funsec mailing list archives

Re: US 'unprepared for cyber 9/11'


From: "David Harley" <david.a.harley () gmail com>
Date: Mon, 22 Dec 2008 07:34:27 -0000

I've wondered whether someone in Al Qaeda read "Debt of Honor" and
"Executive Orders" and said "Aha!" 

Some of the Clancy franchises are much less readable, but I guess there are
some ideas worth thinking about in there.

--
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET LLC
 

-----Original Message-----
From: funsec-bounces () linuxbox org 
[mailto:funsec-bounces () linuxbox org] On Behalf Of Tomas L. Byrnes
Sent: 21 December 2008 18:37
To: Jon.Kibler () aset com; John C. A. Bambenek, GCIH, CISSP
Cc: funsec () linuxbox org
Subject: Re: [funsec] US 'unprepared for cyber 9/11'

Prior to 9/11 Tom Clancy posited using airplanes as Cruise 
missiles in the opening scenes of "Executive Orders". He's 
been pretty prescient in his description of our 
vulnerabilities, so maybe reading some of his "Net Force" 
books might be useful to those dreaming up defense and 
contingency plans.



-----Original Message-----
From: funsec-bounces () linuxbox org 
[mailto:funsec-bounces () linuxbox org]
On Behalf Of Jon Kibler
Sent: Sunday, December 21, 2008 9:35 AM
To: John C. A. Bambenek, GCIH, CISSP
Cc: funsec () linuxbox org
Subject: Re: [funsec] US 'unprepared for cyber 9/11'

John C. A. Bambenek, GCIH, CISSP wrote:
Tell me exactly how any scenario of a "cyber 9-11" would entail 
anything on the scale of a loss of 3,000 lives. Hyperbole does not 
serve our industry well.


I can think of several scenarios where lives could be lost from an intentional attack against critical infrastructure under computer control. Here are a few examples:

  1) There have already been deaths (from too much X-ray exposure) due to software bugs. An intentional attack against medical devices could kill people.

  2) The DoE has already demonstrated that an attack against SCADA systems can damage power generation infrastructure beyond quick repair. A widespread attack against the generation systems could disrupt power for weeks to months on end. If that occurred in conjunction with a major winter storm, people could easily freeze to death or die of CO poisoning, as has already happened in relatively minor power outages in mid-winter in the U.S. northeast and midwest.

  3) Remember Bhopal, India? That was an accidental wrong positioning of a valve on a chemical tank that led to a chemical spill that killed or injured thousands. Today, much of this type of chemical plant infrastructure is under computer control. An intentional attack could easily result in a chemical spill that could injure or kill thousands. For example, just look at the number of chemical plants directly across the river from NYC in Jersey. Each one of those is a ticking time bomb.

These are just a few ways that 'computers can kill.' I could go on for pages with other hypothetical scenarios that you would probably dismiss as "would never happen." But, prior to 9/11, what would you have said if someone told you that it was likely that terrorists would hijack airplanes and crash them into major buildings, killing thousands? I am sure that you would have also dismissed that as "would never happen," too.

Jon K
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

