Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Cyber-Attacks? 373

Galahad2 writes "The Washington Post has a lengthy article about the Bush administration's fears of an Al Qaeda cyber attack on the nation's infrastructure. Though we have all seen this sort of attack as a possiblity for a long time, I'm having a hard time believing that Al Qaeda is capable of anything along these lines." You're not the only one. The article does cite an example of the only known infrastructure attack, a case in Australia where a consultant used his inside knowledge of a local sewage treatment system to dump raw sewage, hoping for a contract to solve the problem he created.
This discussion has been archived. No new comments can be posted.


Comments Filter:
  • Of course, once all computer systems are run on Microsoft's forthcoming Palladium system then such attacks will be completely impossible. Obviously the correct response to this potential threat is to outlaw any OS that does not have Palladium security.
    • And detain all known contributors to any "terrorist" operating systems in military prison camp. Don't forget to do that.

      Think about the children

      • And detain all known contributors to any "terrorist" operating systems in military prison camp.

        Not prison camps. MSCE Reeducation Centers.

        • Not prison camps. MSCE Reeducation Centers.

          There's the crux. If we actually start torturng the terrorists with MSCE Reeducation, thn the Russians, Germans, Finns, etc. may pullout of our alliance. We need to just intern them in POW camps until the war has gone on long enough that our allies are pissed off enough at the terrorists to look the other way on torturing them.

  • So that's why I've been getting these .ag spams...
  • Believing (Score:3, Insightful)

    by saphena ( 322272 ) on Thursday June 27, 2002 @04:59AM (#3777414) Homepage

    I'm having a hard time believing that Al Qaeda is capable of anything along these lines.

    I had a hard time believing the events on September 11th even whilst they were happening!

  • They have to resort to flying planes into buildings as weapons, and you expect them to be able to what? Use a computer?
  • hoping for a contract to solve the problem he created.

    Isn't this exactly what happened with y2k ? Consultants talked up a problem in the hope of being paid to "fix" it.

    It's not so unique
    • Isn't this exactly what happened with y2k ? Consultants talked up a problem in the hope of being paid to "fix" it.

      Whats even more funny is that I remember an incident of a sewage spill during a y2k test in Australia. Is this the same incident?
    • by MrMickS ( 568778 ) on Thursday June 27, 2002 @05:44AM (#3777537) Homepage Journal
      Y2K is called a fiasco because work was done and there were no disasters. People talked about it, spent money checking systems, upgrading systems, fixing problems before the event. No great disaster so all of this was in vain. A hoax. A fiasco.

      If the work hadn't been done and there had been disasters wouldn't that have been a greater fiasco?

      Situations like this are a no-win. If you do the work and fix problems, you've talked up the problem to get work. If you do nothing and their are problems you are negligent.

      Choose now.

  • by Howzer ( 580315 ) <grabshot@@@hotmail...com> on Thursday June 27, 2002 @05:11AM (#3777437) Homepage Journal
    This, and several other even less plausible recent "possible attack" stories look to me like a classic "cover your arse" move from the White House. The conversation in the "war-room" probably went something like this:

    Flak 1: "Hey, we're really getting pasted over the fact that we "knew about" 9-11 and didn't warn anyone."
    Solemn pause as the room thinks. Scratching of heads, etc.
    Flak 2: "I know, let's warn everyone about every possible type of attack, so that if and when the next one occurs we can say..."
    Flak 1: "... I told you so?! That's brilliant! Bob, call your guy at the Post and see if you can sell that cyber attack story. Frank, get the Times on the phone, tell them ... oh you'll think of something! Ted, start posting stories on Slashdot; those hackers suck up every meme that's going..."
    Scene of chaos as flunkies run in every direction to Flak 1's barked commands.

    Something like that, right?

    • Bob, call your guy at the Post and see if you can sell that cyber attack story. Frank, get the Times on the phone, tell them ...

      ...that Bob's guy at the Post is already doing a story on it. Bob, be sure to say that Frank's guy at the Times is doing the same.

    • Re:Smart Move... (Score:3, Interesting)

      by Zathrus ( 232140 )
      What's funny is that shortly after some of the first arm-chair quarterbacking by the networks the White House said "fine... we'll brief you more often". They then began to share more possible threats, particularly those with a lower probability than previously publicly discussed. What happened? The next night on the network news at least one anchor (either Sam Donaldson or Dan Rather I believe) groused that the White House was now sharing too much and causing undue panic.

      Uh. Duh.

      You can't have it both ways. You either have to let the intelligence community work at things and only inform you of the threats deemed likely to occur, or you have them warn you every time some crank caller picks up the phone. Yes, there's middle ground. But who draws it?

      Were there screwups prior to 9/11? Possibly. It's likely that we'll look back on it and say "how could that have occurred?" similar to Pearl Harbor now. But it's being done in a post-mortem fashion -- when you KNOW what to look for it's a helluva lot easier to find it than it is when you have 5 million inputs and only one of them is valid.
    • Re:Smart Move... (Score:4, Informative)

      by thelaw ( 100964 ) <spam@c e r a s t es.org> on Thursday June 27, 2002 @08:24AM (#3778016) Homepage
      i'm not so sure that this is the case. i've been following washingtonpost.com's cyber-attack stories for quite some time (very much pre-september-11), and just about every story they do has a slightly sensationalist bent. this one, ironically, is the most fact-based story i've seen them do since i started reading them.

  • by aelvin ( 265451 ) on Thursday June 27, 2002 @05:12AM (#3777440)
    "DCS and SCADA systems might be accessible to bits and bytes," Assistant Secretary of Defense John P. Stenbit said in an interview. But al Qaeda prefers simple, reliable plans and would not allow the success of a large-scale attack "to be dependent on some sophisticated, tricky cyber thing to work."

    I don't know whether to be more concerned about a potential cyber attack or the fact that the Assistant Secretary of Defense refers to critical infrastructure as "some sophisticated, tricky cyber thing."

  • by khym ( 117618 ) <matt@nightreal[ ]com ['ms.' in gap]> on Thursday June 27, 2002 @05:15AM (#3777450)
    Why are any of the computers controlling national infrastructure on the Internet or available via modem? Anything that important should be completely cut off from the outside world.
    • by Xtifr ( 1323 ) on Thursday June 27, 2002 @07:11AM (#3777755) Homepage
      I'm sure that many government computers are safely isolated from any public nets, but many of them have the sole purpose of serving information to the Internet, and would be pretty useless if they were isolated! Furthermore, it's not just government installations that are at risk. The 9-11 attacks weren't just aimed at the Pentagon. Or perhaps you forgot about the WTC?

      The major US backbones of the Internet itself could be considered part of our national infrastructure. I hope you're not going to ask why the backbones are on the Internet!
    • (1) critical infrastructure (eg: the DoD) needs internet access too. (Guess who their preferred NSP was? A clue: it rhymes with "huge con".

      (2) the networks themselves are built of routers and switches. These devices, which are scattered around the world (often in cold, dark, inaccessible ops centers or datacentres) need to be managed remotely. Your standard one-modem-per-rack emergency device is only that, really - for routine stuff you want to go in-band (so you can ssh onto your cat 5500 and do `sh ip bgp' or whatever from the comfort of a quiet, airconditioned NOC (net ops centre) where you have access to docs, r&r, other engineers and so on.

      (3) the internet ITSELF is critical infrastructure these days. I don't think they're seriously saying that terrorists are going to crash ATC systems from an internet cafe in Peshawar (well, OK, maybe they are implying that to the general public, but of course that's pure FUD.) Traditional DDoS attacks of the mafiaboy style have the power to significantly fsck up the world economy however. Did you know Mafiaboy only stopped cos he got bored? If he'd been motivated enough he could have carried on for weeks or months whilst net ops painstakingly backtraced every attacker through the chain of abuse desks and LEAs...
      Imagine if, say, Akamai's content distribution network were attacked.

      (4) Finally, there are some interesting new toys for attackers to use: pulsing zombies, warhol worms, and (the thing we don't really want to mention which is a big vulnerability: network peeps know what I mean) in many, many networks.

  • So might this be an all-out DoS attack looking to shut down the spread of the fruits of the decadent, imperialist American culture? Would they try to clog the networks so that people can't share any type of creative endeavour that represents the freedom that all Americans enjoy? Oh wait. That would be these people. [riaa.org] My bad. Move along. Nothing to see here. I get those groups trying to subvert freedom at all costs in pursuit of their twisted ideology confused sometimes. (NB: I am not condoning piracy. But you shouldn't let companies engage in the kinds of activities that terrorits might do. :P) Also, is there a new version of Godwin's law relating to calling someone a terrorist?
  • What kind of fscking imbecile allows critical infrastructure control systems to be connected to the Internet?

    This is a complete non-issue. There are no critical systems connected to the Internet. (Any that are need to have their plugs yanked and their admins fired, even if we weren't in the middle of an undeclared war.) This smells to me like a red herring for the Administration to grant itself more sweeping powers of warrantless surveillance and intrusion.

    I wonder what Austria's immigration policies are like?


    • > What kind of fscking imbecile allows critical
      > infrastructure control systems to be connected
      > to the Internet?

      A truly fscking imbecile.

      However, some computer systems *have* to be hooked up. And once they are 0wn3d, they *have* to be cleansed. Thus using up time and manpower that could best be used somewhere else.

      Besides being a PITA, it would also be a PR victory for the other side if they succeeded in "cracking the US military's servers". (never mind if it's not critical, out of the inner network, with no information on it).

      So it's really a "red herring", yes. Do not fear for your "national security", but fear for your national pride :)

    • What kind of fscking imbecile allows critical infrastructure control systems to be connected to the Internet?
      I don't know, maybe the same kind of person who would code infrastructure control systems to rely on only the last two digits of a date's year.

      I'm sure there are people who have a Web interface set up for some seemingly non-critical facet (though there probably aren't many cases of "Look Honey, I can manage the dam's intake system from my iBook in the backyard!"), but there is probably a greater number of people who use the Internet for some communication/reporting feature ("Hey, I'm encrypting all transmissions, I'm using port 18937, I'm not publishing this info on a Web site and I'm not controlling the infrastructure in any way through this interface, so I should be safe."). Should such people be running infrastructure control systems? No. Does that mean they're not running these systems? No.

      I think the article's primary purpose is to send a "Hey, infrastructure engineers, this means YOU" (or "does that guy who works for you have infrastructure controls connected to the Internet? Ask him.") message to people who think they're already covered.

    • What kind of fscking imbecile allows critical infrastructure control systems to be
      connected to the Internet?
      Individuals whose career prospects can be heavily affected by pressure from elected politicians and other PHBs to cut costs, perhaps?

      The WP story claims that some intrusion tests into important infrastructure controls have been carried out and that the intruders were typically able to gain access. And there's this interesting comment on page 4 of the piece:

      ... But many of the
      [SCADA remotely-operable control] systems rely on instantaneous responses and cannot tolerate authentication delays. And the devices deployed now lack the memory and bandwidth to use techniques such as "integrity checks" that are standard elsewhere.
      One could reasonably hope that such systems would be on redundant dedicated control connections, for pity's sake. Or - if you're going to use the Internet for such critical control information (and for all I know it may well make sense, at least as a backup) then have them connected via a robust black box that does have the resources to operate a continuous dedicated secure Internet connection, and which then controls the SCADA systems through a local direct link.

      <Oliver Hardy>Well, here's another nice mess you've gotten us into, Stanley</Oliver Hardy>

  • by ShaunC ( 203807 ) on Thursday June 27, 2002 @05:16AM (#3777456)
    From the article,
    Unsettling signs of al Qaeda's aims and skills in cyberspace have led some government experts to conclude that terrorists are at the threshold of using the Internet as a direct instrument of bloodshed.
    Fortunately, Sprint Nevada has absolutely no holes in their network! The claims that an attack would take place in Las Vegas on July 4th are clearly bogus ;)

  • by g4dget ( 579145 ) on Thursday June 27, 2002 @05:22AM (#3777473)
    Government experts and the media are bombarding us with possible scenarios: smallpox sprayed from crop dusters, terrorist attacks shutting down our stock markets, dirty bombs in New York harbor, nuclear missiles raining down from God-knows-where, etc.

    Why do they do that? Certainly not to improve our life expectancy or security. If we wanted to do that, spending $280 billion on public health and education would save a lot more lives than a missile defense system even in the unlikely event that we were attacked and that the system worked. If we are worried about attacks on our financial system, stopping crooks like Enron and WorldCom executives would be a whole lot less trouble and costly, not to mention less threatening to our civil liberties; Osama sending a Microsoft Word virus out of his cave pales in comparison to what a single felonious US executive can achieve.

    No, people create fear in order to gain power. That's true for Afghan terrorists as much as for the US government and the media. Creating fear gives people power and it allows politicians to move billions of dollars to their favorite campaign contributors.

    Folks, life is dangerous: live with it. And learn to evaluate risks and spend dollars wisely on prevention. Nearly 50000 people die each year in the US in traffic accidents, more Americans than in the entire Vietnam War. Cars cause even more deaths each year from pollution. Smoking causes 440000 premature deaths each year. Obesity causes about 280000 premature deaths each year. (Data comes mostly from JAMA.) Those are all easily preventable, with better education, reduced stress, and a better transportation infrastructure. Instead, however, we get worked up about obscure threats and spend enormous amounts of money on anti-terrorist measures and military hardware that will almost certainly not protect us anyway.

    In the literal meaning of "terrorist"--people who create terror for power--governments and the media are way ahead of any third rate coward in some cave halfway around the world. Hold the people who spread fear accountable the next time you go to the ballot box.

    • by Anonymous Coward
      There's a lot of truth in this. For a balanced, well-written (and refreshingly non-conspiracy-nut) view on government-controlled media , read the article Sept11: Unanswered Questions [communitycurrency.org] by MalcontentX (this is the article that gave rise to a recent press conference attended by families of Sept11 victims).

      The cyber-attacks that should be taking place are ones that alert the public to articles such as this one and encourage them to question the official line of everything they think they know. Imagine how enlightening it could be for a link to the above article to mysteriously appear on the front page of CNN.com....
    • Well put. My browser just made the sound of a nail being hit squarely on the head.

      A conference I was to attend got cancelled in the wake of the Sept. 11 attacks. Since I had the plane ticket, I flew anyway and spent the weekend kayaking around Washington D.C.

      Being acclimatised to European media, I found the propaganda pouring from my car radio stunning and repulsive. The real dissonance in the whole experience, though, was the refreshingly critical and well informed views of my fellow kayakers (most of whom, contrary to popular image, are healthy, intelligent, independant-minded folks).

      My compliments to you and all such Americans who are displaying an ability to think, something you would hardly guess from your media or your government spokesmen.

      • fellow kayakers (most of whom, contrary to popular image, are healthy, intelligent, independant-minded folks

        Gee... I always thought the image was of sickly, slightly dumb, and go-with-the-flow folks...

        Exactly what is the "popular image" of kayakers? I never would've thought of them as anything but the above. You can't kayak if you're not healthy, it's certainly an independant sport, and while intelligence is in the eye of the beholder, I expect most sub-average intelligence folks wouldn't get the zen of kayaking. And would probably end up drowning themselves.

        As far as the media/govt rhetoric on 9/11 - yes, it's rather insane. Some of it is well placed. Some is not. I'm not at all happy with a lot of the post-9/11 law enforcement bills that have been passed, nor am I pleased to see US citizens (and non-citizens) deprived of their rights with some rather vague handwaving. If they're guilty, prove it and either throw them out of the country, throw them in jail, or improve the gene pool.
    • Well said, very interesting.

      On the other hand there are probably some real threats that don't get a lot of media attention. One I can think of, which I have seen mentioned in the media but it wasn't main-stream, has to do with genetically engineered bio-threats. There could be a couple of ways this might happen, such as 1) eugenically targeted proteins (I think there is one that is known), or 2) hybrid proteins/virii or bacteria that don't have an immediate antidote (like AIDS) but kill within a few days. I view biology becoming a bigger and bigger threat over the next several years. Not to be completely alarmist, but I wonder what the government is doing beyond the anthr*x investigation to keep watch on biological research and the people involved.
  • by Kasreyn ( 233624 )
    And the WP journalist responsible for this trash ought to be horsewhipped. As if we need more hysteria about the internet right now.

    Anyone who thinks a few religious fanatics hiding in caves somewhere can take the internet down has another think coming. Or, to paraphrase Emperor Palpatine, "The infrastructure is quite safe from your pitiful little band."

  • by crovira ( 10242 ) on Thursday June 27, 2002 @05:44AM (#3777536) Homepage
    and the destruction of the morally bankrupt, corrupt western civilization, we sure are giving Al Qeda and the Q'Ran-and-ravers kudos for a lot more hightech savvy than they need to infect themselves with to accomplish their goals.

    Have you read about how Islam is treating anybody with enough education to frame a question to ask the immams? After they've shot them?

    Have you read the clap-trap that their schools, in those countries where they still pretend to have some, are spewing in an effort to reconcile the Western scientific viewpoint, based on letting things describe themselves so that we can understand them, and Islam's mystical religious authoritarian fervor, which is based on Allah this, Allah that and nothing happens without the will of Allah and the Q'Ran is the only book you need and the immams will guide you in its interpretation so you don't need to know how to read. (Very Catholic of them. Watch your sons around that bunch of androsterone loving creeps.)

    Given the patterns shown to date and the historic emnity betwen the Q'Ran-and-ravers and our transportation infrastructure, (you don't need to leave your village and the influence of your immam,) we'd probably do better to watch who the country's transportation workers are.

    What do they do to spread terror and interfers with our lives? Mall bombers are a very ineffective way to spread terror. They have noticed that our conveyances offer the opportunity to murder and do a lot of harm to many people in a tight space. Now they set bombs off next to busses, hijack planes, crash them into buildings.

    River bridges and tunnels are far more vulnerable than airports right now. Truckers and their rigs are the vulnerable underbelly of America.
    • by dpilot ( 134227 ) on Thursday June 27, 2002 @09:16AM (#3778303) Homepage Journal
      So right, and the really funny and tragic thing about this is that 1000 years back, Islam was the cultural light of the world. They had no problem with science, saw it as studying Allah's creation, and a truly proper thing to do. Large parts of the Rennaissance were merely bringing knowledge from the Islamic world into Europe.

      Then sometime in the past few hundred years, they began to throw all of that away.

      Kind of like the US and Freedom.
  • Another dimension (Score:2, Insightful)

    by Ryu2 ( 89645 )
    Most of the critical infrastructure stuff is air-gapped from the Net (that is, they are completely separate from it, and not connected, not even indirectly), and rightfully so. So any job would have to be an inside job by a sleeper agent or something.

    But it might be easier for terrorists to take out something (physically) like the root DNS servers, or a major point like MAE East/West -- it may not cause the apocalypse, but that will still screw things up majorly for the world... the Internet does have lots of single points of failure, believe it or not.

  • by Dilbert_ ( 17488 ) on Thursday June 27, 2002 @05:46AM (#3777543) Homepage
    I don't believe Osama's buddies would attempt something like this. Somebody else, maybe, but not Al Quaeda. They're much more interested in the 'honor' and the 'glory' of making big, bloody direct attacks. Look at their history of attacks: WTC, Khobar Towers, USS Cole, WTC again, Kenya embassy,... All aimed at directly attacking symbols of US hegemony, with big booms and many dead. Computers is just not like them.

    Anthrax, maybe.

    • Right on. The whole problem with cyber-attacks is that they're not sexy--I mean, thrilling--enough to the average glory hound. Even the Anthrax scare is too low-key for Al Qaida.

      Terrorists want to grab the front page, the lead story, and kill people so that other people will listen to them. They're in it for the adrenalin rush, the feeling of power. Computers are too impersonal to hold their attention for very long.

      If anybody's going to start cyberterrorism, it won't be for political purposes. It'll be for extortion, "protection money" and industrial espionage. Cybermafiosi are *much* more likely than Cyberterrorists.
    • Look at their history of attacks: WTC, Khobar Towers, USS Cole, WTC again, Kenya embassy,... All aimed at directly attacking symbols of US hegemony, with big booms and many dead.

      Absolutely right. And lets not forget that Osama "promised" a steady escalation of the attacks, in terms of casualties and damage. So far his actions follow this "promise"... And I can't really make up any scenario in which a solitary/distributed "cyber-only" attack would result in more casualties and damage than 9-11.

      Can you?
      • I can't really make up any scenario in which a solitary/distributed "cyber-only" attack would result in more casualties and damage than 9-11.

        How about disruption of 911 service? power outages at major nodes of the network in major cities? Mess with traffic lights at key intersections at rush hour? A virus in the computers at the NYSE? Remember the Y2K bug stories - even though hardly anything actually happened, a lot of the scenarios described were not that outlandish, and in fact a lot of near disasters were prevented.

        (One in particular was noteworthy - in Los Angeles, a y2k test at a water reclamation plant led to some 4 million gallons of raw sewage [greenspun.com] spilling into the streets. Had this occurred on New Year's eve, there would have been 150,000 or so in that park for a millennium celebration. Hehe... 150,000 Angelenos covered in shit on New Year's eve....

        • disruption of 911[...]power outages[...]major cities[...]traffic lights at key intersections[...]virus in the computers at the NYSE

          Even if all of this happened at the same time, to the full imaginable extent, I doubt that it would leave a number of casualties comparable to 9/11. And don't forget that they have to operate under cover. The WTC/Pentagon attack sure was properly planned and "well-executed" but on a scale from 1 to 10 Osama would probably give it just a 7,5 rating. Too many things went "wrong" (mind you, in the terrorists view of the things). Don't get me wrong, the WTC attack was horrible, but even this horror could have been optimized - hit lower to cut off the escape routes for more people. Hit harder to speed up collapse. In that case I suppose the causalties would have rocketed to a 5 digit number easily. Same for the plane that came down on the field instead of a target. Things never work out as planned, and that is what saved America further grief. So,for these cyber-attack(s) you mentioned - even executing them with surgical precision and astronomical timing would leave things open to failure (again, seen from the terrorists view). Therefore I am in doubt when you say these attacks could cause more damage/casualties. Remeber, Osama promised to escalate every attack in terms of casualties.

          Had this occurred on New Year's eve, there would have been 150,000 or so in that park for a millennium celebration. Hehe... 150,000 Angelenos covered in shit on New Year's eve....

          Well, whatever... Drunk as most of them would be, they would have trouble noticing the difference at all I guess. This is hardly a "terror attack" in my book. Sure, nasty for the individual. Certainly a heavy damage when it comes to laundry bills. Probably something that requires a lot of people to take antibiotics afterwards. But when it comes down to be crushed by a collapsing building or snorkeling in other people's shit... well, pass me some swimming shorts.
    • Anthrax, maybe.

      Anthrax, no way. That has to be some kooky retired redneck general with keys to the lab, or, worse, someone who still works in the lab. The targets (Judith Miller, Sen. Daschle, Tom Brokaw) are hardly folks that would be high on al-Qaeda's list of most heinous infidels.... if anything, they are all more visible to and hated by elements of the American right. Interestingly enough, the attack on Daschle (which was perhaps an attack on all of Congress rather than him personally, who knows) came just as the patriot act was being debated on the Hill. Who would gain from spreading that particular kind of fear at that particular moment? Hardly Osama bin Laden. In fact, in papers found on a computer [ozarksnow.com] bought by a reporter in Afghanistan, an al Qaeda operative admits in a memo that "despite their extreme danger, we only became aware of [chemical and biological weapons] when the enemy drew our attention to them by repeatedly expressing concern that they can be produced simply."

      (By the way let's not forget that al Qaeda's nuclear weapons plans included an internet spoof [politechbot.com] from the "Journal of Irreproducible Results"....)

      These people may want to kill all Americans, but they are not the most sophisticated bunch, no matter how well orchestrated 9-11 was. That anthrax was home grown, and it was probably someone who still has access to a biodefense lab, and his identity is possibly well known to a number of people around him who find him embarassing and dangerous but protect him anyway because they've known him for so many years.

    • They're much more interested in the 'honor' and the 'glory' of making big, bloody direct attacks.

      I can just see it...

      An al-queda operative sits alone in a house in halfway around the globe. He dials into the internet and with a few mouse clicks wipes out some critical infrastructure across the entire United States that will result in thousands of deaths...

      ... and for 'honor' and 'glory' he procedes to set off the suicide bomb strapped to his chest.

  • When stuff like the Worldcom farce can lead to the excellent and strategically vital UUNET backbone potentially going dark, what on *earth* do they think Al Quaida can do?! This sounds like "electronic Pearl Harbour" b/s - if you don't know, that phrase is a common code-phrase meaning "give us more money and power!" often heard in Washington over the last decade or so.

    What do they think a terrorist organisation could do, that groups of script kiddies with a few botnets couldn't do? Have they really got any idea what sort of DDoS stuff happens every day of the week out there in IP land?

  • by WasterDave ( 20047 ) <davep@NOSPAM.zedkep.com> on Thursday June 27, 2002 @06:01AM (#3777586)
    I'm having a hard time believing that Al Qaeda is capable of anything along these lines.

    So they have towels on their heads, hide in caves and currently live somewhere between Afghanistan and Pakistan - so this makes them stupid, right?

    Whatever. Have you forgotten that these people managed to simultaneously hijack FOUR aircraft, in a country with absurdly tight border restrictions, keep the whole thing quiet from an increasingly Orwellian state, run the whole gig on a budget of eighty dollars and five camels AND get away with it? Hmm? Do I see Osama Bin Laden's head mounted on a plaque in the oval office? Quite.

    Thing 2 - Sysadmin's are notoriously lazy, particularly Microsoft ones. Count the number of no brainer hacks we've had over the last, say, two years: Default passwords on SQL servers, unpatched IIS installations by their thousands... Not to mention the notoriously bad security record of the vendor itself.

    Not that you need to actually attack anything, don't forget that the multi billion dollar Yahoo! empire was reduced to rubble by some kid in fuckwad Arizona calling himself "Mafiaboy". And he bragged about it on IRC, hardly the gold standard in attempting to get away with things.

    Fucks' sake, A "cyber attack" is so thoroughly within the reach of Al Queda that the only reason I can suggest that they've not done it is that they've been busy regrouping after their previous hosts, the Taliban, had their arses royally kicked a few months back.

    You think they're going to run forever? Grow up America. You're not as smart as you think you are, and you're very much a target. Have a nice day.

    • by CrosseyedPainless ( 27978 ) on Thursday June 27, 2002 @08:19AM (#3777991) Homepage
      While the point of your post is quite valid, I'd like to correct one thing: absurdly tight border restrictions

      The (approximately) 9,000 km border with Canada is completely uncontrolled except at major highways and urban areas. The 3,300 km border with Mexico is somewhat more controlled, but is readily penetrated in remote areas. Add in the lightly patrolled coastlines, and the immense and basically uninhabited border of Alaska, and one has what is essentially unimpeded access to the US. (Pre 9-11, anyway; things may have changed.)
      • The (approximately) 9,000 km border with Canada is completely uncontrolled except at major highways and urban areas.

        Yes, but none of the 9/11 terrorists came through Canada. [state.gov] In fact, doing so would be pretty silly, since then you'd have to go through two immigration procedures, and both Canada and the U.S. share a list of known terrorists.

        It would be easier to smuggle yourself into the U.S. aboard a ship than trying to cross the "completely uncontrolled" U.S.-Canadian border. Actually, the border between the U.S. and Canada employs quite a few high tech gadgets, such as motion detectors, IR video surveillance, and even low-level radar to track anyone trying to cross the border without going through a checkpoint. Forested areas are clearcut for 10 metres (or yards) each side of the border to make anyone crossing visible to surveillance.

        Most of these practices are in place to catch drug smugglers, but they are equally effective against anyone trying to sneak across the border.
    • in a country with absurdly tight border restrictions

      Absurdly tight? Which part? The part where thousands of Mexicans (by customs estimates) cross every month? The parts where you can go from Canada to the US with only a small roadsign telling you which is which? The part where you can take a boat across any of five very large lakes to enter the country, and customs consists of calling in on the honor system to let us know you've arrived?

      The part where any fool can hop a ride to any of a dozen small islands in the Carribean and take a charter to Florida without EVER going through US Customs?

      Sorry, but while the United States does it's best, there is no way you can call the border restrictions absurdly tight.

      Doesn't take that much effort to get into the country. It doesn't take more than a swatch watch to have four simultaneous attacks, and until we AT LEAST give pilots TASIRs (-sp?) it ain't that hard to take out a jet.

      As them being able to launch a "cyber attack" being a script kiddie doesn't cut it. That's a cyber nuisance at best. Taking out one misconfigured system (and much of DOS and even DDOS attacks can be taken care of by reconfiguring) does not a battle make.

      You DO need some decent skills to do damage that lasts longer than a server reboot takes. Quite frankly few people have them. A real attack:
      • Needs to last long enough without detection to corrupt back ups
      • Needs to take out more than one system
      • Needs gain some type of strategic advantage, ie cause real death, erase vital records, allow easier access to the country for actual terrorist people
      • Needs to have the source provable, no honor for anon cowards
    • some kid in fuckwad Arizona calling himself "Mafiaboy"

      I'm pretty sure [wired.com] that Mafiaboy was from Canada, not Arizona. Not that we're proud of him... but if you're going to rant, then get your facts straight.
    • simultaneously hijack FOUR aircraft

      Requiring a few watches, maybe some calendars, and some flight schedules. Real high tech! I'm not saying that makes them dumb, but any desert goat-herder has the skills to do that.

      in a country with absurdly tight border restrictions

      You're joking, right? I don't know what country you're talking about, but it sure as hell isn't the USA. Our borders aren't even tight on paper.

      keep the whole thing quiet from an increasingly Orwellian state

      Yeah, that's dificult. Our "intelligence" community is almost totally focused on signals. If you don't use the phone or email, they probably don't even know you exist. It's pretty easy to not talk about a terrorist plot on the phone.

      run the whole gig on a budget of eighty dollars and five camels

      Christ, all they needed was some box cutters and some plane tickets. Yeah, some of them had some flight training, but I bet they could have done just fine without it. Flying a plane really isn't difficult. Taking off and landing is, but they really didn't care about that, did they?

      A "cyber attack" is so thoroughly within the reach of Al Queda that the only reason I can suggest that they've not done it is that they've been busy regrouping after their previous hosts, the Taliban, had their arses royally kicked a few months back.

      Here's a suggestion: maybe they haven't done it because they realize that it's pointless and stupid. Nobody's going to die from a "devastating cyber attack". Nobody's even going to be particularly worried, since Microsoft has conditioned us to expect computers to fuck up regularly. The biggest effect a cyber attack would have is a slight increase in help desk calls asking why the internet is broken. Who cares? Maybe, just maybe, they've decided to focus their attentions on something that would actually be effective?

  • In summary (Score:4, Insightful)

    by Graymalkin ( 13732 ) on Thursday June 27, 2002 @06:09AM (#3777605)
    Al Qaeda has hired script kiddies to bring down rain down computer destruction. I don't understand why the fuck things not designed to be hooked up to the internet are being hooked up to it.

    I ask in all seriousness, why is a railway switch hooked up to the public internet? What good reason is there for eletronic valve controls for fresh or sewage water to be hooked up to the internet? Does a passing shit or dead goldfish need to check its e-mail? I can understand having some sort of network linking a bunch of sensors and whatnot, that makes sense. I do not understand however why that network needs to be on the internet or even publicly accessible. In some cases, like the guy in Australia, the method of intrusion was not the internet or a network of any sorts, just an unsecured method of entry. Having singular systems with unsecured entry point is understandable and pretty forgivable. Not everyone expects some jackass to try to scre with something. A network of systems with unsecured entry is ridiculous.

    I remember reading a billion and a half philez back in the day on how to fuck with systems through Tymnet and other networks similar to it. I still don't see why the SCADA system controlling the Hoover damn needs a modem in it, if it does need that modem in it what is up with the lack of intense and thurough handshaking and password challenges?

    The internet is an obvious target regardless for you bozos who question militant religious fanatics and their target aquisition. Why attack the WTC? It was a symbol, same with the White House or Pentagon. They're both symbols. The internet is another symbol of Western culture. Who is the internet big with? A hint: it is not a bunch of predominatly Muslim countries but the word does start with W and end with est. It would be yet another symbol to attack if you're in the mindset that the West is the source of all of your ills.

    If you're worried about phone lines going down and needing network access get some geeky friend together, get yourselves Ham licenses and form yourself an emergency packet radio network. If you've got laptops and battery powered equipment you'll be fine even if your power goes from al Qaeda script kiddie attack. While it sounds sort of ufnny to some it is a good idea, hams in an area suffering from power outages or down phone systems can be a big help keeping the flow of information flowing. Nothing helps in an emergency situation like the right information getting to the right people at the right time.
    • Re:In summary (Score:5, Interesting)

      by nordicfrost ( 118437 ) on Thursday June 27, 2002 @07:55AM (#3777904)
      Well, when I was in the military, working on multimedia apps, I was impressed by the security precautions on the computers... We really wanted to make one of the servers accessible from the 'net because of the nature of the app. We applied to the HQ to be allowed to make the info on the server available from outside the secure digital phonelines. This was a "Restricted" server, the first security level in our classification system. The HQ said, "of course you can connect it to the 'net. On one condition; you must install a firewall". "No prob", I said. Then they answered; "oh yeah, one more demand. The firewall must be 100% intrusion secure, guaranteed by you personally. Not 99,9997%, not even 99,999999% but 100% secure. Then and only then can you put the server on the 'net." It never accessed the 'net.

      Security in the military is amazing. At least here. Any computer net designed for "Classified" to "Secret" is not allowed to be connected to ANYTHING except a fiber-op LAN. No floppy, no HDD, Windows boots from servers. The parallel and serial ports are removed, keyboard cords are glued to the machine, cabinet locked with padlock... The network I spent most of my time on had nothing more secret than the SSN of several persons, but that info is "Classified" so we had the server in a EMP-safe, TEMPEST-classified locked concrete room. The fib-op was in concrete ducts, the switch cabinets were thin safes, backups were stored in two separate fireproof vaults... I dare you. Hack that server, my guess is that it is next to impossible, primarily because of the NoNet-policy. Any computer connected to the 'net is automatically classified as "Unsafe" no matter what firewall in between. A computer that is "Unsafe" is not allowed to be next to a secure computer(!). This is to avoid human confusion...

    • First of all, I'm sure you can provide us with some evidence that "Al Qaeda has hired script kiddies to bring down rain down computer destruction".

      Second of all, I'm willing to bet that you've never been to a predominately Muslim country. Indonesia, which has the largest Muslim population in the world contributes a HUGE number to the Internet's user-base. Malaysia also has a very large Muslim population, and again a HUGE Internet presence.
  • Utter shite (Score:4, Informative)

    by Anonymous Coward on Thursday June 27, 2002 @06:18AM (#3777630)
    The subject of this article is such rabid FUD that it needs dispelling, quickly. The technically savvy readers of Slashdot, if not already aware of the state of power-plant security, need to catch up to what reality is, because they will be the ones that the non-technicals will look to for answers and reassurance.

    The idea that critical systems of a power-plant of any kind would be on-line and accessible via the web or dial-up is so preposterous as to defy reason. The idea is surely suggested by ignorant kooks, and snatched up and carried into daylight by "journalists" who would rather see their name in a byline than verify the information in the stories they rush to press. In short, someone has seen one to many USA Channel Sunday Night Movies.

    Having worked on nuclear plant monitoring systems software, I can tell you for a fact that the critical systems not only can not be tripped from off-site, but also can not be accessed from anything but specific, highly secure and redundant systems.

    These systems have physical switches that often require two hands to operate. They are designed to prevent insider sabotage, so no wanker with a laptop, sitting in a cave or boardroom half a world a way can do anything. The only action that can be caused by any local anomaly is a controlled, safe shut-down. The only thing that a remote action will result in is a line-item in the logs, period. A plant shutdown may be costly and greatly inconvenient, but hardly lethal, and absolutely not catastrophic. The "terrorists" will have better luck flying a 747 into the Hoover Dam.

    The notion that someone with access from outside could trip a plant or cause anything but the generation of a non-critical statistics report to be generated is lunacy. Yes, some aspects of some systems may be monitored from outside, but this is only for informational purposes only.

  • enough to understand the dangers of the connection and of the mode of connection?

    Gimme a break? The bell curve shows that most of them will be mediocre. That's sad but statistically true.

    But we've got some hope. Our infestation of script kiddies and the puerile juvenile delight our youth takes in engaging in high-tech sacred-cow-tipping.

    Somebody somewhere is getting hammered at by the bazillion script kiddies and his/her systems are behaving like women of negotiable affection when the fleet's in town. But its not somewhere important. An individual firm may go under but it most probably wasn't important either.

    The web of commerce is far broader, loser and more resilient than it is vulnerable.

    But watch the transportation industries and highway system that are the filaments that hold it all together...

    Remember the Golden Gate bridge and the disruption expense and systemic inefficiency caused by the Loma Prieta 'quake...
    • The Golden Gate (SF -> Marin) survived Loma Prieta just fine. It was the Bay Bridge (SF -> Oakland) that fell to pieces.

      After Loma Prieta, you might think that building an earthquake-proof replacement might be a high priority. Nope. Work on replacing the Bay Bridge was delayed for years while people argued about making a pretty bridge that passed over just the right scenic spots. Seriously. The world is far sicker than you can ever imagine.


  • by Nishi-no-wan ( 146508 ) on Thursday June 27, 2002 @06:36AM (#3777677) Homepage Journal
    Off topic, I know, but there's been a serious increase in attempts to hijack my web site since the Gobbles' proof of break-in-ability code for the Apache hole was released last week. It's probably the work of out of school script kiddies rather than that cad Al, but I'd like to know if other sys-admins have notice an increase in UNIX targetted attacks (specifically geared toward Apache) in the past week.

    The usual attack pattern goes:

    1. Enter the site on a "powered by freebsd" google search reference
    2. Cause an error ("GET ../.." or a "GET / HTTP/1.0" request) to get the web server name and version.
    3. If the version is a vulnerable version of Apache, an attack commenses with a different tool.
    If everyone hasn't upgraded Apache to a safe version yet, I strongly suggest you do. It's not just a Microsoft hole any more.
  • There is only one problem with an attack on the infrastructure, and it is not the actual attack.

    Indeed there would be a days work lost, but any company that has a good tech department / disater recovery plan would be able to sort themselves out within a day, although the backlog of mail might take a little longer. This is not in fact a massive deal.

    The biggest problem would come from the fact that all the current anti privacy legislation would have an excellent excuse to go through with the backing of all in congress/parliment (for us in the UK)

  • Politics (Score:4, Funny)

    by eyeball ( 17206 ) on Thursday June 27, 2002 @06:54AM (#3777712) Journal
    Of course the Bush administration will finally have a real reason to blame the Clinton administration for somthing, with Al Gore being the inventor of the Internet and Cyber-everything.

  • by Saggi ( 462624 ) on Thursday June 27, 2002 @08:48AM (#3778144) Homepage
    One of the most important issues for a terrorist is to generate fear. The more, the better. To hit the world trade centre surly get the public attention. Now lets say you create a powerful virus and called it "AQ_FUCK_USA". It may do a lot of damage. It may cost millions of dollars and cause a lot of people to be angry. But it won't create fear.

    Even if you hit a vital structure like power plants or hospitals. Yes it will be an annoyance. Some might die (due to lack of traffic lights, respirators etc...), but it's nothing compared to killing 5000 people (or more in some of the other possible scenarios).

    You can't tell the terrorist world; "We just cost the evil USA 2 billion dollars". It doesn't give as much "respect" as saying "We just killed 100 Americans" (or some other western "evil" country).

    But I wouldn't feel safe anyway. Someone (maybe AQ) will try it anyway. Why not? But do it make a change whether a script-kiddie or AQ hits us?
  • When we have Worldcom's CFO...

    Think KPNQwest...
  • Well, working in IT, this is probably a wrong thing to say....but

    The U.S. highest leaders are generally clueless about a great many things, especially technology.

    So, while I have in the past plausibly ridiculed the prospects of Osama bin Laden using his laptop computer to communicate via the Internet using steganographic means from his goat-ridden non-electrified hovel in the mountains of Asia, close advisors to the President have spun stories to trigger fear, uncertainty and doubt in the minds of decision makers.

    They've promoted these fallacies not out of malice, but rather in the interests of getting their particular piece of bread buttered. There are plenty of people in the business that would enjoy making money by contracting out a few projects that will be fun to work on, but which are of small substantive value.

    But, hey, if I was pressured the same way, I'd probably lash and "Do Something" to make myself look like I was an active leader, look like I knew what was going on, etc.

  • by SledgeHammerSeb ( 520650 ) on Thursday June 27, 2002 @09:45AM (#3778526)
    I have read about 15 posts here. It is the naive arrogance of these posts that causes me to be happy we, the USA, are going to be concerned about infrastructure security.

    It is true that today Al-Qaeda or who ever are not be able to disrupt our infrastructure anymore than any script kiddie. Of course these enemy forces have a great deal more resources and time than even an army of script kiddies. That is the real problem.

    Please assess the situation as it is, not as you want it to be or think it might be. There is an enemy force that killed 2823 Americans on Sept. 11 2001. This force probably spent as many as 8 years and much money planning that attack; since the previous attack in 1993. They are patient. They may field students that get jobs in very vulnerable places, and then do a great deal of harm. This will take time and money, and they have a track record of doing just that.

    I appreciate the hubris expressed by everyone here, but as Teddy Roosevelt said, lets "walk softly and carry a big stick".

    Cheers, SEB

    • They are patient.

      Excellent post.

      We tend to be an impatient society, microwaves, fast food, etc. and we tend to project whatever we are on others. The problem is that many other cultures are vastly different than our own. This was one of the mistakes we made in the Vietnam era. When we went to Paris to negotiate with the Viet Cong we rented hotel rooms. They bought a villa. They were in it for the long-haul while we hoped (as always) for a quick solution.

      Desert Storm was a "good" war for the American people. We saw results early on, it didn't last long and there were few American casualties. The current conflict is wearing on an impatient public because we can't see the bad guys backing out of a country they'd overrun or other visible results. Soon it will be a "whole year" since the attack and we don't have everything tied up in a nice package with a bow on it.

      The worst thing we can do is underestimate the resolve of these organizations. This is not a new conflict. It is centuries old. We are merely new players or more accurately our role has recently changed. Early on we heard that there will be more attacks. We have heard that warning repeated. Since Sept. 11 we've had a guy try to light his shoes up and a few other minor incidents. Most Americans seem to feel that this is a case of the boy who cried "wolf!" and don't really understand that there actually will be more attacks. Part of this is also the result of the govt. to grab as much additional power as they can under the guise of patriotism and homeland security, but the bulk of it is because of our cultural biases.
  • Consulting (Score:5, Funny)

    by carlos_benj ( 140796 ) on Thursday June 27, 2002 @10:02AM (#3778668) Journal
    ....a consultant used his inside knowledge of a local sewage treatment system to dump raw sewage, hoping for a contract to solve the problem he created.

    Isn't that what consultants do everywhere? Come in, dump raw sewage, hope for a contract.
  • by swm ( 171547 ) <swmcd@world.std.com> on Thursday June 27, 2002 @10:18AM (#3778818) Homepage
    Look at the graph titled "Rise in Cyber Attacks".
    It shows an exponential rise in the "Number of reported cyber incidents".
    Pretty scary, no?

    Now read the footnote

    *Includes probes, illicit entry and attacks aimed at causing damage or taking control

    It's hard to take something like this seriously.
    It's like putting up a graph showing "Rise in illegal activity", with a footnote that says,

    *includes parking violations, theft, and murder

    - SWM
  • "The event I fear most is a physical attack in conjunction with a successful boogie-attack from the responders' closet or underneath their bed," Ronald Dick, director of the FBI's National Infrastructure Protection Center, told a closed gathering of corporate security executives hosted by Infraguard in Niagara Falls on June 12.
  • So the next time you get one of those poorly-worded, no punctuation, no capitalization emails from "3l337haX0r2002@aol.com" asking "teach me to hack", you should send it off to the FBI?
  • ... because nothing short of a disaster with major associated loss of life will convince people that:

    * It's not safe to use Microsoft "solutions" for anything remotely mission-critical

    * The problems are caused by Microsoft's lack of attention to security

    * The problems are made worse by their marketing that convinces people that Microsoft software is an acceptable substitute for thought about security

    * All of this is enabled by their monopoly

    * The only way to deal with the monopoly is to break it up

    Note that I said "almost". If I must choose between an intact Microsoft and another WTC disaster, Microsoft can live on. But I would prefer neither.
  • I think people here are ignoring something that is even more frightening than a concerted attack on the Internet: an electromagnetic pulse bomb.

    Imagine a bomb filled with filaments of graphite detonated in a special manner near a power generating plant or major power substation. The EMP from such an explosion would effectively wipe out most everything electrical connected downstream from the point of attack and anything electrical within line of sight of the explosion; you might as well kiss anything connected to the wall outlet in your home goodbye since the pulse will overwhelm most surge protectors out there.

    And the scary part is that building such a bomb is very inexpensive.
  • by Pvt_Waldo ( 459439 ) on Thursday June 27, 2002 @12:31PM (#3779856)
    Though we have all seen this sort of attack as a possiblity for a long time, I'm having a hard time believing that Al Qaeda is capable of anything along these lines."

    You're not the only one.

    Yea and if I told you a year ago someone would crash three airliners into major buildings in the US you'd have said the same thing.
  • Ironically, their cyber attacks were thwarted when they burned up all their AOL hours trying to stay connected.
  • "using the Internet as a direct instrument of bloodshed."

    I can see the headlines now: "Millions dead as UDP packets are directed out of control. Packet shards found embeded in victims!"
  • The idea that a terrorist organization could attempt some sort of hack isn't out of the realm of possibilities. Hell, a 12 year-old can take down a website. But what are they really capable of? Probably less than they're being given credit for. The media knows however, that by attaching any varient of any computer related phrase, something becomes plausable. Fear what you don't understand, it's the american way.

    There's an upside now. All of us sudden, being a geek may be patriotic. A well run, well administered network won't be as useful in a zombie (which I'd bet is the most likely) attack. Al-Qaeda, you've met your match. The American geek. We're waiting for you, packet sniffers in hand!
  • ...300,000 volts of electric power...

    Reporters: If you don't know what a word means, please don't use it. The volt is a unit of potential difference, not power.
    Discovery of one acute vulnerability -- in a data transmission standard known as ASN.1, short for Abstract Syntax Notification...

    Abstract Syntax Notation is a way of defining packed representations of data. It is analogous to XML. How could there be a vulnerability in the specification itself?
    Much of the technical information required to penetrate these systems is widely discussed in the public forums of the affected industries...

    Implication: we should seek security through obscurity by hiding such technical information. That is a very naive idea. A railroad signalling system, for example, is probably sold both to US railroads and to third world railroads. The third world engineers who maintain these systems may have good reasons to attack the US or to aid those planning the attacks.
    They told the president that researchers in Finland had identified a serious security hole in the Internet's standard language for routing data through switches...Bush ordered the Pentagon and key federal agencies to patch their systems. But most of the vulnerable networks were not government- owned.

    I don't understand. As with the ASN example, if the problem was inherent in a language, then the language would need to be modified. If the problem was solved by patching software, then the problem must have been in a specific implementation rather than the language. But what is this person talking about? Does he mean IP, or BGP? Does he even know what he means? The problem is not just that the article lacks information, it's that this reporter does not seem to think clearly.

Remember to say hello to your bank teller.