really bad move, as had I really been pissed off at them (which well, I admit, I hold grudges), I would have immediately gone to the system, and given myself a few backdoors in (as I worked in academic computing, and had root access on the 20k+ user mail server). So anyway, either fire people, or don't. If you've got a computer person whom you think is a problem, don't give them any warning. Lock them out as best you can, and begin a full audit of the system to see if they've left in any back doors. Never even hint at firing someone, or they could put a few hooks in there, just for the fun of it. (eg, something that would trigger should their account ever be removed, etc.)

Most places that are even reasonaly sensitive should already have protocols such as this, but I don't know the intended audiences for this article.

For certain values of "Open Source"...

[Paul Crowley]

This is the other meaning of the phrase "open source" mentioned on the opensource.org [opensource.org] Web pages: in intelligence/surveillance circles, an "open source" is one openly available, like a newspaper or magazine you can just buy anywhere, as opposed to a source that's handing you information that not just anyone can get. The two communities may be closer than we'd guessed!
--

Re:Hackneyed alarmism

[revnight]

robin,

i'm curious, how'd he find this place? i'm well aware it's not secret, just curious why he chose /.

maybe you can get him some week for the Q&A session. ;)

Distinction: warfare vs. terrorism vs. crime

[petrov]

Warfare is the ability to strike at the military and incapacitate it's ability to fight. I would figure that this is nearly impossible to do. A friend working at the DOE at Sandia described the "air gap" between the classified and unclassified parts *in a single mainframe*. There's no physical method for the information to move between the two parts of this monster computer. I believe that standard procedure on all government computers states that no classified information can be stored on machines connected to the outside world. Similarly, military's have plans to deal with bombs dropping on their communications centers, I don't think that a regular DoS will bother them much.

Terrorism on the other hand, involves striking at civilian targets in an attempt to advance a political agenda. (Which is distinct from war: Clauswitz was wrong, war is not an extension of podlitics, see Keegan, and others). In general, these actions are going to be attempting to disable civilian infrastructure: power plants, power grids, phone networks, etc. I would guess that as these institutions move to exploit the power of modern computing, some will use remote administration tools. Some of these tools will be buggy, some of these bugs will enable attackers to incapacitate the utility. I don't think that these attacks will be common, or effective, as most of these company's are large enough to hire some smart computer security people once the first such attack makes the newspapers.

Crime, on the other hand, is going to be theft or fraud of various kinds. These issues will affect financial institutions, ecommerce, etc. Like terrorism, as these institutions move towards more computing, they will become initially more vulnerable, but eventually they will settle into the same type of security as they currently possess.

Once a failure occurs, Americans (as opposed to say, the Japanese) are usually pretty good at identifying the problem, publicizing it to their peers, and fixing it. I would expect that as society moves more into the information age, various illegal elements will follow us. However, as always, we will have methods of policing them and limiting their damage.

Distinguish between these cases, as the principals have very different motivations and goals. The difference in funding (for attackers of these different classes) is irrelevant as most of these systems are just as vulnerable to a lone kook as to a well funded organization.

btw: the authoritative computer security book is O'Reilly's by Spaf and Garfinkel. It covers most of these threats and more. I'd highly recommend it for anyone interested in computer security.

just my $0.02,
--sam

Answers...

[Alex Belits]

1. Using CT, how easy or otherwise is it to bring down or attack vital systems?

This depends on the level/quality of security measures and goals of the attackers. "Attacks" against computers and networks most likely don't have a goal to perform actual destruction -- access to "enemy's" computers and networks is much more valuable for gathering information while those systems are considered to be secure rather than for performing actual acts of destruction and very likely exposing the insecurity. Well-known cases of successful unauthorized access to computers are more at the level of high-visibility pranks (defacing web pages, demonstrating the access to private information stored on some company's servers, etc.), and even though they can be used to threaten companies and governments, there is no evidence that it ever was done.

However if the goal is to actually perform something destructive, the possibilities are abundant -- everything that is controlled by computers theoretically can be vulnerable to some kind of computer-based attack. The possibility of attack depends on the possible ways, computer and/or network can be accessed.

2. What sort of skills would be needed to do so, and are they common/teachable?

Basic skills are very common, and are available to every person with basic understanding of computers and networks. Pre-made scripts, kits, etc. (software-only) are widely available, and skills, necessary to apply them are at the "advanced computer user" level. Some of them are targeted for gaining unauthorized access to some kind of systems, some are designed to temporarily disable some functions (denial of service attacks) however none of them are specifically targeted to perform actual destruction of something in particular (phone systems, banks, military, etc.) -- some more advanced knowledge is required to actually perform an attack with noticeable consequences beyond the level of shutting random computers down, disabling parts of networks, disrupting email and file transfer services and gaining unauthorized access to various information.

Skills necessary to design software for sophisticated attack, perform the attack while unknown obstacles are present, and establish monitoring of compromised systems or networks are less common, however still widespread. In most of cases they are at the college student level.

Skills, necesary to establish an outside link from the closed network or standalone computer, with communication equipment present, are basic skills necessary for any work with computer/communication equipment, however it does not include the ability to perform those actions secretly.

3. Commercial-off-the-shelf software: can it really do CT?

Both commercial and noncommercial software can be used for all kinds of attacks. Software specifically designed to be used for such attacks is available as well as various kinds of security probes, monitoring software, etc. that are not specifically designed for such a goal yet can be used for it. However more important is that large amount of software that is used in various systems is vulnerable to attacks because of poor design, bugs or unrealistic expectation of secure environment, the software is supposed to work in.

4. Which systems are actually attackable?

Obviously, system that is not connected to any kind of communications is only vulnerable to the direct physical attack, and if physical access is gained, attack can't be stopped by any means other than disabling the access and recovering the system. However the goal of the physical access to that kind of computer may be to establish some kind of communications between those kinds of machines and something else instead of performing destructive actions or copying the data directly -- for example, by attaching some kind of communication equipment, by the use of existing but disabled equipment, etc. Usual physical security measures and restricted access to this kind of computers can prevent all kinds of physical attacks, and measures that restrict the use of communication equipment, shielding, etc. can prevent unauthorized links.

Computers, connected to some closed local network (with no physical links outside the secure environment -- not systems that have networks with physical connections outside, restricted by some kind of firewalls or gateways), or have long console links are vulnerable to attacks that originate from within the network. The difference from true standalone system is that those networks already have large number of communication equipment working, and their size and accessibility allow more possibilities to establish "invisible" links. In most of cases there is some possibility to attach something that establishes this kind of link without bringing any additional equipment, and even in the case when external communications are severely restricted (no phone lines) it's possible to add some wireless device, powerline communications, etc.

Computers, connected to some restricted local network (with connections outside, restricted by some kind of firewalls and gateways) are vulnerable to various kinds of attacks, originated both from within and from outside. Attack from outside may be started from using some service, accessible from outside for some reason, or from directly compromising a firewall, accessible from outside. Attack from inside can be everything mentioned above plus compromising firewall or installing some software or hardware that establishes connections from something outside by mimicking a legitimate use of the firewall, and attack from outside very likely can have a goal of installing a software of this kind. After firewall is compromised, this configuration can remain inactive for a long time without being detected by any reasonable means. The service, used for initial attack can be something innocent-looking enough to be allowed by the firewall and vulnerable enough to be used for its compromise -- email with vulnetable mailreaders, HTTP with vulnerable browsers, etc.

Virus or trojan programs can be used for initial attack if the computing environment in such a network allows them to be viable.

If a restricted network allows some computers outside to access some "privileged" services that can be used for an attack, those computers can be the initial target, and once compromised, can be used to access the restricted network even if the means for communications between those outside computers and restricted network are secure. If the means of access are in some way insecure, they can be attacked instead of computers with the goal of spoofing communications with those computers and gaining access on their behalf.

Stand-alone computer with dial-out or dial-in modems, or closed local networks with such computers are in the same category as restricted local networks.

Restricted network after the firewall compromise are either in the same state as unrestricted networks, or, most likely, unrestricted and compromised in some way.

Computers, connected to unrestricted local networks or "directly to the Internet" (what is basically the same thing) can be vulnerable to various attacks, with vulnerability depending on the secure configuration of the Internet" (what is basically the same thing) can be vulnerable to various attacks, with vulnerability depending on the secure configuration of the system software and applications running on it. Vulnerabilities can be divided into two classes -- "local" and "remote". Local vulnerabilities allow various kinds of access to data and functions (up to absolute control of the system) to users that already have some restricted access to the system. Remote vulnerability allow users that have absolutely no access to the system except possibly the use of services, available to the "public" -- such as sending email to the system, accessing HTTP server, etc. to gain some access, and often absolute control of the system. Note that "local" in this case does not mean that user is physically present anywhere near the computer -- it means that user has to perform some action while logged into his account on the computer, as opposed to "remote" user that may have no accounts at all. Protection against attacks directed against such computers include proper configuration of security features, provided by applications and operating systems and disabling unnecessary or known to be vulnerable software and services.

All kinds of computers, including ones that are connected to restricted or closed networks, should be protected against attacks of this kind, even if restrictions placed on the networks are supposed to prevent them. This is important because networks, despite being protected, often have large number of point of failures from the security standpoint, and attack may originate from within the network. Networks that have computers, using software known to lack security features, should have those computers separated from the rest into subnets, with firewalls, configured to prevent exposing those vulnerabilities to all other, even "friendly" computers.

Networks can be compromised to allow an intruder to read, disable or spoof traffic through them, thus allowing the possibilities to attack computers attached to them. In general, once one computer or router is compromised, and attacker gained the complete control over it (root, administrator, etc), part of the network is compromised with it. In different network configurations such compromise may be limited to the traffic to/from the host, some local group of computers, local subnet, group of sumnets before some firewall, or the whole organization.

Computer, connected to non-compromised local network or "directly to the Internet" is in most of cases more secure than computer, connected to compromised network, unless it uses unencrypted or poorly encrypted communications to pass sensitive data through parts of the network that can be compromised. Computer, connected to compromised network can remain secure if it only uses sufficiently encrypted communications, and does not depend on other computers that are already compromised.

5. Can a recovery be made from such attacks?

In most of cases once something is compromised, it can't be trusted until all potentially corrupted data/prograns are replaced. This means use of backups, loss of some data and potential risk of restoring compromised data.

Recovery from denial of service attacks is easy however temporary, unless the vulnerability is eliminated.

6. Is it likely to improve/get worse?

With the increase of software quantity, lack of increase of software quality from security standpoint, vulnerability in general will increase. With the adoption of computers in various activities the possible harm from successful attack will increase.

7. What sort of preventitive work would you recommend them to carry out?

1. Competent sysadmins (with sufficient education to understand the threats, design and implement security measures for every particular situation -- this is beyond usual sysadmin training programs).

2. Physical security and no-connection policy on standalone systems, use of secure software everywhere else, minimal configuration of users and services on all security-sensitive computers, use of sufficient encryption in all sensitive communications, separation of secure and insecure parts of the networks with minimal insecure traffic between them, distrust of any protection provided by firewalls except against minor denial-of-service problems, security-aware backups policy.

Re:Cyberterrorism != Bogeyman

[Anonymous Coward]

I dont think it's overblown. I used to work at an ISP who was being attacked by bulgarian nationalists, we weren't small or insignificant, just not able to keep on top of every system at every moment, and once you piss a competent hacker off you have to worry about more serious retribution (We had a guy blow away /usr on one of our server becasue we cancelled his account). I've talked to people who have either used IT to attack people and organizations, or been attacked. It is serious. Real serious.

I dont know what these Bulgarian guys were finding, but we had all kinds of customers who could prove to be interesting targets.

Sure I thnk CT is overblowin to an extent, but I also think there's alot of people out there not doing enought to prevent it. We're unprepared. Someone needs to prepare us.

Re:Good on CBRN but misses the point on Infowar.

[wilkinsm]

I like this one, so let's pull it this apart some more.

This example highlights another problem: the sheer variety of targets. Information technology touches so much of modern post-industrial society that just about anything you can think of has some form of vulnerability. We cannot patch all those holes - we cannot even identify them all.
Yeah. There are so many levels you can go after, with various levels of effectiveness. Most of the obvious industries (Computers, Telephony) have developed at least rudimentery levels of security, but what about your local power company? There already such a massive IT shortage as it is without involving mostly non high tech industries.

This raises another issue, which is competence. So called "script kiddies" may be able to take out a public web site, but it takes a lot more knowledge and effort to bring down critical infrastructure pieces (communications networks, power networks, banking networks) that are not connected to public networks, have some experience being attacked, and have the money to pay for better defense.
It has always been said that that there is no defense againt stopping the truely modivated, and in technology this is especially true. Just like in robbery, you are most likely going to be able to catch up with the intruder only after you have been robbed.

What sort of preventative work would you recommend them to carry out?[...]
I'd like to add general public awareness. Sooner or later, every person on this earth will need to learn good electronic security habits, such as logging off when they leave a terminal, or when choosing passwords.

The real danger of cyber "terrorism"

[gupg]

I think the real danger of attacks on computer systems are to the civilian infrastructure. This happens to be exactly the target of terrorists; they want to terrorize the people and the govt. of a country.

Here are the scenerios:
- there are a lot of foriegn contractors developing software for public utility, phone and other companies related to civilian infrastructure. So, the terrorist groups finds one who sympathizes with their cause (or their money) and this person inserts malicious back doors into the software.

- Most chip manufacturing is done abroad (ie the fabrication) and also a lot of design and development is also being done abroad. Again, insert a malicious hardware unit onto the processor which can be activated by only the right set of inputs. This is virtually impossible to detect.

To get an idea about how clear this danger is, read the article about the hacker group L0pht which was reported on /. yesterday. They claim they can take out most of America's electricity grid within minutes.

How to cripple systems running Netscape/IE!

[Joe 'Nova']

1) Log on to the following address
http://skyscraper.fortunecity. com/gpfault/134/dloads [fortunecity.com] FYI, this is not a hacking site.
2) Click on any of the first array of names. Either something will reply 'Bad File Type', or pop up 'Pick App'. If 'Pick App', browse and find any file you want to run, Click.
WARNING!: I accept NO responsibility for anyone using this technique, however, I can provide the cure for this, as a consultant. If I am going to be branded a threat thank-you-very-much, I would like you good folks to accuse me of being a white hat.
UWMilwaukee Golda Meir Library ran me off, calling me a pornagrapher, for no reason other than finding their mistakes, and that they hire incompetent people, unable to stop this. I offered to fix their flaws, and they'd rather fix me. They might be able to ban me from the entire UW system, depending on how court goes(yes!) Also, Marquette University has some of the same flaws, but minor. I would check your systems, sysadmins. This one will work BEHIND a firewall!
Email me [mailto], I could use some help myself. =(

Re:security teams own worst enemy

[Madwand]

Some of us who were around for the Morris Internet Worm have been screaming about the need for better Software Quality Assurance (SQA). Bad SQA was the proximate cause of the fingerd buffer overflow that Morris exploited.

Much more worrisome is the proliferation of proper, Turing-complete interpreted languages in unsafe contexts, e.g. Microsoft [microsoft.com] Word Macros, JavaScript and ActiveX in web pages, etc. We should not be designing and deploying programs which allow for execution of "foreign" code from untrusted sources without prior, explicit permission from the computer user, each time!

Unfortunately, the pull of additional functionality has been greater than the pushback of potential security flaws in the basic model, so these incredibly dangerous systems get deployed, and those of us who speak out against them as decried as alarmists.

And do I need to mention that the vast majority of desktop Operating Systems (e.g. MacOS [apple.com], Microsoft Windows [microsoft.com]) do not use the MMUs for any kind of application address space protection, which makes any incursion that much more serious?

Human Engineering

[GoofyBoy]

I have to agree entirely. When I was reading the Jane article I kept on waiting for something original or insightful but it was just too shallow. Compare this to the description of the PCweek server crack last week. (Jane does have a different audience but still its a boring read.)

One of the main problems is that it doesn't specifically define CT and why it is dangerous.

>Using CT, how easy or otherwise is it to bring down or attack vital systems?
>which systems are actually attackable?

Every system can be attacked/shutdown.
Assumption:Every system requires an organization to support it or has access to the physical hardware. E.g. Banking IT departments, Telecommunications Consulting firms.

All a terrorist group has to do is to plant an agent into these groups and then, maybe during an major company re-org or Dec 31, 1999, attack the physical hardware. These computers are located in a secure room but how many are built to withstand a C4 explosion? How about stealing backup tapes, alter them with hostile program, replace the tape then cause the system to have to restore the tape?

Hell, how about infiltrate Bell/Lucent/Citicorp/IBM, rise up the ranks of management, then cripple the institutions by making PointHairBosses decisions to weaken the systems from within?

My point here is that human engineering can go farther than any software/cracker if a dedicated organization sets its mind to it.

My comments

[proberts]

I think it's an injustice to lump information warfare in with "traditional" NBC-type warefare.

The problems of INFOSEC today are the infrastructure of tomorrow. Power grids, water treatment plants, telecommunications infrastructure, etc. are all quite vulnerable in at least several instances. Don't forget that it doesn't take an anonymous long-distance attack to get "in." A virus on a demo CD, a trojan in an executable "greeting card", etc. Timebombed code can be left by a temporary employee, cleaning person with physical access...

Today, employers, even those who are running critical infrastructure are hard-pressed to not give employees Web access (401k plans, health insurance plans and others are starting to _mandate_ it) Most of those employees are on inseucre, poorly administered, untrusted desktop operating systems. Add SSL and VPNs to make tunneling next-to-impossible to detect and you've got a recepie for serious electronic mayhem.

The barrier to entry here isn't very high. If you look at the number of viruses and compromised hosts on the Internet, and see if you can get hold of the statistics for telephone fraud that relate to compromised PBX's. You'll see that the knowlege is already fairly easy to gain. It's fairly easily transferable too. But *there's no need to transfer it*. Recruiting people who are already good at it should be trivial for most either well-funded organizations or organizations with a strong "appeal" to either a targeted individual, or a member of the target's preferred sex group. Ideologies tend to be better draws, but it wouldn't be difficult in either case, nor would extraction of several unwilling potential accomplices. One sympathetic organization member with competence would probably have a trivial time recruiting as well.

Some of the people who have the skillsets aren't socially very far evolved, don't necessarily have access to material things they'd like and are under age. All of those groups are easily targeted.

It's all software and easily gained knowlege, and testing is trivial and not necessarily dangerous. Unlike most traditional weapons, it's fairly simple to test out information attacks without anyone detecting it because you can do it on your own systems.

Until infrastructure vendors start making secure-by-default infrastructure (switches and hubs predominantly) and it becomes widespread in the install base, things like hospitals, power plants, water and waste treatment facilities, telephone exchanges, banks, etc. will be good targets of oppertunity.

While some places practice good security, not all do. It's becomming quite trivial to place a small 2" square machine onto a LAN port. Wireless networking on the back side and you're in. For less than USD$1000 you could build such systems and disguise them as appliances like lamps.

Not many places outside of the national security arena even do RF sweeps. Infrared is starting to make even that less useful.

Look at what the failed S&L industry cost, it's possible to disrupt commerce in key segments enough to cause millions of dollars of damage today, and billions over the next 5-10 years, not all electronic terrorism need be traditonal warfare, economic warfare is just as valid.

We're "used" to terrorists who directly cause terror, now we're building the capability for them to set events in motion that have longer-term effects and aren't first-order effects.

Finally, the combination of electronic and unconventional warfare, since they need not be exclusive, is a new one. False SNMP trap, compromised phone switch and a ready to deploy "customer engineer" is just one example that springs immediately to mind.

I could go on and on, but that's probably enough for now.

Paul

Cyberterrorism

[fizban]

There are a couple of points that need to be stressed in this article.

• CT is easy to do

The hurdles faced by a cyberterrorist are much, much lower than those faced by a CBRN terrorist, from financial needs to technical know-how. Because of this, the possibility that cyberterrorism can be a threat is much greater than that of CBRN terrorism, and there is a definite need for strong anti-terrorist programs.

• CT will become a more significant threat in the future

Although most of the CT attacks that we see today are merely

fluff attacks on websites and involve purely propaganda-related intentions, the threat of these attacks will become more dangerous and will hit many more critical systems as we move into a future. As our infrastructures rely more and more heavily upon networks and communication to stay alive, they will become more susceptible to attack and will suffer heavier damages if that attack occurs.

• CT is both an internal as well as external threat.

Although we may currently be more worried about external attacks upon our systems, the future will bring a greater possibility of attacks from the inside as a result of members of our own community becoming frustrated and disillusioned with the government and other power figures. Anarchy is the ethical norm in the Cracker

and Hacker communities and the possibility that lone rogues may take matters into their own hands is quite strong.

• CT in addition to CBRN attacks will become the norm.

As terrorists add CT to their list of tools for destruction, we will see more and more cases where CT becomes an

essential step in their attack plans. Defeating a security system through CT, then attacking with conventional life-threatening weapons will likely become the most common means by which an attacker operates.

In essence, CyberTerrorism should be taken as a serious threat and should be treated as such, now and in the future. We should instill in our children a sense of technical know-how and understanding of how to combat these threats as well as a moral obligation to fight the elements of our society who threaten to destroy us.

----
Lyell E. Haynes

Thoughts and comments

[TBone]

As one of the other readers commented, this article just about looks like they are replacing Terorism with CT, and rehashing a previous article. The two really have nothing to do with each other, outside of the fact that both are disruptive to the intended target. In addition, there is nothing in this article that goes into any kind of depth; I'd expect to get this article back out of an academic article abstract database, like ERIC or PSYLIT, or something similar. At least include references for additional reading.

Standard terroristic attacks are designed to physically disrupt or injure the target. CT attacks are intended to logistically disrupt or subversively capture sources of information, communications, or other lines of non-physical infrastructure. Because of this, it is much harder to identify from the inside what you are trying to defend against (would you think to secure your "recent documents" list on a computer that regularly handles sensitive material that may include logistical data?)

• How easy is it to bring down vital systems depends on how vital those systems are considered by the owners/administrators, and how secure they attempt to make these systems. If you run your company's payroll and general ledger system on a computer that has a wide-open link to the Internet, and don't consider that information very vital ("I can restore that any time I need to if it crashes..."), then you can expect that even commonly known points to hack into systems will be vulnerable.
• Basically, all that's needed is a good set of programs that can identify systems and, equipped with a knowledge base of vulnerabilities, start hammering away at them. In reality, being able to crack systems is all in a way of thinking that most people don't manage. Just as some people can't "get" math and some people seem to breathe it, some people just "get" cracking.
• If you mean "Can I buy Microsoft Hacker 2000", no. But the tools and means are readily available to anyone who knows how to read, has a dialup connection of some sort, and knows how to either download already-written program snippets or can program themselves.
• Any system that can be accessed in some way by someone who does not explicitly need access to the system is attackable. If you touch the internet, you may be attackable (DoS, various service attacks, etc). If the machine is physically accessible by someone who doesn't need access to it, it can be attacked (I don't need to blow up your data center, I just need to hit the big red button on the wall to shut you down). It all comes down to whether or not the system is available to someone who doesn't need it to be available to them.
• Recovery can be made, but is the window acceptable? How fast do you need to recover the computer that controls the ballast tanks and external hatches on a submarine? How long does it take someone who gains access to a satellite to get the image of the local layout of your building/utilities/people? If you have to "recover", you didn't properly perform your job at hand, which is to secure your systems.
• CT wil probably get worse as time goes on. More devices are being connected to the world, more information is flowing between them, and we are becoming more dependent on these devices and the imformation they provide. The bigger the mountain, the more places to drill into it and cause an avalanche.
• As far as preventative work, you should look at everything as a potential target. Once you start seeing your technology in that light, you will begin to see holes in it's existence. Why is that essential server just sitting in a common room with no limits to it's access? How come we designed our phone system to trunk every line we use through this closet? How vital is this data that we are broadcasting to possible millions of people; could it end up being subversively intercepted, edited, and redirected?

Reading back on this, it sounds alarmist, but I've worked in both the financial and transportation industries, and have seen points in the companies that, given the right circumstances and the right time, could cause irreparable harm to the operations.

This is really the point of CT; if I blow up a bridge, you can wade through the river, or go around to the next one; or build another command center, or have another one available. However, if I have access to your computer systems, or have the ability to alter your data, you may never be able to tell your people about the blown bridge, and half of them will walk right off of it.

Re:CBRN != Cyber

[Anonymous Coward]

Here in the US, there is currently a roundup going on of a fairly major criminal organization of people who made their living by computer crime. They cracked virtually every phone company's record system, for instance, and sold calling card information for $2 a card. They played games with the FBI's computers, redirected phone bills (the FBI got a $200,000 phone bill for a dial-a-porn service), and the like. They were welling info from the FBI's criminal data base to the Sicilian mafia. They had also wandered through virtually all of our major public utilities, major corporations, etc.

These individuals lacked directed leadership, and generally had second class equipment--they were basically a bunch of losers who found something interesting to them to do, and a way to make a living. They are reputed to have been in a position to take out our power grid, shutdown our phone service, and mess with a lot of other things (water here, natural gas there) we need everyday to maintain a civilized existence. Given a lot of the things we have learned preparing for Y2K problems, this could potentially be very serious (e.g., although the nuclear reactors themselves are very secure, loss of circulation of coolant to a many spent fuel recovery ponds could potentially lead to a Chernobyl type of event after a week or so, and these were not backed up and secure).

Our infrastructure will never be secure without wide availability of the type of strong encryption encryption our government is dead set against us having. Anything which is networked is insecure (as our government recognizes in its security protocols), but by insisting that phone companies, utilities, etc., keep their files secure by encryption would not only save them a ton of money they loose to fraud every year, but would go a long way towards placing their infrastructure systems beyond the reach of attack by any but the best equipped of nations. I.e., if instead of a $600 used computer and a $50 modem to gain access through some ungaurded side door on another system, you need an additional miniature NSA to work on the encrypted files you find inside, then you have placed the game beyond the reach of the sociopath next door and made it a game for sociopaths running nations. There are resources sufficient to watch the other nations of the world, but the Oklahomma city bombings (for instance) showed you cannot catch all the local nuts in time.

Where's the evidence?

[attila_the_pun]

The article starts with the assertion that CyberWarfare is an accepted fact. The evidence for this seems to consist of a few web pages being replaced with propaganda and a physical attack by the LTTE on telecommunications facilities. Neither of these count for much as CyberWarfare. Changing web pages does not cause significant disruption and bombing telecommunication facilities has been a feature of warfare since before the internet.

Cyberwarfare/cyberterrorism is usually taken to mean causing disruption of communications or physical damage using electronic means. This article presents no evidence of either. There is a risk, but don't get carried away in the hype.

Re:CBRN != Cyber

[jsm2]

This is true, but we're talking about terrorists here, which makes insider attack less of a consideration. Insiders should be watched like hawks, but in general, their crimes will be dedicated to stealing valuable things. They lack the ideological motivation of the true terrorist, so they will attack different targets, unless they need funds. But in general, bank clerks and pwoer station workers are not "outsiders", so they don't join terrorist organisations.

Social engineering is obviously a problem, and you get props from me for mentioning it (sorry, I don't have points to give). I think the solution here lies in censoring this kind of information from employees. As many terminals as possible should be kept as dumb as possible, and all requrests for systems information be directed to someone central who knows exactly who is bonafide and who isn't.

jsm

what I would look for if I were a terrorist...

[dragon2eden]

Hmmph. Article was full of crap -- it was trying to draw on 'big fears' and tie a couple together (cyberattacks + weapons of mass destruction in the hands of terrorists! lions&tigers&bears! oh-my!). More importantly, a terrorist is not likely to use weapons of mass destruction because they are such a pain in the ass to deal with (conventional bombs are cheaper -- both in terms of money and opportunity costs). A terrorist organization blows a lot of money and time on THE-ONE-BIG-SHOT, and then fucks it up somehow, then they've taken themselves out of the game. Large-scale cyber-attacks [say, i don't know, trying to crash a train track switching network with a virus, or something), even more than WMD, requires you to raise your signature to find out a lot of information before you've even done anything [i.e. is a big pain in the ass to try and put together and has a potential for failure that is intimidating]. The weaknesss in the approach is that it relies to heavily on *one* method of attack. However, a small scale cyber attack -- when coupled with a small scale physical attack like a conventional explosion -- could be a very effective force-multiplier. For instance, a really large conventional explosion at [or even near] a nuclear power plant, when coupled with a massive spamming (by phone and e-mail) of news organizations, radio stations, 911, with a follow-on crashing/bombing of the local phone network switching centers (and maybe jam some police and emergency vehicle radio communications while we're at it?) right at the point where a lot of rumour has spread but no truth has been reported, has the potential to create an *incredible* panic at very little cost or risk. You have to think of cyber-attacks as things that do not stand in-themselves; once they are coupled with physical methods of attack, they can be extremely powerful. But you combine the attack, AND keep both the physical and cyber attack *simple*. At least, that's what I would look for if I were a terrorist. [disclaimer: be advised, I am not advocating any activity that I've talked about in my post. I am merely using notional examples to make some points about terrorism.]

Good true information on Hacking/Cracking

[Mdoc]

The web address of The Hacker Crackdown, ISBN 0-553-08058-X Copyright (C) 1992 by Bruce Sterling

http://www.mit.edu/hacker/hacker.html

Probertly the best (abait a little dated)information on/about hackers

Q & A

[aarpier7]

1. It depends on what systems you are talking about. Defacing websites, and other publicly acessible systems requires a minimal amount of technical know-how, taking down a section of the national power grid would most likely require months of careful research and planning... 2. Knowledge of LAN/WAN theory, remote access, common security protocols,current exploits for UNIX/Linux/NT, C++, Perl, Java, etc... Beyond the nuts and technical bolts however, their are certain acquired skills ie social engineering, system penatration and take down, that one must acquire within the cracker community. These tricks of the trade are also difficult to practice for most individuals, for fear of involvement with law enforcement or other authorities. 3. Certain system tools, SAINT(satan), as well as other security diagnostics, and cracker script tools can significantly automate the process of cracking less secure systems. I feel that that best use of these script based tools would be to masquerade a more serious attack under the barage of multiple automated, script based attacks. 4. Anything. If you make it, someone will crack it. However, the most secure O/S. out is, IMHO, is OpenBSD. However, even OpenBSD can be made insecure. OpenBSD is the only O/S I know of that has had a complete, line by line audit of the source to spot security errors. 5. Yes, however the speed of recover will depend on the whether or not an attack was prepared for in a proper manner. 6. Most likely, as computer technology continues to intertwine itself into our everyday lives, the threat will grow. 7. If you care about your data, keep a computer security specialist on staff. Impliment wide spread encryption. Also, the most important things is to educate the end users about security. Let's face it. Nobody is going to dive into the sewers, splice into a piece of telco fiber, and spend months decoding that spiffy RSA-512 crypto you've got on your WAN lines to protect you data. They're going to ask Joe sixpacks for the RAS number, and if he could *please* readback his username and password for "validation with our databases".

Comments, and cmts on cmts

[whitroth]

As a number of other posters have pointed out, the article, as is, is on CBNR terrorism, with a global search and replace to add "cyber". Much, if not most, of the article is unrelated to "cyberwarfare" (CW).

For one thing, there is *no* recognition of the direct relation of corporate espionage and warfare to CW. Just last week, for example, a letter was posted by Iambe on the userfriendly web site concerning a sr. IT manager requesting that the co. security & sysadmin perform what, were it done by a political group, instead of a company, would be CW (btw, the author of the letter resigned rather than comply). Clearly, any company is capable of serious CW, and individuals are only slightly less capable. Yet in the article, there is no discussion of corporate CW, both as a training ground for CW agents, and as an instigator of CW. Let us also not forget that merely having been exposed to the idea that it was do-able by ordinary people, *and* *acceptable* *as* *a* *tactic* by socially-acceptable companies, the population of people who would be able and willing to do it is increased dramatically.

Another part of what is wrong with the article is the failure to assimilate the lesson of the Rodney King affair: that a few years after high tech is available, it's old tech, and available on the street, which will find its own uses for it, even as it was suggested in the novels of the cyberpunk genre. Note that, in many cases, those uses will be the same as the "official" uses...just from a different viewpoint.

Refusal to recognize this, while it leads to a terminology that Jane's regular users are familiar with, and perhaps does not cause heart attacks among them, does a great disservice to them, since it does not make clear the real logistical and tactical situation they find themselves in, and with which they may have to deal someday. We do not need another Maginot Line.

Note that "training" is not that important in CW, since any college will provide this, and it is, instead, the intellegence and viewpoint of the people performing the CW.

Consider how easy it is for people to write virii and worms, and that they come from second and third world countries as, or more frequently, as from the first world. Now consider a revolutionary or terrorist group member writing a virus or worm with a timer, which does nothing until the day of their Big Event. All this scenario needs, for the CW side of this, is one college student with net access and any old PC.

Yet another serious issue in security is the dilemma of security vs. inconvenience and obstructionism. Do you force peole to go through all sorts of contortions every time they log on to a machine, or access a file (as in B2 security), all of which slows things down, or do you make it easy for them to do their work, and spend less time in time-waisting contortions?

I also had a problem with the article in the section concerning motivation. What I did *not* notice was anything beyond what I'd hear on tv news. For example, *why* does Hammas have as much support as they do in the West Bank and Gaza? A few years ago, I heard on a news story that Hammas provides half, or more than half, of all the schooling and medical care in those areas.

CW *is* a form of guerilla warfare. The article does not appear to realize this, nor point it out to its readers. I suggest to you that the only real and effective way to counter terrorism, as in any guerilla war, is to reduce the support the local community provides. By doing that, you wind up with a larger base of computer-oriented people who are less willing to perform CW actions, and more willing to fight it on a personal programming and security level.

mark roth-whitworth
whitroth@wwa.com

Some comments

[Gleef]

In the article, Jane's discounts the benefits of state sponsorship to cyberterrorism, since tools are commonly available. This is misguided.

Most of the recorded cyberterrorist attacks have been either defacement of a website, or crashing a system on the internet. I would call this the "car bomb" level of cyberterrorism. It causes a little mayhem, gets a little publicity, but doesn't make a big wave in the scheme of things.

A cyberterrorist can do a lot more with a full scale infiltration of a key system. Assuming social engineering [netmeg.net] doesn't work to get sufficient access, crypto might be required to ensure access. That requires a lot of CPU time, something a terrorist organization won't have without help from the big boys.

Lastly, if the goal of a cyberterrorist is to disrupt electronic systems, there's nothing that does it better than an EMP. "EMP Guns", that is a portable device that can produce a localized or directed EMP without human or property damage, are a persistant urban legend that clearly has some kernel in fact. With over the counter hardware, you can build a HERF gun [slashdot.org] able to produce a trivial EMP. Is it that far fetched to think that the big governments have the technology to do better than that, considering they've been researching EMP for the past three decades? One could possibly find its way into the hands of terrorists. The midwest millitias seem to be very proficient at obtaining US military hardware.

Regardless, it's not an urban myth that an airburst nuclear weapon can produce a substantial EMP with little human or property damage. In fact, here's some congressional testimony detailing this [fas.org]. The biggest problem facing a terrorist who wants a nuclear weapon isn't figuring out how to build it, it's obtaining the fissionable material. Here again, government sponsorship of a terrorist organization could become key. China has shown itself very willing to supply governments that might sponsor terrorists with nuclear materials.

A terrorist with a nuclear weapon might well decide that a country-wide EMP would be a better use of it than blowing up a piece of a city. It would be easy to implement too, just place the weapon on an airplane and time it properly.

In all, cyberterrorism is in its infancy, and in order to determine an appropriate response to or defence against it, you need to look at what's possible, and not what happened so far.

It's also worth noting that the FBI's requests for additional computer tapping rights and restrictions on encryption "to protect against terrorism" would not do anything against such a terrorist. Any computer savvy terrorist will use strong encryption (easily available on foreign websites), and communicate on a server that is in a country where the US would have enforcement problems. The FBI's requests do not defend against either of these.

----

part two: answers to the questions

[CormacJ]

Can a recovery be made from such attacks?

Unless the machine is physically destroyed, and assuming that you are efficient about your off-line backup storage a recovery is always possible. Curing the holes takes longer, but a good admin is always able to do something that fixes problems.


Is it likely to improve/get worse?

My belief is that things will stay pretty much static. As attack methods get more isoteric, the security methods used become more complex as a result. The number of attacks will always increase in line with the number of people using computer systems.


What sort of preventitive work would you recommend them to carry out?

Really important machines should be on a private network and no computer system that has access to this network should have access to any other network.
Less important machines should be setup to use only the bare minimum of resources to lessen the chance that some module is vunerable to attack.
Regular audits and checksum comparison of code is always a good idea.
Regular user audits are needed too. Any user thats not recognised to a staff member is suspect. Any user that you don't have paperwork (not computer files) on is suspect.
Regular reading of security/bugtraq lists are always a good idea too. If you have a piece of software that appears on these as vunerable, apply a patch within hours or less.

Good security is easy to do, but harder to maintain, and no matter how many levels of security you have, one moment of stupidity always can break all the security you have, so be very careful about what you install, and code audit if you have to.

Using CT

[Q*bert]

Using CT, how easy or otherwise is it to bring down or attack vital systems?

I have found that CmdrTaco can bring down almost any system with ease, given a Perl interpreter and a mod_perl enabled Web server.
Beer recipe: free! #Source
Cold pints: $2 #Product

CT, the totally non-definitive answer

[jd]

I'll answer the questions in the order they're given.

1. Depends on the system. Anything computer-controlled, where the controlling system is networked, it's likely to be easy. Security is often neglected, or a last-minute consideration.

2. The skills are basically the same for system admin, and are not only teachable, they're common. That's why system admins are paid amongst the lowest salaries in the computer industry. They're a dime a dozen.

3. Doesn't even have to be COTS. The "SATAN" program caused a huge stir, when it was released. But, yes, there are plenty of COTS packages which could be used for CT.

4. Any system that is both physically AND logically on a virtual public network is vulnerable to CT across that network. (Mere physical connection is not enough. If the s/w rejects everything sent to it, it is effectively not there. Also, you can have multiple virtual public networks on the same physical network, none of which interact.)

5. Yes. If you have HA, some kind of intrusion detection, and automatic restore, then you can just fail-over everything but the connection, restore the compromised system, and continue.

6. It's likely to get worse. As computers become increasingly wide-spread, and as civil dissatisfaction increases, the problem is likely to escalate. There is likely to be a spike of CT around the year 2000, as doomsday cults try to create their scenarios, and other groups try to take advantage of the psychological issues surrounding Y2K.

7. There are a great many things you can do to secure your systems against CT. Here are some that I'd recommend as worth doing:

• Firewall your network. PROPERLY! Sieves are for the kitchen.
• Install IPSEC or SKIP on critical or highly confidential networks.
• Ban telnet and .rhost files. If you need terminal connections, use SSH or Kerberos.
• Enforce strong passwords, and install the shadow password kit and the mcrypt library.
• Portscan servers AND clients for vulnerabilities on a regular basis.
• If you are connecting two or more centers together over a public network (such as the Internet), use a non-standard protocol (such as IPv6) at the very least - if you can connect to the other centre, so can someone else. A non-standard protocol makes this considerably more complex.
• Encrypt filesystems! This is a must, especially for networks with sensitive data.
• Tripwire your system, to detect for altered programs.
• Monitor connections with public networks for signs of portscanning.
• Monitor login attempts and points-of-origin, for evidence of hackers.
• Check CERT regularly for security bulletins and advisories. ACT ON THESE! If an advisory exists, be aware that this means there's a good chance someone knows how to take advantage of it.
• Install tcpwrappers and deny access to all hosts to all services. Specifically enable access to any service, by name and requestor.
• Check file permissions, to ensure that people can only access what they're supposed to.
• Never, EVER, run a service as "root", unless you have to. And if you do, find an alternative that doesn't need this.
• If a system is known to be vulnerable to attack (eg: Windows NT), don't put it somewhere where attacks can reach it.
• Don't be afraid of using proxies. If your corporate web server needs to be accessed by the outside world, stick a proxy on the outside and relay everything through the firewall. Your data will thank you for it. If necessary, use a double proxy (one on the firewall itself, eg: SOCKS) and one on the outside (eg: Squid). It won't hurt your image, and you're not a wimp if you do this, but not even the best cracker can deface a web page they can't reach.

Re:CBRN != Cyber

[Mister Attack]

In my opinion, the fundamental difference is that Cyber attacks are utterly unlike any other form of attack because they do not involve the delivery of large amounts of energy to the enemy...

Chem/Biological weapons also don't involve large amounts of energy delivered to the target.

What, then, is the fundamental difference between cyber attacks and other attacks using "weapons of mass destruction?" The obvious answer is that CBRN attacks are aimed at a) creating terror and b) killing large numbers of people (this is usually a secondary goal), whereas cyber attacks are aimed at either destroying or rendering useless the communications infrastructure. In the case of either CBRN or cyber attacks, the goal is to make the military's job much more difficult. The end is the same, only the means are different. CBRN attacks work by clogging or destroying physical infrastructure, e.g. by filling hospitals with patients and highways with people rushing to flee affected areas. Cyber attacks, on the other hand, disrupt the communications infrastructure either by spoofing or DoS attacks. The real danger would come from coupled cyber and CBRN attacks. For example, with the major communications lines jammed from a cyber attack, the military would have no chance of effectively organizing to control spread of disease, etc. after a biological attack.

So how can we prevent cyber-attacks? Obviously, documented security holes must be patched immediately, and if I recall correctly, our military hasn't always been great at getting on the ball to do so. Beyond that, standard security measures (start by denying everything, then let in the things you know you want) could go a long way to preventing an effective cyber attack on the USA.

As always, my opinions are my own.

Re:CBRN != Cyber

[LinuxParanoid]

I would add to the previous poster's bullets that "CBRN" and "Cyber" threats are also different in the following ways:

Radically different logistics: terrorists face reduced logistical barriers to insertion/destruction: physical logistics takes on radically reduced importance when attacks can be relayed remotely over the global telecommunications infrastructure. Logistical-oriented defenses for detection and interception (e.g. borders) become largely irrelevant.

greater freedom of information: certain types of nuclear and biological expertise are closely guarded and narrowly disclosed, while attack tactics and strategies are much more widely available in online communities, largely in hopes of exposing infrastructure flaws so that they can get fixed.

reduced scarcity of precursors: while physical precursors to biological, chemical and nuclear materials can be controlled, at least to a limited extent, controls over precursor material useful for "Cyber" attacks is substantially less effective due to the fluidity of information flow (i.e. ease of dissemination) and availability of encryption for hiding information flows. Restricting information flows runs counter to the information-sharing process that has created existing technological (and economic) progress, not to mention raising problematic civil liberties issues. And restricting encryption technology exposes corporate interests to increased espionage vulnerabilities.

--LP

This is Too Easy...

[The Ancient Geek]

Johan J Ingles-le Nobel is wise to wonder about the credibility of this article. The author is trying to link two entirely different spheres (cyber-terrorism and weapons of mass destruction) into a single subject--he even goes so far as to coin the phrase "weapons of mass disruption." Which is to say, you can draw a parallel between getting nuked and getting a busy signal.

The writer doesn't seem to grasp the impact of computers and technology on terrorism. And the writer also doesn't seem to grasp the concept that terrorists act intelligently--within their own world view. And so the writer focuses inordinately on the feats of prowess of Aum Shinrikyu, a cult of Shinshinto extremists who bumbled their way through a sarin gas attack on the Kasumigaseki and Kamiyacho subway stations in Tokyo in 1995. If Aum Shinrikyu, using a World War I sarin recipe, is the best the new breed of terrorists have to offer we can all rest easy. Would that it were that simple.

The fatal flaw of this article is the writer's complete ignorance of the principle impact of technology on terrorism: computer technology makes the up-to-date (and up-to-speed) terrorist vastly more productive.

Let's examine the writer's linkage of chemical, biological, radiological, and nuclear terrorism with cyber-terrorism. There's no correlation at all: CBRN warfare involves significant scientific achievement, a fairly high order of precision in manufacturing, a means of storing extremely hazardous materials, finding an anonymous--or at least deniable--means of delivering those weapons, and (for most terrorists) finding an exit strategy for any agents in the vicinity of the attack. As this article points out, there is a lot to it--manufacturing facilities, storage facilities, and testing facilities to start with. There are significant issues involved in transporting the weapons and triggering them. And there is the enormous difficulty of keeping the effort a secret--an oft-repeated maxim in suspense novels is that the likelihood of a secret's being blown is equal to the square of the number of people in on the plot. You can't even try to build a nuclear bomb, store it, and test it without hundreds (even thousands) of staff who have to be housed and fed to stand around in the dark on rainy nights trying to remember why they volunteered for this great assignment. If nothing else, CBRN terrorism pretty much requires having a sympathetic Saudi prince just to bankroll the scheme.

Cyber-terrorism, on the other hand, involves writing a program and running it. One graduate student, Robert Morris, accidentally launched a "worm" virus that shut down most of the Unix-based computers in the U.S. in the 1980s. While such an attack is more difficult today, any such attack would not take any significant amount of manpower. "DOS" (denial of service) attacks are a good example: it is relatively trivial to write a program that will attempt to connect to a remote server, asking for responses to an Internet address that does not exist. Each request takes a certain amount of time to process--you can flood that server with a large number of requests, effectively preventing anybody else from getting in. With the vast increase in affordable Internet bandwidth available today ($169/month for 192kpbs dedicated bandwidth in a residential suburb of New York, for example) it is a relatively trivial exercise for a "cyber-terrorist" with a thousand bucks and three or four talented high school students to become, at the very least, a cyber-annoyance.

But computer technology offers much more to the would-be terrorist. Just as an editor for Jane's can find expert criticism of an article on cyber-terrorism (amidst a stream of childish ranting, one expects) by searching the World Wide Web, a terrorist can find all sorts of useful information. The terrorist can also take advantage of the commercialization of high-end technologies (such as the U.S. Defense Department's vaunted Global Positioning System [GPS]). And the terrorist can take advantage of the computerization of toys (particularly the growth of robotics such as Lego Mindstorms, or radio-controlled cars).

Were I a would-be terrorist, particularly one with a political agenda based on hatred of the Western World, I wouldn't waste my time with nuclear weapons or World War I sarin recipes. Instead I would have a cadre of recruits developing expertise with the most commonly available explosive in the U.S.--the barbeque grill propane cylinder. With very, very little technological sophistication one could fabricate the poor man's Fuel Air Explosive [FAE]: program a Palm Pilot to set off a task on a specified date and time, create a robotic hand with Lego Mindstorms, attach it to the valve on the cylinder, and put the "package" inside a closed room. The Mindstorm "hand" opens the valve and vents the cylinder; a second Mindstorms device sets off a spark, and, well, you get the picture. You can mass produce what little specialized technology you need and transport it on airliners with no worry at all--you will buy the Palm computers at an office supply store, the Lego Mindstorms kits at Toys 'R Us, and the propane cylinder at the nearest convenience store.

I would begin my terrorism campaign by publicly asking the Great Satan to have greater regard for its poor--with all the usual verbiage about the terror inflicted upon the Third World by greedy Wall Street speculators. I would then follow up by using my propane packages at various convenient locations around Wall Street--despite the World Trade Center bombing a few years ago, it is child's play to leave a propane "package" anywhere in the vicinity. (If I had the budget, I'd fabricate brightly-colored trash cans with the "packages" inside. I'd distribute the trash cans, conspicuously empty them for several days, then set them all off at once. Press release: "the garbage of the world, that you throw away like yesterday's sandwich wrappers, will rise up to smite you.")

Then I'd go after the New York transit system, focusing particularly on those parts of it that are heavily-used by the financial community (continuing my Third World Liberation theme). So I'd use Mindstorms robots and GPS units to "crawl" packages into the PATH tubes under the Hudson River. The propane cylinders wouldn't be powerful enough to burst the tunnels and flood them--but that enclosed space would focus the effect of the explosions and do an awful lot of damage. And scare the entire NYC populace out of the subways for a generation. (Press release: "Financial swine, you are not free from the wrath of the people wherever you go--even into holes in the ground.")

Then I'd go after the Internet. It isn't rocket science--all it requires is some skill at title and deed work. Identify the rights of way of AT&T, MCI WorldCom, etc., to identify trunk lines. Most of those lines are on poles--right there along the side of the road. Even the "secure" lines that are buried underground have to surface to cross bridges, railway lines, etc. Spend some time, do a little traveling. The locations of the five major interconnect points in the U.S. are widely known (just look on the World Wide Web). In a month or two you can probably find key trunk lines for a good portion of the major Internet carriers. More propane cylinders, more packages. (Press release: "Witlings of the imperialists--now you have some glimmer of understanding of how your brothers in the Third World must live. Free yourselves from their oppression!")

Want to go whole hog? Really do it right? OK--we'd have to do a little prototyping by testing a package or two against some targets. Aum Shinrikyu tested sarin in the Australian outback for months without arousing undue suspicion. Blowing things up "just for fun"--particularly with a can of beer in hand--is considered Manly Recreation in many parts of the U.S. Then we'd do some planning (using PCs and Microsoft Project, of course) to identify the tasks at hand and the time it will take to plant all of our packages. We could identify task dependencies (frankly, the biggest difficulty would be getting an adequate supply of Lego Mindstorms kits--they are in very short supply) and we could distribute Gantt charts to the entire team. We distribute our packages across a relatively small area in the eastern U.S., and wait for them all to go off. At once. Kill hundreds of people, shut down the NYC transit system, cripple the Great Satan's telecommunications, and prevent a nation full of office workers from downloading pornography; all in one single, simple, coordinated attack. (Press release: "Now do we have your attention, big boy?")

If you're keeping score at home, here's what we're talking about: A Mindstorms kit ($200); a Palm Pilot ($500); a barbeque propane cylinder ($30); and related hardware (wire, spark, etc., figure $20). Add another $250 for boxes and other decoy containers (and to keep the math simple) and you're talking about $1000 per package. For $100,000 to $150,000, including airfare, hotels, meals, and gratuities, you and three or four comrades could conduct a terrorism campaign that would make the FALN and the PIRA look like amateurs.

The economics are undeniable: the ability to create bombs that combine software and robotics for chump change completely alters the question of terrorism. What we might term "legacy" terrorists (understand: in the parlance of computer programmers that is a punishing insult) are trying to win funding from bankrupt former First World spy agencies and hoping to score plutonium on the open market. The avant garde terrorist is the fellow in line in front of you at Toys 'R Us.

The security is undeniable: your chances of finding these guys before they strike is zero. This only requires one person. If the plot involves more than four or five people it gets overly complicated. None of the components can be characterized as a weapon--so even if you are questioned by the police ("you're correct, officer--I do not have a license for this Lego kit") there's no rational basis for suspicion. And once you do wreak havoc on the target country you will be practically impossible to find: just the kind of simple precaution you learn from reading John Le Carre novels (wipe the propane cylinders for fingerprints) is enough to prevent anybody from ever finding you.

And the politics are undeniable as well: the legacy terrorists help fund the day-to-day payroll by running guns, smuggling drugs, and generally operating like gangsters. It is difficult to gain the support of the oppressed when the selfsame oppressed also recognize you as the local drug dealers. Our high-tech robot-wielding terrorist, on the other hand, doesn't need to support a huge payroll--so he doesn't need to run guns, smuggle drugs, rob banks, or anything else. With some creativity and perhaps a slightly smaller budget he could literally do the entire project on credit cards.

Press release: "We have smote the Great Satan in his lair--we have left him wounded, bleeding, alone, and in the dark. We have deprived him of his filthy pictures of oppressed women. And we have done it with the products of his own depravity--the computer toys of his pampered children and the office toys of his fattened bourgoisie, fueled by explosives from his so-called convenience stores. And we financed the entire operation using the Evil Oppressor's own credit cards."

This writer is totally wrong: the impact of technology on terrorism doesn't mean that we have to add a new letter or suffix to the "CBRN" acronym. The impact of technology radically changes how productive, and how anonymous, the would-be terrorist can be. Ultimately, technology obviates CBRN terrorism--the terrorist doesn't need to be that extravagant, and doesn't need to take the risks of handling those materials. With a little bit of applied thought, and off-the-shelf technology (and off of shopping mall shelves at that), the avant garde terrorist can scare the daylights out of any country on the face of the earth.

To contact me by email, use the address above, but do not include the "nospam" entry in the address.

security teams own worst enemy

[Anonymous Coward]

In many ways, the security teams are their own worst enemies.

A few years ago I was an on-site contractor for NOAA, and we were deploying a prototype system at another federal agency which provides a critical service. (For obvious reasons I won't provide further details in this forum.) For some reason we needed to access the prototype system, and we knew that our computer was on their network but they had moved it from the initial IP address for some reason and hadn't told us its new address. They also changed the name for some unknown reason. (This wasn't related to security, it felt much more like a low-level pissing contests between the two agencies.)

We *really* needed to access that computer, and most people had already gone home from both sites, so I pinged all of the addresses in the subnet and attempted to telnet to each responsive address in turn. Within half an hour or so I found our lost sheep, fixed some files, and the government employee who asked for my help went home happy.

Unfortunately I had a problem. I discovered that they had their router on one of the ports, with absolutely no password. Anyone who discovered this IP address could change a few numbers and take down this site and possibly a second site. If it happened at the right time it could easily make the national news. I reported my discovery to the only network person still around, and he was clearly agitated by the perceived dilemma of needing to report this to the proper security group and the expected pain of the subsequent inquisition and torture. The fact that this was at a sister agency clearly didn't help his mood.

I don't know if the reputation was warranted, or if he was ever subsequently contacted in any way. I know that some subsequent comments about my "hacking" skills were grossly unwarranted. I do know that the reputation of the security team was such that most security breaches will go unreported out of the fear that the investigation will focus on how the person learned about the breach, not the breach itself.

(Sidenote for _Janes_: many geeks will immediately recognize this as a concrete example of Hagbard Celine's observations in the Illuminatus Trilogy. People with (perceived) power tend to see only what the people under them think they want to see. This makes it difficult to impossible to get an accurate view of your current state from within the organization. I think CT is a very real possibility, but I am also extremely skeptical that anyone above a GS-12 has the faintest clue where the real threats lie.

(If I had to pick one thing to start with, I would focus on Melissa. I'm sure every potential cyberterrorist noted how quickly Melissa took down large corporations and is wondering what would happen if it carried a malicious payload. Trivial example: what would happen if every Melissa victim started to ping www.victim.mil? Why do the same people who readily recall the Morris Internet Worm (which quickly resulted in significant changes in the Unix infrastructure to prevent a recurrence) remain silent despite a pandemic of Microsoft Macro Viruses?)

Bear Giles (bgiles@coyotesong.com)

Re:CBRN != Cyber

[GooberToo]

"Any system for which the safe frequency is too low for the backup defense to be practical (for example, a power grid) should be kept remote from networks; although this does not defend against attacks from insiders, network seclusion should allow the terminals of the vulnerable network to be physically guarded."

As I understand it, the majority (in the range of 80%) of IT attacks reported are associated to insiders or social engineering.

Phone rings.
"I'm Bob in IT support. I'm having trouble with the modem bank. Can you check the modem to make sure it's turned on? Also, can I have the number to make sure I'm using the right one?" Of course, being the deligent and helpful worker that he/she is, they are happy to help.

I believe that internal security, planning, and employee education far out weighs the need for external security. This is not to say that deligence should not be given by a sysadmin, however, physical accessibility should always be addressed. This, of course, assumes that www.norad.nukem.gov is also unavailable.

I've worked at a place that had computers in a room behind locked doors, but the routers and switches were on racks external to it. Anyone could walk up, plug in, and snoop all they wanted.

31337 hAx0r dOoDz

[Lord Kano]

Skill doesn't cost very much in terms of money to aquire.

The people who can bring down systems are the same people needed to protect them. It's in a way kind of like the wild west, but there are no black hats and white hats only dark and light grey.

The difference between a hacker, and a cracker is what they do with their skills. One man with a rifle is a hunter, another man with an identical rifle is a murderer. What you do is more important than what you are capable of doing.

6 months from now when the l0p(Lords of Pudding) cracks Jello's web site for publicity it won't be a well funded attack. It'll be a couple of rinky dink high school kids who allowed their talent to be used for non-productive ends.

Hacking has nothing to do with who's the best funded. It's about getting done what you need to get done no matter how you need to do it.

I'm sure that every hacker here has done some things that at least border on cracking at one time or another. Not that there was necessarily any malicious intent, it's just doing what needs to get done.

It's the script kiddies who've (at least in recent years) given us a bad name. It's the assholes WhO TyP3 3v3rY7hiNg LiK3 7hIs who make us look like a bunch of pimple faced rejects before the masses.

One thing that makes many hackers fertile recruiting ground is the total lack of respect for the ability and value of a good hacker. When a hacker has to stand by and watch a brainless marketting suit make millions for sitting around and thinking up crap like "Got Milk?" and "Think Different" it can make him want to make an undeniable statement and force people to recognize him. Also how many of us would be willing to pass up a pile of cash if someone offered it in exchange for getting access to Company X's fincancial records?

I've never caused any damage to any company's computer systems, just like the vast majority of my fellow slashdotters, but in a materialistic society how many of us would pass up the chance to make big pay checks if we did?

LK

Just how easy

[GoNINzo]

Okay, because I don't feel anyone has addressed these issues seperately, or treated this as something that will get published (even if they don't differentiate between CBRN and IS machines), I feel it neccessary to write up a short bit on each of these points. Feel free to flame me if you disagree, but I don't feel they are getting what they asked for.

• Using CT, how easy or otherwise is it to bring down or attack vital systems?

  It really depends on how the system was devised. There are a couple factors here, a who is attacking, a why, and a how.

  There has been a recent profiliation of machines that are 'automagic', where the user plugs the machine in, and it works. As this becomes more common-place, there will be more attacks of the 'script-kiddie' mentality. These are the more common-place, and usually more destructive attacks. A good example would be the Cold-Fusion exploit released not too long ago. It was written up into a nice package that someone could give to a 13 year old kid. That 13 year old could go burn down a machine in some place he's never heard of, and he wouldn't care. Someone who researched this exploit might actually have some ethics about destroying someone else's virtual property.

  Then there is the why question. In the beginning, cracking was mostly used as a 'I was interested in how it worked' explination. In the future, I think we will see more infiltration attacks, where people just want to get onto the system to listen, gather, and desiminate information. This could be to gather personal information, financial information, share a virus, or to expose your political views. The system will continue to work, but an incorrect manner. As these become more sophisicated, I think they will become harder to detect. It's only when we relax our guard do we get hurt by an attack

  Then there is a how. The discussion of potentially harmful weapon systems is a matter of exposure. Networking is a useful thing, but think of it in another light. You have a gun cabinet in your office, forget why, but would you really want this expose? So you put it behind a secret door, only certain people know how to go up and press on the door in the right way to open it. But someone visiting might press all your walls in several ways, and still find it. Security via oscurity does not work. So you put a master lock on it. However, a nice pair of bolt cutters work quickly. So you put it in a true safe, making it difficult to get to. People complain, so you are forced to make the combination something simple like '1 2 3'. This again, breaks the system. You run into the common brick wall of security versus ease of use. As our society seemed centered on easing our lives, we tend to focus more on the ease of use. Good example are the web forms out on the web, to make our lives easier, but could also break our security policy.

  So you are looking at more information is being distributed, it is becoming easier to find this information to infiltrate a host, and we are moving towards a looser definition of neccessary security. Is it easy to attack systems? Yes, and it's becomign easier all the time.

• What sort of skills would be needed to do so, and are they common/teachable?

  Many of the skills can be learned from reading on the web. Most are commonly found out. But the most useful are taught in a student/mentor relationship. While root exploits can now be thought of as easier to figure out on your own, it usually takes an experienced person to point the newbie in the right direction, to wade through the bullshit. As we migrate to a more networked envirionment, these requirements will become less, and become a more 'click here!' security risk.

• Commercial-off-the-shelf software: can it really do CT?

  Two issues, the offense versus the defense. As far as products go, COTS will never be as good as what can be obtained by an experienced professional. and all experienced professionals have a cost. Also, would you include COTS to have web-based and free software? Because it's all out there for the taking. Remember that COTS lag behind the speed of the rest of the world, especially security related products. For instance, ISS security product still checks for certain accounts when trying to check a unix system. However, ISS knows nothing about nmap and it's use as a port scanner. (well, last I checked)

  On the defensive side, with proper design COTS can protect your data.. Many companies think of security last, it's an afterthought of a 3rd level VP who says 'BTW Bob, is this system secure?' 'No it isn't Ted, You said you didn't want to put in your password on every new screen' 'Well make it secure, mmmkay?' However there are some products that are designed off the shelf with security in mind, these would be more of the unix systems as they have a better chance to mature. Just the fact that there is a root account where a user can do anythign they want has to remind the designer not to let people get there. For an example, the BSD security audit that took 10 people a year and a half is what I would considered to be an ideal.

• Which systems are actually attackable?

  All networked systems are attackable. You must assume that. Just as no fortress can be completely safe, no data can truely be secure. There is a sliding scale of usabilty versus security, so set your thresholds high.

• Can a recovery be made from such attacks?

  This is why backups and data integrity plans are a must. Everyone should have a buisness continutity plan. This can also be associated with an extended cracker attack. If a weapon system is compromised, we will simply have to face the consequences of that weapon being used on ourselves. Some philosopher once stated that man will not be happy until he has devised a weapon that is able to scare even himself.

• Is it likely to improve/get worse?

  It is most likely going to get only worse, until a light turns on in the mind of software developers that it is bad to have a product that a 13 year old can walk in and take over at any time. Those types of attacks are the true threat in the growing sea of information.

• What sort of preventitive work would you recommend them to carry out?

  Get the best people you can to manage your systems and your software. The risk of having a new administrator to manage your credit-card-number-heavy network is much higher than the price to find a good administrator. While you can never bank on the security of your software, your security is only as good as your administrator. An aware adminstrator will be able to fix the major flaws in your security.

Anyway, that's my rant on the article. You'll notice most of this information is just systems best practices, and more general information systems, not weapon systems specific. Mainly because I have not dealt with weapon systems, but you'll find software is the same everywhere. Also, 13 year old kid could reference any person of human intelligence and inclination, regardless of nationality, religion, and moral vocation.

Feel free to publish any of this, I do work for Collective Technologies [colltech.com], but these are my own opinions.
--
Gonzo Granzeau

"Hardness" of systems

[Paul Johnson]

A common thread running through Johan's questions is the assumption that target computers can be rated by "hardness" in the same way as a military base.

This assumption has limited validity. It is certainly true that some systems are constructed to be much harder to penetrate than others. However any system can be made insecure by improper installation or use. A classic example is the recent Linux box crack. The crack exploited an insecure CGI script instead of the underlying operating system.

This leads to a situation where attacks are single-use weapons with irregular effects. Think of the Federation encountering the Borg: a phaser works on the first borg, but not the second because the second one had learned what killed the first. Attacks on computers have this nature: you may be able to penetrate many computers at first, but when the attack becomes known the hole will be closed. If the defensive structure is good then this will happen fast and universally. This is what CERT is about.

Much has been made here of the "script kiddy" phenomenon. This does not seem a realistic concern for real national infrastructure or military issues. Sure there are plenty of insecure systems around, but the attacks the script kiddies use are generally known and they can be locked out.

This means that against a well-defended target you are going to have to devise fresh attacks. This is not a trivial exercise. Its easier if you can get hold of the source code, but either way expect to have to fund a team of good techies sitting down with sample systems looking at how to take them down. The result will not be an armoury so much as a mixed bag of ad-hoc tricks, each of which will have a very narrow window of use. Also you can't stockpile these attacks because at any time someone else could discover the same crack, use it, and get you locked out.

Even a successful cyber attack will be little use on its own. It would have to be co-ordinated with other actions. At this point it gets hairy. The effects of your actions when you actually try to take down or penetrate a system are difficult to predict. Maybe it will work, or maybe the defenders are on to you and will be duly warned. And the mixed bag of tricks will be hard to integrate into the rest of the strategy.

All this points to the need for a proper defensive posture. This makes the entire infrastructure much more robust. Use operating systems and applications which are known to be reasonably secure. Keep up with CERT bulletins and other sources of information. If a computer is worth guarding physically then it is worth guarding "informationally", and for critical assets this might well extend to a continuous human auditor looking for discrepancies and odd patterns, just as a human guard is used to check people in and out of a base instead of relying on barbed wire and key cards.

Finally, it is important not to let these threats get out of proportion. If I was a terrorist and wanted to bring down the national power grid I'd go for a few pounds of plastic attached to strategic pylons and transformers. Much more certain, and much longer lasting effects (aside, why did the IRA never realise this?). A defence system is only as strong as its weakest point, and that point is rarely a computer.

Paul.

doesn't require IT devices

[kaisyain]

whereas cyber terrorism utilizes information technology (IT) devices to inflict mass disruption of an opponent's critical IT infrastructure

Cyber terrorism doesn't (necessarily) utilize IT devices to disrupt critical IT infrastructure. A backhoe to a set of OC-192 circuits works just as well at disrupting critical IT infrastructure. I also wouldn't really categorize social exploits as "utilizing IT devices".

Cyberterrorists...

[Hobbex]

Here's a hint that might help the American government a little in its fight against terrorists:

If there are any cyberterrorists out there, they already have cryptography!

On a more serious note, the article is definetly making a mistake in bunching together Cyber threats and CBRN. They are different (as rde wrote above) in all possible ways except in that they are a relatively new threat. IMHO cyber terrorism is mostly an excuse to harrass punks who deface webpages, while CBRN really worries me.

Also, the article looses a lot of credibility when it starts listing Bin Ladens use of email as examples of cyber-terrorism. My grandmother uses email for gods sake, it happens to be a good way to communicate.


-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Re:Vulnerable systems

[Anonymous Coward]

What if the script-kiddies are guided by somebody more knowledgable?

Say, for instance, that I were a foreign agent interested in finding out how secure a governmental system was.

Why couldn't I just write some tools, pass them off to some 3leet wannabe lusers in an IRC channel, and later (under a different 'nick from a different site) monitor the same or similar channels waiting for the lusers to brag about "their" exploits? Somebody has to have a clue, but it need not be the attackers themselves.

Prevention

[howardjp]

The best way to prevent CT is to have a good staff of administrators and a good set of tools. By far, the two most stable and secure operating systems are OpenBSD and OpenVMS. Use them. Also make sure your staff knows how to administrate them properly.

Also make sure you are always running with the most up to date patches for your software (not just the OS, but all of it). Read Bugtraq to find out what the latest problems are and follow through on the suggestions given for securing a system.

Don't get too proud. Just as soon as you think you've gotten the crackers beat, they'll find a new way in. Never let your guard down.

Disable non-estential services. If you do not need a service running, why do you have it on?
Remove any tools which could be used against you.

Don't be an easy target. Firewalls are good. Protect yourself at multiple levels.

Anyway, there are plenty of other ways to handle prevention, but I'll let others pick up the slack.

Big Differences...

[helver]

It seems to me that trying to group CBRN weapons with cracking requires a huge leap.

For CBRN, aquisition of the materials required to implement these weapons is a significant issue. As mentioned in the article, people get arrested for simply trying to buy the materials needed. The acquisition of materials for a cyber attack is a much simpler task.

The level of knowledge required to implement a CBRN weapon is orders of magnitude higher than to implement a cyber attack. Additionally, the CBRN agents must be stored, transported, and potentially disposed of. These are risks to the developer, not the victim.

There are countermeasures for some kinds of CBRN attacks, but in general they are impossible to implement to ensure 100% safety. For other kinds there are no countermeasures. For cyber attacks there are almost always defenses. More often than not these defenses are disabled for the sake of convenience, or due to ignorance.

I have no doubt that crackers can cause significant damage, but to group crackers in with CBRN agents is blowing their capabilities way out of proportion. In order to implement a cyber attack it takes a $500 computer and an internet connection - essentially it can be done by anyone who wants to learn how. It's impossible to prevent because the threshhold is so low and the materials required can server legitimate purposes as well. But the effects can be neutralized if a small portion of the population - the system admins - are kept up to date and are willing to do what's necessary to keep their systems secure.

Cyber-warfare HOW-TO

[Rahga]

First of all, the article reads as a half-backed introduction to CT and how it relates to other forms of terrorism and the history of related terrorist events in the past decade. Reads too much like a boring history report done by a college freshman... but, to anwer the questions...

Most of the questions are surprisingly elementary, but I'm sure this was done to bring out as many relevant pov's as possible :)

"Using CT, how easy or otherwise is it to bring down or attack vital systems?"
It is either easy or hard. The real question, how are the vital systems in question prepared to stand up to said attacks. Like a question on how well armored tanks can stand up to gunfire, it depends on which tank is in question.

"What sort of skills would be needed to do so, and are they common/teachable?"
They aren't common in the sense that Joe Blow knows how to hack into the pentagon, but they can definitely be teached. Though skill and talent are considerable factors, they aren't neccesary...

"Commercial-off-the-shelf software: can it really do CT?"
Like it says in question one, yes, but it depends on how well the targeted systems are prepared. And if they run NT, well....

"Which systems are actually attackable?"
If it exists, it can be attacked. Most vulnerable are those connected to mainstream communication systems such as the internet. Also, you must keep in mind that there are many different types of attacks availibale to your modern cyber-terrorists, including futile ones.

"Can a recovery be made from such attacks?"
Yes, and no. Data can always be backed up and restored on virtually any computer system. What is more dangerous is when terrorists defeat system security measures and retrieve privlidged data. There is no way to "steal it back".

"Is it likely to improve/get worse?"
Rhetorical question. As computer systems become more complex and the world keeps getting smaller, the more insecure that computer systems will become or at least seem to become...

Points

[Hermetic]

I really don't think there are any COTS software apps dedicated to CT, (ie. MS LoopHole Exploiter 2000 or some such thing). There are, however, many, many people out there who devote their lives to finding ways around security. Many of them are all to proud to show off their newest exploits or workarounds.
Astalavista [astalavista.box.sk] and sister sites take great pride in allowing you to do things you shouldn't. However, most of these tricks, scripts, and cracks are relativly harmless compared to a single man placing a pipebomb at the nearest telephone switching station.
There is no such thing as "security" as most people like to think about it. The best you can do is stop the incompetent (they weren't a threat anyway) and slow down the professionals (who you will never be able to stop).

CT can, and probably will be a problem, but I don't think we have reached that critical point yet.

Lack of definitions disabling the entire debate

[FreeUser]

One of the main problems is that it doesn't specifically define CT and why it is dangerous.

This is indeed the crux of the issue IMHO. In all of the debate and hysteria being bandied about regarding "cyberterrorism", I have yet to see a coherent, reasonable definition of just what cyberterrorism is? The absurd example of using Bin Laden's use of email and chatrooms to communicate with others as a form of cyberterrorism is clearly alarmist and silly, while the notion of remotely ordering a nuclear powerstation to melt down (hardly realistic perhaps, but an effective image) would certainly be included in any reasonable definition of cyberterrorism. On the other hand, a cracker shutting down the power gird of an entire city or multi-state area appears to fall somewhere in between (disruption and quite possibly mayhem is caused, but no life is directly attacked as such). What about public defacement of web pages? Terrorism? IMHO I hardly think so -- not a single life is threatened or directly attacked. It smacks more of vandalism or graffiti, yet such attacks are consistently used as "examples" of cyberterrorism.

Until reasonable definitions are agreed upon, and adhered to, as to what constitutes cyberterrorism vs., say, cyberwarfare, cybervandalism, cybertresspass, or cyber(information)theft, discussions and articles about this subject will continue to be offpoint, confused, and ultimately of little use in forming coherent policies to combat the threats that these and other criminal (cyber)activity pose. Perhaps the one thing that can be learned from such confusion is just how dangerous it is to allow one's propoganda and misuse of language (as evidenced by the extreme hype and demonization surrounding cracking and such loaded words as "cyberterrorism" all out of proportion to the actual damage or potential damage done) to define one's own thinking when trying to establish responsible and effective public policy.

Cyberwar?

[Lando]

Okay, let me give a summation of the article before you read what I actually wrote. First and foremost the author has no idea what he is trying to say. The article sounds like it's supposed to be about cyber-warfare right? Wrong, it's marginally about cyber-terrorism with no facts and a lot of spin.

Basically, the author says that because terrorists are bad... and since people use computers for e-mail, irc, etc that terrorists might use computers too. Wow, oh gee, really?

Then he tries to relate the fact that terrorists try to cause terror with car-bombs and such and since they might get nukes that we need to be preparing for an attack on our computers.

No logic to link them together.

I read the entire article because I started it and said I would, otherwise I would just ignore this article.

I suggest that the only thing to be done with this article is to trash it and start over.

Kill the spin and get some facts, this article is more of and editorial than a news story.

Sincerely,
Lando

PS, I saw wording I didn't like in the beginning so I stated that I was being a little critical, but I didn't expect this type of article with no facts and lots of spin. Sarcasm starts 2 paragraphs into this story.

I'm just writing down random remarks about the article as I work my way through it. Just wanted to make sure we are clear that this is not bashing , but the way I read an article.

Now that cyberwarfare has become an accepted fact

I don't believe that it is an accepted fact, I think that is a lot of spin generated by the media. If you agree with that spin then might I point out the computer viruses were being used in the 80's which were much more destructive in nature and were targeted as well. Hacking a website and having a physical battle as recently reported for some reason don't really seem to be the same. There are special units for intelligence gathering, etc which are definitely components of war, however those have always been with us. Labeling this cyberwar is just spin to create hype...

Joshua Sinai examines the requirements for anti-state groups to employ this and chemical, biological, radiological and nuclear weaponry

What the heck is Radiological? CBR is chemical, biologic and radiation. I don't remember radiological from my time in the military, more spin?

I'm willing to give the benefit of the doubt to CBRN, I am unfamiliar with the term though.

whereas cyber terrorism utilizes information technology

Wait a second, why are you introducing cyberterrorism here, you said that you were going to talk about cyberwarefare.

Nevertheless, there is sufficient reporting of activities by terrorist groups and their state sponsors in the CBRN/Cyber realm

How about intelligence communities, what the heck is CBRN/Cyber realm?

acquiring a CBRN/Cyber capability requires extensive funding, an overt or covert acquisition capability, a technological research and development program to produce, weaponise and stockpile CBRN materiel (or the capability to purchase or steal ready-made weapons), and a level of technical expertise and logistical infrastructure that is appropriate to launch successful CBRN attacks. This is beyond the technical capability or motivation of most terrorist groups.

False, a couple of million dollars with the right people could cause problems, the cost though is a lot higher for the attacker than the defender with no guarantee that your attack will succeed.

On the other hand, the information revolution ushered in by the Internet allows terrorists to access articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct cyberterrorism, making CBRN/Cyber attacks much more feasible to launch than hitherto.

Spin, spin, spin, sensationalism is fine and all, but I prefer facts. Dropping this information in between two facts attempts to prod the reader into believing the statement. What you should be saying is that conducting cyberterrorism attacks against off the shelf commercial software is what makes cyberterrorism possible.

One of the things you need to realize is that obscure code is generally hard to break and that open source by it's very nature tends to find security holes quickly and patch them. When you start using obscure code in a wide production area, ie commercial off the shelf software is when you enable systems to be cracked on a wholesale level. I have the ability to take administrator access from a NT machine in 9 minutes if I can get to the box via an ethernet connection. Unless the latest patch has fixed security problems that NT has had for years. UNIX systems tend to be a little more secure forcing you to crack the shell to get inside the machine.

I am not saying that UNIX/Linux is good and Windows is bad, it should not be taken like that. I have fixed a number of security errors under UNIX over the years and more continue to pop up, however when you have open-source which because of the way AT&T 'sold' UNIX, Berkley and others got the code, you tend to have people beating on that code all the time. Only when you use security through obscurity do you have major holes sitting open for years.

Although such cost/benefit considerations may limit the majority of terrorist operations to the realm of conventional warfare in the 21st century, recent WMD- related events and reports indicate increasing activity by certain terrorist groups and state sponsors in the CBRN/Cyber arena

Just wanted to point out that this is really getting on my nerves, trying to create a new word? Let me see, "I made up the word so I must be the expert!!!" Nope, sorry just doesn't cut it.

There have already been several instances of CBRN/Cyber operations by terrorist groups. Chemical attacks have been mounted by the Aum Shinrikyo cult, such as the March 1995 sarin nerve gas attack on the Tokyo subway system, killing 12 people and injuring 5,500. Chemical cyanide was included with explosives in the February 1993 bombing attack by Islamic militants of the World Trade Center. In the mid-1980s, the Tamil secessionist group, LTTE (which provides its operatives with a cyanide pill in the event of capture) threatened to carry out a BW attack by spreading pathogens to infect humans and crops in Sri Lanka. Aum Shinrikyo also attempted, albeit unsuccessfully, on at least 10 occasions to disperse biological warfare agents in aerosol form, and in October 1992 its members attempted to acquire Ebola virus samples in then Zaire for future use in biological attacks. In mid-1997, an American white supremacist faction plotted to attack the New York City subway system with biological weapons. Reportedly, Hizbullah and Hamas operatives have acquired chemical and biological components, although they have so far refrained from carrying out such attacks.

Wait a second... What are we talking about here? First we are talking about cyber-warfare, then we are talking about cyber-terrorism and now we are talking just plan terrorism... Unless, you are using these examples to talk about cyber-terrorism and just trying to create spin with violent examples. Let me see what would that do? Umm, some person that doesn't really understand computers and how they work, maybe a little frightened of them, sees this paragraph and is struck by the visual pictures that are implied, but doesn't quite realize that none of these situations involved cyber-anything. However he/she now associates cyber-terrorism with these images. Spin, spin, spin.

And then we get the nuke worry into the picture and then finally we hit the cyber-terrorism. Hmmm, let's look at it.

One of the first known instances of cyberterrorism occurred in 1997 when the LTTE launched cyber attacks against Sri Lankan government sites, including hacking into a government web site and altering it to transmit their own political propaganda.

Oh my goodness, they actually spoke out and people could see what they wrote!!!!! To the death chamber with them.

Supporters of the Mexican Zapatista rebels have jammed Mexican government web sites

Oh my goodness, censorship only news-media and governments should be able to do this!!!! To the death chamber with them!

The American terrorist group, the Christian Patriot movement, is active in the Internet.???

Oh my goodness, Americans using? active? on the internet? Dang, I never knew. Obviously they are gathering information and disseminating propaganda. Just who do they think they are??? To the death chamber with them!!!!!!!

The Osama Bin Laden group utilises an extensive network of computers, disks for data storage, and Internet for e-mail and electronic bulletin boards to exchange information.

Oh no, someone other than the American team is doing more than web-browsing, they are running a web-server!!!!!! To the death chamber with them!!!

Hamas operatives in the Middle East and elsewhere use Internet chat rooms and e-mail to coordinate activities and plan operations.

Chat rooms and e-mail anyone else care to point out just how insecure these formats are with Echolon around?

Oh no!!! People are talking to one another, just when will this stop?!!? To the death chamber with them!!!!!!!!!!!!

Other Middle Eastern terrorist groups, such as Lebanon's Hizbullah and Algeria's Armed Islamic Group, also utilise computers and the Internet for communications and propaganda.

Jeez!!! They are speaking their own minds... This has got to stop!!!!

TO THE DEATH CHAMBER WITH THEM ALL!!!!!!

Just in case any of the readers forgot about what we are talking about. Just in the case that the computer talk has gotten a little boring, let's throw in some good wholesome slaughter to get back some attention and pump up those hormones.

Terrorists have also targeted critical infrastructure. Thus, for example, in the Summer of 1998, the LTTE bombed state-owned and private telecommunications facilities in Sri Lanka, damaging buildings and disrupting telephone service.

Look it has bombing and telephones in it, definitely couldn't do that without a computer.

Motivation concerns the psychological, political and strategic factors that are likely to serve as incentives or disincentives for terrorist groups to resort to CBRN/Cyber warfare, particularly the decision to embark on a higher lethality and disruption in targeting

Rather than taking over websites, they will start sending SPAM!!!!!

There are no fixed organisational prerequisites for attaining CBRN/Cyber capability, particularly in the age of the Internet when terrorist operatives can be dispersed geographically yet are able to communicate with each other by using their own secured communications networks

Sorry jumped a couple of paragraphs here, it was just getting a little deep for me. Then I come across this. Of course it's bad for the terrorists to use encryption because the government can't read their messages. I don't know if I even want to touch this one, but let me just ask a question... Okay, encryption and talking is required but organization isn't knowledge isn't. Sounds like you throw in a little willpower and you can start casting spells. Are we talking about a game? I thought this was a serious article...

At one end of the organisational spectrum, the technological complexities involved in acquiring CBRN/Cyber capability require a well organised, hierarchical organisation, with a command and control apparatus staffed by professional terrorists, a highly- developed R&D apparatus staffed by scientists and technicians, production and storage facilities, a transnational logistics network to clandestinely acquire the necessary technology from external sources, and business activities (either legitimate or illegitimate) to generate the necessary income to fund the acquisition of CBRN/Cyber operational capability.

Did anyone realize you can make money working with computers? Hmm, let's see time to pay my bills, $1000 to the IRS, $150.00 to state, $300 dollars for my education bill, $400.00 for my car, oh and let's not forget my $15.00 to insert terrorist group of your choice

A terrorist group might also train its members in not just a single weapon but a variety of CBRN/Cyber weapons for which different sets and levels of technological expertise are required in order to attain operational capability in each of these weapons. Thus, for example, terrorist groups, such as Aum Shinrikyo, have provided their members with extensive training and education in a variety of CBRN/Cyber weapons, including studying uranium enrichment and laser technology, with at least one of their members working on the staff of a Russian nuclear physics laboratory, while another contingent traveled to Africa to study the Ebola virus. Cyberwarfare involves a different set of training requirements that is also more readily available. Thus, training in computer science is now widely prevalent among terrorist groups.

Two comments, first how does a Russian nuclear physics lab and the Ebola virus relate to computers??? Beats me I thought you would know. Second, I'll be danged if those pesky terrorists aren't getting trained in computers. I mean heck it'll be easy to catch the terrorists now, since no one else is getting computer training...

Skipping again...

terms of technological hurdles, CBRN weapons and Cyber devices vary in the levels of technological sophistication required for their development, weaponization and deployment. There is also a clear distinction between CBRN weapons and Cyber devices

Which, let me guess, is why the article points out bombing, nuclear attack and biological agents and never points out anything remotely dangerous to do with cyber-warfare or cyber-terrorism? Hmmm interesting, but then why are we lumping them together through the entire article? Guess I must just be plain stupid not to understand...

This is getting rather boring, let's skip to the end...

CBRN/Cyber terrorist warfare is likely to pose a significant threat in the 21st century as a result of the confluence of motivation, technical capabilities, and involvement by state sponsors. Just take my word for it since I haven't shown any relevant information in this article. This analysis is intended to highlight some of the internal and external factors, requirements and hurdles that need to be considered in assessing a terrorist group's current and future development status and operational capability to conduct CBRN/Cyber warfare. But somehow I forgot to include any facts and just used spin to create that impression Correlating these internal and external factors and hurdles would make it possible to forecast , something I didn't do, which terrorist groups and state sponsors are likely to embark on CBRN/ Cyber warfare, the types of adaptations since I have no idea what a terrorist group is much less which ones if any are actually planning on some type of cyber-campaign, and changes they would require to transition to such warfare, the types of weapons and targeting they are likely to pursue (including the possible resort to single or multiple CBRN/Cyber weapons and devices), the timelines for such attacks, and vulnerabilities that could be exploited by foreign intelligence and counterterrorism agencies to constrain terrorist groups--and, when applicable, state sponsors--from embarking on such warfare.

Sheesh can you look at that last line? This is a conclusion??? Not only doesn't the author close up his arguments about what the article is about, but he basically says that this needs to be researched. Hmmm, needs to be researched? and definitely a threat? If you haven't done any research how do you know there is a threat?

Lando

Deranged Chemist

[the eric conspiracy]

I don't know about this deranged chemist thing. With all these monocultures in agriculture it wouldn't take that much to put together a pretty nasty attack on the food supply.

Taking out a power grid is much less impressive.

Infrastructure

[Anonymous Coward]

Frankly, I'm more concerned about attacks against the physical infrastructure of the net than I'm worried about "cyber attacks".

Perhaps I'm naive, but I view crackers mainly as a way to keep sysadmins on their toes, not as some sort of world-destroying threat. OK, so somebody nails a sendmail box I'm running -- I'll just overwrite the HD with a backup & secure it from there. Big deal.

I'm much more concerned that someone will use real-world weaponry against the net. For example, using a couple truck-bombs against MAE-West and other NAPs simultaneously. A sufficiently coordinated attack of this nature could do real damage to the global economy just in terms of panic and disruption (massive stock sell-off, etc.). Plus, since it's a real-world attack, the damage is harder to contain/repair. I mean, anyone got a backup tape that'll rebuild MAE-West?

As far as I can tell, the main thing we have going for us is that most terrorists are pretty stupid people. They're ALWAYS going after ineffectual targets, like innocent civilians, and they do it in a half-assed manner. Most terrorist groups just seem to be places for losers to hang out and bitch about life; if they were more intelligent they'd be doing other things with their time.

I dunno; most terrorists just remind me of the Columbine losers grown up. Any half-wit could have managed to kill more people.

Cyber-attacks are inherently unsexy; there's no big boom, there's no glory in dying for a cause, just a bunch of nerds in a closet. Terrorists want to die with glory, to strike the big blow, and they're too dim to realize what an effective attack means.

Perhaps more importantly, anyone with enough skill to launch serious cyberattacks is probably going to be making serious $$$ in legitimate industry. After all, what world-class computer nerd wants to spend his/her time in some dirt-poor corner of the world, surrounded by psychopathic gun-toting losers? Osama Bin-Laden, for all his supposed clout, lives like an animal in a hole in the ground. What programmer wants to spend their time that way? You can make a bomb in a cave lit by candlelight -- you can't launch a cyber attack that way.

Jane's Goes Open Source

[Gerv]

Have you seen the title to their main page [janes.com]?

"Jane's Intelligence Review, the world's leading open source defence, security risk and threat analysis for the professional intelligence and defense analyst"

Obviously this means anyone can copy and redistribute copies of Jane's Intelligence Review as long as they make any modifications they make to the text publically accessible...

Gerv

Stock Market

[kid]

It's always occured to me that, in a war, the country/party that runs out of funds first, loses. Thus, the objective of war isn't to (per se) do as much physical damage as you are capable of inflicting, it's to cause just enough damage that the "enemy" is unable to recover financially.

This suggests, in this time of cyber-warfare that we live in, that attacking a stock market or other primary financial institution is the most effective means of accomplishing your goal. Much more damage would be accomplished by taking the NY Stock Exchange offline for a couple of days, than an attempt to attack of the "food supply" (which be up and running again within hours from backup tapes, or replacement hardware).

I see no mention of this financial aspect of war in the article, yet it seems the most vulnerable in my mind.

Re:Hackneyed alarmism

[Roblimo]

Johan, the Jane's editor, agrees with you. That's why he's soliciting comments from Slashdot readers - and is going to write a whole new article based on them that'll run alongside the original clueless piece. This is a great exercise in showing the difference between "official" thinking (which generated the original story) and the "grass roots, hands on" style of thinking common among Slashdot readers (and authors and editors too, come to think of it).

- Robin "roblimo" Miller

Just unplug the computers

[Jimhotep]

Why have a critical computer system exposed to
the world? Defacing a web page never killed
anybody.




Other terrorism ideas: find and read
"A Higher Form of Killing"

this book explains how the CIA tested the spread
of toxins in the NY subway system.

from the Jane's article
"In mid-1997, an American white supremacist faction plotted to attack the New
York City subway system with biological weapons."

Thanks CIA

The Inside Threat

[remande]

Personal disclosure: I work at a facility that could, at worst, cause a lot of financial havoc if compromised. I am also partially responsible for security at this facility, particularly the ability to securely connect to other facilities (AKA public-key crypto). No, I am not a cryptographer or anything similar; I just know how to use the software available.

If you are really going to crack a facility, you can often do so from the inside. The most important skill needed to compromise such a facility is "social engineering"; basically the ability to lie through your teeth to other people. This sort of thing can get you inside your target's security with no computer skill whatsoever, and then you only need the skills required to cause the computers to do whatever it is you want them to do.

Let me list a few SE gambits. The first, which takes a bit of time but is usually safest, is to get yourself hired. You will need some computer skill even to do an attack from the inside, and that skill will get you hired in America's techie-hungry job market. This gives you building access and a computer account. If you have sysadmin skills, all the better: you will get a root password, the equivalent to an all-access pass.

The second gambit is simply to sneak into the physical facility in broad daylight, by pretending that you belong there. Low-security facilities may use badge-locking, but often one employee will hold the door open for someone who forgot their badge. Just about any facility will let people in if the security is lax at all. I remember a story (verified) about someone showing up at a 20-person company dressed as a delivery person. People let him in and out, and he made several trips carrying boxed printers out every time.

Another gambit that someone could try with enough time would be to infiltrate the development branch of a commercial security software company (or better yet, get a few terrorists together and form one), and put a back door into the software. The facility is rare that fails to trust shrink-wrapped software. If the software is a hit, you can hit multiple targets at will without anyone putting the pieces together.

Hopefully, the above tactics would not work in places like military facilities or nuclear plants, where paranoia should be a way of life. However, a creative mind can cause a lot of damage by infiltrating a facility not known for its paranoia. Hospitals and food-processing plants would likely be prime targets. Such attacks would not necessarily be "real" terrorism, but would look a lot like accidents (until, of course, somebody claimed responsibility for them).

You do not need a terrorist...

[kris]

... to shut down vital parts of the computer infrastructure of a country. As we have seen, a backhoe is enough. Or a faulty software upgrade in a power grid or phone control point.

Also, what crackers (and cyberterrorists, if they actually exist) do is utilizing remotely exploitable bugs in current software. That is, they use tolsl and techniques which are roughly identical with normal debugging techniques, but apply them a bit more creatively. The creative application may have spectacular effects, but that does not change the fact that the basic techniques used are actually routine debugging techniques.

The bottom line is: As long as current production software is as bad and immature as it is, there is no cyberterrorism. Just applied stupidity.

Grossly underestimated and wrongly accented

[arivanov]

This artcile is a very bad piece of work. The authro did not do her homework properly

Only a select number of terrorist groups and few state sponsors are likely to possess the necessary motivation and capability in the spheres of organisation, funding, acquisition, technology, storage and stockpiling, logistics, and other overt and covert resources to be able to make the transition from conventional to CBRN/Cyber warfare. For many, the numerous internal and external tasks and hurdles involved in acquiring, storing and deploying such sophisticated weaponry and devices are simply too much. Moreover, few terrorist groups and state sponsors are sufficiently motivated to carry out mass casualty or mass disruption warfare.

Well the necessary means of cyber disruption are verys simple 33K modem, an old 486 running Linux or BSD and a brain. It is true that few terrorists have the necessary knowledge but this does not mean that they may not hire someone. And this will be cheaper then bying and smuggling explosives and weaponry.

On the other hand, the information revolution ushered in by the Internet allows terrorists to access
articles and documents from the World Wide Web about the manufacture or acquisition of BW or CW
agents, and commercial-off-the-shelf (COTS) software products can easily be obtained to conduct
cyberterrorism, making CB/Cyber attacks much more feasible to launch than hitherto. Radiological and
nuclear weapons, however, are far more difficult for terrorist groups to acquire or to develop
indigenously, to weaponise and deploy, or to provide storage for.

Commercial and off the shelf solutions are mostly applicable after a breakin has been commited - i.e. for maintianing access, deciphering data, etc. So they come to play after the breaking which once again requires few resources and some brain.

Significant financial resources are required for terrorist groups to develop an indigenous CBRN/Cyber
operational capability unless a group succeeds in weaponising a crude, low-technology device, or
stealing or hijacking such a device.

Yet another dumb statement.

• You can make a microwave cannon in your garage. No point of stealing it. And you can knock out an enitre stock exchange with it.
  
• It takes a modem and a unix box to break in in a remote machine. It is neither stolen no expensive.
  

Overall very very very bad article with the following bad implications hidden between the lines:

The availability of security related information on the internet is _BAD_

part one: cyberterrorism - a definition

[CormacJ]

CBRN warfare is an advanced method of warfare - cyberwarfare isn't. The resources needed to achieve this aren't expensive, all it needs it some knowledge and a little cheap equipment.

There are examples of this already, including L0pht's research into the vunerability of the US electricity network. They gather data from public websites and once the data is correlated a good image of the security of the network is found. This can then be explotied. Cyberterrorism is about this type of research.

This article concentrates more on the conventional side of terrorism, but attention should be paid to the groups that use IT for gathering and co-ordination of intelligence rather than for warfare.

Cyberwarfare is where tomorrows terrorists will attack. Terrorism is part destruction/part publicity. Several terrorist groups attacked targets to generate publicity, not to kill people. Similarily cyberwarface attacks are about the same: posting web pages, taking over known servers. The next level is the hardest one to guard against. This is the hacker in the system that doesn't destroy or alter data, just reads things and leaves.

The author groups cyberwarfare along with "script kiddies". Cyberwarfare is not only about damaging systems, it is also about intelligence gathering and information processing.

This is essential to terrorists. Hacking into a government server and posting a new webpage looks good and generates publicity, but hacking into a government server and reading the documents in peoples email directories is much more valuable to terrorists. This gives cyber terrorists valuable details about the thinking and opposition to thier movement, and can aid in planning conventional attacks.

The next generation cyber-terrorism won't just be about invading and crashing control computers or servers, it will also be used for spying and sabotage.

Cyberwar like all other forms of war is not just about damage and destruction but also is about spying and intelligence gathering.

These areas are where most consideration will have to be given.