[ISN] How an e-mail virus could cripple a nation

From: InfoSec News (isnat_private)
Date: Mon Aug 11 2003 - 00:23:17 PDT


    Forwarded from: William Knowles <wkat_private>
    
    http://www.zdnet.com/anchordesk/stories/story/0,10738,2914453,00.html
    
    Robert Vamosi,
    Senior Associate Editor,
    CNET/ZDNet Reviews
    August 11, 2003 
    
    With a publicly available search engine, a few well-chosen e-mail 
    addresses, and off-the-shelf viral code, anyone can commit an act of 
    cyberterrorism--or so says Roelof Temmingh, technical director of 
    SensePost, a South African computer security company. 
    
    Speaking at the recent Black Hat Briefings and Defcon 11 conferences, 
    Temmingh explained that the current methods of assailing computer 
    networks--denial-of-service attacks (DoS) or remote 
    break-ins--inconvenience too few people to really impact a nation's 
    information infrastructure. The sort of exploit that could really hurt 
    a country, Temmingh suggests, would more likely be based on e-mail 
    viruses, a concept he outlined in a recent paper [1]. 
    
    HOPEFULLY, learning about how the unthinkable could happen should help 
    us prepare for and minimize the damage of such an event, should it 
    ever occur. 
    
    Temmingh and his associates got a chance to investigate his theory 
    while working with a South African bank. They decided to see how easy 
    it would be to infect a bank's computer systems (which presumably are 
    pretty secure) with an e-mail-borne virus. 
    
    Since e-mail attachments are relatively easy for IT departments to 
    detect, they started by embedding in an e-mail message a link to a Web 
    site that could have contained malicious code (but didn't, because the 
    team didn't want to actually infect the bank's computers). Of the 
    thirteen IT people working at the bank, eight downloaded the 
    executable file linked to in the e-mail, and five actually executed 
    the code on their desktop systems. This means, had the virus been 
    real, the bank's entire network could have been infected. 
    
    FROM THIS experiment Temmingh extrapolated that a cyberterrorist could 
    effectively deliver malicious code to any organization, anywhere in 
    the world. If that individual sent the infected e-mail simultaneously 
    to individuals in government agencies and the military, it could have 
    devastating effects on a country's ability to communicate, carry out 
    business, and defend itself. 
    
    The key to this attack is finding real e-mail addresses to target. For 
    this, Temmingh wrote a few scripts that use Google to search for 
    public references to e-mail addresses on the Web. The scripts allow 
    him to search for e-mails from a given country, and hunt in particular 
    for individuals working for telecommunication and financial companies, 
    energy providers, governmental departments, the military, the media, 
    prominent local businesses, and hospitals. 
    
    There are plenty of addresses available, especially on bulletin boards 
    and in discussion forums. If a malicious user could infect just one 
    government system (even if it's the desktop machine of a low-ranking 
    official), he could, in theory, infect larger government computer 
    systems as well. 
    
    WITHIN MINUTES of running the scripts at the Black Hat conference, 
    hundreds of e-mails belonging to U.S. military and government 
    employees showed up on Temmingh's presentation screen. Judging from 
    the collective gasp from the audience (composed mainly of U.S. 
    government, military, and private computer security experts), Temmingh 
    made his point. 
    
    Some may not agree with me, but I don't think talking and writing 
    about this sort of attack is a blueprint for disaster. Rather, 
    becoming informed about how cyberterrorists could hurt us helps our 
    security community learn how to protect against these threats. 
    
    The U.S. government has long worried that a cyberattack could cripple 
    our nation's infrastructure. Before Sept. 11, it was one of the White 
    House's key security concerns. But we were betting cyberterrorists 
    would have to be very clever to pull something like this off. It turns 
    out that's not true. Now that we're aware of how easy it could be to 
    carry out such an attack, we must turn our attention to making sure 
    we're prepared for it. 
    
    [1] http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-sensepost/bh-us-03-sensepost-paper.pdf
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 04:01:29 PDT