Re: [ISN] Fanatics with Laptops: The Coming Cyber War / RFF Reply

From: InfoSec News (isnat_private)
Date: Mon May 20 2002 - 03:25:02 PDT

  • Next message: InfoSec News: "[ISN] Alert issued for China's next cyber attack"

    Forwarded from: Richard Forno <rfornoat_private>
    
    What is it about Fridays and FUD?????
    
    Last week it was that piece out of Australia, and now this article.
    
    A few choice comments enclosed below.
    
    > Fanatics with Laptops: The Coming Cyber War
    > By Tim McDonald
    > NewsFactor Network
    > May 16, 2002
    
    Title alone is sensational enough to tell me this article is a crock.
    But I'll read anyway because it's Friday and I need to fight some FUD
    today before meeting the g/f for Episode 2 this afternoon.  :)
    
    > That increasing interdependence, however, becomes frightening when
    > one considers that a next-generation cyber terrorist will likely not
    > represent an aggressive world power.
    
    I'm not sure what the cyberterrorists of 'this generation' are, let
    alone the ones of next generation........
    
    > In terms of present-day vulnerability, such a terrorist could simply
    > be a lone fanatic wielding a laptop. And the damage could be
    > staggering.
    
    One guy with a laptop - fanatic or not - does not make a cybeterrorist
    that is bent on destroying the world. When will these reporter types
    realize this? All such statements to is fan the flames of speculation
    and fear, and in most cases, make the reporter look like an idiot.
    
    On a side note - does this mean if someone's an aethiest or agnostic,
    they won't be a good 'cyber-threat'??? Oh, wait - it the eyes of the
    media, fanatic=terrorist=0911=great imagery for getting readers'
    attention.
    
    I agree with those that say one guy with a backhoe is far more
    effective at causing wide-spread infrastructure damage than someone
    with a laptop. But "backhoe-terrorists" aren't as sensational of a
    story as those allegedly waging "cyber-jihads" so we'll just leave it
    at that for now....
    
    > 'Asymmetric Warfare'
    
    > The military call it "asymmetric warfare," which means that the
    > disadvantaged side must use unconventional weapons against the
    > wealthier side if it is to have any chance of winning.
    
    Using airplanes as guided missiles is asymmetric warfare, too, and a
    far more effective way of wreaking infrastructure havoc than by a
    laptop.
    
    > Any country that can scrape together the price of a computer manual
    > and that has a basic understanding of information systems
    > infrastructure can train and motivate a misguided "patriot."
    
    Reading a 'manual' does not make one an expert. Nor does getting a
    diploma or certification, despite the claims to the contrary.
     
    > Anonymous Warfare
    > 
    > Due to recent advances in "attack technology," cyber warfare can be
    > waged remotely and anonymously. This approach would make it much
    > harder to find an attacker than it is, for example, to root out Al
    > Qaeda forces along the border of Pakistan and Afghanistan.
    
    Gee, and it wouldn't be hard for someone to do a truck bombing
    anonymously, either.....the problem is that folks like Mcveigh (OK
    City), Rachman (WTC attack #1), and others, were clumsy terrorists
    that left a trail......a dedicated adversary would not be so easy to
    track.  Drawing a paralell between cyber-terrorists and al-Qaeda is
    threat inflation.
    
    The implication this reporter makes is that folks should be licensed
    or easily-tracked online....if someone's hell-bent on committing
    murder or terrorist actions, they WILL circumvent any requirements for
    online monitoring/tracking -- that's the least of their concerns!  
    Making it illegal to be anonymous won't do anything to impede them.
    
    > "As the automation of deployment and the sophistication of attack
    > tool management both increase, the asymmetric nature of the threat
    > will continue to grow," the report said.
    
    This has nothing to do with increasing the asymmetric nature of the
    threat. It simply means that future such attacks might be more harder
    to recover from quickly.
    
    > New Tactics: Poison and Hijacking
    
    > Attackers are finding more ways to bypass firewalls and other
    > security roadblocks. Some of the newer -- and nastier -- tactics
    > involve attacks on the Internet domain name system (DNS), including
    > cache poisoning and domain hijacking.
    
    DNS poisoning is an old tactic - security folks have known about it
    for years. And Domain Hijacking - well, during my time @ NSI, I had to
    deal with that technical problem far too many times. The problem was a
    system vulnerability that the company refused to address, and instead
    chose to deal with recurring negative publicity, giving me and my team
    major stress headaches on a regular basis. Besides, it's been proven
    that one can hijack a domain name w/o being a 'hacker' -- using the
    legal system and WIPO is pretty effective, too, I've heard.  DNS cache
    poisoning was done in 1998 by Eugene Kashpuroff -- it's not a new
    attack methodology, either -- and that really screwed the net over for
    a few hours.
    
    > Businesses, especially large corporations, are becoming targets with
    > increasing frequency. In the right hands, cyber attacks could wreak
    > untold damage.
    
    Again, that wonderful word "could" -- most of the folks on this list
    COULD wreak untold damage, but it's yet to materialize. It's always
    amazing how many reporters talk about what such a so-called
    'cyberterrorist' "could" accomplish......but nobody talks about what
    IS needed to deal with the problem.
    
    > As the Arab-Israeli conflict continues to escalate, the odds of a
    > full-scale cyber war grow. The first Arab-Israeli cyber war erupted
    > in 2000, when Israeli hackers attacked the site of a Hezbollah group
    > in London. Arabs retaliated by attacking the main Israeli government
    > site and the Israeli Foreign Ministry's site.
    
    This is a crock of first-rate tripe. Cyberwar is a nuisance situation.
    So what if a website gets defaced or hacked? So what if a ping sweep
    trips some alarms? What's being reported on as 'cyber-warfare' is the
    electronic version of 'prick-waving' to see who's a badder dude on the
    net playground.
     
    > How prepared is the United States? Not very, according to analysts.
    > There has been some improvement, such as the Clinton
    > Administration's 10-step National Plan for Critical Infrastructure,
    > drafted in 1999.
    
    Indeed - plenty of bureaucracy was created, lots of blue-ribbon
    reports and panels, but little real action.
    
    > Only in the past year has action been taken, however, by opening
    > serious discussions about creating separate networks for critical
    > federal agencies; granting computer security scholarships in return
    > for national service; and increasing the budget for computer
    > security.
    
    GovNet - stupid plan. Reminds me of sticking one's head in the sand.
    But it's been Richard Clarke's fantasy network since the mid-90s, so
    he may as well keep trying to build it when he's got access to large
    (free!) funding sources. He's already admitted they will likely have
    viruses, worms, etc. on GovNet - with the associated downtimes and
    problems we all know result from such incidents - so WTF good is
    GovNet going to be anyway?
    
    Computer security scholarships are long-term projects. A diploma or
    certification doesn't mean you're any more the wiser of a security
    person. You need experience in the real world, and that would only
    occur OVER TIME, not in the classroom.
    
    What they need to do is stop these pie-in-the-sky projects and
    allocate money and authority HERE and NOW to address the root causes
    of the problems the government ALREADY KNOWS ABOUT but seems content
    to brush off.
    
    I mean, they just killed the $9B Army Crusader system - imagine what
    even $5B of that money could do, if properly allocated for
    government-wide operational IT security improvements TODAY instead of
    more research and analysis of 'future threats' in cyberspace?
    
    > What they have learned is that the "install-and-patch" system does
    > not work, especially against a concentrated attack. Operating
    > systems, they have concluded, need to be designed more securely from
    > the outset.
    
    It took how long to figure that out? While most OSes are
    install-and-patch, let's look at the largest culprit here. How come
    nobody's placing budget pressure on Redmond saying since their
    products are so buggy and insecure, they're going to look elsewhere
    for solutions that work as advertised and intended?  I took that
    position in 1998 and haven't looked back. And guess what - I've been
    virus free, trojan free, worm free, since then, and been more
    productive, too.
    
    > An equally fanatical individual, with a little more knowledge and a
    > much lighter load, can, if we do not defend against it, use a laptop
    > to do unimaginable damage at no personal cost whatsoever.
    
    This last line is a piece of sensational tripe that is common among
    those companies and individuals making Chicken Little claims about
    cyber-terror being the harbringer of unimaginable evil. Unfortunately,
    most of the media folks covering this general issue of computer
    security have no clue about the reality of the situation......and are
    unable to do anything except continue to perpetuate this sensational
    FUD, scare the public, and make it all the more difficult for folks in
    the security profession to do our jobs, especially when talking with
    senior managers and lawmakers.
    
    This article will keep me awake tonight - not out of fear of a
    cyber-attack, or what 'could' happen down the road, but because this
    sort of half-arsed tripe is believed by so many who take this stuff as
    unassailable gospel and continue to make decisions based on it.
    
    I wonder what next Friday's FUD story will be??
    
    Rick
    infowarrior.org
    (c) 2002 - Permission granted to reproduce in entirety with credit.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon May 20 2002 - 06:10:13 PDT