Information Security News mailing list archives

A Big LOL for FBI Alert


From: InfoSec News <isn () c4i org>
Date: Thu, 8 Aug 2002 03:08:38 -0500 (CDT)

http://www.wired.com/news/politics/0,1283,54382-2,00.html

By Michelle Delio 
10:05 a.m. Aug. 7, 2002 PDT 

In a Chicken Little-like incident that flew under virtually every
computer security expert's radar, the FBI's National Infrastructure
Protection Center bravely predicted and monitored a ferocious
cyberattack Tuesday morning on U.S. computer systems, launched by an
army of European enemy hackers.

Never mind that no independent Internet traffic monitoring service or
security expert had even noticed that any sort of cyberattack had
occurred.

The FBI's National Infrastructure Protection Center warned of the
impending widescale hacker attacks in an alert issued on Monday. Then,
on Tuesday, according to wire reports, Richard Clarke -- the Bush
administration's top official for cyber-security -- said, "There was a
real spike in Internet traffic at odd hours. It was clearly unusual
because it was five-times and seven-times normal, but it didn't take
anything down."

Perhaps there may have been a brief rise in Internet traffic early
Tuesday morning -- but it was a mere blip on the screen if anything,
security experts said. But the general consensus is that Monday's
alert was a self-created crisis caused by an over-reactive,
publicity-seeking government agency, sparked by the idle online
conversations of a band of young and aspiring "hackers" who had
threatened to attack U.S. sites in retaliation for the Aug. 1 arrest
of 14 Italian hackers in Milan.

"It is bizarre," ventured Vern Paxton, senior scientist with the
International Computer Science Institute in Berkeley, California. "And
if there were political cyberattacks, then they appear miserably
unsuccessful. What sort of politically motivated attacker targets East
Coast sites at 2 a.m., EDT?"

The "enemy" combatants appear to be a half-dozen, evidently clueless
Italian youngsters who couldn't even sort out the time difference
between Italy and the East Coast of the United States.

Last week, Italian police arrested 14 local hackers, acting on tips
received from American officials. The Italian hackers are charged with
attacking U.S. government sites, including those belonging to the Army
and NASA.

And some published news reports indicated that the NIPC's hack attack
alert on Monday was based on information provided by Italian
authorities.

Italian computer security experts said that they had noticed "vague
threats" about retaliatory hacks, but dismissed them since the threats
appeared to be originating from youngsters.

"There was some talk on Italian Internet chat channels about DOSing
and defacing American websites last week in response to the Milano
arrests," Augustine DelFalco, a security consultant based in Rome,
said. "But to me it was apparent that the conversations were being
conducted by young teenagers. It's odd that such nonsense should
concern your government."

"At one point, the kids said they would attack at 9 in the morning,
when the American business was just getting started," DelFalco added.  
"Young children who perhaps didn't know of the time difference?"

George Smith, editor of virus and computer security information site
vMyths, wondered whether the "spike" in Internet activity that Richard
Clarke alluded to occurred before or after the NIPC issued its
warning.

The Associated Press story, Smith said, gives the impression that the
alleged attack occurred a few hours after the NIPC posted its alert.

"Knowing the average cyber-ankle-biter, people known to stay up at odd
hours, it's not at all unreasonable to entertain the idea that the
NIPC alert might have precipitated some nincompoops who had nothing
better to do with their time except create a statistical blip in
someone's Internet monitoring service," Smith said.

But neither Smith nor his colleagues in the security community saw
anything unusual yesterday, and no one seemed surprised that the
NIPC's alert apparently fizzled.

"The NIPC and Richard Clarke do have an excellent track record of
warning about cyberattacks and cyber-badness that is often only
visible to them," Smith said.

Such warnings of invisible menaces include the NIPC's 1999 alert
warning that every nation whose name began with the letter "I" would
target American computer systems on Jan. 1, 2000.

That warning was followed by another prediction of worldwide hack
attacks on Jan. 1, 2001, and the impending fall of the Internet due to
the Code Red worm last summer.

Since the NIPC doesn't have a sterling reputation among many security
experts, more time and energy was devoted to attempts to figure out
what might have induced them to issue their latest alert rather than
hardening websites and systems.

Some believe that the latest NIPC warning may have been a rather
desperate move made in the hopes of gaining publicity and proving the
agency's value.

According to Rob Rosenberger, also of vMyths, it appears the CERT
Coordination Center, a federally funded research lab focused on
computer security, has decided to sever what Rosenberger described as
its "co-dependent relationship" with the NIPC.

Rosenberger mentioned this rumor at his keynote speech Tuesday at
CERT's annual computer security conference.

"NIPC believes they need CERT's technical prowess if they want to
survive politically. I tend to agree," Rosenberger said. "But if CERT
doesn't want to continue the relationship, I imagine they'll suffer
the classic symptoms of a co-dependent breakup. I can imagine NIPC
wailing how the relationship must continue in order to save the world
from future cyber-terrorism. 'Honey, I swear, just give me one more
chance, I need you'...."

"So who knows?" Rosenberger added. "The NIPC's latest PR move could be
a manifestation of a co-dependent breakup in progress."

Whatever motivated Monday's warning, security experts believe that the
NIPC shouldn't issue public alerts about issues that concern Web and
systems administrators.

"It seems to me that warnings of attacks against the Internet
infrastructure and large websites don't really require a public
announcement," said security researcher Richard Smith. "A private
e-mail list for system administrators should be good enough."



-
ISN is currently hosted by Attrition.org
