Four Threats For '09 You Haven't Heard of

ancientribe writes "Security experts are cautiously on the lookout for some lesser-known but potentially lethal threats that could be more difficult to prepare for and defend against in 2009. These aren't your typical enterprise hack attacks. They're mainly large-scale Internet threats — attacks that knock out sections of the Internet infrastructure, radical extremist hackers, Web attacks that adversely affect online ad revenue, and even the unthinkable: human casualties as a result of a cyberattack." Also known as the new group of things the fear mongers will use to make you do their bidding.

"The Unthinkable"

[Knara]

Why is "human causalities as the result of cyberattack" supposedly unthinkable?

human casualties as a result of a cyberattack ..

[rs232]

'Three U.K. hospitals were forced to shut down their networks last month after a malware outbreak infiltrated their systems .. Prince says he worries that eventually, human lives could be affected by a cyberattack like that of those hospitals or attacks on national infrastructures such as utilities. "It will happen at some point," he says'

Have these security professionals ever considered using computers that don't get malware ?

Anti-virus, Anti-phishing, Spyware [perimeterusa.com]

Sounds like a sales job to me.

[Samschnooks]

One U.S. hospital was recently hit with a denial-of-service attack that knocked its critical services offline temporarily. "There have been several close calls" including that one, notes Perimeter eSecurity's Prince, who couldn't reveal details about the attack on the hospital. Prince says the hospital was able to deploy some redundant power sources to keep its operations going during the attack on its network. But Prince says he worries that eventually, human lives could be affected by a cyberattack like that of those hospitals or attacks on national infrastructures such as utilities. "It will happen at some point," he says.

Of course you do. Got to keep those customers coming in.

The hospital I'm familiar with has an internal LAN with the Life or Death systems on it. The Docs that have access to it go through their gateway. In other words, a DOS attack would keep folks from seeing the hospital's website that has their marketing stuff, job listings, location, etc... nothing that would kill anyone.

See, the IT folks there are actually pretty smart and read the security journals and some even come from defense contractors. Imagine that. This hyperbole is just a PR statement to get the suits and their lawyers all worked up to hire people like that for very large fees.

Re:"The Unthinkable"

[rev_sanchez]

I'm pretty sure this is the plot for nearly every movie involving hackers. I'd say that it's overly thinkable.

Re:human casualties as a result of a cyberattack .

[TheRealMindChild]

In the scheme of things, while windows malware (I assume this is what you speak of) is an easy vector, it isn't the only vector. Plain and simple fact is, not everyone who uses a computer is competent, even when they should be (The same goes for car mechanics, doctors, etc).

Here is a really easy way to root a few Unix(like) boxes. Scan for some FTP servers. Log in and spider the directories. Can you make a file that has the executable bit set? Great! Do some fingerprinting to figure out what OS it is (this may not be necessary), upload an executable, then run it. You will be surprised at what said process can now access.

Need to stop treating computer crime as separate

[Anonymous Coward]

There is precious little new in this story, just a little present-day Nostradamus mixed in with a conspiracy theory, alarmism, and an admission that the enemies of the western world are not stupid and know how to use computers.

If we want to go beyond panic stories, we have to start treating such attacks, any attacks, as real crimes. That means FBI needs to get involved, and there must be a serious effort at apprehension. Once apprehended, those folks must be treated like criminals, that means orange jumpsuites (not three-piece suites) and long prison terms. This must be publicized.

As far as foreign threats, we need to work with local authorities. If those actitivites are conducted from within war zones, they need to be treated as enemy saboteurs and shot.

It's time to stop distinguishing between "computer crime" and regular crime. The consequences are the same, the victims are the same, the costs are the same. Therefore, the penalties must also be the same.

Mytob?

[jav1231]

Okay so Mytob shuts down a hospital. Frankly, hospitals and other public health entities shouldn't be running Windows. It's vulnerable and proven so time and again. Had they been on any *NIX-based system the spread of such a worm would have been mitigated.

I know, a tired old point but I'm frankly sick of hearing about government entities and public works entities being brought down because they've bought into the Windows-everywhere philosophy.

Re:human casualties as a result of a cyberattack .

[betterunixthanunix]

That may not be as simple as it sounds. Sure, it is technologically feasible to lock down a computer system, but there are matters of money and politics to consider. Consider the expense of hiring a full time security team that can tune ACLs and security policies and monitor the hospital network for intrusions. Here in America, hospitals, especially public hospitals, often have to fight for every dollar just to afford medical equipment, and there is constant political wrangling about paying for healthcare. Investing millions of dollars per hospital to create a secure IT infrastructure is a difficult move to justify when you are engaged in a battle for money for other equipment, and a lot of people either do not understand or do not care about the risks patients face from IT failures.

There is also the matter of commercialization of healthcare software. Gone are the days when a hospital's IT staff would roll their own middle tier and front end systems -- healthcare software systems are now purchased from companies that "specialize" in such products. Those companies often market proprietary software, compile it for the world's most popular desktop OS, and send shrink-wrapped copies to hospitals. That software can force choices upon the hospital, like requiring a certain database that only runs on a certain server OS or preventing certain ACLs from being in place because of the manner in which the software utilizes system resources. It is neither malice nor incompetence, it is just a byproduct of the system we have in place for managing our healthcare centers.

Personally, I have never understood how utilities might wind up in a situation where their systems may be vulnerable to a malware attack. I would think that the critical systems in utilities would be offline and running some sort of highly application-specific software, but I could be wrong.

Screw that

[djupedal]

...forget the 'un-. What say we start looking out for some of the thinkable, such as the cables that keep getting slashed in the Med, eh?

Only if it is an iVolcano.

[khasim]

From TFA:
e-bomb
Middle Eastern cybercartels

And so forth. Lots of technobabble, not much factual information.

Re:human casualties as a result of a cyberattack .

[Anonymous Coward]

Last time i checked FTP didn't have an EXEC method.

I'm guessing you mean pray it has a directory inside a website (then why bother fingerprinting the OS) or you have shell access which just brings up the question of why you bothered ftping a file in the first place your more than halfway there!!

Re:Mytob?

[Anonymous Coward]

And I'm tired of lunix trolls claiming that everything open source is 100% secure out of the box with no configuration required. All unix based systems are completely invulnerable to every attack ever conceived huh? Fucking delusion morons.

BE AFRAID!

[Anonymous Coward]

Be very afraid!

Good.

Now I will lead you back to safety if you do whatever I say...

Cutting Cables

[Jafar00]

I wanna know who keeps cutting the cables to Egypt and the rest of the Middle East. Talk about knocking out sections of infrastructure.

Oh noes muslims with computers!

[thetoadwarrior]

The biggest threat facing the internet in 2009 is pointless scaremongering laid out on more pages than it should be to get more ad revenue.

Re:human casualties as a result of a cyberattack .

[segra]

so who certified the malware ??

Re:Mytob?

[Lord Jester]

It was not stated that it would be immune to attacks, rather the worm threat would be mitigating the threat of this worm.

Also, he did not say Linux, he said a *nix based system. Which, until NT, most systems in such entities were.

*nix based systems are not invulnerable, but it takes a lot more than a script-kiddie with a script generator to penetrate and subvert than in *nix based systems.

But, regardless of your OS predilection, you should be able to admit that Windows based systems have an extremely higher rate of penetration and subversion.

Re:How to Falsify Evolution

[mlwmohawk]

Because of your post, I think we need a "Billy Madison" moderation.

What you wrote wasn't flamebait or over rated, it was stupid.

"Mr. Madison, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul."

This item would not be such a bad thing.

[Aram Fingal]

From TFA:

One casualty of the jump in Web attacks and threats could be Internet ads, as enterprises and users increasingly begin to deploy technologies that block third-party content.

Third-party content is ultimately not necessary for web ads. Advertisers could submit ads to be published by the sites themselves the way it's done in every other form of media. I suppose that there is some convenience in just serving ads from a third party but is that really worth the security and privacy costs? The main point of third-party content is to track users. Again, this isn't necessary. It's only done because one advertising agency is at a disadvantage if they don't do it while their competitors do. I realy don't see any great benefit to society from advertisers being able to profile people and deliver more and more targeted ads to them. Certainly, for my part, I don't think it's worth the loss of privacy and I've been blocking some kinds of third-party content for years because of it.

Bigger Fish.....

[IHC Navistar]

Even bigger threats:

1) Undersea cable cuts

2) Hub Power Outages

3) Botnets

Seeing as how *no* skills are required to execute the first two of the aforementioned items, I'd say that those are the biggest things to watch out for.

I just had to point out a couple things, sorry

[mlwmohawk]

Any theory that does not provide a method to falsify and validate its claims is a useless theory.

In real science we state claims and provide proof and theory as to why we accept them as true. Furthermore, we make predictions that can be tested. In science, nothing is "disproved," all things are assumed false until proved. Its make more sense that way as I can not disprove your watermellon claim, but you have offered no theory or proof as to why your claims should be believed in the first place.

I could claim anything and you would be foolish to believe. If I make a claim and provide proof and a theory to explain why it is so, and you check out the proof, you have the ability to prove or disprove it on your own.