Information Security News mailing list archives

Re: Fanatics with Laptops: The Coming Cyber War / RFF Reply


From: InfoSec News <isn () c4i org>
Date: Mon, 20 May 2002 05:25:02 -0500 (CDT)

Forwarded from: Richard Forno <rforno () infowarrior org>

What is it about Fridays and FUD?????

Last week it was that piece out of Australia, and now this article.

A few choice comments enclosed below.

Fanatics with Laptops: The Coming Cyber War
By Tim McDonald
NewsFactor Network
May 16, 2002

Title alone is sensational enough to tell me this article is a crock.
But I'll read anyway because it's Friday and I need to fight some FUD
today before meeting the g/f for Episode 2 this afternoon.  :)

That increasing interdependence, however, becomes frightening when
one considers that a next-generation cyber terrorist will likely not
represent an aggressive world power.

I'm not sure what the cyberterrorists of 'this generation' are, let
alone the ones of next generation........

In terms of present-day vulnerability, such a terrorist could simply
be a lone fanatic wielding a laptop. And the damage could be
staggering.

One guy with a laptop - fanatic or not - does not make a cyberterrorist
that is bent on destroying the world. When will these reporter types
realize this? All such statements do is fan the flames of speculation
and fear, and in most cases, make the reporter look like an idiot.

On a side note - does this mean if someone's an atheist or agnostic,
they won't be a good 'cyber-threat'??? Oh, wait - in the eyes of the
media, fanatic=terrorist=0911=great imagery for getting readers'
attention.

I agree with those that say one guy with a backhoe is far more
effective at causing wide-spread infrastructure damage than someone
with a laptop. But "backhoe-terrorists" aren't as sensational of a
story as those allegedly waging "cyber-jihads" so we'll just leave it
at that for now....

'Asymmetric Warfare'

The military call it "asymmetric warfare," which means that the
disadvantaged side must use unconventional weapons against the
wealthier side if it is to have any chance of winning.

Using airplanes as guided missiles is asymmetric warfare, too, and a
far more effective way of wreaking infrastructure havoc than by a
laptop.

Any country that can scrape together the price of a computer manual
and that has a basic understanding of information systems
infrastructure can train and motivate a misguided "patriot."

Reading a 'manual' does not make one an expert. Nor does getting a
diploma or certification, despite the claims to the contrary.
 
Anonymous Warfare

Due to recent advances in "attack technology," cyber warfare can be
waged remotely and anonymously. This approach would make it much
harder to find an attacker than it is, for example, to root out Al
Qaeda forces along the border of Pakistan and Afghanistan.

Gee, and it wouldn't be hard for someone to do a truck bombing
anonymously, either.....the problem is that folks like McVeigh (OK
City), Rachman (WTC attack #1), and others, were clumsy terrorists
that left a trail......a dedicated adversary would not be so easy to
track.  Drawing a parallel between cyber-terrorists and al-Qaeda is
threat inflation.

The implication this reporter makes is that folks should be licensed
or easily-tracked online....if someone's hell-bent on committing
murder or terrorist actions, they WILL circumvent any requirements for
online monitoring/tracking -- that's the least of their concerns!  
Making it illegal to be anonymous won't do anything to impede them.

"As the automation of deployment and the sophistication of attack
tool management both increase, the asymmetric nature of the threat
will continue to grow," the report said.

This has nothing to do with increasing the asymmetric nature of the
threat. It simply means that future such attacks might be harder
to recover from quickly.

New Tactics: Poison and Hijacking

Attackers are finding more ways to bypass firewalls and other
security roadblocks. Some of the newer -- and nastier -- tactics
involve attacks on the Internet domain name system (DNS), including
cache poisoning and domain hijacking.

DNS poisoning is an old tactic - security folks have known about it
for years. And Domain Hijacking - well, during my time @ NSI, I had to
deal with that technical problem far too many times. The problem was a
system vulnerability that the company refused to address, and instead
chose to deal with recurring negative publicity, giving me and my team
major stress headaches on a regular basis. Besides, it's been proven
that one can hijack a domain name w/o being a 'hacker' -- using the
legal system and WIPO is pretty effective, too, I've heard.  DNS cache
poisoning was done in 1998 by Eugene Kashpureff -- it's not a new
attack methodology, either -- and that really screwed the net over for
a few hours.

Businesses, especially large corporations, are becoming targets with
increasing frequency. In the right hands, cyber attacks could wreak
untold damage.

Again, that wonderful word "could" -- most of the folks on this list
COULD wreak untold damage, but it's yet to materialize. It's always
amazing how many reporters talk about what such a so-called
'cyberterrorist' "could" accomplish......but nobody talks about what
IS needed to deal with the problem.

As the Arab-Israeli conflict continues to escalate, the odds of a
full-scale cyber war grow. The first Arab-Israeli cyber war erupted
in 2000, when Israeli hackers attacked the site of a Hezbollah group
in London. Arabs retaliated by attacking the main Israeli government
site and the Israeli Foreign Ministry's site.

This is a crock of first-rate tripe. Cyberwar is a nuisance situation.
So what if a website gets defaced or hacked? So what if a ping sweep
trips some alarms? What's being reported on as 'cyber-warfare' is the
electronic version of 'prick-waving' to see who's a badder dude on the
net playground.
 
How prepared is the United States? Not very, according to analysts.
There has been some improvement, such as the Clinton
Administration's 10-step National Plan for Critical Infrastructure,
drafted in 1999.

Indeed - plenty of bureaucracy was created, lots of blue-ribbon
reports and panels, but little real action.

Only in the past year has action been taken, however, by opening
serious discussions about creating separate networks for critical
federal agencies; granting computer security scholarships in return
for national service; and increasing the budget for computer
security.

GovNet - stupid plan. Reminds me of sticking one's head in the sand.
But it's been Richard Clarke's fantasy network since the mid-90s, so
he may as well keep trying to build it when he's got access to large
(free!) funding sources. He's already admitted they will likely have
viruses, worms, etc. on GovNet - with the associated downtimes and
problems we all know result from such incidents - so WTF good is
GovNet going to be anyway?

Computer security scholarships are long-term projects. A diploma or
certification doesn't mean you're any more the wiser of a security
person. You need experience in the real world, and that would only
occur OVER TIME, not in the classroom.

What they need to do is stop these pie-in-the-sky projects and
allocate money and authority HERE and NOW to address the root causes
of the problems the government ALREADY KNOWS ABOUT but seems content
to brush off.

I mean, they just killed the $9B Army Crusader system - imagine what
even $5B of that money could do, if properly allocated for
government-wide operational IT security improvements TODAY instead of
more research and analysis of 'future threats' in cyberspace?

What they have learned is that the "install-and-patch" system does
not work, especially against a concentrated attack. Operating
systems, they have concluded, need to be designed more securely from
the outset.

It took how long to figure that out? While most OSes are
install-and-patch, let's look at the largest culprit here. How come
nobody's placing budget pressure on Redmond saying since their
products are so buggy and insecure, they're going to look elsewhere
for solutions that work as advertised and intended?  I took that
position in 1998 and haven't looked back. And guess what - I've been
virus free, trojan free, worm free, since then, and been more
productive, too.

An equally fanatical individual, with a little more knowledge and a
much lighter load, can, if we do not defend against it, use a laptop
to do unimaginable damage at no personal cost whatsoever.

This last line is a piece of sensational tripe that is common among
those companies and individuals making Chicken Little claims about
cyber-terror being the harbinger of unimaginable evil. Unfortunately,
most of the media folks covering this general issue of computer
security have no clue about the reality of the situation......and are
unable to do anything except continue to perpetuate this sensational
FUD, scare the public, and make it all the more difficult for folks in
the security profession to do our jobs, especially when talking with
senior managers and lawmakers.

This article will keep me awake tonight - not out of fear of a
cyber-attack, or what 'could' happen down the road, but because this
sort of half-arsed tripe is believed by so many who take this stuff as
unassailable gospel and continue to make decisions based on it.

I wonder what next Friday's FUD story will be??

Rick
infowarrior.org
(c) 2002 - Permission granted to reproduce in entirety with credit.



