Re: Terrorists could launch cyber-war / RFF Reply to First-Rate FUD

[InfoSec News <isn () c4i org>]

Forwarded from: H C <keydet89 () yahoo com>
Cc: rforno () infowarrior org

> > A "CYBER jihad" could be launched against the West
> > as terrorists moved from the real world to an internet-based
> > virtual world, a US expert warns.
>
> Sensational, fear-mongering term here. "CyberJihad" ??? Crikey, we
> better run for the hills.....

Crikey?  Really, Rick?!  Have you taken to wearing khaki shorts and
speaking w/ an Aussie accent?

I think it's also important to point out the operative term in the
above quote, which is "could".  Yeah, a lot of things "could"...but
how likely is this "cyberjihad"?  Does the intel community still hold
on to the belief that terrorists are staying away from computer
networks as weapons simply b/c they aren't as reliable or poignant as,
say, a suicide bomber?

> > Michele Zanini, a consultant with the think-tank
> > McKinsey and Company, said terrorist groups such as al-Qaeda
> > were already making huge use of the web for communications,
> > propaganda, recruitment and target data.
>
> Never heard of them, but it must be a think-tank full of stagnant
> thoughts and conventional thinking. The web and internet is a
> communication medium.....a tool.....criminals use it to plan
> traditional crimes, it's only natural that a terrorist would use it
> for such purposes too.

Not only is this "think-tank" largely unheard of (what happened...the
magazine couldn't get a sound bite from Gartner or RAND?), but it's
old news.  Wasn't it about a year ago that a "news" story about
terrorists using steganography and porno Usenet groups to communicate?

> This is NOT new.  What we also forget is that just because something
> CAN be used as a weapon doesn't mean it WILL, either.

Correct.  Maybe it's better to chalk this one up to the author of the
article (a media-hound looking for something sensational) rather than
to whomever he quoted.  I'm sure most folks who do authorize a quote
or two have found that many times the quotes are used out of context.

> > Another expert, Rand Europe senior policy analyst
> > Kevin O'Brien said there was potential for terrorists to 
> > cause huge losses to the West by damaging information technology 
> > systems.
>
> We have that now, but nobody seems to give a hoot.

At least it's a quote from an organization we've heard of.  But again,
we're back to "potential"..."could"...that sort of thing.

> It's called Microsoft and the incessant amount of security problems
> costing how many billions to address, and most of the problems NEVER
> FULLY GO AWAY.  If you're worried about cyber-security, why not
> point the finger and take action against a known cause of repeated
> and quite significant problems and vulnerabilities we ALREADY KNOW
> where they come from?

While Microsoft does produce products that are full of holes, one
thing needs to be understood.  Take a look at the recent articles
about the "Deceptive Duo" and the nmap scans of some of their
"victims" on AllDas.org.  Microsoft systems with NetBIOS ports exposed
to the Internet.  At least one article quoted the DD as saying they
broke in by way of weak passwords on user accounts.  In one case,
MS-SQL server was exposed to the Internet w/ an admittedly (by a
spokesman for the victim) "weak password".

At that point, whose fault does it become?  MS for producing products,
or the admins for not allowing two neurons to interact and pass
chemical messages back and forth, thereby allowing them to form a
"thought" to protect their networks?

After all, even MS put out information on how to protect IIS
servers...one of the instructions was to disable unnecessary script
mappings.  Code Red demonstrated that most IIS admins seem to be
illiterate.
 
> I guess it's still easier to point the fingers for our INFOSEC
> problems at shadowy cyber-terrorists and such, thereby ducking blame
> and avoiding responsibility for the current state of world
> information insecurity.

Not easier.  Remember, Rick, it's the media that's doing this sort of
finger pointing.  Why?  B/c it's "cool" and sensational.  Take this
Kevin O'Brien from RAND...he's an "expert", reportedly, but of what?  
Who recognizes Mr. O'Brien's credibility as an "expert" at anything?  
I'm not trying to disparage Mr. O'Brien, b/c I don't know him...but
the author of the original article simply expected his readers to
accept this fact, that's all.
 
> > Dr Zanini and Dr O'Brien were speaking at an international
> > conference on global terror in Hobart.
> >
> > Dr O'Brien said Western-developed IT had become
> > the "great equaliser" as it was exploited by terrorists 
> > and rogue states.
>
> Yeah, and the electron is the ultimate guided weapon, like former
> DCI Deutch said. What a crock.

Yeah, Deutch.  The DCI who took classified info home to his
unprotected PC...the one his kid played games on.  Great source.  
Perhaps Dr. O'Brien's quote has significance...after all, anyone can
call up Dell and order a bunch of systems.  In fact, someone
purchasing a gross of computer systems from Dell today will be an a
far better footing than some corporations who haven't upgraded their
systems in...6 months.  A year.
 
> > He said the cyber world was chaotic and without boundaries 
> > and Western security agencies were traditionally ill-equipped 
> > to deal with its threats.
>
> Agreed. They have a hard enough time keeping their own systems
> secured.

Sure.  But I don't think this is an issue just for Western security
agencies.  Wasn't it the Brits who had a laptop stolen during Desert
Shield?  Sure, I know the State Dept. has done a much better job of
loosing laptops, but it's not an issue unique to the West.
  
> > In the wake of September 11, it was clear terrorists were using 
> > the internet as a weapon of war, the experts said.
>
> "Weapon of war"??? Sensational fear-mongering.

No doubt!  Who is this clear to?  Not to me!  Obviously not to you,
Rick.  So...who?

> They also used airplanes as a real and quite deadly 'weapon of war'
> but nobody here seems to remember that. Under these guys'
> definitions, a USG visa, fraudulent drivers' licenses, and a copy of
> the Koran would be 'weapons of war' too....

So would an ATM debit card.  But how do the trips to WalMart and T&A
bars fit in?
  
> > Terrorists used the net to gather intelligence, including target
> > information, and counter-intelligence.
>
> Net notwithstanding, it didn't take a genius to know where the WTC
> was.

Yeah, big deal.  Anyone can use the 'Net to gather intelligence.  
There are plenty of books and sites out there that talk about this.  
But like you said, it doesn't take a genius to see the Pentagon or WTC
from the air, particularly when you're right over it.

> > They made and moved money on it and were suspected of even
> > manipulating stocks for profit.
>
> Gee. Maybe al-Qaeda sat on the Enron Board...

More FUD..."suspected".  By whom?  If they were suspected, and it
wasn't proven, why mention it?  Or, why not quote whomever stated
this?  Nope, can't do that...not sensational enough.

Rick, I think you're really pointing out here that it isn't weaknesses
in the infrastructure...we know this, and they're more political than
technological...but the need for far too many "journalists" to justify
their existance with over-sensationalized garbage.

Just the fact that we're discussing (or rebutting) the article gives
it credence.  After all, it's clear that the "journalist's" intention
wasn't to produce an accurate article...it was to get paid.
 
> > They could also use it for worldwide planning and coordination,
> > propaganda, psychological terrorism and rumour-mongering.
>
> Old news. Regarding propaganda, psyops, and rumor-mongering, the
> net's been used for this for years.

Rumor-mongering?  Interesting...isn't that exactly what the media is
doing with this article?

> > Dr O'Brien said the danger to business was of great concern, 
> > with some websites particularly vulnerable.

Yeah, some are.  So what?  They're web sites.  The NYSE isn't tied
directly into their public web site.  The author of this article
doesn't seem to realize that defacing web sites is as passe as the
graffiti on highway overpasses.

> > Companies could also be damaged through extortion, brand 
> > destruction and fraud.
>
> That already happens, but terrorists aren't to blame.

Yeah, no doubt.  Wait...wouldn't that make the senior management of
companies like Enron and Winstar "terrorists"?  I mean, both companies
laid off thousands of workers and for all intents and purposes have
disappeared due to fraud, etc.
   
> I need more coffee now.

Me, too.  See you at Starbucks...



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.