Forwarded from: Richard Forno <rfornoat_private>

What is it about Fridays and FUD????? Last week it was that piece out of Australia, and now this article. A few choice comments enclosed below.

> Fanatics with Laptops: The Coming Cyber War
> By Tim McDonald
> NewsFactor Network
> May 16, 2002

Title alone is sensational enough to tell me this article is a crock. But I'll read anyway because it's Friday and I need to fight some FUD today before meeting the g/f for Episode 2 this afternoon. :)

> That increasing interdependence, however, becomes frightening when
> one considers that a next-generation cyber terrorist will likely not
> represent an aggressive world power.

I'm not sure what the cyberterrorists of 'this generation' are, let alone the ones of next generation........

> In terms of present-day vulnerability, such a terrorist could simply
> be a lone fanatic wielding a laptop. And the damage could be
> staggering.

One guy with a laptop - fanatic or not - does not make a cyberterrorist that is bent on destroying the world. When will these reporter types realize this? All such statements do is fan the flames of speculation and fear, and in most cases, make the reporter look like an idiot.

On a side note - does this mean if someone's an atheist or agnostic, they won't be a good 'cyber-threat'??? Oh, wait - in the eyes of the media, fanatic=terrorist=0911=great imagery for getting readers' attention.

I agree with those that say one guy with a backhoe is far more effective at causing wide-spread infrastructure damage than someone with a laptop. But "backhoe-terrorists" aren't as sensational of a story as those allegedly waging "cyber-jihads" so we'll just leave it at that for now....

> 'Asymmetric Warfare'
> The military call it "asymmetric warfare," which means that the
> disadvantaged side must use unconventional weapons against the
> wealthier side if it is to have any chance of winning.

Using airplanes as guided missiles is asymmetric warfare, too, and a far more effective way of wreaking infrastructure havoc than by a laptop.

> Any country that can scrape together the price of a computer manual
> and that has a basic understanding of information systems
> infrastructure can train and motivate a misguided "patriot."

Reading a 'manual' does not make one an expert. Nor does getting a diploma or certification, despite the claims to the contrary.

> Anonymous Warfare
>
> Due to recent advances in "attack technology," cyber warfare can be
> waged remotely and anonymously. This approach would make it much
> harder to find an attacker than it is, for example, to root out Al
> Qaeda forces along the border of Pakistan and Afghanistan.

Gee, and it wouldn't be hard for someone to do a truck bombing anonymously, either.....the problem is that folks like McVeigh (OK City), Rachman (WTC attack #1), and others, were clumsy terrorists that left a trail......a dedicated adversary would not be so easy to track. Drawing a parallel between cyber-terrorists and al-Qaeda is threat inflation.

The implication this reporter makes is that folks should be licensed or easily-tracked online....if someone's hell-bent on committing murder or terrorist actions, they WILL circumvent any requirements for online monitoring/tracking -- that's the least of their concerns! Making it illegal to be anonymous won't do anything to impede them.

> "As the automation of deployment and the sophistication of attack
> tool management both increase, the asymmetric nature of the threat
> will continue to grow," the report said.

This has nothing to do with increasing the asymmetric nature of the threat. It simply means that future such attacks might be harder to recover from quickly.

> New Tactics: Poison and Hijacking
> Attackers are finding more ways to bypass firewalls and other
> security roadblocks. Some of the newer -- and nastier -- tactics
> involve attacks on the Internet domain name system (DNS), including
> cache poisoning and domain hijacking.

DNS poisoning is an old tactic - security folks have known about it for years. And Domain Hijacking - well, during my time @ NSI, I had to deal with that technical problem far too many times. The problem was a system vulnerability that the company refused to address, and instead chose to deal with recurring negative publicity, giving me and my team major stress headaches on a regular basis. Besides, it's been proven that one can hijack a domain name w/o being a 'hacker' -- using the legal system and WIPO is pretty effective, too, I've heard.

DNS cache poisoning was done in 1998 by Eugene Kashpureff -- it's not a new attack methodology, either -- and that really screwed the net over for a few hours.

> Businesses, especially large corporations, are becoming targets with
> increasing frequency. In the right hands, cyber attacks could wreak
> untold damage.

Again, that wonderful word "could" -- most of the folks on this list COULD wreak untold damage, but it's yet to materialize. It's always amazing how many reporters talk about what such a so-called 'cyberterrorist' "could" accomplish......but nobody talks about what IS needed to deal with the problem.

> As the Arab-Israeli conflict continues to escalate, the odds of a
> full-scale cyber war grow. The first Arab-Israeli cyber war erupted
> in 2000, when Israeli hackers attacked the site of a Hezbollah group
> in London. Arabs retaliated by attacking the main Israeli government
> site and the Israeli Foreign Ministry's site.

This is a crock of first-rate tripe. Cyberwar is a nuisance situation. So what if a website gets defaced or hacked? So what if a ping sweep trips some alarms? What's being reported on as 'cyber-warfare' is the electronic version of 'prick-waving' to see who's a badder dude on the net playground.

> How prepared is the United States? Not very, according to analysts.
> There has been some improvement, such as the Clinton
> Administration's 10-step National Plan for Critical Infrastructure,
> drafted in 1999.

Indeed - plenty of bureaucracy was created, lots of blue-ribbon reports and panels, but little real action.

> Only in the past year has action been taken, however, by opening
> serious discussions about creating separate networks for critical
> federal agencies; granting computer security scholarships in return
> for national service; and increasing the budget for computer
> security.

GovNet - stupid plan. Reminds me of sticking one's head in the sand. But it's been Richard Clarke's fantasy network since the mid-90s, so he may as well keep trying to build it when he's got access to large (free!) funding sources. He's already admitted they will likely have viruses, worms, etc. on GovNet - with the associated downtimes and problems we all know result from such incidents - so WTF good is GovNet going to be anyway?

Computer security scholarships are long-term projects. A diploma or certification doesn't mean you're any more the wiser of a security person. You need experience in the real world, and that would only occur OVER TIME, not in the classroom.

What they need to do is stop these pie-in-the-sky projects and allocate money and authority HERE and NOW to address the root causes of the problems the government ALREADY KNOWS ABOUT but seems content to brush off. I mean, they just killed the $9B Army Crusader system - imagine what even $5B of that money could do, if properly allocated for government-wide operational IT security improvements TODAY instead of more research and analysis of 'future threats' in cyberspace?

> What they have learned is that the "install-and-patch" system does
> not work, especially against a concentrated attack. Operating
> systems, they have concluded, need to be designed more securely from
> the outset.

It took how long to figure that out? While most OSes are install-and-patch, let's look at the largest culprit here. How come nobody's placing budget pressure on Redmond saying since their products are so buggy and insecure, they're going to look elsewhere for solutions that work as advertised and intended? I took that position in 1998 and haven't looked back. And guess what - I've been virus free, trojan free, worm free, since then, and been more productive, too.

> An equally fanatical individual, with a little more knowledge and a
> much lighter load, can, if we do not defend against it, use a laptop
> to do unimaginable damage at no personal cost whatsoever.

This last line is a piece of sensational tripe that is common among those companies and individuals making Chicken Little claims about cyber-terror being the harbinger of unimaginable evil.

Unfortunately, most of the media folks covering this general issue of computer security have no clue about the reality of the situation......and are unable to do anything except continue to perpetuate this sensational FUD, scare the public, and make it all the more difficult for folks in the security profession to do our jobs, especially when talking with senior managers and lawmakers.

This article will keep me awake tonight - not out of fear of a cyber-attack, or what 'could' happen down the road, but because this sort of half-arsed tripe is believed by so many who take this stuff as unassailable gospel and continue to make decisions based on it.

I wonder what next Friday's FUD story will be??

Rick
infowarrior.org

(c) 2002 - Permission granted to reproduce in entirety with credit.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.