[ISN] Cyber hype

From: InfoSec News (isnat_private)
Date: Thu Dec 05 2002 - 22:42:21 PST


    Mike Butcher 
    December 5, 2002
    The Guardian 
    Just hours after a surface to air missile passed within metres of an
    Israeli airliner in Kenya last week, media websites began humming.  
    Internet chatrooms set up by Islamic sympathisers had been buzzing
    with rumours of an attack barely a week before. It was just one in a
    long line of hysterical media reports alluding to the way the internet
    has been co-opted by "cyberterrorists" for their evil ends.
    Since September 11, for which much of the planning happened over
    email, cyber-terrorism - loosely defined as using computers to
    intimidate others to further political or social objectives - has
    become a useful buzzword. Governments have used it to justify ramping
    up internet monitoring and - some argue - a corresponding crackdown on
    civil liberties online.
    The official fear is that religious or political zealots could, for
    instance, hack into a hospital computer system to change a ward's
    dosage of medicine; or switch off a city's power supply; or change the
    operations at a sewage treatment works to poison the water.
    In November last year, the European Union member states signed the
    Convention on Cybercrime. It was the first international treaty on
    crimes committed via the internet and other computer networks, dealing
    with infringements of copyright, computer-related fraud, child
    pornography and violations of network security.
    It also contained a series of powers, such as the search of networks
    and "legitimate interception" of communications traffic. Europe is not
    the only one to resort to these methods. Last Thursday, President Bush
    signed legislation creating the new Homeland Security Department,
    which will bring together 22 federal agencies to help stop nuclear,
    chemical and biological attacks, and, specifically, cyberterrorism.
    Japan is so concerned about the possibilities of cyberattack that they
    have thrown a virtual fence around the country to check email and web
    traffic. But Hollywood-style hacker scenarios such as those outlined
    in the latest James Bond movie are far removed from reality. At least,
    that's according to the people who should know: the hackers
    As hackers and security consultants gathered last week for Dublin's
    Hivercon conference, a newer and simpler argument was aired: that it
    is far easier to be a real-world terrorist than a virtual-world one.
    Simple Nomad is a senior security analyst for BindView Corporation and
    a founder of the Nomad Mobile Research Centre, an internationally
    known group of hackers. He is concerned about how governments are
    using the cyberterrorist pretext to "sniff" personal email and web
    "Cyberterrorism is a catchy phrase and seems to be a hot topic. I'm
    not saying that a hack could never lead to someone's death, but it's
    much easier for a terrorist to throw a knapsack of poison into a
    reservoir than to do something remotely with a computer," he says. "If
    I knew George Bush was going into hospital and would be on a life
    support system, conceivably I could interrupt the power grid or hit
    the back-up batteries in the middle of his operation. But most of
    these systems already have a lot of safeguards, mainly just to prevent
    simple accidents."
    Nomad argues that the biggest hackers, in fact, are governments
    themselves. "There are at least 10 governments out there - like the
    US, the British, the Germans, the Chinese - with very sophisticated
    teams. In the name of cyberterrorism, there is more funding than ever
    going into the listening and data sniffing capability of governments."
    It is this capability that is often being used by countries to gain
    commercial advantage over other countries, not prevent terrorism,
    claims Nomad. He says one of the biggest "sniffers" is the
    international Echelon project, set up by western governments to sniff
    the net, telephones, and almost everything digital to provide
    intelligence for the security services.
    Most of Echelon is large scale, to do with all telecommunications -
    which is why, he says, national governments have had to introduce such
    legislation as the UK's Regulation of Investigatory Powers Act to be
    able to monitor pure ISP internet traffic.
    So can hackers really gain access to sensitive data? "Most of the big
    stuff, like military systems, can't be accessed anyway. There are
    air-gaps - things not connected to the outside internet," says Nomad.  
    He is dismissive of the recent case where Gary McKinnon, a 36-year-old
    former systems administrator from London, allegedly deleted files on a
    server used by a US navy command centre between April and September of
    last year. Nomad believes this is a rare case and that the files could
    not have been sensitive if they were accessible via the net.
    Tom Reeve, editor of Security Voice magazine, agrees: "From a global
    perspective, I am far less concerned about cyberterrorism and hacking
    than acts of terrorism in the physical world. With bombs going off
    around the world and everyone wondering when al-Qaida will strike
    next, who cares if a web server gets hacked?"
    He admits he would be as annoyed as anyone if his web site was hacked
    or defaced: "But you couldn't justify diverting large amounts of
    resources from anti-terrorism in the physical world to protect my
    assets in the virtual world."
    That's the argument of Hivercon speaker Richard Thieme, a consultant
    who is also contributing editor for Information Security Magazine and
    a regular speaker at the Black Hat Briefings and DefCon, the
    well-known hacker conferences. Thieme says some of these cases are
    legitimate causes for concern, but that usually, cyberterrorism is a
    sideline affair.
    "It's a lot easier to blow up a pipeline in the middle of nowhere than
    it is to hack your way in over a computer terminal," he says. "A
    single car bomb in the right place in Wall Street, in conjunction with
    the events of 9/11, would have taken out the US financial system. Not
    a hack."
    Such "force multipliers" can make a terrorist attack a great deal
    worse. "Using hackers in conjunction with real world events would have
    more impact, but just bringing down a web server does not," he says.  
    Cyberterrorising is more often than not directed at opposing groups,
    rather than governments.
    In the Israeli-Palestinian battle, criminal hackers, or "crackers", on
    both sides are constantly attacking one another's web sites. A
    Pakistani cracker once stole the credit card numbers of members of a
    pro-Israel lobbying group and posted them online.
    Indeed, it is the Middle East and the Indian sub-continent, not
    western Europe, that have often been at the forefront of official
    attempts to block techno-terrorists.
    Last week, Indian mobile phone companies were facing the prospect of a
    government plan to tap into SMS (short messaging service) mobile mail
    services to combat malicious hackers. And last year, the Yaha virus
    emerged to launch a rudimentary denial of service attack on the
    Pakistan government's website. But since then, computer hackers have
    reverted to type - going for corporate systems in the main.
    According to Synstar, an information security company, 1,057 corporate
    organisations were hacked in September - a five-fold increase over the
    previous year's 225 attacks.
    Thieme is one of the first to admit that the internet - the ultimate
    "network technology" - helped create the events of September 11.  
    Although America's intelligence communities were well aware of the
    threat posed by small bands of fundamentalists before 9/11, "it
    brought home to them that the way power is distributed has been
    changed by network technology", says Thieme.
    In fact, in common with Simple Nomad, he points out that the US itself
    is capable of the biggest acts of cyberterrorism. "The US has enough
    electronic warfare capabilities in its own right. High power
    microwaves can knock out command and control centres. It's not
    necessary to just hack the enemy's network. We did this in Kosovo, and
    in Iraq."
    "Ultimately, the idea of a cyber Pearl Harbor is pure hype. The
    surrender of some liberties in the name of security is about physical
    security and terrorism, not cyberterrorism, which is a less important
    subset. People are much more worried about dirty bombs and gas
    Thieme argues that the true cyber threat does not come in the
    traditional form of the disaffected hacker located in a remote
    country, but the insider - the guy who already knows all the passwords
    and works inside the system.
    "The next stage for technology is true globalisation. We'll see a
    single kind of flexible interface develop which unites all societies.  
    So the biggest threat to society is an insider who uses our own
    technology like an insider - just as happened on 9/11."
    In the final analysis, however, hackers saying they are not going to
    get involved in cyberterrorism is not going to be enough to call off
    the dogs and halt the data clampdown, even if some of the most
    sensitive systems are not directly connected to the internet.
    Jason Hart, head of security with consultants says: "As far as we
    know, no one has died as a result of the work of a hacker, but we'll
    never know the true answer because of the nature of hacking.
    'Good' hackers don't leave any trace of their incursion into a system.  
    So, for instance, someone could hack into an airline system to change
    the weight allowance on an airliner's payload, causing the plane to
    crash on take-off or landing.
    "Everyone is aware of the physical threat to, say a reservoir, but at
    the end of the day, that threat has to be checked using computer
    systems, which are vulnerable," says Hart. He points to evidence that
    drug cartels have employed hackers to do such things as fooling
    banking systems to take a pound every month from 20,000 individual
    credit card accounts.
    "You can hide the fact that a pound goes missing and use that money to
    fund more hacking. Terrorists could use this model to fund their own
    activities. "The biggest threat is ignorance - people believing it
    will not happen to them."