[ISN] A year of living dangerously

From: InfoSec News (isn@private)
Date: Wed Dec 28 2005 - 23:40:41 PST


http://www.globetechnology.com/servlet/story/RTGAM.20051228.gtkirwandec28/BNStory/Technology/

By MARY KIRWAN 
December 28, 2005 
Special to Globe and Mail Update

What dreadful images were seared into our collective imagination in 
2005, as terrorists continued to ply their villainous trade, and 
destroy innocent lives.

What will remain with me will be the pictures of the smouldering 
wreckage of a topless London double-decker bus, and the certain 
knowledge that Dante's Inferno was raging deep beneath the streets of 
London. And who can forget the image of the young female barrister 
emerging from the carnage, her face covered in an eerie white gauze?

And the equally tragic aftermath, as an innocent UK immigrant is shot 
to death on a commuter train in a badly botched police surveillance 
operation. Even more recently, fear claimed another victim, as U.S. 
plain-clothes police killed a mentally ill airline passenger in Miami 
who claimed to have a bomb.

After 911, numerous anti-terrorism laws were passed around the world, 
in a vain attempt to get a grip on the war on terror. But when the 
enemy is faceless, and does not seek to satisfy any discernible 
objective - except to wreak carnage on a global scale - it is far 
harder to root him out. Civil libertarians believe we have done great 
harm in the process to our way of life, and that we are no safer as a 
result.

But are we safer?

We are told that since 911, we are far safer when we travel thanks to 
technological and operational changes. Yet cargo goes unchecked, and 
investigative journalists and security "experts" around the world 
routinely bypass airport security, smuggle weapons, and wander about 
secure zones, unchallenged by airport personnel. It would almost be 
funny, if it weren't so terrifying.

The Final Report on the 9/11 Commission Recommendations released this 
month, graded the U.S. Transportation system with an 'F', finding that 
"few improvements have been made to the existing passenger screening 
system since right after 9/11." The Commission found that checked bag 
and cargo screening improvements "have not been made a priority by the 
Congress or the administration," and that "progress on implementation 
of in-line screening has been slow" - due to "inadequate funding."

Yet money, as I wrote in my last column, is being thrown about - with 
gay abandon by governments acting like drunken sailors - on all manner 
of ill-considered IT projects that are probably doomed from the 
outset. Meanwhile, common-sense initiatives with discernible security 
benefits are starved of funding.

The role of technology

And if you scratch the surface, you will find technology implicated 
somewhere along the way. As everything is digitized, and the Net 
infiltrates every nook and cranny of our lives, there are sure to be 
consequences. Meanwhile, security experts around the world are 
bickering about whether the threat of cyber-terrorism is real.

FBI assistant director Louis M. Reigel recently stated that a 
cyber-terrorism capability simply doesn't exist today. In the same 
breath, he admitted that the third version of the Sober worm spread so 
quickly that it almost took out the FBI's computer systems entirely 
before a fix was found.

I fear that we need to spend more time thinking out of the box, rather 
than wasting time discounting the threat of cyber-terror and 
nit-picking. Terrorists are clearly aware that technology can augment and 
support their operations. It surely does not have to be all or 
nothing, as blended threats to critical infrastructure sectors, in 
particular, remain very real.

In Australia, for example, the Ten News Network recently reported that 
a bomb threat was received by Delta Electricity in New South Wales. 
The utility was extorted to pay an undisclosed amount, or face the 
consequences. The threat was reported to have been made against one of 
the four plants they operate in the state. It was taken very seriously 
by Delta and law-enforcement, and security at the plants was 
reportedly "upgraded."

There is nothing new about criminals combining extortion with 
old-fashioned terror tactics, but if you add targeted viruses and 
sophisticated malware to the mix - things that have the potential to 
cause widespread havoc, and expose highly sensitive data - you have a 
very potent brew indeed.

By way of example, the codes required to enter secure areas at 16 
Japanese airports and one in Guam recently appeared on the Internet. A 
virus infected a computer belonging to a Japan Airlines co-pilot, and 
his computer leaked these highly sensitive details onto the Web. 
Although JAL has regulations prohibiting the downloading of sensitive 
information to personal computers, reports indicate that the airport 
codes were "too widely known" among "aircrews, ground staff, 
maintenance workers, cleaners and other airport staff" to be 
considered off-limits.

And that was seemingly an 'innocent' error. Imagine a targeted attack.


Failure of imagination

As kids we are told to 'let our imaginations run wild,' but life has a 
way of kicking us back to earth with a resounding bang. Who has time 
for imagination? However, a failure of imagination can have all kinds 
of undesirable and unpredictable consequences. It can even get people 
killed. And it surely facilitates crime, as we stay perennially one 
step behind the bad guys.

The 911 Commission attributed much of the failure to predict and 
counter the threat from extremists to such a failure of imagination. 
Intelligence analysts had predicted that terrorists might hijack 
planes to fly them into targets, but it was assumed the planes would 
come from outside the U.S. and that there would be ample time to shoot 
them down. The Commission also found that there was an inordinate 
emphasis on old, rather than evolving threats.

In essence, we simply forgot to expect the unexpected.

But career criminals and terrorists are not constrained by morality or 
lack of imagination. They will use whatever tools are at their disposal 
to achieve their goals, including the Internet and complex technology.

Colombian drug cartels and organized crime are old hands at using 
technology to facilitate business. As a one-time drug prosecutor, I 
was always struck by the pragmatic way that high-level drug dealers 
described their business - many of them spoke like the crème de la 
crème of the MBA crop. Of course, many have business, legal and 
technical training, and they will use all the tricks in the book to 
improve business. Including violence, extortion, intimidation - and 
technology.

Detective Ken Reimer of the Toronto Police Service's fraud squad, an 
expert on debit card fraud, spends a good part of his life watching 
criminals use technology to constantly refine their methods to steal 
personal identification numbers (PINs) and magnetic strip codes from 
the back of debit cards - creating ever more elaborate false fronts 
for ATM machines, and false card readers with embedded chip technology 
that can read and store PIN numbers. The lynchpins of these lucrative 
operations are known to police to have computer and engineering 
backgrounds.

They also will go to considerable lengths to defeat technology - if it 
is worth their while. They issue "tenders" to the black market for 
specifications to break the latest bank equipment that tries to foil 
debit card crime - and the battle goes on. Detective Reimer and his 
colleagues express frustration that repeat offenders are routinely 
released on bail, and they must watch them drive straight from the 
courthouse to their next target location to try out their latest 
skimming device.

But at least garden-variety criminals are predictable, as they are 
invariably motivated by money. But terrorists need money too, to 
realize their apocalyptic conflagrations - and the links between 
organized crime and terrorists have always been amorphous, but 
nonetheless real.

Criminals of all stripes will continue to exploit technology for their 
own ends. They will 'mix and match' - blend the old with the new, and 
attempt to foil law enforcement efforts to track them.

Detective Reimer has encountered encryption on laptops seized from bad 
guys, but so far police have been able to crack the codes. However, if 
criminals and terrorists use very strong encryption correctly, it can 
be impossible to break it. What then?

Cpl. Jamie Driscoll of the RCMP Electronic Surveillance Support Unit 
agreed that the ever-changing nature of technology is an ongoing 
challenge, but he is confident that the RCMP can evolve to match the 
capabilities of their tech-savvy adversaries.

But we will not stay ahead, or even keep pace, with people who desire 
to do us harm, if we fixate on irrelevant distinctions, and stop 
thinking out of the box. Or if we keep throwing good money after bad.

Can we look forward to a common-sense revolution in 2006?

In the spirit of the season, I remain optimistic. Happy holidays.





