RE: [ISN] Cyber-Attacks by Al Qaeda Feared

From: InfoSec News (isnat_private)
Date: Mon Jul 01 2002 - 03:08:26 PDT


    Forwarded from: Austin <austinat_private>
    
    -> -----Original Message-----
    -> From: owner-isnat_private
    -> Sent: Thursday, June 27, 2002 3:05 AM
    ->
    ->
    -> Late last fall, Detective Chris Hsiung of the Mountain View, Calif.,
    -> police department began investigating a suspicious pattern of
    -> surveillance against Silicon Valley computers.
    
    Yeah, the city police dept. tracking international 'net crime. It's
    more likely that there's a guy with a green shirt and a goatee driving
    around a van called the Mystery Machine; and who understands his dog
    talking back to him; and who both successfully solve crimes while
    tripping over each other in the process while under the influence of
    dog treats.
    
    
    ->  ......  A forensic summary
    -> of the investigation, prepared in the Defense Department, said the
    -> bureau found "multiple casings of sites" nationwide. Routed through
    -> telecommunications switches in Saudi Arabia, Indonesia and Pakistan,
    -> the visitors studied emergency telephone systems, electrical
    -> generation and transmission, water storage and distribution, nuclear
    -> power plants and gas facilities.
    
    I know this seems kinda dumb, but why do these utilities need outside
    access into the "valuable" core computer systems. Why are "emergency
    telephone systems, electrical generation and transmission, water
    storage and distribution, nuclear power plants and gas facility"
    computers even allowed to have internet access? or access from the
    'net?
    
    if so, seems to me that pesky Greed factor at work, "Why can't we just
    use the internet instead of using our own phone lines? that would save
    tons of money!! I should get a raise for brainstorming this one!"
    Isn't this what led to the Y2K crunch? companies having to spend
    money on newer systems and updating old ones because they were too
    stingy to do it when they knew they *had* a problem before they *had*
    to fix them?
    
    -> Unsettling signs of al Qaeda's aims and skills in cyberspace have led
    -> some government experts to conclude that terrorists are at the
    -> threshold of using the Internet as a direct instrument of
    -> bloodshed.
    
    I remember this cry from the Chicken Little stories dating way back
    for years. When is someone actually going to commit an actual computer
    crime?? God forbid it's ever successful! I don't know how these
    "experts" keep their jobs by pointing to the terrorists as being
    skilled instead of the gov. systems admins being a bunch of morons
    for not updating their systems.
    
    Yeah, I know, there's so many patches and updates to do... sniffle...  
    but if you're constantly recompiling kernels for this fix or that,
    maybe you need to choose a different platform, a different
    application. And for systems/apps to even have ONE buffer overflow is
    just plain inept programming, testing and coding.
    
    The exploits of the Dynamic Duo are only tragic to the people they
    catch with their unsecured pants down. Does the Duo ever exploit
    non-published holes in software? If people did their jobs, then the
    Duo would be out of business! The same goes with virus infestations.
    If systems were protected, it would have never spread as fast. Yes,
    there are new vulnerabilities being "discovered" by independent
    sources, but why are the second or third strains taking advantage of
    the same vulnerabilities?? and why aren't the people who actually
    wrote the code finding their own errors!!!!??????
    
    -> The new threat bears little resemblance to familiar financial
    -> disruptions by hackers responsible for viruses and worms.
    
    OOOOOHHHHH! "financial disruptions" my ASS!! AKA the cost of a virus
    or a hack the company pays to clean up after it and to actually go out
    and buy the updated OS or new scanners they should have purchased
    ALREADY!!! oh, then there's the "lost revenue" of shutting a server
    down to install the software - AKA greed. I have *little* sympathy for
    companies being "hurt" by viruses alone being that the VAST majority
    are preventable.
    
    -> U.S. analysts believe that by disabling or taking command of the
    -> floodgates in a dam, for example, or of substations handling 300,000
    -> volts of electric power, an intruder could use virtual tools to
    -> destroy real-world lives and property.
    
    Again, why are these controls accessible from the 'net???
    
    -> "The event I fear most is a physical attack in conjunction with a
    -> successful cyber-attack on the responders' 911 system or on the power
    -> grid,"
    
    oh, like the 911 system is so foolproof now! there are so many times
    it either doesn't work or is busy or under-manned even if it exists in
    a market at all.
    
    -> Regarded until recently as remote, the risks of cyber-terrorism now
    -> command urgent White House attention.
    
    most things that get the attention of any political system regard
    politics. NEVER has a leader in any branch of the government been
    motivated for the sole purpose of defending rights or cutting costs if
    that said action will cost them a chance to be re-elected. AKA
    career-greed.
    
    
    -> The security flaw could have been exploited to .. halt "all control
    -> information exchanged between ground and aircraft flight control
    -> systems."
    
    again, why is there direct access of this to the public internet ???
    
    -> One al Qaeda laptop found in Afghanistan, sources said, had made
    -> multiple visits to a French site run by the Societé Anonyme, or
    -> Anonymous Society.
    
    he must not have deleted his cookies
    
    -> What is new and dangerous is that most of these devices are now being
    -> connected to the Internet
    
    OMG!!!  "What is new ... is that .. these devices are .. connected to
    the ['net]"... NOT!
    
    -> -- some of them, according to classified
    -> "Red Team" intrusion exercises, in ways that their owners do not
    -> suspect.
      ...right...
    
    -> Until recently, said Director John Tritak of the Commerce
    -> Department's
    -> Critical Infrastructure Assurance Office, many government and
    -> corporate officials regarded hackers mainly as a menace to their
    -> e-mail.
    
    WHAT??  I have never heard any story regarding e-mail hacks...  what a
    crock! and why would a government or corporate official even care how
    their security is set up? this means their IT dept. consists of a bunch
    of degenerates that don't know how to inform their own bosses of the
    issues at hand.
    
    -> "There's this view that the problems of cyberspace originate, reside
    -> and remain in cyberspace," Tritak said. "Bad ones and zeros hurt good
    -> ones and zeros
    
    Bad ones & zeros...  like there're also evil floppies and terminals
    lurking around corners to take out the good ones as well.
    
    -> "...al Qaeda prefers simple, reliable plans and would not allow the
    -> success of a large-scale attack "to be dependent on some
    -> sophisticated, tricky cyber thing to work.""
    
       simple is what simple does
    
    -> Roger Cressey, a longtime counterterrorism official who became chief
    -> of staff of the President's Critical Infrastructure Protection
    -> Board in October. "An attack is a question of when, not if."
    
       my question exactly.
    
    -> In a book-length Electricity Infrastructure Security Assessment, the
    -> industry concluded on Jan. 7 that "it may not be possible to provide
    -> sufficient security when using the Internet for power system
    -> control."  Power companies, it said, will probably have to build
    -> a parallel private network for themselves.
    
       WOW!  What a solution!!!
    
    
    -> Frustrated at the pace of repairs, Clarke traveled to San Jose on Feb.
    -> 19 and accused industry leaders of spending more on coffee than on
    -> information security. "You will be hacked," he told them. "What's
    -> more, you deserve to be hacked."
    
       YEAH!!!
    
    -> Experts said public companies worry about the loss of customer
    -> confidence and the legal liability to shareholders or
    -> security vendors when they report flaws.
    
       AKA greed
    
    -> "It doesn't matter whether it's al Qaeda or a nation-state or the
    -> teenage kid up the street," he said. "Who does the damage to you is
    -> far less important than the fact that damage can be done. You've got
    -> to focus on your vulnerability . . . and not wait for the FBI to tell
    -> you that al Qaeda has you in its sights."
    
       ...but will they?  not likely.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


