Information Security News mailing list archives

RE: Cyber-Attacks by Al Qaeda Feared


From: InfoSec News <isn () c4i org>
Date: Mon, 1 Jul 2002 05:08:26 -0500 (CDT)

Forwarded from: Austin <austin () highstream net>

-> -----Original Message-----
-> From: owner-isn () attrition org
-> Sent: Thursday, June 27, 2002 3:05 AM
->
->
-> Late last fall, Detective Chris Hsiung of the Mountain View, Calif.,
-> police department began investigating a suspicious pattern of
-> surveillance against Silicon Valley computers.

Yeah, the city police dept. tracking international 'net crime. It's
more likely that there's a guy with a green shirt and a goatee driving
around a van called the Mystery Machine; and who understands his dog
talking back to him; and who both successfully solve crimes while
tripping over each other in the process while under the influence of
dog treats.


->  ......  A forensic summary
-> of the investigation, prepared in the Defense Department, said the
-> bureau found "multiple casings of sites" nationwide. Routed through
-> telecommunications switches in Saudi Arabia, Indonesia and Pakistan,
-> the visitors studied emergency telephone systems, electrical
-> generation and transmission, water storage and distribution, nuclear
-> power plants and gas facilities.

I know this seems kinda dumb, but why do these utilities need outside
access into the "valuable" core computer systems. Why are "emergency
telephone systems, electrical generation and transmission, water
storage and distribution, nuclear power plants and gas facility"
computers even allowed to have internet access? or access from the
'net?

if so, seems to me that pesky Greed factor at work, "Why can't we just
use the internet instead of using our own phone lines? that would save
tons of money!! I should get a raise for brainstorming this one!"
Isn't this what led to the Y2K crunch? companies having to spend
money on newer systems and updating old ones because they were too
stingy to do it when they knew they *had* a problem before they *had*
to fix them?

-> Unsettling signs of al Qaeda's aims and skills in cyberspace have led
-> some government experts to conclude that terrorists are at the
-> threshold of using the Internet as a direct instrument of
-> bloodshed.

I remember this cry from the Chicken Little stories dating way back
for years. When is someone actually going to commit an actual computer
crime?? God forbid it's ever successful! I don't know how these
"experts" keep their jobs by pointing to the terrorists as being
skilled instead of the gov. systems admins being a bunch of morons
for not updating their systems.

Yeah, I know, there's so many patches and updates to do... sniffle...  
but if you're constantly recompiling kernels for this fix or that,
maybe you need to choose a different platform, a different
application. And for systems/apps to even have ONE buffer overflow is
just plain inept programming, testing and coding.

The exploits of the Dynamic Duo are only tragic to the people they
catch with their unsecured pants down. Does the Duo ever exploit
non-published holes in software? If people did their jobs, then the
Duo would be out of business! The same goes with virus infestations.
If systems were protected, it would have never spread as fast. Yes,
there are new vulnerabilities being "discovered" by independent
sources, but why are the second or third strains taking advantage of
the same vulnerabilities?? and why aren't the people who actually
wrote the code finding their own errors!!!!??????

-> The new threat bears little resemblance to familiar financial
-> disruptions by hackers responsible for viruses and worms.

OOOOOHHHHH! "financial disruptions" my ASS!! AKA the cost of a virus
or a hack the company pays to clean up after it and to actually go out
and buy the updated OS or new scanners they should have purchased
ALREADY!!! oh, then there's the "lost revenue" of shutting a server
down to install the software - AKA greed. I have *little* sympathy for
companies being "hurt" by viruses alone being that the VAST majority
are preventable.

-> U.S. analysts believe that by disabling or taking command of the
-> floodgates in a dam, for example, or of substations handling 300,000
-> volts of electric power, an intruder could use virtual tools to
-> destroy real-world lives and property.

Again, why are these controls accessible from the 'net???

-> "The event I fear most is a physical attack in conjunction with a
-> successful cyber-attack on the responders' 911 system or on the power
-> grid,"

oh, like the 911 system is so foolproof now! there are so many times
it either doesn't work or is busy or under-manned even if it exists in
a market at all.

-> Regarded until recently as remote, the risks of cyber-terrorism now
-> command urgent White House attention.

most things that get the attention of any political system regard
politics. NEVER has a leader in any branch of the government been
motivated for the sole purpose of defending rights or cutting costs if
that said action will cost them a chance to be re-elected. AKA
career-greed.


-> The security flaw could have been exploited to .. halt "all control
-> information exchanged between ground and aircraft flight control
-> systems."

again, why is there direct access of this to the public internet ???

-> One al Qaeda laptop found in Afghanistan, sources said, had made
-> multiple visits to a French site run by the Societé Anonyme, or
-> Anonymous Society.

he must not have deleted his cookies

-> What is new and dangerous is that most of these devices are now being
-> connected to the Internet

OMG!!!  "What is new ... is that .. these devices are .. connected to
the ['net]"... NOT!

-> -- some of them, according to classified
-> "Red Team" intrusion exercises, in ways that their owners do not
-> suspect.
  ...right...

-> Until recently, said Director John Tritak of the Commerce
-> Department's Critical Infrastructure Assurance Office, many
-> government and corporate officials regarded hackers mainly as a
-> menace to their e-mail.

WHAT??  I have never heard any story regarding e-mail hacks...  what a
crock! and why would a government or corporate official even care how
their security is set up? this means their IT dept. consists of a bunch
of degenerates that don't know how to inform their own bosses of the
issues at hand.

-> "There's this view that the problems of cyberspace originate, reside
-> and remain in cyberspace," Tritak said. "Bad ones and zeros hurt good
-> ones and zeros

Bad ones & zeros...  like there're also evil floppies and terminals
lurking around corners to take out the good ones as well.

-> "...al Qaeda prefers simple, reliable plans and would not allow the
-> success of a large-scale attack "to be dependent on some
-> sophisticated, tricky cyber thing to work.""

   simple is what simple does

-> Roger Cressey, a longtime counterterrorism official who became chief
-> of staff of the President's Critical Infrastructure Protection
-> Board in October. "An attack is a question of when, not if."

   my question exactly.

-> In a book-length Electricity Infrastructure Security Assessment, the
-> industry concluded on Jan. 7 that "it may not be possible to provide
-> sufficient security when using the Internet for power system
-> control."  Power companies, it said, will probably have to build
-> a parallel private network for themselves.

   WOW!  What a solution!!!


-> Frustrated at the pace of repairs, Clarke traveled to San Jose on Feb.
-> 19 and accused industry leaders of spending more on coffee than on
-> information security. "You will be hacked," he told them. "What's
-> more, you deserve to be hacked."

   YEAH!!!

-> Experts said public companies worry about the loss of customer
-> confidence and the legal liability to shareholders or
-> security vendors when they report flaws.

   AKA greed

-> "It doesn't matter whether it's al Qaeda or a nation-state or the
-> teenage kid up the street," he said. "Who does the damage to you is
-> far less important than the fact that damage can be done. You've got
-> to focus on your vulnerability . . . and not wait for the FBI to tell
-> you that al Qaeda has you in its sights."

   ...but will they?  not likely.



-
ISN is currently hosted by Attrition.org
