This is an archived project. See http://blogs.23.nu/disLEXia/stories/492/ for details and further pointers.

disLEXia

cyberwar -

Saturday, 01. February 2003

WEF/Cyber Attacks

http://www.weforum.org/...
Cyber Attacks and Society
24.01.2003
Annual Meeting 2003
Two or three years ago a session like this would have been considered science fiction, said Stephen Cole, Main Presenter, BBC World TV, United Kingdom. The proliferation of faster networks, wireless networks, and personal devices for sensitive information multiply the ease and potential damage of a cyber attack. And while investments are being made in disaster recovery, many businesses have yet to recognize the risk of an attack to their networks.

People don't realize that we are at war, said André Kudelski, President and Chief Executive Officer, Kudelski Group, Switzerland. Computer networks are under constant attack by would-be hackers. Some hackers are the cyber-equivalent of vandals, others determined thieves. In either case, we need to infiltrate the hacker community to discover risks before they materialize. Until we can devise a new architecture for the Internet, the computing world is playing catch-up with the hackers. And if secrecy is lost it cannot be recovered.

Erkki Liikanen, Commissioner, Enterprise and Information Society, European Commission, Brussels, noted how essential services - hospitals, schools, utilities - have become dependent on computer networks. Attack the networks and you can shut down a city, he said. The migration to broadband connections multiplies the opportunity for attack. But highlighting the risks could potentially undermine confidence in e-commerce, discouraging companies from availing themselves of the productivity gains it affords.

Government shouldn't interfere where business can function, he added. But in a few weeks, Liikanen pointed out, Europe's authorities will start operating a computer security network capable of alerting the corporate networking community when an attack occurs, preventing a spread. But he suggested that industry sectors create their own security networks to facilitate the spread of information across jurisdictions.

Alex Mandl, Chief Executive Officer, Gemplus International, France, said the failure of the changeover to the year 2000 on computers to disrupt networks undermined corporate concern about network security. It may take the network equivalent of 9/11 before business gets serious about the problem, he said. In creating security frameworks, government and the private sector have to cooperate. Government doesn't have the capacity to police the Internet, he said, and the private sector can't coordinate a solution on its own.

The press got Y2K wrong, said Leonard H. Schrank, Chief Executive Officer, SWIFT, Belgium. The money invested preparing networks for the millennium was not wasted, he said, it forestalled a catastrophe. If we are to avoid a financial Chernobyl in the future, we need to imagine and analyse what would happen if certain systems were hit. Hackers have access to technology on the Internet today that ten years ago even the CIA couldn't get. "I've never been more secure and felt more insecure," he said. Schrank also advised against the creation of a computer security czar in government: Government and business have to work together to build a framework for security, he said.

Malcolm Williamson, President and Chief Executive Officer, Visa International, USA, said it was clear there was a growing problem, one growing more complex every day as networks get faster and carry increasingly enormous amounts of mission-critical data. Attacks are growing more frequent, though many go unreported. And while financial information networks like Visa can control their member banks, more of those banks are outsourcing their networks to third-party services, multiplying the opportunity for attack. But without a deadline, the search for solutions lacks urgency. Somehow, he said, we have to inject urgency into solving this.

Creating legislation from country to country, Williamson warned, carries the risk of creating a Tower of Babel for international businesses. There is an urgent need for a cross-border communication channel to raise awareness and promote best practice on security policies.

[infowar.de]
00:24



Monday, 27. January 2003

comp.risks: Computer sabotage against Venezuela oil?

From: David Wagner <daw@cs.berkeley.edu>

Oil Daily quoted Ali Rodriguez (head of Venezuela's state oil company):

"[...] we have suffered many acts of sabotage at the terminals, the refiners, and even to some well-heads in Lake Maracaibo. There were even instances of computer hacking which did a lot of damage since much of the operation is centrally controlled by computer." [Source: *Oil Daily*, vol 53, no 9, 14 Jan 2003]
14:06



Massive Network Attack was a deliberate attack against South Korea

So is this cyberwar against South Korea or a worm and bad journalism?
02:30



Saturday, 25. January 2003

Net warfare is 'not just tech'

Joint Staff official says network-centric warfare has three equal parts: technology, organization and culture [FCW: Policy]
10:18



At least 50 Indian websites hacked by Pakistanis every month

ExpressIndia.com Jan 24 2003 10:05AM ET [moreover Computersecurity]
08:07



Monday, 13. January 2003

The Online Militia

A politically one-sided, pro-Israel group from the USA wants, on its own self-appointed mandate, to monitor the web and cleanse it of extremist Muslim sites
15:34



Tuesday, 10. December 2002

Cyber Hype

Cyberterrorism is giving governments an opportunity to curb civil liberties, but is it really a lethal weapon? Mike Butcher reports

Thursday December 5, 2002 The Guardian

Just hours after a surface to air missile passed within metres of an Israeli airliner in Kenya last week, media websites began humming. Internet chatrooms set up by Islamic sympathisers had been buzzing with rumours of an attack barely a week before. It was just one in a long line of hysterical media reports alluding to the way the internet has been co-opted by "cyberterrorists" for their evil ends.

Since September 11, for which much of the planning happened over email, cyber-terrorism - loosely defined as using computers to intimidate others to further political or social objectives - has become a useful buzzword. Governments have used it to justify ramping up internet monitoring and - some argue - a corresponding crackdown on civil liberties online.

The official fear is that religious or political zealots could, for instance, hack into a hospital computer system to change a ward's dosage of medicine; or switch off a city's power supply; or change the operations at a sewage treatment works to poison the water.

In November last year, the European Union member states signed the Convention on Cybercrime. It was the first international treaty on crimes committed via the internet and other computer networks, dealing with infringements of copyright, computer-related fraud, child pornography and violations of network security.

It also contained a series of powers, such as the search of networks and "legitimate interception" of communications traffic. Europe is not the only one to resort to these methods. Last Thursday, President Bush signed legislation creating the new Homeland Security Department, which will bring together 22 federal agencies to help stop nuclear, chemical and biological attacks, and, specifically, cyberterrorism.

Japan is so concerned about the possibilities of cyberattack that they have thrown a virtual fence around the country to check email and web traffic. But Hollywood-style hacker scenarios such as those outlined in the latest James Bond movie are far removed from reality. At least, that's according to the people who should know: the hackers themselves.

As hackers and security consultants gathered last week for Dublin's Hivercon conference, a newer and simpler argument was aired: that it is far easier to be a real-world terrorist than a virtual-world one.

Simple Nomad is a senior security analyst for BindView Corporation and a founder of the Nomad Mobile Research Centre, an internationally known group of hackers. He is concerned about how governments are using the cyberterrorist pretext to "sniff" personal email and web traffic.

"Cyberterrorism is a catchy phrase and seems to be a hot topic. I'm not saying that a hack could never lead to someone's death, but it's much easier for a terrorist to throw a knapsack of poison into a reservoir than to do something remotely with a computer," he says. "If I knew George Bush was going into hospital and would be on a life support system, conceivably I could interrupt the power grid or hit the back-up batteries in the middle of his operation. But most of these systems already have a lot of safeguards, mainly just to prevent simple accidents."

Nomad argues that the biggest hackers, in fact, are governments themselves. "There are at least 10 governments out there - like the US, the British, the Germans, the Chinese - with very sophisticated teams. In the name of cyberterrorism, there is more funding than ever going into the listening and data sniffing capability of governments."

It is this capability that is often being used by countries to gain commercial advantage over other countries, not prevent terrorism, claims Nomad. He says one of the biggest "sniffers" is the international Echelon project, set up by western governments to sniff the net, telephones, and almost everything digital to provide intelligence for the security services.

Most of Echelon is large scale, to do with all telecommunications - which is why, he says, national governments have had to introduce such legislation as the UK's Regulation of Investigatory Powers Act to be able to monitor pure ISP internet traffic.

So can hackers really gain access to sensitive data? "Most of the big stuff, like military systems, can't be accessed anyway. There are air-gaps - things not connected to the outside internet," says Nomad. He is dismissive of the recent case where Gary McKinnon, a 36-year-old former systems administrator from London, allegedly deleted files on a server used by a US navy command centre between April and September of last year. Nomad believes this is a rare case and that the files could not have been sensitive if they were accessible via the net.

Tom Reeve, editor of Security Voice magazine, agrees: "From a global perspective, I am far less concerned about cyberterrorism and hacking than acts of terrorism in the physical world. With bombs going off around the world and everyone wondering when al-Qaida will strike next, who cares if a web server gets hacked?"

He admits he would be as annoyed as anyone if his web site was hacked or defaced: "But you couldn't justify diverting large amounts of resources from anti-terrorism in the physical world to protect my assets in the virtual world."

That's the argument of Hivercon speaker Richard Thieme, a consultant who is also contributing editor for Information Security Magazine and a regular speaker at the Black Hat Briefings and DefCon, the well-known hacker conferences. Thieme says some of these cases are legitimate causes for concern, but that usually, cyberterrorism is a sideline affair.

"It's a lot easier to blow up a pipeline in the middle of nowhere than it is to hack your way in over a computer terminal," he says. "A single car bomb in the right place in Wall Street, in conjunction with the events of 9/11, would have taken out the US financial system. Not a hack."

Such "force multipliers" can make a terrorist attack a great deal worse. "Using hackers in conjunction with real world events would have more impact, but just bringing down a web server does not," he says. Cyberterrorising is more often than not directed at opposing groups, rather than governments.

In the Israeli-Palestinian battle, criminal hackers, or "crackers", on both sides are constantly attacking one another's web sites. A Pakistani cracker once stole the credit card numbers of members of a pro-Israel lobbying group and posted them online.

Indeed, it is the Middle East and the Indian sub-continent, not western Europe, that have often been at the forefront of official attempts to block techno-terrorists.

Last week, Indian mobile phone companies were facing the prospect of a government plan to tap into SMS (short messaging service) mobile mail services to combat malicious hackers. And last year, the Yaha virus emerged to launch a rudimentary denial of service attack on the Pakistan government's website. But since then, computer hackers have reverted to type - going for corporate systems in the main.

According to Synstar, an information security company, 1,057 corporate organisations were hacked in September - a five-fold increase over the previous year's 225 attacks.

Thieme is one of the first to admit that the internet - the ultimate "network technology" - helped create the events of September 11. Although America's intelligence communities were well aware of the threat posed by small bands of fundamentalists before 9/11, "it brought home to them that the way power is distributed has been changed by network technology", says Thieme.

In fact, in common with Simple Nomad, he points out that the US itself is capable of the biggest acts of cyberterrorism. "The US has enough electronic warfare capabilities in its own right. High power microwaves can knock out command and control centres. It's not necessary to just hack the enemy's network. We did this in Kosovo, and in Iraq."

"Ultimately, the idea of a cyber Pearl Harbor is pure hype. The surrender of some liberties in the name of security is about physical security and terrorism, not cyberterrorism, which is a less important subset. People are much more worried about dirty bombs and gas attacks."

Thieme argues that the true cyber threat does not come in the traditional form of the disaffected hacker located in a remote country, but the insider - the guy who already knows all the passwords and works inside the system.

"The next stage for technology is true globalisation. We'll see a single kind of flexible interface develop which unites all societies. So the biggest threat to society is an insider who uses our own technology like an insider - just as happened on 9/11."

In the final analysis, however, hackers saying they are not going to get involved in cyberterrorism is not going to be enough to call off the dogs and halt the data clampdown, even if some of the most sensitive systems are not directly connected to the internet.

Jason Hart, head of security with consultants says: "As far as we know, no one has died as a result of the work of a hacker, but we'll never know the true answer because of the nature of hacking.

'Good' hackers don't leave any trace of their incursion into a system. So, for instance, someone could hack into an airline system to change the weight allowance on an airliner's payload, causing the plane to crash on take-off or landing.

"Everyone is aware of the physical threat to, say a reservoir, but at the end of the day, that threat has to be checked using computer systems, which are vulnerable," says Hart. He points to evidence that drug cartels have employed hackers to do such things as fooling banking systems to take a pound every month from 20,000 individual credit card accounts.

"You can hide the fact that a pound goes missing and use that money to fund more hacking. Terrorists could use this model to fund their own activities." "The biggest threat is ignorance - people believing it will not happen to them." [LinuxSecurity.com]
09:09



Monday, 02. December 2002

Dutch spies spied upon

[Backdoors in Dutch surveillance equipment]

The surveillance equipment of the Dutch intelligence service and about half of the equipment of the police there is insecure. Information about tapped phone calls or Internet connections can leak out through backdoors, namely to Israel, reports the Dutch c't, citing informed circles within the Dutch intelligence service.

The holes are said to have been built in by the company that installed the systems: Verint, based in Israel. Until half a year ago the company was called Comverse-Infosys. It was reportedly renamed quickly after FBI investigators got on the company's trail. Some Verint employees were reportedly arrested for "e-espionage".

Yet the Dutch government could have been forewarned, because it is said to have received indications of possible backdoors as early as three years ago, and the Dutch c't also pointed out the problem in June 2001. The abuses reportedly came to light in connection with the court proceedings against the chairman of the Kurdish parliament in exile, Huseyin Baybasin, who is said to have been charged on the basis of information that the Turkish authorities received from Israeli sources and that in turn is said to have originated with the Dutch intelligence service. [heise]
21:11



Saturday, 23. November 2002

Is the new wave of cyber security just to stop web terrorism ... or is there a hidden agenda?

THE trouble with IT is that the more significant it becomes, the more open it is to attack from the same collection of reactionary fools, simian thugs and intellectual pygmies that have worked so hard to screw up the rest of human endeavour for us.

In moves that will no doubt have delighted Iraqi bunker manufacturers, the CIA this month warned that fundamentalist Muslim terror group Hezbollah is among a gaggle of shadowy miscreants hoping to wreak havoc upon the West with a wave of 'cyber-attacks'. Lawks a lawdy -- this is scary stuff.

With breathtaking serendipity, this stark message was bolstered on the same day by an announcement in London by security specialists mi2g that terrorist-backed hacking attacks on the web have increased 10-fold over the past month. The company, which has a board and advisory committee packed with players from the diplomatic, defence and intelligence services, claims that at least 3001 such incursions took place in October.

Connoisseurs of irony, for whom these are rich and fruitful times, will have enjoyed the fact that if the digital revolution is seriously threatened at all, it is largely by the people making such big pronouncements.

Let's cast our minds back to 2001, when the spectre of Code Red threatened to bring the web grinding to a halt. While off-the-record briefings from the FBI's National Infrastructure Protection Centre (NIPC) hinted strongly that the malicious worm was a Chinese cyber-attack responsible for a 30% slowing down in web speeds, it transpired that a non-politically motivated hacker from London was later arrested and the velocity breakdown traced to a train derailment in Baltimore.

By the time the truth was out the damage had been done, but that didn't particularly bother an agency that only days before had been officially censured for its incompetence and was in desperate need of a PR victory. Doubtless the security industry had no regrets over the free publicity either.

There can be no doubt that hacking does pose a very real threat to businesses and governments. Increased use of online services means that malevolent geeks have a multitude of targets to choose from, and clearly these need to be protected.

What's odd, however, is the unbelievably convenient political nature of the threats reported by security agencies. During the trial of Oklahoma bomber Timothy McVeigh it was white supremacists haunting our wires, a danger that was momentarily replaced by the online Cuban menace before switching to the Red Chinese. Since September 11, all the action has apparently been routed from Islam.

In much the same way that fear of terrorist attack has been used to introduce levels of surveillance and executive power in the US that would once have been considered massively unconstitutional, the spooks are now moving to cover the online world. The net is too democratic and makes information and ideas too accessible for such agencies to control, and consequently they're going to do something about it. Sunday Herald Nov 23 2002 3:32PM ET [moreover Computersecurity]
21:41



Thursday, 21. November 2002

War with Iraq will mean virus outbreak, hacker says

A Malaysian virus writer who is sympathetic to the cause of the al-Qaeda terrorist group and Iraq and who has been connected to at least five other malicious code outbreaks is threatening to release a megavirus if the U.S. launches a military attack against Iraq...

Melhacker confirmed earlier reports by Chantilly, Va.-based iDefense Inc. that he has developed and tested a "three-in-one" megaworm code-named Scezda that combines features from the well-known SirCam, Klez and Nimda worms. [The Hacktivist]
21:35



Tuesday, 19. November 2002

Bin Laden associate warns of cyberattacks

Sheikh Omar Bakri Muhammad, spokesman for Osama bin Laden, said all types of technology, including the Internet, are being studied for use in the global jihad against the West. [Help Net Security]
15:19



Saturday, 19. October 2002

Beltway sniper takes out FBI cyber-sleuth

An armed lunatic plaguing the Washington, DC area has managed to do more harm to American cyber-defence with a single .223 caliber bullet than an entire squadron of PLA hackers could hope to accomplish, Vmyths editor Rob Rosenberger points out in a recent rant.

FBI National Infrastructure Protection Center (NIPC) cyber-analyst Linda Franklin became the Beltway sniper's eleventh victim shot and ninth victim murdered last Monday as she loaded her car with merchandise in a suburban DC shopping mall.

For Rosenberger it's an opportunity to consider the irony of the federal government's cyber-terror fear mongering.

"A single bullet took out more 'computing' power at FBI NIPC than a cyber-terrorist could ever hope to achieve. Second: this assassination inflicted a quantifiable, tangible damage both in terms of money (e.g. casualty insurance) and lost manpower, which is something the FBI and the White House cannot quantify when it comes to the non-existent cyber-terrorism they fear so much," he observes. [The Register: Security]
06:52



Thursday, 25. July 2002

Risks from cyberterrorism

Cybersecurity experts are busy lobbying Congress for protections from liability lawsuits but some analysts say the media may be over-stating the risks from terrorist cyber attacks. Marc Maiffret of eEye Digital Security says, "Terrorists are only recently starting to realize the benefits of having people within their organizations that have real hacking skills," and University of South California professor of communications Douglas Thomas adds: "Cyber-terrorism is a lot more difficult than many people assume." Even so, security expert Stanley Jarocki warns that terrorists could do a lot of damage by cracking U.S. corporate systems: "Today, some say it would be easier for a terrorist to attack a dam by hacking into its command-and-control computer network than it would be to obtain and deliver the tons of explosives needed to blow it up. Even more frightening, such destruction can be launched remotely, either from the safety of the terrorist's living room, or their hideout cave." [AP/USA Today 24 Jul 2002; NewsScan Daily, 25 July 2002] http://www.usatoday.com/tech/news/computersecurity/2002-07-24-cybersecurity-protection_x.htm ["NewsScan" <newsscan@newsscan.com> via risks-digest Volume 22, Issue 18]
15:56



Friday, 14. June 2002

Microsoft's Allchin: API disclosure may endanger U.S.

From a 2002/05/13 article by Caron Carlson in eweek.com:
http://www.eweek.com/article/0,3658,s%253D701%2526a%253D26875,00.asp

"A senior Microsoft Corp. executive [Jim Allchin] told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed."

and later, directly quoting Allchin...

"Computers, including many running Windows operating systems, are used throughout the United States Department of Defense and by the armed forces of the United States in Afghanistan and elsewhere."

Microsoft proposes to withhold details of the MSMQ protocol (TCP port 1801 and UDP port 3527), the Windows File Protection API, as well as APIs for anti-piracy protection and digital rights management under the security carve-out.

I recall that the Windows NT family of operating systems was designed to meet DOD's C2 security criteria, including the Orange Book (standalone, which they passed), as well as Red Book (networking) and Blue Book (subsystems) criteria which they started working on at least 4 years ago; I don't know if they've yet passed, but I suspect not if it's so flawed that they don't want to disclose the protocol or API! See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnproasp2/html/windowsntsecuritysystems.asp

So, one risk of flawed software might be that you have to publicly invoke national security (read patriotism) as a last refuge from legal process.

[Active Quality Software <activequalitysw@la.com> via risks-digest Volume 22, Issue 13]
19:09



Tuesday, 23. October 2001

Web defacement and cyberattacks

GForce Pakistan hackers defaced the U.S. Defense Test and Evaluation Processional Institute Web site www.dtepi.mil as well as enduringfreedom.dtepi.mil and nasa.dtepi.mil http://www.newsbytes.com/news/01/171341.html after which a rival group of Pakistani vigilante hackers (Yiyat) identified the purported culprit and retaliated. http://www.newsbytes.com/news/01/171365.html

[Above text PGN-ed from the URLs. I tried to verify the "processional", but dtepi.mil was apparently off the Net. PGN]

Also, an interesting CNN article on a DoE cyberattack scenario. Best quote:

The important lesson is that Black Ice showed how interdependent are the various infrastructure systems -- including telecommunications, utilities and banking -- and how major might be the combined effects of cyber- and physical attacks, she says.

"The infrastructure system providers didn't understand the interdependencies among their systems," Scalingi says. "If you talk to state and local government and local utilities, they'll tell you they have great response plans. The problem is, they write them in isolation." http://www.cnn.com/2001/TECH/ptech/10/21/black.ice.idg/index.html [Dave Stringer-Calvert <dave_sc@csl.sri.com> via risks-digest Volume 21, Issue 71]
00:00



disLEXia, a research project by Maximillian Dornseif


This is category cyberwar of the disLEXia project. It is also available in machine-readable format, e.g. to use with news aggregators: